Unable to edit posts or use plugin dashboard in WordPress dashboard after applying security measures by Plesk WordPress Toolkit

17 comments

  • Ben Hayes

    I'm still experiencing this issue despite following the "Resolution" step by adding the 2 lines to the additional nginx directives. I've applied this to the domain in question that is using WordPress and the OneSignal plugin and am still getting: A bad HTTP response code (403) was received when fetching the script.
    /wp-content/plugins/onesignal-free-web-push-notifications/sdk_files/OneSignalSDKWorker.js.php?appId=[myAppIdWouldBeHereButImHidingIt] Failed to load resource: net::ERR_INVALID_RESPONSE

  • Nikolay Zhmuk

    @Ben Hayes Click on "Check Security" button for the WP instance in Plesk and check if "Security of the wp-content folder" check-box is enabled or not. Disable it and check if the issue is gone or not. If the issue is still there then the cause is different than described in the article.

    Also, check this article https://github.com/OneSignal/OneSignal-WordPress-Plugin/issues/65

  • info

    I have the same problem, but I don't use nginx. What is the solution for apache?

  • Ivan Postnikov

    Hello @info, try this article.

  • info

    @Ivan Postnikov I think you made a mistake, because that's totally unrelated.

  • Ivan Postnikov

    @Info, in case you have correct ownership for the plugin files, further investigation is required to find the root cause.

    Consider creating a support request.

  • Atthawut Prathumrat

    Hello, I just followed this article but the issue is still there. But if I revert the "Security of the wp-content folder" as Nikolay Zhmuk said above, the problem is gone! I saw the "200 GET /wp-content/plugins/onesignal-free-web-push-notifications/sdk_files/OneSignalSDKWorker.js.php?appId=xxxxxxxxxx HTTP/1.0" occur from source Apache SSL/TLS access. So, is it an nginx or an Apache problem?

  • Alexander Tsmokalyuk

    @Atthawut the problem is neither nginx's nor Apache's. This is a problem (bug) of the WordPress Toolkit extension and it is currently being worked on.

  • Lenor

    Hi, today we invested more than 5 hours and NOTHING happened; every time we got a 403 from the template's JS/CSS minify script.

    The template was destroyed the whole time.

    The ONLY SOLUTION was to disconnect WordPress from the Toolkit. After that, it ran again.

    Strangely, before that we had just activated the NGINX cache via the Toolkit, and from that state on, nothing worked anymore.

    Somehow it must have restricted rights to wp-content/themes/css/script.php

  • Lenor

    Also the staging site is not working... it's loading the default template and not WordPress. Really unnecessary.

  • Bato Tsydenov

    @Lenor

    I would recommend that you submit a request to Plesk Support.
    Please check this article for more information:
    How to submit a request to Plesk support?

  • Aniello Martuscelli

    Hello,

    Same problem with PrestaShop 1.7 when I try to edit a page in the back office:

    main.bundle.js:292 GET https://www.domain.it/translations/cldr/datas/main/it-IT/numbers.json 403 (Forbidden)
    main.bundle.js:292 GET https://www.domain.it/translations/cldr/datas/main/it-IT/currencies.json 403 (Forbidden)
    main.bundle.js:292 GET https://www.domain.it/translations/cldr/datas/supplemental/likelySubtags.json 403 (Forbidden)
    main.bundle.js:292 GET https://www.domain.it/translations/cldr/datas/supplemental/currencyData.json 403 (Forbidden)
    main.bundle.js:292 GET https://www.domain.it/translations/cldr/datas/supplemental/plurals.json 403 (Forbidden)

    then the firewall bans my IP.

  • Alisa Kasyanova

    @Aniello Martuscelli
    Do you have Fail2Ban and ModSecurity enabled? This behaviour usually occurs because ModSecurity forbids access to some pages, and then Fail2Ban blocks the IP completely.
    Check the /var/www/vhosts/system/domain.it/logs/error_log and /var/log/fail2ban.log log files and adjust the ModSecurity settings if needed.

  • Aniello Martuscelli

    @Alisa Kasyanova

    Yes, I have both enabled. ModSecurity with "Atomic Basic ModSecurity".

    At the moment I can run PrestaShop 1.7 only with the standalone nginx configuration. The JSON files were loaded without 403.

    If I look at the log I can find a lot of this message:

    [Wed Oct 31 19:14:50.781634 2018] [authz_core:error] [pid 393] [client xxxxxx:50416] AH01630: client denied by server configuration: /var/www/vhosts/xxxxxx.it/httpdocs/translations/cldr/datas/supplemental/currencyData.json, referer: https://www.xxxx.it/xxxxx/index.php/product/form/1844?_token=RLm

    How can I fix this rule mod?

  • Alexandr Redikultsev

    Hi @Aniello Martuscelli.

    I would suggest checking Tools & Settings > Web Application Firewall > Logs to see what rule is actually blocking you, instead of the domain error log.

    Also, you can play around with the settings at Tools & Settings > Web Application Firewall > Settings; it might be working with 'Fast' mode even with all the rules in place.

  • Miomir Besarabic

    We have other issues with WordPress and ModSecurity where the wp-content folder isn't secured. The log shows this:

    [client 37.128.181.147] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ((?:submit(?:\\+| )?(request)?(?:\\+| )?>+|<<(?:\\+| )remove|(?:sign ?in|log ?(?:in|out)|next|modifier|envoyer|add|continue|weiter|account|results|select)?(?:\\+| )?>+)$|^< ?\\??(?: |\\+)?xml|^<samlp|^>> ?$)" against "ARGS:meta[60825][value]" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "258"] [id "33350147"] [rev "143"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potentially Untrusted Web Content Detected"] [data "/wp-admin/post.php"] [severity "CRITICAL"] [hostname "xxxxxxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "W-ad8n8AAAEAACkpD@MAAAAA"], referer: https://xxxxxxxxxxx.com/wp-admin/post.php?post=10981&action=edit

    and every time it is the same rule id "33350147".

    The ModSecurity rules are up to date, as is Plesk itself. This occurs on a few servers and for various customers.

  • Alexandr Redikultsev

    Hi @Miomir Besarabic,

    ModSecurity can sometimes trigger on WordPress plugins or editors, like described here for example: https://github.com/WordPress/gutenberg/issues/10075#issuecomment-426906600 

    I suggest checking whether or not the issue is the same with the different modes of ModSecurity (Tools & Settings > Web Application Firewall > Settings): Fast, Tradeoff and Thorough; maybe it will be working with one of these.

    In case it does not, I suggest disabling the rule as shown at the link above or as described at the following links:

    https://support.plesk.com/hc/en-us/articles/115002338253-How-to-disable-Modsecurity-rule-by-its-ID

    https://support.plesk.com/hc/en-us/articles/115002531753-How-to-disable-a-single-ModSecurity-rule-for-a-website- 
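The two 403s quoted in this thread come from different places: Aniello's `AH01630: client denied by server configuration` is Apache's own authz_core refusing a path, while Miomir's line is a ModSecurity hit with a rule id, which is the case where disabling the rule by id (as in the linked Plesk articles) applies. The following triage script is an added example, not Plesk, Atomicorp or WordPress Toolkit code; it parses both kinds of error_log line, counts hits per rule id and URI, and prints the narrowest `SecRuleRemoveById` exclusion for a recurring rule. The sample log lines are constructed from the excerpts above with placeholder hosts and addresses.

```python
import re
from collections import Counter
# Constructed sample modelled on the log excerpts quoted in this thread;
# hosts and client addresses are placeholders, not real indicators.
SAMPLE_LOG = r'''
[Wed Oct 31 19:14:50.781634 2018] [authz_core:error] [pid 393] [client 192.0.2.10:50416] AH01630: client denied by server configuration: /var/www/vhosts/example.test/httpdocs/translations/cldr/datas/supplemental/currencyData.json, referer: https://www.example.test/admin/index.php
[client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (foo)" against "ARGS:meta[60825][value]" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "258"] [id "33350147"] [rev "143"] [msg "Potentially Untrusted Web Content Detected"] [data "/wp-admin/post.php"] [severity "CRITICAL"] [hostname "example.test"] [uri "/wp-admin/post.php"] [unique_id "AAA"], referer: https://example.test/wp-admin/post.php?post=1&action=edit
[client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (foo)" against "ARGS:content" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "258"] [id "33350147"] [rev "143"] [msg "Potentially Untrusted Web Content Detected"] [data "/wp-admin/post.php"] [severity "CRITICAL"] [hostname "example.test"] [uri "/wp-admin/post.php"] [unique_id "AAB"]
'''

# ModSecurity logs its details as [key "value"] pairs; plain Apache denials carry AH01630.
MODSEC_TAG = re.compile(r'\[(\w+) "([^"]*)"\]')
AUTHZ_DENY = re.compile(r'AH01630: client denied by server configuration: ([^\s,]+)')
CLIENT = re.compile(r'\[client ([^\]:]+)')  # IPv4 form as in the thread; drops the :port

def parse_line(line):
    """Classify one error_log line as a ModSecurity or authz_core denial; None otherwise."""
    m = CLIENT.search(line)
    client_ip = m.group(1) if m else None
    if 'ModSecurity: Access denied' in line:
        f = dict(MODSEC_TAG.findall(line))
        return {'kind': 'modsecurity', 'client': client_ip, 'id': f.get('id'),
                'uri': f.get('uri'), 'msg': f.get('msg'), 'file': f.get('file')}
    m = AUTHZ_DENY.search(line)
    if m:  # Apache itself refused the path; a WAF rule exclusion would not help here
        return {'kind': 'authz_core', 'client': client_ip, 'path': m.group(1)}
    return None

def triage(log_text):
    """Return (Counter of (rule_id, uri) -> hits, list of authz_core-denied paths)."""
    rule_hits, authz_paths = Counter(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev['kind'] == 'modsecurity':
            rule_hits[(ev['id'], ev['uri'])] += 1
        elif ev:
            authz_paths.append(ev['path'])
    return rule_hits, authz_paths

def exclusion_snippet(rule_id, uri):
    """Narrowest fix for a recurring false positive: drop the rule only for that URI.
    mod_security2 accepts SecRuleRemoveById inside an Apache LocationMatch container."""
    return (f'<LocationMatch "^{re.escape(uri)}$">\n'
            f'    SecRuleRemoveById {rule_id}\n</LocationMatch>')

if __name__ == '__main__':
    hits, paths = triage(SAMPLE_LOG)
    for (rule_id, uri), n in hits.most_common():
        print(f'rule {rule_id}: {n} hits on {uri}\n{exclusion_snippet(rule_id, uri)}')
    for p in paths:
        print(f'authz_core denied {p}: check Apache access directives, not the WAF')
```

Run it against `/var/www/vhosts/system/<domain>/logs/error_log` by passing the file contents to `triage()`; a rule id that dominates the count on one admin URI is the one to scope an exclusion to, whereas authz_core paths point at directory access settings (such as the Toolkit's wp-content hardening) rather than the WAF.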
