Knowledge Base

Unable to edit posts or use plugin dashboard in WordPress dashboard after applying security measures by Plesk WP Toolkit

 
apacheapplications extensionsdomainshttphttps

Symptoms

  • The security measure Security of the wp-content folder is applied for the WordPress instance at Domains > example.com> WordPress > select a WordPress instance in question > Security Status (Check Security in older WP Toolkit versions).

  • When using a 3rd-party editor (e.g. TinyMCE Advanced or Elementor) in WordPress dashboard, the editor’s interface is not fully loaded or it is not possible to edit posts. The following error is thrown in a browser:

    PLESK_INFO: Forbidden
    You don’t have permission to access /web/wp-includes/js/tinymce/wp-tinymce.php on this server.

    In some cases, the “403 Forbidden nginx” error is shown after clicking Update/Publish/etc.

  • One of the following error messages appears:

    • in the domain’s proxy_error_log file /var/www/vhosts/example.com/logs/proxy_error_log:

      [error] 23560#0: *5116 access forbidden by rule, client: 203.0.113.2, server: example.com, request: "GET /wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=4607-20171116-tadv-4.6.7 HTTP/2.0", host: "example.com", referrer: "https://example.com/wp-admin/post.php?post=198&action=edit"

    • in the domain’s error_log file /var/www/vhosts/system/example.com/logs/error_log:

      [error] [client 203.0.113.2] client denied by server configuration: /var/www/vhosts/example.com/web/wp-includes/js/tinymce/wp-tinymce.php
       [error] [client 203.0.113.2] client denied by server configuration: /var/www/vhosts/example.com/web/wp-includes/js/tinymce/wp-tinymce.php

Cause

This is a WP Toolkit bug with ID EXTWPTOOLK-1102 which was fixed in the WP Toolkit 3.5.0 version

Resolution

Update WP Toolkit extension to the latest version.

In case update is not possible, apply one of the following solutions:

Workaround 1: Exclude the sub-directory /wp-content/plugins/

  1. Log in to Plesk

  2. Go to Domains > example.com > Apache & nginx settings and add the following directives to the Additional nginx directives field:

    location ~* wp-config.php { deny all; }
     location ~* "^/wp-content/(?!plugins/).*.php" { deny all; }
  3. Check if the issue has gone. If plugin operability is still broken, revert the changes and apply the solution below.

Workaround 2: Revert the security measure

  1. Log in to Plesk

  2. Go to Domains > example.com > WordPress > select a WordPress instance in question > Security Status (Check Security in older WP Toolkit versions).

  3. Select Security of the wp-content folder and click Revert (Roll Back in older WP Toolkit versions).

    Note: If a WordPress plugin still fails to work correctly, additionally revert the security measure Security of the wp-includes folder.

    Screenshot_2018-10-04_Plesk_Onyx_17_8_11.png

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2023 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with love with Plesk WP Toolkit

Plesk uses LiveChat system (3rd party).

By proceeding below, I hereby agree to use LiveChat as an external third party technology. This may involve a transfer of my personal data (e.g. IP Address) to third parties in- or outside of Europe. For more information, please see our Privacy Policy.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt