Symptoms
-
WordPress instance was installed using WordPress Toolkit or from Domains > example.com > Applications
-
One of the following messages is shown when accessing different website pages in web browser, such as
readme.html,license.html,changelog.html,wp-config.phpetc.403 Forbidden
nginxForbidden
You don't have permission to access /readme.html on this server.
Apache Server at example.com Port 80 -
Vhost configuration files for the affected domain contain the following lines:
-
For Nginx:
/var/www/vhosts/system/example.com/conf/nginx.conf#extension wp-toolkit begin
...
location ~* "(?:wp-config.bak|.wp-config.php.swp|(?:readme|license|changelog|-config|-sample).(?:php|md|txt|htm|html))" {
return 403;
}
... -
For Apache:
/var/www/vhosts/system/example.com/conf/httpd.conf...
<LocationMatch "(?i:(?:wp-config.bak|.wp-config.php.swp|(?:readme|license|changelog|-config|-sample).(?:php|md|txt|htm|html)))">
Order allow,deny
Deny from all
</LocationMatch>
...
-
Cause
Additional directives are added by the Security Measure Block access to sensitive files that is enabled automatically when WordPress is installed via Plesk.
Resolution
Such behaviour is expected – the Nginx and Apache rules are automatically added into virtual host configuration files to improve the security of the WordPress sites.
In order to disable these directives, perform the following steps:
Warning: Executing the below instructions will reduce WordPress security and mark the status as Danger on the WordPress Toolkit
-
Navigate to WordPress > example.com.
-
Click View near the Security Status:
-
Select the Security Measure Block access to sensitive files and click Revert:
