1. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    Why do I keep getting this on Chrome?

    ----------------------------------------------------------

    Forbidden
    You don't have permission to access /khfc/ on this server.

    -----------------------------------------------------------

    This is my own website at http://harriers-online.co.uk/khfc/ but i can't seem to get on it even though I can through Edge. I get the same thing when I try to go onto the forum at http://www.harriers-online.co.uk/forum/index.php

    I've cleared out the cache and cookies countless times now and it'll work at first then ten minutes later it comes back.
     
    Last edited: Jun 12, 2018
  2. Box Brownie

    Box Brownie

    Messages:
    6,133
    Edit My Images:
    No
    FWIW

    Chrome on my Android phone is fine :)
     
  3. neil_g

    neil_g

    Messages:
    31,207
    Name:
    Neil
    Edit My Images:
    No
    Same, works on android.

    Any reason the site isn't https too?
     
  4. Gogster

    Gogster

    Messages:
    408
    Name:
    Darryl
    Edit My Images:
    No
    On mobile? It is on desktop (Firefox)
     
  5. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    Nothing is sold through it so really shouldn't need to be https.

    Having converted two other sites to https and the way that Google then seem to mess up the analytic tracking of it makes me reticent to do it to a site the size of Harriers Online.

    BTW the problem seems to have cured itself overnight. KOD!
     
  6. onomatopoeia

    onomatopoeia

    Messages:
    4,143
    Name:
    Mark
    Edit My Images:
    Yes
    I haven't looked at the site, but if you have any pages that require a login to a user account, you should consider https as it stops the password being sent in clear.
     
    neil_g likes this.
  7. sphexx

    sphexx

    Messages:
    1,487
    Name:
    Richard
    Edit My Images:
    No
    You are collecting passwords. Chrome on iOS 11 shows it as insecure and warns you not to enter any data.:( I think eventually google will block non https sites :)
     
  8. Snapsh0t

    Snapsh0t

    Messages:
    1,941
    Name:
    Jonathan
    Edit My Images:
    No
    Which is a pain as my site doesn't use cookies, doesn't ask for or store any data and doesn't need any input from the user other than clicking through photos so there's no need for it to be https. I've no idea how I would implement it anyway, assuming my hosting company can set it up, as my front page is just a Word document converted to html.
     
    sphexx likes this.
  9. onomatopoeia

    onomatopoeia

    Messages:
    4,143
    Name:
    Mark
    Edit My Images:
    Yes
    This would be unfortunate, as a static site where no data is submitted does not need to be served using TLS.
     
    sphexx likes this.
  10. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    Am I? Do you mean on the forum or on the actual website?
     
  11. afasoas

    afasoas

    Messages:
    893
    Edit My Images:
    No
    Yes you do need https. Your host may offer a free lets encrypt certificate. I've certainly got all my sites "secured" using lets encrypt, but then I'm self-hosting so it's relatively easy for me to do. If you are hosting content, I'd look into learning to do this (or paying someone to do it for you).

    No idea why it's forbidden from Chrome. I'd try temporarily disabling all of your Chrome plugins.
     
  12. sphexx

    sphexx

    Messages:
    1,487
    Name:
    Richard
    Edit My Images:
    No
    Yes in the forum, Chrome give a message something like “do not enter any passwords here”.
     
  13. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    I use TSOHOST so no problem there but the forum is a sub folder of the main site so I would need to have the whole site SSL enabled.

    Does WP automatically rewrite internal links due to all images and posts being absolute addresses? If it doesn't then I can't see how I can enable it with thousands of pages to go through manually
     
  14. afasoas

    afasoas

    Messages:
    893
    Edit My Images:
    No
    For everything that you are hosting on the site, you should be using relative URLs (e.g. /images/image1.png). If you have used absolute URLS (http://mysite.sometld/images/image1.png) then those URLs will need to be changed. It's possible that you could write a script and run it against the wordpress database to correct all of the URLs, but I would back the database up first.

    Quite honestly if you are taking responsibility for hosting web content, you should host it yourself and learn to do it properly or pay someone to do it for you. Or use a service like Wix/Squarespace etc.. I make no apologies for sounding overly critical. The sad fact is that without the skills you are creating fodder for script kiddies and other nefarious actors.
     
  15. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    On all of the WP sites I've created they default to absolute addresses. As does this site:

    <span class="crust selectedTabCrumb">
    <a href="https://www.talkphotography.co.uk/" class="crumb"><span>Home</span></a>
    <span class="arrow"><span>&gt;</span></span>
    </span>

    BTW Harriers Online has been going since 1999 so I'm not some novice at this game. Just annoyed that Google foist crap on us at every turn. Once every site throughout the world has been made secure they'll come up with something else to put us back to square one.
     
  16. neil_g

    neil_g

    Messages:
    31,207
    Name:
    Neil
    Edit My Images:
    No
    Always use relative. You're going to break a lot of stuff now trying to redirect from http to https and/or get mixed content type errors.
     
  17. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    I've looked in the settings Neil and can see no way that I could set for relative when I first started the WP version last year. The permalinks defaulted to absolute
     
  18. afasoas

    afasoas

    Messages:
    893
    Edit My Images:
    No
    Log in to your wordpress site without HTTPS and your VPNFilter pwned modem can be used to sniff the credentials. Your precious website can then be used for crypto mining (if you are lucky) or as a command and control server for a botnet.
    Worse still, you have a forum for which other people are entering credentials. People have a habit of making mistakes, like re-using usernames and passwords. So if any of those are sniffed, you are putting your users at risk. This has you in breach of DPA let alone GDPR. You are inviting advertisers to sponsor the site, so it's likely you should be registered with the ICO and have a GDPR compliant privacy policy.

    It's not just simply a case of of "Google foisting crap on us". It's a legal obligation to protect personal information!
     
    Last edited: Jun 16, 2018
    sphexx likes this.
  19. afasoas

    afasoas

    Messages:
    893
    Edit My Images:
    No
    FTR I've converted two Wordpress sites to fully use HTTPS with Lets Encrypt*. I can't remember the exact details, but I did have to do something to deal with the image/media links.

    *Previously used a certificate from my own certificate authority for the admin pages, which was fine as I was the only administator and I had the CA ceritificate (public key) in my machines certificate store.
     
  20. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    I see the goalposts are moving again:

    https://www.paypal.com/stories/uk/system-security-is-your-business-ready-for-30th-june

    https://en.wikipedia.org/wiki/Transport_Layer_Security

    -----------------------------------------------------------------------

    So how do I make sure my SSL enabled sites that use Paypal are TLS compliant if there is no mention of this on the hosts website (TSOHOST) or on Paypal
     
  21. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    The site and the forum are now secure using a Let's Encrypt SSL certificate. I'll have to wait and see how I can encrypt it for TLS next
     
    sphexx likes this.
  22. onomatopoeia

    onomatopoeia

    Messages:
    4,143
    Name:
    Mark
    Edit My Images:
    Yes
    Those of us who handle integration with payment processors have already long been aware of all versions of SSL and versions of TLS before 1.2 being deprecated by the processors, I made the transition for our sites a year ago.

    This is part of what goes behind an HTTPS connection on the server. If you're running wordpress on a server provided by a hosting company it's not something you need to worry about, they should handle making sure the server supports the relevant, modern, security layer without you having to do anything low level, basically just provide a certificate.
     
    Harriers9 likes this.
  23. onomatopoeia

    onomatopoeia

    Messages:
    4,143
    Name:
    Mark
    Edit My Images:
    Yes
    It already supports TLS v1.2 which is a standard acceptable in online payment processing, and gets an "A" rating for connection security at ssl labs.

    "SSL" is a generic term still used when referring to connection security, though the SSL protocol itself has been superseded by TLS.
     
    Harriers9 likes this.
  24. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    Thanks for that. Maybe I just get a little paranoid about it all sometimes :runaway:
     
  25. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    I'm getting the original problem again today.

    Been working on the site for about twenty minutes. Go to open a page up to work on that and get told I'm forbidden access. I can't get onto the forum either now.

    What on earth is going on?
     
  26. afasoas

    afasoas

    Messages:
    893
    Edit My Images:
    No
    Are you able to view the web server logs via the shared hosting panel?
    One possibility, It sounds like you are tripping an intrusion detection system (IDS) that the host maybe running??
     
  27. frank

    frank

    Messages:
    2,547
    Edit My Images:
    Yes
    Try checking your .htaccess file, you may have inadvertently got yourself on a blacklist of banned users.
     
  28. Harriers9

    Harriers9

    Messages:
    549
    Name:
    Philip
    Edit My Images:
    No
    That's all been checked out by TSOHOST. I did a search on my desktop for stray access files downloaded when backing up and deleted those (3)

    Someone on the Cnet forum suggested it could be my DNS settings so they were flushed etc yesterday and it's been ok since. Cross fingers tap on wood
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice