Forbidden

Name
Philip
#1
Why do I keep getting this on Chrome?

----------------------------------------------------------

Forbidden
You don't have permission to access /khfc/ on this server.

-----------------------------------------------------------

This is my own website at http://harriers-online.co.uk/khfc/ but I can't seem to get on it even though I can through Edge. I get the same thing when I try to go onto the forum at http://www.harriers-online.co.uk/forum/index.php

I've cleared out the cache and cookies countless times now and it'll work at first then ten minutes later it comes back.
 
OP
Harriers9
Name
Philip
#5
> Same, works on Android.
>
> Any reason the site isn't https too?

Nothing is sold through it so really shouldn't need to be https.

Having converted two other sites to https and the way that Google then seem to mess up the analytic tracking of it makes me reticent to do it to a site the size of Harriers Online.

BTW the problem seems to have cured itself overnight. KOD!
 
Name
Richard
#7
> Nothing is sold through it so really shouldn't need to be https.
>
> Having converted two other sites to https and the way that Google then seem to mess up the analytic tracking of it makes me reticent to do it to a site the size of Harriers Online.
>
> BTW the problem seems to have cured itself overnight. KOD!

You are collecting passwords. Chrome on iOS 11 shows it as insecure and warns you not to enter any data. :( I think eventually Google will block non-https sites :)
 
Name
Jonathan
#8
> You are collecting passwords. Chrome on iOS 11 shows it as insecure and warns you not to enter any data. :( I think eventually Google will block non-https sites :)

Which is a pain as my site doesn't use cookies, doesn't ask for or store any data and doesn't need any input from the user other than clicking through photos so there's no need for it to be https. I've no idea how I would implement it anyway, assuming my hosting company can set it up, as my front page is just a Word document converted to html.
 
#11
Yes you do need https. Your host may offer a free Let's Encrypt certificate. I've certainly got all my sites "secured" using Let's Encrypt, but then I'm self-hosting so it's relatively easy for me to do. If you are hosting content, I'd look into learning to do this (or paying someone to do it for you).

No idea why it's forbidden from Chrome. I'd try temporarily disabling all of your Chrome plugins.
 
OP
Harriers9
Name
Philip
#13
> Yes you do need https. Your host may offer a free Let's Encrypt certificate. I've certainly got all my sites "secured" using Let's Encrypt, but then I'm self-hosting so it's relatively easy for me to do. If you are hosting content, I'd look into learning to do this (or paying someone to do it for you).
>
> No idea why it's forbidden from Chrome. I'd try temporarily disabling all of your Chrome plugins.

Yes, in the forum Chrome gives a message something like “do not enter any passwords here”.
I use TSOHOST so no problem there but the forum is a sub folder of the main site so I would need to have the whole site SSL enabled.

Does WP automatically rewrite internal links due to all images and posts being absolute addresses? If it doesn't then I can't see how I can enable it with thousands of pages to go through manually.
 
#14
For everything that you are hosting on the site, you should be using relative URLs (e.g. /images/image1.png). If you have used absolute URLs (http://mysite.sometld/images/image1.png) then those URLs will need to be changed. It's possible that you could write a script and run it against the WordPress database to correct all of the URLs, but I would back the database up first.

Quite honestly if you are taking responsibility for hosting web content, you should host it yourself and learn to do it properly or pay someone to do it for you. Or use a service like Wix/Squarespace etc. I make no apologies for sounding overly critical. The sad fact is that without the skills you are creating fodder for script kiddies and other nefarious actors.
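
An added example (not part of the thread, and not WordPress's own code) of the kind of URL-correcting script post #14 suggests. WordPress keeps some settings as PHP-serialized strings with byte-length prefixes, so a plain find-and-replace from http to https corrupts them; this sketch fixes the lengths as it rewrites. The host `www.example.org` and the sample rows are constructed.

```python
import re

# PHP serialize() writes strings as s:<byte length>:"<value>";
_SER_STR = re.compile(rb's:(\d+):"')

def rewrite_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside serialized strings and recompute lengths."""
    out, pos = bytearray(), 0
    while (m := _SER_STR.search(blob, pos)) is not None:
        start = m.end()
        end = start + int(m.group(1))
        if blob[end:end + 2] != b'";':
            # Not a real string token (length does not land on the
            # closing quote): copy it through untouched and keep scanning.
            out += blob[pos:start]
            pos = start
            continue
        value = blob[start:end].replace(old, new)
        out += blob[pos:m.start()]
        out += b's:%d:"%s";' % (len(value), value)
        pos = end + 2
    out += blob[pos:]
    return bytes(out)

def rewrite_field(text: str, old: str, new: str) -> str:
    """Rewrite one database field, serialized or plain."""
    raw, o, n = text.encode("utf-8"), old.encode("utf-8"), new.encode("utf-8")
    if re.match(rb'(?:a|s|O):\d+:', raw):
        raw = rewrite_serialized(raw, o, n)
    else:
        raw = raw.replace(o, n)
    return raw.decode("utf-8")

# Constructed sample rows; example.org stands in for the site's own host.
OLD, NEW = "http://www.example.org", "https://www.example.org"
POST = '<img src="http://www.example.org/images/image1.png">'
OPTION = 'a:1:{s:4:"logo";s:38:"http://www.example.org/images/logo.png";}'

if __name__ == "__main__":
    print(rewrite_field(POST, OLD, NEW))
    print(rewrite_field(OPTION, OLD, NEW))
    print(OPTION.replace(OLD, NEW))  # naive replace keeps s:38 for a 39-byte value
```

Only URLs on the site's own host are touched, and running it twice changes nothing further. On a live install, WP-CLI's `wp search-replace` command does the same job and also handles serialized data.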
 
OP
Harriers9
Name
Philip
#15
On all of the WP sites I've created they default to absolute addresses. As does this site:

<span class="crust selectedTabCrumb">
<a href="https://www.talkphotography.co.uk/" class="crumb"><span>Home</span></a>
<span class="arrow"><span>&gt;</span></span>
</span>

BTW Harriers Online has been going since 1999 so I'm not some novice at this game. Just annoyed that Google foist crap on us at every turn. Once every site throughout the world has been made secure they'll come up with something else to put us back to square one.
 
#18
> On all of the WP sites I've created they default to absolute addresses. As does this site:
> BTW Harriers Online has been going since 1999 so I'm not some novice at this game. Just annoyed that Google foist crap on us at every turn. Once every site throughout the world has been made secure they'll come up with something else to put us back to square one.

Log in to your WordPress site without HTTPS and your VPNFilter pwned modem can be used to sniff the credentials. Your precious website can then be used for crypto mining (if you are lucky) or as a command and control server for a botnet.
Worse still, you have a forum for which other people are entering credentials. People have a habit of making mistakes, like re-using usernames and passwords. So if any of those are sniffed, you are putting your users at risk. This has you in breach of DPA let alone GDPR. You are inviting advertisers to sponsor the site, so it's likely you should be registered with the ICO and have a GDPR compliant privacy policy.

It's not just simply a case of "Google foisting crap on us". It's a legal obligation to protect personal information!
 
#19
> I've looked in the settings Neil and can see no way that I could set for relative when I first started the WP version last year. The permalinks defaulted to absolute.

FTR I've converted two WordPress sites to fully use HTTPS with Let's Encrypt*. I can't remember the exact details, but I did have to do something to deal with the image/media links.

*Previously used a certificate from my own certificate authority for the admin pages, which was fine as I was the only administrator and I had the CA certificate (public key) in my machine's certificate store.
 
OP
Harriers9
Name
Philip
#20
I see the goalposts are moving again:

https://www.paypal.com/stories/uk/system-security-is-your-business-ready-for-30th-june

Transport Layer Security (TLS) – and its predecessor, Secure Sockets Layer (SSL), which is now deprecated by the Internet Engineering Task Force [1] (IETF) – are cryptographic protocols that provide communications security over a computer network.[2] Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites are able to use TLS to secure all communications between their servers and web browsers.
https://en.wikipedia.org/wiki/Transport_Layer_Security

-----------------------------------------------------------------------

So how do I make sure my SSL enabled sites that use PayPal are TLS compliant if there is no mention of this on the host's website (TSOHOST) or on PayPal?
 
Name
Mark
#22
Those of us who handle integration with payment processors have already long been aware of all versions of SSL and versions of TLS before 1.2 being deprecated by the processors; I made the transition for our sites a year ago.

This is part of what goes behind an HTTPS connection on the server. If you're running WordPress on a server provided by a hosting company it's not something you need to worry about, they should handle making sure the server supports the relevant, modern, security layer without you having to do anything low level, basically just provide a certificate.
 
Name
Mark
#23
> The site and the forum are now secure using a Let's Encrypt SSL certificate. I'll have to wait and see how I can encrypt it for TLS next.

It already supports TLS v1.2 which is a standard acceptable in online payment processing, and gets an "A" rating for connection security at SSL Labs.

"SSL" is a generic term still used when referring to connection security, though the SSL protocol itself has been superseded by TLS.
 
#26
> I'm getting the original problem again today.
>
> Been working on the site for about twenty minutes. Go to open a page up to work on that and get told I'm forbidden access. I can't get onto the forum either now.
>
> What on earth is going on?

Are you able to view the web server logs via the shared hosting panel?
One possibility: it sounds like you are tripping an intrusion detection system (IDS) that the host may be running?
 
#27
Try checking your .htaccess file, you may have inadvertently got yourself on a blacklist of banned users.
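
An added example (not from the thread) of the .htaccess check suggested in post #27: it lists the Apache deny rules (`Deny from` and `Require not ip`) whose address range covers a given client IP, including partial addresses and netmask notation. The .htaccess content and addresses are constructed, and the function only reports matching rules; it does not evaluate `Order` or `Require` precedence.

```python
import ipaddress
import re

# Constructed .htaccess content for illustration.
SAMPLE_HTACCESS = """\
# added by a security plugin
Order Allow,Deny
Allow from all
Deny from 203.0.113.7
Deny from 198.51.100
Deny from 192.0.2.0/255.255.255.0
<RequireAll>
    Require all granted
    Require not ip 2001:db8::/32
</RequireAll>
"""

_RULE = re.compile(r'^\s*(?:deny\s+from|require\s+not\s+ip)\s+(.+)$', re.I)

def _to_network(spec):
    """Turn one rule argument into a network, or None if it is not an address."""
    if re.fullmatch(r'\d{1,3}(\.\d{1,3}){0,2}\.?', spec):
        # Partial IPv4 such as "198.51.100" means the whole 198.51.100.0/24.
        octets = spec.rstrip('.').split('.')
        spec = '.'.join(octets + ['0'] * (4 - len(octets))) + '/%d' % (8 * len(octets))
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None  # hostname, "all", env=..., and so on

def matching_rules(htaccess, client_ip):
    """Return (line number, rule text) for each deny rule covering client_ip."""
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for lineno, line in enumerate(htaccess.splitlines(), 1):
        m = _RULE.match(line)  # commented-out rules start with '#' and never match
        if not m:
            continue
        for spec in m.group(1).split():
            net = _to_network(spec)
            if net is not None and ip.version == net.version and ip in net:
                hits.append((lineno, line.strip()))
    return hits

if __name__ == "__main__":
    for addr in ("198.51.100.23", "203.0.113.8"):
        print(addr, matching_rules(SAMPLE_HTACCESS, addr))
```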
 