• Home
  • Cloud
    • General
    • SaaS
    • BPaaS
    • PaaS
    • IaaS
    • Other Internet Hosted Applications
      • WordPress
        • WooThemes Canvas
          • WooThemes Canvas CSS
  • About me
  • Why Badly Wired?
  • Contact

Badly Wired

Connecting WordPress via APIs, Plugins and other stuff - a technical notebook

You are here: Home / Server setup / WordPress Plugin install fails with Forbidden, you don’t have permission to wp-admin/update.php on your server

WordPress Plugin install fails with Forbidden, you don’t have permission to wp-admin/update.php on your server

21st June 2017 by Alan Leave a Comment

Fully Managed UK Hosting - Only £1+VAT till 1st Jan 2021 on Shared, Reseller and Dedicated Hosting! .... read more ....

This issue is fairly common on servers that are running Apache with mod_sec  ( mod security ). Mod security is a complex system that looks at the sort of web traffic ‘bay guys’ use to hack servers and stops them.

In this case it is thinking that your actions are suspicious and blocks them.  This is actually quite common on WordPress when uploading large plugins.  Of course, if you sure your plugin is safe and want to upload it this is a problem for you.

Fully Managed UK Hosting - Only £1+VAT till 1st Jan 2021 on Shared, Reseller and Dedicated Hosting! .... read more ....

This is something that normally has to be fixed at host level, especially if you are on a shared server, where the hosting company may be very reluctant to reduce security.

However if you are on your own VPS or server than the steps are fairly easy.

First inspect your Apache log file for your site, normally error_log.  You can do this visually ( looking for the words Mod Security and the value after id )or if you have shell access this command line is good.

grep ModSecurity path/to_my_domain/logs/error_log | sed -e 's#^.*\[id "\([0-9]*\).*hostname "
\([a-z0-9\-\_\.]*\)"\].*uri "#\1 \2 #' | cut -d\" -f1 | sort -n | uniq -c | sort -n

Which will give a result like

3 200004 example.com /wp-admin/update.php

The next step is to compose this directive ( based on the above )

<LocationMatch "/wp-admin/update.php">
    SecRuleRemoveById 200004
</LocationMatch>

And add it to the appropriate Apache .conf file.  If your domain is a <VirtualHost>  then just before the </VirtualHost> for your domain is appropriate.

If you want the rule to apply to all sites /etc/apache2/conf-available/security.conf might be more appropriate

Let me know where you put this on your system, please feel free to comment below.

 

[Next] Find out where to host WordPress [Read the full article…]

Filed Under: Server setup, Tech Tips, Wordpress  

About Alan

I'm Alan from Fullworks Digital Ltd, where I develop WordPress Plugins and support and manage WordPress websites.

My day job consists of solving clients' WordPress issues and developing new code and solutions.

I started as a professional programmer in 1979 and had been involved with the IT of business technology in virtually every area that exist.

Badlywired.com is my personal blog and my aide memoire of the many interesting facts that I come across. As I spend a lot of time gathering parts of solutions from the internet and assembling them into my own solutions, and also just learning how to do things, this blog is primarily my 'note book' and a way of giving something back to the online community that has helped me extensively.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Categories

  • Applications
  • Cloud
    • General
    • Google Cloud
    • IaaS
    • Other Internet Hosted Applications
      • Wordpress
        • WooThemes Canvas
        • WooThemes Canvas CSS
    • SaaS
  • Code snippets
  • Discounts
  • Genesis
  • Google Apps for Works
  • Linux
  • News
  • SEO
  • Server setup
  • Services
  • Tech Tips
  • Uncategorised
  • Useful Images
  • Useful Stuff
  • WordPress Hosting
  • WordPress Plugins

Tags

background jobs beadcrumbs bind brandings Cache canvas Centos chrome css fail2ban Find firefox Flash fraud genesis gocardless godaddy Google google maps hackers internet explorer javascript KashFlow Linus linux Magento mapquest maps microsoft mysql news nohup php plugin plugins queens diamond jubilee replace SED SEO skype Varnish Virtualmin Webmin woothemes Wordpress

 

Affiliate and Privacy Notices

This site is free to use, but hopes to cover some costs through affiliate income, some products and links are affiliates and may earn the site advertising income.

Some affiliates use Cookies to track if you purchase from them, this allows them to apportion revenue to us you will need to refer to their specific privacy notices as to how you are tracked.

This site is a participant in the Amazon EU Associates Programme, an affiliate advertising programme designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.co.uk.

  • Privacy Policy

Copyright © 2021 · Badly Wired