You don't have permission to access /wp/wp-admin/admin.php

When trying to change the "local or remote" options under WPPA+ plugin settings I get the error, "You don't have permission to access /wp/wp-admin/admin.php on this server." I have tried editing the  .htaccess file like suggested in another related forum post, but I understand you have to restart Apache.  I have admin privileges in Cpanel, but I can't find an option to restart Apache.
I have submitted a ticket to support to enable SSH.

I can change any other settings in Worpress admin and I can even enter /wp/wp-admin/admin.php into the browser address bar and the page comes up--just not when called from changing that setting.
LVL 1
Jeff swicegoodTechnicianAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jeff swicegoodTechnicianAuthor Commented:
This is what they replied.

Hello Jeff,
 This account was a dedicated server but was switched to basic shared hosting. You do have access to the files through the file manager in the control panel or through sftp using a client like WinScp. Ssh access would be an additional charge that the account owner would have to initiate.

 Please let us know if you need further assistance.

Is there a way around this?
0
COBOLdinosaurCommented:
They are giving you the options; sftp or pay for ssh.  

What are you thinking might be a workaround, to get what you want without invalidating the hosting agreement?

Cd&
0
skullnobrainsCommented:
.htaccess files are handled without a restart.
you can check this by inserting an error in your .htaccess
if the error does not produce a 500 bad config or similar error, then .htaccess are disabled altogether. also .htaccess features may be en/disabled or a per-feature basis and the disabled features will just be ignored.

anyway the error you see seems to be related to access to the file itself, by apache itself or the php process if it runs as a cgi or fastcgi. you sould be able to chmod/chown or even edit directly the file over sftp. you need the www or apache or whatever user the web server runs as to have write access to the file. this is disabled by default in wordpress for security reasons. i'd advice you make the change to the file directly
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

Jeff swicegoodTechnicianAuthor Commented:
Here is the offending call.

<h2>Import Photos</h2><br />
				
	<form action="http://bkgoswami2013.atourcity.com/wp/wp-admin/admin.php?page=wppa_import_photos" method="post">

Open in new window

I have searched, but there is no file "wppa_import_photos(.php)." How do I find out which file to edit?
0
skullnobrainsCommented:
this page is probably in your database but anyway this is not related with your error.

was your error a 403 forbidden HTTP error ?
in that case you must focus on read access rights to admin.php in the webserver config and make sure the webserver user has read access to that file

or a php error visible somewhere on the page ?
in that case you must ensure that the webserver user has write access to that file, and the php's security does not prevent you from editing it either
0
Jeff swicegoodTechnicianAuthor Commented:
It is a 403 forbidden with no php errors visible. The owner is the same as every other file in the whole public_html directory and the owner has write permissions, so I guess all that is ok. I guess I could try setting permissions to 777 to test it.

I will try to locate the webserver config files.
0
Jeff swicegoodTechnicianAuthor Commented:
@COBOLdinosaur: I'm just thinking to fix the problem without ssh. I don't know enough about sftp to know how much you can do with it, but I'm just now learning that you can at least see the ownership of files.
0
Jeff swicegoodTechnicianAuthor Commented:
Looks like I don't have permissions to look in the root directory, which I'm assuming is where the server config files can be reached from. I guess this is what is meant by shared hosting. Should I expect my hosting provider to help with this issue?
0
skullnobrainsCommented:
It is a 403 forbidden with no php errors visible

then this looks like regular wordpress settings. you should be blocked by a .htaccess file. i assume you installed wordpress yourself in your directory and the .htaccess files were in the tarball. also note that wordpress may send a 403 itself (through php's header function) if you try to access admin.php with the wrong user and/or from the wrong location

The owner is the same as every other file in the whole public_html directory and the owner has write permissions, so I guess all that is ok.

since it's a 403 we're dealing with read permissions. the user is probably not the web server user. phpinfo() for example will tell you the user name php runs under

Looks like I don't have permissions to look in the root directory, which I'm assuming is where the server config files can be reached from. I guess this is what is meant by shared hosting.

most likely those files reside in an apache or www subfolder of /etc or /usr/local/etc but you won't be allowed access to these locations either. you still can do many things through .htaccess

Should I expect my hosting provider to help with this issue?

if you're the one who installed wordpress and they do not sell wordpress or wordpress-ready hosting, most likely not. but you can be lucky. you can expect them to tell you the reason of the 403 nevertheless and information such as the user the web server runs under.
0
Jeff swicegoodTechnicianAuthor Commented:
Sorry I've been away. It's been a hectic few days.

phpinfo() gave a lot of info but I did not see the username. echo exec('whoami') gave the user atourcit. This is the owner of the file(admin.php), also. And the permissions are set to 644--any other settings make it worse.

I have tried putting a few different things in .htaccess according to post in other forums. Here is what it looks like now.

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*


<IfModule mod_security.so>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress



<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName atourcity.com
AuthUserFile /home/atourcit/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/atourcit/public_html/_vti_pvt/service.grp

Open in new window


This does not work.
0
skullnobrainsCommented:
You Need to allow authenticated users which you forgot to do. I'll help in a while when i'm ont on a mobile phone
0
Jeff swicegoodTechnicianAuthor Commented:
Ok, no problem.
0
skullnobrainsCommented:
try something like this

<location /wp/wp-admin>
AuthName atourcity.com
AuthUserFile /home/atourcit/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/atourcit/public_html/_vti_pvt/service.grp
Require valid-user
</location>
0
Jeff swicegoodTechnicianAuthor Commented:
Just pasting this into the .htaccess made all of the several websites hosted there inaccessible.

The error log shows that I tried to access pages, but .htaccess blocked it.

BTW, I emailed support and they said they whitelisted the rules they saw being triggered in mod security. But nothing changed.
0
skullnobrainsCommented:
no idea how you performed the integration.

the way your limit directives are setup in the config you posted initially forbids all access to everything. have you tried replacing them with the code i posted ?
0
Jeff swicegoodTechnicianAuthor Commented:
I tried placing the location section below the limit directives, I tried above, and I tried replacing the limit directives with it. All give me "500" errors when I access any page.

It's as if the section introduces an error in the .htaccess file. I read up on that directive and checked the syntax, but it seems right to me.

I also tried changing all the "deny from all"'s to "deny from none", but I get the same 403 forbidden error.

Here is what it looks like now. (location directive section commented out)

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*


<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

#<Location home/atourcit/public_html/bkgoswami2013/wp/wp-admin>
#AuthName atourcity.com
#AuthUserFile /home/atourcit/public_html/_vti_pvt/service.pwd
#AuthGroupFile /home/atourcit/public_html/_vti_pvt/service.grp
#Require valid-user
#</Location>

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
allow from all
</Limit>
AuthName atourcity.com
AuthUserFile /home/atourcit/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/atourcit/public_html/_vti_pvt/service.grp

Open in new window

0
skullnobrainsCommented:
i guess the duplication of auth information is not supported.

the info regarding what it does not like is in the apache log. removing lines one by one could also be a good way to see what apache does not like.

----

also are you sure the auth is properly setup ?
i never used authgroupfile as a directive but i can assume you have setup things properly ?

----

also it seems unclear to me wether you expect to authentify all users or just users who want to access the admin pages ?

what i was working on would only authentify users in the admin section

if you want to grant admin access to specific users, it might be a very different story

---

there is also a doubt : i cannot tell for sure wether the 403 is issued by wordpress or by apache. do you know about that ? does wordpress prompt for credentials or send a 403 when you access protected pages normally ?

a good way to make sure could be to stick a dummy static file in the admin dir and check if you can read it's contents. if yes, apache allows what it needs
0
Jeff swicegoodTechnicianAuthor Commented:
i guess the duplication of auth information is not supported.

the info regarding what it does not like is in the apache log. removing lines one by one could also be a good way to see what apache does not like.

Unfortunately I don't think I can view the  apache log since I don't have root access to this server.

also are you sure the auth is properly setup ?
i never used authgroupfile as a directive but i can assume you have setup things properly ?

.htaccess was just at the default config. I didn't mess with that part. I don't know if it was generated by Wordpress or not. I couldn't find any such file in the Wordpress install archive. According the the Apache documentation, it looks right. If fact, using the AuthGroupFile is the way they say to do it.


also it seems unclear to me wether you expect to authentify all users or just users who want to access the admin pages ?

All users. There is only one user on this system, "atourcit" So the one who is all.
Of course, wordpress has it's own user system, but I guess that wouldn't play into it. There are two users and they are both admin.
I need to learn more about security. Right now I am just trying to some how get access to the file (admin.php), even if I have to expose the whole Wordpress temporarily. I can worry about security later.

 
there is also a doubt : i cannot tell for sure wether the 403 is issued by wordpress or by apache. do you know about that ? does wordpress prompt for credentials or send a 403 when you access protected pages normally ?

It normally prompts for credentials on all pages inthe /wp/admin directory, except the dummy static file you suggested and I put in, and, I am assuming, any static files. At that time it throws a 403 Forbidden.
0
skullnobrainsCommented:
Right now I am just trying to some how get access to the file (admin.php), even if I have to expose the whole Wordpress temporarily. I can worry about security later.

for the apache part :
order allow, deny
allow from all
stick the above into the required limit, location, or directory section.

It normally prompts for credentials on all pages inthe /wp/admin directory, except the dummy static file you suggested and I put in, and, I am assuming, any static files. At that time it throws a 403 Forbidden.

if the static file does not produce a 403, has the same ACLs and owner a the sibling files, and the htaccess does not contain anything that would limit authentication to dynamic pages, wordpress is the one sending the 403

from what i can tell, either you did not setup the wordpress admin user yet or you did but you have setup authentication on both the wordpress and apache instead of just either of them.

i'd recommend you remove everything authentication-related in apache, check again you have access to a static file and then setup the wordpress part alone. you need at least on admin user. please let me know how things go.
0
Jeff swicegoodTechnicianAuthor Commented:
I guess we can rule out apache as the culprit.

I definitely have  an admin user in Wordpress.
No luck on that front. I really think this must be a bug in the plugin.
Adding users in Wordpress led me to a workaround, however. If I create a new user in Wordpress, administrator role, the setting in question goes back to default--"local" for that user. But I have to be really careful not to change it to "remote." I can change it from "Import Photos from local directory" to "import photos from remote location", but not vice versa. Maybe it is something about this page accessing the local directories containing my photos. Anyway, I have posted to the authors support forum and I can live with this workaround.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
skullnobrainsCommented:
yes, this looks like something wordpress related or rather something in the plugin that produces a weird 403 when it experiences some kind of access error.

sorry i could not be more helpful, and glad you got a workaround

feel free to post if you get to the bottom of this as it may benefit others
0
Jeff swicegoodTechnicianAuthor Commented:
Never could figure it out. The developer gave some suggestions, but they did not work.
0
Jeff swicegoodTechnicianAuthor Commented:
Not the perfect solution, but the best I was able to get.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
WordPress

From novice to tech pro — start learning today.