Wordpress (Pre VirtualHost Include) protection not working anymore

[Arvy]

Hello,

since last cPanel update, my hack to protect Wordpress sites is not working anymore. Worked for years.

Scenario: avoid robots to reach Wordpress/PHP (CPU/memory intensive, password brute-force to WP-Admin). So, I do a simple basic authentication before the real WP login screen. User must basic-authentication "wp"/"wp" before reach the real login screen.

How: Pre VirtualHost Include

<FilesMatch "wp-login.php">
AuthUserFile /usr/local/apache/conf/wordpress.password
AuthName "TYPE USER wp AND PASSWORD wp"
AuthType Basic
require valid-user
</FilesMatch>

Now, WP shows a "page not found" error: https://example.org/wp-login.php?redirect_to=https://example.org/wp-admin/&reauth=1

If I remove my hack, everything works. The file has correct permissions.

Any ideas or other way to achieve the same idea?

Thank you

 

[cPRex]

Hey there! When I tested this on my end I found the wp-login.php page wasn't redirecting properly due to the default .htaccess page that is created by Wordpress. I can't say how this was working before, but I setup the password file and include and also received an error until I removed the redirect to index.php from my .htaccess file in the public_html.

 

[Arvy]

Hi @cPRex, yes, but we cannot touch the users original WP .htaccess file. It's correct and works in normal situations.

The Pre VirtualHost Include hack/code forces wp-login.php to do basic authentication globally, to all users, to any file named wp-login.php. This hack protect the server from scans (won't run PHP, so, not overload the server). Robots stop on the basic authentication, protecting the server.

This worked for years... for some reason stopped to work in latest cPanel upcp run. Server was 92.0.6 before this, so, not related to cPanel version directly. But I realized that all .htaccess files were touched, but I don't think this is related, because the problem occurs even if I install the original WP .htaccess file.

Maybe something to Easy Apache that was updated?

[2020-12-26 02:17:02 -0300]      [/usr/local/cpanel/scripts/rpmup] ---> Package ea-apache24.x86_64 0:2.4.46-2.4.4.cpanel will be updated
[2020-12-26 02:17:02 -0300]      [/usr/local/cpanel/scripts/rpmup] ---> Package ea-apache24.x86_64 0:2.4.46-3.7.1.cpanel will be an update
[2020-12-26 02:17:02 -0300]      [/usr/local/cpanel/scripts/rpmup] ---> Package ea-apache24-config.noarch 0:1.0-167.167.5.cpanel will be updated
[2020-12-26 02:17:02 -0300]      [/usr/local/cpanel/scripts/rpmup] ---> Package ea-apache24-config.noarch 0:1.0-168.168.6.cpanel will be an update
[2020-12-26 02:17:02 -0300]      [/usr/local/cpanel/scripts/rpmup] ---> Package ea-apache24-config-runtime.noarch 0:1.0-167.167.5.cpanel will be updated
[2020-12-26 02:17:02 -0300]      [/usr/local/cpanel/scripts/rpmup] ---> Package ea-apache24-config-runtime.noarch 0:1.0-168.168.6.cpanel will be an update

 

[cPRex]

Thanks for the additional details.

I didn't mean the .htaccess was an issue, but the only way I could get things working on my end was my removing the standard redirects that Wordpress does.

If you downgrade the RPMs, do things work how you expect?

 

[Arvy]

Probably yes... I cannot downgrade, server has about 200 accounts, I don't feel comfortable and don't want to have problems in these days (time to enjoy holidays).

My main concern is why FilesMatch is not working anymore after so many years... Not related with permissions or file location (wordpress.password).

<FilesMatch "wp-login.php">
AuthUserFile /etc/wordpress.password
AuthName "TYPE USER wp AND PASSWORD wp"
AuthType Basic
require valid-user
</FilesMatch>

I had to remove the code and now my server is receiving those wp-login.php attacks. CPU average changed from 9% to 31% since then.

 

[cPRex]

I checked my personal system and received those packages back in September. It might be best to open a ticket with our team so we can look at one of these systems directly and see what configurations may be coming into play. If you do that, please post the number here so I can keep the community updated with our findings.

 

[Arvy]

Well, now I'm lost

I did a test in a Non-Wordpress site. I just created a dummy wp-login.php file. And... the basic authentication worked fine, and let me run the dummy PHP after insert the correct user and password. So, the Pre VirtualHost Include hack is working, not related to the last weekend updates...

I realized that all .htaccess files, in all accounts, were touched. All have the same datetime: 2020-12-26 04:51 UTC.

Now I need to check what changed, and what is happening only in .htaccess created by WordPress...

 

[cPRex]

The plot thickens!!!! Let us know what you find!

 

[Arvy]

If I rename .htaccess to .htaccessX, Pre VirtualHost Include hack works on a Wordpress site! With it, I get a 404 error.
But we need it, due to the Wordpress "path mask" feature (ie: /foo/bar/ in the address bar instead of /index.php?id=9999).

Wordpress is redirecting based on:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

So, something happened this weekend that:
- Before: the Pre VirtualHost Include hack was running and ignoring .htaccess.
- Now: .htaccess has priority over the Pre VirtualHost Include hack.

Note: tested in 2 cPanel servers. All updated this weekend, all with the same behavior.

That's where I'm stuck.

 

[cPRex]

I'd recommend reading through the most recent release notes here to see if any of that could be related to the issues you're experiencing:

EasyApache 4 December 23 Release

EasyApache 4 December 23 Release We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on Discord or Reddit to talk about this update and much more. 2020-12-23 ea-openssl11 EA-9478: Update ea-openssl11 to...

forums.cpanel.net

 

[Arvy]

Still no idea how to fix this.

In a non-cPanel server, the hack works. Only stopped to work after the latest cPanel update, maybe the EasyApache 4 update.

Can I open a ticket about this? Now my server is being scanned 24/7 after I removed the hack (to allow users to login).

 

[cPRex]

Absolutely - feel free to open a ticket at any time! Please share the ticket number here so I can follow along and keep the community updated.

 

[Arvy]

Hi @cPRex,

ticket created, internal reference is: #94094532

Thanks.

 

[cPRex]

I'm following along with this now, although it's possible they split this into two separate tickets.

 

[Arvy]

Probably the FilesMatch and the Basic Authentication are the same problem. Because both are related to Wordpress + Basic Authentication.

I think my FilesMatch hack is not directly related.

 

[Arvy]

SOLVED!

Eric Delorme (cPanel) wrote: "This occurs because WordPress rewrites everything and anything accessing the site's public_html to index.php as you have shown in the mod_rewrite rules set by WordPress. In order to work around this .shtml files need to be excluded so that 401.shtml can be loaded along with the Apache Basic AuthType. Unfortunately, there isn't a work around."

But he gave a tip: .shtml files. So, to fix, I just reverted 401/403 errors to its defaults, so, the hack is now:

post_virtualhost_global.conf:

ErrorDocument 401 default
ErrorDocument 403 default

<FilesMatch "wp-login.php">
AuthUserFile /usr/local/apache/conf/wordpress.password
AuthName "TYPE USER wp AND PASSWORD wp"
AuthType Basic
require valid-user
</FilesMatch>

Now the server is protected again.

Thanks @cPRex for your help!!