Thanks Alex :smiley:

Hi Madhusudan Did what you suggested and after refreshing... my site is still working! However the Prevent Information Disclosure issue in Defender is still there so going by Alex S's post above, should I just click Ignore until the next version comes out? Just for information, would I have to deactivate and delete the current Defender plugin before uploading and installing the beta version?

Hi Ivan Thank you for the link to the intro article about the WordPress file and folder struture, that help me understand things a lot better. I have no idea why the wp folder is there and I don't think it needs to be there so I'll probably just delete it as it does not appear to have been touched in quite a few years. (I've recently taken over administration of this site and there seems to be a whole lot of things to sort out!) I contacted my hosting provider about the Nginx solution, so here is an update with what they sent back: As your account is a shared hosting that is hosted on a server with other shared accounts, direct access to the NGinX configuration file and editing this file is not possible as it might ruin the configuration of other websites hosted on the server. Nevertheless if you want to do such configurations for your website, you can do it in the .htaccess file that is place in the root directory of your website by adding: # Turn off directory indexing Options -Indexes # Deny access to htaccess <Files .htaccess> Order Allow,Deny Deny from all </Files> # Deny access to wp-config <Files wp-config.php> Order Allow,Deny Deny from all </Files> # Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - RewriteRule ^wp-includes/[^/]+.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule> Would this solve the Defender issue? If so and having looked at my .htaccess file my question is this: Does it matter where I put the code? I'll include the .htaccess file below just in case there is a particular place it should be inserted: SetEnv PHPRC /home/******/public_html/php.ini # BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPress # Wordfence WAF <IfModule mod_suphp.c> suPHP_ConfigPath '/home/******/public_html' </IfModule> # END Wordfence WAF AddHandler application/x-httpd-php56 .php .php5 .php4 .php3 Thanks again for your help and patience, Scott

Hi Ivan Thank you very much for your quick reply. :smiley: Please allow me to reply back with a few queries and questions to your answers just to clarify a few things and see if this helps other people too! (Q1. How do I find the nested WP install?) Going by your example I am assuming the following path is what you are talking about: /home/(cpanel-username)/public_html Within this are the following folders: cgi-bin wp wp-admin wp-content wp-includes This to me says there are no other folders that WordPress could be installed in, would that be correct? So does this mean: "Please note the nested WP install on your site will not be scanned. Install WP Defender there to scan separately." is just for information or is it saying there is a nested WP install which I need to find? (Q2. How do I backup the database before changing the prefix?) I have installed Snapshot and backed up the database to Dropbox. :smiley: (Q3. What kind of thing would be a unique prefix?) I've changed the default database prefix (not saying to what) and everything seems to be working fine! (Q4. How do I find out if I'm using NGINX servers?) I used the link you gave me and found out I'm using NGINX servers. :smiley: (Q5. Do I just click IGNORE if I'm not using NGINX servers?) So since Defender is showing a solution for Nginx, I have Nginx! However I cannot find the location of the file to add the code! :disappointed: I contacted the hosting provider about the other issues to do with the WordPress core, here is the reply: I just scanned your whole account for malware but none was found. Therefore these files are not malicious / suspicious. Of course if anything else comes up please let us know. Going by this reply, False Alarm would be the correct choice to select. Do you agree? Kind Regards Scott