I’m on a Lightsail instance on AWS with the Bitnami WordPress stack.
Wordfence lists an issue with the .user.ini file being visible:
Publicly accessible config, backup, or log file found: .user.ini
Type: Publicly Accessible Config/Backup/Log
I’ve checked and that file *is* available publicly.
But the .htaccess file contains the following code:
```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/?\.user\.ini$
RewriteRule .* - [F,L,NC]
</IfModule>
<IfModule !mod_rewrite.c>
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
</IfModule>

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF
```
Any idea on how to protect this file? Thanks!
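
A diagnostic for the situation in the post above (deny rules present in .htaccess, file still served), added as an example and not part of the original post: Apache applies .htaccess directives only where `AllowOverride` permits them, so the script reads the `AllowOverride` value for a document root and checks for a `<Files ".user.ini">` deny block. The config text and the `/srv/example/htdocs` path are constructed placeholders, and only a `<Directory>` block that matches the path exactly is considered.

```shell
#!/bin/sh
# Added example. Sample config is constructed; /srv/example/htdocs is a placeholder.

# Print the AllowOverride value set inside <Directory "DIR"> of CONF ("unset" if none).
allowoverride_for() {  # args: CONF DIR
  awk -v dir="$2" '
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^<directory[ \t]/ {
      d = line; sub(/^<[^ \t]+[ \t]+/, "", d); sub(/>[ \t]*$/, "", d)
      gsub(/"/, "", d); sub(/\/$/, "", d)
      inblk = (d == dir); next
    }
    low ~ /^<\/directory>/ { inblk = 0 }
    inblk && low ~ /^allowoverride[ \t]/ { val = line; sub(/^[^ \t]+[ \t]+/, "", val) }
    END { print (val == "" ? "unset" : val) }
  ' "$1"
}

# Succeed if HTACCESS holds a <Files ".user.ini"> block that denies access.
# (Only the <Files> form is checked, not the mod_rewrite variant.)
denies_user_ini() {  # args: HTACCESS
  awk '
    { low = tolower($0) }
    low ~ /<files[ \t]+"?\.user\.ini"?>/ { inblk = 1 }
    low ~ /<\/files>/ { inblk = 0 }
    inblk && low ~ /(require[ \t]+all[ \t]+denied|deny[ \t]+from[ \t]+all)/ { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Combine both checks into one verdict string.
verdict() {  # args: CONF DIR HTACCESS
  ao=$(allowoverride_for "$1" "$2" | tr 'A-Z' 'a-z')
  if ! denies_user_ini "$3"; then echo "no-deny-rule"
  elif [ "$ao" = "all" ]; then echo "rule-active"
  elif [ "$ao" = "none" ]; then echo "rule-ignored"
  else echo "check-manually"; fi   # partial override lists or inherited settings
}

# Write a constructed server config and .htaccess into directory $1.
make_samples() {
  printf '%s\n' '<Directory "/srv/example/htdocs">' '  AllowOverride None' \
    '</Directory>' > "$1/httpd.conf"
  printf '%s\n' '<Files ".user.ini">' '  Require all denied' '</Files>' > "$1/.htaccess"
}

tmp=$(mktemp -d)
make_samples "$tmp"
verdict "$tmp/httpd.conf" /srv/example/htdocs "$tmp/.htaccess"   # prints rule-ignored
```

A `rule-ignored` verdict means the deny block has to live in the server or virtual-host configuration instead of .htaccess, followed by an Apache reload and a fresh request for the file to confirm a 403.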