wp-admin files has no permissions

  • Resolved siritinga

    (@siritinga)


    6 years, 3 months ago

    Dear group,

    A friend of mine has ask me to check his WP site that has no permissions to access wp-admin files for some unspecified reason. Users can log-in but if any user tries to access any file located in wp-admin, a message saying that the user has no permissions appears.

    I’ve tried every solution I found on Internet without success:

    * The main site loads fine, with all the styles and articles there, so the database can be accessed.
    * I have updated WordPress from commandline to 4.9.1.
    * Directories and files have the right permissions (644 for files, 755 for directories).
    * Tables prefixes seems to be fine.
    * I’ve tried to disable plugins (renaming the plugins directory) and restore a default .htaccess with no luck.
    * Users can log-in even if they get the page saying that they have no permissions for wp-admin pages. After logged in, I can go to the home page and I see the upper bar with commands like new post, add users, etc. but if I try to use any of them, then I get the no permission page.
    * I’ve checked the Admin permissions in the SQL database and seem to be fine.
    * wp-admin/about.php loads so the directory is accessible.
    * I’ve tried enabling the WP_DEBUG flag but the debug is not helpful.

    I’m running out of options of what to check next, any advice will be very welcome.

    Thank you!

Viewing 11 replies - 1 through 11 (of 11 total)
  • Moderator t-p

    (@t-p)

    6 years, 3 months ago

    Useful codex: https://codex.wordpress.org/Roles_and_Capabilities

    To rule out and theme/plugin conflict, try:
    – deactivating ALL (yes all) plugins temporarily to see if this resolves the problem (plugin functions can interfere). If this works, re-activate them individually (one-by-one) to find the problematic plugin(s).
    – switching to the unedited default Theme (Twenty Seventeen, etc.) for a moment using the WP dashboard to rule out any theme-specific issue (theme functions can interfere like plugins).

    abletec

    (@abletec)

    6 years, 3 months ago

    Hello, siritinga, & welcome. Firstly, you’ve done an incredible job of troubleshooting thus far. Congratulations! Maybe when we’re done here, you’ll consider joining the volunteers on the forum to help others who are experiencing difficulties?

    There are some things you haven’t told us, & they’re important for us to know. Is your friend hosting on Windows or Linux? I’m assuming Linux, because you speak of a .htaccess file, but well, when you assume you do things that are decidedly unhelpful :). Next, what sort of hosting are you using, ie, shared, VPS, or dedicated? The answer to that question will let us know whether & what sort of logs might be available for viewing in order to sort this out. Lastly, has this website stopped working or was it recently installed?

    Great support, right–all questions, no answers–but the answers will help us to formulate some suggestions to help.

    Thread Starter siritinga

    (@siritinga)

    6 years, 3 months ago

    @t-p, thank you for your answer. I have tried to disable all plugins (renaming the plugins directory) and did not solve anything. Regarding the theme, I don’t think I cannot access the WP dashboard (is it under wp-admin right?) so it is not possible to change it.

    @abletec, thank you for your kind words. I don’t think I could help anyone in WordPress, I seldom know about it, I just tried solutions I found around the internet.

    Regarding the system, my fault, I forgot to mention it. It is a Linux VPS running CentOS 6.8 and Apache 2.2.15. There are no more WP sites in the same VPS.

    One think I wanted to try is to install a fresh WP using the old wp-config.php file, just to check if it works but I’m worried that a fresh installation with the old tables may break or update something in the database. If you think it is safe, I could try.

    Thank you for your help.

    abletec

    (@abletec)

    6 years, 3 months ago

    Hello, again, siritinga. We all started out learning. We all still are. It’s just a mindset that makes a person a good forum volunteer, & you’ve got that.

    You did not answer my question as to whether this was a recent install or whether the website had simply stopped working. That would be an important consideration, as the causes may be very different given the 2 diverse scenarios. When dealing w/permissions, there are generally 2 types to be considered. The 1st is permissions for read/write/execute, & the 2nd is file ownership. Both have to be correct on a server in order for the install to work properly.

    In terms of read/write/execute permissions, generally the recommendation is 0644 for files & 0755 for directories. In terms of file ownership, the WordPress files need to be owned by the user & group associated w/the webserver. I believe in CentOS that user is called apache. Please therefore tell us who owns your WordPress files. Also, you should have some error logs. Do those contain any entries of note?

    Thread Starter siritinga

    (@siritinga)

    6 years, 3 months ago

    Sorry for the delay, it’s been some holidays here and I was talking to my friend about the issue. It seems that he did more things before the problem appeared.

    The VPS has a ngix proxy configured and a Apache server behind. The ngix originally had only HTTP and he added HTTPS to it. After that, he added a WordPress plugin to redirect every HTTP request to HTTPS.

    After that, there was a problem with the site being unavailable for any visitor, as there was some infinite redirection involved. To solve that, in wp-config.txt he added the following:

    define(‘WP_HOME’,’http://<url of the site>’);
    define(‘WP_SITEURL’,’http://<url of the site>’);
    $_SERVER[‘HTTPS’]=’on’;

    Adding those lines solved the redirection issue but then he noticed that the admin URLs were unavailable. He is not sure at which point the admin URL became unavailable (maybe it was before the last steps).

    The list of installed plugins (before I renamed the plugins directory to disable them) is:

    akismet
    autoptimize
    better-wp-security
    custom-404-error-page-unlimited-designs-colors-and-fonts
    easy-add-thumbnail
    really-simple-ssl-disabled
    shortcodes-ultimate
    simple-download-monitor
    ssl-insecure-content-fixer
    table-of-contents-plus
    wordpress-seo
    wp-encrypt
    wp-google-analytics
    wp-super-cache1
    yet-another-stars-rating

    I’m not sure if any of those plugins can modify WordPress itself, .htaccess or the database in a way that breaks the admin privileges. I already tried to update WordPress manually (overwriting or replacing the files as described in the manual upgrade page) and the .htaccess.

    I can access the logs in /var/log/httpd/domains but I don’t see anything suspicious.

    I also set the file permissions to 0644 and directories to 0755. Ownership is admin.admin, the same user/group of the www server.

    Is there anything else I can check?

    Thank you.

    abletec

    (@abletec)

    6 years, 3 months ago

    Hi, siritinga, this is getting a bit complicated, isn’t it :)? I’m not quite sure why I haven’t asked for the site url, but evidently I did not. Too many holidays, I guess, so my brain decided to take 1, too. But I am asking for it now.

    I am assuming you’ve got an SSL cert installed on your site? I would ask you to put a ; at the beginning of the lines in your wp-config.php file regarding your home & site url’s in order to comment these out. We should probably see your .htaccess file as well as any rewrite rules in place under Nginx.

    You can check whether your theme is the culprit by renaming the theme folder. It *will* break the homepage, but it might be interesting to see if you can log into the site w/the teme disabled. I’m also wondering if perhaps better wp security may have put something in the .htaccess file to redirect the login page? We really should see it. Please use to enclose it, ie,

    line 1
line 2
line 3

    This may ultimately be a problem that’s too complex to help with on this forum, ie, it may require someone perusing logs, configuration files, etc, to solve, &, if that be the case, there’s always http://jobs.wordpress.net where your friend can post a position in order to hire someone to help w/this. I’m not entirely sure we’ve reached that point yet, but we may be approaching it, depending on what your .htaccess file shows.

    I personally just run Nginx & PhpFM w/o Apache, but that’s just moi.

    Thread Starter siritinga

    (@siritinga)

    6 years, 3 months ago

    Dear Jackie, thank you for your help and patience. Certainly it’s getting complicated, I’ll tell my friend about the jobs page.

    I’ve commented out the WP_HOME and WP_SITEURL variables (no change).

    The site URL is https://cluedoenvivo.es , the internal links work fine, the problem is just the admin page.

    I’ve also tried to rename the theme-def directory (that’s the one being used) and as you said, the home page stopped working but I could not login in any case.

    I’m also including the .htaccess. It contains hundreds of banned IPs that I’ve removed from here (just the first one for you to see the format, I’ve removed the rest). I’ve checked that my own IP is not included there.

    I tried to turn off the RewriteEngine tags and I broke the site without being able to log in.

    Thank you!

    # BEGIN iThemes Security - No modifiques ni borres esta línea
# iThemes Security Config Details: 2
# Baneo de IP rápido. Se actualizará en el siguiente guardado de reglas normal.
SetEnvIF REMOTE_ADDR "^162\.158\.255\.9$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^162\.158\.255\.9$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^162\.158\.255\.9$" DenyAccess
<IfModule mod_authz_core.c>
	<RequireAll>
		Require all granted
		Require not env DenyAccess
		Require not ip 162.158.255.9
	</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
	Order allow,deny
	Deny from env=DenyAccess
	Deny from 162.158.255.9
	Allow from all
</IfModule>
# END iThemes Security - No modifiques ni borres esta línea

# BEGIN iThemes Security - No modifiques ni borres esta línea
# iThemes Security Config Details: 2
	# Activar la característica de lista negra de HackRepair.com - Seguridad > Ajustes > Usuarios baneados > Lista negra por defecto
	# Start HackRepair.com Blacklist
	RewriteEngine on
	# Start Abuse Agent Blocking
	RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*Indy" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*NEWT" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^$" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Maxthon$" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^SeaMonkey$" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Acunetix" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^binlar" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^BlackWidow" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Bolt 0" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^BOT for JCE" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Bot mailto\:craftbot@yahoo\.com" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^casper" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^checkprivacy" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^DIIbot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^DISCo" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^dotbot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Download Demon" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^eCatch" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^EirGrabber" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^EmailCollector" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^EmailSiphon" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^EmailWolf" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Express WebPictures" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^extract" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^ExtractorPro" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^EyeNetIE" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^feedfinder" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^FHscan" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^FlashGet" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^flicky" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^g00g1e" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^GetRight" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^GetWeb\!" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Go\!Zilla" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Go\-Ahead\-Got\-It" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^grab" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^GrabNet" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Grafula" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^harvest" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^HMView" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Image Stripper" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Image Sucker" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^InterGET" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Internet Ninja" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^InternetSeer\.com" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^jakarta" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Java" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^JetCar" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^JOC Web Spider" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^kanagawa" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^kmccrew" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^larbin" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^LeechFTP" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^libwww" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Mass Downloader" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^microsoft\.url" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^MIDown tool" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^miner" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Mister PiX" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^MSFrontPage" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Navroad" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^NearSite" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Net Vampire" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^NetAnts" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^NetSpider" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^NetZIP" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^nutch" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Octopus" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Offline Explorer" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Offline Navigator" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^PageGrabber" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Papa Foto" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^pavuk" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^pcBrowser" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^PeoplePal" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^planetwork" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^psbot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^purebot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^pycurl" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^RealDownload" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^ReGet" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Rippers 0" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^sitecheck\.internetseer\.com" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^SiteSnagger" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^skygrid" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^SmartDownload" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^sucker" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^SuperBot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^SuperHTTP" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Surfbot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^tAkeOut" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Teleport Pro" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Toata dragostea mea pentru diavola" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^turnit" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^vikspider" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^VoidEYE" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Web Image Collector" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebAuto" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebBandit" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebCopier" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebFetch" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebGo IS" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebLeacher" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebReaper" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebSauger" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Website eXtractor" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Website Quester" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebStripper" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebWhacker" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WebZIP" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Widow" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WPScan" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WWW\-Mechanize" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^WWWOFFLE" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Xaldon WebSpider" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^Zeus" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "^zmeu" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "360Spider" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "CazoodleBot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "discobot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "EasouSpider" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "ecxi" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "GT\:\:WWW" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "heritrix" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "HTTP\:\:Lite" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "HTTrack" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "ia_archiver" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "id\-search" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "IDBot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "IRLbot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "ISC Systems iRc Search 2\.1" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "LinksCrawler" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "LinksManager\.com_bot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "linkwalker" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "lwp\-trivial" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "MFC_Tear_Sample" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "Missigua Locator" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "MJ12bot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "panscient\.com" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "PECL\:\:HTTP" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "PHPCrawl" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "PleaseCrawl" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "SBIder" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "SearchmetricsBot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "SeznamBot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "Snoopy" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "Steeler" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "URI\:\:Fetch" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "urllib" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "Web Sucker" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "webalta" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "WebCollage" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "Wells Search II" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "WEP Search" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "XoviBot" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "YisouSpider" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "zermelo" [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} "ZyBorg" [NC,OR]
	# End Abuse Agent Blocking
	# Start Abuse HTTP Referrer Blocking
	RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?semalt\.com" [NC,OR]
	RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?kambasoft\.com" [NC,OR]
	RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?savetubevideo\.com" [NC]
	# End Abuse HTTP Referrer Blocking
	RewriteRule ^.* - [F,L]
	# End HackRepair.com Blacklist, http://pastebin.com/u/hackrepair
	# Banear servidores - Seguridad > Ajustes > Usuarios baneados
	SetEnvIF REMOTE_ADDR "^121\.205\.215\.117$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^121\.205\.215\.117$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^121\.205\.215\.117$" DenyAccess
	SetEnvIF REMOTE_ADDR "^151\.236\.36\.17$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^151\.236\.36\.17$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^151\.236\.36\.17$" DenyAccess
	SetEnvIF REMOTE_ADDR "^46\.24\.204\.28$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^46\.24\.204\.28$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^46\.24\.204\.28$" DenyAccess
	SetEnvIF REMOTE_ADDR "^5\.61\.39\.15$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^5\.61\.39\.15$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^5\.61\.39\.15$" DenyAccess
	SetEnvIF REMOTE_ADDR "^87\.219\.42\.42$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^87\.219\.42\.42$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^87\.219\.42\.42$" DenyAccess
	SetEnvIF REMOTE_ADDR "^88\.12\.34\.67$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^88\.12\.34\.67$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^88\.12\.34\.67$" DenyAccess
	SetEnvIF REMOTE_ADDR "^212\.159\.73\.13$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^212\.159\.73\.13$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^212\.159\.73\.13$" DenyAccess
	SetEnvIF REMOTE_ADDR "^195\.154\.199\.66$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^195\.154\.199\.66$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^195\.154\.199\.66$" DenyAccess
	SetEnvIF REMOTE_ADDR "^149\.202\.247\.172$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^149\.202\.247\.172$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^149\.202\.247\.172$" DenyAccess
	SetEnvIF REMOTE_ADDR "^46\.118\.127\.120$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^46\.118\.127\.120$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^46\.118\.127\.120$" DenyAccess
	SetEnvIF REMOTE_ADDR "^157\.55\.39\.198$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^157\.55\.39\.198$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^157\.55\.39\.198$" DenyAccess
	SetEnvIF REMOTE_ADDR "^84\.114\.116\.188$" DenyAccess
	SetEnvIF X-FORWARDED-FOR "^84\.114\.116\.188$" DenyAccess
	SetEnvIF X-CLUSTER-CLIENT-IP "^84\.114\.116\.188$" DenyAccess
	<IfModule mod_authz_core.c>
		<RequireAll>
			Require all granted
			Require not env DenyAccess
			Require not ip 121.205.215.117
			Require not ip 151.236.36.17
			Require not ip 46.24.204.28
			Require not ip 5.61.39.15
			Require not ip 87.219.42.42
			Require not ip 88.12.34.67
			Require not ip 212.159.73.13
			Require not ip 195.154.199.66
			Require not ip 149.202.247.172
			Require not ip 46.118.127.120
			Require not ip 157.55.39.198
			Require not ip 84.114.116.188
		</RequireAll>
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order allow,deny
		Allow from all
		Deny from env=DenyAccess
		Deny from 121.205.215.117
		Deny from 151.236.36.17
		Deny from 46.24.204.28
		Deny from 5.61.39.15
		Deny from 87.219.42.42
		Deny from 88.12.34.67
		Deny from 212.159.73.13
		Deny from 195.154.199.66
		Deny from 149.202.247.172
		Deny from 46.118.127.120
		Deny from 157.55.39.198
		Deny from 84.114.116.188
	</IfModule>
	# Proteger los archivos de sistema - Seguridad > Ajustes > Sistema de ajustes > Archivos de sistema
	<files .htaccess>
		<IfModule mod_authz_core.c>
			Require all denied
		</IfModule>
		<IfModule !mod_authz_core.c>
			Order allow,deny
			Deny from all
		</IfModule>
	</files>
	<files readme.html>
		<IfModule mod_authz_core.c>
			Require all denied
		</IfModule>
		<IfModule !mod_authz_core.c>
			Order allow,deny
			Deny from all
		</IfModule>
	</files>
	<files readme.txt>
		<IfModule mod_authz_core.c>
			Require all denied
		</IfModule>
		<IfModule !mod_authz_core.c>
			Order allow,deny
			Deny from all
		</IfModule>
	</files>
	<files wp-config.php>
		<IfModule mod_authz_core.c>
			Require all denied
		</IfModule>
		<IfModule !mod_authz_core.c>
			Order allow,deny
			Deny from all
		</IfModule>
	</files>
	# Desactivar navegación por directorio - Seguridad > Ajustes > Sistema de ajustes > Navegación por directorio
	Options -Indexes
	<IfModule mod_rewrite.c>
		RewriteEngine On
		# Proteger los archivos de sistema - Seguridad > Ajustes > Sistema de ajustes > Archivos de sistema
		RewriteRule ^wp-admin/install\.php$ - [F]
		RewriteRule ^wp-admin/includes/ - [F]
		RewriteRule !^wp-includes/ - [S=3]
		RewriteRule ^wp-includes/[^/]+\.php$ - [F]
		RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
		RewriteRule ^wp-includes/theme-compat/ - [F]
		# Deshabilitar PHP en Uploads - Seguridad > Ajustes > Ajustes del sistema > PHP en Uploads
		RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]
		# Inhabilitar PHP en los Plugins - Seguridad > Ajustes > Mejoras del sistema > PHP en Plugins
		RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]
		# Inhabilitar PHP en Temas - Seguridad > Ajustes > Mejoras del sistema > PHP en Temas
		RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]
		# Filtrar cadenas de consulta sospechosas en la URL - Seguridad > Ajustes > Ajustes del sistema > Cadenas de consulta sospechosas
		RewriteCond %{QUERY_STRING} \.\.\/ [OR]
		RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
		RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
		RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
		RewriteCond %{QUERY_STRING} ftp: [NC,OR]
		RewriteCond %{QUERY_STRING} https?: [NC,OR]
		RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
		RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
		RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
		RewriteCond %{QUERY_STRING} %24&x [NC,OR]
		RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
		RewriteCond %{QUERY_STRING} (globals|encode|localhost|loopback) [NC,OR]
		RewriteCond %{QUERY_STRING} (request|concat|insert|union|declare) [NC,OR]
		RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
		RewriteCond %{QUERY_STRING} !^loggedout=true
		RewriteCond %{QUERY_STRING} !^action=jetpack-sso
		RewriteCond %{QUERY_STRING} !^action=rp
		RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
		RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
		RewriteRule ^.* - [F]
	</IfModule>
# END iThemes Security - No modifiques ni borres esta línea
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
# Permanent redirections
Redirect 301 /juego_de_misterio_anos_20/ /juegos-de-misterio/the-last-shot/
Redirect 301 /producto/the-last-shot/ /juegos-de-misterio/the-last-shot/
Redirect 301 /contactenos/ /juegos-de-misterio/contacto/
Redirect 301 /cluedo-en-vivo-descargar/	/juegos-de-misterio/
Redirect 301 /categoria-producto/cluedo-en-vivo-para-descargar/ /juegos-de-misterio/
Redirect 301 /teambuilding-para-empresas/ /cluedo-para-teambuilding/
Redirect 301 /quienes-somos/mysterygames.es	/juegos-de-misterio/quienes-somos/
Redirect 301 /product-category/cluedo-en-vivo-para-descargar/ /juegos-de-misterio/
Redirect 301 /product/the-last-shot/ /juegos-de-misterio/the-last-shot/
Redirect 301 /teambuilding-para-empresas__trashed/ /cluedo-para-teambuilding/
Redirect 301 /anos-20/ /cluedo-para-descargar/
Redirect 301 /juegos-de-misterio/condiciones-generales/ /condiciones-generales/
Redirect 301 /juegos-de-misterio/feed/ /juegos-de-misterio/
Redirect 301 /quieres-un-cluedo-en-vivo/ /juegos-de-misterio/contacto/
Redirect 301 /product/the-last-shot/ /juegos-de-misterio/the-last-shot/
Redirect 301 /quienes-somos/ /juegos-de-misterio/quienes-somos/
    abletec

    (@abletec)

    6 years, 3 months ago

    Hello, again, siritinga. Here’s what let’s do.
    1) Please rename your .htaccess to htaccess, ie, w/o the initial period.
    2) Make a new .htaccess file w/just the following lines–you could actually copy/paste, provided you saved this in an ANSI format.
    # Begin WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    #End WordPress

    Save the file, please, & then try reaching your dashboard. Please report back. Your persistence in the face of this can only be called superheroic. I admire it. So I’m in it for the long haul also, unless or until it becomes clear to both of us that such a position is untenable.

    When I went to the /wp-admin address, I got a login screen in Spanish. I wouldn’t by any stretch of the imagination call my Spanish fluent (I’d be lying through my teeth if I did), but I do know enough to understand that I was in fact looking at a logon screen. So that part, at least, is working. But let’s try my suggestion of a barebones .htaccess file & see where that does or does not get us, ok?

    Thread Starter siritinga

    (@siritinga)

    6 years, 3 months ago

    Dear Jackie, thank you for your help.

    Yes, the wp-login page is in Spanish and it is the login page. I can login but then it says I don’t have permissions for the wp-admin/pages, with any user (not only the administrator).

    I’ve also tried your htaccess with no luck. The site seems to work fine but the wp-admin pages cannot be accessed.

    I don’t know much about this but it looks more and more like a database problem, as I’ve overwritten the installation with a fresh WordPress package (except the wp-config), I’ve removed the plugins and the .htaccess.

    I followed the instructions here https://role-editor.com/restore-lost-wordpress-admin-permissions/ to check administrator role and it is a:1:{s:13:”administrator”;b:1;} which seems to be correct. I haven’t checked the next section, “Restore default user roles”, as I don’t have a backup. I cannot think how it would be possible that the database has been altered but who knows…

    I’ve also checked that other wordpress in the same machine have different table prefixes (they do), and they work fine (so it’s not some global problem like PHP or http server configuration).

    Any other ideas I can try? 🙂

    Thanks a lot!

    abletec

    (@abletec)

    6 years, 3 months ago

    siritinga, there’s a couple things. First, let’s try disabling cache. I think you’ve already deactivated wp-supercache. Pleas check the wp-content folder for 2 files–advanced-cache.php & wp-content/wp-cache-config.php, &, if found, rename/remove them. Also, if there is an entry in your wp-config.php file defining caching, please remove it or comment it out. Now try seeing if you receive the permission errors.

    If that does not work, then would it be possible to disable Cloudflare? Sometimes their Rocketscript can break WordPress.

    Thread Starter siritinga

    (@siritinga)

    6 years, 2 months ago

    Dear Jackie, sorry for the delay in my answer.

    I’m glad to tell you that you found the problem! It was Cloudflare, somehow it broke WordPress admin pages as you said!

    I didn’t disable it (I’m not sure how I can) but I added the IP of the server to the hosts file to access it directly instead of via Cloudflare and it worked perfectly fine, also for my friend, so now he can access and manage it. He is the only one who access to server so probably he will leave it as it is now.

    A thousand thanks from both of us 😀

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘wp-admin files has no permissions’ is closed to new replies.

Tags