I went through my web server logs and found a few internal errors that I would like to fix. Note that the website itself is working perfectly fine, i.e., a normal user won't notice any difference. I just see in my log that regularly (every few days) an internal error 500 occurs. I assume this is caused by automatic bot scans, but I would still like to address this properly.
When accessing the URL:
.php
For the following URIs:
/wp-includes/Requests/src/Proxy/Http.php/wp-includes/html-api/html5-named-character-references.php (and any other file in html-api)/wp-includes/Requests/src/Auth/Basic.phpCauses an error that looks like this (in /var/log/apache2/error.log):
[Thu Jan 02 15:12:18.866235 2025] [php7:error] [pid 754932] [client XXX] PHP Fatal error: Uncaught Error: Interface 'WpOrg\\Requests\\Proxy' not found in /var/www/html/wp-includes/Requests/src/Proxy/Http.php:24\nStack trace:\n#0 {main}\n thrown in /var/www/html/wp-includes/Requests/src/Proxy/Http.php on line 24
[Thu Jan 02 15:12:20.611898 2025] [php7:error] [pid 754907] [client XXX] PHP Fatal error: Uncaught Error: Class 'WP_Token_Map' not found in /var/www/html/wp-includes/html-api/html5-named-character-references.php:38\nStack trace:\n#0 {main}\n thrown in /var/www/html/wp-includes/html-api/html5-named-character-references.php on line 38
The files are all present and have the same content as a fresh Wordpress install (but I still tried completely reinstalling Wordpress as noted below)
I am using multisite. Everything else is rarely basic.
Some other internal errors could be fixed by using the updated .htaccess from here, but the ones above stayed.
I did all of the following and checked the pages after each modification, but
wp-content/sudo -u www-data wp core download --force --skip-content).htaccesswp-config.php: sudo -u www-data wp config create ...--> The errors still occurred as before
Adding the following block to my main .htaccess replaces the error by a 403 Forbidden. However, I would like to know if there is a better way to address this than blocking direct access to the file.
########################################
# Block direct access to includes folder
########################################
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=5]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
RewriteRule ^wp-includes/Requests/.*\.php$ - [F,L]
RewriteRule ^wp-includes/html-api/.*$ - [F,L]
</IfModule>
I.e., is blocking direct access to the files causing the errors the best solution and doesn't produce any other problems, or is there a better way to deal with this?
I went through my web server logs and found a few internal errors that I would like to fix. Note that the website itself is working perfectly fine, i.e., a normal user won't notice any difference. I just see in my log that regularly (every few days) an internal error 500 occurs. I assume this is caused by automatic bot scans, but I would still like to address this properly.
When accessing the URL:
https://mydomain.com/wp-includes/Requests/src/Proxy/Http.php
For the following URIs:
/wp-includes/Requests/src/Proxy/Http.php/wp-includes/html-api/html5-named-character-references.php (and any other file in html-api)/wp-includes/Requests/src/Auth/Basic.phpCauses an error that looks like this (in /var/log/apache2/error.log):
[Thu Jan 02 15:12:18.866235 2025] [php7:error] [pid 754932] [client XXX] PHP Fatal error: Uncaught Error: Interface 'WpOrg\\Requests\\Proxy' not found in /var/www/html/wp-includes/Requests/src/Proxy/Http.php:24\nStack trace:\n#0 {main}\n thrown in /var/www/html/wp-includes/Requests/src/Proxy/Http.php on line 24
[Thu Jan 02 15:12:20.611898 2025] [php7:error] [pid 754907] [client XXX] PHP Fatal error: Uncaught Error: Class 'WP_Token_Map' not found in /var/www/html/wp-includes/html-api/html5-named-character-references.php:38\nStack trace:\n#0 {main}\n thrown in /var/www/html/wp-includes/html-api/html5-named-character-references.php on line 38
The files are all present and have the same content as a fresh Wordpress install (but I still tried completely reinstalling Wordpress as noted below)
I am using multisite. Everything else is rarely basic.
Some other internal errors could be fixed by using the updated .htaccess from here, but the ones above stayed.
I did all of the following and checked the pages after each modification, but
wp-content/sudo -u www-data wp core download --force --skip-content).htaccesswp-config.php: sudo -u www-data wp config create ...--> The errors still occurred as before
Adding the following block to my main .htaccess replaces the error by a 403 Forbidden. However, I would like to know if there is a better way to address this than blocking direct access to the file.
########################################
# Block direct access to includes folder
########################################
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=5]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
RewriteRule ^wp-includes/Requests/.*\.php$ - [F,L]
RewriteRule ^wp-includes/html-api/.*$ - [F,L]
</IfModule>
I.e., is blocking direct access to the files causing the errors the best solution and doesn't produce any other problems, or is there a better way to deal with this?
Blocking access to things that should never be directly accessed is always the best solution.