Sucuri recommendations



Viewing 2 posts - 1 through 2 (of 2 total)
#8675


    While running a Sucuri check it gave some recommendations on how to harden WordPress. Maybe this could be implemented into BPS Pro?
    – Protect upload directory – It checks if your upload directory allows PHP execution or if it is browsable.
    – Restrict wp-content access –

    This option blocks direct PHP access to any file inside wp-content.
    WARN: Do not enable this option if your site uses TimThumb or similar scripts. If you enable and you need to disable, please remove the .htaccess from wp-content.
    – Restrict wp-includes access –

    This option blocks direct PHP access to any file inside wp-includes.
    wp-includes directory not hardened.

    AITpro Admin

    BPS Pro already protects the uploads folder/directory with the Uploads Anti-Exploit Guard (UAEG).

    If you use the wp-content one-click hardening option in Sucuri then you will break the functionality of a lot of plugins, including BPS Pro. The BPS Pro Plugin Firewall protects the /plugins folder. If we one day decide to expand that protection to the /wp-content root folder, then in order to do this without breaking and blocking other plugins' functionality, the same whitelisting methods that the Plugin Firewall uses to whitelist other plugins' scripts would need to be created for the /wp-content folder. The Sucuri wp-content one-click hardening option does not include a way to whitelist anything, so that is why it will break the functionality of other plugins.

    BUT 99% of all attacks in the /wp-content folder target the /plugins folder so most likely adding a Firewall in the root of the /wp-content folder is not necessary.

    It is fine to use the Sucuri wp-includes one-click hardening option, and I am pretty sure that this will not break other plugins' functionality or affect WordPress adversely. We will look at adding something like this. It will require research and testing, so this could take a very long time to add, if this security option has value.
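The thread above talks about three Apache .htaccess hardening checks (uploads, wp-content, wp-includes) and the reason the wp-content one breaks plugins: it denies every direct PHP request with no way to whitelist the scripts that legitimately need one. The rules below are an added illustration written for this page; they are not Sucuri's rules, not BPS Pro's Uploads Anti-Exploit Guard or Plugin Firewall, and the plugin path in the whitelist is a constructed placeholder. They assume Apache 2.4 (`Require` syntax), mod_rewrite, and an `AllowOverride` that permits FileInfo, Limit and Options in these directories. The security point they show is that these rules only stop direct HTTP requests for `.php` files; files that WordPress loads through `include`/`require` never pass through them, which is why a plain deny in wp-includes is usually harmless while the same deny in wp-content stops any plugin endpoint that the browser calls directly.

```apache
# Added example (not Sucuri's or BPS Pro's own rules). Three per-directory
# .htaccess fragments matching the three Sucuri checks discussed in the thread.
# Assumptions: Apache 2.4, mod_rewrite, AllowOverride FileInfo Limit Options.

# --- 1. "Upload directory allows PHP execution / is browsable" -------------
# Put this in wp-content/uploads/.htaccess. Nothing legitimate under uploads
# should ever be executed as PHP, so refuse direct requests for every common
# PHP extension, not just ".php".
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
# Turn off directory listings so the folder is not "browsable".
# (Needs AllowOverride Options or Options=Indexes; otherwise Apache 500s.)
Options -Indexes

# --- 2. "Restrict wp-content access", with the whitelist Sucuri lacks ------
# Put this in wp-content/.htaccess. Rewrite rules run top to bottom and the
# first matching rule with [L] ends processing, so exceptions go first.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Whitelist: scripts that must answer direct browser requests (TimThumb-
    # style image resizers, plugin AJAX endpoints). The path below is a
    # constructed placeholder; list your site's real exceptions here.
    RewriteRule ^plugins/example-plugin/direct-endpoint\.php$ - [L]
    # Every other direct request for a .php file gets 403 Forbidden.
    # PHP include/require by WordPress core is unaffected by this rule.
    RewriteRule \.php$ - [F,L]
</IfModule>

# --- 3. "Restrict wp-includes access" -------------------------------------
# Put this in wp-includes/.htaccess. WordPress pulls this directory in with
# include/require, so a blanket deny on direct requests is normally safe.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
# A later <Files> section overrides the earlier deny for that one filename.
# wp-tinymce.php is the file older WordPress versions fetched directly for
# the editor; keep or drop this exception depending on your version.
<Files "wp-tinymce.php">
    Require all granted
</Files>
```

To check that a fragment is active rather than silently ignored, request a known PHP file in that directory directly and expect a 403 (for example `wp-content/uploads/` with a harmless test file, or `wp-includes/version.php`); a 200 means `AllowOverride` is not permitting the directives or the site is behind nginx, which does not read .htaccess at all. If a plugin feature stops working after enabling the wp-content fragment, the Apache error log will show the 403 with the exact path to add to the whitelist line.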
