Unable to open readme.html and other files after installing WordPress in Plesk: Forbidden


Applicable to:

  • Plesk for Linux

Symptoms

  • WordPress instance was installed using WP Toolkit or from Domains > example.com > Applications

  • One of the following messages is shown when accessing certain website pages in a web browser, such as readme.html, license.html, changelog.html, wp-config.php, etc.

    403 Forbidden
    nginx

    Forbidden
    You don't have permission to access /readme.html on this server.
    Apache Server at example.com Port 80

  • The following error is logged in /var/www/vhosts/system/example.com/logs/error_log:

    [Mon Dec 19 16:10:01.758907 2022] [authz_core:error] [pid 1912909:tid 140615702517312] [client 203.0.113.2:0] AH01630: client denied by server configuration: /var/www/vhosts/example.com/httpdocs/README.html

  • Vhost configuration files for the affected domain contain the following lines:

    • For Nginx: /var/www/vhosts/system/example.com/conf/nginx.conf

      #extension wp-toolkit begin
      ...
      location ~* "(?:wp-config\.bak|\.wp-config\.php\.swp|(?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|htm|html))" {
          return 403;
      }
      ...

    • For Apache: /var/www/vhosts/system/example.com/conf/httpd.conf

      ...
      <LocationMatch "(?i:(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html)))">
      Order allow,deny
      Deny from all
      </LocationMatch>
      ...

Cause

The additional directives are added by the security measure "Block access to sensitive files", which is enabled automatically when WordPress is installed via Plesk.

Resolution

This behaviour is expected: the Nginx and Apache rules are automatically added to the virtual host configuration files to improve the security of WordPress sites.
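
To confirm that a particular denial in error_log comes from this rule and not from some other access restriction, the logged paths can be checked against the same pattern. The script below is an added example, not part of Plesk or WP Toolkit; the function names and all sample log lines except the first are constructed, and it assumes request URLs map directly onto the document root.

```python
import re

# Pattern copied from the WP Toolkit nginx location block on this page.
# nginx "~*" and Apache "(?i:...)" make it case-insensitive, and it is
# unanchored, so it matches anywhere in the request path.
SENSITIVE = re.compile(
    r"(?:wp-config\.bak|\.wp-config\.php\.swp|"
    r"(?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|htm|html))",
    re.IGNORECASE,
)
# Apache 2.4 authz_core denial, in the format of the error_log line above.
AH01630 = re.compile(
    r"AH01630: client denied by server configuration: (?P<path>[^,\s]+)"
)
DOCROOT = "/var/www/vhosts/example.com/httpdocs"  # taken from the log line

def classify(line, docroot=DOCROOT):
    """Return (url_path, blocked_by_rule) for an AH01630 line, else None."""
    m = AH01630.search(line)
    if m is None:
        return None
    path = m.group("path")
    # Assumption: the URL maps directly onto the docroot (no Alias/rewrite).
    url = path[len(docroot):] if path.startswith(docroot) else path
    return url, SENSITIVE.search(url) is not None

def triage(lines, docroot=DOCROOT):
    """Split denied URLs into those the rule explains and those it does not."""
    result = {"expected": [], "investigate": []}
    for line in lines:
        hit = classify(line, docroot)
        if hit is not None:
            result["expected" if hit[1] else "investigate"].append(hit[0])
    return result

PREFIX = "[Mon Dec 19 16:10:01.758907 2022] [authz_core:error] [pid 1912909:tid 140615702517312] [client 203.0.113.2:0] AH01630: client denied by server configuration: "
SAMPLE_LOG = [
    PREFIX + DOCROOT + "/README.html",             # line from the page
    PREFIX + DOCROOT + "/wp-config.php",           # constructed
    PREFIX + DOCROOT + "/docs/theme-sample.html",  # constructed, non-core file
    PREFIX + DOCROOT + "/private/report.pdf",      # constructed, other deny rule
    "[Mon Dec 19 16:10:02.000000 2022] [core:notice] constructed unrelated line",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Paths listed under "investigate" are denied by something other than this security measure, so reverting it would not make them accessible.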

In order to disable these directives, perform the following steps:

Warning: Following the instructions below will reduce WordPress security and set the status to Danger in WP Toolkit.

  1. Log in to Plesk.

  2. Navigate to WordPress > example.com.

  3. Click View near the Security Status.

  4. Select the security measure "Block access to sensitive files" and click Revert.