lucvdbos
Forum Replies Created
Thanks Eric!
It took several days to find the solution, I would never have thought the mod_authz_core.c could be the problem!
The SOLUTION:
https://wordpress.org/support/topic/editor-tinymce-disabled-after-hardening-wp-includes?replies=14
Credits to Eric McNiece
Couple of hours of hunting here… it’s the mod_authz_core.c module in the /wp-includes/.htaccess file. My dev server (Site5) doesn’t have this module, and the production GoDaddy box does, and it causes wp-tinymce.php and its compiled scripts to be denied.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

How I figured this out:
I created a test file at webroot (same directory as wp-config.php) named test.php and populated it with this:

<?php print_r($_REQUEST); ?>

Then I edited the webroot .htaccess file and added this to the very top:

<IfModule mod_authz_core.c>
    RewriteCond %{REQUEST_URI} test.php
    RewriteRule .* test.php?authz=getbent [L]
</IfModule>

So if the server does have mod_authz_core.c installed, visiting /test.php will dump out an extra GET variable. The dev box that doesn’t have this module prints the following (shortened up a bit):

Array
(
    [_ga] => GA1.2.1458764591.1437866529
    [wordpress_test_cookie] => WP Cookie check
    [wordpress_logged_in_d5eb8073a5244643c7eb647ae837bc24] => user|1234567890|j39f203j9j|2j03f
    [wp-settings-1] => editor=html&libraryContent=browse&hidetb=1&wplink=0
    [wp-settings-time-1] => 1446786369
    [PHPSESSID] => f3j829
)

… and the same setup on the GoDaddy server prints this:

Array
(
    [authz] => getbent
    [PHPSESSID] => mnalfnli
    [_ga] => GA123fj3f9.232f.f
    [wordpress_test_cookie] => WP Cookie check
    [wordpress_logged_in_ab293761296bd4] => user|1234567890|j390f2j39|fa3m9j3j9pa
    [wp-settings-1] => editor=html&libraryContent=browse&hidetb=1&wplink=0
    [wp-settings-time-1] => 1446790629
)

You can confirm this yourself by simply modifying the /wp-includes/.htaccess file and commenting the module lines:

<FilesMatch "\.(?i:php)$">
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
    # <IfModule mod_authz_core.c>
    #     Require all denied
    # </IfModule>
</FilesMatch>
<Files wp-tinymce.php>
    Allow from all
</Files>
<Files ms-files.php>
    Allow from all
</Files>

Commenting these lines will permit the tinyMCE scripts. A potential solution would be to remove the mod_authz_core.c test and just stick with the good ol’ Order allow,deny directive, like so:

<FilesMatch "\.(?i:php)$">
    Order allow,deny
    Deny from all
</FilesMatch>
<Files wp-tinymce.php>
    Allow from all
</Files>
<Files ms-files.php>
    Allow from all
</Files>

… but since this is a plugin-inserted file, we don’t have much control over what is generated. The only lasting solution I have right now is to disable the wp-includes protection. This is probably a good issue for investigation by Sucuri.
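Added example, not part of the original posts and not the plugin's generated file: a variant of the /wp-includes/.htaccess that keeps the deny rule for both server generations and writes the two exceptions in both access-control syntaxes. It relies on the fact that where mod_authz_core.c is loaded, `Require all denied` is not lifted by a legacy `Allow from all` line, so each exception needs its own `Require all granted`.

```apache
# Added example: block direct requests to PHP files in wp-includes,
# with explicit exceptions written for both access-control syntaxes.

<FilesMatch "\.(?i:php)$">
    <IfModule !mod_authz_core.c>
        # Server without mod_authz_core: legacy syntax
        Order allow,deny
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        # Server with mod_authz_core: Require syntax
        Require all denied
    </IfModule>
</FilesMatch>

# Exceptions. Each <Files> block comes after the <FilesMatch> block and
# answers it in the same syntax the deny rule used on that server.
<Files wp-tinymce.php>
    <IfModule !mod_authz_core.c>
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        # Replaces the inherited "Require all denied" for this file only
        Require all granted
    </IfModule>
</Files>

<Files ms-files.php>
    <IfModule !mod_authz_core.c>
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>
```

Because this file is inserted by the plugin, a manual edit like this can be overwritten when the hardening option is applied again.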
Now I know it’s from the htaccess in the wp-content directory.
I use SSL on my site.
The server log says: AH01630: client denied by server configuration: /home/deroos1/domains/*.nl/private_html/wp-includes/ms-files.php, referer: https://*.nl/bed-en-breakfast/
My private_html goes directly to the public dir, so that’s not the problem.
But when I remove the .htaccess from the wp-content directory all the images are visible again.
How do I have to rewrite the htaccess to get access to the images?

Current .htaccess:

<FilesMatch "\.(?i:php)$">
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>
<Files wp-tinymce.php>
    Allow from all
</Files>
<Files ms-files.php>
    Allow from all
</Files>

Forum: Plugins
In reply to: Lightbox with facebook/instagram layout?

I’m looking for the same!