Blocking access to .user.ini
-
I’ve read the WordFence doc about blocking access to .user.ini (which I’m using only to preload the wordfence waf script), I have mod authz_core enabled, and my apache virtual hosts all have this in both http and https configs:
<Files “.user.ini”>
Require all denied
</Files>However, the file is still accessible.
I’m not using .htaccess at all – all my config is in main apache configs and AllowOverride is set to None, but I don’t see that that should make any difference – the Files directive should still apply.
The only thing I can think of is that access to the file is being allowed by some other directive that’s overriding Files, but I can’t find a definitive docs on the precedence between the likes of Files, Directory, Location that may have some bearing on this. I’m assuming it should be first or last amongst such directives, but I’ve been unable to block it.
Any suggestions?
- The topic ‘Blocking access to .user.ini’ is closed to new replies.