• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved Elementor blocked by Toolkit security

R

ralph22

New Pleskian
Server operating system version
Cent OS 7
Plesk version and microupdate number
Version 18.0.47 Update #5
Hello,
It seems that the default security settings block the Elementor "stuff" from loading. I've setup a new website and install just a handful of plugins.
The Elementor editor window was not able to show the UI, as most of it's internal files were blocked by one of the security setting (502 errors on the Network tab).
I've tried revoking some of the settings but was not able to get the editor to show up.
I've ended up removing the installation and install WordPress manually, with plugins installed the old way via Plugins section of the Dash.
All seem to work fine and I haven't touch the Security settings on the site so I believe something is not setup correctly in the default profile - it is not normal to block scripts from plugins folders.
 
I never encountered any issues with the use of Elementor while using the WPT. That's not to say I am dismissive of you issue. However I suspect other issues might be at play here. 502 is an nginx error caused by an upstream problem, likely with Apache. Did you have a look a the domains error logs?

My first suspect would be the Web Application Firewall. Do you have it enabled for your domain?
 
Last edited:
Yeah, that's caused by Web Application Firewall (ModSecurity), however, the error code should not be 502, but 403. It is thinkable that the 502 results from an URL rewrite out of the 403 situation, but the rewrite target does not exist or does not deliver output.

When you check your error_log you'll find an entry similar to this:
Code: 
[client <IP Adresse>] ModSecurity: [file /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "258"] [id "33350147"] [rev "143"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potentially Untrusted Web Content Detected"] [data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ((?:submit(?:\\\\+| )?(request)?(?:\\\\+| )?>+|<<(?:\\\\+| )remove|(?:sign ?in|log ?(?:in|out)|next|modifier|envoyer|add|continue|weiter|account|results|select)?(?:\\\\+| )?>+)$|^< ?\\\\??(?: |\\\\+)?xml|^<samlp|^>> ?$)" against "ARGS:actions" required. [hostname "<Domain>"] [uri "/wp-admin/admin-ajax.php"] [unique_id "YGd3IS-RaDMGEBt0BJbDcABAAAn"], referer: https:// <Domain>/wp-
admin/post.php?post=24&action=elementor
In that entry watch out for the [id ... ] bracket. It gives a number. In the example above it is [id "33350147"]. You can exclude that ModSecurity rule by adding it to the exlusion list in the "Web Application Firewall" settings in your Plesk.
 
Error 502 means that a script from your website is unresponsive. It may be caught in an infinite loop or it may wait on external resources to deliver input (which never comes).

A Wordpress installation done through Plesk is a default WP. It is unthinkable that this causes a 502 error. It is much more likely that rewrite rules in your .htaccess file are causing this. Have you checked your .htaccess file for such rules? Are you using security plugins like Wordfence?

Also, Elementor is definitely known for the 403 issue when saving/editing content. Just to rule that one out, I suggest to also disable "Web Application Firewall" while still testing.
 
ralph22 said:
I'd like to repeat I don't have any issues with the site installed manually, only happens when created via the toolkit
Click to expand...
That's interesting. But good to hear you've got your website running now :)

Since you've got it running without the WTP there is no point in troubleshooting the issue further I think? But let me know if you like to dig a little deeper. In general I would say that Elementor and WTP go very well together. But, as is often the case with any type of software, there can always be the odd exception.

The Got bogus version 115 error can be safely ignored. It's caused by an Apache bug, which has no further consequences.
 
Last edited:
Thank you. I've setup another blank WP site with the same plugins and using the Toolkit but this time all is working no problem so not sure what happened with the original one.
We can close down the enquiry. If I come across it again, I'll make sure to check all of the above
 
You must log in or register to reply here.

Similar threads

G
Resolved WP Toolkit setup new password for admin haystack (language) error
Replies
1
Views
634
gmu-jerdj
G
G
Question How to set defaults for WP Toolkit "Updates Settings"
Replies
11
Views
4K
custer
custer
U
WordPress not found
Replies
6
Views
830
LeDuyNhat
LeDuyNhat
A
Resolved WP Toolkit: Live site cloned, clones using plugins folder of original site
Replies
5
Views
1K
ArmReu
A
michaeljoseph01
Question Imunify360 or fail2ban PLEASE give me your input
Replies
6
Views
2K
The 8th
The 8th
Back
Top