  • Hi @tylertork,

    The settings below are known to cause similar problems (in general, not specifically for the Matomo plugin):

    1. Security > Settings > CONFIGURE > Lockouts > BAN USERS – Default Ban List

    2. Security > Settings > Advanced > SYSTEM TWEAKS – (PHP Execution) Disable PHP in Uploads/Plugins/Themes

    If currently enabled, disabling one or more of these (4) settings may help.

    +++++ To prevent any confusion, I’m not iThemes +++++

    • This reply was modified 2 years, 3 months ago by nlpro.
    Thread Starter Tyler Tork

    (@tylertork)

    I confirm unchecking “Disable PHP in Plugins” was enough to get it working. I ask again that iThemes just make this work for Matomo and maybe a few other popular plugins that have a legitimate need for this.

    Thread Starter Tyler Tork

    (@tylertork)

    I have documented the solution here: https://torknado.com/2022/12/ithemes-security-incompatibility-with-matomo/ in hopes others having the same problem will find it when they search.

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @tylertork, I’m glad to hear that nlpro’s recommendation helped resolve the conflict with the Matomo plugin. Thank you for documenting it as well. I’ll now mark this topic as resolved. Please don’t hesitate to reach out to us if you have other concerns that you’d like us to assist with.

    Thread Starter Tyler Tork

    (@tylertork)

    It sounds like you have no intention of doing anything to make this less of a problem in the future. Can your program not write the .htaccess rules to exempt certain folders of plugins known to securely use PHP files, so we can have the benefits of PHP-execution protection generally while still allowing it where needed?

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @tylertork, thank you for your feedback. I can submit this as a feature request, but I can’t provide an exact date for when this feature will be available or, if possible, as certain factors must be considered before implementing one.

    Hi @tylertork,

    The Disable PHP in Plugins setting generates the .htaccess rule below (when using Apache web server):

    # Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
    RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

    IMHO plugin directory exceptions can easily be implemented using additional (negating) RewriteCond entries, e.g.:

    # Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
    RewriteCond %{REQUEST_URI} !/wp\-content/plugins/matomo/.*$ [NC]
    RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F,L]

    Also note the additional L flag in the RewriteRule line.

    So when the plugin UI provides a means of specifying plugin directories to exclude, this enhancement can easily be realised.

    I actually tested the above writing a piece of PHP code that overrules the default .htaccess rule and by including that PHP code into the active theme’s functions.php file. Works perfectly;-)

    Correction. According to the Apache RewriteRule Flags doc:

    When using [F], an [L] is implied – that is, the response is returned immediately, and no further rules are evaluated.

    So please ignore the note about the added L flag. There is no need for the L flag in the RewriteRule.

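The exemption approach discussed in this thread, as an added example (not code from the thread, iThemes Security or Matomo): a small Python model that writes the negated RewriteCond lines for a list of exempt plugin directories and checks which constructed request paths the rule set would answer with 403. The function names, the slug format and the `^` anchor on the condition are assumptions of this example; Python's `re` stands in for Apache's PCRE, and WordPress is assumed to sit at the document root.

```python
import re

# RewriteRule pattern quoted in the thread (flags [NC,F]).
RULE_PATTERN = r"^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$"
RULE = re.compile(RULE_PATTERN, re.I)
SLUG = re.compile(r"[a-z0-9][a-z0-9-]*")  # assumed plugin-directory slug format


def exemption_conds(slugs, anchored=True):
    """Return one CondPattern per exempt plugin directory.

    anchored=False behaves like the condition posted in the thread (a
    RewriteCond regex matches anywhere in the URI unless it starts with ^).
    """
    conds = []
    for slug in slugs:
        if not SLUG.fullmatch(slug):  # keep regex metacharacters out of .htaccess
            raise ValueError(f"refusing unsafe plugin slug: {slug!r}")
        prefix = "^" if anchored else ""
        conds.append(f"{prefix}/wp\\-content/plugins/{re.escape(slug)}/")
    return conds


def htaccess_block(slugs, anchored=True):
    """Render the rule with its exemptions as .htaccess text."""
    lines = ["# Disable PHP in Plugins, with exempted plugin directories"]
    lines += [f"RewriteCond %{{REQUEST_URI}} !{c} [NC]"
              for c in exemption_conds(slugs, anchored)]
    lines.append(f"RewriteRule {RULE_PATTERN} - [NC,F]")
    return "\n".join(lines)


def is_forbidden(request_uri, slugs, anchored=True):
    """True if the modelled rule set would return 403 for this URI path."""
    # In .htaccess context the RewriteRule sees the path without its leading slash.
    if not RULE.search(request_uri.lstrip("/")):
        return False
    # Consecutive RewriteConds are ANDed; each one here is negated.
    return all(not re.search(c, request_uri, re.I)
               for c in exemption_conds(slugs, anchored))


if __name__ == "__main__":
    constructed_requests = [  # sample paths made up for this example
        "/wp-content/plugins/matomo/app/index.php",
        "/wp-content/plugins/other-plugin/admin.php",
        "/wp-content/plugins/other-plugin/wp-content/plugins/matomo/x.php",
    ]
    print(htaccess_block(["matomo"]))
    for uri in constructed_requests:
        for anchored in (False, True):
            print(anchored, is_forbidden(uri, ["matomo"], anchored), uri)
```

The third constructed path is the case worth checking before deploying an exemption: without the `^` anchor the condition also matches a `matomo` directory nested under another plugin's folder, so that request is not blocked.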
  • The topic ‘iThemes Security disables Matomo plugin’ is closed to new replies.