
Wordpress How To Whitelist single PHP file

Discussion in 'Blogs & CMS usage' started by ivanc82, Nov 13, 2020.

  1. ivanc82

    ivanc82 New Member

    Dec 1, 2015
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: i.e. 1.19.4
    • PHP Version Installed: 7.4.12
    • MariaDB MySQL Version Installed: 10.2.xx
    • When was last time updated Centmin Mod code base ? : cmupdate command
    • Persistent Config: No
    Hi, how do I whitelist a template PHP folder/file? Currently Nginx is returning a 403 error for some of the files in the folder...

    e.g. /wp-content/themes/templatename/templates/filename.php

  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Centmin Mod values security and puts additional measures in place so that end users are also mindful of security. So in your case, you might need to whitelist or unblock the WP plugins related to your 403 permission denied messages.

    If you used menu option 22 auto installer Wordpress Nginx Auto Installer, the default wpsecure conf file at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf, where vhostname is your domain name, blocks php scripts from executing in wp-content for security.

    In the links below you can see examples of setting up specific wordpress location matches to punch a hole in the wpsecure blocking to whitelist specific php files that need to be able to run.

    If on Centmin Mod 123.09beta01, you may have run into the new tools/ cronjob feature outlined at Beta Branch - - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how may have caught some folks' web apps falsely and the workarounds or improvements made to with the help of users' feedback and troubleshooting.
    Check if your nginx vhost at either or both /usr/local/nginx/conf/conf.d/ and/or /usr/local/nginx/conf/conf.d/ has an include file for autoprotect, for example:
    Code (Text):
    include /usr/local/nginx/conf/autoprotect/;

    See if your directory for the script which has issues is caught in an autoprotect include entry in /usr/local/nginx/conf/autoprotect/ which has a deny all entry:
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/

    Code (Text):
    # /home/nginx/domains/
    location ~* ^/subdirectory/js/ { allow; deny all; }

    If caught, you can whitelist it with an autoprotect bypass .autoprotect-bypass file - details below here. So if the problem js file is at then it is likely /subdirectory/js has a .htaccess with deny all in it - make sure that directory is meant to be publicly accessible by contacting the author of the script and, if so, you can whitelist it and re-run the autoprotect script to regenerate your /usr/local/nginx/conf/autoprotect/ include file:
    Code (Text):
    cd /home/nginx/domains/
    touch .autoprotect-bypass

    It may be that you also need to whitelist /subdirectory; then it would be as follows, creating bypass files at /home/nginx/domains/ and /home/nginx/domains/
    Code (Text):
    cd /home/nginx/domains/
    touch .autoprotect-bypass
    cd /home/nginx/domains/
    touch .autoprotect-bypass

    Then double check that the updated /usr/local/nginx/conf/autoprotect/ include file no longer shows an entry for /subdirectory/js.
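
To review the result of the bypass steps above, this added example (not Centmin Mod code and not part of eva2000's post) lists every directory that holds a `.autoprotect-bypass` file, flags the ones whose own `.htaccess` still says "deny from all", and notes where the autoprotect include has not yet been regenerated. The function name `audit_bypass`, the status labels and the sample tree are assumptions made for illustration; pass your own webroot and autoprotect include file as arguments.

```shell
#!/usr/bin/env bash
# Added example, not Centmin Mod code. The webroot and include-file paths are
# arguments because they are site specific.

# audit_bypass WEBROOT AUTOPROTECT_INCLUDE
# One line per directory that holds a .autoprotect-bypass file:
#   OVERRIDES-DENY  the directory's own .htaccess says "deny from all", so the
#                   bypass re-exposes something the script author blocked
#   NO-DENY-FOUND   no such .htaccess rule; the bypass may be a leftover
#   STILL-BLOCKED   (suffix) the include still has a location entry for the
#                   directory, i.e. it has not been regenerated yet
audit_bypass() {
  local webroot="${1%/}" include="$2" f dir uri status
  find "$webroot" -type f -name .autoprotect-bypass | sort |
  while IFS= read -r f; do
    dir=${f%/*}
    uri=${dir#"$webroot"}/
    if grep -qiE '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' \
         "$dir/.htaccess" 2>/dev/null; then
      status=OVERRIDES-DENY
    else
      status=NO-DENY-FOUND
    fi
    # Generated entries look like: location ~* ^/subdirectory/js/ { ... }
    if grep -qF -- "^${uri} " "$include" 2>/dev/null; then
      status="$status,STILL-BLOCKED"
    fi
    printf '%s %s\n' "$status" "$uri"
  done
}

# Constructed sample tree and include file (not real site data).
make_sample() {
  local t; t=$(mktemp -d)
  mkdir -p "$t/public/subdirectory/js" "$t/public/uploads"
  printf 'Deny from all\n' > "$t/public/subdirectory/js/.htaccess"
  touch "$t/public/subdirectory/js/.autoprotect-bypass" \
        "$t/public/uploads/.autoprotect-bypass"
  printf 'location ~* ^/subdirectory/js/ { deny all; }\n' > "$t/autoprotect.conf"
  printf '%s\n' "$t"
}

sample=$(make_sample)
audit_bypass "$sample/public" "$sample/autoprotect.conf"
rm -rf "$sample"
```

Each `OVERRIDES-DENY` line is a directory to confirm with the script's author as safe to serve publicly, and a `STILL-BLOCKED` suffix means the include file predates the bypass file.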