Want to subscribe to topics you're interested in?
Become a Member

Wordpress Wordfence: Hiding user ini

Discussion in 'Blogs & CMS usage' started by Mrbo, Jul 11, 2019.

  1. Mrbo

    Mrbo Member

    109
    7
    18
    Jun 17, 2018
    Ratings:
    +7
    Local Time:
    3:15 AM
    Hi, I installed wordfence and they said that I need to hide user.ini if im running on NGINX: Hiding .user.ini if your server runs NGINX. Do I need to do that or is it preconfigured on CMM? If I need to configure it, where is the file located, and is there a way to do it globally for all installed vhosts?
     
  2. Jay Chen

    Jay Chen Member

    83
    26
    18
    Sep 10, 2017
    Ratings:
    +43
    Local Time:
    4:15 PM
    You will have to add it. Just copy and paste the corresponding code from below to nginx.conf

    upload_2019-7-10_17-37-30.png
     
    • Like Like x 1
    • Informative Informative x 1
  3. Mrbo

    Mrbo Member

    109
    7
    18
    Jun 17, 2018
    Ratings:
    +7
    Local Time:
    3:15 AM
    Ok, so then it becomes global or do I have to user the 2nd option if I have multiple vhosts? How can I check if its working?

    Edit: Idk what I might have done wrong. I added it to this file, /usr/local/nginx/conf/nginx.conf, and added the code snippet right before the closing tag. But when I tried to restart nginx+php I got an error.
     

    Attached Files:

    Last edited: Jul 11, 2019
    style="display:inline-block;min-width:400px;max-width:970px;width:95%;height:90px" data-ad-client="ca-pub-6669518204467592" data-ad-slot="4024536743" data-ad-format="auto">
  4. eva2000

    eva2000 Administrator Staff Member

    40,634
    9,023
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,891
    Local Time:
    6:15 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    you'd want to put in in your nginx domain vhost /usr/local/nginx/conf/conf.d/yourdomain.com.conf and/or /usr/local/nginx/conf/conf.d/yourdomain.com.ssl.conf

    though depending if you used centmin.sh menu option 22 to install wordpress, access to /.endingfile/directories with dot . prefix are denied by default via your include file created at /usr/local/nginx/conf/wpincludes/yourdomain.com/wpsecure_yourdomain.com.conf.

    or via include file /usr/local/nginx/conf/drop.conf via
    Code (Text):
    location ~ /\.          { access_log off; log_not_found off; deny all; }


    You can verify by manually accessing yourdomain.com/wordpress/.user.ini or yourdomain.com/.user.ini to see if you can access it
     
    • Like Like x 1