Support » Plugin: Slimstat Analytics » No Access to Settings – forbidden

  • Resolved d1plom4t

    (@d1plom4t)


    Hi there, I can’t access the settings anymore. My efforts result in the prompt
    Forbidden
    You don’t have permission to access /wp-admin/admin.php on this server.

    Am I doing it wrong?
    Latest version of Slimstat, error received on WordPress 5 and WordPress 4.

    Thanks for help, D1plo

    The page I need help with: [log in to see the link]

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author Jason Crouse

    (@coolmann)

    Hi @d1plom4t

    does this issue affect just the plugin’s settings or the other screens as well? Is that link in your bookmarks? Could you see if Slimstat is in your admin bar by any chance? If it is, you can put it back in the WP sidebar by going to Slimstat > Settings > General > WordPress Integration > Use Admin Bar (OFF).

    Best,
    Jason

    Hi @coolmann

    only the plugin’s settings are effected. Everything else works fine. Slimstat is in my admin bar (the top bar of the dashboard-screen).
    Ich would like to toggle the sidebar method – but as stated, I can’t access the settings panel anymore.

    Cheers, D1plo

    Plugin Author Jason Crouse

    (@coolmann)

    Hi @d1plom4t,

    you might be able to access the settings by changing the URL into:

    /wp-admin/index.php?page=slimconfig

    Let me know if that works,
    Jason

    That works, but saving the changes leads to wp-admin/admin.php?page=slimconfig&tab=1, which is forbidden. Changes not saving though…

    Thanks for your efforts. Other ideas?

    Plugin Author Jason Crouse

    (@coolmann)

    Not sure why this is happening, it sounds like a conflict with another plugin. If you have access to phpMyAdmin, could you please find the entry ‘slimstat_options’ in wp_options and send me its value to https://support.wp-slimstat.com ? I’ll send you back the value that you can use to replace it, and everything should go back to normal.

    Jason

    Hi, just want to let you know that this problem still persists. I have changed some SQL entries as a workaround – but this is no option for the future. I was hoping for an update.

    I didnt mention: I am using your plugin on a network install with 6 subsites. Maybe there is a network related issue?

    Please help, I would be glad to continue using your plugin?

    Sincerly, D1plo

    Plugin Author Jason Crouse

    (@coolmann)

    Hi @d1plom4t

    is the menu still in the admin bar or did you manage to move it to the sidebar? Again, we have no other users who are experiencing this issue, and we haven’t been able to reproduce on any of our environments or clients’ environments (including multisite). Is the plugin network-activated?

    Jason

    Hi Jason,

    finally I figured out a solution:
    I am running PLESK with a “Web Application Firewall” or “modsecurity” which recorded this error (private information marked XXX):

    [client 134.101…] ModSecurity: [file “/etc/httpd/conf/modsecurity.d/rules/custom/120_Apps_WPPlugin.conf”] [line “2893”] [id “77230791”] [rev “1”] [msg “IM360 WAF: CSRF vulnerability in Slimstat Analytics 4.7.8.3 plugin for WordPress||MVN:REQUEST_METHOD||MV:post||T:APACHE||PC:6440”] [severity “CRITICAL”] [tag “wp_plugin_wp_slimstat_analytics”] Access denied with code 403 (phase 2). String match “post” at REQUEST_METHOD. [hostname “XXX.de”] [uri “/wp-admin/admin.php”] [unique_id “XXX”], referer: https://xxx/wp-admin/

    Disabling the Firewall allowed me to change the settings.

    Thanks for your help. D1plo

    • This reply was modified 1 month, 3 weeks ago by  d1plom4t.

    Hi Jason,

    based on your replies, I managed to figure out a solution.
    In PLESK I use “modsecurity” firewall which apparently blocked the access to the settings page.
    Disabling modsecurity did the job – I was able to move slimstat to the sidebar. Works perfectly again.

    Cheers, D1plo

    Plugin Author Jason Crouse

    (@coolmann)

    Hi @d1plom4t,

    nice find! I’m definitely going to add this to our knowledge base for future reference. I wonder what exactly was triggering the problem. Does mod_security give you a log of some kind to let you know why it blocked a given request?

    Jason

    The above snippet is the log. I was not able to find further reference.

    Cheers, D1plo

    Plugin Author Jason Crouse

    (@coolmann)

    Ok, gotcha.

Viewing 12 replies - 1 through 12 (of 12 total)
  • You must be logged in to reply to this topic.