Updating WordPress Plugin 403 Forbidden Error Nginx

Engine: WordPress
Server: nginx
Plugin suggestion: Wordfence Security Plugin

This sure got me spinning in a loop, that’s for sure. To be quite honest, this is the first time I’ve ever had a vulnerability exposed in the WordPress sites, which is causing me to seriously evaluate how I deploy sites.

The Problem: 404 Forbidden Error

Everything on the front end of the WordPress site was displaying correctly. The problem was actually in the back-end when I went to update the plugins. When I selected the plugin that I wished to update, the update would take me to a new screen (which it normally does) but then it redirected to a default server embedded page instructing me there was a 404 Forbidden Error /nginx. The interesting thing about this was that the regular left sidebar – the dashboard – was still present and I could continue about doing what other things I had to do.

The problem was obviously that I couldn’t update any of the plugins.

Weirdly enough I was able to update my WordPress Engine from 3.x to 4.0 though…

The Solution: Wordfence Security Plugin & Updating Folder/File Privileges

Digging around a bit I found that indeed there were some reports of WordPress vulnerabilities. Naturally, as anything open to the internet could, especially something open to web-based uploads and downloads, there had been some reports of WordPress being compromised.

(side note: I do not like using the term hacked in a negative connotation.)

WordPress has even created a FAQ called “My site was hacked,” that will step you through some really smart security precautions to take when deploying a WordPress site.

I went through a checklist of processes to try and identify what exactly was causing this break in WordPress, which I’ll outline here.

note: it is always advised to a) make a backup of your site incase something goes horrible wrong. This includes a database backup, and the entire file/folder structure backup. There are many tools for doing this, don’t be lazy.

  1. Instead of selecting all of the plugins requiring an update I selected just one at a time to update to see if it was perhaps just a single plugin being updated that was causing the break.
  2. I disabled each of the plugins – first one at a time, then all of them together – and after disabling each plugin I would try and run a single plugin update.
  3. Sometimes having plugins deactivated but still lingering in the site can cause issues, so I deleted all plugins I don’t use.
  4. To eliminate the custom theme from being the culprit, I switched the theme to the default WordPress theme and tried to run the plugin update again.
  5. I installed a plugin for WordPress called Wordfence Security Plugin. After installing this, I ran a scan that illuminated that I had some weird code inserted into many of the theme files. Read about how the plugin works, but basically I was able to view the original file, and the modified (current) file I had on the server. After reviewing the two files, I instructed the plugin to restore the original file (for all ~15 discrepencies). There might also be some other errors that Wordfence identifies, I would advise dealing with each of them individually.

Conclusion | WordPress 404 Forbidden Plugin Update Error

It was only after I completed the full scan with Wordfence Security Plugin that I was able to identify and eliminate the random code that had been added to the site.

What this tells me is that there was a vulnerability exposed in either WordPress itself, or on the server. So, to do the best I can to rectify this from ever happening again, we must modify the permissions on the files/folders of the WordPress site.

I’m going to assume that you know how to open your terminal – or SSH – window to your server so you can type the following commands in (I’ll leave this tutorial for another day).

As a general rule, the standard privileges & commands for a WordPress install are:

DIRECTORY PERMISSIONS -> sudo find </wordpress directory/> -type d -exec chmod 755 {} \;
FILE PERMISSIONS -> sudo find </wordpress directory/> -type f -exec chmod 644 {} \;
UPLOAD DIRECTORY PERMISSIONS -> sudo chmod 0777 <wordpress directory>/wp-content/uploads

And for those of you who are going to be modifying your theme via. your WordPress dashboard, you will probably need to modify the theme directory permissions too:

MODIFY THEME DIR PERMISSIONS -> sudo chmod 0666 <wordpress directory>wp-content/themes/yourtheme/

Hope this helps!


Websites that helped identify this problem/solution:

Leave a Reply

sixteen + nine =