WordPress.org

Ready to get started?Download WordPress

Forums

Adding new users / Error 403 Forbidden / Permissions ok / mod_security ok (5 posts)

  1. caratage
    Member
    Posted 2 years ago #

    Dear all,

    I stumbled upon a strange behaviour in WP 3.3.1 MS. Ok, here's what I did: I tried to add a new user. I am in the admin as registrations from the front-end are disabled. I have successfully added users before, but this time something went wrong:

    Add User - 1st Attempt

    1. I am in the user admin area of the respective blog, my capabilities are SuperAdmin.
    2. I click "Add New", so it takes me to /wp-admin/user-new.php
    3. I want to add a new user, so I use the 2nd form
    4. I supply the username and email, select the role and Add New User
    5. I get an error 403 Forbidden

    Add User - 2nd Attempt

    1. I am in the user admin area of the network, my capabilities are SuperAdmin.
    2. I click "Add New", so it takes me to /wp-admin/network/user-new.php
    3. Just one form to fill here
    4. I supply the username and email, and Add User
    5. I get an error 403 Forbidden

    Hey, what's up? Permissions?

    Ok, let's do CHMOD wp-admin to 777. Repeated the above steps.

    Again Error 403

    I start to google a bit, find about and this mod_security thing and add some .htaccess magic.

    <IfModule mod_security.c>
      SecFilterEngine Off
    </IfModule>

    Repeated the above steps.

    Oh, again Error 403

    I google a bit more, find about and this mod_env thing and add some.htaccess magic.

    <IfModule mod_env.c>
        SetEnv MODSEC_ENABLE Off
        PassEnv MODSEC_ENABLE
    </IfModule>

    Repeated the above steps.

    Oh no, not again Error 403

    Ok. Rewind. Fully Rewind.

    Add User - 3rd Attempt

    1. Overwrite wp-admin with pristine one to restore permissions to default
    2. Remove .htaccess magic
    3. Let's try register another test user (user test, email test@mydomain.com) from the blog. Hey, it worked! Happy
    4. Let's try register another test user (user test, email test@mydomain.com) from network Hey, it worked! Happy
    5. Let's try register the real user (user myrealuser, email myrealuser@yahoo.com) ....

    BOOM: Error 403

    Just thinking: Are there any filters preventing myrealuser or myrealuser@yahoo.com from being registered?

    Yes: I remember that in the network admin (/wp-admin/network/settings.php), you can supply banned names from registering sites. Maybe that is true for usernames as well? But myrealuser is a trivial name and not included in that list...

    Add User - 4th Attempt

    1. Let's try register another test user (user myrealuser, email test@mydomain.com) from the blog or from the network. Hey, it worked! Happy
    2. Let's change myrealuser's email to myrealuser@yahoo.com

    Error 403, still getting Error 403 Forbidden

    So my question: Has anyone had a similar problem registering users with a @yahoo.com address? Does a blacklist/spam filter for registering user emails exist?

    Any help or hint greatly appreciated!

  2. Mod Security cannot be turned off via .htaccess in most modern installs of Apache.

    Check your server's error log. You should be able to check if it's mod security and, if so, you need to add something like this to your whitelist for mod_sec :/

    ## WordPress
    <LocationMatch "/index.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>
    
    <LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>
    <LocationMatch "/wp-admin/admin-ajax.php">
    SecRuleRemoveById 300015 300016 300017
    SecRuleRemoveById 300013
    </LocationMatch>
    <LocationMatch "/wp-admin/page.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>
  3. caratage
    Member
    Posted 2 years ago #

    Would that also be the case if error 403 is only happening in combination with certain email addresses/domains? As I said, I can register most users, just a few cause the error.

    So I put the above in /usr/local/apache/conf/modsec2/whitelist.conf?
    And my LocationMatch for /wp-admin/user-new.php?
    Will I have to change those numbers as described here?

    But yeah, will try your solution out first. Let's see if my hosting provider allows me to do so (cheap virtual server without root or SSH)...

  4. Would that also be the case if error 403 is only happening in combination with certain email addresses/domains? As I said, I can register most users, just a few cause the error.

    Yes. Because mod security is looking for a pattern of words/letters that tell it OMG! Evil! And it's possible yahoo.com is banned somehow. If it was WP's blacklist, you'd get a different error.

    That post you linked to is a great one.

    I recently added this to mine to make it shut up about posts.

    SecRule REQUEST_URI "/wp-admin/post.php"
    phase:1,nolog,allow,ctl:ruleEngine=Off
  5. caratage
    Member
    Posted 2 years ago #

    Ok, will try that out as soon I find some time... Thanks for the ideas. Will post here again with results.

Topic Closed

This topic has been closed to new replies.

About this Topic