Ticket #891 (closed maintenance: fixed)

Opened 11 months ago

Last modified 8 weeks ago

Issue with TTT and REconomy websites after upgrade to WP 4.4

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Parrot server Keywords:
Cc: sam, laura Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.9

Description

Email from Laura:

Just to let you know there's a bit of an oddity going on with both the TTT and
Reconomy websites.

I upgraded to WP 4.4 after running full tests on my local copies here, and for
some odd reason images aren't showing on the site. If you try to open an
image in the browser eg
https://www.reconomy.org/wp-content/uploads/2015/10/hubs-logos-landscape.jpg
takes you to the -
"Server error!
The server encountered an internal error and was unable to complete your
request
Either the server is overloaded or there was an error in a CGI script.
Please return to the front page of the site."

I've updated over 20 sites over the past few days (!) and these are the only
two this has happened on.
There are a few discussions here (and I have tried the temp fix of various
functions.php tweaks in the theme files to see if that helps, but it
doesn't)...
https://wordpress.org/support/topic/after-upgrade-to-44-media-files-are-not-showing
and even though the sites don't appear to use SSL, I'm wondering if it's related
somehow to that or something else? Has this happened to any other WP 4.4 sites on your
servers?

I'll let TTT and REconomy know their site has been updated, but there is a
glitch at present.

I've also added Wordfence to the sites too as there are swathes of brute force
attacks happening on lots of WP sites everywhere currently and this plugin
seems to help somewhat currently. I don't think it's the Wordfence plugin, as
disabled it to test the missing images issue.

Attachments

reconomy.png (355.9 KB) - added by sam 11 months ago.

Change History


comment:1 Changed 11 months ago by sam

Hi Laura

The site looks OK to me (see screenshot)

I can also access the image here: https://www.reconomy.org/wp-content/uploads/2015/10/hubs-logos-landscape.jpg

So could it be a proxy or cache on your local machine that's playing up?

Thanks

Sam


comment:2 Changed 11 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 0.0 to 0.5

Replying to sam:

The site looks OK to me (see screenshot)

I fixed it before you looked at it by the sounds of it!

Replying to chris:

I've also added Wordfence to the sites too as there are swathes of brute force
attacks happening on lots of WP sites everywhere currently and this plugin
seems to help somewhat currently. I don't think it's the Wordfence plugin, as
disabled it to test the missing images issue.

It was this file that Wordfence created, /home/reconomy/sites/default/.htaccess, that contained:

# BEGIN Wordfence code execution protection
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>

AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# END Wordfence code execution protection

The Apache config doesn't allow Options, so if we want to disable PHP from running in the wp-content/uploads/ directory (which is a good idea) we need to edit the templates used to generate the Apache config. I have now done this and rebuilt the Apache config for all WordPress sites.

I agree regarding the brute force attacks. What I have been doing elsewhere is using fail2ban; I have suggested we install this, see ticket:871 and ticket:851, and as I said in ticket:887#comment:1:

I'd very much like to rebuild ParrotServer with a newer version of Debian and the Webarchitects hosting scripts as these support Let's Encrypt, Piwik (adding accounts and installing the wp-piwik plugin automatically), the WordPress stop-xmlrpc-attack plugin and also fail2ban for WordPress and phpMyAdmin, see also ticket:875 and ticket:851.

comment:3 Changed 11 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 0.5 to 0.65

I have also edited /wp-content/uploads/delightful-downloads/.htaccess for both sites to comment out:

#Options -Indexes
deny from all

comment:4 Changed 11 months ago by laura

Just a quick note to say thanks Chris for fixing, happy for other plugins such as fail2ban (not used as yet) to be added.

comment:5 Changed 8 weeks ago by sam

  • Cc laura removed
  • Status changed from new to assigned

comment:6 Changed 8 weeks ago by sam

Hi Chris

We've just spotted that all the images & files seem to have disappeared from the Reconomy site.

I've just tried re-uploading an image and that doesn't seem to work. In the frontend it seems to upload & generates a URL for it: http://www.reconomy.org/wp-content/uploads/2016/09/TransitionFollowerKeywords.png

But it gives a:
Server error!
The server encountered an internal error and was unable to complete your request
Either the server is overloaded or there was an error in a CGI script.

I do have backups that I could restore from, but I was just wondering if you had any thoughts on why this might have happened?

Googling it suggests it might be a htaccess thing? But I don't suppose you've made any changes to that recently?

Thanks

Sam

comment:7 Changed 8 weeks ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 0.65 to 0.8

Hi, fixed. It was the same issue as before; this was the error in ~/logs/error.log:

[Wed Sep 28 14:08:38 2016] [alert] [client XX.XX.XX.XX] /home/reconomy/sites/default/wp-content/uploads/.htaccess: php_flag not allowed here

So I edited that file to comment out the disallowed lines:

# BEGIN Wordfence code execution protection
#<IfModule mod_php5.c>
#php_flag engine 0
#</IfModule>
#<IfModule mod_php7.c>
#php_flag engine 0
#</IfModule>

AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
#Options -ExecCGI
# END Wordfence code execution protection

I have also edited the template that generates the Apache config to make it more permissive:

  #AllowOverride AuthConfig Indexes FileInfo Limit
  AllowOverride ALL

And rebuilt the config.
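A small check for the failure mode described in comment:2 and comment:7, added here as an example (it is not Wordfence's code nor the Webarchitects hosting scripts): it lints a .htaccess file against the vhost's AllowOverride setting and lists the directives Apache would refuse with "not allowed here", which is the error that turned every request to wp-content/uploads/ into a 500. The override classes come from the Apache and mod_php documentation; the sample .htaccess is a constructed copy of the Wordfence block quoted above.

```python
# Added example for this ticket (not Wordfence's or the hosting scripts' code):
# lint a .htaccess file against the vhost's AllowOverride setting to predict the
# "php_flag not allowed here" 500 error from comment:7.

# Override class each directive needs in .htaccess (Apache and mod_php docs;
# only directives relevant to this ticket are listed).
OVERRIDE_CLASS = {
    "php_flag": "Options", "php_value": "Options", "options": "Options",
    "addhandler": "FileInfo", "sethandler": "FileInfo", "addtype": "FileInfo",
    "rewriteengine": "FileInfo", "rewriterule": "FileInfo", "header": "FileInfo",
    "deny": "Limit", "allow": "Limit", "order": "Limit",
    "authtype": "AuthConfig", "require": "AuthConfig", "directoryindex": "Indexes",
}
# Directives never permitted in .htaccess, whatever AllowOverride says.
NEVER_IN_HTACCESS = {"php_admin_flag", "php_admin_value"}

def parse_allow_override(value):
    """Turn 'AuthConfig Indexes FileInfo Limit', 'All' or 'None' into a set."""
    words = {w.lower() for w in value.split()}
    if "all" in words:
        return set(OVERRIDE_CLASS.values())
    return {c for c in OVERRIDE_CLASS.values() if c.lower() in words}

def disallowed_directives(htaccess_text, allow_override):
    """Return [(line_no, directive)] Apache would reject with 'not allowed here'."""
    allowed = parse_allow_override(allow_override)
    bad = []
    for n, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and container tags such as <IfModule mod_php5.c>:
        # the container needs no override, only the directives it wraps do.
        if not line or line[0] in "#<":
            continue
        directive = line.split()[0]
        cls = OVERRIDE_CLASS.get(directive.lower())
        if directive.lower() in NEVER_IN_HTACCESS or (cls and cls not in allowed):
            bad.append((n, directive))
    return bad

# Constructed copy of the Wordfence block quoted in comment:2, for the demo.
WORDFENCE_HTACCESS = """\
# BEGIN Wordfence code execution protection
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>

AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# END Wordfence code execution protection
"""
```

With the template's original "AuthConfig Indexes FileInfo Limit" the first hit is php_flag, matching the error.log line above; with "ALL" nothing is rejected, which is the trade-off discussed later in this ticket.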

comment:8 Changed 8 weeks ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.8 to 0.9

I have re-edited the /home/reconomy/sites/default/wp-content/uploads/.htaccess file back to how it was originally:

# BEGIN Wordfence code execution protection
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
<IfModule mod_php7.c>
php_flag engine 0
</IfModule>

AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# END Wordfence code execution protection

And tested the image and it all seems fine.

comment:9 Changed 8 weeks ago by chris

In terms of how it happened -- a WordPress plugin will have updated the .htaccess file and caused it, but it won't happen again as the directives not allowed before are now allowed.

comment:10 Changed 8 weeks ago by sam

  • Status changed from assigned to closed
  • Resolution set to fixed

Great, thanks Chris.

comment:11 Changed 8 weeks ago by laura

Hi Chris and Sam
Just to let you know that Reconomy didn't update their maintenance contract with me this year and I haven't touched their site since Jan/Feb(?), so I possibly don't need to be added to the ticket (I still do periodic updates on the TTT site as and when they need me)... Wordfence (and WP core) may be set to auto update upon release, or they/you may be running the updates now, with the Wordfence one causing this issue every so often.
Best Laura

comment:12 Changed 8 weeks ago by chris

  • Cc laura added; ade removed

Hi Laura, the TTT sites are now running on Webarchitects shared hosting and if they use the same plugin they might also hit this issue. Let me know via a direct email if you need the SFTP login for these sites, or get them from admin@….

Also it is perhaps worth noting that although this Wordfence .htaccess file is designed to make the site safer, we already have rules that cover this in the main Apache config, and not allowing some directives in .htaccess files makes the server more secure, so the edit I did to allow the Wordfence .htaccess file makes things less secure; this isn't something we would do on our shared servers...

In terms of the Reconomy site, I'm clueless what the plan is for it or where or when it is due to move, but someday the server it is running on is due to be shut down; again I have no idea when, see ticket:924.

comment:13 Changed 8 weeks ago by laura

Hi Chris
I hope all is well. Yes, the TTT site needs an update of the Wordfence plugin, as I've had an email notification from their site notifications come through today saying there's an update available (I'm not sure if TTT's is set to auto update or not, 24 hours after it becomes available). Happy to remove Wordfence on TTT if not needed from your perspective. I have no news on plans or not for REconomy; the person who took over from Fi was going to get in touch at the start of the year but never did, so I haven't been managing that site.
