[WordPress] htaccess woocommerce uploads - public accessible #1575
Comments
https://docs.bitnami.com/general/apps/wordpress/administration/use-htaccess/
No, whatever you write in the wordpress-htaccess.conf file will be taken into account. Please remember to restart Apache by using /opt/bitnami/ctlscript.sh
Please make sure to write the correct path in the Directory block. I understand you used the correct path there but just to double check.
WooCommerce automatically generates an .htaccess file within the wp-content/uploads/woocommerce_uploads/ directory to prevent unauthorized access to files. The content of this .htaccess file is:
This should block all direct HTTP requests to files within this directory, but it seems to be ineffective. I believe because we have to add this entry manually in the Apache conf.
Steps Taken to Secure Directory
Defined Access Restrictions for the Main Directory
I added a directive for the wp-content/uploads/woocommerce_uploads directory in my Apache configuration:
Attempted to Restrict only Subdirectories Specifically
Restarted Apache
After each configuration change, I ensured that Apache was restarted to apply the new settings. Despite these configurations, files within the
I have a feeling that those Directory entries are working only for plugins and not for other WordPress directories.
Yes, Apache is not reading the .htaccess files by default and it uses the information in the htaccess.conf file you edited.
Apache reads that file and the configuration should be working as expected. I do not know if there are other .htaccess files in the woocommerce_uploads directory tree that should be moved to the general htaccess.conf file. As a workaround, you can edit the WordPress vhosts files inside the /opt/bitnami/apache/conf/vhosts folder and set
Ok eventually after some days it suddenly worked.
Describe your issue as much as you can
I am trying to secure the woocommerce_uploads directory in my Bitnami WordPress installation using Apache 2.4 by denying access through the directive in the APPNAME-htaccess.conf file. However, the configuration does not seem to be applied as expected, and unauthorized access to the files within this directory is still possible.
Environment
Platform: Bitnami WordPress
Apache Version: 2.4.58 (Unix)
Location of Configuration File:
/opt/bitnami/apache/conf/vhosts/htaccess/APPNAME-htaccess.conf
Steps to Reproduce
Configuration File:
I added the following configuration to
/opt/bitnami/apache/conf/vhosts/htaccess/wordpress-htaccess.conf
Testing Access:
Attempted to access files in the woocommerce_uploads directory via a browser to check if the access was correctly denied.
Expected Behavior
Access to the woocommerce_uploads directory and all its files should be denied, preventing unauthorized users from accessing any files within this directory.
Actual Behavior
Despite the configuration in the APPNAME-htaccess.conf file, files within the woocommerce_uploads directory are still accessible. The Require all denied directive does not seem to be enforced.
Troubleshooting Steps Taken
Verified Configuration:
Confirmed that the configuration file is correctly edited and saved.
Restarted Apache:
Restarted Apache multiple times to ensure the new configuration is loaded.
Checked Apache Syntax:
Ran the configuration test command:
sudo apachectl configtest
This returned Syntax OK.
Additional Information
APPNAME-htaccess.conf Path: Confirmed that the file path is correct and changes are reflected in the file.
Module Check: Verified that mod_authz_core is loaded, as the configuration is intended for Apache 2.4.
Suspicion and Request for Clarification
I suspect that the current .htaccess configuration setup in Bitnami might only be effective for plugin-related directories and not other directories like woocommerce_uploads. Could you please confirm if the .htaccess management in Bitnami WordPress installations is restricted to certain directories or types of content?
Request for Assistance
Please help identify why the directive is not being applied as expected. Are there any additional configurations or steps required to ensure that access to the woocommerce_uploads directory is properly restricted?
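Added example, not part of the issue or of Bitnami's tooling: a check of which `Require all` rule the literal `<Directory>` blocks in a config file give for a path, since the replies stress getting the Directory path right. The function name `effective_require`, the sample config and the `/opt/bitnami/wordpress` install root are assumptions.

```shell
#!/bin/sh
# effective_require CONF DIR
# Prints the "Require all ..." verdict (denied/granted) from the most specific
# literal <Directory> block in CONF that covers DIR, or "none" if no block does.
# Assumptions: literal paths only (no wildcards, <DirectoryMatch>, <Location>),
# default AuthMerging Off, so the longest matching path's Require wins.
effective_require() {
    _conf=$1
    _dir=${2%/}
    awk -v target="$_dir" '
        tolower($1) == "<directory" {
            # Keep only the path: drop the tag, the closing ">", quotes, trailing "/".
            path = $0
            sub(/^[ \t]*<[A-Za-z]+[ \t]+/, "", path)
            sub(/>[ \t]*$/, "", path)
            gsub(/"/, "", path)
            sub(/\/$/, "", path)
            inblock = 1
            next
        }
        tolower($1) == "</directory>" { inblock = 0; next }
        inblock && tolower($1) == "require" && tolower($2) == "all" {
            # A block applies when its path is DIR itself or an ancestor of DIR.
            applies = (path == target) || (index(target, path "/") == 1)
            if (applies && length(path) >= best) {
                best = length(path)
                verdict = tolower($3)
            }
        }
        END { print (verdict == "" ? "none" : verdict) }
    ' "$_conf"
}

# Constructed sample: the deny block's path is missing the "uploads" segment,
# so it never covers the real directory. /opt/bitnami/wordpress is an assumed
# install root, not a path taken from the issue.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory "/opt/bitnami/wordpress">
    Require all granted
</Directory>
<Directory "/opt/bitnami/wordpress/wp-content/woocommerce_uploads">
    Require all denied
</Directory>
EOF
dir=/opt/bitnami/wordpress/wp-content/uploads/woocommerce_uploads
echo "$dir -> $(effective_require "$sample" "$dir")"   # prints "... -> granted"
rm -f "$sample"
```

A "denied" verdict here only describes the parsed file; the check from the Testing Access step, requesting a file in the directory and confirming the server refuses it, remains the final test.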