No permission to access captcha image

Some wordpress set ups have a .htaccess with rules that block web access to the plugins directory.

Some security plugins do that

Mike

Hi, Mike. Okay, so what do I need to look for and what can I try?

I know that there was some manual .htaccess modification on my part for security reasons. What needs to exist for the contact form plugin to be happy?

The .htaccess file in my wp-contents has the following code, which seems like it might be the culprit (…I’m not a programmer, so I’m just making an educated guess here):

<Files *.php>
deny from all
</Files>

Could I add anything to this to make an exception for your contact form plugin?

Yes that file is probably the cause, it is not part of a standard WP install.
You can temporarily remove it to find out.

The file you would want to white list is:
wp-content/plugins/si-contact-form/captcha/securimage_show.php

I don’t know how to do that, if you figure it out, let know, I can add it to a FAQ page

you might consider removing the .htaccess file from /wp-contents/
or determine how to whitelist the securimage_show.php file

Seems like if you wanted to whitelist an IP, you would do with this:

allow from 29.xxx.xx.xxx

But, I don’t know how you would code it for a file.

Hi @laer, try the following link . It gives you many alternatives.

Kind regards

Did you find a solution or take out the .htaccess, did that resolve the problem?

Thanks for your input, mbrsolution!

@mike: I’ve now managed to get input from a few people, including mbrsolution (above). Each snippet of code they have provided may be a solution, however since I’m not well-versed in that sort of coding, I can’t really tell what each example does. Each snippet I’ve received is different from the others, so I’m not sure if one is better than the other, or if any of them would even address the matter, so it’s hard to say. I have to read further on this, using some of the links some of the people provided.

Taking out the .htaccess would solve it, but I DO want to block access to the other plugins for security reasons. I’m surprised the whitelisting isn’t as easy as the global block (Deny All).

I tried adding the same .htacces file to my /wp-contents/ and more than just the captcha broke, the default WordPress theme twentytwelve also broke. It lost the styles.

The .htacces file you are using should come with a warning “this will break plugins and themes”. I would take that out and reconsider your security methods. The core PHP files in my plugin do not allow direct access anyway, they only allow access when you are logged into WP and click on the menu to access it.

The FAQ page for “CAPTCHA image does not show”
https://www.fastsecurecontactform.com/problem-captcha-image

If anything new comes up, I will update the page

Got it working now. I had to add an additional .htaccess file within the Captcha folder that contains this whitelist code:

<Files securimage_show.php>
allow from all
</Files>

This addresses the securimage_show.php script not being accessable due to the global Deny All coding higher up in the directory structure which protects the other plugins.

I think you might be able to put that in /plugins/, then it will not get deleted when you update the plugin.

I think it has to be on the same level as the target script, but I’ll try that out, thanks.

Yes, you’re right. That seems to work. Thanks.