WordPress.org

Ready to get started?Download WordPress

Forums

iThemes Security (formerly Better WP Security)
Install/Config Hide Backend Forbidden 403 error (2 posts)

  1. SoftBlue
    Member
    Posted 2 years ago #

    Background:
    Installation of Better WP Security (BWS) onto 275 sites. 170 sites complete. All sites substantially same structure offering different content (WP, Framework, Theme, & 13 Plugins the same).

    Problem:
    5 sites experience 403 Forbidden (You do not have permission to access this document). Problem presents upon logging out of site after BWS installation/configuration. Same message presents when attempting to access backend. Suspect Hide Backend feature as this is the first time I have used the feature on a large number of sites.

    Resolution:
    Compared .htaccess file contents between three sites: Broken, working with feature, and working without feature. Able to identify the block of commands associated with the feature. In my case these are the last 25 lines (including blank lines) begining with a RewriteRule which contains my login address and ending with a RewriteRule which contains ...wp-login.php?.... The last line is just before "# END Better WP Security".

    I commented out this portion of the .htaccess ('# ' used to comment). Changed the file readonly status to allow writing. Saved the result.

    I was then able to login to the site using /wp-login.php.

    I re-tried the original Hide Backend configuration and site access became forbidden. In retrospect it was interesting to note that the key generated was the same.

    I tried the original Hide Backend - this time checking the generate new key. This time the feature work as expected.

    I'm not able to figure out why one key works and another does not.

    Solution:
    Comment out the Hide Backend code within .htaccess (not labeled - see notes above to locate). Change the read/write status of the file and save.

    Open site with /wp-login.php. On the Security/Hide Backend page check the Generate New Secret Key option and save.

    Logout/login to test.

    I hope that this helps anyone encountering this problem. If I were not working with such a large number of sites I would not have uncovered it or be able to resolve the problem.

    http://wordpress.org/extend/plugins/better-wp-security/

  2. SoftBlue
    Member
    Posted 2 years ago #

    Update:
    The reason some Secret Key strings fail is because the .htaccess file filters query strings for common commands and code fragments which are used for code injection. URL queries including SQL and some other code injection attempts are filtered out before reaching the Hide Backend commands. Apparently, when the Secret Key string is created it is not checked to insure these are not inadvertently included in the Secret Key.

    Having found the source of the problem and understanding its apparent cause has reafirrmed my trust in the Better WP Security plugin.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic