Allow exceptions to "Direct PHP files access"
I'd find it really useful to be able to add exceptions to this rule by specifying specific URLs you want to allow direct access for. For example, it might be necessary to have this for AJAX calls to PHP.
I would like to see this too. FiboSearch - a popular product search engine for WooCommerce - does use a PHP file to greatly increase the speed of the AJAX results. It is very noticeable when you start typing in the search engine. Here is why they use a custom AJAX endpoint - https://fibosearch.com/documentation/troubleshooting/the-search-endpoint-url-is-blocked/#why-do-we-use-a-custom-ajax-endpoint-instead-of-using-admin-ajax-php-or-wp-rest-api-only-for-geeks
Has anyone found any workaround for this?
Mark T commented
yeah - me too... Why can't users edit and have access to this basic information?
I'm going to move away...
It is impossible to efficiently manage request rules only via .htaccess files, as these (1) can be modified by plugins, (2) don't work recursively properly, and (3) directory rules cannot be set in a central location.
Especially with the combination setup with Nginx and Apache web server (which I really like) it is hard and inefficient (high workload) to manage.
I would really appreciate it if you enabled customers to change some configurations (at the vhost level) for both Nginx and Apache.
I have a long ticket discussion to find a secure solution regarding "DIRECT PHP FILES ACCESS" which is unfortunately without a solution.
It could be easily managed only by giving some access to the config or even allowing Cloudways support staff to change the Nginx settings ...
Thank you for your help and for your efforts. ;-)
With all other Cloudways setup I am very happy!
It would be nice to be able to set the "Direct PHP Files Access" setting to Disable, but still allow access to specific PHP files that require direct access. For example, I have an AJAX search plugin for WordPress that needs a PHP file within its folder to be publicly accessible. I'd like to open up only that file for access while blocking access to all others for the best security.
Sebastián Herrera commented
The new feature is great, but it broke the PageLayer plugin (200,000+ downloads). For that specific case, I've also asked the developers for a workaround: https://wordpress.org/support/topic/direct-php-execution-blocked/.
David J Cooper commented
I need to edit the nginx conf to set up my application; currently this is not possible.
I needed to do some security tweaks and could not access the .conf file for Nginx to make the changes. I think it would be a good idea to allow access for customization. I wanted to be able to...
1. Prevent Information Disclosure
Often servers are incorrectly configured, and can allow an attacker to get access to sensitive information that can be used in attacks.
2. Prevent PHP execution
By default, a plugin/theme vulnerability could allow a PHP file to get uploaded into your site's directories and in turn execute harmful scripts that can wreak havoc on your website. Prevent this altogether by disabling direct PHP execution in directories that don't require it.
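Added example, not part of the thread and not Cloudways' own configuration: a sketch of how the requested behaviour (block direct PHP access, allow one named endpoint) can be expressed in plain Nginx. It assumes a generic Nginx + PHP-FPM site; the plugin path `example-search/ajax-endpoint.php` and the socket path are hypothetical placeholders.

```nginx
# Added example; the plugin path and PHP-FPM socket below are assumptions.
# These blocks go inside the site's server { } block.

# 1. Exception: an exact-match location is selected before any regex
#    location, so this single endpoint stays reachable even though the
#    deny rules below also match its URI.
location = /wp-content/plugins/example-search/ajax-endpoint.php {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
}

# 2. Never serve or execute script files from the uploads tree, where a
#    plugin/theme upload flaw could place an attacker-supplied file.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar)$ {
    return 403;
}

# 3. Deny direct requests for every other PHP file under wp-content.
location ~* ^/wp-content/.*\.php$ {
    return 403;
}

# 4. Remaining PHP (index.php, wp-login.php, wp-admin/...) uses the
#    normal handler. Regex locations are tested in file order, so this
#    block must come after the deny rules.
location ~ \.php$ {
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
}
```

Each allowed file should be listed by its full path as its own exact-match location; a directory-wide exception would reopen every PHP file a plugin ships.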