vague HTTP errors uploading larger files from within wordpress - wordpress

I manage a small website for a private school, needing to post a variety of photos of videos. Most files larger than a few mb attempt to upload, usually the progress bar finishing (for whatever that's worth) and then before it reloads the Media Library it just gives a vague HTTP error on the page.
I've researched this as much as possible and nothing I've tried seems to do anything.
Current htaccess settings based on others' suggestions...
SetEnv MAGICK_THREAD_LIMIT 1
<FilesMatch "(async-upload\.php|wp-cron\.php|xmlrpc\.php)$">
Satisfy Any
Order allow,deny
Allow from all
Deny from none
</FilesMatch>
<IfModule mod_php5.c>
php_value post_max_size 128M
php_value upload_max_filesize 128M
php_value memory_limit 256M
</IfModule>
Tried disabling all plugins and no change I was able to notice.
Server setup..
GoDaddy Deluxe Shared
Wordpress 4.8 (latest)
PHP Version 5.6.30
CGI/FastCGI
I know it makes more sense to let Vimeo/YT/etc handle videos but they're worried about privacy since it's kids so preferred to keep everything on-site and as far as I can tell you can't embed videos with privacy options enabled, which makes sense.
GoDaddy's not much help. Can anyone point me in the right direction or have a fix that works? Happy to provide any other info needed.
Thanks! Rich

Related

.htaccess internal server error if upload_max_filesize added [duplicate]

I am trying to increase the maximum post size limit on my server.
Here is the .htaccess file:
php_value upload_max_filesize 20M
php_value post_max_size 20M
php_value max_execution_time 200
php_value max_input_time 200
However it does not seem to work and throws a 500 Internal server error.
Any ideas why this could be happening and how to overcome this?
As far as I can tell, your syntax is correct. However, the php_value Apache directive is provided by the mod_php module. If you don't run PHP as Apache module (e.g., it runs as FastCGI or with some other SAPI) that directive won't be defined, thus the 500 error.
There're many ways to change PHP settings. In practice, I've found that hosting services that run CGI often provide a custom php.ini file somewhere in your FTP account. Additionally, if you run PHP/5.3.0 or newer you can use .user.ini files. Last but not least, there's ini_set() within code.
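A check for the failure described in this answer, as an added example that is not code from the original posts: it lists `php_value`/`php_flag` lines that sit outside an `<IfModule>` test for mod_php (these cause the 500 when PHP runs as CGI/FastCGI) and rewrites every PHP setting it finds in `.user.ini` syntax. Guarded lines do not raise an error, but Apache skips them when mod_php is not loaded. The sample text is constructed from directives shown on this page; the function names are hypothetical.

```python
import re

OPEN = re.compile(r"<IfModule\s+(!?)\s*([^\s>]+)\s*>", re.I)
CLOSE = re.compile(r"</IfModule\s*>", re.I)
# Identifiers under which mod_php is tested: file name or module name.
MOD_PHP = re.compile(r"(mod_php\d*\.c|php\d*_module)$", re.I)
PHP_LINE = re.compile(r"(php_value|php_flag)\s+(\S+)\s+(.+)$", re.I)

# Constructed sample combining directives quoted in the questions above.
SAMPLE = """\
php_value upload_max_filesize 20M
php_value post_max_size 20M
<IfModule mod_php5.c>
php_value memory_limit 256M
</IfModule>
"""

def scan(text):
    """Yield (line_no, guarded, name, value) for each php_value/php_flag line."""
    stack = []  # one bool per open <IfModule>: is it a positive mod_php test?
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        opened = OPEN.match(line)
        if opened:
            negated, module = opened.groups()
            stack.append(not negated and bool(MOD_PHP.match(module)))
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        else:
            found = PHP_LINE.match(line)  # comment lines start with "#": no match
            if found:
                yield no, any(stack), found.group(2), found.group(3).strip()

def unguarded(text):
    """Lines that make Apache fail with a 500 when mod_php is not loaded."""
    return [(no, name) for no, guarded, name, _ in scan(text) if not guarded]

def to_user_ini(text):
    """The same settings in .user.ini form (read by PHP 5.3.0+ under CGI/FastCGI)."""
    return "\n".join(f"{name} = {value}" for _, _, name, value in scan(text))

if __name__ == "__main__":
    for no, name in unguarded(SAMPLE):
        print(f"line {no}: {name} is not inside a mod_php guard")
    print(to_user_ini(SAMPLE))
```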

.htaccess error, Expected </RequireAll>> but saw </RequireAll>

I am no expert on apache conf files, but I am reasonably familiar with them. A security plugin I have installed on one of my wordpress sites (https://ithemes.com/security/) makes edits to an .htaccess file in order to enforce automated IP bans (for example, if you have too many failed login attempts in a short period of time). Here is the block that it generated: (xxx added by me for the IP address)
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env DenyAccess
Require not ip xxx.xxx.xxx.xxx
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from env=DenyAccess
Deny from xxx.xxx.xxx.xxx
Allow from all
</IfModule>
Now, this causes the site to bomb out with a 500 error. The error I get in my log is
Expected </RequireAll>> but saw </RequireAll>
(Note the extra trailing >). And, lo and behold, if I add an extra >, the site works again.
What syntax rule is at play here? Why on earth do I need the extra > in a closing tag? Why would the (popular and generally respected) plugin be generating an invalid .htaccess? Since this looks so wrong to me I'm inclined to believe I have some obscure server setting or an outdated apache or something causing this. Any insight would be much appreciated.
Using Apache/2.0.46

Why can't I block access to files with .htaccess ( order not allowed here)?

I've tried everything. I read other how to threads here and elsewhere. I have the following in my apache2 site configuration file:
<Directory /var/www/html/site_root/>
AllowOverride All
</Directory>
</VirtualHost>
There is no other occurrence of "AllowOverride" in the site conf file so it's not a case of something earlier in the file overriding this (don't even know if that's possible). I also tried '/var/www/html/site_root'.
If I try either of the following (or both) in my /var/www/html/site_root/.htaccess file:
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
<Files "xmlrpc.php">
Order Allow,Deny
Deny from all
</Files>
I get 520s and the whole site is crashed. I also tried /xmlrpc.php or "xmlrpc.php" without "" and ./xmlrpc.php etc. No matter what I do my error log is full of:
[Thu Dec 03 18:05:25.628237 2015] [core:alert] [pid 6956] [client 192.168.0.1:56529] /var/www/html/site_root/.htaccess: order not allowed here
How can this be and why is this so difficult to do?
My purpose is to block access to /xmlrpc.php. This is an absolute Achilles heel for WordPress. It is very easy to crash and burn any site by just hitting this over and over and over again. For some reason WordPress leaves it wide open by default and Cloudflare is not able to detect or protect against these attacks. They happen all the time and it brings down the server completely.
Thanks.
The best answer I found is this:
If your server is an Apache, you can block access before WordPress is even reached with one line in your .htaccess:
Redirect 403 /xmlrpc.php
You can add another line to keep the response short:
ErrorDocument 403 "die"
That will send a very minimal response (three bytes plus HTTP headers), and it will save your resources for better traffic.
Source:
https://wordpress.stackexchange.com/questions/156522/restrict-access-to-xmlrpc-php
Please go vote up the answer at the wordpress stack, by user #toscho. I don't have enough reputation. Toscho's answer is way better than the accepted answer because you can deny access in .htaccess and still burn up server resources loading the 404 in Wordpress. His answer actually saves you one byte over mine.
Well did you restart your server after you made changes to apache2.config? Secondly there is a difference between order allow,deny AND order deny,allow
Try using this
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
You can also disable the XML-RPC Feature, from the system itself. Just put this in your wp-config
add_filter('xmlrpc_enabled', '__return_false');
Update: Some clarification:
I agree with jason, blocking xmlrpc.php at the htaccess level is always a much better idea because even if you disable it through the filter, the site still goes through the whole request cycle. Here filters is just being used as a safeguard from someone getting in, but the site is still open to DDOS attacks. In short usage of filters is only for people who are using it for some other purposes and not finding an escape from DDOS attacks, for eg if someone doesn't have access to the htaccess file.

htaccess file blocking image on iPad and iPhone

I have a WordPress site hosted on MediaTemple. I don't know anything about .htaccess editing, so I copied and pasted from online sources (MT and others). I added the following lines to my .htaccess file to prevent hotlinking:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)mydomain.com/.*$ [NC]
RewriteRule \.(png|jpg)$ http://example.com/example.png [F]
The problem is of all the png and jpg image files I have on my site, one of them isn't showing up on my iPad or iPhone. All image files are located in the same directory.
At first, none of the images on my home page were showing up. I did some Googling and found other ways to construct the last line, so I've tried changing [F] to [NC,F,L] and [NC,R,L] as well. I got 2 of the 3 images to show up. At one point, some of the images didn't even show up in my media library when logging into wp-admin on my desktop. Everything works just fine, of course, when I comment out the lines. I tried clearing the cache on my devices, but that didn't work either.
There is no rhyme or reason I can find. MT tech support had no solution. Googling has turned up nothing. Can't find an answer specific to my problem on SO, but got some insight here - Prevent Hotlinking through CSS via .htaccess - where user states "some browsers will don't send HTTP_REFERER and legitimate users will end up seeing broken images." But if my other images are showing up, this can't be a problem with HTTP_REFERER.
I don't have a problem with hotlinking because I don't have any images worth hotlinking, so I personally can live without this, but in the event I design a site for a client who wants to prevent hotlinking, I need to have .htaccess work.
Don't know if this matters, but I also have .htaccess files in my wp-content and wp-admin folders, too, but I don't think they're causing the problem.
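An added example, not part of the original post: it evaluates the two `RewriteCond` lines from the question against a few Referer values to show which requests the `[F]` rule rejects. The Referer strings are constructed, and the tightened pattern is an assumption for comparison rather than a fix taken from this page.

```python
import re

# The two RewriteCond patterns from the question ([NC] = case-insensitive).
# Each is negated with "!", so the [F] rule fires only when neither matches.
ORIGINAL = [(r"^$", 0), (r"^http://(www\.)mydomain.com/.*$", re.I)]

# Assumed tightening, not from the page: optional "www.", http or https,
# and escaped dots so "." no longer matches any character.
TIGHTENED = [(r"^$", 0), (r"^https?://(www\.)?mydomain\.com/", re.I)]

def is_forbidden(referer, conditions):
    """True when every negated RewriteCond holds, i.e. the image gets a 403."""
    return all(re.search(p, referer, f) is None for p, f in conditions)

# Constructed Referer values: no header, three forms of the site's own URL,
# and one foreign site.
REFERERS = [
    "",
    "http://www.mydomain.com/gallery/",
    "http://mydomain.com/gallery/",
    "https://www.mydomain.com/gallery/",
    "http://other.example/page.html",
]

def report(conditions):
    """Map each sample Referer to whether the rule set would reject it."""
    return {r: is_forbidden(r, conditions) for r in REFERERS}

if __name__ == "__main__":
    for name, conds in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(name)
        for referer, blocked in report(conds).items():
            print(f"  {'403' if blocked else 'ok ':3}  {referer!r}")
```

With the original conditions, pages served without `www.` or over `https` count as foreign referrers, because `(www\.)` is a mandatory group and the scheme is fixed to `http://`.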

Globally disabled ini_set but Override ini_set for a domain

I have disabled ini_set in PHP. I however want a specific domain to use ini_set. How do I enable ini_set for a specific domain?
Thanks
You can't. If you disable it there's no way from that function.
Maybe you can enable php.ini override, and put an individual php.ini to the desired folder to enable it and use set_ini again.
If you're using php as module, you can use .htaccess with php_flag or php_value to set desired values or flags.
Example:
php_value memory_limit 32M or php_flag display_errors 1 (display errors must work with value and flag rule as well)
