Transition Technology: Ticket #891: Issue with TTT and REconomy websites after upgrade to WP 4.4

attachment set

sam — Thu, 17 Dec 2015 11:26:12 GMT

attachment set to reconomy.png

sam — Thu, 17 Dec 2015 11:28:18 GMT

Hi Laura

The site looks OK to me (see screenshot)

I can also access the image here: https://www.reconomy.org/wp-content/uploads/2015/10/hubs-logos-landscape.jpg

It looks OK from New York too: http://tools.pingdom.com/fpt/#!/bVVveJ/www.reconomy.org

So could it be a proxy or cache on your local machine that's playing up?

Thanks

Sam

hours, totalhours changed

chris — Thu, 17 Dec 2015 11:51:06 GMT

hours changed from 0.0 to 0.5
totalhours changed from 0.0 to 0.5

Replying to sam:

The site looks OK to me (see screenshot)

I fixed it before you looked at it by the sounds of it!

Replying to chris:

I've also added Wordfence to the sites too as there are swathes of brute force attacks happening on lots of WP sites everywhere currently and this plugin seems to help somewhat currently. I don't think it's the Wordfence plugin, as disabled it to test the missing images issue.

It was this file that Wordfence created, /home/reconomy/sites/default/ .htaccess that contained:

# BEGIN Wordfence code execution protection
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# END Wordfence code execution protection

The Apache config doesn't allow Options so if we want to disable php from running in the wp-content/uploads/ directory (which is a good idea) we need to edit the templates used to generate the Apache config, I have now done this and rebuilt the Apache config for all WordPress sites.

I agree regarding the brute force attacks, what I have been doing elsewhere is using fail2ban, I have suggested we install this, see ticket:871 and ticket:851 and I said in ticket:887#comment:1

I'd very much like to rebuild ParrotServer with a newer version of Debian and the Webarchitects hosting scripts as these support Let's Encrypt, Piwik (adding accounts and installing the wp-piwik plugin automatically), the WordPress stop-xmlrpc-attack plugin and also fail2ban for WordPress and phpMyAdmin, see also ticket:875 and ticket:851.

hours, totalhours changed

chris — Thu, 17 Dec 2015 12:11:32 GMT

hours changed from 0.0 to 0.15
totalhours changed from 0.5 to 0.65

I have also edited, /wp-content/uploads/delightful-downloads/.htaccess for both sites to comment out:

#Options -Indexes
deny from all

laura — Thu, 17 Dec 2015 18:06:18 GMT

Just a quick note to say thanks Chris for fixing, happy for other plugins such as fail2ban (not used as yet) to be added.

cc, status changed

sam — Wed, 28 Sep 2016 13:03:32 GMT

cc laura removed
status changed from new to assigned

sam — Wed, 28 Sep 2016 13:08:25 GMT

Hi Chris

We've just spotted that all the images & files seem to have disappeared from the Reconomy site.

I've just tried re-uploading an image and that doesn't seem to work. In the frontend it seems to upload & generates a URL for it: http://www.reconomy.org/wp-content/uploads/2016/09/TransitionFollowerKeywords.png

But it gives a: Server error! The server encountered an internal error and was unable to complete your request Either the server is overloaded or there was an error in a CGI script.

I do have backups that I could restore from, but I was just wondering if you had any thoughts on why this might have happened?

Googling it suggests it might be a htaccess thing? But I don't suppose you've made any changes to that recently?

Thanks

Sam

hours, totalhours changed

chris — Wed, 28 Sep 2016 13:17:46 GMT

hours changed from 0.0 to 0.15
totalhours changed from 0.65 to 0.8

Hi, fixed, it was the same issue as before, this was the error in ~/logs/error.log:

[Wed Sep 28 14:08:38 2016] [alert] [client XX.XX.XX.XX] /home/reconomy/sites/default/wp-content/uploads/.htaccess: php_flag not allowed here

So I edited that file to comment out the disallowed lines:

# BEGIN Wordfence code execution protection
#<IfModule mod_php5.c>
#php_flag engine 0
#</IfModule>
#<IfModule mod_php7.c>
#php_flag engine 0
#</IfModule>
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
#Options -ExecCGI
# END Wordfence code execution protection

I have also edited the template that generates the Apache config to make it more permissive:

  #AllowOverride AuthConfig Indexes FileInfo Limit
  AllowOverride ALL

And rebuilt the config.

hours, totalhours changed

chris — Wed, 28 Sep 2016 13:28:44 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.8 to 0.9

I have re-edited the /home/reconomy/sites/default/wp-content/uploads/.htaccess file back to how it was originally:

# BEGIN Wordfence code execution protection
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
<IfModule mod_php7.c>
php_flag engine 0
</IfModule>
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# END Wordfence code execution protection

And tested the image and it all seems fine.

chris — Wed, 28 Sep 2016 13:30:10 GMT

In terms of how it happened -- a WordPress plugin will have updated the .htaccess file and caused it, but it won't happen again as the directives not allowed before are now allowed.

status changed; resolution set

sam — Wed, 28 Sep 2016 13:32:21 GMT

status changed from assigned to closed
resolution set to fixed

Great, thanks Chris.

laura — Wed, 28 Sep 2016 19:52:46 GMT

Hi Chris and Sam Just to let you know, that Reconomy didn't update their maintenance contract with me this year and I haven't touched their site since Jan/Feb?, so I possibly don't need to be added to the ticket (I still do periodic updates on the TTT site as and when they need me) ...Wordfence (and WP core) may be set to auto update upon release or they/you may be running the updates now with the Wordfence one causing this issue every so often. Best Laura

cc changed

chris — Wed, 28 Sep 2016 20:04:02 GMT

cc laura added; ade removed

Hi Laura, The TTT sites are now running on Webarchitects shared hosting and if they use the same plugin they might also hit this issue, let me know via a direct email if you need the SFTP login for these sites, or get them from admin@….

Also it is perhaps worth noting that although this Wordfence .htaccess files is designed to make the site safer, we already have rules that cover this in the main Apache config and by not allowing some directives in .htaccess files it makes the server more secure, so the edit I did to allow the Wordfence .htaccess file makes things less secure, this isn't something we would do on our shared servers...

In terms of the Reconony site, I'm clueless what the plan is for it or where or when it is due to move, but someday the server it is running on is due to be shutdown, but again I have no idea when, see ticket:924.

laura — Wed, 28 Sep 2016 20:11:58 GMT

Hi Chris I hope all is well, yes, the TTT site needs an update of the word fence plugin as I've had an email notification saying there's an update available from their site notifications come through today (I'm not sure if TTT's is set to auto update or not 24 hours after coming available). Happy to remove word fence on TTT if not needed from your perspective. I have no news on plans or not for REconomy, the person who took over from Fi was going to get in touch at the start of the year but never did, so haven't been managing that site.