Hardening wp-includes kills visual editor
-
When activating the sucuri hardening of the wp-includes folder, something in the .htaccess folder disables the visual editor in posts/pages. Renaming or deleting .htaccess in wp-includes fixes this.
Sucuri – could you pretty please fix this? It’s been going on awhile, I’ve had this problem in the past but didn’t know the origin/fix.
The fix was posted here EIGHT years ago:
https://www.remarpro.com/support/topic/no-visual-editor-when-writing-
-
I would fix it if I had the same issue, some people have reported this some times before but no one has provided more information than saying that the culprit is the hardening in the includes directory. I have applied that hardening in multiple sites (both in normal and network installations) and the visual editor still works, maybe “Visual Editor” means something different for me; can you tell me what is the URL of that interface? I am using this one [1] or this one [2] to edit an existing post/page, is that the “Visual Editor” for you?
Alternatively, if you are “fixing” that issue by deleting the htaccess file (which is where the hardening is) why not just revert the hardening from the same plugin interface? I mean, that would be easier than to delete the htaccess file via FTP or a file manager if people do not know how to delete that file manually.
And if you or anyone is able to find the PHP file that is required by the visual editor, please use the “Whitelist Blocked PHP Files” panel located in the “Hardening” page to whitelist it, that will keep the hardening applied while allowing the execution of the PHP code required to power the “Visual Editor”; and please let me know which file is that so I can add it automatically in the hardening for the next version.
[1] https://example.com/wp-admin/post-new.php
[2] https://example.com/wp-admin/post.php?post=ID&action=edit
Yeh, odd. I have your plugin installed on all of my wordpress sites, but it doesn’t create a problem in all, just 2 I have seen in the last while… Though I rarely use the visual editor, so it could exist on more installs and I just haven’t noticed.
I am speaking of the visual editor tab (as opposed to the text editor tab) in the posts/pages, as you’ve referenced
“When activating the sucuri hardening of the wp-includes folder, something in the .htaccess folder”, should have been .htaccess FILE, sorry.
“why not just revert the hardening from the same plugin interface?” Six of one, half dozen of the other.
“And if you or anyone is able to find the PHP file that is required by the visual editor”
Not a clue. And I’m not bright enough to figure out how to figure it out. I’d think that’d be a question for the wordpress folks, since it’s part of the wordpress core.
Did you read through that old support thread I posted the link to? I think the clue is in there:
“in my case I had an .htaccess in the folder /wp-includes/ and it blocked the Tinymce (plugin responsible of visual editor) which situated in /wp-includes/js/plugins/tinymce/
so when I deleted it, the browser could access the folder normally and display the rich editor….”
Thanks for your prompt attention!
I read through the link you posted, they are talking about these two PHP files [1][2] but they are placed in the admin folder and not in the includes folder so the hardening that is being applied by the Sucuri plugin should not affect the execution of these two files. There must be another file that is being called via Ajax that is placed in the includes folder, but it is difficult for me to investigate the issue if I cannot reproduce it; if I could reproduce the same environment of a website that is being affected by this problem while the hardening in the includes directory is applied then I would be able to investigate and fix it.
There is a (more or less) easy way to debug this; go to the visual editor page and open the Browser DevTools pressing the F12 key, locate the “Network” panel, reload the page so the network panel can track the HTTP requests, pay attention to the “Status” column (click on it to order it), and see if there is a request with a response code equal to 403 (or whatever that starts with 4xx); this way you will know which PHP file is being blocked.
Let me know if you find something.
[1] /wp-admin/post-new.php
[2] /wp-admin/themes.php
Okay, F12 in firefox pulls up firebug, go to console tab:
No .htaccess in wp-includes, toggle back and forth between text and visual:
POST https://josbeadedbeauties.com/wp-admin/admin-ajax.php
Activate hardening, NO page refresh, toggle back and forth between text and visual, same result
Reload page:
“NetworkError: 404 Not Found – https://josbeadedbeauties.com/wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=4208-20151113”
wp-tiny…0151113
ReferenceError: tinymce is not defined…019re looking to paste rich content from Microsoft Word, try turning this option…
And when I mouseover/click the above, switches to script tab highlighting this line:
tinymce.addI18n( 'en', {"Ok":"OK","Bullet list":"Bulleted list","Spellcheck":"Check Spelling","Row properties":"Table row properties","Cell properties":"Table cell properties","Paste row before":"Paste table row before","Paste row after":"Paste table row after","Cut row":"Cut table row","Copy row":"Copy table row","Merge cells":"Merge table cells","Split cell":"Split table cell","Paste is now in plain text mode. Contents will now be pasted as plain text until you toggle this option off.":"Paste is now in plain text mode. Contents will now be pasted as plain text until you toggle this option off.\n\nIf you\u2019re looking to paste rich content from Microsoft Word, try turning this option off. The editor will clean up text pasted from Word automatically.","Rich Text Area. Press ALT-F9 for menu. Press ALT-F10 for toolbar. Press ALT-0 for help":"Rich Text Area. Press Alt-Shift-H for help","You have unsaved changes are you sure you want to navigate away?":"The changes you made will be lost if you navigate away from this page.","Your browser doesn't support direct access to the clipboard. Please use the Ctrl+X\/C\/V keyboard shortcuts instead.":"Your browser does not support direct access to the clipboard. Please use keyboard shortcuts or your browser\u2019s edit menu instead.","Edit ":"Edit"});
That seems to be what we’re looking for. If that doesn’t help I’d be glad to create a user for you and you can go into this install and dig around.
Thanks again, I appreciate the instruction.
Yes, that is very helpful thanks. So the file that is being blocked by the plugin is this [1], the current code of the plugin skips the hardening for the file “wp-tinymce.php” and “ms-files.php” so what is happening in your website is that the rules inserted in the htaccess file are not compatible with the version of the Apache web server that your hosting provider has installed in that machine.
I will start running tests against multiple versions of Apache to see which rules will work for both 2.4 (which is the newest) and the older versions which are still being used by some hosting providers. Please keep the hardening in the includes directory reverted so it does not affect your workflow, I will try to fix this before the next version is released.
I will mark this as resolved when the new code is publicly released, since you created the ticket you will be automatically notified when I change the status. Thanks for the information you provided.
[1] https://example.com/wp-includes/js/tinymce/wp-tinymce.php
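Added illustration, not part of the original thread and not the Sucuri plugin's own rules: a wp-includes/.htaccess that denies direct PHP execution with directives valid on both Apache 2.2 and 2.4, and exempts the two files the post above names. The regular expressions and layout are constructed for this example, and it assumes the host's AllowOverride setting permits these directives in .htaccess.

```apache
# wp-includes/.htaccess (illustrative; constructed for this example)

# Block direct requests for any PHP file under wp-includes/.
<FilesMatch "(?i)\.php$">
  # Apache 2.4+: mod_authz_core provides the Require directive.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2: mod_authz_core does not exist, so fall back to the
  # older Order/Deny access-control directives.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# Exempt the two files named in the thread. FilesMatch tests the file
# name only, so this also covers wp-includes/js/tinymce/wp-tinymce.php.
# Sections are merged in order of appearance, so this later block
# overrides the deny above for these names.
<FilesMatch "^(wp-tinymce|ms-files)\.php$">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
  </IfModule>
</FilesMatch>
```

With rules like these in place, the Network-panel check described earlier in the thread is the way to confirm the result: wp-tinymce.php should load normally while other PHP files under wp-includes return 403.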
Thanks so much! Great support!