I am new to blogging and WordPress and although my blog page came up, when I try to login to my admin panel, it give me a message that I do not have permission to access this area. So I have a blog, but no way to do anything with it.
Also, as of this morning, I cannot even pull up my blog. It says the webpage does not exist. This is not an easy site to navigate. I almost never found my way to this forum site and had to re-register to even get to this point where I can post on the forum.
Can anyone tell me how to get into my admin panel?
I am also getting this on a new blog. Any suggestions? Settings -> Writing work fine. Settings -> Reading give a 403 error; “You don’t have permission to access /wp-admin/options.php on this server.” All else seems to work fine.
I’ve gotten this error on one of my sites before as well, except for the “Writing” option instead of the Reading. I never found a solution and just tossed it up to weird luck.
Make sure that your wp-admin/options.php (or whatever the file is) is owned by you/(your username) (chmod) and that the permissions on it are set to 644
I encountered the same problem, using WP 2.6.2, upgrading the install from 2.0.x. As with the above comments, the 403 error only presented itself when I tried to change options under a single header (‘Reading’, for me).
Permissions on all my files under /wp-admin/*.php were set to 644 to begin with. Just to make sure, I set permissions to 777 but this had no effect and the error remained.
After some Googling and translating from other languages, on a whim I inserted this into my .htaccess file at the root of my website:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
and this seemed to fix the problem. I don’t know enough about module security to know if this is a good/bad thing, or really what it’s fixing, so I would love it if somebody could illuminate us all here.
I don’t know enough about module security to know if this is a good/bad thing, or really what it’s fixing, so I would love it if somebody could illuminate us all here.
you can google mod_security to learn what it is, and what it does.
In a nutshell:
Web services are vulnerable to several attacks. These attacks can lead to information leakage and further aid in remote command execution. By using WSDL an attacker can determine an access point and available interfaces for web services. These interfaces or methods take inputs using SOAP over HTTP/HTTPS. If these inputs are not defended well at the source code level, they can be compromised and exploited. ModSecurity operates as an Apache Web server module, ideal for defending web services against attacks that also include malicious /POST variable/content.
You dont cause any security issues by disabling it (which you have done), but you have a little more protection while you are using it.
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Cheers m8.. that did the magic for me too..
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
WORKS!!!!!!!
If you don’t want to turn off mod_security altogether, you can turn off the global rule that forbids directory listings. mod_security considers that to be “information give-away”. I had the same problem with access upon logging in to the WordPress admin page, and the following was reported in the mod_security audit log:
Message: Access denied with code 403 (phase 4). Pattern match “(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]>
)” at RESPONSE_BODY. [file “/usr/local/apache2/conf/modsecurity/modsecurity_crs_50_outbound.conf”] [line “54”] [id “970013”] [msg “Directory Listing”] [severity “WARNING”] [tag “LEAKAGE/INFO”]
Sure enough, on line 54 of one of the rulesets, this is preventing access to the directory listing:
52 # Directory Listing
53 #SecRule RESPONSE_BODY “(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]>
)” \
54 # “phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:’Directory Listing’,id:’970013′,tag:’LEAKAGE/INFO’,severity:’4′”
As you can see, I just commented out that one rule. Then I re-started Apache. No access errors.
In my case setting permissions to 770 worked
Hi
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Thanks this worked for me also
Running with 2.7.1 here …
I tried adding this to the .htaccess file at the root of my site:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
That caused my main page to no longer display, so I removed the four lines.
Next I tried changing the mode on /wp-admin/options.php to 774, but that didn’t cure the 403 error when trying to change general options.
From options-general.php, all in the world I’m trying to do is change my stupid timezone from UTC-4 to UTC-6. When I make the option change then click “Save Changes”, I get the frustrating “Error 403. Forbidden.” with /wp-admin/options.php as the URL. Very frustrating!
Is there some way to go in with phpMyAdmin and diddle some bits in the database to switch the timezone?
I’m having the same problem and getting the same results as dcs0582…sheesh! Sorry Moshu <http://wordpress.org/support/topic/207044?replies=2> but, we have not found the answer!
