
How to exception "wp-tinymce.php" with wordpress toolkit?

최지훈

New Pleskian
Hello

I'm using WordPress Toolkit with Plesk 12 for Linux (OS: Ubuntu),
and I have set the WordPress security option for "wp-includes".
But these days, WordPress has an update, 4.2.x.
Someone said something was wrong, and I checked it.
I found that WordPress 4.2 makes a call like this:
"http://www.aaa.com/wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=4107-20150118"
So I just want to prevent webshell attacks and also allow access to the wp-tinymce.php file.
How do I do this? Can you explain, please? (Apache directive and something else)

Thanks
Alan
 

Attachments

  • 스크린샷 2015-04-28 오후 6.19.36.png
I'm not sure if I understood you correctly, so I'd suggest you do the following:

1. Disable "security of wp-includes".
2. Open WP instance and go to creation of a new post (opening existing post for editing will also work).
3. Enable "security of wp-includes" again.

Let me know if this solves the issue I think you're having.
 
Hello guys,

Thanks, this workaround worked fine for me, because I had this same issue.
See topic http://talk.plesk.com/threads/visua...pgrade-to-wordpress-4-1-1.332890/#post-779315

@alan my apologies for adding details to your topic :)

@custer
I wonder if this issue is caused when you use Wordpress Toolkit and press "Select all subscriptions" and apply Security measures to subscriptions that already have been secured in the past.

For example: I did notice something unusual when I followed your steps 1 to 3 in Plesk 12. When I had selected one subscription and disabled "security of wp-includes" and then selected a different subscription with the "Security tool", I would notice that the "wp-includes" folder would show an exclamation mark instead of a round green circle, suggesting to me that I need to set it to enable. However, the 'hint' field suggests "The WP-includes folder is secure on 1 Wordpress installations". So in fact it should show a green circle, suggesting that you do not have to apply changes to this wp-includes folder. This makes it very unclear whether or not you would need to secure the wp-includes folder.
 
Noturns said:
@custer
I wonder if this issue is caused when you use Wordpress Toolkit and press "Select all subscriptions" and apply Security measures to subscriptions that already have been secured in the past.

This issue was thought to be fixed in Plesk 12.0.18 MU#18, but it looks like it keeps appearing anyway, so we're taking a good look at it again. It is connected to script compression in PHP. Can you check if there are any JS issues when you open affected WordPress instance and don't see TinyMCE?

For example: I did notice something unusual when I followed your steps 1 to 3 in Plesk 12. When I had selected one subscription and disabled "security of wp-includes" and then selected a different subscription with the "Security tool", I would notice that the "wp-includes" folder would show an exclamation mark instead of a round green circle, suggesting to me that I need to set it to enable. However, the 'hint' field suggests "The WP-includes folder is secure on 1 Wordpress installations". So in fact it should show a green circle, suggesting that you do not have to apply changes to this wp-includes folder. This makes it very unclear whether or not you would need to secure the wp-includes folder.

This looks like a usability issue - have you tried reproducing it on Plesk 12.1 demo at https://a93-91-167-251.ec.parallels-summit.com:8443/login_up.php3?login_name=admin&passwd=panel?
 
This issue was thought to be fixed in Plesk 12.0.18 MU#18, but it looks like it keeps appearing anyway, so we're taking a good look at it again. It is connected to script compression in PHP. Can you check if there are any JS issues when you open affected WordPress instance and don't see TinyMCE?



This looks like a usability issue - have you tried reproducing it on Plesk 12.1 demo at https://a93-91-167-251.ec.parallels-summit.com:8443/login_up.php3?login_name=admin&passwd=panel?

=======================

Hello.

I tried securing wp-includes again, and it is working fine in Plesk 12.0.18.
Thank you so much.

Thanks
Alan
 
This issue was thought to be fixed in Plesk 12.0.18 MU#18, but it looks like it keeps appearing anyway, so we're taking a good look at it again. It is connected to script compression in PHP. Can you check if there are any JS issues when you open affected WordPress instance and don't see TinyMCE?

Following your question, this was the only error that was logged on my server

Code:
[error] [client xx.xx.xxx.xx] client denied by server configuration: /var/www/vhosts/xxxxxxxxx.xxx/httpdocs/wp-includes/js/tinymce/wp-tinymce.php, referer: http://www.xxxxxxxxx.xxx/wp-admin/post.php?post=xx&action=edit

So far the issue has not reoccurred any more
 
Update for you, guys: we have fixed this issue in Plesk 12.0.18 MU #46. Details are in release notes here: http://kb.odin.com/125492

We've also made sure that the fix is more foolproof than the last time, so the problem should not be recurring in the future (at least we hope so!)
 
Yup, some of us are indeed fools :)

Not really ;) WordPress upgrade scripts sometimes work in a way that overrides some of our customizations, so we had to work around that.
 
Though we have "12.0.18 Update #46" installed, we still experienced problems with all WP installations that used "Security of the wp-includes folder".

For each install we rolled back "Security of the wp-includes folder" and reapplied it, now the visual editors appear again.
 
The fix cannot repair WP instances that were already broken -- it prevents the issue from happening after you've installed it. The workaround you've applied is the way to go for already broken instances.
 
Hello Forum,
I have Plesk Version 12.0.18 Update Nr. 57 installed, and the problem still exists.
The file wp-tinymce.php is blocked and the WordPress editor does not work.

Jochen
 
Hi gmmed,

Try rolling back "Security of the wp-includes folder" item and then reapplying it.
 
Hello custer,
thanks for the fast answer.
I had already deactivated that option. After activating it again, the editor is still working now.
The file wp-tinymce.php is still blocked: "You do not have permission to access this document."
I don't know if the editor is now in the cache...
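
For the Apache directive asked about in the first post, an added example that is not from any poster in this thread and is not the configuration Plesk generates: a blanket deny on PHP under wp-includes, with a single exception for the TinyMCE loader. It assumes Apache 2.4 syntax; the docroot path is a placeholder.

```apache
# Added example. Placeholder docroot: replace with the real vhost path.
# Apache 2.4 syntax (Require); Apache 2.2 uses Order/Deny/Allow instead.

# Blanket rule: no PHP file under wp-includes may be requested directly.
# On its own this also blocks the editor loader, which produces the
# "client denied by server configuration" error quoted in the thread.
<Directory "/var/www/vhosts/example.com/httpdocs/wp-includes">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>

# Narrow exception: only wp-tinymce.php, and only in js/tinymce.
# The deeper <Directory> is merged after its parent, so this <Files>
# section is evaluated after the FilesMatch above and overrides it
# for this one file. Every other .php under wp-includes stays denied.
<Directory "/var/www/vhosts/example.com/httpdocs/wp-includes/js/tinymce">
    <Files "wp-tinymce.php">
        Require all granted
    </Files>
</Directory>
```

After reloading Apache, a request for wp-includes/js/tinymce/wp-tinymce.php should return 200, while any other .php path under wp-includes should still return 403.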
 