I have had this problem several times in the last 6 months on my WordPress blog. For whatever reason, all of a sudden when I access my wp-admin page I get an "access denied" on wp-admin / wp-login.php. Really annoying, as you can imagine, since it means you cannot get into the back-end of your blog, making it impossible to manage. The blog itself is still available when this happens, so I figured I would write down the fix, as I somehow keep forgetting it.
- FTP in to host
- Check the file permissions on wp-login.php; in my case the permissions on this file are somehow magically always “00”
- Change the permissions back to 0644
- Fixed, you should be able to log in again
Simple solution for a strange problem. If I ever find the root cause I will post it here as well.
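To make the fix above repeatable, here is an added shell example (not from the original post) that audits a WordPress tree for PHP files whose mode drifted away from 0644, resets them, and also keeps a SHA-256 baseline so a file that was rewritten rather than merely re-permissioned shows up too. The directory layout, function names and baseline path are assumptions; the demo builds a throwaway tree under mktemp rather than touching a live site.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree for the
# permission drift described above and for content changes. Function names,
# the tree layout and the baseline file location are assumptions.

# List PHP files under $1 whose mode is not exactly 0644.
# One path per line; empty output means nothing drifted.
wp_find_bad_perms() {
    find "$1" -type f -name '*.php' ! -perm 644
}

# Reset every drifted PHP file under $1 to 0644 (what the post restores by hand).
wp_fix_perms() {
    find "$1" -type f -name '*.php' ! -perm 644 -exec chmod 644 {} +
}

# Turn $1 into an absolute path so the baseline file survives a cd.
_abs() {
    case $1 in /*) printf '%s\n' "$1" ;; *) printf '%s/%s\n' "$(pwd)" "$1" ;; esac
}

# Record a SHA-256 manifest of the PHP files under tree $1 into file $2.
wp_make_baseline() {
    b=$(_abs "$2")
    ( cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + | LC_ALL=C sort ) > "$b"
}

# Compare tree $1 against baseline $2. Exit status 0 when every file matches,
# non-zero when a file changed or went missing (sha256sum names the file).
wp_verify_baseline() {
    b=$(_abs "$2")
    ( cd "$1" && sha256sum -c "$b" )
}

# Demo on a constructed tree: reproduce the 0000 symptom, fix it, then show
# that a content change is caught by the baseline even with correct perms.
wp_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/wp-admin"
    printf '<?php // constructed stand-in for wp-login.php\n' > "$tmp/site/wp-login.php"
    printf '<?php // constructed stand-in for wp-admin/index.php\n' > "$tmp/site/wp-admin/index.php"
    chmod 644 "$tmp/site/wp-login.php" "$tmp/site/wp-admin/index.php"
    wp_make_baseline "$tmp/site" "$tmp/baseline.sha256"

    chmod 000 "$tmp/site/wp-login.php"                  # the symptom from the post
    before=$(wp_find_bad_perms "$tmp/site" | wc -l | tr -d ' ')
    wp_fix_perms "$tmp/site"
    after=$(wp_find_bad_perms "$tmp/site" | wc -l | tr -d ' ')

    printf 'tampered\n' >> "$tmp/site/wp-login.php"     # simulate a rewritten file
    if wp_verify_baseline "$tmp/site" "$tmp/baseline.sha256" >/dev/null 2>&1; then
        integrity=unchanged
    else
        integrity=changed
    fi
    rm -rf "$tmp"
    printf 'drifted_before=%s drifted_after=%s integrity=%s\n' "$before" "$after" "$integrity"
}

wp_demo
```

Run wp_make_baseline once after a clean install or update and wp_verify_baseline whenever the symptom recurs. A checksum mismatch on wp-login.php means the file's content changed, not just its mode, and that is the case where restoring the file from a known-good copy matters more than chmod.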
James Hess says
That sounds very strange indeed. I haven’t ever seen or heard WordPress do anything like that, so perhaps a 3rd party plugin; I might diff the contents of the file and verify it hasn’t been tampered with.
Some software update or PHP script or other process running in the OS environment, perhaps an automatic update tool with an unusually restrictive umask, must be re-creating the file (and neglecting to fix permissions) or modifying the chmod to 600 directly. This generally requires the script be running either as the owner of the file, or with root / server administrator permissions.
As far as I know, WordPress never writes to its own script files, except when performing a software update. Even that requires providing WordPress with FTP credentials, unless the website runs the PHP scripts under the same user id as the credential that owns the files, instead of an unprivileged anonymous user (the latter is the norm).
It does not make sense that wp-login.php would be the only file targeted.
Duncan Epping says
Was told today that some hosting companies have tools setting it to “0000” when there is an attack ongoing. This is in order to prevent their servers from also going down during the DoS. Apparently this happens every once in a while. I guess that could be it.
@Duncan I have experienced that and similar errors; in one case it was the result of a misbehaving plugin install/update, where the solution was to find the offending plugin (e.g. disable them, turn them on one by one). In other situations somehow the ownerships were changed.
Something else to watch for is if and when you get that error again, see if you can access some of your other site admin sub pages or not as that can indicate another issue.
Also have you installed any site security scanning plugins yet?
BTW FWIW: My sites are on a dedicated private server (DPS) hence not in a shared hosting, or virtual private server (VPS). However the DPS is not a bare metal server as it has the same software, setup, config etc as would see in the shared “gen pop” environment with WP etc that the provider also helps manage.
I thought the security plugin that I have installed on my blog was causing this problem. Thanks for sharing this useful tip mate. It worked for me.
James Hess says
Personally, I would invest in a Web Application Firewall or mod_security based protections before buying scanning plugins, which probably mostly just check a predefined version list or look for specific script blobs in PHP files.
Attack resistance over detecting compromise or detecting individual bugs 🙂
I’ve experimented in setting up WordPress implementations and found the combination of Apache with mod_security (w/ OWASP ModSecurity Core Ruleset) fronted by Cloudflare for the optimization and DoS protection parts quite effective.
After working out which rules needed to be turned off for the WP administration to work right.
Well, that was before I realized I could just set up an authenticated proxy over an SSL server, allow only the trusted IP access to the /wp-admin directory, and bypass mod_security for the trusted source IP.
Instant HTTP 403 Forbidden error for any IP other than the trusted one reaching into /wp-admin. Not useful at all as a DoS or brute force target 🙂
Kirk Ishii says
A similar option: give your web hosting stack ownership by running this at the shell:
chown -R apache:wordpress wp-includes wp-admin wp-content
Or give your app pool identity the proper security rights if it is hosted on Windows and IIS.
I just experienced the same thing, “Access Denied” when I try to access /wp-admin/. However, my case is different because my hosting provider set it intentionally due to a massive brute force attack. I submitted a ticket to my hosting and hopefully they will allow access again shortly.
Hoa sen vàng says
Me too, the hosting service got attacked by hackers. Here is their solution for this case:
Due to the extremely high amount of distributed WordPress brute force attacks our servers have received over the past few weeks, we have had no choice but to block the file wp-login.php on our servers in order to maintain an acceptable level of performance.
Therefore if you attempt to log into your WordPress dashboard, you will be presented with an error:
Access is denied
In order to bypass the error and log into your WordPress dashboard, you will need to add the following code to your .htaccess file located in the root of your WordPress installation(s):
Deny from all
# Allow from X.X.X.X
Remove the “#” and replace “X.X.X.X” with your current IP address.
To get your current IP address, go to Google.com and search “what is my ip”
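The provider's snippet above, and the trusted-IP restriction on /wp-admin described in an earlier comment, can be expressed more narrowly. The following shell example is added here and is not the provider's or the post's own code: it emits an Apache 2.4 .htaccess fragment (the Require ip syntax, which replaced Order/Allow/Deny in 2.4) that applies only to wp-login.php instead of denying the whole site, and refuses malformed addresses so a typo cannot silently lock you out. The function name and the addresses (documentation ranges) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post or the hosting provider's notice): emit an
# Apache 2.4 .htaccess fragment that limits wp-login.php to an allow list of
# source addresses and returns 403 to everyone else. The function name and the
# sample addresses below are constructed for this example.

# Accept a dotted-quad IPv4 address with an optional /prefix length.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the fragment for the given allow list (one address or CIDR per
# argument). Fails before printing anything if any entry is malformed.
wp_login_allowlist() {
    [ "$#" -gt 0 ] || { echo "need at least one address" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4_or_cidr "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    # Scoped to the one file the provider blocked, not the whole document root,
    # so the public side of the blog keeps working for everyone.
    echo '# Only the listed source addresses may reach the login form.'
    echo '<Files "wp-login.php">'
    echo '    <RequireAny>'
    for ip in "$@"; do
        echo "        Require ip $ip"
    done
    echo '    </RequireAny>'
    echo '</Files>'
}

# Demo with constructed documentation-range addresses.
wp_login_allowlist 203.0.113.5 198.51.100.0/24
```

Append the output to the .htaccess in the WordPress root. If the site sits behind a reverse proxy or CDN such as Cloudflare, Apache sees the proxy's address unless mod_remoteip (or an equivalent) restores the client IP, so test from an unlisted address and confirm the 403 before relying on it.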
James Hess says
Well, I have an idea of why they would be doing that, but I still think it is disappointing. Imagine if you have a blog with multiple posters, or you have “Require users to register and log in in order to post a comment”.
I would be curious as to which hosting providers are using such a customer-inconveniencing solution to their PHP memory resource consumption problems caused by just plain ol’ everyday brute force attempts.
There are, of course, plenty of good ways for a hosting provider to help address systemic brute force attacks of that nature if they become an issue for the server, without interfering with legitimate use: such as source-IP-based rate limiting based on filename, methods that impact the viewer, or 3rd party proxy-based CDN services that do filtering.
And there are WordPress plugins to present a captcha or “trivial math question” for login.
I guess, for hosting a WordPress blog in a shared hosting environment, let the buyer beware. VPS or dedicated is preferable.
Sine Solutions says
Sine Solutions provides outsourced server admins specializing in Linux and Windows server setup, optimization, security, backup and recovery.
The problem is that I can access wp-admin but my friend in Malaysia cannot, and the permission is 0644, so what should I do?
Have her give you her IP and whitelist it. That might work…
Nicholas Bowman says
Ugh. Just had this problem on a site I manage. Any updates?
I am having a similar issue where I am able to log in as an admin with no problems; however, subscribers or any access level below admin get an “Access Denied” message when they enter their credentials in wp-login.php.
Turns out a plugin that I installed, “Advanced Access Manager”, which is designed to create user accounts with custom access levels, was the culprit. I have clients that would wreck websites if I gave them any access beyond dashboard view. Funny thing though! I disabled the plugin, and everything works great! And the user access levels I implemented stuck? Made me laugh, but what the heck… So check those plugins, folks. Just test by disabling the ones that you might feel have a connection with access levels, especially.