
[WordPress] htaccess woocomerce uploads - public accessible #1575

Closed
alexookah opened this issue Jun 24, 2024 · 4 comments
Assignees: none
Labels: how-to (How to issues reported by users), solved, triage (Triage is needed), wordpress

Comments

@alexookah

alexookah commented Jun 24, 2024

Describe your issue as much as you can

I am trying to secure the woocommerce_uploads directory in my Bitnami WordPress installation using Apache 2.4 by denying access through the directive in the APPNAME-htaccess.conf file. However, the configuration does not seem to be applied as expected, and unauthorized access to the files within this directory is still possible.

Environment
Platform: Bitnami WordPress
Apache Version: 2.4.58 (Unix)

Location of Configuration File: /opt/bitnami/apache/conf/vhosts/htaccess/APPNAME-htaccess.conf
Steps to Reproduce
Configuration File:
I added the following configuration to /opt/bitnami/apache/conf/vhosts/htaccess/wordpress-htaccess.conf

<Directory "/opt/bitnami/wordpress/wp-content/uploads/woocommerce_uploads">
    Require all denied
</Directory>

Testing Access:

Attempted to access files in the woocommerce_uploads directory via a browser to check if the access was correctly denied.

Expected Behavior

Access to the woocommerce_uploads directory and all its files should be denied, preventing unauthorized users from accessing any files within this directory.

Actual Behavior

Despite the configuration in the APPNAME-htaccess.conf file, files within the woocommerce_uploads directory are still accessible. The Require all denied directive does not seem to be enforced.

Troubleshooting Steps Taken

Verified Configuration:
Confirmed that the configuration file is correctly edited and saved.

Restarted Apache:
Restarted Apache multiple times to ensure the new configuration is loaded.

Checked Apache Syntax:
Ran the configuration test command:

sudo apachectl configtest
This returned Syntax OK.

Additional Information

APPNAME-htaccess.conf Path: Confirmed that the file path is correct and changes are reflected in the file.
Module Check: Verified that mod_authz_core is loaded, as the configuration is intended for Apache 2.4.

Suspicion and Request for Clarification

I suspect that the current .htaccess configuration setup in Bitnami might only be effective for plugin-related directories and not other directories like woocommerce_uploads. Could you please confirm if the .htaccess management in Bitnami WordPress installations is restricted to certain directories or types of content?

Request for Assistance

Please help identify why the directive is not being applied as expected. Are there any additional configurations or steps required to ensure that access to the woocommerce_uploads directory is properly restricted?

@alexookah alexookah added the how-to How to issues reported by users label Jun 24, 2024
@github-actions github-actions bot added the triage Triage is needed label Jun 24, 2024
@alexookah alexookah changed the title htaccess woocomerce uploads htaccess woocomerce uploads - public accessible Jun 24, 2024
@jotamartos
Collaborator

Could you please confirm if the .htaccess management in Bitnami WordPress installations is restricted to certain directories or types of content?

https://docs.bitnami.com/general/apps/wordpress/administration/use-htaccess/

No, whatever you write in the wordpress-htaccess.conf file will be taken into account. Please remember to restart Apache by using /opt/bitnami/ctlscript.sh

sudo /opt/bitnami/ctlscript.sh restart apache

Please make sure to write the correct path in the Directory block. I understand you used the correct path there but just to double check.

@jotamartos jotamartos changed the title htaccess woocomerce uploads - public accessible [WordPress] htaccess woocomerce uploads - public accessible Jun 28, 2024
@alexookah
Author

WooCommerce automatically generates an .htaccess file within the wp-content/uploads/woocommerce_uploads/ directory to prevent unauthorized access to files. The content of this .htaccess file is:
Deny from all

This should block all direct HTTP requests to files within this directory, but it seems to be ineffective. I believe this is because we have to add this entry manually in the Apache conf.

Steps Taken to Secure Directory
To reinforce this restriction, I’ve tried the following approaches in my Apache configuration:

Defined Access Restrictions for the Main Directory

I added a directive for the wp-content/uploads/woocommerce_uploads directory in my Apache configuration:

This is my conf file:

<Directory "/opt/bitnami/wordpress/wp-content/plugins/akismet">
  # Only allow direct access to specific Web-available files.
  
  # Apache 2.2
  <IfModule !mod_authz_core.c>
  Order Deny,Allow
  Deny from all
  </IfModule>
  
  # Apache 2.4
  <IfModule mod_authz_core.c>
  Require all denied
  </IfModule>
  
  # Akismet CSS and JS
  <FilesMatch "^(form\.js|akismet(-frontend|-admin)?\.js|akismet(-admin)?(-rtl)?\.css|inter\.css)$">
  <IfModule !mod_authz_core.c>
  Allow from all
  </IfModule>
  
  <IfModule mod_authz_core.c>
  Require all granted
  </IfModule>
  </FilesMatch>
  
  # Akismet images
  <FilesMatch "^(logo-(a|full)-2x\.png|akismet-refresh-logo\.svg|akismet-refresh-logo@2x\.png|arrow-left\.svg)$">
  <IfModule !mod_authz_core.c>
  Allow from all
  </IfModule>
  
  <IfModule mod_authz_core.c>
  Require all granted
  </IfModule>
  </FilesMatch>
</Directory>

<Directory "/opt/bitnami/wordpress/wp-content/uploads/woocommerce_uploads">
  # Apache 2.2
  <IfModule !mod_authz_core.c>
  Deny from all
  </IfModule>

  # Apache 2.4
  <IfModule mod_authz_core.c>
  Require all denied
  </IfModule>
</Directory>

Attempted to Restrict only Subdirectories Specifically

<Directory "/opt/bitnami/wordpress/wp-content/uploads/woocommerce_uploads/2024/01">
...

Restarted Apache

After each configuration change, I ensured that Apache was restarted to apply the new settings.

Despite these configurations, files within the wp-content/uploads/woocommerce_uploads/ directory and its subdirectories are still accessible when accessed directly (e.g., via an incognito browser session).

I have a feeling that those Directory entries are working only for plugins and not for other WordPress directories.
Are you sure this should work when there is also an htaccess file in the same directory?
Is this the correct way to do this? Could you check if this should work?

@jotamartos
Collaborator

Are you sure this should work when there is also an htaccess file in the same directory?

Yes, Apache does not read the .htaccess files by default; it uses the information in the htaccess.conf file you edited.

Is this the correct way to do this? Could you check if this should work?

Apache reads that file and the configuration should be working as expected. I do not know if there are other .htaccess files in the woocommerce_uploads directory tree that should be moved to the general htaccess.conf file.

As a workaround, you can edit the WordPress vhosts files inside the /opt/bitnami/apache/conf/vhosts folder and set AllowOverride All to read the htaccess files.
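To see why a <Directory> block in wordpress-htaccess.conf applies to woocommerce_uploads just as it does to plugin directories, here is an added example (not Bitnami's or Apache's code) that models how Apache 2.4 merges <Directory> sections: matching sections are applied from the shortest directory path to the longest, so the most specific one wins. It assumes a constructed config with the vhost-level grant for /opt/bitnami/wordpress plus the deny block from this thread, treats the mod_authz_core IfModule branch as the active one, and ignores FilesMatch and .htaccess overrides.

```python
"""Model of Apache 2.4 <Directory> merging for Require all granted/denied.
Added example, not Bitnami's or Apache's code; it only handles Directory
and Require, treats <IfModule mod_authz_core.c> as active (Apache 2.4),
and ignores FilesMatch and per-directory .htaccess files."""
import re

# Constructed sample: the vhost root grant plus the deny block from the thread.
SAMPLE_CONF = """
<Directory "/opt/bitnami/wordpress">
  Require all granted
</Directory>
<Directory "/opt/bitnami/wordpress/wp-content/uploads/woocommerce_uploads">
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S)
IFMOD_RE = re.compile(r'<IfModule\s+(!?)mod_authz_core\.c>(.*?)</IfModule>', re.S)


def parse_directory_rules(conf):
    """Return {directory_path: 'granted'|'denied'} for each <Directory>
    section that carries a Require all rule after IfModule evaluation."""
    rules = {}
    for path, body in DIR_RE.findall(conf):
        # Keep only the non-negated mod_authz_core branch (Apache 2.4 has it loaded).
        body = IFMOD_RE.sub(lambda m: m.group(2) if m.group(1) == "" else "", body)
        match = re.search(r'Require\s+all\s+(granted|denied)', body)
        if match:
            rules[path.rstrip("/")] = match.group(1)
    return rules


def effective_access(rules, file_path):
    """Apply matching <Directory> sections shortest-path first, as Apache
    does, so the deepest matching section decides. None means no section matched."""
    result = None
    for path in sorted(rules, key=lambda p: p.count("/")):
        if file_path == path or file_path.startswith(path + "/"):
            result = rules[path]
    return result
```

With the sample config, a file under woocommerce_uploads/2024/01 resolves to denied even though the parent WordPress directory grants access, which is the behaviour the thread expects from the htaccess.conf block.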

@alexookah
Author

OK, eventually after some days it suddenly worked.
Closing this issue as resolved. Not sure why it wasn't working in the first place.
