Operating System & Version: linux
cPanel & WHM Version: 92.0.11

HansonC

cPanel Access Level: Website Owner

Hi, I'm using WordPress Toolkit Deluxe.

I've enabled some security options, but where are the security settings/additional files added to?

For example:
"Block unauthorized access to wp-config.php"

I have manually entered the following code in the htaccess file and WordPress Toolkit managed to detect that I've blocked access to wp-config.php:

# No access to wp-config.php
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

But on a separate installation, if I DO NOT manually include the snippet in the htaccess file and use the "Secure" option provided in WordPress Toolkit, I do not see the changes made in the htaccess file although it shows that the fix is applied. In other words, shouldn't I be able to SEE the above code snippet within the htaccess file?

As for security enhancements such as to "Forbid execution of PHP scripts in the wp-content/uploads directory", I would 'traditionally' be uploading a htaccess file to that directory containing this code snippet:

<Files *.php>
deny from all
</Files>

The new htaccess file isn't there when I secure the directory through WordPress Toolkit although it shows that it's secured. In case someone asks, yes, I have enabled the option to "Show Hidden Files (dotfiles)" within cPanel's File Manager.

Please advise. Thank you so much in advance!
 

cPRex

Jurassic Moderator
Staff member
cPanel Access Level: Root Administrator

Hey there! WordPress Toolkit uses an Apache include file unique to the user's vhost to write the changes. For example, for "domain.com" it would use the file here:

Code:
/etc/apache2/conf.d/userdata/std/2_4/forty/domain.com/wp-toolkit.conf
/etc/apache2/conf.d/userdata/ssl/2_4/forty/domain.com/wp-toolkit.conf

Inside the file you'll see comments with the name of the security option, such as this:

Code:
    # "Disable PHP execution in cache directories"
    # "Block access to .htaccess and .htpasswd"
    # "Enable bot protection"

Let me know if that helps!
 

cPRex

"Disable scripts concatenation for WordPress admin panel" will also add define('CONCATENATE_SCRIPTS', false); to wp-config.php.

"Turn off pingbacks" is enabled/disabled by wp-cli. Changes can be found inside the WordPress database ("default_ping_status" and "default_pingback_flag" option names inside the "wp_options" table).

I just wanted to add that update as those things don't get written to the include.
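
Added example (not part of the thread and not cPanel's own tooling): a small shell helper for auditing where the applied measures are recorded, based on the include paths, comment format and wp-config.php define quoted in the replies above. The function names and the WPTK_ROOT override are hypothetical, and it assumes an account that can read the include files.

```shell
#!/bin/sh
# Added example: audit which WordPress Toolkit security options are recorded
# for a vhost. Layout and comment format are taken from the replies above;
# WPTK_ROOT is a hypothetical override for pointing at a copy of the tree.
WPTK_ROOT="${WPTK_ROOT:-/etc/apache2/conf.d/userdata}"

# wptk_options <std|ssl> <user> <domain>
# Prints one option name per line, read from comment lines of the form
#     # "Option name"
# Returns 1 if the include file is missing or unreadable.
wptk_options() {
    conf="$WPTK_ROOT/$1/2_4/$2/$3/wp-toolkit.conf"
    [ -r "$conf" ] || return 1
    sed -n 's/^[[:space:]]*#[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$conf" | sort -u
}

# wptk_mismatch <user> <domain>
# Prints options that appear in only one of the std/ssl includes, so a
# measure recorded for one vhost but not the other stands out.
wptk_mismatch() {
    a=$(mktemp) b=$(mktemp)
    wptk_options std "$1" "$2" > "$a" || :
    wptk_options ssl "$1" "$2" > "$b" || :
    comm -23 "$a" "$b" | sed 's/^/std only: /'
    comm -13 "$a" "$b" | sed 's/^/ssl only: /'
    rm -f "$a" "$b"
}

# wptk_concat_disabled <path/to/wp-config.php>
# Succeeds only if an uncommented define('CONCATENATE_SCRIPTS', false) exists.
wptk_concat_disabled() {
    grep -Eqi "^[[:space:]]*define\([[:space:]]*['\"]CONCATENATE_SCRIPTS['\"][[:space:]]*,[[:space:]]*false[[:space:]]*\)" "$1"
}
```

With the thread's example values this would be called as `wptk_options std forty domain.com` and `wptk_mismatch forty domain.com`.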