Welcome to Centmin Mod Community
Become a Member

Wordpress Unable to access WP-Admin

Discussion in 'Blogs & CMS usage' started by KlueMaster, Aug 5, 2017.

  1. KlueMaster

    KlueMaster New Member

    13
    3
    3
    Aug 5, 2017
    Ratings:
    +3
    Local Time:
    9:44 PM
    MariaDB 10
    Hi,

    I've recently moved a site from pressable to a new CMM install by the means of file-copy and database upload. Front-end is working alright, however, I'm unable to access /wp-admin, with the error: Sorry, you are not allowed to access this page.

    Following the usual advice, I renamed the plugins folder to plugins-bak and tested, but still faced the same issue. I've reverted the folder to its original name.

    What could be the reason for this? Could anyone help?

    Thanks,
    Gaurav
     
  2. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,573
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,755
    Local Time:
    2:14 AM
    Nginx 1.13.x
    MariaDB 5.5
    You'll need to post on the forums with the following info
    • Server or VPS details ? XEN, KVM, OpenVZ, VMWare or dedicated server ? OS ? CentOS 6.7 or 7.2 ? 32bit or 64bit ?
    • What version of Centmin Mod ? .07 stable or 08 stable or .09 beta01 or another branch version ?
    • Was it fresh install or upgrade ?
    • Method of install ? Via centmin.sh menu option 1, Git install or curl one liner install as outlined at centminmod.com/download.html ?
    • How long ago did you install Centmin Mod ?
    • So you didn't use centmin.sh menu option 22 for wp install ?
    Centmin Mod values security and puts additional measures in place so that end users are also mindful of security. So in your case, you might need to whitelist or unblock the WP plugins related to your 403 permission denied messages.

    If you used centmin.sh menu option 22 auto installer Wordpress Nginx Auto Installer, the default wpsecure conf file at /usr/local/nginx/conf/wpsecure_${vhostname}.conf where vhostname is your domain name, blocks php scripts from executing in wp-content for security

    Below links you can see examples of setting up specific wordpress location matches to punch a hole in the wpsecure blocking to whitelist specific php files that need to be able to run.
    If on Centmin Mod 123.09beta01, you may have ran into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community You uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.
     
  3. KlueMaster

    KlueMaster New Member

    13
    3
    3
    Aug 5, 2017
    Ratings:
    +3
    Local Time:
    9:44 PM
    MariaDB 10
    I'm using CentOS 7.3 64-bit on a dedicated server. The server was provisioned today. I've installed .09 beta01 afresh using one-line install, and used option #22 to install Wordpress. Thereafter I copied plugins, themes, and uploads folder from my earlier host and merged them to latest installation. Finally, I copied the old db entries to WordPress database via SQL file, after modifying tablenames to reflect the new prefixes. I've used Let's encrypt SSL, PageSpeed and WP-Super-Cache in my installation.

    I am facing no issues on front-end, however cannot access wp-content. Even logging-in via admin credentials, sends me to my-account page of woocommerce. I've also checked auto protect file, and it is only blocking akismet and sucuri plugin access for IPs other than 127.0.0.1.

    Does this info help?
     
  4. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,573
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,755
    Local Time:
    2:14 AM
    Nginx 1.13.x
    MariaDB 5.5
    then you ran into additional security measures in 123.09beta01 outlined at Wordpress - Wordpress 403 Permission Denied Errors and above :)

    after uploading all your files, re-run /usr/local/src/centminmod/tools/autoprotect.sh and re-inspect /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf for all new generated entries picked up on by tools/autoprotect.sh (if any)
     
  5. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,573
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,755
    Local Time:
    2:14 AM
    Nginx 1.13.x
    MariaDB 5.5
    Also might help if you provide your nginx vhost settings to double check.

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    what is output of these commands in ssh
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    wrap output in CODE tags

    You may want to replace your actual domain with dummy reference domain.com if you want.
     
  6. KlueMaster

    KlueMaster New Member

    13
    3
    3
    Aug 5, 2017
    Ratings:
    +3
    Local Time:
    9:44 PM
    MariaDB 10
    After re-running autoprotect.sh there are additional entries related to uploads folder. However, there is nothing for wp-admin, and still facing the same error on wp-admin. One thing has changed though. On logging-in, now I'm getting
    405 Not Allowed
    instead of getting redirected to front-end /my-account
     
  7. KlueMaster

    KlueMaster New Member

    13
    3
    3
    Aug 5, 2017
    Ratings:
    +3
    Local Time:
    9:44 PM
    MariaDB 10
    .ssl.conf contents:
    Code:
    #x# HTTPS-DEFAULT
     server {
    
       server_name bookdlook.com www.bookdlook.com;
       return 302 https://$server_name$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    # For SPDY SSL Setup
    
    #   server_name bookdlook.com www.bookdlook.com;
    
    server {
      listen 443 ssl http2;
      server_name bookdlook.com www.bookdlook.com;
    
      include /usr/local/nginx/conf/ssl/bookdlook.com/bookdlook.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ---REDACTED---;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    include /usr/local/nginx/conf/pagespeed.conf;
    include /usr/local/nginx/conf/pagespeedhandler.conf;
    include /usr/local/nginx/conf/pagespeedstatslog.conf;
    pagespeed on;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/bookdlook.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/bookdlook.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/bookdlook.com/autoprotect-bookdlook.com.conf;
      root /home/nginx/domains/bookdlook.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      #include /usr/local/nginx/conf/wpincludes/bookdlook.com/wpcacheenabler_bookdlook.com.conf;
      include /usr/local/nginx/conf/wpincludes/bookdlook.com/wpsupercache_bookdlook.com.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/bookdlook.com/rediscache_bookdlook.com.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      #try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/bookdlook.com/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/bookdlook.com/wpsecure_bookdlook.com.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
    
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-bookdlook.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Code:
    curl -I https://bookdlook.com
    Code:
    HTTP/1.1 301 Moved Permanently
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Set-Cookie: PHPSESSID=bv74sshd8h6qt0vkqs2nnnf7s2; path=/
    Pragma: no-cache
    Location: https://www.bookdlook.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    Date: Sat, 05 Aug 2017 12:10:13 GMT
    X-Page-Speed: 1.12.34.2-0
    Cache-Control: max-age=0, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
    
    Code:
    # curl -I https://www.bookdlook.com
    Code:
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Set-Cookie: PHPSESSID=mfgvetnsk1tbq3r9ggoddrneo2; path=/
    Pragma: no-cache
    Link: <https://www.bookdlook.com/wp-json/>; rel="https://api.w.org/"
    Link: <https://www.bookdlook.com/>; rel=shortlink
    Server: nginx centminmod
    X-Powered-By: centminmod
    Date: Sat, 05 Aug 2017 12:10:26 GMT
    X-Page-Speed: 1.12.34.2-0
    Cache-Control: max-age=0, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
    
    Code:
    # curl -I http://www.bookdlook.com
    Code:
    HTTP/1.1 302 Moved Temporarily
    Date: Sat, 05 Aug 2017 12:10:33 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: keep-alive
    Location: https://bookdlook.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    Code:
    # curl -I http://bookdlook.com
    Code:
    HTTP/1.1 302 Moved Temporarily
    Date: Sat, 05 Aug 2017 12:10:46 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: keep-alive
    Location: https://bookdlook.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
     
  8. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,573
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,755
    Local Time:
    2:14 AM
    Nginx 1.13.x
    MariaDB 5.5
    vhost looks good
    which url you logging in from ? /wp-login.php is usually the one
     
  9. KlueMaster

    KlueMaster New Member

    13
    3
    3
    Aug 5, 2017
    Ratings:
    +3
    Local Time:
    9:44 PM
    MariaDB 10
    Just realised, I was logged in as admin while trying to access wp-admin and getting the error. Now, when I tried to access /wp-admin after logging out, I'm getting the following screen:

    SITE MAINTENANCE

    Performing some site maintenance. Will be back shortly!

    I was using the same. However, the 405 error disappeared after restarting nginx.
     
  10. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,573
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,755
    Local Time:
    2:14 AM
    Nginx 1.13.x
    MariaDB 5.5
  11. KlueMaster

    KlueMaster New Member

    13
    3
    3
    Aug 5, 2017
    Ratings:
    +3
    Local Time:
    9:44 PM
    MariaDB 10
    Actually I'm repeatedly hitting this with BookDLook ‹ Log In based wp-admin access attempt. So it is not the maintenance mode, as all other pages are accessible. However, it looks like somehow maintenance script is getting triggered.
     
  12. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,573
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,755
    Local Time:
    2:14 AM
    Nginx 1.13.x
    MariaDB 5.5
    Have you tried restarting both nginx + php-fpm services
    Code (Text):
    nprestart
    

    accessing and testing that login url via http curl check https://tools.keycdn.com/curl shows HTTP 200 status ok
    Code (Text):
    HTTP/2 200
    content-type: text/html; charset=UTF-8
    vary: Accept-Encoding
    set-cookie: PHPSESSID=b1tvddf9ur1gitrmi2egebu9p0; path=/
    pragma: no-cache
    set-cookie: wordpress_test_cookie=WP+Cookie+check; path=/; secure
    x-frame-options: SAMEORIGIN
    server: nginx centminmod
    x-powered-by: centminmod
    date: Sat, 05 Aug 2017 13:08:52 GMT
    x-page-speed: 1.12.34.2-0
    cache-control: max-age=0, no-cache, must-revalidate

    Could be wp super cache issue, you can temporarily disable/comment out with hash # in front the wp super cache try_files line in both your nginx vhosts as well as uncomment the normal wp permalink try_files line, so change from
    Code (Text):
      # for wordpress super cache plugin
      try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      #try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    

    to
    Code (Text):
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      #try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      try_files $uri $uri/ /index.php?q=$uri&$args;
    

    restart both nginx + php-fpm services
    Code (Text):
    nprestart
    

    does that work ?
     
  13. KlueMaster

    KlueMaster New Member

    13
    3
    3
    Aug 5, 2017
    Ratings:
    +3
    Local Time:
    9:44 PM
    MariaDB 10
    Had tried it earlier, and tried now again. Didn't work. :(

    BTW, found this entry in error.log
    Code:
    017/08/05 13:10:05 [error] 7932#7932: *12 limiting requests, excess: 1.402 by zone "xwplogin", client: 47.247.14.37, server: bookdlook.com, request: "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.bookdlook.com%2Fwp-admin%2F&reauth=1 HTTP/2.0", host: "www.bookdlook.com"
    Also, in access.log we get
    Code:
    47.247.14.37 - - [05/Aug/2017:13:09:15 +0000] "GET /wp-admin/ HTTP/2.0" 403 1562 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"
    I had opted for no login protection (for wp-login.php) at the time of install.
     
  14. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,573
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,755
    Local Time:
    2:14 AM
    Nginx 1.13.x
    MariaDB 5.5
    is that your ip ? that is related to centmin.sh menu option 22's auto setup rate limiting for wp-login.php and xmlrpc.php requests, so that could be what you're hitting a rate limited 503 error which triggers the maintenance mode routine accidentally (unintended). It could be then wp-super cache caching the 503 ?

    in both domain.com.conf and domain.com.ssl.conf vhost config files
    Code (Text):
    location ~* /(wp-login\.php) {
       limit_req zone=xwplogin burst=1 nodelay;
       #limit_conn xwpconlimit 30;
       auth_basic "Private";
       #auth_basic_user_file /home/nginx/domains/bookdlook.com/htpasswd_wplogin;
       include /usr/local/nginx/conf/php-wpsc.conf;
    
       # https://community.centminmod.com/posts/18828/
       #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
       limit_req zone=xwprpc burst=45 nodelay;
       #limit_conn xwpconlimit 30;
       include /usr/local/nginx/conf/php-wpsc.conf;
    
       # https://community.centminmod.com/posts/18828/
       #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    

    you could temporarily comment out the limit_req_zone line in
    Code (Text):
    location ~* /(wp-login\.php) {
       limit_req zone=xwplogin burst=1 nodelay;
    

    to
    Code (Text):
    location ~* /(wp-login\.php) {
       #limit_req zone=xwplogin burst=1 nodelay;
    

    restart nginx + php-fpm services and get logged into wp admin to clear wp super cache cache as well.

    Then try uncommenting limit_req_zone again and restarting nginx + php-fpm services and see if in incognito web browsing session if you can log in again.

    FYI, the wp-login.php rate limit is set to 40 requests/minute with burst of 1
    centminmod/nginx.conf at 6ea8fbb61d5240291600ab8fc4711a16188c72c9 · centminmod/centminmod · GitHub. Usually, that should be enough for unique IP address to log into wp-login.php. Maybe need to revise this.
     
    Last edited: Aug 6, 2017
  15. KlueMaster

    KlueMaster New Member

    13
    3
    3
    Aug 5, 2017
    Ratings:
    +3
    Local Time:
    9:44 PM
    MariaDB 10
    No-luck. :(

    BTW, I do not have domain.com.conf files, only domain.com.ssl.conf files. That's probably because I've issued the certificates with lived switch.
     
  16. KlueMaster

    KlueMaster New Member

    13
    3
    3
    Aug 5, 2017
    Ratings:
    +3
    Local Time:
    9:44 PM
    MariaDB 10
    I've installed another site on the same server and it is allowing me to access wp-admin. The difference is that I've used redis cache on this one. However, I do see Site Maintenance blue screen whenever I logout of wp-admin on this new site.
     
  17. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,573
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,755
    Local Time:
    2:14 AM
    Nginx 1.13.x
    MariaDB 5.5
    Any further clues in site's access and error logs ?

    To troubleshoot Nginx and PHP-FPM issues you'd want to check the domain site's vhost access.log and error.log logs located within directory at /home/nginx/domains/yourdomain.com/logs. You can see a full overview at centminmod.com/configfiles.html

    FAQ item 19 has more info on all Centmin Mod relevant log files locations and how to use tail command to view a sample of the entries.
     
  18. KlueMaster

    KlueMaster New Member

    13
    3
    3
    Aug 5, 2017
    Ratings:
    +3
    Local Time:
    9:44 PM
    MariaDB 10
    After much trial and error, I've finally figured it out to be related to old database's migration entries. Since table names use different prefixes, I cannot use the old SQL as it is. On the Saturday's install I had modified the table prefixes in the SQL file. On Sunday's install I simply changed the prefix in wp-config.php. When I used old installs prefix 'wp-' then I was able to access the complete old site, except for wp-admin (the original issue that prompted this thread). Reverting the prefix allowed me to access new site, without access to old site's content. I believe it will require some tinkering with wp-users or wp-options where I'll be able to access both the site's contents as well as wp-admin.

    However, I would like to use this post to thank you for phenomenal support you provided on this issue. I had never looked at the time until post#14, and didn't realize how late it was for you. I hope I will find it in me to support this community with the same level of commitment as you do.
     
    • Like Like x 1
  19. eva2000

    eva2000 Administrator Staff Member

    28,957
    6,573
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,755
    Local Time:
    2:14 AM
    Nginx 1.13.x
    MariaDB 5.5
    ah wordpress prefixes indeed !

    centmin mod centmin.sh menu option 22 wordpress installs use a randomly generated prefix instead of wp_ defaults for more security (trending theme from this thread is I care about end user's security :) )

    as centmin.sh menu option 22 uses wp-cli.org's wp-cli command line too to install and configure wordpress, you can also use it to change wp database's prefixes apparently via wp-cli 3rd party packages like GitHub - iandunn/wp-cli-rename-db-prefix: A WP-CLI command to rename WordPress' database prefix. Other packages at Package Index | WP CLI

    wp-cli commands need to be run from web root of wp install i.e. /home/nginx/domains/domain.com/public if wordpress installed in web root.
     
    • Like Like x 1