Engine: WordPress
Server: nginx
Plugin suggestion: Wordfence Security Plugin
This sure got me spinning in a loop, that’s for sure. To be quite honest, this is the first time I’ve ever had a vulnerability exposed in the WordPress sites, which is causing me to seriously evaluate how I deploy sites.
The Problem: 404 Forbidden Error
Everything on the front end of the WordPress site was displaying correctly. The problem was actually in the back-end when I went to update the plugins. When I selected the plugin that I wished to update, the update would take me to a new screen (which it normally does) but then it redirected to a default server embedded page instructing me there was a 404 Forbidden Error /nginx. The interesting thing about this was that the regular left sidebar – the dashboard – was still present and I could continue about doing what other things I had to do.
The problem was obviously that I couldn’t update any of the plugins.
Weirdly enough I was able to update my WordPress Engine from 3.x to 4.0 though…
The Solution: Wordfence Security Plugin & Updating Folder/File Privileges
Digging around a bit I found that indeed there were some reports of WordPress vulnerabilities. Naturally, as anything open to the internet could, especially something open to web-based uploads and downloads, there had been some reports of WordPress being compromised.
(side note: I do not like using the term hacked in a negative connotation.)
WordPress has even created a FAQ called “My site was hacked,” that will step you through some really smart security precautions to take when deploying a WordPress site.
I went through a checklist of processes to try and identify what exactly was causing this break in WordPress, which I’ll outline here.
note: it is always advised to a) make a backup of your site incase something goes horrible wrong. This includes a database backup, and the entire file/folder structure backup. There are many tools for doing this, don’t be lazy.
- Instead of selecting all of the plugins requiring an update I selected just one at a time to update to see if it was perhaps just a single plugin being updated that was causing the break.
- I disabled each of the plugins – first one at a time, then all of them together – and after disabling each plugin I would try and run a single plugin update.
- Sometimes having plugins deactivated but still lingering in the site can cause issues, so I deleted all plugins I don’t use.
- To eliminate the custom theme from being the culprit, I switched the theme to the default WordPress theme and tried to run the plugin update again.
- I installed a plugin for WordPress called Wordfence Security Plugin. After installing this, I ran a scan that illuminated that I had some weird code inserted into many of the theme files. Read about how the plugin works, but basically I was able to view the original file, and the modified (current) file I had on the server. After reviewing the two files, I instructed the plugin to restore the original file (for all ~15 discrepencies). There might also be some other errors that Wordfence identifies, I would advise dealing with each of them individually.
Conclusion | WordPress 404 Forbidden Plugin Update Error
It was only after I completed the full scan with Wordfence Security Plugin that I was able to identify and eliminate the random code that had been added to the site.
What this tells me is that there was a vulnerability exposed in either WordPress itself, or on the server. So, to do the best I can to rectify this from ever happening again, we must modify the permissions on the files/folders of the WordPress site.
I’m going to assume that you know how to open your terminal – or SSH – window to your server so you can type the following commands in (I’ll leave this tutorial for another day).
As a general rule, the standard privileges & commands for a WordPress install are:
DIRECTORY PERMISSIONS -> sudo find </wordpress directory/> -type d -exec chmod 755 {} \;
FILE PERMISSIONS -> sudo find </wordpress directory/> -type f -exec chmod 644 {} \;
UPLOAD DIRECTORY PERMISSIONS -> sudo chmod 0777 <wordpress directory>/wp-content/uploads
And for those of you who are going to be modifying your theme via. your WordPress dashboard, you will probably need to modify the theme directory permissions too:
MODIFY THEME DIR PERMISSIONS -> sudo chmod 0666 <wordpress directory>wp-content/themes/yourtheme/
Hope this helps!
Websites that helped identify this problem/solution: