Subdomain broke main and subdomain admin panels

It’s 3 am here, so I won’t see any replies until tomorrow.

I had a site and wanted to create a subdomain

I created the subdomain in cPanel and put it under:

The main site already had CP on it and was working as it should. I then installed CP on the subdomain.

However, both sites now behave weirdly in the admin panel.

I cannot access anything by hovering over the sidebar links or even open the “Screen options” or “Help” dropdowns. The Petitions widget won’t even load.

If I try to edit a page, for example, I can’t use the dropdown to set the meta boxes that show.

This doesn’t make any sense and I have never had this happen before. Creating a subdomain should be a simple process and the two shouldn’t affect each other.

Anyone got any ideas why this is happening? They each have their own .htaccess file and separate database, albeit with the same prefix before the database name.

Too late at night for me to think clearly, so thought I’d just post it so people can think about it.


1 Like

Dont put sub folders inside public_html … give them all their own root folders like

public_html ← this would be ← this would be the subsite

That way the webserver cannot ( easily ) get confused.

what is that they do strange? if you can explain that I might be able to see if I can reproduce (it’s 8pm here and I still have some brainpower in me to try and figure it out)
One thing that comes to mind is… is that a multisite setting? from your description it seems not but I don’t think assuming is a good troubleshooting policy.

Edited to add, Do you see something in the error logs?

Everything fine with SSL setup?

Just so I don’t get it wrong, you do NOT have multisite active on the maindomain? Otherwise it can come to conflicts if you install a ClassicPress under a subdomain.

On the other hand, if you don’t use Multisite with subdomain, why not, it would be easier, you only have to manage one installation.

Well I’m awake again, just! So time to investigate.

It’s not a multisite and the SSL is working. There are no error log messages.

While the subdomain had just and index.php file, there was no problem. It only arose once I installed CP on it.

I was confused where to put the subdomain when I made it. The cPanel docs said to normally put it in the home folder, but you can put it under public_html if you really want to. This may very well be the problem.

Will have a play and see what I can find.

Deleted the subdomain, problem remained.

Deleted entire cPanel and recreated main domain. Restored from backup, problem remained.

Something fishy going on here. So I tried my other websites - they are all doing it!

Looks like something changed with my hosting at the same time I was making my subdomain. Murphy’s Law!

So it’s time to contact my hosting company.

Edit: I have one WP site and it is unaffected.

Reply from webhost:

“The issue is related to new mod_sec rules. I will check further and find a permanent solution and will update you shortly.”

They fixed my one site as a guinea pig, but the change obviously needs to be applied server-wide.

1 Like

Further reply:

“Imunify360 authority has released a new rule set and one of them has caused the issue. I have rerported the rule and working with them.”

They have fixed all my sites, so time to try the subdomain again.

Subdomain setup under public_html and both it and main site are working correctly now.

The issue was the new Imunify360 rule that was causing a mod-sec error.

This new rule may cause the same problem with other hosting providers.


Now the browser is showing the normal site but it frequently shows an error message when I visit my recently installed clasic press site.

I have not taken any screenshot because nothing appears on the screen and at the right hand lower corner appears the error:

ERROR for site owner:
Invalid domain for site key

Also the string “Captcha” appears in the browser tab.

Not sure whether this is due to immunify360.
What does it mean? Will viewers see my site as usual while it shows this error to me?
What could be the solution?

@freebird @Simone @Dernerd
That is beyond my ability I’m afraid. I’m not any sort of expert.

So I have pinged Simone and Dernerd so they can read the post too. Maybe they can shed some light on it.

1 Like

@freebird googling around seems that also this is dued to immunify360, but can’t help more because I don’t use it.
If you are on some kind of managed hosting I think the best option is to contact them.

1 Like

Hello here I am. Please contact via PM, I’ll see if I can give you support.

I have just experienced the Captcha too. My host confirms it’s caused by Immunify360 thinking that CP is an out-of-date version of WP and susceptible to a specific hack that this modsec rule is designed to prevent.

My host has also agreed to remove that rule for my sites.


Thank you Tim.
Can you point to the rule(s) giving a false positive?

This is the information I was given:

Rule: 'REQUEST_URI' '@rx (?i:\/wp-admin\/load-(styles|scripts)\.php\?[^(?:load)]*load\[\]=([^&,]*[&,]){20,})'] [id "77225200"] [msg "IM360 WAF: Unauthenticated attackers can cause a denial of service in WordPress through 4.9.2 (CVE-2018-6389)

Aye correct. The developers did not have ClassicPress on their radar and since ClassicPress is still too related to WordPress, the rules usually cannot distinguish whether it is WordPress or ClassicPress. Should possibly be a topic at the next core meeting, because in the future these false/positive messages will probably accumulate the more the original WordPress 4.9 is outdated

The CVE refers to a bug with WP <= 4.9.2 and CP is like WP 4.9.22, so maybe that rule is not so performant.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.