How to exception "wp-tinymce.php" with wordpress toolkit?

최지훈 · Apr 28, 2015

Hello

I'm using Wordpress Toolkit with Plesk 12 for Linux(OS : Ubuntu).
and i setting wordpress security option with "wp-includes".
but, these days, wordpress has a update 4.2.x.
and someone say to something wrong, and i check that.
and i found wordpress 4.2 using called like this
"http://www.aaa.com/wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=4107-20150118"
so i just want to prevent webshell attack and also allow access wp-tinymce.php file.
how to do? can you explain anything, please.(apache directive and something else)

Thanks
Alan

custer · Apr 28, 2015

I'm not sure if I understood you correctly, so I'd suggest you to do the following:

1. Disable "security of wp-includes".
2. Open WP instance and go to creation of a new post (opening existing post for editing will also work).
3. Enable "security of wp-includes" again.

Let me know if this solves the issue I think you're having.

Noturns · Apr 29, 2015

Hello guys,

Thanks this workaround worked fine for me because i had this same issue.
See topic http://talk.plesk.com/threads/visua...pgrade-to-wordpress-4-1-1.332890/#post-779315

@alan my apologizes for adding details to your topic

@custer
I wonder if this issue is caused when you use Wordpress Toolkit and press "Select all subscriptions" and apply Security measures to subscriptions that already have been secured in the past.

for example: I did noticed something unusual when i followed your steps 1-to-3 in Plesk12. When i have selected one subscription and Disabled "security of wp-includes" and would select a different subscription with the "Security tool". I would notice that the "wp-includes" folder would show an exclamation mark instead of an round green circle. Suggesting to me that i need to set it to enable. However the 'hint' field suggests "The WP-includes folder is secure on 1 Wordpress installations". So infact it should show an green circle suggesting that you do not have to apply changes to this wp-includes folder. This makes it very unclear wheather or not you would need to secure the wp-includes folder.

최지훈 · Apr 29, 2015

Hello

I have solution.

see this post : http://bobmckay.com/i-t-support-net...rror-and-not-working-since-4-2-plesk-hosting/

but, that is need to edit wp-config.php file.

Thanks
Alan

custer · Apr 30, 2015

Noturns said:
@custer
I wonder if this issue is caused when you use Wordpress Toolkit and press "Select all subscriptions" and apply Security measures to subscriptions that already have been secured in the past.

This issue was thought to be fixed in Plesk 12.0.18 MU#18, but it looks like it keeps appearing anyway, so we're taking a good look at it again. It is connected to script compression in PHP. Can you check if there are any JS issues when you open affected WordPress instance and don't see TinyMCE?

for example: I did noticed something unusual when i followed your steps 1-to-3 in Plesk12. When i have selected one subscription and Disabled "security of wp-includes" and would select a different subscription with the "Security tool". I would notice that the "wp-includes" folder would show an exclamation mark instead of an round green circle. Suggesting to me that i need to set it to enable. However the 'hint' field suggests "The WP-includes folder is secure on 1 Wordpress installations". So infact it should show an green circle suggesting that you do not have to apply changes to this wp-includes folder. This makes it very unclear wheather or not you would need to secure the wp-includes folder.

This looks like a usability issue - have you tried reproducing it on Plesk 12.1 demo at https://a93-91-167-251.ec.parallels-summit.com:8443/login_up.php3?login_name=admin&passwd=panel?

최지훈 · May 5, 2015

custer said:
This issue was thought to be fixed in Plesk 12.0.18 MU#18, but it looks like it keeps appearing anyway, so we're taking a good look at it again. It is connected to script compression in PHP. Can you check if there are any JS issues when you open affected WordPress instance and don't see TinyMCE?

This looks like a usability issue - have you tried reproducing it on Plesk 12.1 demo at https://a93-91-167-251.ec.parallels-summit.com:8443/login_up.php3?login_name=admin&passwd=panel?

=======================

Hello.

I tried to secure again wp-includes working fine in Plesk 12.0.18.
Thank you so much.

Thanks
Alan

Noturns · May 12, 2015

custer said:
This issue was thought to be fixed in Plesk 12.0.18 MU#18, but it looks like it keeps appearing anyway, so we're taking a good look at it again. It is connected to script compression in PHP. Can you check if there are any JS issues when you open affected WordPress instance and don't see TinyMCE?

Following your question, this was the only error that was logged on my server

Code:

[error] [client xx.xx.xxx.xx] client denied by server configuration: /var/www/vhosts/xxxxxxxxx.xxx/httpdocs/wp-includes/js/tinymce/wp-tinymce.php, referer: http://www.xxxxxxxxx.xxx/wp-admin/post.php?post=xx&action=edit

So far the issue has not reoccurred any more

custer · May 14, 2015

Update for you, guys: we have fixed this issue in Plesk 12.0.18 MU #46. Details are in release notes here: http://kb.odin.com/125492

We've also made sure that the fix is more foolproof than the last time, so the problem should not be recurring in the future (at least we hope so!)

Noturns · May 14, 2015

custer said:
We've also made sure that the fix is more foolproof

Yup, some of us are indeed fools

Many thanks for the update

custer · May 15, 2015

Yup, some of us are indeed fools

Not really

WordPress upgrade scripts sometimes work in a way that overrides some of our customizations, so we had to work around that.

Laurens_Meurs · May 19, 2015

Though we have "12.0.18 Update #46" installed, we still experienced problems with all WP installations that used "Security of the wp-includes folder".

For each install we rolled back "Security of the wp-includes folder" and reapplied it, now the visual editors appear again.

custer · May 20, 2015

The fix cannot repair WP instances that were already broken -- it prevents the issue from happening after you've installed it. The workaround you've applied is the way to go for already broken instances.

gmmed · Aug 5, 2015

Hello Forum,
I have Plesk Version 12.0.18 Update Nr. 57 installed, and the problem still exists.
The files wp-tinymce.php is blocked and the Wordpress Editor not work.

Jochen

custer · Aug 5, 2015

Hi gmmed,

Try rolling back "Security of the wp-includes folder" item and then reapplying it.

gmmed · Aug 6, 2015

Hello custer,
thanks for the fast answer.
I had already deactivated that option. After activation it again, the editor is still working now.
The file wp-tinymce.php is still blocked: "You do not have permission to access this document."
I dont know, if the editor is now in the cache...

UFHH01 · Aug 6, 2015

Hi gmmed,

you seem to have a permission(s) problem, which either result from false/broken directives ( php5-fpm? nginx? apache? .htaccess - file? ), or because of wrong folder permissions. Please investigate your services and directives and check, that the folder have the right permissions for the "right" users and groups. Please read as well the Wordpress guide ( http://codex.wordpress.org/Changing_File_Permissions#Permission_Scheme_for_WordPress )

How to exception "wp-tinymce.php" with wordpress toolkit?

최지훈

New Pleskian

Attachments

custer

Administrator

Noturns

Regular Pleskian

최지훈

New Pleskian

custer

Administrator

최지훈

New Pleskian

Noturns

Regular Pleskian

custer

Administrator

Noturns

Regular Pleskian

custer

Administrator

Laurens_Meurs

New Pleskian

custer

Administrator

gmmed

New Pleskian

custer

Administrator

gmmed

New Pleskian

UFHH01

Guest

Similar threads