Can’t edit main theme php files after upgrading to 4.9

@backups If you press the line which links to my blog, you’ll get to the WordPress website. Sorry for not explaining this.

• This reply was modified 7 years, 3 months ago by Debresser. Reason: To avoid suggestion it was an intentional mistake

Experiencing the same issue on hostgator site. No caching plugins whatsoever.

I also have the problem on more then 30 sites….all together more then 8 different hosting companys in Belgium, German and Austria!

At my opinion it have nothing to do with Hosting Providers!

I did what @backups wrote:
quote:

Note if i replace
wp-admin/theme-editor.php
wp-admin/includes/file.php
With the same named files from build 4.8.3

unquote

And everything works!!!

• This reply was modified 7 years, 3 months ago by Patrick Horemans.

@clorith It is the same for plugins. I can edit any not active plugin. But not a activated one.

@winock you dont have to replace it with the old files from 4.8.3. Just open wp-admin/includes/file.php and delete lines 491-598 in that file. You then can at least edit the files again. I know it is less secure, but you can work from the editor. It is almost the same as restoring the 2 files from wp 4.8.3 ??

Remove this complete code block

	if ( $is_active && 'php' === $extension ) {

		$scrape_key = md5( rand() );
		$transient = 'scrape_key_' . $scrape_key;
		$scrape_nonce = strval( rand() );
		set_transient( $transient, $scrape_nonce, 60 ); // It shouldn't take more than 60 seconds to make the two loopback requests.

		$cookies = wp_unslash( $_COOKIE );
		$scrape_params = array(
			'wp_scrape_key' => $scrape_key,
			'wp_scrape_nonce' => $scrape_nonce,
		);
		$headers = array(
			'Cache-Control' => 'no-cache',
		);

		// Include Basic auth in loopback requests.
		if ( isset( $_SERVER['PHP_AUTH_USER'] ) && isset( $_SERVER['PHP_AUTH_PW'] ) ) {
			$headers['Authorization'] = 'Basic ' . base64_encode( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) . ':' . wp_unslash( $_SERVER['PHP_AUTH_PW'] ) );
		}

		// Make sure PHP process doesn't die before loopback requests complete.
		@set_time_limit( 300 );

		// Time to wait for loopback requests to finish.
		$timeout = 100;

		$needle_start = "###### wp_scraping_result_start:$scrape_key ######";
		$needle_end = "###### wp_scraping_result_end:$scrape_key ######";

		// Attempt loopback request to editor to see if user just whitescreened themselves.
		if ( $plugin ) {
			$url = add_query_arg( compact( 'plugin', 'file' ), admin_url( 'plugin-editor.php' ) );
		} elseif ( isset( $stylesheet ) ) {
			$url = add_query_arg(
				array(
					'theme' => $stylesheet,
					'file' => $file,
				),
				admin_url( 'theme-editor.php' )
			);
		} else {
			$url = admin_url();
		}
		$url = add_query_arg( $scrape_params, $url );
		$r = wp_remote_get( $url, compact( 'cookies', 'headers', 'timeout' ) );
		$body = wp_remote_retrieve_body( $r );
		$scrape_result_position = strpos( $body, $needle_start );

		$loopback_request_failure = array(
			'code' => 'loopback_request_failed',
			'message' => __( 'Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.' ),
		);
		$json_parse_failure = array(
			'code' => 'json_parse_error',
		);

		$result = null;
		if ( false === $scrape_result_position ) {
			$result = $loopback_request_failure;
		} else {
			$error_output = substr( $body, $scrape_result_position + strlen( $needle_start ) );
			$error_output = substr( $error_output, 0, strpos( $error_output, $needle_end ) );
			$result = json_decode( trim( $error_output ), true );
			if ( empty( $result ) ) {
				$result = $json_parse_failure;
			}
		}

		// Try making request to homepage as well to see if visitors have been whitescreened.
		if ( true === $result ) {
			$url = home_url( '/' );
			$url = add_query_arg( $scrape_params, $url );
			$r = wp_remote_get( $url, compact( 'cookies', 'headers', 'timeout' ) );
			$body = wp_remote_retrieve_body( $r );
			$scrape_result_position = strpos( $body, $needle_start );

			if ( false === $scrape_result_position ) {
				$result = $loopback_request_failure;
			} else {
				$error_output = substr( $body, $scrape_result_position + strlen( $needle_start ) );
				$error_output = substr( $error_output, 0, strpos( $error_output, $needle_end ) );
				$result = json_decode( trim( $error_output ), true );
				if ( empty( $result ) ) {
					$result = $json_parse_failure;
				}
			}
		}

		delete_transient( $transient );

		if ( true !== $result ) {

			// Roll-back file change.
			file_put_contents( $real_file, $previous_content );
			if ( function_exists( 'opcache_invalidate' ) ) {
				opcache_invalidate( $real_file, true );
			}

			if ( ! isset( $result['message'] ) ) {
				$message = __( 'An unidentified error has occurred.' );
			} else {
				$message = $result['message'];
				unset( $result['message'] );
			}
			return new WP_Error( 'php_error', $message, $result );
		}
	}

@clorith @backups
Yes, activated plugins return the error.
Deactivated plugins can be edited without a problem.

@padraigbeirne Yes because the function that produces the error message is only doing its stuff on active themes or plugins

if ( $is_active && 'php' === $extension ) {

 and here it does something to make things more secure.... 

}

So any edit for a non active plugin or theme works just fine.

So a hacker turns of the plugin or theme, does his stuff and turns it back on. So much for extra security.

Crazy part: I have wordpress installation that runs with W3TC plugin, protected by hardware load balancer, two varnish installations, and cloudflare on top of all of the above… And it updates active theme and plugin php files with no problem whatsoever.

• This reply was modified 7 years, 3 months ago by Wace.

Just to add to the broadness of this, I am also finding the exact same, when I try to edit/add to the functions.php file in child themes… This happens so far on several sites, two significantly different servers/hosting situations…

OK, this is getting a bit out of hand here.

If you intend to post a reply here, please do not post “me too”, instead I want the following information:

– What webhost are you using
– Which hosting package with that host are you using (they usually have many options)
– The exact error you are seeing
– Deactivate ALL plugins (alternatively leave the Health Check plugin enabled to copy debug data for us) and use a default theme (such as Twenty Seventeen)

And please do not modify WordPress core files, with the exception of steps asked to perform troubleshooting steps outlined, and in such cases please undo the modifications right away after.

The steps above are so that it’s actually possible to keep track of the topic at hand, or else it’ll just end up being spammed down and that’s when volunteers stop caring ??

—

Moving on!
A few of you have said what hosts you are using, but could you elaborate on what package you use with them (as noted above in my requests for what should be posted)?

1and1 ‘unlimited Pro’ package

Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

All plugins deactivated

Theme set to Twenty Seventeen

Editor works fine

My problem starts when a child theme is created and active

• This reply was modified 7 years, 3 months ago by centrespot.
• This reply was modified 7 years, 3 months ago by centrespot.

Thanks Marius for your patience and help.
Webhost: Blacknight (Maximus shared hosting package)
Exact Error: Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.
When does it occur?: A few seconds after clicking the Update button on editing an active Theme php file or active plugin php files (css or txt files are not affected) in the WP theme or plugin editor.

Error still occurs with plugins de-activated and 2017 theme activated. Re-activated plugins and ran Health Check with the following results:

Server architecture: Linux 2.6.32-673.26.1.lve1.4.30.el6.x86_64 x86_64
PHP Version: 7.0.25 (Supports 64bit values)
PHP SAPI: cgi-fcgi
PHP max input variables: 2048
PHP time limit: 120
PHP memory limit: 256M
Upload max filesize: 32M
PHP post max size: 32M
cURL Version: 7.54.0 OpenSSL/1.0.2k
SUHOSIN installed: No
Is the Imagick library available: No

MySQL
Server version: 5.5.57
Client version: 5.6.37

Your PHP install supports JSON.
Your MySQL version supports utf8mb4
www.ads-software.com is reachable from your server.
You are using HTTPS to access this website.
Your WordPress install can communicate securely with other services.
No version control systems were detected.
Your installation of WordPress doesn’t require FTP credentials to perform updates.
All of your WordPress files are writable.

– A scheduled event (nxs_querypost_event) has failed to run. Your site still works, but this may indicate that scheduling posts or automated updates may not work as intended.

x The WP_AUTO_UPDATE_CORE constant is defined and enabled. [I have this set intentionally].
x WordPress security and maintenance releases are blocked by define( ‘WP_AUTO_UPDATE_CORE’, false );. [I have this set intentionally so I can review updates on a test site first]

x Unable to perform a loopback request to your site, this may prevent WP_Cron from working, along with theme and plugin editors.

I have never edited the core files. But i think it’s time to do it.
Just replaced
“if ( $is_active && ‘php‘ === $extension ) {”
for
“if ( $is_active && ‘123‘ === $extension ) {”

But I still hope someone fix this issue, because I edit/save theme files about 1000 times by day.

Two hosts/servers where it is occurring:

Radiant Solutions – https://www.radiantsolutions.net/resellerhosting.html
Advanced Reseller package – all sites php 7.1

12Wonder – https://my.12wonder.com/cart.php?gid=9
Business Hosting package – php 5.6

Error occurs modifying functions.php file in child theme, and also in experimenting without child theme, directly to core functions.php… I occasionally edit other .php files in a child, but functions is the only place I’ve needed to edit since 4.9…

Error is:

Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

Experimenting on Radiant Soulutions in two dev sites it is narrowed down for me to the ShortPixel plugin, when activated by itself the issue/error occurs. deactivated it goes away…

Happens with Divi theme and a child theme in one dev site after narrowing down through a whole bunch of plugins I often use… And then again to confirm, identical issue/error on another fresh dev site with just 2017, no child and just ShortPixel activated… Either of these sites are available for experimenting…

Experimenting happened in my Radiant Solutions reseller account… The 12Wonder site is a single cPanel account I am currently working on with a client and cannot disrupt…

BUT, when I deactivate ShortPixel on the 12Wonder site, all other plugins good to go, the issue/error goes way… Reactivate ShortPixel and it reappears…

This is only one pattern though, others are reporting issue/error with different configurations, patterns…??

I am going to post this to the ShortPixel WP forum and also to their main site…

Below is info from the Health Check plugin, first is the Dev 2017 fresh install site, and second the Dev Divi site…

(Since the Health Check plugin updated a few hours ago it has been taking a HUGE huge incredibly long time to go through its paces and load info… Before the update it was very fast, pretty immediate even…)

==========

### WordPress ### awakenedheart.life

Version: 4.9
Language: en_US
Permalink structure: /%year%/%monthnum%/%day%/%postname%/
Is this site using HTTPS?: Yes
Can anyone register on this site?: No
Default comment status: open
Is this a multisite?: No
User Count: 2
Communication with www.ads-software.com: www.ads-software.com is reachable
Create loopback requests: Unable to perform a loopback request to your site, this may prevent WP_Cron from working, along with theme and plugin editors.

### Active theme ###

Name: Twenty Seventeen
Version: 1.4
Author: the WordPress team
Author website: https://www.ads-software.com/
Parent theme: Not a child theme
Supported theme features: automatic-feed-links, title-tag, post-thumbnails, menus, html5, post-formats, custom-logo, customize-selective-refresh-widgets, editor-style, starter-content, custom-header, widgets

### Other themes (2) ###

Twenty Fifteen (twentyfifteen): version 1.9 by the WordPress team
Twenty Sixteen (twentysixteen): version 1.4 by the WordPress team

### Active Plugins (2) ###

Health Check: version 0.5.1 by The www.ads-software.com community
ShortPixel Image Optimizer: version 4.8.2 by ShortPixel

### Inactive Plugins (6) ###

Akismet Anti-Spam: version 4.0.1 by Automattic
Better Plugin Compatibility Control: version 4.9.0 by Oliver Schl?be
ManageWP – Worker: version 4.2.27 by ManageWP
Really Simple SSL: version 2.5.23 by Rogier Lankhorst
Wordfence Assistant: version 1.0.4 by Mark Maunder
Wordfence Security: version 6.3.21 by Wordfence

### Server ###

Server architecture: Linux 2.6.32-773.26.1.lve1.4.35.el6.x86_64 x86_64
PHP Version: 7.1.11 (Supports 64bit values)
PHP SAPI: cgi-fcgi
PHP max input variables: 5000
PHP time limit: 600
PHP memory limit: 512M
Upload max filesize: 1G
PHP post max size: 500M
cURL Version: 7.54.0 OpenSSL/1.0.2k
SUHOSIN installed: No
Is the Imagick library available: Yes

### Database ###

Extension: mysqli
Server version: 5.5.5-10.0.33-MariaDB
Client version: mysqlnd 5.0.12-dev – 20150407 – $Id: b396954eeb2d1d9ed7902b8bae237b287f21ad9e $
Database prefix: awake_

### WordPress constants ###

ABSPATH: /home/awakenedheart/public_html/
WP_HOME: Undefined
WP_SITEURL: Undefined
WP_DEBUG: Disabled
WP_MAX_MEMORY_LIMIT: 512M
WP_DEBUG_DISPLAY: Enabled
WP_DEBUG_LOG: Disabled
SCRIPT_DEBUG: Disabled
WP_CACHE: Disabled
CONCATENATE_SCRIPTS: Undefined
COMPRESS_SCRIPTS: Undefined
COMPRESS_CSS: Undefined
WP_LOCAL_DEV: Undefined

### Filesystem permissions ###

The main WordPress directory: Writable
The wp-content directory: Writable
The uploads directory: Writable
The plugins directory: Writable
The themes directory: Writable
The Must Use Plugins directory: Writable

===========================================

### WordPress ### (spiritawake.life)

Version: 4.9
Language: en_US
Permalink structure: /%postname%/
Is this site using HTTPS?: Yes
Can anyone register on this site?: No
Default comment status: closed
Is this a multisite?: No
User Count: 1
Communication with www.ads-software.com: www.ads-software.com is reachable
Create loopback requests: Unable to perform a loopback request to your site, this may prevent WP_Cron from working, along with theme and plugin editors.

### Active theme ###

Name: Divi Spirit Designs Child
Version: 1.0.0
Author: SpiritAwake
Author website: https://www.spiritawake.net
Parent theme: Divi
Supported theme features: custom-background, automatic-feed-links, post-thumbnails, menus, title-tag, post-formats, woocommerce, wc-product-gallery-zoom, wc-product-gallery-lightbox, wc-product-gallery-slider, customize-selective-refresh-widgets, editor-style, widgets

### Other themes (4) ###

Divi (Divi): version 3.0.89 by Elegant Themes
Twenty Fifteen (twentyfifteen): version 1.9 by the WordPress team
Twenty Fourteen (twentyfourteen): version 2.1 by the WordPress team
Twenty Sixteen (twentysixteen): version 1.4 by the WordPress team

### Active Plugins (2) ###

Health Check: version 0.5.1 by The www.ads-software.com community
ShortPixel Image Optimizer: version 4.8.2 by ShortPixel

### Inactive Plugins (75) ###

Admin Columns: version 3.0.5 by AdminColumns.com
Admin Menu Editor: version 1.8.1 by Janis Elsts
Advanced Menu Widget: version 0.4.1 by Ján Bo?ínec
Akismet Anti-Spam: version 4.0.1 by Automattic
bbP Manage Subscriptions: version 1.2.0 by Pascal Casier
bbPress: version 2.6-alpha by The bbPress Contributors
bbPress – Private Replies: version 1.3.3 by Pippin Williamson and Remi Corson
bbPress Move Topics: version 1.1.3 by Pascal Casier
bbPress Notify (No-Spam): version 1.15.9.1 by Vinny Alves (UseStrict Consulting)
bbPress Reply Titles: version 1.0 by Boone B Gorges
bbP Toolkit: version 1.0.10 by Pascal Casier
Better Notifications for WordPress: version 1.6.7 by Made with Fuel
Better Plugin Compatibility Control: version 4.9.0 by Oliver Schl?be
Birds Custom Login: version 1.0.8 by Frédéric Serva
Bulk Attachment Download: version 1.2.3 by Jon Anwyl
Category to Pages WUD: version 2.3.6 by Danny WUD
Clean Login: version 1.8.1 by codection
Conditional Widgets: version 2.2 by Jason Lemahieu and Kevin Graeme (Cooperative Extension Technology Services)
Contact Form 7: version 4.9.1 by Takayuki Miyoshi
Contact Form 7 Honeypot: version 1.12 by Nocean
CSSHero: version 2.31 by CssHero.org
CSS Hero Animator: Version 0.71
CSS Hero Inspector PRO: Version 1.0b1
Custom Content Shortcode: version 3.6.7 by Eliot Akira
Custom Menu Wizard: version 3.3.0 by Roger Barrett
Custom Post Type UI: version 1.5.6 by WebDevStudios
Decent Comments: version 1.5.0 by itthinx
Divi/Extra Layout Injector: version 3.1 by Sean Barton – Tortoise IT
Divi Display Logic: version 1.3 by Sean Barton (Tortoise IT)
Duplicate Menu: version 0.2.1 by Jonathan Christopher
Dynamic Widgets: version 1.5.13 by Qurl
Elegant Themes Support: version 1.3 by Elegant Themes
Enable Media Replace: version 3.1.1 by M?ns Jonasson
Enhanced Text Widget: version 1.4.6 by Boston Dell-Vandenberg
Flamingo: version 1.7 by Takayuki Miyoshi
Google Analytics Dashboard for WP (GADWP): version 5.1.2.2 by Alin Marcu
Gutenberg: version 1.7.0 by Gutenberg Team
Head, Footer and Post Injections: version 3.1.0 by Stefano Lissa
Heartbeat Control: version 1.2.2 by Jeff Matson
Image Widget: version 4.4.6 by Modern Tribe, Inc.
IP Geo Block: version 3.0.4.6 by tokkonopapa
jQuery Archive List Widget: version 3.0.6 by Miguel Useche
ManageWP – Worker: version 4.2.27 by ManageWP
Media Library Assistant: version 2.62 by David Lingren, Fair Trade Judaica
Optimize Database after Deleting Revisions: version 4.4.1 by CAGE Web Design | Rolf van Gelder, Eindhoven, The Netherlands
PHP Code Widget: version 2.3 by Otto
Post Duplicator: version 2.20 by Metaphor Creations
Post Type Switcher: version 3.0.0 by John James Jacoby
Profile Builder: version 2.7.0 by Cozmoslabs, Madalin Ungureanu, Antohe Cristian, Barina Gabriel, Mihai Iova
Really Simple SSL: version 2.5.23 by Rogier Lankhorst
Recent Posts Widget Extended: version 0.9.9.7 by Satrya
Remember Me: version 2.1.1 by David Gewirtz
Remove Widget Titles: version 1.0 by Stephen Cronin
Search Everything: version 8.1.9 by Sovrn, zemanta
Simple Comment Editing: version 2.1.7 by Ronald Huereca
Simple History: version 2.19 by P?r Thernstr?m
Simple Image Sizes: version 3.1.1 by Rahe
Simple Image Widget: version 4.4.2 by Cedaro
Subscribe to Comments Reloaded: version 170607 by reedyseth, camu
Subtitles: version 3.0.0 by Philip Arthur Moore, We Cobble
TinyMCE Advanced: version 4.6.7 by Andrew Ozz
Title and Nofollow For Links: version 1.02 by Flector
Transients Manager: version 1.7.3 by Pippin Williamson
Wider Admin Menu: version 1.2.3 by Chris Dillon
Widget Clone: version 1.1 by 93digital
Widget Title Links: version 1.4.1 by Illimar Tambek
Wordfence Assistant: version 1.0.4 by Mark Maunder
Wordfence Security: version 6.3.21 by Wordfence
WP All Export: version 1.1.5 by Soflyy
WP All Import: version 3.4.6 by Soflyy
WP Crontrol: version 1.5 by John Blackbourn & contributors
WP Fastest Cache: version 0.8.7.4 by Emre Vona
WPFront Scroll Top: version 1.5 by Syam Mohan
WP Widget As Link & Widget Background & CSS: version 1.5.3 by Alex Egorov
Yoast SEO: version 5.8 by Team Yoast

### Server ###

Server architecture: Linux 2.6.32-773.26.1.lve1.4.35.el6.x86_64 x86_64
PHP Version: 7.1.11 (Supports 64bit values)
PHP SAPI: cgi-fcgi
PHP max input variables: 5000
PHP time limit: 600
PHP memory limit: 512M
Upload max filesize: 1G
PHP post max size: 500M
cURL Version: 7.54.0 OpenSSL/1.0.2k
SUHOSIN installed: No
Is the Imagick library available: Yes

### Database ###

Extension: mysqli
Server version: 5.5.5-10.0.33-MariaDB
Client version: mysqlnd 5.0.12-dev – 20150407 – $Id: b396954eeb2d1d9ed7902b8bae237b287f21ad9e $
Database prefix: splife_

### WordPress constants ###

ABSPATH: /home/purelight/public_html/
WP_HOME: Undefined
WP_SITEURL: Undefined
WP_DEBUG: Disabled
WP_MAX_MEMORY_LIMIT: 512M
WP_DEBUG_DISPLAY: Enabled
WP_DEBUG_LOG: Disabled
SCRIPT_DEBUG: Disabled
WP_CACHE: Disabled
CONCATENATE_SCRIPTS: Undefined
COMPRESS_SCRIPTS: Undefined
COMPRESS_CSS: Undefined
WP_LOCAL_DEV: Undefined

### Filesystem permissions ###

The main WordPress directory: Writable
The wp-content directory: Writable
The uploads directory: Writable
The plugins directory: Writable
The themes directory: Writable
The Must Use Plugins directory: Writable

• This reply was modified 7 years, 3 months ago by crzyhrse.

Just a heads up as the Health Check plugin was updated to do loopback checks, and to account for slow sites and various situations it does have he same timeout as core uses for the theme/plugins editors (100 seconds), so unfortunately if something is blocking them it will become slower.

Thank you for the detailed breakdown of your findings though! We definitely appreciate the time taken to look into it.