
Wordpress 403 forbidden

Discussion in 'Blogs & CMS usage' started by Megaplex21, Oct 1, 2016.

  1. Megaplex21

    Megaplex21 New Member

    Hello, I want to upload a logo in my wp-admin but it shows 403 Forbidden. What should I do? Also my theme does not load fully because some files get the message "Failed to load resource: the server responded with a status of 403 (Forbidden)". I checked this with Inspect Element in Chrome.

     
  2. eva2000

    eva2000 Administrator Staff Member

    1. How did you install WordPress?
    2. Which WordPress plugin does the URL or PHP file belong to?
    3. Which Centmin Mod version, 123.08stable or 123.09beta01?
    4. Was it via centmin.sh menu option 22 auto installer, Wordpress Nginx Auto Installer (WP Super Cache)? If so, the default wpsecure conf file at /usr/local/nginx/conf/wpsecure_${vhostname}.conf, where vhostname is your domain name, blocks PHP scripts from executing in wp-content for security.
    In the links below you can see examples of setting up specific WordPress location matches to punch a hole in the wpsecure blocking and whitelist specific PHP files that need to be able to run.
    What is the exact URL path to your theme directory? And the errors in detail?
     
  3. Megaplex21

    Megaplex21 New Member

    Yes, I use Centmin Mod version 123.08stable. Yes, I installed via the centmin.sh menu option 22 auto installer. I found the conf file in /usr/local/nginx/conf/wpsecure_${vhostname}.conf. What should I do?
     
  4. eva2000

    eva2000 Administrator Staff Member

    What is the exact URL path to your theme directory? And the errors in detail?

    It may be that your path is caught in one of the defined wpsecure_*.conf location matches and you need to break it out by whitelisting, adding a location match for your theme.

    In the links below you can see examples of setting up specific WordPress location matches to punch a hole in the wpsecure blocking and whitelist specific PHP files that need to be able to run.
     
  5. Megaplex21

    Megaplex21 New Member

    My theme directory is here: /home/nginx/domains/mydomain.com/public/wp-content/themes/

    Error log:
    Code:
    2016/09/28 01:27:56 [error] 5627#0: *88 access forbidden by rule, client: 96.9.72.211, server: bioskopbokep.com, request: "GET /wp-content/themes/novavideo/css/small.php?responsive=yes&ver=4.6.1 HTTP/1.1", host: "bioskopbokep.com", referrer: "http://bioskopbokep.com/"
    2016/09/28 01:27:56 [error] 5627#0: *85 access forbidden by rule, client: 96.9.72.211, server: bioskopbokep.com, request: "GET /wp-content/themes/novavideo/css/horizontal.php?responsive=yes&ver=4.6.1 HTTP/1.1", host: "bioskopbokep.com", referrer: "http://bioskopbokep.com/"
    2016/09/28 01:27:56 [error] 5627#0: *88 access forbidden by rule, client: 96.9.72.211, server: bioskopbokep.com, request: "GET /wp-content/themes/novavideo/css/colors.php?color=bd1515&ver=4.6.1 HTTP/1.1", host: "bioskopbokep.com", referrer: "http://bioskopbokep.com/"
    
     
  6. eva2000

    eva2000 Administrator Staff Member

    So just add, at the very top of your wpsecure_*.conf include file for your domain, a whitelisted location allowing PHP to be processed in your specific theme directory:
    Code (Text):
    # Whitelist Exception for wp-content/themes/themename
    location ~ ^/wp-content/themes/themename {
      include /usr/local/nginx/conf/php.conf;
    }
    

    Then restart nginx and PHP:
    Code (Text):
    nprestart

    Basically you break the wp-content/themes/themename directory out of the default deny all rule further down in wpsecure_*.conf by positioning this location context above and before it.

    The php.conf include file allows PHP files to be processed in that specified location path.
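The ordering point above, as an added example that is not Centmin Mod's or eva2000's code: nginx tests regex locations in the order they appear and the first match wins, so the same whitelist block either allows or blocks the theme's PHP files depending on whether it sits above or below the deny rules. The narrower `WHITELIST_THEME_CSS` pattern is an assumption of this example (it covers only the css/*.php files seen in the error log), added to show that a smaller hole keeps other PHP in the theme directory blocked.

```python
import re

# Location table modelled on the wpsecure_*.conf posted in this thread:
# (modifier, regex, label). `~` is case-sensitive, `~*` is case-insensitive.
WHITELIST_THEME = ("~", r"^/wp-content/themes/novavideo/", "whitelist_theme")
# Narrower alternative (assumption, not from the thread): only css/<name>.php,
# so any other PHP file dropped into the theme directory stays blocked.
WHITELIST_THEME_CSS = ("~", r"^/wp-content/themes/novavideo/css/[a-z]+\.php$",
                       "whitelist_theme_css")
DENY_ARCHIVES = ("~*", r"^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$", "deny_archives")
DENY_UPLOADS_PHP = ("~*", r"/(?:uploads|files)/.*\.php$", "deny_uploads_php")
DENY_CONTENT_PHP = ("~*", r"/wp-content/.*\.php$", "deny_content_php")

DENY_RULES = [DENY_ARCHIVES, DENY_UPLOADS_PHP, DENY_CONTENT_PHP]


def match_location(locations, uri):
    """Return the label of the first regex location that matches `uri`.
    Returns 'no_match' when none applies (nginx would then fall back to the
    prefix location, `location /`, in the vhost)."""
    path = uri.split("?", 1)[0]          # nginx matches $uri only, never the query string
    for modifier, pattern, label in locations:
        flags = re.IGNORECASE if modifier == "~*" else 0
        if re.search(pattern, path, flags):
            return label
    return "no_match"


def is_php_allowed(locations, uri):
    """True when the request lands in a whitelist block, i.e. php.conf is included."""
    return match_location(locations, uri).startswith("whitelist")


# Request URIs: the first is from the error log quoted above, the rest are constructed.
THEME_CSS_PHP = "/wp-content/themes/novavideo/css/small.php?responsive=yes&ver=4.6.1"
THEME_OTHER_PHP = "/wp-content/themes/novavideo/other.php"      # constructed
UPLOAD_PHP = "/wp-content/uploads/2016/09/file.php"              # constructed
UPPERCASE_PATH = "/WP-CONTENT/themes/novavideo/css/small.php"    # constructed

if __name__ == "__main__":
    tables = [("whitelist above deny", [WHITELIST_THEME] + DENY_RULES),
              ("whitelist below deny", DENY_RULES + [WHITELIST_THEME]),
              ("narrow whitelist above deny", [WHITELIST_THEME_CSS] + DENY_RULES)]
    for name, table in tables:
        print(name)
        for uri in (THEME_CSS_PHP, THEME_OTHER_PHP, UPLOAD_PHP, UPPERCASE_PATH):
            print(f"  {uri:<62} -> {match_location(table, uri)}")
```

The uppercase request shows a subtlety of the posted file: the `~` whitelist is case-sensitive while the `~*` deny rules are not, so a differently-cased path never reaches php.conf.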
     
  7. Megaplex21

    Megaplex21 New Member

    I added this code
    Code:
    # Whitelist Exception for wp-content/themes/
    location ~ ^/wp-content/themes/ {
      include /usr/local/nginx/conf/php.conf;
    }
    to the very top of my wpsecure_*.conf file, and then I restarted with "nprestart". The result is that my WordPress is gone; I can't access it, it shows the Centmin Mod test page.
    I tried wp-login.php and it shows 404 Not Found.
     
  8. eva2000

    eva2000 Administrator Staff Member

  9. Megaplex21

    Megaplex21 New Member

    Code:
    # Whitelist Exception for wp-content/themes/
    location ~ ^/wp-content/themes/novavideo/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # prevent .zip, .gz, .tar, .bzip2 files from being accessed by default
    # impossible for centmin mod to know which wp backup plugins they installed
    # which may save backups to directories in wp-content/
    # such plugins may deploy .htaccess protection but that isn't supported installed
    # nginx, so blocking access to these extensions is a workaround to cover all bases
    location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$ { deny all; }
    
    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    location ~ ^/wp-content/updraft { deny all; }
    
    location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/theme-check/
    location ~ ^/wp-content/plugins/theme-check/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/woocommerce/
    location ~ ^/wp-content/plugins/woocommerce/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/woocommerce-csvimport/
    location ~ ^/wp-content/plugins/woocommerce-csvimport/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/advanced-custom-fields/
    location ~ ^/wp-content/plugins/advanced-custom-fields/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/contact-form-7/
    location ~ ^/wp-content/plugins/contact-form-7/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/duplicator/
    location ~ ^/wp-content/plugins/duplicator/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/jetpack/
    location ~ ^/wp-content/plugins/jetpack/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/nextgen-gallery/
    location ~ ^/wp-content/plugins/nextgen-gallery/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/tinymce-advanced/
    location ~ ^/wp-content/plugins/tinymce-advanced/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/updraftplus/
    location ~ ^/wp-content/plugins/updraftplus/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/wordpress-importer/
    location ~ ^/wp-content/plugins/wordpress-importer/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/wordpress-seo/
    location ~ ^/wp-content/plugins/wordpress-seo/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/wpclef/
    location ~ ^/wp-content/plugins/wpclef/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/mailchimp-for-wp/
    location ~ ^/wp-content/plugins/mailchimp-for-wp/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/wp-optimize/
    location ~ ^/wp-content/plugins/wp-optimize/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/si-contact-form/
    location ~ ^/wp-content/plugins/si-contact-form/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/akismet/
    location ~ ^/wp-content/plugins/akismet/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/bbpress/
    location ~ ^/wp-content/plugins/bbpress/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/buddypress/
    location ~ ^/wp-content/plugins/buddypress/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/all-in-one-seo-pack/
    location ~ ^/wp-content/plugins/all-in-one-seo-pack/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/google-analytics-for-wordpress/
    location ~ ^/wp-content/plugins/google-analytics-for-wordpress/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/regenerate-thumbnails/
    location ~ ^/wp-content/plugins/regenerate-thumbnails/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/wp-pagenavi/
    location ~ ^/wp-content/plugins/wp-pagenavi/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/wordfence/
    location ~ ^/wp-content/plugins/wordfence/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/really-simple-captcha/
    location ~ ^/wp-content/plugins/really-simple-captcha/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/wp-pagenavi/
    location ~ ^/wp-content/plugins/wp-pagenavi/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/ml-slider/
    location ~ ^/wp-content/plugins/ml-slider/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/black-studio-tinymce-widget/
    location ~ ^/wp-content/plugins/black-studio-tinymce-widget/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/disable-comments/
    location ~ ^/wp-content/plugins/disable-comments/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/better-wp-security/
    location ~ ^/wp-content/plugins/better-wp-security/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for http://wlmsocial.com/
    location ~ ^/wp-content/plugins/wlm-social/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for mediagrid timthumb
    location ~ ^/wp-content/plugins/media-grid/classes/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Block PHP files in content directory.
    location ~* /wp-content/.*\.php$ {
      deny all;
    }
    
    # Block PHP files in includes directory.
    location ~* /wp-includes/.*\.php$ {
      deny all;
    }
    
    # Block PHP files in uploads, content, and includes directory.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
      deny all;
    }
    
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
    return 444;
    }
    
    #nocgi
    location ~* \.(pl|cgi|py|sh|lua)$ {
    return 444;
    }
    
    #disallow
    location ~* (w00tw00t) {
    return 444;
    }
    
    location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }
    
     
  10. eva2000

    eva2000 Administrator Staff Member

    Looks right, so it shouldn't cause any WordPress redirects to the main hostname vhost index page.

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22, or via the /usr/bin/nv command line, the Nginx vhost files and directories are created. The output tells you the path where the domain name's vhost conf file, named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL), is created:
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and, if applicable, /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags).

    Also, what do your /usr/local/nginx/conf/conf.d/virtual.conf and /usr/local/nginx/conf/conf.d/yourdomain.com.conf contents look like? Make sure the virtual.conf main hostname's server_name isn't the same as any added nginx vhost site's domain name, as per Getting Started Guide step 1; the main hostname needs to be unique.
     
  11. Megaplex21

    Megaplex21 New Member

    I used option 22, so the database and user were created by the system.
    This is the code from /usr/local/nginx/conf/conf.d/mydomain.com.conf
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name bioskopbokep.com;
    #            return 301 $scheme://www.bioskopbokep.com$request_uri;
    #       }
    
    server {
      listen 80;
      server_name www.bioskopbokep.com;
      return 301 $scheme://bioskopbokep.com$request_uri;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/bioskopbokep.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/bioskopbokep.com/log/error.log;
    
      root /home/nginx/domains/bioskopbokep.com/public;
    
      include /usr/local/nginx/conf/wpsupercache_bioskopbokep.com.conf;   
    
      location / {
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args; 
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/bioskopbokep.com/htpasswd_wplogin;   
        include /usr/local/nginx/conf/php-wpsc.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    }
    
      include /usr/local/nginx/conf/wpsecure_bioskopbokep.com.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    I'm not using SSL, and this one is from /usr/local/nginx/conf/conf.d/virtual.conf
    Code:
    server {
    #         listen   80;
                listen   80 default_server backlog=2048;
                server_name BB;
                root   html;
    
            access_log              /var/log/nginx/localhost.access.log     main buffer=256k flush=5m;
            error_log               /var/log/nginx/localhost.error.log      error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
            location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #         Enables directory listings when index file not found
    #        autoindex  on;
    
    #        Shows file listing times as local time
    #        autoindex_localtime on;
    
    #        Enable for vBulletin usage WITHOUT vbSEO installed
    #        try_files        $uri $uri/ /index.php;
                
                }
    
            # example nginx-http-concat
            # /csstest/??one.css,two.css
            #location /csstest {
            #concat on;
            #concat_max_files 20;
            #}
    
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_mainserver.conf;
    
           }
     
  12. eva2000

    eva2000 Administrator Staff Member

    There's your problem: you are missing the non-www version in server_name. You redirect to non-www via a 301 redirect, but your vhost doesn't process non-www, so it goes to the main vhost.

    change
    Code (Text):
      server_name www.bioskopbokep.com;
      return 301 $scheme://bioskopbokep.com$request_uri;

    to
    Code (Text):
      server_name bioskopbokep.com www.bioskopbokep.com;
      return 301 $scheme://bioskopbokep.com$request_uri;
     
  13. Megaplex21

    Megaplex21 New Member

    The bioskopbokep.com page isn’t working
    bioskopbokep.com redirected you too many times.



    That's what my browser showed. I already cleared cookies and changed to a different browser, but same result.
     
  14. eva2000

    eva2000 Administrator Staff Member

    Whoops, sorry, I should have enabled your redirect server context.

    You should change
    Code (Text):
    #server {
    #            listen   80;
    #            server_name bioskopbokep.com;
    #            return 301 $scheme://www.bioskopbokep.com$request_uri;
    #       }
    
    server {
      listen 80;
      server_name www.bioskopbokep.com;
      return 301 $scheme://bioskopbokep.com$request_uri;
    

    to
    Code (Text):
    server {
                listen   80;
                server_name www.bioskopbokep.com;
                return 301 $scheme://bioskopbokep.com$request_uri;
           }
    
    server {
      listen 80;
      server_name bioskopbokep.com;
    

    That tells nginx to redirect www to non-www and then serve non-www.
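The three vhost layouts discussed in this thread (the original post, the first suggested server_name change, and the corrected redirect block), as an added example that is not Centmin Mod's or eva2000's code. It models nginx's server selection (exact server_name match, otherwise the `default_server` block from virtual.conf, whose server_name is BB and whose root holds only the test page) and follows each `return 301` the way a browser does, which shows why the first layout lands on the test page, the second loops, and the third serves the site.

```python
def server_block(names, redirect_to=None):
    """names: the server_name entries; redirect_to: host of a `return 301`, or None to serve."""
    return {"names": tuple(names), "redirect_to": redirect_to}


MAIN_HOSTNAME = server_block(["BB"])   # virtual.conf: listen 80 default_server

# Config 1: the vhost as originally posted. www redirects to non-www, but no block
# carries server_name bioskopbokep.com, so non-www requests fall to default_server
# (the Centmin Mod test page, where /wp-login.php does not exist: 404).
ORIGINAL = [server_block(["www.bioskopbokep.com"], redirect_to="bioskopbokep.com")]

# Config 2: the first suggested fix. The redirecting block now also answers for
# non-www, so it redirects to itself ("redirected you too many times").
FIRST_FIX = [server_block(["bioskopbokep.com", "www.bioskopbokep.com"],
                          redirect_to="bioskopbokep.com")]

# Config 3: the corrected layout. One block only redirects www, a second serves non-www.
CORRECTED = [server_block(["www.bioskopbokep.com"], redirect_to="bioskopbokep.com"),
             server_block(["bioskopbokep.com"])]


def select_server(servers, host):
    """First block whose server_name list contains the Host header, else default_server."""
    for block in servers:
        if host in block["names"]:
            return block
    return MAIN_HOSTNAME


def follow(servers, host, max_redirects=5):
    """Walk the redirect chain like a browser and report where it ends:
    ("served_by", name), ("redirect_loop", host) or ("too_many_redirects", host)."""
    visited = []
    for _ in range(max_redirects + 1):
        if host in visited:
            return ("redirect_loop", host)
        visited.append(host)
        block = select_server(servers, host)
        if block["redirect_to"] is None:
            return ("served_by", block["names"][0])
        host = block["redirect_to"]
    return ("too_many_redirects", host)


if __name__ == "__main__":
    for label, servers in (("original", ORIGINAL), ("first fix", FIRST_FIX),
                           ("corrected", CORRECTED)):
        for host in ("www.bioskopbokep.com", "bioskopbokep.com"):
            print(f"{label:<10} {host:<24} -> {follow(servers, host)}")
```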
     
  15. Megaplex21

    Megaplex21 New Member

    eva, you're my idol. Help me with one more question: does Centmin Mod not have robots.txt and .htaccess?
     
  16. eva2000

    eva2000 Administrator Staff Member

    nginx doesn't support .htaccess; it uses nginx rewrite rules that you add yourself to the nginx vhost file.

    As to robots.txt, that is something you add to your site web root as required for your web app/site.