autoprotect <Files> protects the entire directory

Discussion in 'Blogs & CMS usage' started by fablab, Jan 8, 2023.

  1. fablab

    fablab New Member

    Hi !
    I think the autoprotect.sh is not handling <Files xxxx> properly:

    One of the plugins I use recently added a .htaccess which protects one file with the <Files> option:
    Code:
    cat /home/nginx/domains/hejazultra.org/public/wp-content/.htaccess
    <Files debug_xxxxxxx.log>
                Order Allow,Deny
                Deny from all
            </Files>
    running
    Code:
    /usr/local/src/centminmod/tools/autoprotect.sh
    adds the following lines:
    Code:
    # /home/nginx/domains/hejazultra.org/public/wp-content
    location ~* ^/wp-content/ { allow 127.0.0.1; deny all; }
    (I confirmed by removing the .htaccess and re-running autoprotect.sh: the 2 lines disappear.)

    Something is off :)
     
  2. eva2000

    eva2000 Administrator Staff Member

    Looks correct to me to protect /wp-content/, which is where .htaccess is located. Autoprotect works only on directories, not files.
     
  3. fablab

    Thanks for the quick answer, as always...

    Well noted that Autoprotect currently works only on directories and not on files.
    It would be tempting to say "maybe it should...", but since I am not the one coding it, I will refrain from doing that, as I do not know how complex it would be (especially since there are both https://httpd.apache.org/docs/2.4/mod/core.html#files and the regexp cousin https://httpd.apache.org/docs/2.4/mod/core.html#filesmatch), and I assume it is not much in use, otherwise others would have asked for this feature before.

    Perhaps I can make another suggestion though: it seems others have been bitten by the autoprotect feature before me. Until my site stopped working suddenly (*), I wasn't aware of the feature. It is a great feature. It is a must-have feature. Even now that I know about it, it makes perfect sense to have it, and it is a great differentiator from other hosting frameworks. Yes, it is better to have the site stop working properly than to have the site hacked. But it would be great to be notified when a change happens.
    I see autoprotect runs regularly and detects whether there is a diff in the protection.
    So when a new .htaccess or a diff from the previous version is detected, it would be a good time to notify the server/site owner by email (not dissimilar to the cron'ed emails generated with wp-updater-domain.sh).
    Thoughts?
     
  4. eva2000

    It's probably something the end user would look at doing, as Centmin Mod doesn't have a default way to:

    1) collect users' email addresses (unless using the email address asked for in centmin.sh menu option 22)

    2) ensure you have your server set up properly as per https://community.centminmod.com/th...ver-email-doesnt-end-up-in-spam-inboxes.6999/ for proper reliable email delivery. Otherwise email notifications may not necessarily reach the destination email address.

    May I ask which WordPress plugin sets a /wp-content/.htaccess as
    Code (Text):
    <Files debug_xxxxxxx.log>
               Order Allow,Deny
               Deny from all
           </Files>
    

    It is similar to Cloudflare Super Page Cache plugin which already has
    Code (Text):
    location ~ ^/wp-content/wp-cloudflare-super-page-cache/yourdomain.com/(debug.log)$ {
      deny all;
    }
    

    set automatically in centmin.sh menu option 22 generated /usr/local/nginx/conf/wpincludes/yourdomain.com/wpsecure_yourdomain.com.conf

    so for yours would be something like
    Code (Text):
    location ~ ^/wp-content/(debug_XXXXX.log)$ {
      deny all;
    }
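
The per-file rule suggested in the last post can be derived mechanically from the `.htaccess` itself. The script below is an added example, not part of the thread or of Centmin Mod's autoprotect.sh: `files_deny_to_nginx` is a hypothetical helper that turns literal `<Files name>` deny blocks into nginx `location` rules and flags regex or wildcard forms for manual review. Because `.htaccess` scope includes subdirectories, the generated pattern also matches the file name below the directory, which is broader than the single-path rule in the post.

```shell
#!/usr/bin/env bash
# Added example, not part of autoprotect.sh. files_deny_to_nginx is a
# hypothetical helper: usage files_deny_to_nginx DOCROOT HTACCESS_PATH
files_deny_to_nginx() {
  local docroot="${1%/}" htaccess="$2" dir uri
  dir="${htaccess%/*}"
  uri="${dir#"$docroot"}"   # URI prefix of the .htaccess directory, e.g. /wp-content
  awk -v uri="$uri" '
    {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
      low = tolower(line)
    }
    low ~ /^<files[ \t]/ {              # <Files ...> only, not <FilesMatch>
      name = line
      sub(/^<[^ \t]+[ \t]+/, "", name); sub(/>$/, "", name); gsub(/"/, "", name)
      inblk = 1; denied = 0
      next
    }
    inblk && (low ~ /^deny[ \t]+from[ \t]+all$/ || low ~ /^require[ \t]+all[ \t]+denied$/) {
      denied = 1                        # Apache 2.2 and 2.4 deny syntax
    }
    low ~ /^<\/files>/ {
      if (inblk && denied) {
        if (name ~ /^[A-Za-z0-9._-]+$/) {
          # Escape dots so "." is not a regex wildcard in the nginx pattern.
          n = split(name, part, "."); esc = part[1]
          for (i = 2; i <= n; i++) esc = esc "\\." part[i]
          printf "location ~ ^%s/(?:.*/)?%s$ { deny all; }\n", uri, esc
        } else {
          printf "# skipped non-literal <Files %s>: review by hand\n", name
        }
      }
      inblk = 0
    }
  ' "$htaccess"
}

# Constructed sample mirroring the .htaccess quoted in the thread.
demo() {
  local root; root="$(mktemp -d)"
  mkdir -p "$root/wp-content"
  printf '<Files debug_xxxxxxx.log>\n    Order Allow,Deny\n    Deny from all\n</Files>\n' \
    > "$root/wp-content/.htaccess"
  files_deny_to_nginx "$root" "$root/wp-content/.htaccess"
  rm -rf "$root"
}
demo
```

Review the output and test it with `nginx -t` before including it in a vhost, since nginx regex locations are evaluated in configuration order.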