"YML files should not be accessible - warning"

[Tomxcontents]

Hi! In the diagnostics i got this warning: "The .yml files in the wp-content/plugins/matomo/app/vendor directory are accessible from the internet. This can cause some web security tools to flag your website as suspicious. If you are using Apache, it is probably due to your server configuration disabling the use of .htaccess files. If you are instead using nginx, it is due to your nginx configuration allowing .yml files. You may need to contact your hosting provider to fix this."

I wrote to my host provider to solve it, they said they did what think should be but still this the warning exist. They wrote me this: "We did whatever required from our end, still it showing same warning, it may be due to cache, by the way it's not a critical issue, still you can co-ordinate with the plugin developer and ask them what exactly they want us to disable from our server, we'll do that accordingly."

Can you be more specific how can they solve this problem? Thank you!

[diosmosis]

Hi @Tomxcontents, what needs to be done depends on the hosting provider. Can you visit https://yoursite.com/wp-content/plugins/app/vendor/matomo/device-detector/regexes/bots.yml in a browser (replace yoursite.com with your website)? If you see text data in your browser, then the file is still accessible. In this case you can tell your hosting provider that the warning will go away when accessing that URL is not allowed.

[Tomxcontents]

I get this massage. If its good and cant access any files why the plugin write still warning?

[diosmosis]

This means the hosting provider is returning a 200-300 HTTP response code for the request to that file (which in non-technical terms means, the hosting provider is saying the request was a success, even though the file wasn't found). It should ideally be sending a 404 or 403 code (which means "not found" or "not authorized" respectively). Would you be able to share the URL here or by email? I can check whether this is the case, and if so you can let your hosting provider know. (If by email, email dizzy (at) innocraft (dot) com.)

[Tomxcontents]

Thank you your help!

[redacted for security reasons]

[diosmosis]

Strange, everything looks fine there. Can you provide a copy of your system report: https://matomo.org/faq/wordpress/how-do-i-find-and-copy-the-system-report-in-matomo-for-wordpress/ ?

[Tomxcontents]

Sure.

              # Matomo

• Matomo Plugin Version: 5.1.0
• Config exists and is writable.: Yes ("$abs_path/wp-content/uploads/matomo/config/config.ini.php" )
• JS Tracker exists and is writable.: Yes ("$abs_path/wp-content/uploads/matomo/matomo.js" )
• Plugin directories: Yes ([{"pluginsPathAbsolute":"$abs_path\/wp-content\/plugins\/matomo\/plugins","webrootDirRelativeToMatomo":"..\/plugins"}])
• Tmp directory writable: Yes ($abs_path/wp-content/cache/matomo)
• Matomo Version: 5.1.0
• Matomo Blog idSite: 1
• Matomo Install Version: 4.15.3 (Install date: 2024-01-01 08:58:42)
• Upgrades outstanding: No
• Upgrade in progress: No

Endpoints

• Matomo JavaScript Tracker URL: ($site_url/wp-content/uploads/matomo/matomo.js)
• Matomo JavaScript Tracker - WP Rest API: ($site_url/wp-json/matomo/v1/hit/)
• Matomo HTTP Tracking API: ($site_url/wp-content/plugins/matomo/app/matomo.php)
• Matomo HTTP Tracking API - WP Rest API: ($site_url/wp-json/matomo/v1/hit/)

Crons

• Server time: 2024-07-08 05:09:19
• Blog time: 2024-07-08 06:09:19 (Below dates are shown in blog timezone)
• Sync users & sites: Next run: 2024-07-08 08:14:18 (2 hours 4 min) ( Last started: 2024-07-07 08:14:18 (-21 hours 55 min). Last ended: 2024-07-07 08:14:18 (-21 hours 55 min). Interval: daily)
• Archive: Next run: 2024-07-08 06:14:18 (4 min 59s) ( Last started: 2024-07-08 05:15:08 (-54 min 11s). Last ended: 2024-07-08 05:15:16 (-54 min 3s). Interval: hourly)
• Update GeoIP DB: Next run: 2024-08-03 08:14:18 (26 days 2 hours) ( Last started: 2024-07-04 08:14:32 (-3 days 21 hours). Last ended: 2024-07-04 08:14:33 (-3 days 21 hours). Interval: matomo_monthly)

Mandatory checks

• PHP version >= 7.2.5: ok
• PDO extension: ok
• PDO\MYSQL extension: ok
• MYSQLI extension: ok
• Other required extensions: ok
• Required functions: ok
• Required PHP configuration (php.ini): ok
• Directories with write access: ok
• Directories with write access for Tag Manager: ok

Optional checks

• 64-bit PHP Binary: ok
• Tracker status: ok
• Memory limit: ok
• Time zone: ok
• Open URL: ok
• GD > 2.x + FreeType (graphics): ok
• Other extensions: ok
• Other functions: ok
• Filesystem: ok
• Last Successful Archiving Completion: ok
• Database abilities: ok
• Max Packet Size: ok
• Geolocation: ok
• Update over HTTPS: ok
• Mobile Messaging SMS Provider: ok
• Supports Async Archiving: Yes
• Async Archiving Disabled in Setting: No
• Location provider ID: geoip2php
• Location provider available: Yes
• Location provider working: Yes
• Had visit in last 5 days: Yes
• Matomo URL: Yes ($site_url/wp-content/plugins/matomo/app/)
• Warning YML files should not be accessible: warning (The .yml files in the wp-content/plugins/matomo/app/vendor directory are accessible from the internet. This can cause some web security tools to flag your website as suspicious. If you are using Apache, it is probably due to your server configuration disabling the use of .htaccess files. If you are instead using nginx, it is due to your nginx configuration allowing .yml files. You may need to contact your hosting provider to fix this.)

Matomo Settings

• Track mode: default
• Track ecommerce: Yes
• Track codeposition: footer
• Track api endpoint: default
• Track js endpoint: default
• Version history: 5.1.0, 5.0.6, 5.0.5, 5.0.4, 5.0.3
• Core version: 5.1.0
• Last tracking settings update: 1720076894
• Last settings update: 1720076956
• Track content: all
• Track search: Yes
• Track 404: Yes
• Track jserrors: Yes

Logs

• None:

WordPress

• Home URL: $site_url
• Site URL: $site_url
• WordPress Version: 6.5.5
• Number of blogs: 1
• Multisite Enabled: No
• Network Enabled: No
• WP_DEBUG: No
• WP_DEBUG_DISPLAY: Yes
• WP_DEBUG_LOG: No
• DISABLE_WP_CRON: -
• FORCE_SSL_ADMIN: Yes
• WP_CACHE: Yes
• CONCATENATE_SCRIPTS: -
• COMPRESS_SCRIPTS: -
• COMPRESS_CSS: -
• ENFORCE_GZIP: -
• WP_LOCAL_DEV: -
• WP_CONTENT_URL: $site_url/wp-content
• WP_CONTENT_DIR: $abs_path/wp-content
• UPLOADS: -
• BLOGUPLOADDIR: -
• DIEONDBERROR: -
• WPLANG: -
• ALTERNATE_WP_CRON: -
• WP_CRON_LOCK_TIMEOUT: 60
• WP_DISABLE_FATAL_ERROR_HANDLER: -
• MATOMO_SUPPORT_ASYNC_ARCHIVING: -
• MATOMO_ENABLE_TAG_MANAGER: -
• MATOMO_SUPPRESS_DB_ERRORS: -
• MATOMO_ENABLE_AUTO_UPGRADE: -
• MATOMO_DEBUG: -
• MATOMO_SAFE_MODE: -
• MATOMO_GLOBAL_UPLOAD_DIR: -
• MATOMO_LOGIN_REDIRECT: -
• Permalink Structure: /%postname%/
• Possibly uses symlink: No
• Upload base url: $site_url/wp-content/uploads
• Upload base dir: $abs_path/wp-content/uploads
• Upload url: $site_url/wp-content/uploads/2024/07
• Custom upload_path:
• Custom upload_url_path:
• Compatible content directory: Yes
• WP_Filesystem Initialized: Yes

WordPress Plugins

• AdAce: 1.3.28
• Advanced Ads: 1.52.4
• Akismet Anti-spam: Spam Protection: 5.3.2
• Custom Twitter Feeds: 2.2.2
• Disable & Remove Google Fonts: 1.6.3
• Elementor: 3.22.3
• Forminator: 1.32
• Google Analytics for WordPress by MonsterInsights: 8.27.0
• Jetpack: 13.6
• Jetpack Boost: 3.4.6
• LiteSpeed Cache: 6.2.0.1
• Matomo Analytics - Ethical Stats. Powerful Insights.: 5.1.0
• Microsoft Clarity: 0.9.4
• NextGEN Gallery: 3.59.3
• OptinMonster: 2.16.3
• Paid Memberships Pro: 2.12.6
• Paid Member Subscriptions: 2.12.3
• Paid Member Subscriptions Pro: 1.4.4
• Portfolio Filter Gallery: 1.5.6
• Redirect Redirection: 1.2.2
• Redis Object Cache: 2.5.2 (Network enabled)
• Semrush SEO Writing Assistant: 1.2.1
• Simple Share Buttons Adder: 8.5.1
• Site Kit by Google: 1.130.0
• Super Page Cache for Cloudflare: 4.7.10
• Temporary Login Without Password: 1.8.3
• UserFeedback Lite: 1.0.16
• WordPress Hide Posts: 1.1.1
• WordPress Popular Posts: 7.0.1
• WPBakery Page Builder: 6.10.0
• WPCode Lite: 2.1.14
• WP Telegram Widget: 2.1.22
• XML Sitemap Generator for Google: 4.1.21
• Yoast Duplicate Post: 4.5
• Yoast SEO: 23.0
• Active Plugins: 29 (ad-ace:1.3.28 advanced-ads:1.52.4 custom-twitter-feeds:2.2.2 disable-remove-google-fonts:1.6.3 duplicate-post:4.5 google-analytics-for-wordpress:8.27.0 google-site-kit:1.130.0 insert-headers-and-footers:2.1.14 jetpack-boost:3.4.6 jetpack:13.6 jetpack:13.6 litespeed-cache:6.2.0.1 matomo:5.1.0 microsoft-clarity:0.9.4 paid-member-subscriptions-pro:1.4.4 paid-member-subscriptions:2.12.3 paid-memberships-pro:2.12.6 portfolio-filter-gallery:1.5.6 redirect-redirection:1.2.2 redis-cache:2.5.2 semrush-seo-writing-assistant:1.2.1 simple-share-buttons-adder:8.5.1 temporary-login-without-password:1.8.3 whp-hide-posts:1.1.1 wordpress-popular-posts:7.0.1 wordpress-seo:23.0 wp-cloudflare-page-cache:4.7.10 wptelegram-widget:2.1.22 nextgen-gallery:3.59.3)
• Theme: bimber (bimber)

Server

• Server Info: LiteSpeed
• PHP OS: Linux
• PHP Version: 8.1.27
• PHP SAPI: litespeed
• PHP Maxmind DB extension: Not loaded
• PHP Error Reporting: 4437 After bootstrap: 4437
• PHP Found Binary: /bin/php -q
• Timezone: UTC
• WP timezone: +01:00
• Locale: en_US
• User Locale: en_US
• Memory Limit: 20G (At least 128MB recommended. Depending on your traffic 256MB or more may be needed.)
• WP Memory Limit: 40M
• WP Max Memory Limit: 20G
• Timezone version: 2023.3
• Time: 1720415359
• Max Execution Time: 300
• Max Post Size: 8G
• Max Upload Size: 2147483648
• Max Input Vars: 10000
• Disabled PHP functions: No
• zlib.output_compression is off: Yes
• Curl Version: 7.61.1, OpenSSL/1.1.1k
• Suhosin installed: No

PHP cli

• PHP CLI Version: 8.1.27
• MySQLi support: ok
• PHP CLI configuration: Configured correctly

Database

• MySQL Version: 10.3.39
• Mysqli Connect: Yes
• Force MySQL over Mysqli: No
• DB Prefix: wp_
• DB CHARSET: utf8
• DB COLLATE:
• SHOW ERRORS: No
• SUPPRESS ERRORS: No
• Uses Socket: No
• Uses IPv6: No
• Matomo tables found: 69
• DB tables exist: Yes
• Matomo users found: 1
• Matomo sites found: 1
• Required permissions: OK

Browser

• Browser: (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36)
• Language: en-us,en

[diosmosis]

Thanks @Tomxcontents, I think I see the problem. It seems like your hosting provider blocks access to a file when a user tries to access it through the internet, but not when the server itself tries to access it. Your hosting provider could make a change to do things this way, but it's not really that important.

We'll also change the plugin to avoid this situation, but it may be a while before the change is released. For now, the issue is effectively fixed for you and you can ignore the warning.