Info Disclosure / Security Tweak

I read the recommendation in DEFENDER PRO regarding "preventing information disclosure," but I still do not know where to place the coded information that was supplied.

  • Adam Czajczyk

    Hello Kale

    I hope you're well today and thank you for your question!

    The Defender should be able to apply that code/tweak for you in most cases. Have you tried to do this or does it fail after you click the button to apply the tweak?

    If you do need to add the code manually then it depends on what webserver is powering your site. If it's Apache, that would be the .htaccess file in the root folder of your site install. If it's another server, the location might be different and in some cases it might even be necessary to ask host support for help (especially on shared hosts).

    In most cases, however, either the button to apply the tweak in Defender should do it for you or it should be enough to put the given code in the aforementioned .htaccess file.

    Have you tried either of these two ways?

    Kind regards,
    Adam

  • Predrag Dubajic

    Hi Kale,

    Thanks for granting access, I had a look at your site and see that you're running on NGINX, and unlike on an Apache-powered site, Information Disclosure can't be applied automatically from Defender and it will need to be done manually.

    In order to do this you will need to have access to your NGINX .conf file, which is usually located in the /etc/nginx/ or /usr/local/nginx/conf/ folder, but it depends on the server where you're hosting your site.

    Inside the .conf file you should locate this line of code:
    location ~ \.php$ {
    And before that add the code for preventing information disclosure:

    ## WP Defender - Prevent information disclosure ##
    # Turn off directory indexing
    autoindex off;
    
    # Deny access to htaccess and other hidden files
    location ~ /\. {
      deny  all;
    }
    
    # Deny access to wp-config.php file
    location = /wp-config.php {
      deny all;
    }
    
    # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
      deny all;
    }
    ## WP Defender - End ##

    If you're unsure of the file location and where to add the code you should get in touch with your hosting provider with these instructions and they should be able to add it for you in a matter of minutes.

    Let us know how it goes and if you have any followup questions.

    Best regards,
    Predrag
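
Added example, not part of the thread and not Defender's own code: a simplified Python model of how NGINX picks a location block (an exact `=` match wins, otherwise the first matching regex in file order), run over constructed request paths to show what the snippet denies and why it goes before `location ~ \.php$`. The function names, the `PHP_HANDLER` stand-in and the sample paths are assumptions for illustration; `^~` prefix locations and nested blocks are not modelled.

```python
import re

# Location blocks from the post, in file order: (modifier, pattern, action).
DEFENDER_RULES = [
    ("~", r"/\.", "deny"),
    ("=", "/wp-config.php", "deny"),
    ("~*", r"^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$", "deny"),
]
# Stand-in for the existing PHP block the snippet is placed before.
PHP_HANDLER = ("~", r"\.php$", "php")


def select_location(uri, locations):
    """Simplified NGINX selection: exact match first, then first regex in order."""
    path = uri.split("?", 1)[0]  # locations match the path, not the query string
    for mod, pat, action in locations:
        if mod == "=" and path == pat:
            return action
    for mod, pat, action in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0  # ~* ignores case
            if re.search(pat, path, flags):
                return action
    return "default"  # falls through to a generic block such as "location /"


def audit(uris, locations):
    """Map each request path to the action of the location that would handle it."""
    return {u: select_location(u, locations) for u in uris}


# Constructed sample request paths
SAMPLES = [
    "/wp-config.php",
    "/.htaccess",
    "/.hidden/info.php",
    "/wp-content/debug.log",
    "/wp-content/uploads/Dump.SQL",
    "/wp-content/themes/x/style.css",
    "/.well-known/acme-challenge/token",
    "/index.php?p=1",
]

if __name__ == "__main__":
    before = audit(SAMPLES, DEFENDER_RULES + [PHP_HANDLER])  # placement from the post
    after = audit(SAMPLES, [PHP_HANDLER] + DEFENDER_RULES)   # snippet placed too late
    for u in SAMPLES:
        print(f"{u:36} before-php={before[u]:8} after-php={after[u]}")
```

With the snippet placed after the PHP block, `/.hidden/info.php` is handed to PHP instead of being denied. The hidden-file rule also denies `/.well-known/`, so a site that relies on that path (for example for certificate validation) needs an explicit location for it ahead of the snippet.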
