- This topic has 3 replies, 3 voices, and was last updated 10 years, 6 months ago by
.
-
Posts
-
Good afternoon – I just downloaded and configured the wp eStore plugin. I am trying to view the wp eStore short codes and I keep receiving the following error – we are using wordpress version 3.9.1 – unfortunately I do not have a page to reference – since without access to the short code I am unable to place any examples into a page. Any assistance you can offer would be greatly appreciated. I have tried on both a mac and a PC on multiple browsers. Chrome, Safari, Firefox.
Forbidden
You don’t have permission to access /wp-content/plugins/wp-cart-for-digital-products/lib/eStore_shortcode_insert_window.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Deactivate the plugin and re-activate it and let me know if you see the same activation error. Next, use our shortcode documentation to copy and paste the shortcodes:
http://www.tipsandtricks-hq.com/ecommerce/wp-estore-shortcodes-and-functions-reference-460
I attempted to deactivate – and reactivate the plugin – I also uninstalled fully – reinstalled both manually (via FTP0 and also via WordPress itself. All were fruitless, but now I know why so I am sharing it here – in case anyone else experiences it.
Apparently an”.htaccess” file in the wp-content folder was blocking ALL PHP Transactions as part of a security precaution.
It included the code:
<Files *.php>
deny from all
</Files>
In order for the wp eStore plugin to work paths to each offending file had to be added as exceptions in this file.
For example:
<FilesMatch “eStore_shortcode_insert_window.php”>
Order allow,deny
Allow from All
</FilesMatch>
We found that we could not simply add the whole folder. Additionally, we found that there were several files that needed access. Rather than risk missing any – we remove the “.htaccess” file and now everything is working as expected.
We are looking for a more secure option (in case removing this whole file is a bad choice) – but in the meantime this seems to have fixed our issue. From some internet reading it appears that while we CAN have multiple htaccess files – it can cause just this type of confusion when having rules spread around. I am not sure who/why they were created so we will continue to investigate. I wanted to share what we discovered – because I did not find it when searching the forum and hopefully it can help someone else.
As an Information Security professional, here is my take on website security in general:
Most site owners (and hosting providers) overreact when it comes to securing their sites, and end up using sledgehammers to kill flies.
Do not just blindly install a security mechanism, unless you understand the following:
- That security is a “cost center.” It does not produce direct profit and adds to the cost of running a company.
- What specific threat said security mechanism is supposed to protect you from.
- What is the actual, rather than the “perceived,” risk you face.
In other words, I can give you the same security protocol I used for the US missile defense program; but in the end, the weakest link is still going to be your hosting provider.
Now then, the .htaccess rules you just described are primarily used to protect your site from executing PHP files that aren’t supposed to be executing. The way that occurs is by having the hacker sneak/install their own PHP files someplace on your system. For that to occur, your directory and file permissions need to be improperly setup.
You should be more worried about making sure your directory and file permissions are properly setup and never messed with; than with having to give out “hall passes” to your PHP files.
Might I suggest using our FREE Tips & Tricks HQ “All In One” security plugin? One “click” and it will ensure all your permissions are correctly setup!
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
</Getting off soapbox>
- You must be logged in to reply to this topic.