Updated on July 15th

The issue is now fixed in Elementor 3.30.2, so the below procedure is no longer required, just update Elementor and enjoy!

The below fix is no longer necessary

Elementor 3.30 Security Issue: Temporary Fix Guide

Elementor 3.30 introduced a major issue on many websites due to changes in the way it handles user permissions.

Elementor now depends on the default WordPress JSON REST user enumeration endpoint, which reveals the list of users on a WordPress website.

This endpoint exposes websites to a medium-level vulnerability known as user enumeration.

Once an attacker identifies the usernames on a website, they can attempt a brute-force attack to discover the passwords.

For this reason, most hosting providers, including Pro Radio hosting, block this endpoint. Unfortunately, Elementor now relies on it to function, resulting in a blocked editor.

We already submitted a complete bug report to Elementor earlier today. Given that hundreds of thousands of websites are affected as we write, they are expected to release a fix within hours.

In the meantime, there is a way to restore functionality to the editor. However, it may expose your site to user enumeration. We strongly recommend installing WordFence with a free account and setting a very strong password. Additionally, you may want to enable 2 factors authentication in the Wordfence login settings, for added security.

How to fix your Elementor editor

1. Go to your cPanel. If you use Pro Radio hosting, from the client area > services, choose your website, and click “Log into cPanel” on the left
2. Open “WordPress Manager” from the left menu
3. Select your website and open “Security measures”
4. Select all options and click “Apply”
5. Disable “Block author scans” and click “Apply” again
6. Set a very secure password for your WordPress administrators.
   Disabling author scans allows attackers to find administrator usernames, reducing the effort needed to gain access. However, using a strong password like “hypersensitive-platitudinized203” could make it virtually impossible to guess within decades. (Obviously, do NOT use this exact password.)

Still having issues?

1. Edit your .htaccess file via FTP and rename the file in _htaccess . Please make sure you see the hidden files to do this
2. Go to settings > Permalink in WordPress and save, this will regenerate the .htaccess file
3. Now the security measures blocking Elementor are cleaned, please retry editing the pages

Since Elementor now requires this protection to be disabled in order to function, we consider this a security concern. Previous Elementor versions didn’t rely on this method, so we expect the developers to release a patch to restore the previous behavior.

This is likely a temporary issue, expected to be resolved within 1–2 days. If you’re not in a hurry to edit your homepage, you may choose to wait for the Elementor patch.