Symptoms
-
WordPress instance was installed using WP Toolkit or from Domains > example.com > Applications
-
One of the following messages is shown when accessing different website pages in web browser, such as
readme.html,license.html,changelog.html,wp-config.phpetc.403 Forbidden
nginxForbidden
You don't have permission to access /readme.html on this server.
Apache Server at example.com Port 80 - The following error is being output to /var/www/vhosts/system/example.com/logs/error_log:
[Mon Dec 19 16:10:01.758907 2022] [authz_core:error] [pid 1912909:tid 140615702517312] [client 203.0.113.2:0] AH01630: client denied by server configuration: /var/www/vhosts/example.com/httpdocs/README.html
-
Vhost configuration files for the affected domain contain the following lines:
-
For Nginx:
/var/www/vhosts/system/example.com/conf/nginx.conf#extension wp-toolkit begin
...
location ~* "(?:wp-config.bak|.wp-config.php.swp|(?:readme|license|changelog|-config|-sample).(?:php|md|txt|htm|html))" {
return 403;
}
... -
For Apache:
/var/www/vhosts/system/example.com/conf/httpd.conf...
<LocationMatch "(?i:(?:wp-config.bak|.wp-config.php.swp|(?:readme|license|changelog|-config|-sample).(?:php|md|txt|htm|html)))">
Order allow,deny
Deny from all
</LocationMatch>
...
-
Cause
Additional directives are added by the Security Measure Block access to sensitive files that is enabled automatically when WordPress is installed via Plesk.
Resolution
Such behaviour is expected - the Nginx and Apache rules are automatically added into virtual host configuration files to improve the security of the WordPress sites.
In order to disable these directives, perform the following steps:
Warning: Executing the below instructions will reduce WordPress security and mark the status as Danger on the WP Toolkit
-
Navigate to WordPress > example.com.
-
Click View near the Security Status:
-
Select the Security Measure Block access to sensitive files and click Revert:
