Problem with Defender hardening

Hi,
I have a problem with Defender not writing the .htaccess files in the relevant folders for the hardening/prevent information disclosure. Can I set them manually (in which case I would need some details) or could you have a look?

Cheers,
Peter

  • Dimitris

    Hey there Peter,

    hope you're doing good! 🙂

    This may be a matter of permissions and ownership assigned to folders and .htaccess file.
    All directories should be 755 or 750. All files should be 644 or 640.
    References:
    https://codex.wordpress.org/Changing_File_Permissions
    https://codex.wordpress.org/Changing_File_Permissions#Using_an_FTP_Client
    https://www.smashingmagazine.com/2014/05/proper-wordpress-filesystem-permissions-ownerships/

    If this troubles you, I'll definitely need to see this in action. Could you please grant us support access to your website to better investigate this? You can do so via the WPMUDEV Dashboard plugin as described here (no need to share credentials):
    https://premium.wpmudev.org/docs/getting-started/getting-support/#chapter-4

    Just let us know here in your next reply that access is granted as we don't get any kind of notifications about it.

    Warm regards,
    Dimitris

  • Peter

    Thanks Dimitris,
    I am a little miffed about my webhost. Their backend, especially their one-click installer for WordPress, is simply erratic. Sometimes it feels like things work or don't depending on the weather.
    On top of that, WordPress and especially the plugins feel like flying a plane made of papier-mâché, and you never know what's going to break something or I'll get an error message for something that worked just fine the first 100 times before.

    Turns out the website is going to be a little more complex and with getting plugins to work together and keeping a good site speed even the order in which the plugins get activated makes all the difference in the world. So with n! combinations to test where n is the number of plugins....

    I still haven't given up hope. I think I have identified the troublemakers though, so with any luck I'll get it right soon, including Defender. Fingers crossed.

  • Predrag Dubajic

    Hi Peter,

    I can say that you're not the only one worried about one-click installers. I'm not saying they are all bad, but I have encountered a couple of them where things just refused to work properly on WP installed that way; reinstalling it the old-fashioned way usually fixed the issues in those cases.

    Here are Defender rules for .htaccess files in case you want to try adding them manually:

    - For .htaccess inside root WP folder:

    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <Files robots.txt>
    Allow from all
    </Files>
    ## WP Defender - End ##

    - For .htaccess inside wp-includes folder:

    ## WP Defender - Prevent PHP Execution ##
    <Files *.php>
    Order allow,deny
    Deny from all
    </Files>
    <Files wp-tinymce.php>
    Allow from all
    </Files>
    <Files ms-files.php>
    Allow from all
    </Files>
    ## WP Defender - End ##

    - And last .htaccess which is in wp-content folder:

    ## WP Defender - Prevent PHP Execution ##
    <Files *.php>
    Order allow,deny
    Deny from all
    </Files>
    ## WP Defender - End ##

    Best regards,
    Predrag

  • Peter

    Hi Predrag,

    got sidetracked with a lot of other issues.

    Thanks for posting a manual solution. I should be able to make that work.

    Looking into fixing other problems with my current install though I tried something drastic. To make sure it had nothing to do with file permissions I just created a new install of WP manually. Then set all files and folders to 777 and on a hunch tested Defender "Prevent Information Disclosure" - and it still didn't work. So there seems to be something fishy you guys might need to look into. Unless you have an idea if there is another way my host could be preventing this from working.

    Cheers,
    Peter

  • Predrag Dubajic

    Hi Peter,

    Defender adds those rules to .htaccess files, but it's still up to your host to allow these changes to be made this way.
    There are hosts that preconfigure their server settings in their desired way and prevent these changes from being made via .htaccess rules.

    You can get in touch with your hosting provider and ask them to enable desired hardening rules, or allow these changes to be made via .htaccess.

    Best regards,
    Predrag

  • Peter

    Ah. Yes. But that's probably never going to happen with regard to this webhost.

    Regarding Defender: If this is a known source for problems, wouldn't it be better if Defender would display a proper error message instead of the "apply changes" button just going back to its original color?
    Especially after you posted the code I would have never thought twice and just assumed that the code did its job once it's there. I knew about server-side PHP restrictions, but in this case I would have never ever made that connection.

  • Peter

    Hi again.

    I sussed it out: It's not a problem with the file permissions. I even had Defender run on a trial WP install with all files and folders set to 777. Still didn't work.

    It happens when I am logged in to admin via https. Possible connection to the WP settings where you define the URLs and set them to https://
    If it generally works with https, then it would be down to the Comodo certificate and the way that the webhost is handling it. The certificate is not personalised to the URL.

    Hope that gives you some clues to determine whether this is a general bug or just with my SSL setup.
    It also causes a problem with restoring Snapshot. Got a thread for that here: https://premium.wpmudev.org/forums/topic/snapshot-backup-locks-me-out-of-admin?replies=4#post-1235728

    Cheers,
    Peter

  • Dimitris

    Hey there Peter,

    hope you're doing good today! 🙂

    I just re-tested that in a multisite environment with an active Let's Encrypt certificate bound to my test domain name and I wasn't able to replicate either of your issues.

    My main site has a site_url and home_url already set with https:// and all Defender's Hardener settings were able to get activated and they are showing a "resolved" green status.

    Have you tried to test this in a clean installation? Like only with Defender plugin and a default theme like TwentySeventeen?
    If these issues remain, I think you should either contact your hosting provider on this like my colleague Predrag mentioned before, or search for another, more reliable and more cooperative, hosting provider.

    Warm regards,
    Dimitris

  • Peter

    Hello again, all you wonderful helpers.

    So. Tons of coffee later and double the amount of grey hair....

    My host: They are very eager to help. At least in their mind. But the communication is dada-esque. At best. Which is somewhat ironic since the topic of the blog will be about "communication" in the broadest sense. Unfortunately I am stuck with them for the time being. On a shoestring and all.
    Anyway. Loads of lemons = loads of lemonade.

    Regarding Defender: I still had some issues when reinstalling WordPress over and over with activating the plugins I need in various orders and trying out alternatives if one plugin seemed to be connected to trouble.

    I also checked the htaccess files you posted above. And the code seemed to be there. But then yesterday the weirdest thing happened. Fresh Multisite install. Standard theme. I think TwentySeventeen. First Plugin: Defender. Again the problem with the "information disclosure" code.
    Checked the htaccess files immediately. And Defender was definitely writing code. But the htaccess file in the WordPress root directory was missing some lines. Most visibly all the ## BEGIN Defender and ## END Defender bits. And since I had tried pressing the button inside Defender several times there were multiple versions of the whole code. Well - with the bits missing here and there.

    I had checked the files on earlier occasions following your advice and I think I did a thorough job but I couldn't find any code missing. Possibly I did miss something though. Because this time I copied the code manually into the htaccess files. Even when it looked perfect. Saved everything. Went back to WP admin. Defender still showed the 1 for an outstanding task. Went on to perform a couple of non-Defender-related tasks. And then all of a sudden the 1 disappeared and Defender was happy.

    So. Basically I am surprised. Everything seems to work for the first time ever after months of trial and error. I must have reinstalled WP more than a hundred times to get to this point.

    Thanks again for your support.
    Peter
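
Added example (not part of the original thread and not Defender's own code): a small Python check for the damage Peter describes above, i.e. rule copies in .htaccess that lost their `## WP Defender - ... ##` markers and blocks written more than once. The marker format is taken from the rules posted earlier in the thread; the function name `audit_htaccess`, the sample text and the orphaned-rule heuristic are assumptions made for this illustration.

```python
import re

# Marker lines in the format used by the rules posted earlier in this thread.
BEGIN = re.compile(r"^##\s*WP Defender - (?!End\b)(.+?)\s*##$")
END = re.compile(r"^##\s*WP Defender - End\s*##$")
# Directives used by the posted rule sets. Other plugins may use them too, so a
# hit outside a marked block is only a hint of a partially written copy.
RULE = re.compile(r"^(Options -Indexes|</?Files(Match)?\b.*>|Order allow,deny"
                  r"|Deny from all|Allow from all)$", re.I)

def audit_htaccess(text):
    """Return [(line_no, problem), ...] for Defender blocks found in text."""
    problems, open_at, first_seen = [], None, {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        begin = BEGIN.match(line)
        if begin:
            if open_at is not None:
                problems.append((open_at, "block never closed"))
            name = begin.group(1)
            if name in first_seen:
                problems.append((no, f"duplicate of block at line {first_seen[name]}"))
            first_seen.setdefault(name, no)
            open_at = no
        elif END.match(line):
            if open_at is None:
                problems.append((no, "End marker without a start marker"))
            open_at = None
        elif open_at is None and RULE.match(line):
            problems.append((no, "possible orphaned rule (outside marked block)"))
    if open_at is not None:
        problems.append((open_at, "block never closed"))
    return problems

# Constructed sample: a copy that lost its markers, then the block written twice.
SAMPLE = r"""Options -Indexes
<FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
Order allow,deny
Deny from all
</FilesMatch>
## WP Defender - Prevent information disclosure ##
Options -Indexes
## WP Defender - End ##
## WP Defender - Prevent information disclosure ##
Options -Indexes
## WP Defender - End ##
"""

if __name__ == "__main__":
    for line_no, problem in audit_htaccess(SAMPLE):
        print(f"line {line_no}: {problem}")
```

An empty result only says the file on disk is consistent; whether the server honours the rules still depends on the host allowing .htaccess overrides, as discussed earlier in the thread.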

  • Dimitris

    Hey there Peter,

    hope you're doing good today! 🙂

    I'm glad that you've managed to sort that out eventually! I wonder if this was a matter of caching, that you were seeing one issue in Defender; and after a while this was resolved. You can try to deactivate all caches from your website, coming from other plugins and any other server side mechanisms you may use, next time you install Defender.

    Have a good one,
    Dimitris

  • Peter

    Hi Dimitris,

    yeah. REALLY happy myself.

    But now that you mention server side... there's a Varnish cache running on that server. And the host doesn't give out information on how to purge it. I just got this nagging feeling that I might have been looking in the wrong direction when trying to get WordPress to run. Like one of those rookie mistakes that you learn the hard way and will never forget. Ever.

    I most definitely deactivated any WordPress cache. But of course Varnish I never disabled that one. One of the problems that I had debugging WordPress was that once I got a problem while trying to get the various plugins to work together, I was never able to revert to a working state by uninstalling the plugins. So that formed the impression in my head that those plugins would always leave code somewhere that was messing with WordPress even when you uninstall them. So sloppy programming basically. But a bloody server side cache that just won't purge... would show the same symptoms. And I knew about that cache. Just never put one and one together. Wow. I just love these moments.
    Not sure this will solve the Defender issue because that seems to be down to HTTPS on that server. Unless HTTPS has an influence on Varnish that then in turn somehow does funny things with Defender.
    If I ever reinstall this project from scratch I will definitely try it. Right now I am so fed up that I hope it will just keep working. No experiments.

    Thanks again
    Peter

  • Dimitris

    Hey there Peter,

    hope you're doing good today! 🙂

    Having a server with no control over its different programs, like Varnish, isn't optimal.
    In my opinion, you should at least have been provided with some options:
    1. to purge cache
    2. to exclude any specific URLs from caching

    I'd rather advise to find some alternatives to host your sites or build some contact with current hosting provider on how they could possibly help you with that.

    Have a good one,
    Dimitris

  • Peter

    Hi Dimitris,

    regarding Varnish purge and URL exclusion: I so agree with you there. All I can do is disable it in htaccess.

    This host... communication with them has been surreal. I've started collecting support transcripts. For evidence. And fun.
    Last question regarding Varnish I had was if I could use "Varnish HTTP Purge" Plugin with the server/varnish settings. Or more to the point if this plugin would work especially with the focus on the function to purge the entire Varnish cache. First answer: yes. Me asking again to clarify to make REALLY sure that we were on the same page: answer was no this time.
    Conversation then dragged on. I ask again: Yes of course it will work. I have told you so already. Me: regarding making changes to posts yes. But what about the advertised function to purge the entire cache? - I have told you already.

    Basically at the end of this I was apparently the undereducated one that had no clue about php and mysql.

    Unfortunately I am stuck with them for the time being. This is a project on a very thin shoestring.

    And guess what. I did set up the entire thing again last night. Again as Multisite. Tried Defender hardening as the second plugin after Dashboard. With Varnish enabled. Still, no beans. Same old problem.
    Disabled Varnish: Voila. Sweet and easy. And all the other hardening procedures seemed to finish a lot quicker too.

    So. Final verdict: There is a chance that Comodo SSL had something to do with it in single site and possibly also multisite install. But on multisite it feels like it is a 99% guarantee that Varnish cache was the culprit.

    What a nasty piece of business this was.

    Thanks again for all the advice and patience.

    Peter