Wordpress Wordfence: Hiding user ini

Discussion in 'Blogs & CMS usage' started by Mrbo, Jul 11, 2019.

  1. Mrbo

    Hi, I installed Wordfence and they said that I need to hide user.ini if I'm running on NGINX: "Hiding .user.ini if your server runs NGINX". Do I need to do that or is it preconfigured on CMM? If I need to configure it, where is the file located, and is there a way to do it globally for all installed vhosts?
     
  2. Jay Chen

    You will have to add it. Just copy and paste the corresponding code from below to nginx.conf

    [Attached image: upload_2019-7-10_17-37-30.png]
     
  3. Mrbo

    Ok, so then it becomes global or do I have to use the 2nd option if I have multiple vhosts? How can I check if it's working?

    Edit: Idk what I might have done wrong. I added it to this file, /usr/local/nginx/conf/nginx.conf, and added the code snippet right before the closing tag. But when I tried to restart nginx+php I got an error.
     

    Last edited: Jul 11, 2019
  4. eva2000

    You'd want to put it in your nginx domain vhost /usr/local/nginx/conf/conf.d/yourdomain.com.conf and/or /usr/local/nginx/conf/conf.d/yourdomain.com.ssl.conf

    Though, depending on whether you used centmin.sh menu option 22 to install WordPress, access to /.endingfile/directories with dot . prefix is denied by default via your include file created at /usr/local/nginx/conf/wpincludes/yourdomain.com/wpsecure_yourdomain.com.conf.

    or via include file /usr/local/nginx/conf/drop.conf via
    Code (Text):
    location ~ /\.          { access_log off; log_not_found off; deny all; }


    You can verify by manually accessing yourdomain.com/wordpress/.user.ini or yourdomain.com/.user.ini to see if you can access it
     
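One way to check every vhost at once, as an added example that is not part of the original thread or Centmin Mod's own tooling: the script scans the vhost files under /usr/local/nginx/conf/conf.d for either an inline dot-file deny rule or an include of drop.conf or the wpsecure include file mentioned above. The function names and the text-matching heuristic are assumptions; it does not parse Nginx config or follow other nested includes.

```shell
#!/usr/bin/env bash
# Added example: audit Nginx vhost files for a rule that denies dot-prefixed
# paths such as /.user.ini. Heuristic text match only (assumption).

# Default is the Centmin Mod vhost directory named in the thread.
CONF_DIR="${CONF_DIR:-/usr/local/nginx/conf/conf.d}"

# Return 0 if the vhost file appears to deny dot-prefixed paths, either inline
# or through one of the include files mentioned in the thread.
vhost_denies_dotfiles() {
  local f="$1" active
  # Drop comment lines so a commented-out rule or include does not count.
  active=$(grep -Ev '^[[:space:]]*#' "$f" || true)
  # Inline rule on one line: location ~ /\. { ... deny all; }
  if printf '%s\n' "$active" |
     grep -Eq 'location[[:space:]]+~[[:space:]]+/\\\..*deny[[:space:]]+all'; then
    return 0
  fi
  # include .../drop.conf; or include .../wpsecure_<domain>.conf;
  if printf '%s\n' "$active" |
     grep -Eq 'include[[:space:]]+[^;]*(/drop\.conf|/wpsecure_[^;/]+\.conf)[[:space:]]*;'; then
    return 0
  fi
  return 1
}

# Print one status line per vhost file; return 1 if any vhost lacks coverage.
audit_vhosts() {
  local dir="${1:-$CONF_DIR}" f rc=0
  for f in "$dir"/*.conf; do
    [ -e "$f" ] || continue
    if vhost_denies_dotfiles "$f"; then
      echo "OK       $f"
    else
      echo "MISSING  $f"
      rc=1
    fi
  done
  return "$rc"
}

# Live check of the result (needs network); 403 or 404 means the file is not served:
#   curl -s -o /dev/null -w '%{http_code}\n' "https://yourdomain.com/.user.ini"
```

Run `audit_vhosts` after sourcing the file; any vhost reported as MISSING needs the deny rule or one of the include lines added, followed by `nginx -t` before restarting.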