BulletProof Security Pro forum: ini_set question
This topic has 5 replies, 2 voices, and was last updated 3 years ago by AITpro Admin.

Terry (Participant):
I have some sites with the /** BEGIN BPS Pro ini_set Settings **/ information and others that do not. Can you tell me where the setting is to have this information added to wp-config, or is it really required, as the sites without it seem to work fine?
Also having issues with sites where I set permissions, e.g. htaccess to 404 and wp-config to 604; then when I select the Setup Wizard it changes both to 644 but never sets them back after running the Setup Wizard, although AutoLock is set to ON.
Since you are doing away with F-Lock, should it be left off?
AITpro Admin (Keymaster):
Don’t bother with changing file permissions for the wp-config.php file. If you click the B-Core > htaccess File Editor > Lock htaccess File and Turn On AutoLock buttons and the files are reverting to 644 file permissions, then your web host is automatically changing file permissions on files and there is nothing you can do about that. I just double-checked locking the root htaccess file and running the Wizards on a live testing website, and the root htaccess file is still locked on my web host server.
The ini_set Options code is not critical, but if you need to add it manually for some reason, then see this forum topic for how to do that: https://forum.ait-pro.com/forums/topic/php-error-log-path-does-not-match-error-log-path-seen-by-server-blank-none/
Note: If you have not upgraded to BPS Pro 15.3, then upgrade to BPS Pro 15.3 so that you will see the additional troubleshooting help info in the PHP Error Log Path Does Not Match error message.
Terry (Participant):
Just for clarification: the wp-config file contains database credentials, so if we don’t change permissions on it, what protects us from someone hacking the file and reading that information?
As for the permission issue, there are a number of sites on the same server and some change the permission and others don’t, so I must have something set to cause it. Will keep looking.
Since F-Lock is no longer being used, is there a purpose for leaving it in the program? I have clients that still try to use it.
AITpro Admin (Keymaster):
Originally F-Lock was created to protect against a particular type of hack that would expose the wp-config.php file DB connection information. That hack has not been possible for many years. Local files cannot be opened from a browser unless someone makes the mistake of using 777 file permissions. 644 file permissions are safe. So the wp-config.php file DB connection information is only accessible if someone has local file access, i.e. FTP, the web host control panel, or a hacker shell script that exists under the hosting account. In other words, the wp-config.php file DB connection information is only accessible if the website/hosting account is already hacked.
I would love to completely remove F-Lock, but 100+ people contacted me after I turned off F-Lock by default. Multiply by 10 or 20 and you have a ballpark range of the number of people still using the F-Lock feature, i.e. 1,000 to 2,000 people are still using F-Lock even though it is no longer useful. 😉
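The check a practitioner would want after the post above is a quick audit of the modes actually set under the web root: wp-config.php at 644 is the expected state, and the thing to hunt for is anything world-writable (777). The script below is an added example, not BPS Pro code and not the admin's; the list of files it treats as sensitive (wp-config.php, .htaccess) is an assumption, and the tiny WordPress-like tree it audits is constructed inline so it runs offline.

```python
"""Added example (not BPS Pro code): audit file modes under a WordPress root.

The thread's point is that 644 on wp-config.php is fine because the web
server executes PHP rather than serving its source, and the real danger
is a world-writable (777) file or an attacker who already has local
(FTP / control-panel / shell) access.  This script reports every file
whose mode grants write access to "other", plus the sensitive files
regardless of mode so their current state is visible.
"""
import os
import stat
import tempfile

# Assumed list of files worth reporting even when their mode looks fine.
SENSITIVE = {"wp-config.php", ".htaccess"}


def classify(path: str) -> dict:
    """Return a finding for one file: its octal mode and risk flags."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "path": path,
        "mode": f"{mode:04o}",
        "world_writable": bool(mode & stat.S_IWOTH),
        "group_writable": bool(mode & stat.S_IWGRP),
        "world_readable": bool(mode & stat.S_IROTH),
        "sensitive": os.path.basename(path) in SENSITIVE,
    }


def audit(root: str) -> list:
    """Walk root and return findings for anything world-writable and for
    every sensitive file, in walk order."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = classify(os.path.join(dirpath, name))
            if finding["world_writable"] or finding["sensitive"]:
                findings.append(finding)
    return findings


def build_sample_tree() -> str:
    """Constructed sample: a fake WordPress root with one 777 file in
    uploads (the kind of thing a dropped shell script would leave)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = {
        "wp-config.php": 0o644,
        ".htaccess": 0o404,
        "index.php": 0o644,
        os.path.join("wp-content", "uploads", "cache.php"): 0o777,
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // sample\n")
        os.chmod(full, mode)  # chmod ignores umask, so the mode is exact
    return root


def main() -> list:
    root = build_sample_tree()
    findings = audit(root)
    for f in findings:
        flag = "WORLD-WRITABLE" if f["world_writable"] else "ok"
        print(f"{f['mode']}  {flag:15}  {os.path.relpath(f['path'], root)}")
    return findings


if __name__ == "__main__":
    main()
```

Point `audit()` at a real document root instead of the sample tree to use it for real; index.php at 644 is deliberately not reported, which is the same reasoning the post gives for leaving wp-config.php at 644.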
AITpro Admin (Keymaster):
Just wanted to point out something additional. F-Lock was one of the very first original features that was created in BPS Pro 10 years ago. Since F-Lock was created, newer/better BPS Pro features have been created and newer/better root htaccess security rules have been created.
Example:
The BPS Pro Plugin Firewall blocks this hacking attempt to download the wp-config.php file by exploiting a security vulnerability in the wp-filemanager plugin. This hacking attempt would also be blocked by a Root htaccess file security rule. This is just one example and there are many more scenarios like this.

[403 GET Request: March 5, 2021 - 6:47 pm]
BPS Pro: 15.2 WP: 5.6.2
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 194.246.92.220
Host Name: host220-92-246-194.lds.net.ua
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /vision-blog/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download
QUERY_STRING: &path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
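The logged request above is a textbook traversal (`path=..%2F..%2F..%2F..%2F`) aimed at a credential file (`filename=wp-config.php`), and the same pattern is easy to pick out of a security log after the fact. The detector below is an added example, not BPS Pro code and not the admin's: it parses records in the layout shown in the post, percent-decodes every parameter twice so a double-encoded `..%252F` is also caught, and flags traversal plus sensitive file names. The first record is the one quoted in the post; the benign control and the double-encoded variant are constructed here, with placeholder event codes and documentation IP addresses, and the extra sensitive names (.htaccess, .env) are an assumption.

```python
"""Added example, not BPS Pro code: flag attempts to pull wp-config.php
through a path traversal in a logged request.

Parses BPS-style security log records (REQUEST_URI / QUERY_STRING plus a
few header fields), percent-decodes every parameter twice to catch
double encoding, and reports directory traversal and sensitive file
names.  RECORDS[0] is verbatim from the thread; the other two are
constructed here (a benign control and a double-encoded variant).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Only the record fields this detector needs.  A value runs until
# whitespace or until the next KEY: token starts, so empty fields
# (e.g. "QUERY_STRING: HTTP_USER_AGENT: ...") stay empty.
FIELD = re.compile(
    r"(Event Code|REMOTE_ADDR|REQUEST_METHOD|REQUEST_URI|QUERY_STRING):\s*"
    r"((?:(?![A-Z_]+:)\S)*)"
)
TRAVERSAL = re.compile(r"(?:\.\.[\\/])+")
# Assumed list of files whose download hands over credentials or config.
SENSITIVE = re.compile(r"(?:^|[\\/])(wp-config\.php|\.htaccess|\.env)$", re.I)

RECORDS = [
    # Verbatim from the thread: the 403 that BPS Pro logged.
    "[403 GET Request: March 5, 2021 - 6:47 pm] BPS Pro: 15.2 WP: 5.6.2 "
    "Event Code: PFWR-PSBR-HPRA Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/ "
    "REMOTE_ADDR: 194.246.92.220 Host Name: host220-92-246-194.lds.net.ua "
    "SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: "
    "HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: "
    "REQUEST_URI: /vision-blog/wp-content/plugins/wp-filemanager/incl/libfile.php"
    "?&path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download "
    "QUERY_STRING: &path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download "
    "HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0",
    # Constructed benign control in the same layout (placeholder event code).
    "[403 GET Request: March 5, 2021 - 7:02 pm] BPS Pro: 15.2 WP: 5.6.2 "
    "Event Code: SAMPLE REMOTE_ADDR: 203.0.113.10 SERVER_PROTOCOL: HTTP/1.1 "
    "REQUEST_METHOD: GET HTTP_REFERER: "
    "REQUEST_URI: /vision-blog/wp-content/uploads/2021/03/photo.jpg "
    "QUERY_STRING: HTTP_USER_AGENT: curl/7.68.0",
    # Constructed double-encoded variant of the same traversal.
    "[403 GET Request: March 5, 2021 - 7:15 pm] BPS Pro: 15.2 WP: 5.6.2 "
    "Event Code: SAMPLE REMOTE_ADDR: 198.51.100.7 SERVER_PROTOCOL: HTTP/1.1 "
    "REQUEST_METHOD: GET HTTP_REFERER: "
    "REQUEST_URI: /vision-blog/wp-content/plugins/wp-filemanager/incl/libfile.php"
    "?path=..%252F..%252F&filename=wp-config.php&action=download "
    "QUERY_STRING: path=..%252F..%252F&filename=wp-config.php&action=download "
    "HTTP_USER_AGENT: curl/7.68.0",
]


def decode(value: str) -> str:
    """Percent-decode twice so ..%252F (double-encoded ../) is caught."""
    return unquote(unquote(value))


def analyze(record: str) -> dict:
    """Extract the request from one log record and flag traversal and
    sensitive file names in the URI path and every query parameter."""
    fields = dict(FIELD.findall(record))
    parts = urlsplit(fields.get("REQUEST_URI", ""))
    query = fields.get("QUERY_STRING") or parts.query
    params = parse_qs(query, keep_blank_values=True)  # decodes once
    values = [decode(v) for vals in params.values() for v in vals]
    values.append(decode(parts.path))
    traversal = [v for v in values if TRAVERSAL.search(v)]
    sensitive = [v for v in values if SENSITIVE.search(v)]
    return {
        "remote_addr": fields.get("REMOTE_ADDR", ""),
        "event_code": fields.get("Event Code", ""),
        "path": parts.path,
        "traversal": traversal,
        "sensitive": sensitive,
        "suspicious": bool(traversal) or bool(sensitive),
    }


def main() -> list:
    results = [analyze(r) for r in RECORDS]
    for r in results:
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:10} {r['remote_addr']:15} {r['path']} "
              f"traversal={r['traversal']} sensitive={r['sensitive']}")
    return results


if __name__ == "__main__":
    main()
```

Feeding a whole security log through `analyze()` one record at a time gives a quick list of source addresses probing for config files, which is a useful cross-check even when the firewall already returned a 403.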
AITpro Admin (Keymaster):
Another thing worth pointing out that I take for granted after so many years of doing this: I rarely ever have to deal with someone who has a hacked website. The only time that happens is when someone gets BPS Pro and installs BPS Pro for the first time and BPS Pro detects that the website is already hacked. BPS Pro has far exceeded my expectations. I was shooting for 95%-98% effective and realistically did not expect BPS Pro to be 100% effective. 😉