WordPress Plugin install fails with Forbidden, you don’t have permission to wp-admin/update.php on your server


This issue is fairly common on servers that are running Apache with mod_security (ModSecurity). ModSecurity is a complex system that looks for the sort of web traffic 'bad guys' use to hack servers and stops it.

In this case it thinks your actions are suspicious and blocks them. This is actually quite common on WordPress when uploading large plugins. Of course, if you are sure your plugin is safe and want to upload it, this is a problem for you.

This is something that normally has to be fixed at host level, especially if you are on a shared server, where the hosting company may be very reluctant to reduce security.

However, if you are on your own VPS or server then the steps are fairly easy.

First inspect the Apache log file for your site, normally error_log. You can do this visually (looking for the word ModSecurity and the value after id), or if you have shell access this command line is good.

grep ModSecurity path/to_my_domain/logs/error_log | sed -e 's#^.*\[id "\([0-9]*\).*hostname "\([a-z0-9._-]*\)"\].*uri "#\1 \2 #' | cut -d\" -f1 | sort -n | uniq -c | sort -n

This will give a result like:

3 200004 example.com /wp-admin/update.php

The next step is to compose this directive (based on the above):

<LocationMatch "/wp-admin/update.php">
    SecRuleRemoveById 200004
</LocationMatch>

Then add it to the appropriate Apache .conf file. If your domain is defined in a <VirtualHost>, then just before the </VirtualHost> for your domain is appropriate.

If you want the rule to apply to all sites, /etc/apache2/conf-available/security.conf might be more appropriate.
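
The two steps above as one script, added here as an example that is not part of the original post: it tallies denials by rule id, hostname and URI while keeping each rule's msg text, then prints an exclusion for a single rule on a single path. The function names and the sample log lines are constructed for illustration, and the escaped, anchored pattern is this example's choice, tighter than the directive shown above.

```shell
#!/bin/sh
# Added example (not from the original post); all names here are hypothetical.

# Constructed sample lines in the ModSecurity 2.x Apache error_log layout.
sample_log() {
cat <<'EOF'
[Tue Mar 05 10:15:32 2024] [:error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [id "200004"] [msg "Constructed: multipart boundary check"] [hostname "my-site.example.com"] [uri "/wp-admin/update.php"] [unique_id "A1"]
[Tue Mar 05 10:16:01 2024] [:error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [id "200004"] [msg "Constructed: multipart boundary check"] [hostname "my-site.example.com"] [uri "/wp-admin/update.php"] [unique_id "A2"]
[Tue Mar 05 10:20:44 2024] [:error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [id "999001"] [msg "Constructed: placeholder rule"] [hostname "example.com"] [uri "/xmlrpc.php"] [unique_id "A3"]
[Tue Mar 05 10:21:00 2024] [core:error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
EOF
}

# Read an error_log on stdin; print "count id hostname uri msg" (tab separated),
# most frequent first. Fields are looked up by name, so their order in the
# line and hyphens in the hostname do not matter.
modsec_summary() {
  tab=$(printf '\t')
  grep 'ModSecurity' | awk '
    function field(name,   re, s) {
      re = "\\[" name " \"[^\"]*\"\\]"
      if (!match($0, re)) return "-"
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"\]$/, "", s)
      return s
    }
    { n[field("id") "\t" field("hostname") "\t" field("uri") "\t" field("msg")]++ }
    END { for (k in n) print n[k] "\t" k }' | sort -t "$tab" -k1,1nr -k2,2n
}

# Print an exclusion for one numeric rule id on one exact URI. Regex
# metacharacters in the URI are escaped and the pattern is anchored, so the
# rule stays active on every other path.
modsec_exclusion() {
  id=$1
  uri=$2
  case $id in ''|*[!0-9]*) echo "rule id must be numeric" >&2; return 1 ;; esac
  pattern=$(printf '%s' "$uri" | sed 's/[][\.*^$+?(){}|]/\\&/g')
  printf '<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>\n' "$pattern" "$id"
}

sample_log | modsec_summary
modsec_exclusion 200004 /wp-admin/update.php
```

Reading the msg column before removing a rule shows what protection is being switched off for that path. After adding the directive, `apachectl configtest` checks the syntax before Apache is reloaded.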

Let me know where you put this on your system; please feel free to comment below.

