“ajax is blocked” message when activating Give
-
Hi,
I am trying to set up the Give plugin on my site. When activating the plugin, I see the following message:
“Your site appears to be blocking the WordPress ajax interface. This may cause issues with Give.
Please see this reference for possible solutions.”
I followed the steps in the reference link and deactivated all the plugins on my site except Give, and I still see the message.
I checked my .htaccess file, and see nothing unusual there:
# BEGIN rlrssslReallySimpleSSL rsssl_version[2.3.11]
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
# END rlrssslReallySimpleSSL
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress(Note I also tried removing the ReallySimpleSSL stanzas when I deactivated the plugin, but it made no difference)
Permissions for .htaccess are 444.
Here is the information from the Give SystemInfo page:
### Begin System Info ###
— Site Info
Site URL: https://staging.jenniefoundation.org
Home URL: https://staging.jenniefoundation.org
Multisite: No— Hosting Provider
Host: DBH: localhost, SRV: staging.jenniefoundation.org
— User Browser
Platform: Windows
Browser Name: Firefox
Browser Version: 48.0
User Agent String: Mozilla/5.0 (Windows NT 6.1; Win
64; x64; rv:48.0) Gecko/20100101
Firefox/48.0— WordPress Configuration
Version: 4.6.1
Language: en_US
Permalink Structure: /%year%/%monthnum%/%day%/%postname%/
Active Theme: Llorix One Lite 0.1.17
Show On Front: page
Page On Front: Home (#6)
Page For Posts: Blog (#19)
Remote Post: wp_remote_post() works
Table Prefix: Length: 5 Status: Acceptable
Admin AJAX: Inaccessible
WP_DEBUG: Disabled
Memory Limit: 128M
Registered Post Stati: publish, future, draft, pending, private, trash, auto-draft, inherit, refunded, failed, revoked, cancelled, abandoned— Give Configuration
Version: 1.6.1
Upgraded From: 1.6.1
Test Mode: Enabled
Currency Code: USD
Currency Position: before
Decimal Separator: .
Thousands Separator: ,— Give Page Configuration
Success Page: https://staging.jenniefoundation.org/donation-confirmation__trashed/
Failure Page: https://staging.jenniefoundation.org/transaction-failed__trashed/
Give Forms Slug: /donations— Give Gateway Configuration
Enabled Gateways: Test Payment, Offline Donation
Default Gateway: Test Payment— Must-Use Plugins
— WordPress Active Plugins
Akismet: 3.2
Clean Login: 1.7.5
Give – Donation Plugin: 1.6.1
Loginizer: 1.2.0
Really Simple SSL: 2.3.13
WP-SpamShield: 1.9.9.2— WordPress Inactive Plugins
Jetpack by WordPress.com: 4.3.1
SG CachePress: 2.3.10— Webserver Configuration
PHP Version: 5.6.25
MySQL Version: 5.6.28
Webserver Info: Apache— PHP Configuration
Safe Mode: Disabled
Memory Limit: 768M
Upload Max Size: 128M
Post Max Size: 128M
Upload Max Filesize: 128M
Time Limit: 120
Max Input Vars: 3000
URL-aware fopen: On (1)
Display Errors: N/A— PHP Extensions
cURL: Supported
cURL Version: 7.49.1
zlib: Supported
GD: Supported
fsockopen: Supported
SOAP Client: Installed
Suhosin: Not Installed
DOM: Installed
MBString: Installed— Session Configuration
Give Use Sessions: Enabled
Session: Enabled
Session Name: PHPSESSID
Cookie Path: /
Save Path: /tmp
Use Cookies: On
Use Only Cookies: Off### End System Info ###
I checked the Linux permissions for the wp-admin directory and the admin-ajax.php file:
drwxr-xr-x 9 jenniefo jenniefo 4096 Sep 11 08:00 wp-admin/
-rw-r–r– 1 jenniefo jenniefo 3799 Aug 17 18:51 admin-ajax.php
I’ve also Googled the problem and came up with a few hits, with one user solving the issue by removing “deny IP” lines from their .htaccess (not applicable in my case), and another who unfortunately was not able to resolve the issue. In this ticket, the user noted that attempting to open the admin-ajax.php file directly in his browser showed only “0” (zero). I have no idea what that implies, but I get the same result when I try, with both Firefox and IE.
Finally, I posted a ticket to my site host (SiteGround) and asked about the possibility of a firewall blocking access to admin-ajax. Here is there response:
“Generally, the admin-ajax scrip has been executed in your account, as the following list of executed scripts suggests:
Code:=== Top 10 Executed Scripts ====================================================================================================================================================
Count Script Local Path
—– ———————————————————————————— ———————————————————————————–
44 http://staging.jenniefoundation.org/wp-admin/plugins.php /home/jenniefo/public_html/staging/wp-admin/plugins.php
24 http://staging.jenniefoundation.org/wp-admin/admin-ajax.php /home/jenniefo/public_html/staging/wp-admin/admin-ajax.phpWe do have a firewall, however, it should not block access to the admin-ajax script. Unfortunately, we cannot disable it, since this is a shared server.
Can you please provide us with the login details of your website’s admin panel and instructions how to recreate the issue on our end, so was can see if anything can be done on the server side.
Although this seems unlikely, please also let us know if the plugin is making any connections to remote hosts on non-HTTP ports: we can open a connection in the firewall, if this is the issue. If needed, please inquire with the plugin developers.”
Note that my web host recently updated WordPress to v4.6.1. Could there be a conflict there? I don’t recall seeing this message before the upgrade (was running 4.6.0 before) but cannot swear to it.
Does anyone have any thoughts on what to try next? Thanks in advance.
-
I’m not related to this plugin, but I’ve dealt with this exact issue many times, so maybe I can help.
If a firewall restricts access to the
/wp-admin/directory, or this is blocked in the.htaccess, you will need to add an exception to your.htacess. I’ve seen this a number of times on websites that recommend people lock down their/wp-admin/directory, or sometimes in security plugins (this was more common several years ago though). They almost always forget to mention that an exception needs to be made for the/wp-admin/admin-ajax.phpfile. It’s good advice to keep the/wp-admin/locked down, as long as appropriate exceptions are made.Keep in mind that an
.htaccessfile will override any.htaccessin its parent directory (recursive), so there may be more than one…and it could cause issues. Look in the directory that is above/outside the web root, and check sub-directories as well.Try this… At the end of your .htaccess, add the following code:
<Files admin-ajax.php> Order Allow,Deny Allow from all </Files>If the above does not work, try checking if there is an
.htaccessin the actual/wp-admin/directory. If there is, it might be leftover from something else. You can either delete it, or add code to the file. (Probably the best move is to delete it…try to put your directives in the main.htaccess.) If you don’t want to delete it, the try placing the above code at the end of that.htaccess.Hope that helps.
You’re welcome. 🙂
If you only have a few users that need to access the admin, it’s a good idea to lock it down by IP, since no one else has any need to be in there. Caveat: As long as it doesn’t interfere with your ability to use the site. If it does, then it’s just a nuisance, not a security measure. 🙂
For a site with a large user base, it would not be practical to lock down by IP.
When you place an
.htaccessin a subdirectory, theDeny from Allpart is the firewall, and theAllow from 11.22.33.44(replace with IP Address) is where you’re poking a hole in the firewall to let yourself through. Using more than one .htaccess can get messy, like you just saw. So, the best way is to use the one in the root to place all your directives. It can get tricky though.The cleanest way to lock down your `/wp-admin/’ by IP, is to place the following code toward the end of the file, <em>AFTER the WordPress code</em>:
SetEnvIfNoCase Request_URI "(^|/)wp\-admin/" RESTRICTED_AREA SetEnvIfNoCase Request_URI "/wp\-admin/admin\-ajax\.php" !RESTRICTED_AREA SetEnvIf Remote_Addr "^11\.22\.33\.44$" !RESTRICTED_AREA <Files *> Order Allow,Deny Allow from all Deny from env=RESTRICTED_AREA </Files>This line sets the custom environment variable
RESTRICTED_AREA(name it whatever you like) for any request that includes/wp-admin/:
SetEnvIfNoCase Request_URI "(^|/)wp\-admin/" RESTRICTED_AREAThis unsets the
RESTRICTED_AREAvariable if the request is foradmin-ajax.phpby adding the “!” before theRESTRICTED_AREA:
SetEnvIfNoCase Request_URI "/wp\-admin/admin\-ajax\.php" !RESTRICTED_AREAThis unsets
RESTRICTED_AREAif the request comes from the IP address or range you specify (replace “11\.22\.33\.44” with whatever just be careful with regex, and write “.” as “\.”):
SetEnvIf Remote_Addr "^11\.22\.33\.44$" !RESTRICTED_AREAThis blocks the request and serves a 403 any time the
RESTRICTED_AREAvariable is set:
Deny from env=RESTRICTED_AREAUsing this method, you can add other conditions as well. It gives you a lot of options.
Just keep in mind that in
.htaccessthe order of processing becomes a big factor in how everything works, and where you place code in the file is really important.The different types of directives get processed in this order:
- mod_setenvif.c – SetEnvIf / SetEnvIfNoCase Directives – https://httpd.apache.org/docs/current/mod/mod_setenvif.html
Setting Environment variables based on a condition. (like the ‘RESTRICTED_AREA’ above. that’s an environment variable…you can rename that whatever you like. I recommend prefixing them to prevent collisions. (‘AA_RESTRICTED_AREA’, or ‘XY_RESTRICTED_AREA’, etc.) - mod_rewrite.c – RewriteRule Directives or paired RewriteCond/RewriteRule Directives – https://httpd.apache.org/docs/current/mod/mod_rewrite.html
Your rewrite rules will get processed after the SetEnvIf directives, so use them wisely. Any environment variables you set with rewrites will not be available for testing in the SetEnvIf directives. But, any environment variables you set using SetEnvIf, will be available in your rewrites. - mod_env.c – SetEnv Directives – https://httpd.apache.org/docs/current/mod/mod_env.html
Setting environment variables NOT based on a condition. These are processed last. So you can’t use these to test for in your SetEnvIf or RewriteRule directives.
It’s tricky, but really powerful.
- mod_setenvif.c – SetEnvIf / SetEnvIfNoCase Directives – https://httpd.apache.org/docs/current/mod/mod_setenvif.html
- The topic ‘“ajax is blocked” message when activating Give’ is closed to new replies.
