Wordpress Application Passwords

Discussion in 'Blogs & CMS usage' started by EckyBrazzz, Oct 9, 2022.

  1. EckyBrazzz

    EckyBrazzz Active Member

    I need to enable Application Passwords, which is currently disabled on the Users => Profile.

    The site is on HTTPS, but still, this pops up
    To enable Applications Passwords, I should add the code below, but I don't know where.


    PHP:
    add_filter( 'wp_is_application_passwords_available', '__return_true' );
    Is the above the correct way to enable it in Centmin Mod or should I disable some security mod?
     
  2. eva2000

    eva2000 Administrator Staff Member

    Which Web app is this for? WordPress?
     
  3. Jon Snow

    Jon Snow Active Member

    Go to your theme folder and add it to the functions.php file.
     
  5. EckyBrazzz

    EckyBrazzz Active Member

    @eva2000 Can you please help me to enable the Application Passwords? I did give it a try on local (Windows machine) and it works; with Centmin Mod it is blocked.

    I don't want to leave Centmin Mod and want to continue to use it.
    [Attached screenshot: upload_2022-10-9_18-42-19.png]
     
  6. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod values security and puts additional measures in place so that end users are also mindful of security. So in your case, you might need to whitelist or unblock the WP plugins related to your 403 permission denied messages. But from your screenshot it says may need XML-RPC - which isn't that secure and as such Centmin Mod WordPress installer installs the plugin disable-xml-rpc to disable XML-RPC by default. So see if that plugin is causing issues.

    If you used centmin.sh menu option 22 auto installer WordPress Nginx Auto Installer, the default wpsecure conf file at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf where vhostname is your domain name, blocks PHP scripts from executing in wp-content for security.

    In the links below you can see examples of setting up specific WordPress location matches to punch a hole in the wpsecure blocking to whitelist specific PHP files that need to be able to run.

    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.
    Check if your nginx vhost at either or both /usr/local/nginx/conf/conf.d/domain.com.conf and/or /usr/local/nginx/conf/conf.d/domain.com.ssl.conf has an include file for autoprotect, for example:
    Code (Text):
    include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
    

    See if your directory for the script which has issues is caught in an autoprotect include entry in /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf which has a deny all entry:
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    

    i.e.
    Code (Text):
    # /home/nginx/domains/domain.com/public/subdirectory/js
    location ~* ^/subdirectory/js/ { allow 127.0.0.1; deny all; }
    

    If caught, you can whitelist it via the autoprotect bypass .autoprotect-bypass file - details below here. So if the problem js file is at domain.com/subdirectory/js/file.js then it is likely /subdirectory/js has a .htaccess with deny all in it - make sure that directory is meant to be publicly accessible by contacting the author of the script and, if so, you can whitelist it and re-run the autoprotect script to regenerate your /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file:
    Code (Text):
    cd /home/nginx/domains/domain.com/public/subdirectory/js
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    nprestart
    

    It may be that you also need to whitelist /subdirectory; then it would be as follows, creating bypass files at /home/nginx/domains/domain.com/public/subdirectory/.autoprotect-bypass and /home/nginx/domains/domain.com/public/subdirectory/js/.autoprotect-bypass:
    Code (Text):
    cd /home/nginx/domains/domain.com/public/subdirectory/
    touch .autoprotect-bypass
    cd /home/nginx/domains/domain.com/public/subdirectory/js
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    nprestart
    

    Then double check to see if the updated /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file now doesn't show an entry for /subdirectory/js.
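
The check described in the post above (is the failing path caught by a deny all entry in the autoprotect include file?), written as a small shell helper. This is an added example, not part of the thread or of Centmin Mod: the function names and the sample config are constructed, and it assumes the generated location regexes are simple enough for grep -E.

```shell
#!/bin/sh
# Added example (not from the thread): list the autoprotect "deny all"
# location rules that match a given request path.

# Constructed sample in the include-file format quoted in the thread.
sample_conf() {
cat <<'EOF'
# /home/nginx/domains/domain.com/public/subdirectory/js
location ~* ^/subdirectory/js/ { allow 127.0.0.1; deny all; }
# /home/nginx/domains/domain.com/public/wp-content/uploads/sucuri
location ~* ^/wp-content/uploads/sucuri/ { allow 127.0.0.1; deny all; }
EOF
}

# autoprotect_hits CONF URI (hypothetical helper name)
# Prints the regex of every matching deny-all rule; returns 0 if any matched.
# Assumption: generated regexes are simple enough for grep -E (nginx uses PCRE).
autoprotect_hits() {
  _ap_conf=$1; _ap_uri=$2; _ap_rc=1
  while IFS= read -r _ap_line; do
    # Keep only regex locations ("~" or "~*") that carry "deny all".
    printf '%s\n' "$_ap_line" |
      grep -Eq '^[[:space:]]*location[[:space:]]+~\*?[[:space:]].*deny all' || continue
    _ap_re=$(printf '%s\n' "$_ap_line" |
      sed -E 's/^[[:space:]]*location[[:space:]]+~\*?[[:space:]]+([^[:space:]]+).*$/\1/')
    # "~*" is case-insensitive in nginx, plain "~" is case-sensitive.
    _ap_flags=-Eq
    case $_ap_line in *'~*'*) _ap_flags=-Eiq ;; esac
    if printf '%s\n' "$_ap_uri" | grep "$_ap_flags" -- "$_ap_re"; then
      printf '%s\n' "$_ap_re"
      _ap_rc=0
    fi
  done < "$_ap_conf"
  return "$_ap_rc"
}

# Demo against the constructed sample; on a server, pass the real include file.
demo_conf=$(mktemp) && sample_conf > "$demo_conf"
for uri in /subdirectory/js/file.js /wp-json/wp/v2/users/me; do
  if hits=$(autoprotect_hits "$demo_conf" "$uri"); then
    echo "$uri is denied by: $hits"
  else
    echo "$uri is not matched by any autoprotect rule"
  fi
done
rm -f "$demo_conf"
```

A path that returns no hit here is not being blocked by autoprotect, so the 403 has another source, such as the wpsecure include or a plugin.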
     
  7. EckyBrazzz

    EckyBrazzz Active Member

    Code (Text):
    grep location /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    


    Only sucuri pops up
    Code (Text):
    location ~* ^/wp-content/uploads/sucuri/ { allow 127.0.0.1; deny all; }
    


    Disabling autoprotect as mentioned here solved the issue for me. This server only has Headless-WP, all scripts/code is running as Serverless Functions on Vercel.

    Thanks @eva2000 !
     
  8. eva2000

    eva2000 Administrator Staff Member

    Great to hear :)