WordPress Social login plugin trouble

Discussion in 'Blogs & CMS usage' started by redbird, Dec 11, 2015.

  1. redbird

    redbird Member

    90
    15
    8
    Aug 28, 2015
    Web
    Ratings:
    +25
    Local Time:
    3:09 PM
    Installed wp via option 22.

    Tried to install social login plugin WishList Member Social Login and Registration | WLM Social and just can't make it work.
    Contacted the developer. Here is what he is saying:

    ------------------------------------------
    I was just about to reply to you. After hours of researching and testing we discovered that it is your server security that doesn’t allow for some of the social networks to post back to your site and this is why the plugin is not working for you. Unfortunately, this is not in the realm of our support and we cannot help you out.

    Here is a link that you can use as an example: http://www.mydomain.com/wp-content/plugins/wlm-social/hybridauth/?hauth.done=Google
    This link needs to be hit back by Google’s API so that we can authenticate the user to your site. Instead we get a 403 Access Denied by nginx.
    ---------------------------------------------------


    Can someone please advise how I should tweak the nginx conf file?


    Thank you.
     
  2. redbird

    also just tried to update wp to 4.4 without luck via wp admin dashboard. wtf?
     
  3. redbird

    Never mind it was the cache + nginx and php-fpm needed to be restarted.
     
  4. eva2000

    eva2000 Administrator Staff Member

    54,857
    12,238
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,809
    Local Time:
    3:09 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    can you post contents of your /usr/local/nginx/conf/wpsecure_${vhostname}.conf where ${vhostname} is your domain.com name in CODE tags

    nothing in the /usr/local/nginx/conf/wpsecure_${vhostname}.conf though should block non-php requests
     
  5. redbird

    Code:
    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
    }
    
    # Block PHP files in content directory.
    location ~* /wp-content/.*\.php$ {
      deny all;
    }
    
    # Block PHP files in includes directory.
    location ~* /wp-includes/.*\.php$ {
      deny all;
    }
    
    # Block PHP files in uploads, content, and includes directory.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
      deny all;
    }
    
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
    return 444;
    }
    
    #nocgi
    location ~* \.(pl|cgi|py|sh|lua)$ {
    return 444;
    }
    
    #disallow
    location ~* (w00tw00t) {
    return 444;
    }
    
    location ~ /(\.|wp-config\.php|wp-config\.txt|readme\.html|license\.txt) { deny all; }
    
     
  6. redbird

  7. eva2000

    none of those restrictions should block non-php requests but try commenting out
    Code:
    # Block PHP files in content directory.
    location ~* /wp-content/.*\.php$ {
      deny all;
    }
    and restart nginx and see
     
  8. eva2000

    also check directory permissions too
    Code:
    ls -lah wp-content
    ls -lah /path/to/plugins/wlm-social/
     
  9. redbird

    Tried the above even before you suggested but still no luck ((

    permissions are 750 for wp-content and 755 for wlm-social
    Tried changing 750 to 755 still getting 403 (((
     
  10. eva2000

    what about user:group ownership ? nginx:nginx or root:root ?

    if it isn't permissions, you might have another deny all or return 403 setting in your domain vhost conf file; you can try searching for them all using these commands
    Code:
    egrep -Rn '403|deny all' -C3 /usr/local/nginx/conf/conf.d/domain.com.conf
    
    Code:
    egrep -Rn '403|deny all' -C3 /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    
     
  11. redbird

    Found this in both, should I comment it?

    Code:
    # prevent access to ./directories and files
    location ~ (?:^|/)\. {
    deny all;
    }
    
     
  12. eva2000

    yes, comment it out; it was commented out in more recent code, so you might have older code
     
  13. redbird

    Ok, I commented it out, but it did not change anything.

    And only when I commented the following in wpsecure_domain.com.conf it worked:

    Code:
    # Block PHP files in content directory.
    # location ~* /wp-content/.*\.php$ {
    #  deny all;
    # }
    
    # Block PHP files in uploads, content, and includes directory.
    # location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
    #  deny all;
    # }
    Now, the question is how safe is it to keep it commented out?
     
  14. eva2000

    in that case just keep this one enabled
    Code:
    # Block PHP files in uploads, content, and includes directory.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
      deny all;
    }
    and add to wpsecure_domain.com.conf an exclusion for your specific directory for /wp-content/plugins/wlm-social or /wp-content/plugins/wlm-social/hybridauth/ (which is better and more specific if that works)
    Code:
    location ~ ^/wp-content/plugins/wlm-social/hybridauth/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
     
  15. redbird

    Tried to uncomment the one you mentioned and add your suggested code for exclusion (both variants) - 403 error comes back (.
     
  16. eva2000

    which position did you place the new location context? make sure it's before the other one

    Code:
    location ~ ^/wp-content/plugins/wlm-social/hybridauth/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Block PHP files in uploads, content, and includes directory.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
      deny all;
    }
    
    or if you need access above /hybridauth

    Code:
    location ~ ^/wp-content/plugins/wlm-social/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Block PHP files in uploads, content, and includes directory.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
      deny all;
    }
    
    then double check access log for 403s and where they're coming from
     
  17. redbird

    Finally working. Thanks a lot man for your prompt support.

    You and centminmod are the best ;)
     
  18. eva2000

    great to hear :)
     
  19. ethanpil

    ethanpil Active Member

    173
    55
    28
    Nov 8, 2015
    Ratings:
    +101
    Local Time:
    3:09 PM
    Per an issue I had in another thread, I had to put the exception near the top of the file for it to work, not above the section referenced in the above posts. I am running the .09 beta at this time. My wpsecure_domain.com.conf now looks like below. The new section is commented with #Exception for timthumb

    Code:
    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
    }
    
    #Exception for mediagrid timthumb
    location ~ ^/wp-content/plugins/media-grid/classes/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Block PHP files in content directory.
    location ~* /wp-content/.*\.php$ {
      deny all;
    }
    
    # Block PHP files in includes directory.
    location ~* /wp-includes/.*\.php$ {
      deny all;
    }
    
    # Block PHP files in uploads, content, and includes directory.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
      deny all;
    }
    
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
    return 444;
    }
    
    #nocgi
    location ~* \.(pl|cgi|py|sh|lua)$ {
    return 444;
    }
    
    #disallow
    location ~* (w00tw00t) {
    return 444;
    }
    
    location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }
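
Added example (not part of the thread and not Centmin Mod code): a small Python model of why the placement discussed in posts 16 and 19 matters. nginx tests regex locations in config order and the first match wins, so an exception only helps if it sits above every deny rule that also matches. The helper name, the `index.php` callback target and the `other-plugin` path are assumptions made for illustration.

```python
import re

# Simplified model: nginx tests regex locations ("~", "~*") in config order and
# the first match handles the request. Exact and prefix locations are ignored.
LOCATION_RE = re.compile(r'^[ \t]*location\s+(~\*?)\s+(\S+)\s*\{([^}]*)\}', re.M)

def first_match(conf, uri):
    """Return (pattern, action) of the first uncommented regex location matching uri."""
    for mod, pat, body in LOCATION_RE.findall(conf):
        if re.search(pat, uri, re.I if mod == '~*' else 0):
            if 'deny all' in body or re.search(r'return\s+4\d\d', body):
                return pat, 'blocked'
            return pat, ('php' if 'php.conf' in body else 'other')
    return None, 'no regex match'

# Rules copied from the thread; the orderings built from them are constructed.
DENY_CONTENT = r'''
location ~* /wp-content/.*\.php$ {
  deny all;
}
'''
DENY_COMBINED = r'''
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
  deny all;
}
'''
EXCEPTION = r'''
location ~ ^/wp-content/plugins/wlm-social/hybridauth/ {
  include /usr/local/nginx/conf/php.conf;
}
'''
SHADOWED = DENY_CONTENT + EXCEPTION + DENY_COMBINED  # exception below a matching deny
FIXED = EXCEPTION + DENY_CONTENT + DENY_COMBINED     # exception above every deny

# Assumption: the directory URL quoted in post 1 is served by its index.php.
CALLBACK = '/wp-content/plugins/wlm-social/hybridauth/index.php'
OTHER_PLUGIN = '/wp-content/plugins/other-plugin/file.php'  # hypothetical path

if __name__ == '__main__':
    for name, conf in (('shadowed', SHADOWED), ('fixed', FIXED)):
        for uri in (CALLBACK, OTHER_PLUGIN):
            print(name, uri, first_match(conf, uri))
```

In the fixed ordering every URI under `hybridauth/` is handed to `php.conf`, so the narrower of the two exceptions in post 16 leaves less of `wp-content` reachable as PHP.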