BackuPs

@petrichorpost that you can edit not active themes is normal. The code only checks if the php file you are editing is from a active theme. The php files from any theme that is not active can be edited without any issues. From any plugin or theme that is active it is impossible to edit any php file.

@clorith… does this plugin auto update? I still see the same version 0.60 in my admin area as i had before. Anyway on the loopback i got this.

The loopback request returned an unexpected status code, 403, this may affect tools such as WP_Cron, or theme and plugin editors.

So now the question is: What is causing that on my server?

I tried these. But they did not work https://www.danhendricks.com/2017/01/wordpress-error-http-loopback-connections-disabled/

• This reply was modified 8 years, 5 months ago by BackuPs.

@padraigbeirne does not work for me. editing by notepad++ does not help resolving the issue.

@genealogydotie @clorith I was not trying to solicit for a job or whatever. I was just trying to be friendly and help him out for free and guide him through the process of editing. Anyway it wont happen again.

@clorith

turning session.auto_start ON or OFF does not change anything i keep on having the issue that i cant edit any files from a active theme or plugin.

please advice

@winock you dont have to replace it with the old files from 4.8.3. Just open wp-admin/includes/file.php and delete lines 491-598 in that file. You then can at least edit the files again. I know it is less secure, but you can work from the editor. It is almost the same as restoring the 2 files from wp 4.8.3 🙂

Remove this complete code block

	if ( $is_active && 'php' === $extension ) {

		$scrape_key = md5( rand() );
		$transient = 'scrape_key_' . $scrape_key;
		$scrape_nonce = strval( rand() );
		set_transient( $transient, $scrape_nonce, 60 ); // It shouldn't take more than 60 seconds to make the two loopback requests.

		$cookies = wp_unslash( $_COOKIE );
		$scrape_params = array(
			'wp_scrape_key' => $scrape_key,
			'wp_scrape_nonce' => $scrape_nonce,
		);
		$headers = array(
			'Cache-Control' => 'no-cache',
		);

		// Include Basic auth in loopback requests.
		if ( isset( $_SERVER['PHP_AUTH_USER'] ) && isset( $_SERVER['PHP_AUTH_PW'] ) ) {
			$headers['Authorization'] = 'Basic ' . base64_encode( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) . ':' . wp_unslash( $_SERVER['PHP_AUTH_PW'] ) );
		}

		// Make sure PHP process doesn't die before loopback requests complete.
		@set_time_limit( 300 );

		// Time to wait for loopback requests to finish.
		$timeout = 100;

		$needle_start = "###### wp_scraping_result_start:$scrape_key ######";
		$needle_end = "###### wp_scraping_result_end:$scrape_key ######";

		// Attempt loopback request to editor to see if user just whitescreened themselves.
		if ( $plugin ) {
			$url = add_query_arg( compact( 'plugin', 'file' ), admin_url( 'plugin-editor.php' ) );
		} elseif ( isset( $stylesheet ) ) {
			$url = add_query_arg(
				array(
					'theme' => $stylesheet,
					'file' => $file,
				),
				admin_url( 'theme-editor.php' )
			);
		} else {
			$url = admin_url();
		}
		$url = add_query_arg( $scrape_params, $url );
		$r = wp_remote_get( $url, compact( 'cookies', 'headers', 'timeout' ) );
		$body = wp_remote_retrieve_body( $r );
		$scrape_result_position = strpos( $body, $needle_start );

		$loopback_request_failure = array(
			'code' => 'loopback_request_failed',
			'message' => __( 'Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.' ),
		);
		$json_parse_failure = array(
			'code' => 'json_parse_error',
		);

		$result = null;
		if ( false === $scrape_result_position ) {
			$result = $loopback_request_failure;
		} else {
			$error_output = substr( $body, $scrape_result_position + strlen( $needle_start ) );
			$error_output = substr( $error_output, 0, strpos( $error_output, $needle_end ) );
			$result = json_decode( trim( $error_output ), true );
			if ( empty( $result ) ) {
				$result = $json_parse_failure;
			}
		}

		// Try making request to homepage as well to see if visitors have been whitescreened.
		if ( true === $result ) {
			$url = home_url( '/' );
			$url = add_query_arg( $scrape_params, $url );
			$r = wp_remote_get( $url, compact( 'cookies', 'headers', 'timeout' ) );
			$body = wp_remote_retrieve_body( $r );
			$scrape_result_position = strpos( $body, $needle_start );

			if ( false === $scrape_result_position ) {
				$result = $loopback_request_failure;
			} else {
				$error_output = substr( $body, $scrape_result_position + strlen( $needle_start ) );
				$error_output = substr( $error_output, 0, strpos( $error_output, $needle_end ) );
				$result = json_decode( trim( $error_output ), true );
				if ( empty( $result ) ) {
					$result = $json_parse_failure;
				}
			}
		}

		delete_transient( $transient );

		if ( true !== $result ) {

			// Roll-back file change.
			file_put_contents( $real_file, $previous_content );
			if ( function_exists( 'opcache_invalidate' ) ) {
				opcache_invalidate( $real_file, true );
			}

			if ( ! isset( $result['message'] ) ) {
				$message = __( 'An unidentified error has occurred.' );
			} else {
				$message = $result['message'];
				unset( $result['message'] );
			}
			return new WP_Error( 'php_error', $message, $result );
		}
	}

@debresser where is your website located? What hosting company? Hostgators, BlueHost, GoDaddy? Which company do you pay for the website to serve it on the internet?

Update: you already answered the question by editing your reply. Thank you !

But this http://www.doviddebresser.info/ does not look that it is a wordpress website. 🙁

@clorith @padraigbeirne You are so right… it is indeed the active theme or when a child theme is active i cant edit the child theme and parent theme.

If i activate the parent theme i can edit the child theme. If i activate the child theme i cant edit the parent and the child theme.

BUT I can edit any theme that is not active.

Thanks for the hint.

Update: if i look at the code in the file.php they are actually checking if it is active and if so do the so called checks for security stuff…