ini_set question

  • #40131
    Terry
    Participant

    I have some sites with the /** BEGIN BPS Pro ini_set Settings **/ information and others that do not. Can you tell me where the setting is to have this information added to wp-config, or is it really required, as the sites without it seem to work fine?

    Also having issues with sites that I set permissions on, like htaccess to 404 and wp-config to 604: when I select the setup wizard it changes both to 644 but never sets them back after running the setup wizard, although AutoLock is set to ON.

    Since you are doing away with the F-lock should it be left off?

    #40132
    AITpro Admin
    Keymaster

    Don’t bother with changing file permissions for the wp-config.php file.  If you click the B-Core > htaccess File Editor > Lock htaccess File and Turn On AutoLock buttons and the files are reverting to 644 file permissions then your web host is automatically changing file permissions on files and there is nothing you can do about that.  I just double checked locking the root htaccess file and running the Wizards on a Live testing website and the root htaccess file is still locked on my web host server.

    The ini_set Options code is not critical, but if you need to add it manually for some reason then see this forum topic for how to do that > https://forum.ait-pro.com/forums/topic/php-error-log-path-does-not-match-error-log-path-seen-by-server-blank-none/  Note:  If you have not upgraded to BPS Pro 15.3 then upgrade to BPS Pro 15.3 so that you will see additional troubleshooting help info in the PHP Error Log Path Does Not Match error message.

    #40133
    Terry
    Participant

    Just for clarification. The wp-config file contains database credentials so if we don’t change permissions on it what protects us from someone hacking the file and reading that information?

    As for the permission issue there are a number of sites on the same server and some change the permission and others don’t so I must have something set to cause it. Will keep looking.

    Since F-Lock is no longer being used, is there a purpose for leaving it in the program? I have clients that still try to use it.

    #40134
    AITpro Admin
    Keymaster

    Originally F-Lock was created to protect against a particular type of hack that would expose the wp-config.php file DB connection information. That hack is no longer possible as of many years ago. Local files cannot be opened from a Browser unless someone makes the mistake of using 777 file permissions. 644 file permissions are safe. So the wp-config.php file DB connection information is only accessible if someone has Local file access, i.e. FTP, web host control panel or a hacker Shell script exists under the hosting account. In other words, the wp-config.php file DB connection information is only accessible if the website/hosting account is already hacked.

    I would love to completely remove F-Lock, but 100+ people contacted me after I turned Off F-Lock by default. Multiply by 10 or 20 and you have a ballpark range of the number of people still using the F-Lock feature, i.e. 1,000 to 2,000 people are still using F-Lock even though it is no longer useful. 😉

    #40142
    AITpro Admin
    Keymaster

    Just wanted to point out something additional.  F-Lock was one of the very first original features that was created in BPS Pro 10 years ago. Since F-Lock was created, newer/better BPS Pro features have been created and newer/better root htaccess security rules have been created.

    Example:
    The BPS Pro Plugin Firewall blocks this hacking attempt to download the wp-config.php file by exploiting a security vulnerability in the wp-filemanager plugin. This hacking attempt would also be blocked by a Root htaccess file security rule. This is just 1 example and there are many more scenarios like this.

    [403 GET Request: March 5, 2021 - 6:47 pm]
    BPS Pro: 15.2
    WP: 5.6.2
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 194.246.92.220
    Host Name: host220-92-246-194.lds.net.ua
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /vision-blog/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download
    QUERY_STRING: &path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
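
    As an added example (not code from BPS Pro or from this forum), here is a small Python checker that parses one entry in the log layout shown above and flags what a defender would want to see in it: the `../` traversal sequence in the request and a query parameter naming wp-config.php. The sample entry is a constructed copy of the fields above, and the list of sensitive file names is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample entry in the BPS Pro security log layout shown in the post above
SAMPLE_EVENT = """[403 GET Request: March 5, 2021 - 6:47 pm]
BPS Pro: 15.2
Event Code: PFWR-PSBR-HPRA
REQUEST_METHOD: GET
REQUEST_URI: /vision-blog/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download
QUERY_STRING: &path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
"""

# Assumed list of files whose name in a query parameter is worth an alert
SENSITIVE_FILES = {"wp-config.php", ".htaccess", "php.ini"}


def parse_event(text):
    """Turn one 'Key: value' log entry into a dict; the bracketed first line is stored as 'header'."""
    event = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            event["header"] = line[1:-1]
            continue
        key, _, value = line.partition(":")  # split on the first colon only (URLs contain more)
        event[key.strip()] = value.strip()
    return event


def traversal_findings(event):
    """Return a list of human-readable findings for one parsed event (empty list = nothing suspicious)."""
    uri = event.get("REQUEST_URI", "")
    # Decode twice so that double-encoded sequences such as %252E%252E%252F are caught as well
    decoded = unquote(unquote(uri))
    findings = []
    if re.search(r"\.\./|\.\.\\", decoded):
        findings.append("path traversal sequence in request")
    params = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            # Look only at the final path component, so '../../wp-config.php' still matches
            basename = value.replace("\\", "/").rsplit("/", 1)[-1]
            if basename in SENSITIVE_FILES:
                findings.append(f"sensitive file referenced via parameter {name!r}: {basename}")
    return findings


if __name__ == "__main__":
    parsed = parse_event(SAMPLE_EVENT)
    print(parsed["Event Code"], traversal_findings(parsed))
```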

    #40143
    AITpro Admin
    Keymaster

    Another thing worth pointing out that I take for granted after so many years of doing this – I rarely ever have to deal with someone who has a hacked website.  The only time that happens is when someone gets BPS Pro and installs BPS Pro for the first time and BPS Pro detects that the website is already hacked.  BPS Pro has far exceeded my expectations.  I was shooting for 95%-98% effective and realistically did not expect BPS Pro to be 100% effective.  😉
