Block error_log file from being viewed in a Browser

#32688
    Johnny
    Participant

    Hi,

    My website produces error_log files sometimes and I’d like to have a way to hide them so they are not visible from any other IPs except mine. At the moment anyone can access www.example.com/wp-admin/error_log or www.example.com/error_log and read the logs. How can I do this in BPS? I notice in your root .htaccess file you have included:

    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$

    So how would I go about blocking the error_log file for everyone except myself?

    #32692
    AITpro Admin
    Keymaster

    You would block the error_log files from being viewed in a Browser with the BPS htaccess code below, and add it to BPS Root Custom Code.

    1. Copy the modified DENY BROWSER ACCESS TO THESE FILES below into this BPS Root Custom Code text box: 13. CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES
    2. Click the Save Root Custom Code button.
    3. Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # DENY BROWSER ACCESS TO THESE FILES
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # To be able to view these files from a Browser, replace 127.0.0.1 with your actual
    # current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
    # Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
    # Note: The BPS System Info page displays which modules are loaded on your server.
    
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|error_log)">
    <IfModule mod_authz_core.c>
    Require all denied
    #Require ip 127.0.0.1
    </IfModule>
    
    <IfModule !mod_authz_core.c>
    <IfModule mod_access_compat.c>
    Order Allow,Deny
    Deny from all
    #Allow from 127.0.0.1
    </IfModule>
    </IfModule>
    </FilesMatch>

    #32693
    Johnny
    Participant

    Okay I’ve tried it, but I can still access them… I’ve even cleared all my caches (browser, W3TC, Cloudflare) and switched to a different IP, and yet those error_log files still remain accessible. I can confirm that the code was updated into my root .htaccess though…

    #32694
    AITpro Admin
    Keymaster

    Very strange.  I tested this solution before posting it and it worked fine on my test site and the main ait-pro.com website:  https://www.ait-pro.com/error_log  If you click the link you will see a 403 error message since the error_log file is currently blocked on the main ait-pro.com website.  Maybe your server processes files without file extensions (i.e. .php, .txt, .log) differently?  The only other thing I can think of to try is to block or redirect by URI instead of by file.

    RedirectMatch 301 ^/error_log$ https://www.example.com/
    RedirectMatch 301 ^/wp-admin/error_log$ https://www.example.com/

    #32695
    Johnny
    Participant

    This one does block them though:

    # DENY BROWSER ACCESS TO THESE FILES
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # To be able to view these files from a Browser, replace 127.0.0.1 with your actual
    # current IP address. Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
    # Note: The BPS System Info page displays which modules are loaded on your server.
    
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|error_log)">
    Order Allow,Deny
    Deny from all
    #Allow from 127.0.0.1
    </FilesMatch>

    What is the difference between the two codes?

    #32696
    AITpro Admin
    Keymaster

    That means your server does allow IfModule conditions to be used, which is bizarre since IfModule conditions have been an Apache standard for decades now.  Instead of processing the IfModule conditions your particular server just ignores the IfModule conditions and will not process any code inside of the IfModule conditions.  The code works exactly the same.  And actually that is why the standard BPS htaccess files do not contain IfModule conditions. I.e. to compensate for Hosts that are doing weird stuff or not doing industry standard stuff. 😉

    #32697
    Johnny
    Participant

    You mean my server doesn’t allow IfModule conditions to be used? For example, I know that this one:

    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    Header set X-XSS-Protection "1; mode=block"
    </IfModule>

    Works, since the Sucuri Scanner stops picking up the X-XSS attack vulnerability for example. So why would it only not work in that case?

    #32700
    AITpro Admin
    Keymaster

    I guess I should have been absolutely specific.  What we have seen is some Hosts do stuff like ignoring this specific module name in these specific IfModule conditions below.   I have absolutely no idea why that is. It doesn’t make any logical sense so I have no idea how someone would even do that. 😉

    <IfModule mod_authz_core.c> and/or <IfModule mod_access_compat.c>

    #32701
    AITpro Admin
    Keymaster

    The BPS and BPS Pro plugins have an Apache IfModule checker that tests what works with your server or not and creates htaccess code in your BPS htaccess files that works on your particular server.  I should have had you grab your actual Root htaccess file code instead of having you use the example code I posted above, which works fine on our particular server. 😉
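
An added example (not code from this thread or from the BPS plugin) that models the difference between the two snippets discussed above: it evaluates which directives of the posted FilesMatch block actually take effect when a host honours the named IfModule conditions, and when it silently ignores them. The .htaccess fragments are constructed from the snippets in the thread; the set of honoured modules is an assumption supplied by the caller.

```python
import re

# Constructed sample: the BPS snippet wrapped in IfModule conditions.
WITH_IFMODULE = r"""
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|error_log)">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
<IfModule mod_access_compat.c>
Order Allow,Deny
Deny from all
</IfModule>
</IfModule>
</FilesMatch>
"""

# Constructed sample: the same block with no IfModule conditions at all.
WITHOUT_IFMODULE = r"""
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|error_log)">
Order Allow,Deny
Deny from all
</FilesMatch>
"""

DENY_DIRECTIVES = ("Require all denied", "Deny from all")

def effective_filesmatch_rules(htaccess, honored_modules):
    """Return [(filesmatch_regex, [effective directives])] for the config.
    An <IfModule> is treated as true only if its module is in honored_modules
    (a host that ignores the condition is modelled by omitting that module)."""
    rules, stack, current = [], [], None  # stack: truth value of each open IfModule
    for line in htaccess.strip().splitlines():
        line = line.strip()
        m = re.match(r"<IfModule\s+(!?)(\S+)>", line)
        if m:
            negate, mod = m.group(1) == "!", m.group(2)
            stack.append((mod in honored_modules) != negate)
        elif line == "</IfModule>":
            stack.pop()
        elif line.startswith("<FilesMatch"):
            current = (re.match(r'<FilesMatch\s+"(.+)">', line).group(1), [])
        elif line == "</FilesMatch>":
            rules.append(current)
            current = None
        elif current is not None and all(stack) and line and not line.startswith("#"):
            current[1].append(line)  # directive inside an active FilesMatch block
    return rules

def is_denied(path, htaccess, honored_modules):
    """True if the file name in `path` matches a FilesMatch that carries a deny rule."""
    filename = path.rsplit("/", 1)[-1]
    return any(re.search(pattern, filename) and any(d in DENY_DIRECTIVES for d in directives)
               for pattern, directives in effective_filesmatch_rules(htaccess, honored_modules))
```

Run against a host that ignores both module conditions (empty set), the IfModule version leaves /error_log reachable while the bare version denies it, which is the behaviour Johnny observed.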

    #32702
    Johnny
    Participant

    Okay yes I understand! No worries, it got fixed in the end 🙂 Thanks!
