[resolved] Theme Editor triggering server security - Error 403, 404 (5 posts)

  1. MyGoToOffice
    Member
    Posted 8 years ago #

    I suddenly began experiencing this problem yesterday. I can edit all pages EXCEPT sidebar.php (I could earlier). When I try to edit, I receive the error:

    "You don't have permission to access /wpblog/bobg/wp-admin/theme-editor.php on this server.

    "Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

    I can edit the file through cPanel.

    I queried my host. Here is the response:

    "We have mod_security configured for the server. This is used for security purpose. On submitting your file, it contains certain pattern, in post payload. This is what is causing trouble. You need to contact your programmer and remove the patterns like ":space:"."

    Anybody have any ideas?

  2. Mark (podz)
    Support Maven
    Posted 8 years ago #

    What are you trying to edit into the sidebar?

  3. MyGoToOffice
    Member
    Posted 8 years ago #

    Actually, just changing some text in the Author description. Nothing major. I get the permissions error even when I haven't changed a thing, however.

    I am also having the same problem with phpBB installations. A note in the phpBB forum indicates that the installation of mod_security on my host server is the problem. The host can apparently configure the security so that it is compatible with WordPress, phpBB, etc. I just have to convince them that it can/should be done.

    I searched for the pattern noted by my host (:space:) but cannot find it in sidebar.php or theme-editor.php.

  4. MyGoToOffice
    Member
    Posted 8 years ago #

    From the ModSecurity.org web site:

    "Note: These rules were designed to work in detection mode. Although it is possible to use the rules in prevention (block) mode, this works well only certain types of web applications. Content management applications and forums, in particular, are expected to produce a higher number of false positives. Use prevention mode at your own risk, and only after you've completed a test run in detection mode."

    It is apparent that my host's application of mod_security in detection mode is generating an excessive number of false positives related to WordPress and phpBB. I am trying to get them to adjust the rules so that legitimate accesses are not blocked. The most common php threats should have been identified during their testing of mod_security prior to setting it to detection mode.

  5. Mark (podz)
    Support Maven
    Posted 8 years ago #

    What was the text?

Topic Closed

This topic has been closed to new replies.
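
The detection-mode test run quoted in post 4, followed by a narrowly scoped exception for the theme editor, as an added example that is not from the thread or from the host's configuration. It assumes ModSecurity 2.x directive names under Apache; the audit log path and the rule id 999999 are placeholders, and the real id would come from the audit log entry for the blocked request.

```apache
# Added example. Assumes ModSecurity 2.x on Apache.
# The log path and rule id 999999 are placeholders.

# Stage 1: test run in detection mode.
# Rules are evaluated and matches are logged, but no request is blocked.
SecRuleEngine DetectionOnly

# Inspect POST bodies, since the host reports the match is in the post payload.
SecRequestBodyAccess On

# Log only transactions that matched a rule.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
# A/Z = record boundaries, B = request headers, C = request body,
# F = response headers, H = trailer naming the rule that matched.
SecAuditLogParts ABCFHZ

# Stage 2: once the false positives are reviewed, replace the
# DetectionOnly line above with the blocking setting:
# SecRuleEngine On

# Remove only the rule that misfires, and only for the theme editor,
# so the rest of the site keeps the full rule set. This assumes the
# rule inspects the request body (phase 2).
<LocationMatch "/wp-admin/theme-editor\.php$">
    SecRuleRemoveById 999999
</LocationMatch>
```

Scoping the removal to one path and one rule id keeps the exception smaller than disabling the engine for all of wp-admin.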
