• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

How to exception "wp-tinymce.php" with wordpress toolkit?

최지훈

New Pleskian
Hello

I'm using Wordpress Toolkit with Plesk 12 for Linux(OS : Ubuntu).
and i setting wordpress security option with "wp-includes".
but, these days, wordpress has a update 4.2.x.
and someone say to something wrong, and i check that.
and i found wordpress 4.2 using called like this
"http://www.aaa.com/wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=4107-20150118"
so i just want to prevent webshell attack and also allow access wp-tinymce.php file.
how to do? can you explain anything, please.(apache directive and something else)

Thanks
Alan
 

Attachments

  • 스크린샷 2015-04-28 오후 6.19.36.png
    스크린샷 2015-04-28 오후 6.19.36.png
    90.1 KB · Views: 8
I'm not sure if I understood you correctly, so I'd suggest you to do the following:

1. Disable "security of wp-includes".
2. Open WP instance and go to creation of a new post (opening existing post for editing will also work).
3. Enable "security of wp-includes" again.

Let me know if this solves the issue I think you're having.
 
Hello guys,

Thanks this workaround worked fine for me because i had this same issue.
See topic http://talk.plesk.com/threads/visua...pgrade-to-wordpress-4-1-1.332890/#post-779315

@alan my apologizes for adding details to your topic :)

@custer
I wonder if this issue is caused when you use Wordpress Toolkit and press "Select all subscriptions" and apply Security measures to subscriptions that already have been secured in the past.

for example: I did noticed something unusual when i followed your steps 1-to-3 in Plesk12. When i have selected one subscription and Disabled "security of wp-includes" and would select a different subscription with the "Security tool". I would notice that the "wp-includes" folder would show an exclamation mark instead of an round green circle. Suggesting to me that i need to set it to enable. However the 'hint' field suggests "The WP-includes folder is secure on 1 Wordpress installations". So infact it should show an green circle suggesting that you do not have to apply changes to this wp-includes folder. This makes it very unclear wheather or not you would need to secure the wp-includes folder.
 
Noturns said:
@custer
I wonder if this issue is caused when you use Wordpress Toolkit and press "Select all subscriptions" and apply Security measures to subscriptions that already have been secured in the past.

This issue was thought to be fixed in Plesk 12.0.18 MU#18, but it looks like it keeps appearing anyway, so we're taking a good look at it again. It is connected to script compression in PHP. Can you check if there are any JS issues when you open affected WordPress instance and don't see TinyMCE?

for example: I did noticed something unusual when i followed your steps 1-to-3 in Plesk12. When i have selected one subscription and Disabled "security of wp-includes" and would select a different subscription with the "Security tool". I would notice that the "wp-includes" folder would show an exclamation mark instead of an round green circle. Suggesting to me that i need to set it to enable. However the 'hint' field suggests "The WP-includes folder is secure on 1 Wordpress installations". So infact it should show an green circle suggesting that you do not have to apply changes to this wp-includes folder. This makes it very unclear wheather or not you would need to secure the wp-includes folder.

This looks like a usability issue - have you tried reproducing it on Plesk 12.1 demo at https://a93-91-167-251.ec.parallels-summit.com:8443/login_up.php3?login_name=admin&passwd=panel?
 
This issue was thought to be fixed in Plesk 12.0.18 MU#18, but it looks like it keeps appearing anyway, so we're taking a good look at it again. It is connected to script compression in PHP. Can you check if there are any JS issues when you open affected WordPress instance and don't see TinyMCE?



This looks like a usability issue - have you tried reproducing it on Plesk 12.1 demo at https://a93-91-167-251.ec.parallels-summit.com:8443/login_up.php3?login_name=admin&passwd=panel?

=======================

Hello.

I tried to secure again wp-includes working fine in Plesk 12.0.18.
Thank you so much.

Thanks
Alan
 
This issue was thought to be fixed in Plesk 12.0.18 MU#18, but it looks like it keeps appearing anyway, so we're taking a good look at it again. It is connected to script compression in PHP. Can you check if there are any JS issues when you open affected WordPress instance and don't see TinyMCE?

Following your question, this was the only error that was logged on my server

Code:
[error] [client xx.xx.xxx.xx] client denied by server configuration: /var/www/vhosts/xxxxxxxxx.xxx/httpdocs/wp-includes/js/tinymce/wp-tinymce.php, referer: http://www.xxxxxxxxx.xxx/wp-admin/post.php?post=xx&action=edit

So far the issue has not reoccurred any more
 
Update for you, guys: we have fixed this issue in Plesk 12.0.18 MU #46. Details are in release notes here: http://kb.odin.com/125492

We've also made sure that the fix is more foolproof than the last time, so the problem should not be recurring in the future (at least we hope so!)
 
Yup, some of us are indeed fools :)

Not really ;) WordPress upgrade scripts sometimes work in a way that overrides some of our customizations, so we had to work around that.
 
Though we have "12.0.18 Update #46" installed, we still experienced problems with all WP installations that used "Security of the wp-includes folder".

For each install we rolled back "Security of the wp-includes folder" and reapplied it, now the visual editors appear again.
 
The fix cannot repair WP instances that were already broken -- it prevents the issue from happening after you've installed it. The workaround you've applied is the way to go for already broken instances.
 
Hello Forum,
I have Plesk Version 12.0.18 Update Nr. 57 installed, and the problem still exists.
The files wp-tinymce.php is blocked and the Wordpress Editor not work.

Jochen
 
Hi gmmed,

Try rolling back "Security of the wp-includes folder" item and then reapplying it.
 
Hello custer,
thanks for the fast answer.
I had already deactivated that option. After activation it again, the editor is still working now.
The file wp-tinymce.php is still blocked: "You do not have permission to access this document."
I dont know, if the editor is now in the cache...
 
Back
Top