Viewing 2 replies - 1 through 2 (of 2 total)
  • The way I got it working is by adding a rule allowing TinyMCE
    followed by a rule denying all php files in the wp-includes directory.

    The rule for allowing TinyMCE MUST contain directives connecting Nginx to the PHP application server (php5-fpm in my case).
    Basically I copied over the directives I had under the location ~ \.php$ block.

    So for me the solution looked like this:

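    # Allowing TinyMCE only
    # "=" is an exact match, so it is chosen before any regex location below.
    location = /wp-includes/js/tinymce/wp-tinymce.php {
            allow all;
            # Hand the request to the PHP application server (php5-fpm socket).
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_read_timeout 300s;
    }

    # Blocking other PHP files in wp-includes
    # The dot before "php" is escaped so that only names ending in ".php" match.
    location ~* /wp-includes/.*\.php$ {
            deny all;
    }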

    Task finished with pull-request #2 [1] and more specifically with commit 7666c43 [2]; once the changes are merged in the master branch and pushed to the WordPress repositories you will see the new Nginx rules in the hardening panel.

    PS. @ramdamnest thanks for your help.

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/2
    [2] https://github.com/cixtor/sucuri-wordpress-plugin/commit/7666c43

  • The topic ‘Hardening rules for Nginx breaks tinymce’ is closed to new replies.