403 Error when saving htaccess custom code

  • #33625
    Hannah
    Participant

    After not logging in for a long time to a site I’ve been developing, I’m now getting 403 forbidden errors whenever I try to save changes to BPS custom code. I logged in, updated the WP core, themes and plugins, and ran the BPS whitelist tool that was prompting me, but BPS doesn’t want me to save any changes to BPS custom code, either in the custom code area or in the htaccess file editor. It doesn’t lock me out or anything, but I need to respond to the notice that I have BPS speed boost code as well as caching plugin code, and every time I remove the speed boost code and try to save, I get the 403… It seems like it’s actually BPS that’s being blocked??

    Here is an entry from the security log:

    [403 POST Request: July 13, 2017 - 3:35 PM]
    BPS: 2.2
    WP: 4.8
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 68.116.119.180 (note: this is my IP, but when I search for my IP now, I get an IPv6 string... could that be part of it? I do not have login security set up at this point)
    Host Name: 68-116-119-180.dhcp.grps.or.charter.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://my-site.com/my-subdirectory/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php
    REQUEST_URI: /my-subdirectory/wp-admin/admin.php?page=bulletproof-security/admin/core/core.php
    QUERY_STRING: page=bulletproof-security/admin/core/core.php
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
    #33626
    AITpro Admin
    Keymaster

    Sounds like the latest worldwide Mod Security problem. 😉  I just created this forum topic today since we are getting bombarded with email questions about this Mod Security problem. What appears to have happened is that new Mod Security SecRules and/or SecFilters were created and distributed to web hosts worldwide:  https://forum.ait-pro.com/forums/topic/mod-security-common-known-problems/

    #33627
    Hannah
    Participant

    Thank you!

    #34463
    Hannah
    Participant

    I just migrated a client’s websites to a new host. They both have BPS free, and it’s been working fine on both sites. Now, however, I’m getting 403 errors when trying to save custom code, even with my IP whitelisted. I looked in the PHP settings and don’t see anything that looks like any of Mod Security, SecRules and/or SecFilters. What should I try next?

    #34464
    AITpro Admin
    Keymaster

    You would need to check your server logs for any Mod Security errors to see if Mod Security is causing the problem. To access, enable, disable Mod Security options you would need to login to your host control panel. Mod Security/mod_security is an Apache module. We will be adding a check for the mod_security module in the next BPS version since Mod Security issues/problems are becoming more and more common.  Typically hosts do not allow disabling Mod Security from a website and Mod Security can only be disabled via the web host control panel.

    https://forum.ait-pro.com/forums/topic/mod-security-common-known-problems/
    Mod Security is something that is installed on your web host server and can usually be accessed in your web host control panel if your web host offers that capability.  Mod Security uses SecRules and SecFilters, which are very similar to BPS htaccess security rules.  On some web hosts you can disable and enable individual Mod Security SecRules and SecFilters.  On other web hosts you only have the option to enable or disable Mod Security entirely.  To prevent Mod Security from causing any one of the common known problems below you would either remove/disable the individual Mod Security SecRule or SecFilter in your web host control panel that is causing the problem or if your web host does not offer that capability then you would need to Disable Mod Security in your web host control panel.

    #35384
    Jaiji
    Participant

    Hi, I’m having the same problem. Trying to add an http to https redirect to CUSTOM CODE WP REWRITE LOOP START but keep getting:

    Forbidden You don’t have permission to access /wp-admin/admin.php on this server.

    From what I can tell Mod Security is not enabled:

    200: mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: No
    200: mod_authz_core is NOT Loaded|IfModule: Yes
    403: mod_authz_host is NOT Loaded|IfModule: Yes
    200: mod_rewrite Module is Loaded
    200: mod_security Module is not Loaded|Enabled

    I’ve deactivated root and admin modes, tried uploading a manually modified root htaccess, tried the Wizard, checked file permissions (directories 75, files 644) and scoured the forum but not making any headway. No other security plugins in place, cache and minify disabled. Sorry if I’m not seeing something obvious.

    This is the security log entry which arises:

    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 2.217.127.63
    Host Name: 02d97f3f.bb.sky.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 2.217.127.63
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.my-site.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php
    REQUEST_URI: /wp-admin/admin.php?page=bulletproof-security/admin/core/core.php
    QUERY_STRING: page=bulletproof-security/admin/core/core.php
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
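    The two Security Log entries quoted in this thread carry the fields a practitioner looks at before assuming Mod Security is the cause: whether any forwarding header (HTTP_X_FORWARDED_FOR and friends) is populated, which means something sits between the browser and the origin, whether the bracketed header line with the BPS version and timestamp is present, and whether REMOTE_ADDR is IPv4 or IPv6. The parser below is an added example, not part of BPS; it reads the same field names the plugin writes. The two sample entries are reconstructed from the posts above (Hannah's with the header line, Jaiji's without it), not taken from a live log.

```python
"""
Parse BPS Security Log entries of the form quoted in this thread and report
the checks worth doing before blaming Mod Security.  Added example, not BPS
code; SAMPLE_LOG is reconstructed from the thread, not from a live log.
"""
import ipaddress
import re

SAMPLE_LOG = """\
[403 POST Request: July 13, 2017 - 3:35 PM]
BPS: 2.2
Event Code: WPADMIN-SBR
REMOTE_ADDR: 68.116.119.180
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
REQUEST_URI: /my-subdirectory/wp-admin/admin.php?page=bulletproof-security/admin/core/core.php

Event Code: WPADMIN-SBR
REMOTE_ADDR: 2.217.127.63
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 2.217.127.63
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
REQUEST_URI: /wp-admin/admin.php?page=bulletproof-security/admin/core/core.php
"""

PROXY_FIELDS = ("HTTP_CLIENT_IP", "HTTP_FORWARDED",
                "HTTP_X_FORWARDED_FOR", "HTTP_X_CLUSTER_CLIENT_IP")
# matches the optional first line, e.g. "[403 POST Request: July 13, 2017 - 3:35 PM]"
HEADER_RE = re.compile(r"^\[(\d{3}) (\w+) Request: (.+)\]$")


def split_entries(text):
    """Entries are separated by a blank line; the bracketed header line is optional."""
    return [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def parse_entry(block):
    """Return (header dict or None, {field: value}) for one entry."""
    header, fields = None, {}
    for raw in block.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header = {"status": int(m.group(1)), "method": m.group(2), "when": m.group(3)}
        elif ":" in line:
            key, _, value = line.partition(":")  # first colon only: values may contain URLs
            fields[key.strip()] = value.strip()
    return header, fields


def analyse(block):
    header, f = parse_entry(block)
    remote = f.get("REMOTE_ADDR", "")
    try:
        ip_version = ipaddress.ip_address(remote).version
    except ValueError:
        ip_version = None
    proxy_headers = {k: f[k] for k in PROXY_FIELDS if f.get(k)}
    # X-Forwarded-For is a comma-separated chain; the first hop is the client as the proxy saw it
    xff_first = f.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()
    return {
        "has_header": header is not None,
        "header_method": header["method"] if header else None,
        "bps_version": f.get("BPS"),
        "event_code": f.get("Event Code"),
        "remote_addr": remote,
        "ip_version": ip_version,
        "logged_method": f.get("REQUEST_METHOD"),
        "proxy_headers": proxy_headers,
        "behind_proxy": bool(proxy_headers),
        "forwarded_matches_remote": bool(xff_first) and xff_first == remote,
    }


def findings(r):
    """Human-readable checks for one analysed entry."""
    out = []
    if not r["has_header"]:
        out.append("missing [status method Request: date] header: BPS version and time unknown")
    if r["behind_proxy"]:
        out.append("forwarding header populated (%s): a proxy/CDN or a header-injecting "
                   "client sits in front of the origin; the entry alone cannot say which"
                   % ", ".join(sorted(r["proxy_headers"])))
    if r["header_method"] and r["logged_method"] and r["header_method"] != r["logged_method"]:
        out.append("header classifies the block as %s but REQUEST_METHOD is %s"
                   % (r["header_method"], r["logged_method"]))
    if r["ip_version"] == 6:
        out.append("client address is IPv6: an IPv4 whitelist entry will not match it")
    return out


def analyse_log(text):
    return [analyse(b) for b in split_entries(text)]


if __name__ == "__main__":
    for n, r in enumerate(analyse_log(SAMPLE_LOG), 1):
        print("entry %d: %s %s from %s" % (n, r["event_code"], r["logged_method"], r["remote_addr"]))
        for line in findings(r):
            print("   -", line)
```

    Run over the two sample entries it reports the first as a direct IPv4 client with no forwarding headers and the second as missing its header line and carrying a populated HTTP_X_FORWARDED_FOR, which is the first hint in this thread that a CDN was in the path. A forwarding header is only evidence, not proof: a client connecting straight to the origin can set one itself, so the cause still has to be confirmed from the host side.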
    #35385
    AITpro Admin
    Keymaster

    @ Jaiji – Are you using a Proxy or VPN Browser?  Do you have BPS free or BPS Pro installed?  What happened when you manually uploaded a Root htaccess file?  Did the Root htaccess file/code change?  Was the Root htaccess file not allowed by something (server, etc)?  The Security Log entry is for the wp-admin backend of your site.  So it appears that either you are using a Proxy/VPN Browser or something else is interfering with your wp-admin backend area of your site.

    #35386
    Jaiji
    Participant

    Thanks for the quick reply. No proxy or VPN, same problem with Chrome and Firefox. I’m using BPS Free, sorry I thought that was pre-implied by this being the BPS Free forum. The manual edit/upload worked in as much as the code was added to the htaccess file, but it results in a ‘too many redirects’ message on the front and back end. I’ve contacted the host re server permissions but no reply yet.

    This is the code I’m attempting to add, should it be different?

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]
    
    #35387
    AITpro Admin
    Keymaster

    @ Jaiji – Both BPS free and Pro issues can be in the same forum.  The Security Log entry includes which BPS version you have, but your Security Log entry was missing the top portion of the log entry. A “too many redirects” error is typically caused by having more than 1 block of Rewrite/Redirect htaccess code in your root htaccess file.  You should only have 1 block of Rewrite/Redirect htaccess code in your root htaccess file.  You can post your Root htaccess file code if you would like me to take a look at it.  It is possible that Mod Security would not be detected on all web host servers.  The Mod Security testing code assumes your host server has correctly configured htaccess “ifModule” directives on the server.  We are aware of a number of web hosts that do not have “ifModule” directive code configured correctly on the server.

    #35389
    Jaiji
    Participant

    This is what’s in it when I attempt the redirect:

    #   BULLETPROOF 2.9 SECURE .HTACCESS     
    
    # PHP/PHP.INI HANDLER/CACHE CODE
    # Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently.
    # Most Hosts do not have/use/require php/php.ini Handler htaccess code
    
    # TURN OFF YOUR SERVER SIGNATURE
    # Suppresses the footer line server version number and ServerName of the serving virtual host
    ServerSignature Off
    
    # DO NOT SHOW DIRECTORY LISTING
    # Disallow mod_autoindex from displaying a directory listing
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode 
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code 
    # and paste it into BPS Custom Code and comment out Options -Indexes 
    # by adding a # sign in front of it.
    # Example: #Options -Indexes
    Options -Indexes
    
    # DIRECTORY INDEX FORCE INDEX.PHP
    # Use index.php as default directory index file. index.html will be ignored.
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode 
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code 
    # and paste it into BPS Custom Code and comment out DirectoryIndex 
    # by adding a # sign in front of it.
    # Example: #DirectoryIndex index.php index.html /index.php
    DirectoryIndex index.php index.html /index.php
    
    # BRUTE FORCE LOGIN PAGE PROTECTION
    # PLACEHOLDER ONLY
    # Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
    # See this link: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    # for more information.
    
    # BPS ERROR LOGGING AND TRACKING
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # BPS has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and 
    # 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors 
    # that occur on your website. When a hacker attempts to hack your website the hackers IP address, 
    # Host name, Request Method, Referring link, the file name or requested resource, the user agent 
    # of the hacker and the query string used in the hack attempt are logged.
    # All BPS log files are htaccess protected so that only you can view them. 
    # The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/
    # The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors
    # after you install BPS and have activated BulletProof Mode for your Root folder.
    # If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file
    # to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.
    # You can open the BPS 404.php file using the WP Plugins Editor or manually editing the file.
    # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.
    
    ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    ErrorDocument 401 default
    ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php
    ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
    ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php
    
    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    
    # WP-ADMIN/INCLUDES
    # Use BPS Custom Code to remove this code permanently.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]
    
    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]
    
    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy 
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code 
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
    
    # PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES
    # To add plugin/theme skip/bypass rules use BPS Custom Code.
    # The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules.
    # The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9...
    # If you delete a skip rule, change the other skip rule numbers accordingly.
    # Examples: If RewriteRule [S=5] is deleted then change [S=6] to [S=5], [S=7] to [S=6], etc.
    # If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13]
    
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying 
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC] 
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC] 
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    
    # CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*MY-SITE.com.*
    RewriteRule . - [S=1]
    
    # CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # WP REWRITE LOOP END
    
    # DENY BROWSER ACCESS TO THESE FILES 
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # To be able to view these files from a Browser, replace 127.0.0.1 with your actual 
    # current IP address. Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1 
    # Note: The BPS System Info page displays which modules are loaded on your server. 
    
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order Allow,Deny
    Deny from all
    #Allow from 127.0.0.1
    </FilesMatch>
    
    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Rewrites to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    
    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    # Whitelist Jetpack/ Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Deny from all
    </FilesMatch>
    
    
    #35391
    Jaiji
    Participant

    My apologies. I remembered today that the site is set up to use Cloudflare (I was foxed by the fact that it’s set up directly through the site owner’s own Cloudflare account, not mine and not through their host.) That explains the redirect loop. I’ve adjusted Cloudflare’s settings to recognise the SSL certificate and enforce HTTPS everywhere so there’s no need for a BPS redirect.

    Before I remembered that I did a complete reinstall of BPS Free to see if that would help. Everything’s back as it was but minus the other custom code blocks, which I’m still unable to add in the normal way via BPS. Currently waiting to hear back from the hosts as to whether there’s any restriction in place at their end (they say it is possible), if necessary I’ll add the code manually via FTP.

    Sorry for the runaround, and thanks again for your attentive support.
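    The redirect loop Jaiji traced to Cloudflare, modelled as an added example (this is not BPS code and not Jaiji's htaccess). It assumes Cloudflare-style edge behaviour: in the edge's "flexible" TLS mode the browser connects over HTTPS but the edge fetches the origin over plain HTTP and passes the browser's scheme in an X-Forwarded-Proto header. Under that assumption the `%{HTTPS} !=on` and `%{SERVER_PORT} ^80` conditions in the WP REWRITE LOOP block above are true for every request the origin sees, so each 301 to https:// comes back over HTTP and is redirected again. The three rule functions correspond to the htaccess conditions listed in the docstring; the modes, header names and port numbers are assumptions of the model.

```python
"""
Why an http->https RewriteRule at the origin loops behind a TLS-terminating
edge, and which condition does not.  Added example; the edge modes below are
a model of Cloudflare-style forwarding, not the product's documented behaviour.

htaccess equivalents of the rule functions:
  rule_https_and_port   RewriteCond %{HTTPS} !=on
                        RewriteCond %{SERVER_PORT} ^80
  rule_forwarded_proto  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  rule_combined         RewriteCond %{HTTPS} !=on
                        RewriteCond %{HTTP:X-Forwarded-Proto} !https
each followed by        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
"""
from dataclasses import dataclass, field

LOOP = -1  # returned when the redirect chain never reaches a 200


@dataclass
class OriginRequest:
    """The subset of the Apache environment the RewriteConds look at."""
    https_on: bool             # %{HTTPS} == on
    server_port: int           # %{SERVER_PORT}
    headers: dict = field(default_factory=dict)


def rule_https_and_port(req):
    """The conditions used in the thread: true whenever the origin hop is plain HTTP."""
    return not req.https_on and str(req.server_port).startswith("80")


def rule_forwarded_proto(req):
    """Trust only the proxy's claim about the browser's scheme."""
    return req.headers.get("X-Forwarded-Proto", "").lower() != "https"


def rule_combined(req):
    """Redirect only if the origin hop is plain HTTP *and* no proxy says the browser used https."""
    return not req.https_on and rule_forwarded_proto(req)


def edge_fetch(client_scheme, mode, extra_headers=None):
    """How a request made with client_scheme looks by the time it reaches the origin."""
    fwd = {"X-Forwarded-Proto": client_scheme}
    tls = client_scheme == "https"
    if mode == "direct":      # browser talks to the origin itself; no forwarding headers
        return OriginRequest(tls, 443 if tls else 80, dict(extra_headers or {}))
    if mode == "flexible":    # edge terminates TLS and always fetches the origin over HTTP
        return OriginRequest(False, 80, fwd)
    if mode == "full":        # edge mirrors the browser's scheme to the origin
        return OriginRequest(tls, 443 if tls else 80, fwd)
    raise ValueError(mode)


def follow(rule, mode, start_scheme="http", max_hops=5, extra_headers=None):
    """Number of 301s the browser sees before a 200, or LOOP."""
    scheme, hops = start_scheme, 0
    while hops <= max_hops:
        if not rule(edge_fetch(scheme, mode, extra_headers)):
            return hops
        scheme = "https"      # the browser follows the Location: https://... redirect
        hops += 1
    return LOOP


if __name__ == "__main__":
    for rule in (rule_https_and_port, rule_forwarded_proto, rule_combined):
        for mode in ("direct", "full", "flexible"):
            n = follow(rule, mode)
            print("%-20s %-9s %s" % (rule.__name__, mode,
                                     "LOOP" if n == LOOP else "%d redirect(s)" % n))
```

    Two things the table makes visible: the thread's rule loops only in the flexible mode, and the X-Forwarded-Proto-only rule loops for a browser that reaches the origin directly (no header, so every request is redirected), which is why the combined form checks both. X-Forwarded-Proto is client-controllable unless the origin accepts connections only from the proxy's addresses; a direct client that forges it merely skips its own redirect, but the header should not be trusted for anything beyond that without such a restriction. Enforcing HTTPS at the edge and dropping the origin rule, as Jaiji did, sidesteps the question.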

    #35392
    AITpro Admin
    Keymaster

    @ Jaiji – Check that Cloudflare is not caching the wp-admin area, which could cause this type of problem.  If the problem is being caused by something on the host server (Mod Security, etc.) then there will be errors in the server logs showing what is causing the Custom Code Form blocks.  To make it easier for your host support to check the server log files by date/time you can send them the exact times when you tried to save custom code so that they can reference those timestamps in your server logs.

    #35397
    Jaiji
    Participant

    It was all down to Cloudflare settings. I’ve disconnected the site – mainly due to how CF handle SSL –  and everything works as expected now. Thanks again for your excellent support.
