wp-config.php file does not load properly in the file manager

Shaijee

AdamM

Shaijee You need to provide more details. What kind of webserver is it?

twest

Shaijee it's been brought up a few times before, I thought Adam said it was logged and would be fixed at some point.

Shaijee

AdamM It's happening for every server and site for me as I am using Cloudflare for the control panel. Every other files are loading fine, just the wp-config.php file.

I believe EnhanceCP should fix this conflict with Cloudflare.

Andreas

It's working fine for me. I'm running apache.

ivansalloum

Shaijee Why would use CF for the panel?

Shaijee

ivansalloum for Security.

JohnB

ivansalloum Perhaps for DDOS protection if they host content that attracts the crazies.

In my opinion if a modern panel has vulns that CF WAF would block, its going to have larger security issues that CF simply can't block. Ie privledge escalation or isolation issues.

@Shaijee I assume you are blocking traffic from non cloudflare IP's otherwise its quite trivial to get the control panel IP and access it directly, bypassing cloudflare.

ivansalloum

Shaijee What exactly?

Adam

Yes it's definitely caused by CloudFlare. It might be possible to disable the rule somewhere in the Cloudflare admin panel.

We are planning to slightly obfuscate the file name in the API request to avoid triggering the rule.

I don't think there is an benefit to using the CloudFlare proxy on your control panel domain. You wouldn't want to cache any of the API responses and Enhance already has very robust protection against things like SQL injection that their WAF might otherwise protect you from.

twest

Adam so many good reasons to put the panel behind Cloudflare, such as obfuscating the IP to help prevent DDOS, also to block bad bots, block countries, endless possibilities of Page Rules.

I could swear I already tested whitelisting the editor to prevent wp-config from possibly conflicting with Cloudflare. I thought in old convos it was said to be a security config on enhance's side that prevented wp-config from being edited?

ivansalloum

twest JohnB I don’t find reasons to use CF for the panel if you have it on a separate server. It doesn’t help that much. And it may conflict with many things in the future.

This was my first question to @Adam if I need to use the proxy option or not and said no.

Shaijee

JohnB I assume you are blocking traffic from non cloudflare IP's otherwise its quite trivial to get the control panel IP and access it directly, bypassing cloudflare.

No, it's the default setup. I just enabled the Bot Protection and whitelisted the server IPs on Cloudflare.

COLBYLICIOUS

If you want to use Cloudflare with panel you can disable the Cache for the subdomain of the panel in Cache Rules.

Shaijee

COLBYLICIOUS If you want to use Cloudflare with panel you can disable the Cache for the subdomain of the panel in Cache Rules.

Does not work.

Update:
P.S.: It's actually not a cache issue. The CF Firewall is blocking wp-config.php file. I found the solution and will share it soon.

Shaijee

I have fixed the issue with Cloudflare for me. Also, whitelisted all IPs in the "IP Access Rules".

(http.request.uri contains "/fs/")

sebdemb

Shaijee this worked perfectly, thanks

Omar

Shaijee and twest thanks for sharing their solutions using the /fs/ and /filerd/ rules. This exchange of ideas is valuable for everyone. I'd like to add some security information to help people make informed decisions.

About the /fs/ or /filerd/ rules

These solutions are quick and functional, especially in urgent situations. But it's important to understand what they mean.

Here's how the path works in the File Manager:
The typical structure is: /filerd/[UUID]/websites/[UUID]/fs/public_html%2Ffile

Important risks to consider: ⚠️

Excessive breadth: They bypass any URL containing "/fs/" or "/filerd/". This includes sensitive files like .env, .htaccess, etc.
You could lose protections. If all WAF (Web Application Firewall) rules are omitted, defenses against attacks such as SQLi/XSS, rate limiting, bot protection, etc., are exposed.
Potential attack vectors: An attacker could exploit vulnerabilities in the File Manager (e.g., code injection if there's a vulnerable plugin).
Loss of visibility: Cloudflare will stop logging events on these paths.

Optimized alternative – Recommended rule: ✅

Field: URI Path > Operator: ends with > Value: %2Fwp-config.php
Expression Preview: (ends_with(http.request.uri.path, "%2Fwp-config.php"))

WAF components to omit:

🔹 ONLY:

All managed rules
Managed rules (Previous version)

Benefits:

Pinpoint accuracy → Only affects wp-config.php.
Maximum security → Keeps other protections active.
Zero false positives → Does not interfere with other files.
Avoids exposing additional files.

Here's an example of a bypass with the optimized rule, which lets you edit the wp-config file in the file manager:

📌 If you use broad rules (/fs/ or /filerd/):

To minimize risks, omit only:

"All managed rules" + "Managed rules (Previous version)"
Constantly monitor logs.

The ideal security balance is achieved by striking a balance between:

🔹 Functionality → Being able to edit what's necessary.
🔹 Protection → Not exposing other resources.

Best regards,
Omar.

Shaijee

sebdemb this worked perfectly, thanks

Welcome!

xyzulu

I recall reading somewhere (but now nowhere in release notes) that this was slated for v12.0.0
I can’t find it on the roadmap now either.. did I miss something?

sikmo

xyzulu exactly. I already had ticket for this, because I thought it was fixed in v12 but apparently not. And it's not not roadmap even in planned.

xyzulu

sikmo have you received a reply to your ticket yet? At least I won’t add to Enhance workload with another ticket about this.