Prevent Information Disclosure warning on nginx

The Prevent Information Disclosure fix had been added to the site by adding the code to Nginx config file. Hummingbird still detects it as not applied (other fixes are detected).

  • Ash

    Hello reza

    I tried to connect using ssh, but looks like there is a permission issue. Would you please check?

    The following is what I got when tried to login:

    ssl ssh root@xx.xx.xx.xx
    The authenticity of host 'xx.xx.xx.xx (xx.xx.xx.xx)' can't be established.
    ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxx.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'xx.xx.xx.xx' (ECDSA) to the list of known hosts.
    Permission denied

    Please let us know. Have a nice day!


  • James Morris

    Hello reza,

    You can send the updated information through our secure contact form.

    Please visit the Contact page and complete the form with the following information:

    Subject: "Attn: Ash or James Morris"

    In the Message box, please provide the following:

    - link back to this thread for reference
    - any other relevant urls

    - Site Admin login:
    Admin username
    Admin password
    Login url

    - Server Login
    username (if other than root)
    Host name
    Attach key if needed

    Best regards,

    James Morris

  • Paul Kevin

    Hey there reza ,

    Hope you are well today. Kindly try the following Defender rules

    ## WP Defender - Prevent information disclosure
    ### Turn off directory indexing
    autoindex off;
    # Deny access to htaccess and other hidden files
    location ~ /\. {
      deny  all;
    # Deny access to wp-config.php file
    location = /wp-config.php {
      deny all;
    # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
      deny all;
     Stop php access except to needed files in wp-includes
    location ~* ^/wp_includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
      internal; #internal allows ms-files.php rewrite in multisite to work
    # Specifically locks down upload directories in case full wp-content rule below is skipped
    location ~* /(?:uploads|files)/.*\.php$ {
      deny all;
    # Deny direct access to .php files in the /wp-content/ directory (including sub-folders).
    #  Note this can break some poorly coded plugins/themes, replace the plugin or remove this block if it causes trouble
    location ~* ^/wp_content/.*\.php$ {
      deny all;
    ## WP Defender - End ##

    Also please check if you have any ssl errors. If any please use the following piece of code in your themes functions.php add_filter( 'defender_ssl_verify', '_return_false' );

    Warm Regards
    Paul Kevin

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.