WP Defender PHP Execution Problems??

OK, I should let you know how this problem all began because I'm not sure where the issue lies at this point. The styling on one of my sub sites became distorted. I thought there may be a plugin conflict, but upon disabling plugins I didn't see any change regarding the problem.

I then tried to reupload the theme and that did nothing. I went to the theme developer to see if there was a newer version and there was not. He took a look at this issue for me and found that the style.php file was not a readable file. In fact, when he tried to visit the site, it gave a 403 error. I reviewed people's sites who had a similar theme and when I went to the directory that contained the style.php file, I was able to see it just fine. But mine had the 403 error.

So I went to my hosting company (at the direction of the Theme developer) and told them that although the permissions for the file were set at 755, the file was not readable like other sites.

They looked into it and here is what they said:

Code:

## WP Defender - Prevent PHP Execution ##
<Files *.php>
Order allow,deny
Deny from all
</Files>

This code denies the access to all the PHP files in the directory wp-content and all subdirectories recursively.

I have renamed the file .htaccess-BLOCK and I was able to access the file:

curl -I http://hotmommadesignz.com/wp-content/themes/FlowAway/style.php
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 24 Sep 2016 01:45:20 GMT
Content-Type: text/css
Connection: keep-alive
Vary: Cookie
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=d2a3afi1gdqop049v7bip45kk0; path=/
Host-Header: 192fc2e7e50945beb8231a492d6a8024

Please check the results and let me know if you need further assistance.

So when I went to visit the link, I noticed that I no longer got the 403 error and that the file was readable. I thought the issue might be resolved, but the style of the site is still looking distorted.

Also, I wanted to see what I could do to still use php execution, but to also ensure it doesn't deny critical files that I need to run my sites. I'm also not sure if WP Defender has written code into any other files that may be causing my sub site problems. I know when I disabled the plugin, the results were still the same, but again I'm not sure if there was still coding in place that would cause a problem with my styling...

  • Sajid

    Hi Jerone,
    Hope you are doing good today!

    Thank you so much for the detailed explanation and the background of the issue. Yes, wp-defender plugin adds that code to prevent execution of .php files.

    However, in some cases like this you might exclude some files that you think are important for your website to function correctly.

    <Files filename.php>
    Allow from all
    </Files>

    Add this code in .htaccess file and rename filename with your file name, in this case it will be style.

    It does not add this code anywhere else except the .htaccess file. So you are good to go now.

    If you are still getting this issue then there is something else going on with another plugin or theme. A detailed conflict test may help.

    Take care and have a nice day :slight_smile:

    Best Regards,
    Sajid

  • Jerone

    Well at first the site was still distorted... but now it's good... I attempted to do the conflict test again and disable all the plugins. This time the site looked fine... I had to leave, so I figured I would mess with it later, so I reactivated all the plugins and surprisingly everything is still good to go... so I'm not sure what did it, but it doesn't seem to be a plugin. It looks normal now... So thanks for all your help...

    On another note, I now have some concerns about WP Defender's php execution. I understand the purpose, but I don't understand the logic. If WordPress uses php files throughout its file structure, then how does WP Defender not cripple the entire infrastructure of WordPress and all its php files? The code says Deny all. I mean I'm glad it doesn't, but I'm curious as to how that works and also how I can be mindful of this as I begin to build more sites. At the end of the day, I'm not sure how to prevent this from happening again. I know the solution is to add the file name to the .htaccess file, but I'd like to prevent it from happening period. Is this possible? I like WP Defender, so at this point, disabling that plugin isn't really an option...

  • Sajid

    Hi Jerone,
    Hope you are doing good today!

    Good question! It basically prevents the execution of PHP files which are accessed directly. So you should not be worried about the WordPress files and also plugins' PHP files. They run successfully because they are not being called directly via HTTP request.

    I am sorry, but I don't have any option to prevent this from happening. If Defender sees that some files are being accessed directly, it will block them. That's what it is designed for.

    If there are files that are required to work and you think are not harmful then you can whitelist them in .htaccess. In case you need to whitelist more than one file then you can separate the names of files with pipe (|) like below.

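    # Alternation with | needs FilesMatch (a regular expression); <Files> takes one name or wildcard
    <FilesMatch "^(filename\.php|filename2\.php|filename3\.php)$">
    Allow from all
    </FilesMatch>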

    Take care and have a nice day :slight_smile:

    Best Regards,
    Sajid
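
Added example, not part of the thread and not WP Defender's or Apache's code: a simplified Python model of how the `<Files>` and `<FilesMatch>` sections in `wp-content/.htaccess` decide a direct request, so an exception list can be checked before it is deployed. It assumes only `Deny from all` / `Allow from all` bodies and that the last matching section decides; the `.htaccess` fragments, the name `ajax.php` and the paths other than `style.php` are constructed samples.

```python
import fnmatch
import posixpath
import re

# Constructed .htaccess fragments for wp-content/ (ajax.php is a made-up name).
DENY = "<Files *.php>\nOrder allow,deny\nDeny from all\n</Files>\n"
PIPE_EXCEPTION = "<Files style.php|ajax.php>\nAllow from all\n</Files>\n"
REGEX_EXCEPTION = ('<FilesMatch "^(style|ajax)\\.php$">\n'
                   "Allow from all\n</FilesMatch>\n")

SECTION = re.compile(r"<(Files|FilesMatch)\s+(.+?)>\s*\n(.*?)</\1>", re.S | re.I)


def parse(htaccess):
    """Return [(kind, pattern, verdict)] for each Files/FilesMatch section."""
    rules = []
    for kind, pattern, body in SECTION.findall(htaccess):
        verdict = None
        for line in body.splitlines():
            words = line.lower().split()
            if words in (["deny", "from", "all"], ["allow", "from", "all"]):
                verdict = words[0]
        if verdict:
            rules.append((kind.lower(), pattern.strip().strip('"'), verdict))
    return rules


def direct_request(htaccess, path):
    """Status a direct HTTP request for `path` gets: '403' or '200'."""
    name = posixpath.basename(path)  # these sections see only the file name
    verdict = "allow"                # no matching section: served as usual
    for kind, pattern, rule_verdict in parse(htaccess):
        if kind == "files":
            hit = fnmatch.fnmatchcase(name, pattern)  # wildcard; '|' is literal
        else:
            hit = re.search(pattern, name) is not None  # FilesMatch is a regex
        if hit:
            verdict = rule_verdict   # a later matching section overrides
    return "403" if verdict == "deny" else "200"


if __name__ == "__main__":
    for label, text in (("deny only", DENY),
                        ("pipe in <Files>", DENY + PIPE_EXCEPTION),
                        ("FilesMatch", DENY + REGEX_EXCEPTION)):
        for path in ("themes/FlowAway/style.php", "themes/Other/style.php",
                     "plugins/demo/helper.php", "themes/FlowAway/style.css"):
            print(f"{label:16} {path:28} {direct_request(text, path)}")
```

Because matching is by file name, an exception in `wp-content/.htaccess` covers every file of that name in every subdirectory; placing the exception in the `.htaccess` of the one directory that needs it keeps it narrow.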