Defender needs to allow file exclusions in the prevent information disclosure part.

Defender is preventing auto ssl from renewing automatically, making auto ssl not so auto... It is the prevent information disclosure setting that adds to the htaccess file to block txt files from being accessed. autossl uses a txt file in the .well-known/acme-challenge/ folder to authenticate the domain. Can Defender add this folder as an exclusion when you turn on prevent information disclosure, or at least allow us to make exclusions?

  Paul Kevin

    Hey there jordan,

    Hope you are well today. For folders, all you need to do is place the .htaccess file in the directory with this rule for Apache 2.4 and above:

    <FilesMatch "\.(txt)$">
    Require all granted
    </FilesMatch>

    And for Apache versions lower than 2.4:

    <FilesMatch "\.(txt)$">
    Allow from all
    </FilesMatch>

    You will need to place this in the directory .well-known/acme-challenge/ of your webserver.

    Paul Kevin

  • slavetotheweb

    This is very useful - perhaps it should be included or linked to the official documentation, because even simpler exceptions might be required.
    I just ran an initial file scan for the first time on a site - and it flagged a /downloads folder as (rightly) not being part of WP. We use it to provide certain purchased digital products that we currently can't store within WP itself.
    However, before I said to 'Ignore' that - it locked down the folder and anyone trying to download from it got a 403 forbidden. And, even then choosing to 'Ignore' the folder (which I would imply as being to permit it) it still kept it locked down.
    I understand this behaviour (it's a security plugin after all) but nowhere did it make clear (or did I miss it?) that it was going to act on locking down anything found outside WP?
    Thankfully I spotted it quickly - and then found the above snippet to resolve.
    Perhaps alongside 'Ignore' (which seems to simply take it off the list) there should be a 'Permit' or 'Except' option?

  • Kootj

    I have the same problem with the last version of Defender. SSL update fails and I have added this code to the htaccess file:

    ## WP Defender - Prevent information disclosure ##
    SetEnvIfNoCase Request_URI "^/\.well-known/pki-validation/[A-F0-9]{32}\.txt$|Comodo\ DCV" ALLOWED=TRUE
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    allow from env=ALLOWED
    Deny from all
    Satisfy any
    </FilesMatch>

    But this can be overridden when I reset or change something with Defender.
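
Added example, not part of any post in this thread: a check to run on the web server after changing Defender settings, confirming that a .txt file in .well-known/acme-challenge/ is served while .txt files elsewhere are still refused. The function names, the probe file naming and the docroot and base URL arguments are assumptions; it needs write access to the document root.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # folder named in the thread


def http_status(url):
    """Default fetcher: return the HTTP status code of a GET request."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_txt_rules(docroot, base_url, fetch=http_status):
    """Write two throwaway .txt probes and report how the server treats them."""
    name = "probe-" + secrets.token_hex(8) + ".txt"  # random, hypothetical name
    probes = {"challenge": CHALLENGE_DIR + "/" + name, "other": name}
    result = {}
    for label, rel in probes.items():
        path = os.path.join(docroot, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("probe\n")
        try:
            result[label] = fetch(base_url.rstrip("/") + "/" + rel)
        finally:
            os.remove(path)  # never leave probe files behind
    # Renewal needs the challenge file served (200); the information
    # disclosure rule should still refuse other .txt files (403).
    result["renewal_ok"] = result["challenge"] == 200
    result["block_intact"] = result["other"] == 403
    return result


if __name__ == "__main__":
    import sys
    # usage: python check_txt_rules.py /path/to/docroot https://your-site.example
    print(check_txt_rules(sys.argv[1], sys.argv[2]))
```

Running it again after a Defender reset or settings change shows whether the exception was overwritten, the case Kootj describes.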

