Post comments 403 Error, malformed Query String


Viewing 15 posts - 1 through 15 (of 18 total)
    #5626
    AITpro Admin
    Keymaster

    BPS Pro Question – Topic copied from the WordPress.org site:  http://wordpress.org/support/topic/403-forbidden-error-cannot-post-comments?replies=3

    Hi,

    After updating to the latest BPS version there is a 403 Error when you try to post a comment. Commenting does not work on my IP, even if I am logged in as admin, and not for any other users either. The error is happening on Firefox, Chrome, and Safari and appears as:

    Forbidden
    You don’t have permission to access /blog-article-title/ on this server.
    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

    I have already tried commenting out and even deleting the entire # FORBID COMMENT SPAMMERS ACCESS TO YOUR wp-comments-post.php FILE code in the root htaccess, but it doesn’t work at all. I keep getting the same error.

    Also tried adding a skip rule, but it only made the BPS Error page appear. The actual error was the same.

    To clarify, the actual comment WILL appear if the page is refreshed and if you try to re-enter the same comment the duplicate comment alert works. But strangely, it’s showing the user a 403 when submitting the comment.

    FYI: We’re using the paid BPS Pro version on WordPress 3.5.1. The host is LiquidWeb and the site works 100% fine with htaccess permissions of 404 and 644 — so I don’t think that’s the issue. Lock/unlock works without any issues from within the BPS console. We’re also using W3TC but it does not touch comments at all.

    We’ve tried pretty much all of the troubleshooting tips available in the forums, but nothing works so far.

    Hope you can help! We’d like to get comments again. Thanks in advance!

    #5628
    AITpro Admin
    Keymaster

    What WordPress site type do you have?  Standard single installation of WordPress?  Network/Multisite?  BuddyPress?

    Are you using a comment plugin?

    #5629
    AITpro Admin
    Keymaster

    Please post any errors that you see in your BPS Pro Security Log file that are related to this issue/problem.

    #5643
    Indy250
    Participant

    Thanks for the reply. It’s a single WordPress install. No multisite or buddypress. No comment plugins and no errors regarding the comments issue in the security log. Only typical spambots there as far as I can tell. The comment appears for moderation as usual, but only shows the 403 error on the user side during submission.

    #5644
    AITpro Admin
    Keymaster

    Hmm, no errors in the Security Log, that is odd.  Post a link to the site so I can see what is happening.

    #5687
    Indy250
    Participant

    Thanks for the fast reply. Please see email for direct link and we can continue here. Thanks!

    #5694
    AITpro Admin
    Keymaster

    Ok the problem is this.  Either your Theme or your WordPress installation type is creating malformed/bad Query strings for your comment form, which are being blocked by BPS because they match a hacking pattern.  I cannot tell which WordPress installation type you have (single standard, Network, BuddyPress, etc).

    The malformed Query String is this:  ?#comment-126

    Go to the BPS Pro htaccess File Editor tab page, click on the Your Current Root htaccess File tab, scroll down until you see this security filter in your root .htaccess file…

    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

    and comment it out by putting a pound sign # in front of this security rule as shown below.

    #RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

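    As an added illustration of why that filter fires on the comment form (this is example code, not code from the thread or from BPS Pro): the Python below rebuilds the request line Apache exposes as %{THE_REQUEST} and tests the old rule against constructed sample URLs on a hypothetical example.com.

```python
import re
from urllib.parse import urlsplit

# The security filter quoted in the thread, as a Python regex. In the
# .htaccess line "RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]" the
# backslash before the space is Apache argument escaping, so the pattern
# Apache compiles is a literal "?" followed by " HTTP/".
OLD_THE_REQUEST_FILTER = re.compile(r"\? HTTP/", re.IGNORECASE)


def request_line(method: str, url: str, version: str = "HTTP/1.1") -> str:
    """Rebuild the request line a browser sends for url.

    %{THE_REQUEST} holds exactly this line ("METHOD target VERSION").
    User agents strip the fragment (#...) before sending, but a trailing "?"
    with nothing after it is kept, so "?#comment-126" arrives as a bare "?".
    """
    without_fragment = url.split("#", 1)[0]
    parts = urlsplit(without_fragment)
    target = parts.path or "/"
    if parts.query or without_fragment.endswith("?"):
        target += "?" + parts.query
    return f"{method} {target} {version}"


def blocked_by_old_filter(method: str, url: str) -> bool:
    """True when the old BPS filter would answer 403 for this request."""
    return OLD_THE_REQUEST_FILTER.search(request_line(method, url)) is not None


def triage(method: str, url: str) -> dict:
    """Summarise one request the way you would when reading the Security Log:
    what Apache saw, whether the filter fired, and why."""
    line = request_line(method, url)
    hit = OLD_THE_REQUEST_FILTER.search(line) is not None
    reason = ("empty query string: '?' directly before ' HTTP/'" if hit
              else "query string absent or non-empty; filter does not match")
    return {"the_request": line, "blocked": hit, "reason": reason}


# Constructed sample requests on a hypothetical example.com (not the
# thread's actual site): the comment-form action from the thread, a normal
# comment post, a query-string permalink and a versioned static asset.
SAMPLES = [
    ("POST", "http://example.com/blog-article-title/?#comment-126"),
    ("POST", "http://example.com/wp-comments-post.php"),
    ("GET", "http://example.com/?p=123"),
    ("GET", "http://example.com/wp-content/themes/x/style.css?ver=3.5.1"),
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        result = triage(method, url)
        print(f"{result['the_request']:<62} blocked={result['blocked']} "
              f"({result['reason']})")
```

    Only the first sample trips the rule: the fragment is dropped by the browser, the empty query leaves a bare "?" before " HTTP/", and the filter cannot tell that from a probe.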
    #5699
    Indy250
    Participant

    Thanks very much for the extremely fast & expert help. Yes, this fixed the issue and posting comments works again!

    Just to confirm, this is a single standard WordPress installation — not a multisite or BuddyPress install.

    Thanks again!

    #40741
    Mosharraf Hossain
    Participant

    If you have installed the All in One WP Security plugin on your WordPress site, such a problem can happen. It happened on my own site.

    Go to All in One WP Security > FireWall > Additional Firewall Rules > Proxy Comment Posting > Forbid Proxy Comment Posting:

    (Uncheck) Check this if you want to forbid proxy comment posting.

    Save this.

    I just found this solution after many attempts.

    #40742
    AITpro Admin
    Keymaster

    @ Mosharraf – Use caution with the All in One WP Security plugin.  While the plugin authors are pretty good coders, they are not website security experts.  They tend to copy features that are in other security plugins.  They also add features that I do not consider security features.  I think they got carried away with the “All in one” concept if you know what I mean.  😉

    On a personal note, I bought the premium WP Affiliate Platform plugin from them many years ago and it was packed with security vulnerabilities. It had some really dangerous SQL Injection security vulnerabilities that got one of my websites hacked. I had to recode that plugin to make it safe to use.

    #41814
    keewee
    Participant

    #RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR] -- this is copied from above.

    I am having an issue where I cannot save any formatting or make comments other than just a few letters typed out.
    It will give me a 403 error if any margin changes or anything else unless I use the classic editor.
    Then I can get some stuff saved but it's a guessing game.
    The above is an example that is close to my issue. I just do not have this line in my root?
    My line is much longer.

    #41815
    AITpro Admin
    Keymaster

    @ keewee – That htaccess code was changed many years ago.  Check the BPS Security Log for the 403 log entry that shows what is being blocked and post the log entry in your forum reply.  The BPS Security Log logs all 403 errors whether or not they are being caused by BPS.  To confirm or eliminate that BPS is causing the 403 error use the BPS Pro troubleshooting steps here > https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    #41816
    keewee
    Participant

    I have the same content twice in my root htaccess file?

    
    # BULLETPROOF PRO 16.6 SECURE .HTACCESS
    # CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    # PHP/php.ini handler htaccess code
    # The order of the code is: 1. php/php.ini handler .htaccess code (if you
    # have php/php.ini handler code), 2. caching plugin .htaccess cache code
    # (if you are using a caching plugin) and then this Speed Boost .htaccess
    # code.
    # BEGIN WEBSITE SPEED BOOST
    # Time cheat sheet in seconds
    # A86400 = 1 day
    # A172800 = 2 days
    # A2419200 = 1 month
    # A4838400 = 2 months
    # A29030400 = 1 year
    # Test which ETag setting works best on your Host/Server/Website
    # with Firefox Firebug, Firephp and Yslow benchmark tests.
    # Create the ETag (entity tag) response header field
    # This is probably not the optimum choice to use.
    #FileETag MTime Size
    # Remove the ETag (entity tag) response header field
    # This is most likely the optimum choice to use.
    Header unset ETag
    FileETag none
    <IfModule mod_headers.c>
    <FilesMatch "\.(js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|gif|jpg|jpeg|png|swf|webm)$">
    Header append Cache-Control "public"
    </FilesMatch>
    <FilesMatch "\.(txt|html)$">
    Header append Cache-Control "proxy-revalidate"
    </FilesMatch>
    <FilesMatch "\.(php|cgi|pl|htm|xml)$">
    Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
    Header set Pragma "no-cache"
    </FilesMatch>
    </IfModule>
    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/xml-dtd
    AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
    AddOutputFilterByType DEFLATE font/otf font/opentype application/font-otf application/x-font-otf
    AddOutputFilterByType DEFLATE font/ttf font/truetype application/font-ttf application/x-font-ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    # Drop problematic browsers
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
    </IfModule>
    # END WEBSITE SPEED BOOST
    # BEGIN NON_LSCACHE
    ## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
    ### marker BROWSER CACHE start ###
    <IfModule mod_expires.c>
    ExpiresActive on
    ExpiresByType application/pdf A31557600
    ExpiresByType image/x-icon A31557600
    ExpiresByType image/vnd.microsoft.icon A31557600
    ExpiresByType image/svg+xml A31557600
    # BEGIN LSCACHE
    ## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
    <IfModule LiteSpeed>
    RewriteEngine on
    CacheLookup on
    RewriteRule .* - [E=Cache-Control:no-autoflush]
    RewriteRule \.litespeed_conf\.dat - [F,L]
    ### marker CACHE RESOURCE start ###
    RewriteRule wp-content/.*/[^/]*(responsive|css|js|dynamic|loader|fonts)\.php - [E=cache-control:max-age=3600]
    ### marker CACHE RESOURCE end ###
    ### marker FAVICON start ###
    RewriteRule favicon\.ico$ - [E=cache-control:max-age=86400]
    ### marker FAVICON end ###
    ### marker DROPQS start ###
    CacheKeyModify -qs:fbclid
    CacheKeyModify -qs:gclid
    CacheKeyModify -qs:utm*
    CacheKeyModify -qs:_ga
    ### marker DROPQS end ###
    </IfModule>
    ## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
    # END LSCACHE
    # BULLETPROOF PRO 16.5 SECURE .HTACCESS
    # CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    # PHP/php.ini handler htaccess code
    # The order of the code is: 1. php/php.ini handler .htaccess code (if you
    # have php/php.ini handler code), 2. caching plugin .htaccess cache code
    # (if you are using a caching plugin) and then this Speed Boost .htaccess
    # code.
    # BEGIN WEBSITE SPEED BOOST
    # Time cheat sheet in seconds
    # A86400 = 1 day
    # A172800 = 2 days
    # A2419200 = 1 month
    # A4838400 = 2 months
    # A29030400 = 1 year
    # Test which ETag setting works best on your Host/Server/Website
    # with Firefox Firebug, Firephp and Yslow benchmark tests.
    # Create the ETag (entity tag) response header field
    # This is probably not the optimum choice to use.
    #FileETag MTime Size
    # Remove the ETag (entity tag) response header field
    # This is most likely the optimum choice to use.
    Header unset ETag
    FileETag none
    <IfModule mod_headers.c>
    <FilesMatch "\.(js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|gif|jpg|jpeg|png|swf|webm)$">
    Header append Cache-Control "public"
    </FilesMatch>
    <FilesMatch "\.(txt|html)$">
    Header append Cache-Control "proxy-revalidate"
    </FilesMatch>
    <FilesMatch "\.(php|cgi|pl|htm|xml)$">
    Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
    Header set Pragma "no-cache"
    </FilesMatch>
    </IfModule>
    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/xml-dtd
    AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
    AddOutputFilterByType DEFLATE font/otf font/opentype application/font-otf application/x-font-otf
    AddOutputFilterByType DEFLATE font/ttf font/truetype application/font-ttf application/x-font-ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    # Drop problematic browsers
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
    </IfModule>
    # END WEBSITE SPEED BOOST
    # BEGIN NON_LSCACHE
    ## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
    ## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
    # END NON_LSCACHE
    # CUSTOM CODE TURN OFF YOUR SERVER SIGNATURE
    # TURN OFF YOUR SERVER SIGNATURE
    # Suppresses the footer line server version number and ServerName of the serving virtual host
    ServerSignature Off
    # DO NOT SHOW DIRECTORY LISTING
    # Disallow mod_autoindex from displaying a directory listing
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
    # and paste it into BPS Custom Code and comment out Options -Indexes
    # by adding a # sign in front of it.
    # Example: #Options -Indexes
    Options -Indexes
    # DIRECTORY INDEX FORCE INDEX.PHP
    # Use index.php as default directory index file. index.html will be ignored.
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
    # and paste it into BPS Custom Code and comment out DirectoryIndex
    # by adding a # sign in front of it.
    # Example: #DirectoryIndex index.php index.html /index.php
    DirectoryIndex index.php index.html /index.php
    # BRUTE FORCE LOGIN PAGE PROTECTION
    # PLACEHOLDER ONLY
    # Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
    # See this link: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    # for more information.
    # BPS PRO ERROR LOGGING AND TRACKING
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # BPS Pro has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and
    # 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors
    # that occur on your website. When a hacker attempts to hack your website the hackers IP address,
    # Host name, Request Method, Referring link, the file name or requested resource, the user agent
    # of the hacker and the query string used in the hack attempt are logged.
    # All BPS Pro log files are htaccess protected so that only you can view them.
    # The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/
    # The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors
    # after you install BPS Pro and have activated BulletProof Mode for your Root folder.
    # If you would like to log 404 errors you will need to copy the logging code in the BPS Pro 404.php file
    # to your Theme's 404.php template file. Simple instructions are included in the BPS Pro 404.php file.
    # You can open the BPS Pro 404.php file using the WP Plugins Editor or by using the BPS Pro File Manager.
    # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.
    ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    ErrorDocument 401 default
    ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php
    ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
    ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php
    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    # WP-ADMIN/INCLUDES
    # Use BPS Custom Code to remove this code permanently.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]
    # CUSTOM CODE WP REWRITE LOOP START
    # CUSTOM CODE WP REWRITE LOOP START - Your Custom htaccess code will be created here with AutoMagic
    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_HOST} ^www\.mysite\.com$ [NC]
    RewriteRule ^(.*)$ http://mysite.com/$1 [R=301,L]
    RewriteRule ^index\.php$ - [L]
    # CUSTOM CODE REQUEST METHODS FILTERED
    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
    # PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES
    # To add plugin/theme skip/bypass rules use BPS Custom Code.
    # The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules.
    # The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9...
    # If you delete a skip rule, change the other skip rule numbers accordingly.
    # Examples: If RewriteRule [S=5] is deleted then change [S=6] to [S=5], [S=7] to [S=6], etc.
    # If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13]
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    # CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    #
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*mysite.com.*
    RewriteRule . - [S=1]
    # CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # WP REWRITE LOOP END
    # DENY BROWSER ACCESS TO THESE FILES
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # To be able to view these files from a Browser, replace 127.0.0.1 with your actual
    # current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
    # Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
    # Note: The BPS System Info page displays which modules are loaded on your server.
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    <IfModule mod_authz_core.c>
    Require all denied
    #Require ip 127.0.0.1
    </IfModule>
    <IfModule !mod_authz_core.c>
    <IfModule mod_access_compat.c>
    Order Allow,Deny
    Deny from all
    #Allow from 127.0.0.1
    </IfModule>
    </IfModule>
    </FilesMatch>
    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # BLOCKING BOTS SNIFFING AROUND
    # 5G:[USER AGENTS]
    <IfModule mod_setenvif.c>
    # SetEnvIfNoCase User-Agent ^$ keep_out
    SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
    <limit GET POST PUT>
    Order Allow,Deny
    Allow from all
    Deny from env=keep_out
    </limit>
    </IfModule>
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    Options -Indexes
    <IfModule mod_headers.c>
    Header set X-Endurance-Cache-Level "2"
    Header set X-nginx-cache "WordPress"
    </IfModule>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^/wp-content/endurance-page-cache/ - [L]
    RewriteCond %{REQUEST_METHOD} !POST
    RewriteCond %{QUERY_STRING} !.*=.*
    RewriteCond %{HTTP_COOKIE} !(wordpress_test_cookie|comment_author|wp\-postpass|wordpress_logged_in|wptouch_switch_toggle|wp_woocommerce_session_) [NC]
    RewriteCond %{DOCUMENT_ROOT}/wp-content/endurance-page-cache/$1/_index.html -f
    RewriteRule ^(.*)$ /wp-content/endurance-page-cache/$1/_index.html [L]
    </IfModule>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !(robots\.txt|[a-z0-9_\-]*sitemap[a-z0-9_\.\-]*\.(xml|xsl|html)(\.gz)?)
    RewriteCond %{REQUEST_URI} \.(css|htc|less|js|js2|js3|js4|html|htm|rtf|rtx|txt|xsd|xsl|xml|asf|asx|wax|wmv|wmx|avi|avif|avifs|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|webp|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|webm|mpp|otf|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|_ttf|wav|wma|wri|woff|woff2|xla|xls|xlsx|xlt|xlw|zip)$ [NC]
    RewriteRule .* - [L]
    </IfModule>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    
    
    #41817
    AITpro Admin
    Keymaster

    @ keewee – Yes, it looks like you have copied duplicate htaccess code into BPS Root Custom Code.  Go to BPS Root Custom Code and remove the duplicate htaccess code from this Custom Code text box: 1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE.  Note:  Since you are using LiteSpeed htaccess caching code, you do not also need to use the BPS Speed Boost htaccess code since they do the same thing.  The only htaccess code that should be in that Custom Code text box is just your LiteSpeed Cache plugin htaccess code.  Delete all other htaccess code, save your changes and activate Root folder BulletProof Mode.

    #41818
    keewee
    Participant

    Incorrect, I did not write it clearly so you understood where the duplicate code is located. The duplicate code I sent you is a copy of what is in my ‘root htaccess’ file, not the ‘custom root htaccess’ file. Comments cannot be made or saving changes is almost impossible? I am really not comfortable making changes to the BPS root htaccess file. I will add to the custom root htaccess file, no problem. The duplicate stuff has happened in the secure.htaccess file also? Do I need to start over with my htaccess file? I would definitely need instructions.
