Problems with "Preventing Information Disclosure"

Hi,
I installed Hummingbird and Defender. Configuring Defender, ran into problems with "Preventing Information Disclosure," and "Preventing PHP Execution."

For the "Preventing Information Disclosure," I clicked on "ADD .HTACCESS FILE," "to files into each of these directories to lock down the files and folders inside." "ADD .HTACCESS FILE" stays grayed out for a long time.

For "Preventing PHP Execution," when I clicked on "ADD .HTACCESS FILE", I receive message
"Can't write to the file /home/content/a2pnexwpnas04_data01/83/3372583/html/wp-includes/.htaccess add .htaccess"

Would this prevent you from editing the plug-in for Google Analytics?

"Regenerating Security Keys every 60 days" "will log all users out of your site." Do I want to be logged out?

Thank you.

Michael

    Nastia

    Hello mkleiner

    I hope you are doing well today!

    I can replicate this on your site:

    Can't write to the file/wp-includes/.htaccess

    The wp-includes folder permissions are set to 555; this is why you are getting this error. They should be set to 755. I've tried to change the permissions, but the system refused to change them. Most likely I can't do this with the credentials you have sent to us.

    Please try to do this from your end

    Read here more about folder permissions and how to change them:
    https://codex.wordpress.org/Changing_File_Permissions

    Would this prevent you from editing the plug-in for Google Analytics?

    If you mean the plugin that you have created, no, it should not prevent editing the plug-in for Google Analytics.

    Please change the folder permissions and let us know how it went!

    Kind Regards,
    Nastia

    mkleiner

    Nastia,
    This was supposed to be done on the server? I saw a .htaccess file. I right-clicked and tried to change the permissions by clicking in the Read, Write, Execute, but couldn't get to 755. The information at wordpress.org did not tell me how to make the changes, and another link started talking about inserting codes to allow certain files permission. I went back to the server and entered the number 755 in the permissions box.

    I returned to Defender dashboard and it seemed to be running Information Disclosure, but it was scanning.

    There are still the same problems with "Prevention Information Disclosure." Click on Add .HTACCESS file. It goes gray, but never tells me if it's finished.

    "Prevent php execution," when adding .htaccess file, receives "Can't write to the file /home/content/a2pnexwpnas04_data01/83/3372583/html/wp-includes/.htaccess"

    I notice the path here says wp-includes/.htaccess. The .htaccess file is not in a folder and there is no .htaccess file in wp-includes. Should I move the .htaccess file to wp-includes folder?

    Then again, why is it adding the .htaccess file if it is already there? Adding again, will that overwrite the permission changes?

    Update WordPress to latest version. "Error occurred." Version is 4.5.3. I checked, and this is the updated version.

    Regenerated security keys seems to have worked. Below that, says, "RESOLVED

    Nice one, carmin15! These security loopholes are all tightened up."
    So, the "Prevention Information Disclosure." and "Prevent php execution," issues are the ones unresolved.

    Michael

    Alex Stine

    Hello mkleiner
    Hope you are well!

    Let's try to address one issue at a time if you don't mind. Could you please set the permissions on your /wp-includes directory to "755"? This will allow Defender to create a .htaccess file here and add the required code in the file automatically. Defender will not change any of your folder permissions.

    Cheers,
    Alex

    mkleiner

    Hi Alex,
    Wouldn't let me change permissions on wp-includes folder. Tried a few times.

    Status: Connecting to mjspetsitting.com...
    Status: Connected to mjspetsitting.com
    Status: Retrieving directory listing...
    Status: Listing directory /home/d0113372583842/html
    Status: Directory listing of "/home/d0113372583842/html" successful
    Status: Set permissions of '/home/d0113372583842/html/wp-includes' to '755'
    Command: chmod 755 "wp-includes"
    Error: set attrs for /home/d0113372583842/html/wp-includes: permission denied
    Status: Retrieving directory listing of "/home/d0113372583842/html"...
    Status: Listing directory /home/d0113372583842/html
    Status: Directory listing of "/home/d0113372583842/html" successful
    Status: Retrieving directory listing of "/home/d0113372583842/html/wp-includes"...
    Status: Listing directory /home/d0113372583842/html/wp-includes
    Status: Directory listing of "/home/d0113372583842/html/wp-includes" successful
    Status: Retrieving directory listing of "/home/d0113372583842/html"...
    Status: Directory listing of "/home/d0113372583842/html" successful
    Status: Set permissions of '/home/d0113372583842/html/wp-includes' to '755'
    Command: chmod 755 "wp-includes"
    Error: set attrs for /home/d0113372583842/html/wp-includes: permission denied
    Status: Retrieving directory listing of "/home/d0113372583842/html"...
    Status: Listing directory /home/d0113372583842/html
    Status: Directory listing of "/home/d0113372583842/html" successful
    Status: Set permissions of '/home/d0113372583842/html/wp-includes' to '755'
    Command: chmod 755 "wp-includes"
    Error: set attrs for /home/d0113372583842/html/wp-includes: permission denied
    Status: Retrieving directory listing of "/home/d0113372583842/html"...
    Status: Listing directory /home/d0113372583842/html
    Status: Directory listing of "/home/d0113372583842/html" successful
    Status: Set permissions of '/home/d0113372583842/html/wp-includes' to '755'
    Command: chmod 755 "wp-includes"
    Error: set attrs for /home/d0113372583842/html/wp-includes: permission denied
    Status: Retrieving directory listing of "/home/d0113372583842/html"...
    Status: Listing directory /home/d0113372583842/html
    Status: Directory listing of "/home/d0113372583842/html" successful
    Error: Network error: Software caused connection abort
    Status: Disconnected from server
    Status: Connecting to mjspetsitting.com...
    Status: Connected to mjspetsitting.com
    Status: Set permissions of '/home/d0113372583842/html/wp-includes' to '755'
    Command: cd "/home/d0113372583842/html"
    Response: New directory is: "/home/d0113372583842/html"
    Command: chmod 755 "wp-includes"
    Error: set attrs for /home/d0113372583842/html/wp-includes: permission denied
    Status: Retrieving directory listing of "/home/d0113372583842/html"...
    Status: Listing directory /home/d0113372583842/html
    Status: Directory listing of "/home/d0113372583842/html" successful

    I tried going back to site dashboard.
    For Prevent php execution, still can't write:
    Can't write to the file /home/content/a2pnexwpnas04_data01/83/3372583/html/wp-includes/.htaccess

    Also, what address are we supposed to reply to in e-mail? Sometimes, I get an auto response that this is not a reply e-mail, sometimes I don't. I noticed if it is sent to contact@incsub.com it goes through. Yesterday, this one went to you, but twice the reply to the thread about Google Analytics, sent to that address, came back as auto response. Trying to maximize the quickest reply time.

    Alex Stine

    Hello mkleiner
    Hope you are well!

    Could you please get in touch with your web host to see if they can make the corrections for permissions on /wp-includes and write permissions on .htaccess? You can link them this ticket as a reference on what you are trying to accomplish. This should help them better understand what the problem is.
    https://premium.wpmudev.org/forums/topic/problems-with-preventing-information-disclosure

    I believe all of our emails come from contact@incsub.com. You should not however reply to this email, it does not auto add your reply here on the ticket if that is what you were asking.

    Hope this helps.

    Cheers,
    Alex

    mkleiner

    Alex or Nastia,
    I talked to GoDaddy. They said the .htaccess file should not be in wp-includes folder, only in the root directory, which is where it is now. Everything in the wp-includes folder is functioning well. They set the .htaccess file to 755--which I had been able to do, but I was not able to do it on the wp-includes folder--but suggested the permissions not stay on 755 for long because it opens up other security issues. We could try making a copy of .htaccess and put it in wp-includes, but not recommended. Suggested finding another plug-in that does the same thing. We're back to where we were, the .htaccess file set to 755, "Prevent Information Disclosure," (Add .htaccess, grays. Does that mean it was added? Never gives me a confirmation. That remains an action that needs to be done.) and "Prevent php Execution". (Below)
    Can't write to the file /home/content/a2pnexwpnas04_data01/83/3372583/html/wp-includes/.htaccess

    Access extended for three days from today August 19.

    Michael

    Nastia

    Hello Michael, I hope you are doing well!

    First, let me explain what the Defender plugin does. The plugin adds an .htaccess file to each folder of the WordPress installation, which contains this code:

    ## WP Defender - Prevent PHP Execution ##
    <Files *.php>
    Order allow,deny
    Deny from all
    </Files>
    <Files wp-tinymce.php>
    Allow from all
    </Files>
    <Files ms-files.php>
    Allow from all
    </Files>
    ## WP Defender - End ##

    The code above prevents any files that do not belong to the WordPress core files from being executed.

    I tried to upload this .htaccess file manually, but permission is denied because the wp-includes is still set to 555.

    In order to Prevent PHP execution, we need to change the wp-includes folder permission to 755. Once the permissions are set, we will be able to add this .htaccess file inside the folder. The permissions can be changed back to 555 after this.

    Please contact your host again to change the folder permissions. If they deny it again, please ask them to upload the .htaccess file I have attached here, in this thread. However, it will be preferable to change the permissions to 755.

    "Prevent Information Disclosure," (Add .htaccess, grays. Does that mean it was added? Never gives me a confirmation. That remains an action that needs to be done.)

    Prevent Information Disclosure protects non-php files. In order to make it work, it adds the following code inside the .htaccess file:

    ## WP Defender - Prevent information disclosure ##
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    ## WP Defender - End ##

    I see that the .htaccess button is grayed after clicking, but I checked your .htaccess file and the code has been added. So you can "Ignore" this issue.

    Let me know if you have any news from GoDaddy.

    Kind regards,
    Nastia
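
The sequence described in the reply above (relax the 555 directory, add the .htaccess block, go back to 555), as an added example that is not part of the thread and not Defender's own code. It assumes shell access to the site directory, which the managed hosting plan in this thread did not offer; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example, not Defender's code; function names are hypothetical.
# Appends the "Prevent PHP Execution" block quoted above to DIR/.htaccess,
# making a read-only directory (555) owner-writable only during the write.

defender_block() {
cat <<'EOF'
## WP Defender - Prevent PHP Execution ##
<Files *.php>
Order allow,deny
Deny from all
</Files>
<Files wp-tinymce.php>
Allow from all
</Files>
<Files ms-files.php>
Allow from all
</Files>
## WP Defender - End ##
EOF
}

# Print DIR's octal mode, e.g. 555 (GNU stat first, BSD stat as fallback).
get_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# add_php_block DIR
# Returns 0 if written or already present, 1 if DIR is not a directory,
# 2 if chmod is refused (the "permission denied" case above), 3 if the write fails.
add_php_block() {
    dir=$1
    [ -d "$dir" ] || return 1
    ht="$dir/.htaccess"
    # Idempotent: do nothing if the marker line is already in the file.
    if [ -f "$ht" ] && grep -qF '## WP Defender - Prevent PHP Execution ##' "$ht"; then
        return 0
    fi
    orig=$(get_mode "$dir") || return 1
    if [ ! -w "$dir" ]; then
        chmod u+w "$dir" 2>/dev/null || return 2   # 555 + u+w = 755
    fi
    rc=0
    defender_block >> "$ht" || rc=3
    chmod "$orig" "$dir"                           # always restore, e.g. back to 555
    return "$rc"
}
```

A return code of 2 means the account cannot change the directory mode at all, in which case only the host can place the file.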

    mkleiner

    I called GoDaddy and they can't change permissions to run Defender, which they can't support. I would have to switch to regular hosting plan, which means I would lose Managed WordPress Hosting. The history of this redesign, I was not going to put the client through another change when there are other plug-ins that do similar things and take the time to migrate from Managed WordPress to regular hosting. He recommended Wordfence, which has 1,000,000 downloads. I deactivated Defender. I installed Wordfence, confirmed my e-mail, combined in a minute. I went through tour, did some set-up, and a scan. The important thing is it's working.

    I installed Hummingbird, but Wordfence has a similar speed up called Falcon. Smart Crawler is installed. Google Analytics (and working if I use Edge browser on my laptop or my desktop). WP Smush. Snapshot.

    Thank you for your assistance in this long process with this site.

    Michael