Learn about Centmin Mod LEMP Stack today
Register Now

Wordpress Wordpress 403 Permission Denied Errors

Discussion in 'Blogs & CMS usage' started by eva2000, Apr 9, 2017.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    5:53 AM
    Nginx 1.25.x
    MariaDB 10.x
    Centmin Mod values security and puts additional measures in place so that end users are also mindful of security. So in your case, you might need to whitelist or unblock the WP plugins related to your 403 permission denied messages.

    wpsecure include file

    If you used centmin.sh menu option 22 auto installer Wordpress Nginx Auto Installer, the default wpsecure conf file at /usr/local/nginx/conf/wpsecure_${vhostname}.conf (for 123.08stable) and at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf (for 123.09beta01 and higher) where vhostname is your domain name, blocks php scripts from executing in wp-content for security

    Below links you can see examples of setting up specific wordpress location matches to punch a hole in the wpsecure blocking to whitelist specific php files that need to be able to run.

    tools/autoprotect.sh protections

    If on Centmin Mod 123.09beta01, you may have ran into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community You uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.

    tools/autoprotect.sh protections after adding/uploading files

    If you upload or add additional files right after running centmin.sh menu option 2, 22 or nv commands to setup nginx vhost, you may want to re-run /usr/local/src/centminmod/tools/autoprotect.sh and re-inspect /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf for all new generated entries picked up on by tools/autoprotect.sh (if any) and adjust them accordingly i.e. setup .autoprotect-bypass file - details below here and/or sepecific nginx vhost protections manually. The /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf listing is telling you that some directories listed have a .htaccess file which has 'deny all' directive and that web app's author intended it to be private and not for public access. But nginx doesn't support .htaccess, so double check your web app setup and add any nginx .htaccess equivalent HTTP protections to your nginx vhost as needed.
    Last edited: Aug 5, 2017
Thread Status:
Not open for further replies.