Security.conf & Wordpress.conf is blocking access to WP backend!

Issue #103

Information

Details

*6523 access forbidden by rule
*6586 access forbidden by rule
*5 access forbidden by rule
*1 access forbidden by rule

Description

# security headers
add_header X-Frame-Options           "SAMEORIGIN" always;
add_header X-XSS-Protection          "1; mode=block" always;
add_header X-Content-Type-Options    "nosniff" always;
add_header Referrer-Policy           "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy   "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# . files
location ~ /\.(?!well-known) {
    deny all;
}

This is blocking access to the WP backend. When commenting out security.conf from the site's .conf, it started working.

Steps to reproduce

Create a new conf as above!

Expected behavior

To work and not block?

Screenshots

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 11 (4 by maintainers)

Top GitHub Comments

2 reactions
MattIPv4 commented, Oct 16, 2020
# WordPress: deny scripts and styles concat
location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
    deny all;
}

I’m guessing this is the rule at fault then – if you comment out just that rule, do things function as expected? (These rules pre-date me maintaining this project, but will dig through the history to figure out when/why this was added)

1 reaction
MattIPv4 commented, Oct 19, 2020

Looks like this rule was originally added in https://github.com/digitalocean/nginxconfig.io/commit/62bd8f3e6be3d24d017f5d13365588717c7a4439

Researching the CVE, it seems this isn’t really a suggested fix for the issue, so I think the best solution may just be to remove this rule from the config completely.
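To confirm which of the quoted regex locations is producing the "access forbidden by rule" 403s, the following is an added Python check (not code from the nginxconfig.io project or this thread) that replays nginx's regex-location matching, in file order and against the URI without its query string, over a constructed sample of WordPress admin requests. It assumes no exact or ^~ prefix location short-circuits the regex pass, and it shows what the audit looks like once the load-scripts/styles rule is dropped, as the maintainer decided.

```python
import re
from typing import NamedTuple, Optional

class RegexLocation(NamedTuple):
    name: str
    pattern: str
    case_insensitive: bool  # nginx "~*" vs "~"

# Regex location rules copied from the snippets quoted in this thread; each one
# wraps "deny all", which is what logs "access forbidden by rule" and returns 403.
RULES = [
    RegexLocation("dotfiles", r"/\.(?!well-known)", False),
    RegexLocation("wp-admin load-scripts/styles concat",
                  r"\/wp-admin\/load-(?:scripts|styles)\.php", True),
]

def first_denying_rule(uri: str, rules=RULES) -> Optional[str]:
    """Name of the first regex location nginx would select for this URI, or None."""
    path = uri.split("?", 1)[0]  # nginx matches locations against the URI, not the query string
    for rule in rules:
        flags = re.IGNORECASE if rule.case_insensitive else 0
        if re.search(rule.pattern, path, flags):
            return rule.name
    return None

def audit(uris, rules=RULES) -> dict:
    """Map each URI to the rule that denies it (None means the request reaches WordPress)."""
    return {u: first_denying_rule(u, rules) for u in uris}

def without_rule(rules, name):
    """Rule set with one location removed, i.e. the fix the maintainer settled on."""
    return [r for r in rules if r.name != name]

# Constructed sample of requests a normal wp-admin session issues.
SAMPLE = [
    "/wp-login.php",
    "/wp-admin/",
    "/wp-admin/load-scripts.php?c=0&load[]=jquery-core,jquery-migrate&ver=5.5.1",
    "/wp-admin/load-styles.php?c=1&load[]=dashicons,admin-bar&ver=5.5.1",
    "/.env",
    "/.well-known/acme-challenge/token",
]

if __name__ == "__main__":
    fixed = without_rule(RULES, "wp-admin load-scripts/styles concat")
    for label, rules in (("current config", RULES), ("rule removed", fixed)):
        print(f"== {label} ==")
        for uri, rule in audit(SAMPLE, rules).items():
            print(f"  {'403' if rule else 'ok '}  {uri}" + (f"  <- {rule}" if rule else ""))
```

The dotfile rule never touches wp-admin paths, while the concat rule denies the script and stylesheet bundles every admin page loads, which is why the backend breaks only while that one location is present.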
