I created a custom WordPress website for a client. I designed it, did the CSS/HTML and had a developer help me with the back-end database code. The URL is http://www.davidoates.info
It is not used as a blog. There are no posts/comments or other outside input.
Host: qwk.net; PHP version: 5; WordPress version: 2.92. There are no active plugins.
The "Events" page on this site (http://www.davidoates.info/events) has not updated correctly since first publishing. When the client tries to add content, the following error message displays:
Error 403: Forbidden
Your PHP settings have been disabled by an H-Sphere administrator.
• Your current PHP configuration:
• This configuration was changed:
Please bring your PHP configuration in compliance with admin settings or request your administrator to re-enable support of your settings.
You don't have permissions to access this page. This usually means one of the following:
• this file and directory permissions make them unavailable from the Internet.
• .htaccess contains instructions that prevent public access to this file or directory.
Please check file and directory permissions and .htaccess configuration if you are able to do this. Otherwise, request your webmaster to grant you access.
The site is hosted by qwk.net. They give minimal assistance for WP sites, but their answer follows. The WP version used was up to date at the time it went live.
This is the mod_security Apache firewall blocking your request.
The first and foremost thing to check is to make sure you are running the most recent install of WordPress that is available. Many of the old versions have different security vulnerabilities and this may be what is generating the 403.
If an update does not fix this issue you can install the following htaccess directive:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
This is a last resort thing to do. Mod_security protects your site from many different kinds of attacks from hackers. Installing this does not mean you will be hacked, but it does open your site up a little bit.
The developer confirmed that there was an SQL injection filter issue with the content, and suggested that the client use the words "select" and "selection" more sparingly in the content. His work-around solution was to format those words in the code. For example: select = "<span>sel</span>ect"
This solution was not the best option for the client. When writing subsequent content and updating, the error has happened again on a regular basis. Disabling the filters was not a permanent fix.
Are there issues with host server file permission configurations vs FTP or WP permissions involved? Are there any other solutions to this problem?
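
Added example, not part of the original post or the host's configuration: a Python sketch of why a keyword-only SQL injection filter answers ordinary event text with a 403, compared with a rule that requires SQL statement structure. Both regexes and every sample string are assumptions constructed for illustration; the host's actual mod_security rule is not shown in the post.

```python
import re

# Hypothetical keyword rule of the kind the developer describes:
# any occurrence of "select" in the POST body counts as SQL injection.
NAIVE = re.compile(r"select", re.I)

# Hypothetical tighter rule: require statement structure
# (UNION [ALL] SELECT, or SELECT ... FROM <name>) instead of a lone keyword.
STRUCTURAL = re.compile(
    r"\bunion\s+(?:all\s+)?select\b"
    r"|\bselect\b[^.;]{0,100}?\bfrom\s+[\w`]+",
    re.I,
)

# Constructed sample POST bodies: (label, text, is_attack)
SAMPLES = [
    ("prose_choice",
     "Please select a session and note your selection on the form.", False),
    ("prose_recordings",
     "A selection of recordings will be available after the event.", False),
    ("prose_seating",
     "Select your seat from the chart below.", False),
    ("sqli_union",
     "1 UNION SELECT user_login, user_pass FROM wp_users", True),
]


def evaluate(rule):
    """Return {label: True if the rule would block the sample}."""
    return {label: bool(rule.search(text)) for label, text, _ in SAMPLES}


def false_positives(rule):
    """Labels of benign samples the rule would reject with a 403."""
    hits = evaluate(rule)
    return [label for label, _, attack in SAMPLES if not attack and hits[label]]


if __name__ == "__main__":
    for name, rule in (("naive", NAIVE), ("structural", STRUCTURAL)):
        print(name, evaluate(rule), "false positives:", false_positives(rule))
```

The structural rule still flags prose of the form "select ... from ...", so tightening the pattern reduces false positives on editorial content without eliminating them.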