Wordfence admin-ajax.php Authentication Required

Home Forums BulletProof Security Free Wordfence admin-ajax.php Authentication Required

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • #2588
    AITpro Admin
    Keymaster

    Email Question:

    What I really wanted to say was in response to this post: http://forum.ait-pro.com/forums/topic/bps-pro-compatibility-with-other-wordpress-security-plugins/ I had BPS Free and WordFence installed on multiple blogs – all working well. I upgraded WP, BPS and WF to the latest 1 day ago, and now all have the same problem: going to the blog home page I get a “Authentication Required” box. View Source shows: And indeed, when I Temporarily disabled “Enable Live Traffic View” in WF, it fixes the problem. So Wordfence has a script on the home page that calls wp-admin/admin-ajax.php which triggers “Authentication Required”. I tried tips in http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Full-Screen-Background-Images-Pro

    On /wp-admin/.htaccss:

    # BEGIN CUSTOM CODE WPADMIN PLUGIN FIXES" (but they did nothing):
    # Wordfence has a script on the home page that calls wp-admin/admin-ajax.php which triggers "Authentication Required".
    RewriteCond %{REQUEST_URI} (admin-ajax.php) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{QUERY_STRING} action=wordfence_logHuman&hid=(.*) [NC]
    RewriteRule ^(.*)$ - [F,L]
    #2589
    AITpro Admin
    Keymaster

    Are you saying that you have already tried to use the BPS admin-ajax.php skip/bypass rule in the wp-admin .htaccess file?  Nothing changed regarding BPS and admin-ajax.php in a long while and many BPS versions so if it was working before then it should still be working now without having to create this skip/bypass rule, unless of course if Wordfence is now doing something differently then before.  Have you checked the BPS Security Log file for an error related to Wordfence or admin-ajax.php?

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]

     

    #2591
    AITpro Admin
    Keymaster

    Oh too funny Wordfence is forbidding access to the admin-ajax.php file so forget that route.  If Wordfence is forbidding this file then Wordfence obviously does not to use it for anything.  This Wordfence rule below says Forbid access to the admin-ajax.php file.  😉

    # Wordfence has a script on the home page that calls wp-admin/admin-ajax.php which triggers “Authentication Required”.

    RewriteCond %{REQUEST_URI} (admin-ajax.php) [NC]
    RewriteRule ^(.*)$ - [F,L]

    To check if BPS is causing an issue/problem use these troubleshooting steps:  http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    #2855
    AITpro Admin
    Keymaster

    Actually I did some more checking and Wordfence definitely needs to be able to call admin-ajax.php.

    1. Add the admin-ajax.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]
    #2860
    No Signal
    Member

    Hi. Thanks for the tips. I tried adding:

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]

    to wp-admin/.htaccess using the exact technique you outlined above, including activating, etc. I confirmed that it was in the actual .htaccess file – it was. However, when I turned on “Enable Live Traffic View” in WF, I get “Authentication Required” again. When I comment out the new lines, it makes no difference. I even tried manually changing “AuthName Restricted” to “AuthName Restricted2” – this change was shown in the “Authentication Required” window, so I know it is using the updated .htaccess file.

    Thanks for the tips – now I know how to do it via the BPS control panel, and my own attempt was missing a \ before the .    but unfortunately your solution made no change either. It seems sensible, so I am mystified.

    For completeness, this is what is in my CUSTOM CODE WPADMIN TOP:

    # Make any web access to this folder require another password.
    AuthUserFile /deliberately obscured/blog/wp-admin/.htpasswd
    AuthType Basic
    AuthName "restricted"
    Order Deny,Allow
    Deny from all
    Require valid-user
    Satisfy any
    #2861
    No Signal
    Member

    Oh, and in order to view the blog as an end user, I need to use chrom incognito mode, otherwise chrome remembers my auth password.

    #2862
    AITpro Admin
    Keymaster

    hmm maybe this is actually a different issue or multiple issues since you have Basic Authentication on your wp-admin .htaccess file.

    Try doing this and let me know what happens.  Look for this htaccess code in your Root .htaccess file…

    ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php

    …and add ErrorDocument 401 default as shown below and let me know what happens…

    ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    ErrorDocument 401 default
    ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php
    #3267
    No Signal
    Member

    Hi. I tried the “ErrorDocument 401 default”   and unfortunately it had no effect on the original problem listed above. In the last week, I also upgraded to Wordfence Security Version 3.6.1 – it made no difference. To be clear, I tried “ErrorDocument 401 default” by itself – without any of the other suggestions above.

    Many thanks for you help.

    #3271
    AITpro Admin
    Keymaster

    Ok well I really do not know how Wordfence works and have not looked at the code in that plugin for several versions (6 months or so) so you should ask the author of the plugin about his plugin/the issue/problem in relation to using Basic Authentication .htaccess code and the Wordfence authentication error.  I have taken some logical guesses, but like I said I have no idea what that plugin does or does not do.  😉

     

Viewing 9 posts - 1 through 9 (of 9 total)
  • You must be logged in to reply to this topic.