Deny access to a dot file (.user.ini)

#1
OK, newbie question here. I have a file called .user.ini created by the Wordpress "Wordfence" plugin. Wordfence is complaining this file (which it created) is accessible.
So the external address of the fuile would be:

https://mysite.com/.user.ini

I've tried blocking it using a RewriteRule (in the RewriteRule vhost section) such as the rule outlined in this post here:

https://forum.openlitespeed.org/threads/how-to-block-access-to-xmlrpc-php-file.2570/

Using a rule identical to the one in that post but with .user.ini added doesn't work as expected - for example:

RewriteRule ^/(xmlrpc\.php|wp-trackback\.php|\.user\.ini) - [F,L,NC]

This blocks xmlrpc.php and wp-trackback.php with a 403 fine, but access to .user.ini is still allowed. I've also tried this without backslashes (and/or removing the initial one).
I've also tried adding a context, either a unique context just for that filename or a general / context with a disallow in the rewrite rules similar to above. Still didn't work.
Is there something special about the fact it's a dot file?
 
#2
To add, I tried with a file called ".test.ini" and the following rule:

RewriteRule ^/\.test\.ini$ - [F,L,NC]

And this worked. Use equivalent rule for a file called ".user.ini" and it doesn't. Maybe something significant about the ".user.ini" filename in the code?
 

lslisa

Administrator
#4
Hey, Rufus. Glad you got it working. I'm going to leave the thread here in case it might help someone else, or maybe someone has an explanation as to why it behaved the way it did for you.
 
Top