post.php forbidden… sometimes

WP doesn’t reject things. Ever.

However, it sounds like your host is running mod_security and it DOES reject things based on rules or patterns it sees in the posted text.

If you have the ability to have mod_security disabled, that would fix your problem. Or, see the end of this thread for one possible way to work around mod_security.

yosemite’s solution in that thread:

—

form name=”form1″ method=”post” action=”options.php”>
options.php is called when hitting the ‘Update Options’ in Options:Reading.

So if the .htaccess workaround could work, it should be:

<Files options.php>
SecFilterInheritance Off
</Files>

*goes back to making tugboat noises, blowing bubbles in his drink*

—–

works, but isnt necessary and also breaks the functionality of mod_security completely. The BETTER way to fix any posting issues is to simply upload an .htaccess with :

SecFilterInheritance Off

into your /wp-admin directory.

Once done, files in that directory are not subject to mod_security and you have still retained the ability to use mod_security for comment filtering, sql injection protection etc..

whoami: Actually, your suggestion disables mod_security for the entire wp-admin/ directory. My suggestion was to disable it only for options.php.

indeed yosemite, you are correct on both counts Apologies for mis-reading your post.

Re the rest:

My intention WAS and IS to disable it for the entire directory. I stated that:

“Once done, files in that directory are not subject to mod_security and you …”

option.php has absolutely nothing to do with post.php which is what THIS particular topic has to do with.

Nor does option.php have anything to do with editing of posts.

I suppose a suggestion like

<Files post.php>
SecFilterInheritance Off
</Files>

could have been given for the OP here, however it’s been my experience that if mod_security is affecting one thing it’s going to affect others, and therefore its simpler to disable it all-together in that directory.

ok, i did the suggestion that should have turned it off for the whole directory and now i can’t even get into the admin panel, when i go to /blog/wp-admin (to log in) i get another forbidden error

also, how would i know if mod_security is on? would it be in the root .htaccess file? cuz there is no mention of it in there

also, it started doing this just a couple days ago, it totally randomly does the forbidden error, no ryhme or reason, i’ll start a new page, type 4 lines, post it, works fine, type 3 more lines, save and continue editing, fine, then i’ll write another 3 lines or something (or even just add some words to a sentence), save and continue editing, and then forbidden suddenly

it’s really crazy

p.s. it was doing this when i had 2.02 installed, so i upgraded to 2.03, still doing it

assuming there is nothing else in your wp-admin/.htaccess and that your host is not doing something to restrict your ability to turn mod_security off, what I suggested works —

I use it myself.

Make sure there are NO odd tabs, line breaks, what have you in your .htaccess.

To see if your host has installed mod_security, create a file, and put the following inside of it:

<?php phpinfo(); ?>

upload that file, rename it anything you like, as long as it ends in .php

Open that file in your browser, and scroll down to where you see Apache in big black letters. Under that you will see “Loaded Modules” If it’s installed, it will be listed there.

btw, a really simple test is just to prattle off a post with the word .htaccess in it ??

Thats a pretty common indicator that mod_security is the culprit.

ok, here are the loaded modules (mod_security IS installed)

mod_dosevasive, mod_security, mod_auth_passthrough, mod_log_bytes, mod_bwlimited, mod_php4, mod_frontpage, mod_ssl, mod_setenvif, mod_so, mod_expires, mod_auth, mod_access, mod_rewrite, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core

there is nothing but the line you gave me in the .htaccess file in my wp-admin directory, and there are no weird characters or anything

still getting a 403 forbidden error

also, i tried renaming .htaccess in wp-admin but even then i still get a 403 error when trying to get into the admin panel at all, i can’t even log in

well, if your renaming the htaccess and STILL getting that error, the error is NOT related to the .htaccess

thats easy enough logic to follow.

https://www.meknow.net/blog/wp-admin/

I really hate to suggest the obvious but what are the permissions on your wp-admin dir?

ok, here’s what i meant with the htaccess, originally when i posted the problem to begin with i COULD log into the admin panel, i would just get random forbidden errors when writing pages

then i tried the fix and placed an htaccess file in the wp-admin directory, after i did that i started getting the forbidden error whenever i tried to even log into the admin panel

i renamed the htaccess file, thinking it was causing a bigger problem, but now even with the file renamed i STILL can’t even log into the admin panel

and yes, i checked the permissions, they are not the problem. no matter how i chmod that directory i still get the error

the .htaccess file suggested should be in the root dir of your wordpress installation. One level up from wp-admin, in other words.

well there were several suggestions, and i tried all of them

SecFilterInheritance Off does not seem to do anything for me

i placed htaccess files in both the wp-admin directory and in the WP root (blog/ in my case), i also tried combinations of one or the other

oldmanstan,

lets back up, and to clarify:

1. My original suggestion was for an .htaccess that existed within your wp-admin/ directory >> I mention that because if handysolo is reffering to my post, he’s incorrect, thats <b>not</b> what I suggested.

—

If you rename OR remove ANY .htaccess that exists within wp-admin, that you placed there as a result of my suggestion, and you still encounter problems —

ITS NOT THE .htaccess (atleast NOT the one you have renamed or removed)

Perhaps you have made edits to the one in the root of your blog install?

—–

This is NOT rocket science:

1. delete the .htaccess that is in /wp-admin
2. RENAME the one that is in the root of your blog install

At that point you have disabled everything within an .htaccess that might be affecting your ability to login.

ok, i placed SecFilterInheritance Off in the htaccess file in my server root directory (public_html/) and now i can log into the admin panel again, but i still don’t understand what happened? i could use it before but then suddenly it starts screwing up?

i never changed a thing before the problem started

could my host have changed something that messed it up? i’m confused

one other thing, am i creating a security hole by turning on the inheritance for the whole site?

your host could have done anything — no-one here knows anymore than you..

If you can login, and you have disabled mod-security, than the problem is solved.