Plesk Wordpress Toolkit - how to bypass security settings

[wiwimaster]

Hi everyone
we're running a server with Plesk 17.8.11 on Ubuntu 16.04.4 LTS‬, including the Plesk Wordpress toolkit. We used this to harden our Wordpress installations (executed all security recommendations). As a result, no .php file can be executed in the /wp-content folder.

This worked well until recently, when we started to use a plugin (OneSignal) that requires PHP access in the aforementioned folder. We are dependent on using the plugin, hence need to switch on the PHP execution for 1-2 php files.

Any recommendations how this can be done e.g. by using .htaccess or additional directives?

Thanks a lot for your help
Jan

 

[Joey van Venrooij]

Probably you want to login to your server via SSH go to the directory with cd foldername/foldername till you reach the folder. and then issue the command chmod +x filename.php after that it should work

 

[wiwimaster]

Thanks Joey, that was the first thing I tried (unfortunately not successfully). This is what the WP Toolkit adds to the following files (domain replaced by URL.de):

last_ip_default.conf

<IfModule mod_ssl.c>
        #extension wp-toolkit begin
        <Files wp-config.php>
            Require all denied
        </Files>

        <Directory "/var/www/vhosts/URL.de/httpdocs">
            Options -Indexes
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-content">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-includes">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-admin">
            <FilesMatch (load-styles|load-scripts)\.php$>
                Require all denied
            </FilesMatch>
        </Directory>

        #extension wp-toolkit end
</IfModule>

nginx_ip_default.conf

    #extension wp-toolkit begin
    location ~* wp-config.php { deny all; }

    location ~* "^/wp-content/.*\\.php" { deny all; }
    location ~* "^/wp-includes/.*\\.php" { deny all; }
    location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }

    #extension wp-toolkit end

of course I could remove the code, but updating hosting or Apache/NGINX settings in Plesk, the code is added back again.

Can I overwrite those settings somewhere else?

thanks
Jan

 

[wiwimaster]

Hi everyone,
I was able to solve this topic with the help of Unable to use WordPress plugin: 403 Forbidden

If you encounter a similar issue, open the security panel of your domain in the WP Toolkit and uncheck "Security of the wp-content folder". This will allow to execute php files again. You may want to add additional code to