• Hi,
    since I activated Cloudflare I have a problem that occurs not every time but mostly.

    I go to mydomain.com/wp-admin/ and log in to the Admin Dashboard. Then I get redirected (not every time) to:
    /wp-login.php?redirect_to=https%3A%2F%2Fmydomain.com%2Fwp-admin%2F&reauth=1

    and I see a 403 Forbidden page.

    What I did so far:
    – I followed these instructions and created page rules:
    https://support.cloudflare.com/hc/en-us/articles/200169526-Disabling-Cloudflare-features-on-admin-pages-for-content-management-systems-like-WordPress
    – I deleted htaccess and created a new one through WordPress Dashboard
    – I checked all permissions on my ftp server and all files are on 644 and all folders are on 755
    – I cleared the server cache and browser cache and cookies

    I really don’t know what else to do.
    I appreciate any hint.

    Regards,
    Kristina

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hello Kristina,

    I did a quick R&D and found one reference link; maybe following the steps mentioned in there can help and get your problem solved.

    Check this link

    See if this helps.

    Thanks.

    Thread Starter kris0603

    (@kris0603)

    Hi Kartik,
    thanks for your reply. That means I need to whitelist all Cloudflare IP ranges in my htaccess?

    I am not sure if I understand what is described in this blog post.

    Yes Kristina, I believe that is what the blog post says.

    Give it a try and if you still face a problem let us know and we will find some alternative solution.

    Thanks.

    Thread Starter kris0603

    (@kris0603)

    Hi Kartik,
    can you help me to define the text that needs to be added to the htaccess file?

    This is the example:
    Deny from All
    SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
    SetEnvIF X-Forwarded-For "2.3.4.5" AllowIP
    Allow from env=AllowIP
    Allow from 1.2.3.4
    Allow from 2.3.4.5

    And these are the Cloudflare IPs:
    https://www.cloudflare.com/ips/

    Moderator bcworkz

    (@bcworkz)

    Unless you have additional WP security for wp-login.php requests, you shouldn’t need additional .htaccess rules. But if you do, determine which IP range is actually being used by checking the request’s data with your browser’s network developer tool. More than likely all requests will be within the CIDR range specified. At worst maybe 2 or 3 of them. Start with the currently used range. If you run into trouble in the future, a new range has come into play. Determine which range and add it to the .htaccess rules.

    If you don’t have additional WP security, I think the problem is more likely due to your host’s modSecurity app. They’d need to whitelist your login requests to suppress the 403 errors.
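
The range check described in the reply above, as an added example that is not part of the original thread: it finds which published CIDR range each observed address falls in and emits `Deny`/`Allow` lines in the same Apache 2.2 style as the example quoted earlier. The function names are hypothetical and the ranges are constructed documentation placeholders; substitute the current list from https://www.cloudflare.com/ips/.

```python
import ipaddress

# Constructed placeholder ranges (documentation address blocks), NOT real
# Cloudflare ranges. Replace with the list at https://www.cloudflare.com/ips/
SAMPLE_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]


def matching_range(ip, ranges=SAMPLE_RANGES):
    """Return the CIDR range from `ranges` that contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)
        # Compare only within the same address family (IPv4 vs IPv6).
        if addr.version == net.version and addr in net:
            return cidr
    return None


def htaccess_rules(observed_ips, ranges=SAMPLE_RANGES):
    """Build rules that allow only the ranges actually observed.

    Returns (rules_text, unmatched_ips). Addresses outside every listed
    range are reported rather than allowed, so that a new range is only
    ever added deliberately.
    """
    allowed, unmatched = [], []
    for ip in observed_ips:
        cidr = matching_range(ip, ranges)
        if cidr is None:
            unmatched.append(ip)
        elif cidr not in allowed:
            allowed.append(cidr)
    lines = ["Deny from All"] + [f"Allow from {c}" for c in allowed]
    return "\n".join(lines), unmatched


if __name__ == "__main__":
    # Constructed sample addresses standing in for those seen on login requests.
    rules, unknown = htaccess_rules(["198.51.100.17", "198.51.100.200", "10.0.0.5"])
    print(rules)
    print("Not in any listed range:", unknown)
```

An address reported as unmatched is the "new range has come into play" case: compare it against the refreshed published list before adding anything to .htaccess.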

  • The topic ‘403 Forbidden Error for wp-login.php’ is closed to new replies.