HMWG (Free ver) possible bug

Gyztor
(@gyztor)

1 year, 8 months ago
I have been having an odd issue lately that seems to only affect the places changed by HMWG specially the wp-admin area. Normally everything works fine and but certain pages like admin/post.php?post=38&action=edit (which is basically the admin path but changed with HMWG active to change the admin directory) would show only a “Sorry, you are not allowed to edit posts in this post type.” this happens only in other specific areas but usually are all within wp-admin/* that seem to need some hidden permission(?) that I can’t see. after doing some digging into my docker logs and changing a LOT of nginx configs I have narrowed it down using the only error that appears (and only with HMWG active) when using the rewritten urls
[error] 23#23: *1225 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined array key 1 in /var/www/html/wp-includes/vars.php on line 32" while reading response header from upstream
when going to this place in the file it seems to be this;
```
// On which page are we?
if ( is_admin() ) {
        // wp-admin pages are checked more carefully.
        if ( is_network_admin() ) {
                preg_match( '#/wp-admin/network/?(.*?)$#i', $_SERVER['PHP_SELF'], $self_matches );
        } elseif ( is_user_admin() ) {
                preg_match( '#/wp-admin/user/?(.*?)$#i', $_SERVER['PHP_SELF'], $self_matches );
        } else {
                preg_match( '#/wp-admin/?(.*?)$#i', $_SERVER['PHP_SELF'], $self_matches );
        }
        $pagenow = $self_matches[1];
        $pagenow = trim( $pagenow, '/' );
        $pagenow = preg_replace( '#\?.*?$#', '', $pagenow );
        if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) {
                $pagenow = 'index.php';
        } else {
                preg_match( '#(.*?)(/|$)#', $pagenow, $self_matches );
                $pagenow = strtolower( $self_matches[1] );
                if ( '.php' !== substr( $pagenow, -4, 4 ) ) {
                        $pagenow .= '.php'; // For <code>Options +Multiviews</code>: /wp-admin/themes/index.php (themes.php is queried).
                }
        }
} else {
        if ( preg_match( '#([^/]+\.php)([?/].*?)?$#i', $_SERVER['PHP_SELF'], $self_matches ) ) {
                $pagenow = strtolower( $self_matches[1] );
        } else {
                $pagenow = 'index.php';
        }
}
```
and its breaking at the $pagenow = $self_matches[1]; part.
This is honestly all I could find after 20 hours of searching
I have made sure all my file permissions are correct. Nginx is correct and doesn’t not block anything it seems to just be when this plugin with the wordpress panel. I hope we could find a fix for this as i love this plugin and constantly typing in “wp-admin” over my rewritten address is getting a bit annoying :/
note: yes i tried downgrading. did not work.
- This topic was modified 1 year, 8 months ago by Gyztor. Reason: fixing some info

Viewing 10 replies - 16 through 25 (of 25 total)

← 1 2

Thread Starter

Gyztor

(@gyztor)

1 year, 8 months ago

yes i did the test with 5.0.13

Thread Starter

Gyztor

(@gyztor)

1 year, 8 months ago

still no change in activity with it since the change. still blocking me permissions wise

Plugin Author

John Darrel

(@johndarrel)

1 year, 8 months ago

Hi Gyztor,

With all our tests we could not reproduce the permission error you have.

Can you create me a stage clone website for testing the plugin with your configuration?

You can send us an email on contact@hidemywpghost.com and continue the support by email.

John

Thread Starter

Gyztor

(@gyztor)

1 year, 8 months ago

Yes i can send a stage clone. give me some time to make it and i will email you the stage clone

Moderator

Steven Stern (sterndata)

(@sterndata)

Volunteer Forum Moderator

1 year, 8 months ago

@johndarrel I’m am 100% sure you mean well but please never ask for credentials on these forums.

https://wordpress.org/support/guidelines/#the-bad-stuff

Now for the why: The internet is a wonderful place full of very nice people and a few very bad ones. I’m sure everyone here is very nice however, by giving some ones keys to your house you are trusting they wont steal anything. Likewise the person who takes the keys is now responsible for the house FOREVER.

If something was to go wrong, then you the author may well legally become liable for damages, which they would not normally have been as their software is provided without warranty.

Please be aware that repeatedly asking for credentials will result in us escalating this to the plugins team.

It’s never necessary to do that. Here’s why.

There are many ways to get information you need and accessing the user’s site is not one of them. That’s going too far.

Ask for a link to the http://pastebin.com/ log of the user’s web server error log.
Ask the user to create and post a link to their phpinfo(); output.
Ask the user to install the Health Check plugin and get the data that way.
Walk the user through enabling WP_DEBUG and how to log that output to a file and how to share that file.
Walk the user through basic troubleshooting steps such and disabling all other plugins, clear their cache and cookies and try again.
Ask the user for the step-by-step on how they can reproduce the problem.

You get the idea.

Volunteer support is not easy. But these forums need to a safe place for all users, experienced or new. Accessing their system that way is a short cut that will get you into real trouble in these forums.

Thread Starter

Gyztor

(@gyztor)

1 year, 7 months ago

I am sorry for the late reply but after reading through and doing lots of testing I have just decided to deal with it, going through everything and doing everything I could possibly think of I decided to make an ENTIRELY SEPARATE AND NEW website testing environment just with similar nginx rules and this STILL happens, which means its not nginx but wordpress. Since the wordpress is a clean install the last thing it could be is the plugin, I feel really bad about this bad news but that just looks like that’s how it is going to be. I really like this plugin and hope i can find a compromise with the configurations on this but for now i will leave the nginx configurations here for anyone to be able to replicate this. I really hope this gets fixed but I somewhat don’t have any hope for it to get fixed at this time since nothing has really helped.
configurations for docker container nginx:1.21.6-alpine
nginx/conf.d/example.com.conf:

server {
    listen                  0.0.0.0:443 ssl http2 reuseport;
    server_name             example.com www.example.com;
    set                     $base /var/www/html;
    root                    /var/www/html/example;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    proxy_busy_buffers_size   512k;
    proxy_buffers   4 512k;
    proxy_buffer_size   256k;
    fastcgi_buffers 16 256k;
    fastcgi_buffer_size 256k;

    include /var/www/html/example/hidemywpghost.conf;

    # security
    include                 nginxconfig.io/security.conf;

    # index.php
    index                   index.php;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # additional config
    include nginxconfig.io/general.conf;
    include nginxconfig.io/wordpress.conf;

    # handle .php
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-socket.sock;
        fastcgi_index index.php;
        fastcgi_param PHP_VALUE "upload_max_filesize = 5120M \n post_max_size=5124M"; #just for testing purposes ignore the large file size, this can be changed without any interference
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/html/example$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_intercept_errors on;
    }
    include     nginxconfig.io/letsencrypt.conf;
}
# HTTP redirect
server {
    listen      0.0.0.0:80 reuseport;
    server_name example.com *.example.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }
}

nginx/nginxconfig.io/letsencrypt.conf:

# ACME-challenge
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/www/html/example;
}

nginx/nginxconfig.io/general.conf:

# favicon.ico
location = /favicon.ico {
    log_not_found off;
    access_log    off;
}

# robots.txt
location = /robots.txt {
    log_not_found off;
    access_log    off;
}

# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
    expires    1y;
    access_log off;
}

# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
    add_header Access-Control-Allow-Origin "*";
    expires    1y;
    access_log off;
}

# gzip
gzip            on;
gzip_vary       on;
gzip_proxied    any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
#this is somewhere else hence why its commented out
#gzip_types image/svg+xml text/plain text/html text/xml text/css text/javascript application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript application/x-font-ttf application/vnd.ms-fontobject font/opentype font/ttf font/eot font/otf;

nginx/nginxconfig.io/security.conf:

# security headers
add_header X-Frame-Options           "SAMEORIGIN" always;
add_header X-XSS-Protection          "1; mode=block" always;
add_header X-Content-Type-Options    "nosniff" always;
add_header Referrer-Policy           "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy   "<INSERT YOUR HEADERS HERE>" always;
add_header Permissions-Policy        "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files
location ~ /\.(?!well-known) {
    deny all;
}

nginx/nginxconfig.io/wordpress:

# restrict methods
if ($request_method !~ ^(GET|POST|HEAD|CONNECT)$) {
    #return '405';
    return '444';
}

# WordPress: deny wp-content, wp-includes php files
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
    deny all;
}

# WordPress: deny wp-content/uploads nasty stuff
location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
    deny all;
}

# WordPress: deny wp-content/plugins (except earlier rules)
location ~ ^/wp-content/plugins {
    deny all;
}

# WordPress: deny general stuff
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|readme\.html|license\.txt)$ {
    deny all;
}
location ~ ^/\.user\.ini {
    deny all;
}
location ~ /\.ht {
    deny all;
}

#location = /wp-admin/install.php { deny all; }
location ~ /\.htaccess$ { deny all; }
location ~ /readme\.txt$ { deny all; }
#location ~ ^/wp-admin/includes/ { deny all; }
# Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
location ~* \.(xml|xsl)$ { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0"; expires -1; }
location /robots.txt { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0"; expires -1; }
location ~* \.(css|js|pdf)$ { add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, max-age=2592000, stale-while-revalidate=86400, stale-if-error=604800"; expires 30d; }
location ~* \.(jpg|jpeg|png|gif|ico|eot|swf|svg|webp|avif|ttf|otf|woff|woff2|ogg|mp4|mpeg|avi|mkv|webm|mp3)$ { add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, max-age=31536000, stale-while-revalidate=86400, stale-if-error=604800"; expires 365d; }
location /wp-cron.php { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0"; expires -1; }
location = /wp-content/wp-cloudflare-super-page-cache/example.com/debug.log { access_log off; deny all; }

nginx/nginx.conf:

user                 nginx;
pid                  /var/run/nginx.pid;
worker_processes     4;
worker_rlimit_nofile 65535;

include              /etc/nginx/modules-enabled/*.conf;

events {
    multi_accept       on;
    worker_connections 65535;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    keepalive_timeout  65;

    #gzip  on;

    charset                utf-8;
    sendfile               on;
    tcp_nopush             on;
    tcp_nodelay            on;
    log_not_found          off;
    types_hash_max_size    2048;
    types_hash_bucket_size 64;
    client_max_body_size   256M;

    # MIME
    include                /etc/nginx/mime.types;
    default_type           application/octet-stream;

    # Logging
    access_log             /var/log/nginx/access.log;
    error_log              /var/log/nginx/error.log warn;

    # SSL
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam            /etc/letsencrypt/certs/dhparam.pem;
    ssl_prefer_server_ciphers off;

    # Mozilla Intermediate configuration
    ssl_protocols          TLSv1.2 TLSv1.3;
    ssl_ciphers            ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # OCSP Stapling
    ssl_stapling           on;
    ssl_stapling_verify    on;
    resolver               1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout       2s;

    # Load configs
    include                /etc/nginx/conf.d/*.conf;
    server_tokens off;
}

this is everything I have, I hope this helps anyone who has an idea of what could be wrong with it

Thread Starter

Gyztor

(@gyztor)

1 year, 7 months ago

at this point the steps to recreate is
1. use the nginx rules provided in a docker container
2. get wordpress using docker
3. set them up to work correctly
4. install the plugins
5. change the wp-admin path to literaly anything
6. you loose permission to certain things like editing pages

Thread Starter

Gyztor

(@gyztor)

1 year, 7 months ago

and for reference this is the php i am using in docker
gyztor/add-general-use-php:php8.1-fpm-alpine
all it really does it add stuff that would normally be in the wordpress docker’s php

Plugin Author

John Darrel

(@johndarrel)

1 year, 7 months ago

I see that the WordPress rules are present in the file

nginx/nginxconfig.io/wordpress

Add the include line from Hide My WP Ghost at the beginning of this file and restart Nginx after you save the new paths in Hide My WP > Change Paths.

One more thing, after you save the new paths, make sure the file exists at this path and the file hidemywpghost.conf has content:

/var/www/html/example/hidemywpghost.conf;

Restart Nginx after every path change in Hide My WP to make sure Nginx loads the new paths.

Thread Starter

Gyztor

(@gyztor)

1 year, 7 months ago

The include is already there check the nginx/conf.d/example.com.conf
and i do restart it every single time i update something, the issue still persists. Nothing outside of the plugin has fixed the issue when you change the admin panel link. Luckily that seems to be the only one having issues at the moment

This reply was modified 1 year, 7 months ago by Gyztor. Reason: format fix

Viewing 10 replies - 16 through 25 (of 25 total)

← 1 2

The topic ‘HMWG (Free ver) possible bug’ is closed to new replies.

HMWG (Free ver) possible bug

Topic Tags

Views