Newbie help required for Defender.

I'm a complete newbie to WordPress and WPMUDEV so will apologise in advance for some pretty stupid questions, but if you don't ask you'll never find out!

Just recently I've taken over the administrator role for a website and recommended we transfer hosting over to SiteGround as there were a few issues with the provider we were with.
SiteGround transferred everything across and all seems to be working fine, it's on a shared hosting plan and it had a TablePress plugin already in place. I activated an SSL certificate, installed the Akismet Pro & VaultPress Lite Bundle and WordFence plugins.

I came across WPMUDEV, really liked what I saw and joined! I added the WPMU DEV Dashboard and then the WP Defender plugins.
To prevent me from breaking the website and because I don't know what I can and can't do without causing problems, I thought I'd ask these questions first before doing anything!

I came across this: Please note the nested WP install on your site will not be scanned. Install WP Defender there to scan separately.
Q1. How do I find the nested WP install?

Under HARDENING I have 2 issues:
Issue #1. Change default database prefix
Q2. How do I backup the database before changing the prefix?
Q3. What kind of thing would be a unique prefix?

Issue #2. Prevent Information Disclosure
Q4. How do I find out if I'm using NGINX servers?
Q5. Do I just click IGNORE if I'm not using NGINX servers?

Under SCAN REPORT I have 10 items all to do with the WordPress core.
There are 9 x Unknown file in WordPress core:

php_mail.log
/wp-admin/php_mail.log

error_log
/wp-includes/error_log

utils.php
/wp-includes/js/tinymce/utils/utils.php

php_errorlog
/wp-admin/php_errorlog

error_log
/wp-admin/error_log

wordfence-waf.php
/wordfence-waf.php

wp-pass.php
/wp-pass.php

wp-register.php
/wp-register.php

i.php
/i.php

Q6. What do I select here as I'm not sure: Resolve Issue, False Alarm, Delete This File?
Q7. If I click Resolve Issue what do I do?

There is 1 x This WordPress core file appears modified

version.php
/wp-includes/version.php

Q8. What do I select here as I'm not sure: Resolve Issue, False Alarm, Delete This File?
Q9. If I click Resolve Issue what do I do?

Again, sorry for what are probably basic stupid questions!

  • Ivan Shulev

    Hey Scott,

    I hope you are having a nice day so far!

    You are more than welcome to ask any question that comes to mind, no matter how "stupid" you might think it is. By asking these questions you are helping yourself, helping other members in the future and also helping us broaden our knowledge so I should be thanking you for this :slight_smile:

    Let's try to answer those questions:

    Q1. How do I find the nested WP install?

    Imagine you have your site folder on the following server path - /var/www/root - and there lies your WordPress installation with the installed Defender plugin.

    Now imagine you create another folder, let's assume /var/www/root/anotherfolder, and install another WordPress in there. This new install is nested within the other one. The two sites will not know about each other and you will need to install Defender for the new one as well.

    Q2. How do I backup the database before changing the prefix?

    You can use a plugin like https://premium.wpmudev.org/project/snapshot/. It does a great job for backups :slight_smile:

    Q3. What kind of thing would be a unique prefix?

    Anything that is not the default "wp_" prefix. You can make something up with your name and URL, for example. You can take the first two letters of your name and add the first two of your URL. Use your imagination :slight_smile:

    Q4. How do I find out if I'm using NGINX servers?

    This information can be provided by your hosting provider, but there are quick 3rd party scans. In http://browserspy.dk/webserver.php you can enter your URL and it will tell you whether it is Nginx, Apache or another server.

    Since Defender is showing a solution for Nginx, you probably have Nginx.

    Q5. Do I just click IGNORE if I'm not using NGINX servers?

    There is a solution for Apache as well, but I would advise you to try adding the fix suggested by Defender first.

    Q6. What do I select here as I'm not sure: Resolve Issue, False Alarm, Delete This File?

    I would advise you to ask your hosting provider. If this is a fresh install, there should be no problems and you can click False Alarm. However, there are files that look like they are added by your hosting provider and I am uncertain about them. Just ask them if they recognize these files and if they have been changed / look suspicious.

    Ask them about the modified files as well.

    Again, you are more than welcome to post back here with updates and further questions! We are all here to learn and help each other :slight_smile:

    I wish you an awesome day ahead!

    Ivan
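
A way to check the flagged files yourself before choosing an action in the scan report, as an added example that is not part of the original posts and is not Defender's own code: it compares a WordPress tree against a path-to-MD5 manifest for the installed release and separates modified core files from unknown ones. The manifest contents, file bodies and version string in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # should contain nothing but core files
ROOT_SKIP = {"wp-config.php"}            # site-specific, never in the manifest

def md5_of(path):
    # MD5 is what the published core manifest uses; it is compared to a trusted list here.
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def triage_core(root, manifest):
    """Compare a WordPress tree with manifest {relative_path: md5}.
    Returns (modified, unknown, missing) as sorted lists of relative paths."""
    root = Path(root)
    modified, missing = [], []
    for rel, digest in manifest.items():
        if rel.startswith("wp-content/"):
            continue  # bundled themes and plugins are legitimately updated or removed
        path = root / rel
        if not path.is_file():
            missing.append(rel)
        elif md5_of(path) != digest:
            modified.append(rel)
    on_disk = [p for p in root.glob("*.php") if p.name not in ROOT_SKIP]
    for name in CORE_DIRS:
        on_disk += [p for p in (root / name).rglob("*") if p.is_file()]
    unknown = {p.relative_to(root).as_posix() for p in on_disk} - set(manifest)
    return sorted(modified), sorted(unknown), sorted(missing)

def demo():
    """Constructed tree that mirrors the kinds of findings in the scan report."""
    core = {"index.php": b"<?php // front controller",
            "wp-admin/admin.php": b"<?php // admin bootstrap",
            "wp-includes/version.php": b"<?php $wp_version = '0.0-constructed';"}
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in core.items()}
    on_disk = dict(core)
    on_disk["wp-includes/version.php"] += b" // extra bytes"   # modified core file
    on_disk.update({"i.php": b"<?php", "wp-admin/error_log": b"log line",
                    "wp-config.php": b"<?php // site config"})  # two unknowns, one skipped
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in on_disk.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return triage_core(tmp, manifest)

if __name__ == "__main__":
    for label, paths in zip(("modified", "unknown", "missing"), demo()):
        print(label, paths)
```

On a real site the manifest would be the checksum list published for the exact WordPress version and locale installed, which is the same comparison `wp core verify-checksums` in WP-CLI performs. Log files such as `error_log` show up as unknown but are data, while an unknown `.php` file in the root or under `wp-includes` is worth opening and reading before it is marked as a false alarm.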

  • Scott

    Hi Ivan

    Thank you very much for your quick reply. :smiley:

    Please allow me to reply back with a few queries and questions to your answers just to clarify a few things and see if this helps other people too!

    (Q1. How do I find the nested WP install?)
    Going by your example I am assuming the following path is what you are talking about:

    /home/(cpanel-username)/public_html

    Within this are the following folders:

    cgi-bin
    wp
    wp-admin
    wp-content
    wp-includes

    This to me says there are no other folders that WordPress could be installed in, would that be correct?
    So does this mean: "Please note the nested WP install on your site will not be scanned. Install WP Defender there to scan separately." is just for information or is it saying there is a nested WP install which I need to find?

    (Q2. How do I backup the database before changing the prefix?)
    I have installed Snapshot and backed up the database to Dropbox. :smiley:

    (Q3. What kind of thing would be a unique prefix?)
    I've changed the default database prefix (not saying to what) and everything seems to be working fine!

    (Q4. How do I find out if I'm using NGINX servers?)
    I used the link you gave me and found out I'm using NGINX servers. :smiley:

    (Q5. Do I just click IGNORE if I'm not using NGINX servers?)
    So since Defender is showing a solution for Nginx, I have Nginx! However I cannot find the location of the file to add the code! :disappointed:

    I contacted the hosting provider about the other issues to do with the WordPress core, here is the reply:
    ---------
    I just scanned your whole account for malware but none was found.

    Therefore these files are not malicious / suspicious.

    Of course if anything else comes up please let us know.
    ---------
    Going by this reply, False Alarm would be the correct choice to select. Do you agree?

    Kind Regards

    Scott

  • Ivan Shulev

    Hey Scott,

    Awesome to see you are digging deeper into this! I will try to clarify your questions and as always, keep them coming :slight_smile:

    (Q1. How do I find the nested WP install?)

    I would look into /home/(cpanel-username)/public_html/wp folder. If the plugin is displaying the "Please note the nested WP install on your site will not be scanned." message, then it supposedly has found WordPress core files outside of the regular WP folder structure.

    The usual WP folders are:
    wp-admin
    wp-content
    wp-includes

    So it would be nice to check the wp folder. You could also ask your hosting provider about it. Most hosting providers offer a one-click install of WordPress and it might be installed by accident.

    Here is an intro article about the core WordPress file and folder structure - http://www.wpbeginner.com/beginners-guide/beginners-guide-to-wordpress-file-and-directory-structure/

    So since Defender is showing a solution for Nginx, I have Nginx! However I cannot find the location of the file to add the code!

    I would suggest contacting your hosting provider and asking them to paste the suggested code by Defender. Different hosting companies have different file structures so they will know where to find the right files. Also, you will need Server access (possibly through Control Panel) and not just FTP access to find those files.

    Going by this reply, False Alarm would be the correct choice to select. Do you agree?

    They say they scanned all your files, so yes, False Alarm would be the way to go!

    I hope this gave a bit more clarity and I wish you an awesome day ahead!

    Ivan
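
One way to locate a nested install from a copy of the site files, as an added example that is not part of the original posts and is not how Defender itself detects them: it walks the document root, treats any directory containing `wp-includes/version.php` as a WordPress install, and reads the version each copy reports, so a forgotten copy that is still being served stands out. The folder layout and version strings in `demo()` are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
CORE_SUBDIRS = {"wp-admin", "wp-includes"}

def find_wp_installs(docroot):
    """Map each directory under docroot that holds wp-includes/version.php to the
    version string found there (None if it cannot be parsed). '.' is the main install."""
    docroot = Path(docroot)
    installs = {}
    for dirpath, dirnames, _files in os.walk(docroot):
        marker = Path(dirpath, "wp-includes", "version.php")
        if marker.is_file():
            match = VERSION_RE.search(marker.read_text(errors="replace"))
            rel = Path(dirpath).relative_to(docroot).as_posix()
            installs[rel] = match.group(1) if match else None
            # Skip this install's own core directories to keep the walk short
            dirnames[:] = [d for d in dirnames if d not in CORE_SUBDIRS]
    return installs

def nested_installs(docroot):
    """Installs other than the one at the document root itself."""
    return {d: v for d, v in find_wp_installs(docroot).items() if d != "."}

def demo():
    """Constructed layout modelled on the folder listing in the thread."""
    layout = {"wp-includes/version.php": "<?php\n$wp_version = '9.9.9';\n",
              "wp/wp-includes/version.php": "<?php\n$wp_version = \"1.2.3\";\n",
              "wp-content/uploads/readme.txt": "no install here",
              "cgi-bin/.keep": ""}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in layout.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return find_wp_installs(tmp), nested_installs(tmp)

if __name__ == "__main__":
    everything, nested = demo()
    print("all installs:", everything)
    print("nested only:", nested)
```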

  • Scott

    Hi Ivan

    Thank you for the link to the intro article about the WordPress file and folder structure, that helped me understand things a lot better. I have no idea why the wp folder is there and I don't think it needs to be there so I'll probably just delete it as it does not appear to have been touched in quite a few years. (I've recently taken over administration of this site and there seems to be a whole lot of things to sort out!)

    I contacted my hosting provider about the Nginx solution, so here is an update with what they sent back:

    As your account is a shared hosting that is hosted on a server with other shared accounts, direct access to the NGinX configuration file and editing this file is not possible as it might ruin the configuration of other websites hosted on the server.

    Nevertheless if you want to do such configurations for your website, you can do it in the .htaccess file that is placed in the root directory of your website by adding:

    # Turn off directory indexing
    Options -Indexes

    # Deny access to htaccess
    <Files .htaccess>
    Order Allow,Deny
    Deny from all
    </Files>

    # Deny access to wp-config
    <Files wp-config.php>
    Order Allow,Deny
    Deny from all
    </Files>

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ -
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    Would this solve the Defender issue?

    If so and having looked at my .htaccess file my question is this:

    Does it matter where I put the code?

    I'll include the .htaccess file below just in case there is a particular place it should be inserted:

    SetEnv PHPRC /home/******/public_html/php.ini

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    # Wordfence WAF
    <IfModule mod_suphp.c>
    suPHP_ConfigPath '/home/******/public_html'
    </IfModule>

    # END Wordfence WAF

    AddHandler application/x-httpd-php56 .php .php5 .php4 .php3

    Thanks again for your help and patience,

    Scott

  • Madhusudan

    Hello Scott,

    Create a backup of your site's .htaccess so that it could be restored later if required.
    Next copy and paste the following code into your existing .htaccess file replacing the whole content of your old file.

    SetEnv PHPRC /home/******/public_html/php.ini

    # BEGIN WordPress

    # Block the index.php and include-only files.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ -
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    # END WordPress

    # Turn off directory indexing
    Options -Indexes

    # Deny access to htaccess
    <Files .htaccess>
    Order Allow,Deny
    Deny from all
    </Files>

    # Deny access to wp-config
    <Files wp-config.php>
    Order Allow,Deny
    Deny from all
    </Files>

    # Wordfence WAF
    <IfModule mod_suphp.c>
    suPHP_ConfigPath '/home/******/public_html'
    </IfModule>

    # END Wordfence WAF

    AddHandler application/x-httpd-php56 .php .php5 .php4 .php3

    After updating the .htaccess file on your server, make sure to check your site by refreshing whether it's still working or not. In the case your website returns a blank/white screen, immediately replace the new content of .htaccess file with the old saved copy of .htaccess.

    Let us know how it works.

    Thanking you,
    Madhusudan

  • Alex Stine

    Hello,
    Please see this thread for more information.
    https://premium.wpmudev.org/forums/topic/defender-wants-me-to-edit-nginx-config-file-but-im-on-apache

    The reason why Defender says you are on NGINX, is because of this.

    As you may know, our servers are using NGINX as a proxy server which is configured to listen before the Apache web server.

    This is a reply straight from SiteGround technical support. I made them dig until I had the answer.

    Now, here is a reply from the developer,
    https://premium.wpmudev.org/forums/topic/defender-wants-me-to-edit-nginx-config-file-but-im-on-apache#post-1062046
    the Prevent Information Disclosure module will still not work correctly because this is handled at the NGINX level, best thing to do, ignore it.

    If the most recent update still has not fixed some of your SiteGround problems, please grab the beta version, it works, I tested it. :slight_smile:
    https://premium.wpmudev.org/forums/topic/defender-wants-me-to-edit-nginx-config-file-but-im-on-apache#post-1064604

    Thanks,
    Alex :smiley:

  • Scott

    Hi Madhusudan

    Did what you suggested and after refreshing... my site is still working!
    However the Prevent Information Disclosure issue in Defender is still there so going by Alex S's post above, should I just click Ignore until the next version comes out?

    Just for information, would I have to deactivate and delete the current Defender plugin before uploading and installing the beta version?
