
cms - 403 forbidden when changing settings on WP Multisite non-main sites


So I installed a fresh 5.2 WP and set up the Multisite network working with subdomains, then created 2 new test sites.

From the outside all works great, I can browse the main site and the 2 test sites properly.

On the admin panel though, I can go and change the main site settings tab under network admin -> Sites and it saves properly.

When I try to do the same on any of the 2 test sites though I get a 403 forbidden error, the php script URL the form sends the info to is the same as the main site though (/wp-admin/network/site-settings.php?action=update-site) which has me puzzled as it should be working.

I've checked several guides on 403 errors and all checks are OK:

  • DB multisite tables are there
  • File permissions seem ok, I'm even trying with all 755 atm.
  • Config wise it's all WP default since it's a new installation
  • Created subdomain wildcard which path is set to the same as domain
  • I'm using the HTACCESS code from the network installation:

    Options FollowSymlinks
    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ $1 [L]
    RewriteRule . index.php [L]
    # END WordPress

  • Added the network installation lines to wp-config.php as well:

    /* MULTISITE */ 
    define('WP_ALLOW_MULTISITE', true);
    define('MULTISITE', true);
    define('SUBDOMAIN_INSTALL', true);
    define('DOMAIN_CURRENT_SITE', 'mydomain');
    define('PATH_CURRENT_SITE', '/');
    define('SITE_ID_CURRENT_SITE', 1);
    define('BLOG_ID_CURRENT_SITE', 1);
    
    
    /* That's all, stop editing! Happy blogging. */
    
    /** Absolute path to the WordPress directory. */
    if ( ! defined( 'ABSPATH' ) )
        define( 'ABSPATH', dirname( __FILE__ ) . '/' );
    
    /** Sets up WordPress vars and included files. */
    require_once ABSPATH . 'wp-settings.php';
    

Any idea what the problem could be?


asked Jul 9, 2019 at 10:55 by Pablo.dev, edited Jul 9, 2019 at 11:35
  • So checking the server's log the petition was being blocked by ModSecurity because parameters contained a different subdomain. I eventually fixed it by disabling the firewall on the hosting. – Pablo.dev Commented Jul 10, 2019 at 11:06
2 Answers

I had the same problem - I found the rules in Apache modsecurity that include a set of exclusions for WordPress didn't cover /network/site-settings.php, so I could do everything except edit sites in my multisite setup. In the file /usr/share/modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf I added the following lines:

    # Exclusion for the multisite site-settings form: the ctl actions below
    # disable the listed CRS rules for requests to this one script only.
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/network/site-settings.php" \
       "id:9009999,\
       phase:1,\
       pass,\
       t:none,\
       nolog,\
       ctl:ruleRemoveById=941140,\
       ctl:ruleRemoveById=941160,\
       ctl:ruleRemoveById=942190,\
       ctl:ruleRemoveById=942240,\
       ctl:ruleRemoveById=980130,\
       ctl:ruleRemoveById=949110"

...it's my first experience of editing modsecurity rules, so there is probably a better way of doing it - but it worked.
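
Both the asker's comment and the answer above rest on reading the ModSecurity log for this endpoint. The following Python script is an added example, not part of the original posts: it parses error-log lines, separates detection rules from the scoring rules 949110 and 980130 (removing those switches off blocking for the whole script), and derives per-parameter `ctl:ruleRemoveTargetById` actions. The log lines, client address and matched parameter names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Apache error-log style written by ModSecurity 2.x.
# Client address, timestamps and matched parameter names are made up.
URI = '[hostname "mydomain"] [uri "/wp-admin/network/site-settings.php"]'
SAMPLE_LOG = "\n".join([
    f'[Wed Jul 10 10:58:01 2019] [:error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "..." at ARGS:option[siteurl]. [id "941140"] {URI}',
    f'[Wed Jul 10 10:58:01 2019] [:error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "..." at ARGS:option[siteurl]. [id "942190"] {URI}',
    f'[Wed Jul 10 10:58:01 2019] [:error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "..." at ARGS:option[home]. [id "942190"] {URI}',
    f'[Wed Jul 10 10:58:01 2019] [:error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] {URI}',
    f'[Wed Jul 10 10:58:01 2019] [:error] [client 203.0.113.5] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [id "980130"] {URI}',
    '[Wed Jul 10 10:59:40 2019] [:error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "..." at ARGS:log. [id "942100"] [hostname "mydomain"] [uri "/wp-login.php"]',
])

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')   # [id "941140"], [uri "/..."], ...
TARGET = re.compile(r' at (\S+?)\. \[')      # the variable the operator matched on
SCORING_RULES = {"949110", "980130"}         # anomaly evaluation/correlation, not detections

def triage(log_text, endpoint):
    """Return ({rule_id: {targets}}, {scoring rule ids}) for hits on one endpoint."""
    detections, scoring = defaultdict(set), set()
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "id" not in fields or not fields.get("uri", "").endswith(endpoint):
            continue
        if fields["id"] in SCORING_RULES:
            scoring.add(fields["id"])  # consequence of the detections, leave enabled
            continue
        match = TARGET.search(line)
        detections[fields["id"]].add(match.group(1) if match else "?")
    return dict(detections), scoring

def suggest_exclusions(detections):
    """One ctl action per (rule, parameter) pair instead of removing whole rules."""
    return sorted(f"ctl:ruleRemoveTargetById={rule};{target}"
                  for rule, targets in detections.items() for target in targets)

if __name__ == "__main__":
    found, scoring_seen = triage(SAMPLE_LOG, "/wp-admin/network/site-settings.php")
    print("scoring rules seen (keep enabled):", sorted(scoring_seen))
    print("\n".join(suggest_exclusions(found)))
```

The printed actions can replace the `ctl:ruleRemoveById` lines in an exclusion like the one above, so the rules keep inspecting every other parameter and the anomaly threshold still applies to the endpoint.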

I know this sounds ridiculous what I'm about to suggest but I've had a similar issue a number of times when running WordPress locally in Network mode.

Clear your entire cache (possibly more than once). This seems to be more problematic in Chrome than other browsers with my own experience.

Failing that, scrap your wildcard on the sub domain and set them up in either your host file (for local only) or with the correct DNS settings with your domain provider.
