Akeeba Backup – 403 error

  • #24487
    AITpro Admin
    Keymaster

    The Akeeba Backup 403 error is a nuisance error that is being caused by the Akeeba Backup htaccess file/code.  The Akeeba Backup htaccess file is here: /app/backups/.htaccess (see below). Akeeba Backup has created a workaround solution for this Akeeba Backup htaccess file/code problem:  https://www.akeebabackup.com/documentation/akeeba-solo/using-with-bulletproof-security.html  If Akeeba Backup chooses to permanently fix the Akeeba Backup htaccess file/code problem then they can use the same method/htaccess file/code that BPS uses for BPS DB Backup/Backup folder (see Notes below).

    Important: BPS and BPS Pro use the Security Log entries created in the BPS Security Log to automatically create htaccess whitelist rules for your website.  So if you use the Akeeba Backup workaround on your website then both BPS and BPS Pro automated features that get and use Security Log entries will be broken.  The BPS Security Log is also used for troubleshooting problems occurring on your website.  You would no longer have Security Log troubleshooting capability if you use the Akeeba Backup workaround and would have to manually create any htaccess code whitelist rules and would have to check your host server log files for any 403 errors occurring on your website to figure out any issues/problems that are occurring on your site.

    Reference:  https://wordpress.org/support/topic/dso-server-setup-steps?replies=12

    [403 GET / HEAD Request: August 13, 2015 - 1:49 pm]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 127.0.0.1
    Host Name: Z666P-HP
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://demo5.local/wp-admin/admin.php?page=akeebabackupwp-core%2Fakeebabackupwp.php&view=main
    REQUEST_URI: /wp-content/plugins/akeebabackupwp-core/app//backups/index.html?_=1439498971140
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36

    Akeeba Backup htaccess file: /app/backups/.htaccess

    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    
    <IfModule mod_authz_core.c>
      <RequireAll>
        Require all denied
      </RequireAll>
    </IfModule>

    Notes: Akeeba Backup is making this incorrect statement: “BulletProof Security is intentionally taking over your server’s error page handling. Unfortunately they do this in a way that makes session handling impossible, breaking Akeeba Backup.”  The statement is misleading and inaccurate.  BPS logs 403 errors in the BPS Security Log.  403 errors will still be logged by your Apache web host server in your web host server log files.  The problem in Akeeba Backup that creates a 403 error that should not be occurring is due to using htaccess code that does not factor in correct usage and accessibility for end users.  A 403 error means that an error/problem has occurred and is not a normal HTTP Status Response code, such as 200, 301 or 302. A 403 error should and does mean stop normal processing/session handling/any other normal website/server processing. So the root cause of the problem is the incorrect htaccess file/code in Akeeba Backup that is causing the 403 error and not how BPS is handling that problem in Akeeba Backup that is causing the 403 error.

    A permanent simple solution and the correct way to permanently handle/fix this in Akeeba Backup if they choose to permanently fix this instead of using a workaround would be to create new code that writes a new htaccess file/code on page load that contains the user’s current IP address.  BPS has very similar functionality with BPS DB Backup and is already doing that in the BPS plugin with this code/function:  /bulletproof-security/admin/db-backup-security/db-backup-security.php and function: bpsPro_DBBackup_deny_all().

    The BPS backup folder htaccess file that is automatically created with the user’s current IP address in the BPS Backup folder (/wp-content/bps-backup/backups_xxxxxxxxxxx/.htaccess) on page load (BPS DB Backup page):

    # BPS mod_authz_core IfModule BC
    <IfModule mod_authz_core.c>
    Require ip 127.0.0.1
    </IfModule>
    
    <IfModule !mod_authz_core.c>
    <IfModule mod_access_compat.c>
    <FilesMatch "(.*)$">
    Order Allow,Deny
    Allow from 127.0.0.1
    </FilesMatch>
    </IfModule>
    </IfModule>
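
The permanent fix described in the post (rewrite the backup folder's htaccess file on page load with the current user's IP address), written out in PHP as an added example. It is not code from BPS or Akeeba Backup; the function names and the temp directory are hypothetical, and it assumes the address comes from REMOTE_ADDR and fails closed to deny-all when the value is not a literal IP address.

```php
<?php
// Added example: not BPS or Akeeba Backup code. All names here are hypothetical.

/** Build htaccess rules that admit one client IP, or nobody if the IP is invalid. */
function example_build_backup_htaccess(string $ip): string
{
    // Fail closed: anything that is not a literal IPv4/IPv6 address becomes
    // deny-all, which also keeps untrusted text out of the generated file.
    $valid = filter_var($ip, FILTER_VALIDATE_IP) !== false;
    $new   = $valid ? "Require ip $ip" : "Require all denied";
    $old   = $valid ? "Order Allow,Deny\nAllow from $ip" : "Order Deny,Allow\nDeny from all";

    return "# Example: backup folder limited to the current admin IP\n"
        . "<IfModule mod_authz_core.c>\n$new\n</IfModule>\n\n"
        . "<IfModule !mod_authz_core.c>\n$old\n</IfModule>\n";
}

/** Write the rules to $dir/.htaccess via temp file + rename. */
function example_write_backup_htaccess(string $dir, string $ip): bool
{
    $target = rtrim($dir, '/\\') . '/.htaccess';
    $tmp    = $target . '.' . bin2hex(random_bytes(6)) . '.tmp';

    // Apache re-reads .htaccess on every request, so never expose a
    // half-written rule set: write the full file first, then swap it in.
    if (file_put_contents($tmp, example_build_backup_htaccess($ip), LOCK_EX) === false) {
        return false;
    }
    chmod($tmp, 0644);
    if (!rename($tmp, $target)) {
        unlink($tmp);
        return false;
    }
    return true;
}

// Demo with constructed values. In a plugin the address would come from
// $_SERVER['REMOTE_ADDR'], never from client-supplied headers such as
// X-Forwarded-For, which the requester controls.
$dir = sys_get_temp_dir() . '/example-backups';
if (!is_dir($dir)) {
    mkdir($dir, 0755, true);
}
example_write_backup_htaccess($dir, '127.0.0.1');
echo file_get_contents($dir . '/.htaccess'), "\n";

// A value carrying an extra directive is rejected and the folder is locked down.
example_write_backup_htaccess($dir, "127.0.0.1\nRequire all granted");
echo file_get_contents($dir . '/.htaccess');
```

Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so a rule built from it would admit every client arriving through that proxy.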