[Resolved] Synchro (@synchro)

    I’ve read the WordFence doc about blocking access to .user.ini (which I’m using only to preload the wordfence waf script), I have mod authz_core enabled, and my apache virtual hosts all have this in both http and https configs:

    <Files ".user.ini">
    Require all denied
    </Files>

    However, the file is still accessible.

    I’m not using .htaccess at all – all my config is in main apache configs and AllowOverride is set to None, but I don’t see that that should make any difference – the Files directive should still apply.

    The only thing I can think of is that access to the file is being allowed by some other directive that’s overriding Files, but I can’t find any definitive docs on the precedence between the likes of Files, Directory and Location that may have some bearing on this. I’m assuming it should be first or last amongst such directives, but I’ve been unable to block it.

    Any suggestions?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi @synchro,

    Here are some alternative options you can try:

    1. Rewrite the URL to restrict access

    Using .htaccess, use this rewrite rule:

    RewriteEngine On
    # Escaped dots match the literal file name; [F] returns 403 Forbidden, [L] stops further rewriting
    RewriteRule /?\.user\.ini$ - [F,L]

    2. If you are using a version lower than apache 2.4, try using Deny from all:

    <Files ".user.ini">  
      Order Allow,Deny
      Deny from all
    </Files>

    Remember to restart apache after modifying httpd.conf, but if you edit .htaccess, you do not need to restart.

    Dave

    Thread Starter Synchro (@synchro)

    I am using 2.4. I tried using <FilesMatch "\.ini$"> as well, but that didn’t work either. However, the rewrite suggestion does work, so thanks for that. I’d still really like to know why the Files or FilesMatch directives don’t work, especially since they are what is recommended in the docs.


    Hi again!

    The order of directives is:

    1. Directory/DirectoryMatch
    2. Files/FilesMatch
    3. Location/LocationMatch
    4. If

    http://httpd.apache.org/docs/current/sections.html#merging

    What you said in your post was correct. You have a Directory or DirectoryMatch that is overriding the Files/FilesMatch.

    Dave
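
The merge order in the page Dave links (Directory, then DirectoryMatch, then Files/FilesMatch, then Location/LocationMatch, then If, with each later section overriding the earlier ones) decides which Require applies to a given request. The configuration below is an added example, not configuration from the thread or from Wordfence: it shows one way a vhost-level <Files> deny like the one in the original post can end up overridden, beside two ways of making it stick. The hostname, DocumentRoot, the site-wide <Location "/"> grant and the use of port 80 are assumptions for illustration only; Synchro's real configuration is not shown in the thread, and the two VirtualHost blocks are alternative versions of the same vhost, so only one of them would be loaded at a time.

```apache
# Added example, not from the thread. Hostname, DocumentRoot and the
# <Location "/"> grant are assumed for illustration.

# --- Before: the deny is merged at the Files stage, then overridden ---
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "/var/www/example.com"

    # Merge order (httpd.apache.org/docs/current/sections.html#merging):
    # <Directory> -> <DirectoryMatch> -> <Files>/<FilesMatch>
    #             -> <Location>/<LocationMatch> -> <If>
    # Later sections override earlier ones. This <Files> deny is applied
    # at the Files stage ...
    <Files ".user.ini">
        Require all denied
    </Files>

    # ... and a site-wide grant like this one is applied at the Location
    # stage, after it, so it wins for every URL, including /.user.ini,
    # and the file stays readable despite the <Files> block above.
    <Location "/">
        Require all granted
    </Location>
</VirtualHost>

# --- After: grant at the Directory stage, deny at the Files stage ---
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "/var/www/example.com"

    # <Directory> is merged before <Files>, so a grant here does not
    # override the deny below. AllowOverride None as in the original post.
    <Directory "/var/www/example.com">
        Require all granted
        AllowOverride None
    </Directory>

    # Now this is the last applicable section that sets a Require, so it
    # takes effect for any file named .user.ini under the document root.
    <Files ".user.ini">
        Require all denied
    </Files>

    # If a <Location "/"> grant has to stay, put the deny at the same
    # stage and later in the file; later <Location> sections override
    # earlier ones. The regex is matched against the URL path.
    # <Location "/">
    #     Require all granted
    # </Location>
    # <LocationMatch "/\.user\.ini$">
    #     Require all denied
    # </LocationMatch>
</VirtualHost>
```

To check which version is in effect, run apachectl configtest after editing, reload, and request the file directly with curl -sI http://example.com/.user.ini (hostname assumed): the response should be 403 once the deny is the last section that applies to that URL, and 200 while a later grant still overrides it.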

    I added the following to htaccess and my WordFence emails concerning admin logins quit sending. Any ideas?

    # Block .user.ini access  - START
    RewriteEngine On
    # Escaped dots match the literal file name; forbidden = 403, last = stop rewriting
    RewriteRule /?\.user\.ini$ - [forbidden,last]
    # Block .user.ini access  - END

    Thanks!

  • The topic ‘Blocking access to .user.ini’ is closed to new replies.