Defender security tweaks not applied

Defender says that "Prevent information disclosure" and "Prevent PHP execution" tweaks are not applied to the site. However, the code for the first one is in .htaccess. Actually, it was there initially 3 times. File permissions and ownership were checked.

  • Kasia Swiderska

    Hello Aaron,

    If your .htaccess file contains the required rules but the notification is still there, that usually means that your server doesn't allow these changes to be made from the .htaccess file.

    Could you get in touch with your hosting provider and check if that's indeed the case?

    Right now it seems that only "Prevent Information Disclosure" is showing as not done.

    kind regards,
    Kasia

  • blue

    Hello, I seem to be having this issue as well. My server environment is Ubuntu 17.10, LAMP stack with Apache 2.4 and PHP 7.1, WP multisite 4.9.2.

    I'm in charge of the server's configuration, and Apache seems correctly configured to work with .htaccess files. Permalinks are working fine, and so is multisite (per WP multisite setup instructions).

    I wonder if these may be related since the issues are so close together? There is a transcript in the WPMU chat support with a rep about this for reference, if you need. What can we check to work this out? Those two issues are the exact two that I'm having trouble with as well. Thanks!

  • blue

    I discovered the reason for this and how to fix it. Apache has a directive called "AllowOverride", and this directive specifically is related to whether or not .htaccess configurations take effect. By default, Apache 2.4 has AllowOverride set to None (before Apache 2.3.9, the default was AllowOverride All).

    In order for your .htaccess rules to take effect, you have to edit your main Apache configuration file and switch AllowOverride None to AllowOverride All. Depending on which system you're using, your configuration file could be in a different place. I use Ubuntu, so my file is located at /etc/apache2/apache2.conf.

    The above advice is for a system with only one website (in other words, no virtual hosts). If you run more than one website on your server (virtual hosts), then you will have a configuration file for each virtual website you're hosting. Their configuration files will be located at /etc/apache2/sites-available (Ubuntu). You can set AllowOverride All in the <Directory> section of the file for the domain you're having trouble with. This allows you to set .htaccess configuration on a per-domain basis, just in case there are other domains you don't want that to take effect. If you want all of your domains to have it, you can still edit the main apache2.conf file so it will take effect globally for all sites.

    Here is a link to the official Apache documentation describing how to set it up in more detail.

    https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
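
The check described in the post above, as an added example that is not part of the thread or of Apache's or Defender's own tooling: it reads Apache configuration text and reports which AllowOverride value is in force for a document root, so you can tell whether .htaccess rules there are ignored. The sample configuration is constructed and the function names are hypothetical; it assumes plain-path `<Directory>` blocks only (no wildcard or regex sections) and treats all supplied text as one server context.

```python
import re
from pathlib import PurePosixPath

# Constructed sample (not from the thread): stock-style defaults plus one vhost.
SAMPLE_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory /var/www/>
    AllowOverride None
</Directory>
<VirtualHost *:80>
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        AllowOverride All
    </Directory>
</VirtualHost>
"""

def directory_overrides(conf_text):
    """Map each plain <Directory> path to the AllowOverride value set inside it."""
    found, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # Apache comments start the line
        opened = re.match(r'<Directory\s+"?([^">~*?]+?)"?\s*>$', line, re.I)
        if opened:
            current = PurePosixPath(opened.group(1))
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current is not None:
            m = re.match(r"AllowOverride\s+(.+)$", line, re.I)
            if m:
                found[current] = m.group(1).strip()
    return found

def effective_override(conf_text, docroot):
    """AllowOverride in force for docroot: the most specific matching block wins."""
    docroot = PurePosixPath(docroot)
    best, value = -1, "None"  # Apache 2.4 default when no block sets it
    for path, setting in directory_overrides(conf_text).items():
        matches = path == docroot or path in docroot.parents
        if matches and len(path.parts) > best:
            best, value = len(path.parts), setting
    return value

def htaccess_honoured(conf_text, docroot):
    """True when .htaccess files under docroot can change any setting at all."""
    return effective_override(conf_text, docroot).lower() != "none"
```

To use it on a real server, pass in the concatenated contents of apache2.conf and the enabled site files in place of `SAMPLE_CONF`.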
