Defender: Prevent Information Disclosure on SiteGround Cloud Hosting

I'm working on building a new multisite network for my business from scratch. I learned a lot in the first year and want to get a good clean fresh start...

So I'm starting with Defender, working through the hardening issues now. I've got one left... Prevent Information Disclosure. I'm not sure how to edit the .conf files on my server, so I asked SG support to take care of it. I'll include my conversation with them below:

---

Hello! I'm using the defender plugin to secure a new multisite installation at DGTL.church and need some help adding some lines of code to the server.

Here are the full instructions that the Defender plugin is giving me:

----

OVERVIEW

Often servers are incorrectly configured, and can allow an attacker to get access to sensitive information that can be used in attacks. WP Defender can help you prevent that disclosure.

HOW TO FIX

For NGINX servers:

1. Copy the generated code into your site specific .conf file usually located in a subdirectory under /etc/nginx/... or /usr/local/nginx/conf/...

2. Add the code above inside the server section in the file, right before the php location block. Looks something like:

location ~ \.php$ {

3. Reload NGINX.

## WP Defender - Prevent information disclosure ##
# Turn off directory indexing
autoindex off;

# Deny access to htaccess and other hidden files
location ~ /\. {
deny all;
}

# Deny access to wp-config.php file
location = /wp-config.php {
deny all;
}

# Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
deny all;
}
## WP Defender - End ##

---

And here is their reply:

---

Hello Mark,

I have added the code into the Nginx vhost file for your domain dgtl.church and it was detected as invalid code as Nginx failed to start after it was added:

Code:

root@c2**** [/home/m******2]# /etc/init.d/nginx restart
nginx: [emerg] "location" directive is not allowed here in /etc/nginx/vhosts/dgtl.church.conf:84
nginx: configuration file /etc/nginx/nginx.conf test failed

Please check this with the developers of the plugin to modify the code accordingly and provide us with the new one.

We are looking forward to your reply.

---

I appreciate your help!

  • Vaughan
    • Support/SLS MockingJay

    Hi Mark,

    Hope you're well?

    I'm no expert with NGinx, but I think they added the mentioned code in the wrong place.

    It needs to be added in the server{} directive itself in the nginx.conf file. The error you gave suggests it was added in the wrong place:

    nginx: [emerg] "location" directive is not allowed here in /etc/nginx/vhosts/dgtl.church.conf:84

    So in the server directive, search to find the following line:

    location ~ \.php$ {

    Then add the defender code ABOVE that line.

    Hope this helps

  • Mark
    • Site Builder, Child of Zeus

    SiteGround support says that they have entered the code into the correct location now.

    I went to my Defender plugin dashboard, and it still said there was a vulnerability, so I went to run a new scan of the site and received an error code:

    cURL error 7: Failed to connect to premium.wpmudev.org port 443: Network is unreachable

    Is this just a temporary error in communicating with the WPMUdev servers?

  • Mark
    • Site Builder, Child of Zeus

    Okay, so the cURL errors have resolved, but I'm still showing a vulnerability in the hardening section of Defender. My SG support rep says that the code has been added, but defender seems to disagree, so I want to double check to make sure everything is correct. How can I be sure this vulnerability has been patched?

  • Mark
    • Site Builder, Child of Zeus

    Vaughan, sorry to bother you, but I've updated this thread with a few more questions over the past few days.

    My host says they have gone back and added the proper code using the instructions you provided, but my Defender plugin is still telling me it's a vulnerability. I've enabled support access so you can take a look at it.

    Thank you!
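Added example (not part of the thread, the plugin or SiteGround's configuration): a small Python model of the three Defender rules quoted above, assuming a simplified version of nginx location selection (exact `=` match first, then regex locations in file order), so you can see which request paths those rules actually deny before asking the host to verify them. The sample paths are constructed.

```python
import re

# Constructed model of the WP Defender nginx block quoted in the thread:
# one exact-match location and two regex locations, all "deny all".
EXACT_DENY = {"/wp-config.php"}
REGEX_DENY = [
    # location ~ /\.   -> any URI containing "/." (hidden files and directories)
    re.compile(r"/\."),
    # location ~* ^/wp-content/...$  -> "~*" makes the match case-insensitive
    re.compile(r"^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$", re.I),
]


def is_denied(path: str) -> bool:
    """Approximate nginx location selection for the Defender rules:
    an exact '=' location wins outright; otherwise the first regex location
    that matches (in file order) is used. Prefix locations are ignored here
    because none of the Defender rules use them."""
    path = path.split("?", 1)[0]  # nginx matches on the URI path, not the query string
    if path in EXACT_DENY:
        return True
    return any(rx.search(path) for rx in REGEX_DENY)


def audit(paths):
    """Map each request path to the verdict the Defender block would give."""
    return {p: ("denied" if is_denied(p) else "allowed") for p in paths}


if __name__ == "__main__":
    sample = [  # constructed request paths
        "/wp-config.php",
        "/.htaccess",
        "/.git/config",
        "/wp-content/debug.log",
        "/wp-content/plugins/foo/readme.TXT",
        "/wp-content/uploads/2020/photo.jpg",
        "/wp-content/themes/bar/style.css",
        "/.well-known/acme-challenge/token",  # caught by the hidden-file rule too
        "/wp-config.php.bak",                  # no "/." and outside wp-content: not covered
    ]
    for p, verdict in audit(sample).items():
        print(f"{verdict:7s} {p}")
```

Note that `location ~ /\.` also denies `/.well-known/`, which Let's Encrypt HTTP-01 validation uses, so a site that renews certificates that way needs an explicit `location ^~ /.well-known/` exception placed before it.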
