HMWG (Free ver) possible bug
I have been having an odd issue lately that seems to only affect the places changed by HMWG, especially the wp-admin area. Normally everything works fine, but certain pages like admin/post.php?post=38&action=edit (which is basically the admin path, but changed with HMWG active to change the admin directory) would show only “Sorry, you are not allowed to edit posts in this post type.” This happens only in other specific areas, but they are usually all within wp-admin/* and seem to need some hidden permission(?) that I can’t see. After doing some digging into my docker logs and changing a LOT of nginx configs, I have narrowed it down using the only error that appears (and only with HMWG active) when using the rewritten URLs:
[error] 23#23: *1225 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined array key 1 in /var/www/html/wp-includes/vars.php on line 32" while reading response header from upstream
When going to this place in the file it seems to be this:

// On which page are we?
if ( is_admin() ) {
    // wp-admin pages are checked more carefully.
    if ( is_network_admin() ) {
        preg_match( '#/wp-admin/network/?(.*?)$#i', $_SERVER['PHP_SELF'], $self_matches );
    } elseif ( is_user_admin() ) {
        preg_match( '#/wp-admin/user/?(.*?)$#i', $_SERVER['PHP_SELF'], $self_matches );
    } else {
        preg_match( '#/wp-admin/?(.*?)$#i', $_SERVER['PHP_SELF'], $self_matches );
    }
    $pagenow = $self_matches[1];
    $pagenow = trim( $pagenow, '/' );
    $pagenow = preg_replace( '#\?.*?$#', '', $pagenow );
    if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) {
        $pagenow = 'index.php';
    } else {
        preg_match( '#(.*?)(/|$)#', $pagenow, $self_matches );
        $pagenow = strtolower( $self_matches[1] );
        if ( '.php' !== substr( $pagenow, -4, 4 ) ) {
            $pagenow .= '.php'; // For Options +Multiviews: /wp-admin/themes/index.php (themes.php is queried).
        }
    }
} else {
    if ( preg_match( '#([^/]+\.php)([?/].*?)?$#i', $_SERVER['PHP_SELF'], $self_matches ) ) {
        $pagenow = strtolower( $self_matches[1] );
    } else {
        $pagenow = 'index.php';
    }
}
and it’s breaking at the `$pagenow = $self_matches[1];` part.
This is honestly all I could find after 20 hours of searching
I have made sure all my file permissions are correct. Nginx is correct and doesn’t block anything; it seems to just be when this plugin is used with the WordPress panel. I hope we can find a fix for this, as I love this plugin and constantly typing in “wp-admin” over my rewritten address is getting a bit annoying :/
Note: yes, I tried downgrading. Did not work.
This topic was modified 1 year, 8 months ago by Gyztor. Reason: fixing some info
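To make the failure mode in the quoted vars.php concrete, here is a small stand-alone PHP script (an added example, not code from this thread, from WordPress core or from Hide My WP Ghost) that re-implements the plain wp-admin branch of the $pagenow derivation as a function of PHP_SELF and runs it over the two paths from the report: the canonical /wp-admin/post.php and the HMWG-rewritten /admin/post.php. The function names, the constructed sample paths and the guarded variant are assumptions of this example, not anything the plugin or core ships.

```php
<?php
// Added example, not code from the thread, from WordPress core or from HMWG.
// Mirrors the is_admin() / plain wp-admin branch of wp-includes/vars.php as a
// pure function of PHP_SELF so the two request paths from the report can be
// compared side by side. Run with: php pagenow_demo.php
// (PHP warnings go to stderr, which is what FastCGI forwarded to the nginx log).

/**
 * Same steps as core, in the same order. When PHP_SELF does not contain
 * "/wp-admin", preg_match() leaves $self_matches empty, so $self_matches[1]
 * raises "Warning: Undefined array key 1" (PHP 8) and evaluates to null.
 */
function derive_pagenow_like_core( string $php_self ): string {
    preg_match( '#/wp-admin/?(.*?)$#i', $php_self, $self_matches );
    $pagenow = $self_matches[1];                       // the line the report points at
    $pagenow = trim( (string) $pagenow, '/' );         // cast only silences the 8.1 null deprecation notice
    $pagenow = preg_replace( '#\?.*?$#', '', $pagenow );
    if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) {
        return 'index.php';                            // an unmatched path collapses to the dashboard page
    }
    preg_match( '#(.*?)(/|$)#', $pagenow, $self_matches );
    $pagenow = strtolower( $self_matches[1] );
    if ( '.php' !== substr( $pagenow, -4, 4 ) ) {
        $pagenow .= '.php';
    }
    return $pagenow;
}

/**
 * Guarded variant (an assumption of this example, not a core patch): refuse to
 * guess when the path never reached /wp-admin/ at the PHP layer, so the caller
 * sees the rewrite problem instead of a silent index.php fallback.
 */
function derive_pagenow_guarded( string $php_self ): ?string {
    if ( ! preg_match( '#/wp-admin/?(.*?)$#i', $php_self, $self_matches ) ) {
        return null;
    }
    $pagenow = preg_replace( '#\?.*?$#', '', trim( $self_matches[1], '/' ) );
    if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) {
        return 'index.php';
    }
    preg_match( '#(.*?)(/|$)#', $pagenow, $self_matches );
    $pagenow = strtolower( $self_matches[1] );
    return '.php' === substr( $pagenow, -4, 4 ) ? $pagenow : $pagenow . '.php';
}

// Constructed sample inputs: the canonical admin URL and the rewritten one
// from the report ("admin" in place of "wp-admin"). PHP_SELF normally carries
// no query string; it is kept here to show that core strips it anyway.
$sample_paths = [
    '/wp-admin/post.php?post=38&action=edit',
    '/admin/post.php?post=38&action=edit',
];

foreach ( $sample_paths as $path ) {
    $core    = derive_pagenow_like_core( $path );
    $guarded = derive_pagenow_guarded( $path ) ?? 'null (not under /wp-admin/)';
    printf( "%-40s core: %-10s guarded: %s\n", $path, $core, $guarded );
}
```

On the canonical path the mirror returns post.php. On the rewritten path preg_match() finds no /wp-admin/, the same warning that appears in the nginx error log is emitted, and $pagenow is set to index.php instead of post.php; the guarded variant reports that condition explicitly. What the rest of the admin does with a wrong $pagenow is outside what this thread records, but the warning and the index.php fallback are exactly what the quoted code and the log line establish, and they show why the problem only appears once the admin directory name no longer reaches PHP as /wp-admin/.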
Yes, I did the test with 5.0.13.
Still no change in activity with it since the change; still blocking me permissions-wise.
Hi Gyztor,
With all our tests we could not reproduce the permission error you have.
Can you create a staging clone website for me, for testing the plugin with your configuration?
You can send us an email on contact@hidemywpghost.com and continue the support by email.
John
Yes, I can send a stage clone. Give me some time to make it and I will email you the stage clone.
@johndarrel I’m 100% sure you mean well, but please never ask for credentials on these forums.
https://wordpress.org/support/guidelines/#the-bad-stuff
Now for the why: The internet is a wonderful place full of very nice people and a few very bad ones. I’m sure everyone here is very nice; however, by giving someone the keys to your house you are trusting they won’t steal anything. Likewise, the person who takes the keys is now responsible for the house FOREVER.
If something was to go wrong, then you the author may well legally become liable for damages, which they would not normally have been as their software is provided without warranty.
Please be aware that repeatedly asking for credentials will result in us escalating this to the plugins team.
It’s never necessary to do that. Here’s why.
There are many ways to get information you need and accessing the user’s site is not one of them. That’s going too far.
- Ask for a link to the http://pastebin.com/ log of the user’s web server error log.
- Ask the user to create and post a link to their phpinfo(); output.
- Ask the user to install the Health Check plugin and get the data that way.
- Walk the user through enabling WP_DEBUG and how to log that output to a file and how to share that file.
- Walk the user through basic troubleshooting steps such as disabling all other plugins, clearing their cache and cookies and trying again.
- Ask the user for the step-by-step on how they can reproduce the problem.
You get the idea.
Volunteer support is not easy. But these forums need to be a safe place for all users, experienced or new. Accessing their system that way is a short cut that will get you into real trouble in these forums.
I am sorry for the late reply, but after reading through and doing lots of testing I have just decided to deal with it. Going through everything and doing everything I could possibly think of, I decided to make an ENTIRELY SEPARATE AND NEW website testing environment just with similar nginx rules, and this STILL happens, which means it’s not nginx but WordPress. Since the WordPress is a clean install, the last thing it could be is the plugin. I feel really bad about this bad news, but that just looks like that’s how it is going to be. I really like this plugin and hope I can find a compromise with the configurations on this, but for now I will leave the nginx configurations here for anyone to be able to replicate this. I really hope this gets fixed, but I somewhat don’t have any hope for it to get fixed at this time since nothing has really helped.
configurations for docker container nginx:1.21.6-alpine
nginx/conf.d/example.com.conf:

server {
    listen 0.0.0.0:443 ssl http2 reuseport;
    server_name example.com www.example.com;
    set $base /var/www/html;
    root /var/www/html/example;

    # SSL
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    proxy_busy_buffers_size 512k;
    proxy_buffers 4 512k;
    proxy_buffer_size 256k;
    fastcgi_buffers 16 256k;
    fastcgi_buffer_size 256k;

    include /var/www/html/example/hidemywpghost.conf;

    # security
    include nginxconfig.io/security.conf;

    # index.php
    index index.php;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # additional config
    include nginxconfig.io/general.conf;
    include nginxconfig.io/wordpress.conf;

    # handle .php
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-socket.sock;
        fastcgi_index index.php;
        fastcgi_param PHP_VALUE "upload_max_filesize = 5120M \n post_max_size=5124M"; # just for testing purposes, ignore the large file size; this can be changed without any interference
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/html/example$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_intercept_errors on;
    }

    include nginxconfig.io/letsencrypt.conf;
}

# HTTP redirect
server {
    listen 0.0.0.0:80 reuseport;
    server_name example.com *.example.com;
    include nginxconfig.io/letsencrypt.conf;

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }
}
nginx/nginxconfig.io/letsencrypt.conf:
# ACME-challenge
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/www/html/example;
}
nginx/nginxconfig.io/general.conf:
# favicon.ico
location = /favicon.ico {
    log_not_found off;
    access_log off;
}

# robots.txt
location = /robots.txt {
    log_not_found off;
    access_log off;
}

# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
    expires 1y;
    access_log off;
}

# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
    add_header Access-Control-Allow-Origin "*";
    expires 1y;
    access_log off;
}

# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
# this is somewhere else, hence why it's commented out
#gzip_types image/svg+xml text/plain text/html text/xml text/css text/javascript application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript application/x-font-ttf application/vnd.ms-fontobject font/opentype font/ttf font/eot font/otf;
nginx/nginxconfig.io/security.conf:
# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy "<INSERT YOUR HEADERS HERE>" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files
location ~ /\.(?!well-known) {
    deny all;
}
nginx/nginxconfig.io/wordpress:
# restrict methods
if ($request_method !~ ^(GET|POST|HEAD|CONNECT)$) {
    #return '405';
    return '444';
}

# WordPress: deny wp-content, wp-includes php files
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
    deny all;
}

# WordPress: deny wp-content/uploads nasty stuff
location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
    deny all;
}

# WordPress: deny wp-content/plugins (except earlier rules)
location ~ ^/wp-content/plugins {
    deny all;
}

# WordPress: deny general stuff
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|readme\.html|license\.txt)$ {
    deny all;
}

location ~ ^/\.user\.ini {
    deny all;
}

location ~ /\.ht {
    deny all;
}

#location = /wp-admin/install.php { deny all; }

location ~ /\.htaccess$ {
    deny all;
}

location ~ /readme\.txt$ {
    deny all;
}

#location ~ ^/wp-admin/includes/ { deny all; }

# Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
location ~* \.(xml|xsl)$ {
    add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0";
    expires -1;
}

location /robots.txt {
    add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0";
    expires -1;
}

location ~* \.(css|js|pdf)$ {
    add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, max-age=2592000, stale-while-revalidate=86400, stale-if-error=604800";
    expires 30d;
}

location ~* \.(jpg|jpeg|png|gif|ico|eot|swf|svg|webp|avif|ttf|otf|woff|woff2|ogg|mp4|mpeg|avi|mkv|webm|mp3)$ {
    add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, max-age=31536000, stale-while-revalidate=86400, stale-if-error=604800";
    expires 365d;
}

location /wp-cron.php {
    add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0";
    expires -1;
}

location = /wp-content/wp-cloudflare-super-page-cache/example.com/debug.log {
    access_log off;
    deny all;
}
nginx/nginx.conf:
user nginx;
pid /var/run/nginx.pid;
worker_processes 4;
worker_rlimit_nofile 65535;
include /etc/nginx/modules-enabled/*.conf;

events {
    multi_accept on;
    worker_connections 65535;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    keepalive_timeout 65;
    #gzip on;
    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    log_not_found off;
    types_hash_max_size 2048;
    types_hash_bucket_size 64;
    client_max_body_size 256M;

    # MIME
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    # SSL
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/letsencrypt/certs/dhparam.pem;
    ssl_prefer_server_ciphers off;

    # Mozilla Intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout 2s;

    # Load configs
    include /etc/nginx/conf.d/*.conf;
    server_tokens off;
}
this is everything I have, I hope this helps anyone who has an idea of what could be wrong with it
At this point the steps to recreate are:
1. use the nginx rules provided in a docker container
2. get wordpress using docker
3. set them up to work correctly
4. install the plugins
5. change the wp-admin path to literally anything
6. you lose permission to certain things like editing pages
And for reference this is the PHP I am using in docker:
gyztor/add-general-use-php:php8.1-fpm-alpine
All it really does is add stuff that would normally be in the wordpress docker’s PHP.
Hi
I see that the WordPress rules are present in the file
nginx/nginxconfig.io/wordpress
Add the include line from Hide My WP Ghost at the beginning of this file and restart Nginx after you save the new paths in Hide My WP > Change Paths.
One more thing, after you save the new paths, make sure the file exists at this path and the file hidemywpghost.conf has content:
/var/www/html/example/hidemywpghost.conf
Restart Nginx after every path change in Hide My WP to make sure Nginx loads the new paths.
The include is already there, check the nginx/conf.d/example.com.conf, and I do restart it every single time I update something; the issue still persists. Nothing outside of the plugin has fixed the issue when you change the admin panel link. Luckily that seems to be the only one having issues at the moment.
This reply was modified 1 year, 7 months ago by Gyztor. Reason: format fix
The topic ‘HMWG (Free ver) possible bug’ is closed to new replies.