Jetpack – xmlrpc.php POST 403 error

[Rafael Da Costa]

Hi there,

I am having this issue:

[403 POST Request: January 7, 2017 - 4:06 pm]
BPS Pro: 12.5
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.0.112.57
Host Name: 192.0.112.57
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: POST
HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1483776359&nonce=zAR1VmEOpl&body-hash=aOIkn63jBYoKZYuP3PFCWC%2Bwr8E%3D&signature=OJ4rCg3TmRVk3hVXLaacTQTLM9A%3D
REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1483776359&nonce=zAR1VmEOpl&body-hash=aOIkn63jBYoKZYuP3PFCWC%2Bwr8E%3D&signature=OJ4rCg3TmRVk3hVXLaacTQTLM9A%3D
QUERY_STRING: 
HTTP_USER_AGENT: Jetpack by WordPress.com
REQUEST BODY: <?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
 <value><struct>
 <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member>
 <member><name>params</name><value><array><data>
 <value><array><data>
 <value><string>GET</string></value>
 <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=444&http_envelop

I have added every custom code that whitelist the Jetpack User Agent. On CUSTOM CODE BOTTOM and CUSTOM CODE REQUEST.
Not sure what else I should do.
Thanks

[AITpro Admin]

The Jetpack POST Request to the xmlrpc.php file is being blocked by one or both of the Bonus Custom Codes listed in either of these Bonus Custom Code links below.  Are you doing all of the Custom Code steps?  Add/edit code, save code and activate Root BulletProof Mode again?  Post your Root htaccess file contents from the > htaccess File Editor page > Your Current Root htaccess File tab so I can take a look at it.

https://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/

https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/

[Rafael Da Costa]

Thanks so much for your quick reply.

“Are you doing all of the Custom Code steps?”

Yes, I have followed all the codes in both links. I have posted my “Current Root htaccess” as requested.

[code edited and removed any irrelevant code]

# CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
# BPS POST Request Attack Protection
...
...
...

# Jetpack XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]

# Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]

Thanks.

Regards

Rafael

[AITpro Admin]

Your POST Attack Protection code looks fine and I did not see any other problems in your Root htaccess file code.

I believe the problem is you are missing the [OR] condition in your IP address whitelist line of code.  Correct this code as shown below.  The “OR” flag was missing from this line of code: RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)

# Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.) [OR]
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]

Also delete this duplicate code in Custom Code.

# Jetpack XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]

[Rafael Da Costa]

thanks for your reply.

I have added the [OR] condition, then I could not see my page. Instead this msg was shown:

cruxdev.com.au 403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
IP Address: 27.33.230.57

This is the msg at the log:

[403 GET Request: January 9, 2017 - 5:24 pm]
BPS Pro: 12.5
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 27.33.230.57
Host Name: 27-33-230-57.tpgi.com.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

For that reason, I have deleted the [OR] so I could see my page again.
I also have deleted the duplicate code – Thanks
Jetpack nightmare continues:
Thanks for your help
Rafa

[AITpro Admin]

Ok yeah then the problem is the IP address you have added or the code itself.  Delete the IP address line of code or just delete all of this code if that does not work on your particular website/server. Another thing that might be causing the problem is that this is a new method of posting to the xmlrpc.php file by Jetpack that I have not see before. So this is probably something new that has changed in Jetpack. You may need to change this line of code to this: ^.*(xmlrpc\.php|wp-trackback\.php).*$

# Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]

 

[Rafael Da Costa]

I have changed the code to:

# Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php).*$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]

This is what showed in the log:

[403 POST Request: January 12, 2017 - 8:59 am]
BPS Pro: 12.5
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.0.99.18
Host Name: wordpress.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: POST
HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484182760&nonce=ixoT9LO1Iv&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=i79MLEaqbO1Nkz%2BsUX0nBbjnQDU%3D
REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484182760&nonce=ixoT9LO1Iv&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=i79MLEaqbO1Nkz%2BsUX0nBbjnQDU%3D
QUERY_STRING: 
HTTP_USER_AGENT: Jetpack by WordPress.com
REQUEST BODY: <?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
  <value><struct>
  <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member>
  <member><name>params</name><value><array><data>
  <value><array><data>
  <value><string>GET</string></value>
  <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=13&http_envelope

Thanks for your help

[AITpro Admin]

Hmm ok well I guess you just cannot use any xmlrpc protection code with Jetpack then.  So just delete the code that is causing the xmlrpc block.  It could be the POST Attack Protection code.  So you will need to test which code is causing the problem and delete it.

[Rafael Da Costa]

What vulnerabilities this could give to my website?
I am not using Jetpack much anyway. I could find a replacement for me needs.
What would you recommend?
This error is also showing on Search console:

URL:
http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke)qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1483776359&nonce=zAR1VmEOpl&body-hash=aOIkn63jBYoKZYuP3PFCWC%2Bwr8E%3D&signature=OJ4rCg3TmRVk3hVXLaacTQTLM9A%3D

Error details:
Googlebot couldn't crawl your URL because your server either requires authentication to access the page, or it is blocking Googlebot from accessing your site. Find out more

Thanks

[AITpro Admin]

Back in 2014 around 3 years ago when the BPS the XML-RPC protection code was created it protected against the XML Quadratic Blowup Attack as well as other various XML-RPC exploits. At some point WordPress eliminated any/all XML-RPC exploits by adding new protection code directly in WordPress itself to protect XML-RPC. So the XML-RPC protection code is now considered anti-nuisance code vs important security protection code. So you really do not need to use any XML-RPC protection code anymore.

[Rafael Da Costa]

thanks for your help.

[Rafael Da Costa]

Hi there,
I still having problems.
I’ve deleted the XML-RPC protection code as suggested the new code is below.

# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]

# Whitelist updraft
RewriteCond %{REQUEST_URI} !^.*/updraft [NC]
#EXAMPLES FOR WHITELIST 
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
RewriteRule ^(.*)$ - [F]

# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# Rewrites to author=999999 that does not actually exist
# which results in a standard 404 error. To the hacker bot
# it appears that this author does not exist without giving
# any clues that the author does actually exist.
RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]

LOG Information:

[403 POST Request: January 13, 2017 - 2:19 pm]
BPS Pro: 12.5
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.0.84.104
Host Name: 192.0.84.104
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: POST
HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484288389&nonce=8ekfk6F0Sc&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=CGq9q2CO0bEyk%2BFHc0qXmtzOCBY%3D
REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484288389&nonce=8ekfk6F0Sc&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=CGq9q2CO0bEyk%2BFHc0qXmtzOCBY%3D
QUERY_STRING: 
HTTP_USER_AGENT: Jetpack by WordPress.com
REQUEST BODY: <?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
  <value><struct>
  <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member>
  <member><name>params</name><value><array><data>
  <value><array><data>
  <value><string>GET</string></value>
  <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=13&http_envelope

The IP is always the same – can I put it in the whitelist?

Thanks

[AITpro Admin]

Jetpack makes a POST Request to the wp-load.php file. So add this additional whitelist rule for the Jetpack POST Request to wp-load.php.

# Whitelist Jetpack POST Requests to wp-load.php
RewriteCond %{REQUEST_URI} !^.*/wp-load.php [NC]

[Rafael Da Costa]

It worked – thanks

[AITpro Admin]

And even better method is to whitelist the jetpack Query String.  Example:  https://forum.ait-pro.com/forums/topic/managewp-403-error-post/page/3/#post-32142

# Whitelist Jetpack POST Request to wp-load.php by Query String
RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]

[Author]

Posts