403 Error when saving htaccess custom code

Home Forums BulletProof Security Free 403 Error when saving htaccess custom code

This topic contains 12 replies, has 3 voices, and was last updated by  Jaiji 3 months ago.

Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • #33625

    Hannah
    Participant

    After not logging in for a long time to a site I’ve been developing, I’m now getting 403 forbidden errors whenever I try to save changes to BPS custom code. I logged in, updated the WP core, themes and plugins, and ran the BPS whitelist tool that was prompting me, but BPS doesn’t want me to save any changes to BPS custom code, either in the custom code area or in the htaccess file editor. It doesn’t lock me out or anything, but I need to respond to the notice that I have BPS speed boost code as well as caching plugin code, and every time I remove the speed boost code and try to save, I get the 403… It seems like it’s actually BPS that’s being blocked??

    Here is an entry from the security log:

    [403 POST Request: July 13, 2017 - 3:35 PM]
    BPS: 2.2
    WP: 4.8
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 68.116.119.180 (note: this is my IP, but when I search for my IP now, I get an IPV6 string...could that be part of it? I do not have login security set up at this point)
    Host Name: 68-116-119-180.dhcp.grps.or.charter.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://my-site.com/my-subdirectory/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php
    REQUEST_URI: /my-subdirectory/wp-admin/admin.php?page=bulletproof-security/admin/core/core.php
    QUERY_STRING: page=bulletproof-security/admin/core/core.php
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
    #33626

    AITpro Admin
    Keymaster

    Sounds like the latest worldwide Mod Security problem. 😉  I just created this forum topic today since we are getting bombarded with email questions about this Mod Security problem. What appears to have happened is that new Mod Security SecRules and/or SecFilters were created and distributed to web hosts worldwide:  https://forum.ait-pro.com/forums/topic/mod-security-common-known-problems/

    #33627

    Hannah
    Participant

    Thank you!

    #34463

    Hannah
    Participant

    I just migrated a client’s websites to a new host. They both have BPS free, and it’s been working fine on both sites. Now, however, I’m getting 403 errors when trying to save custom code, even with my IP whitelisted. I looked in the PHP settings and don’t see anything that looks like any of Mod Security, SecRules and/or SecFilters. What should I try next?

    #34464

    AITpro Admin
    Keymaster

    You would need to check your server logs for any Mod Security errors to see if Mod Security is causing the problem. To access, enable, disable Mod Security options you would need to login to your host control panel. Mod Security/mod_security is an Apache module. We will be adding a check for the mod_security module in the next BPS version since Mod Security issues/problems are becoming more and more common.  Typically hosts do not allow disabling Mod Security from a website and Mod Security can only be disabled via the web host control panel.

    https://forum.ait-pro.com/forums/topic/mod-security-common-known-problems/
    Mod Security is something that is installed on your web host server and can usually be accessed in your web host control panel if your web host offers that capability.  Mod Security uses SecRules and SecFilters, which are very similar to BPS htaccess security rules.  On some web hosts you can disable and enable individual Mod Security SecRules and SecFilters.  On other web hosts you only have the option to enable or disable Mod Security entirely.  To prevent Mod Security from causing any one of the common known problems below you would either remove/disable the individual Mod Security SecRule or SecFilter in your web host control panel that is causing the problem or if your web host does not offer that capability then you would need to Disable Mod Security in your web host control panel.

    #35384

    Jaiji
    Participant

    Hi, I’m having the same problem.Trying to add an http to https redirect to CUSTOM CODE WP REWRITE LOOP START but keep getting:

    Forbidden You don’t have permission to access /wp-admin/admin.php on this server.

    From what I can tell Mod Security is not enabled:

    200: mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: No
    200: mod_authz_core is NOT Loaded|IfModule: Yes
    403: mod_authz_host is NOT Loaded|IfModule: Yes
    200: mod_rewrite Module is Loaded
    200: mod_security Module is not Loaded|Enabled

    I’ve deactivated root and admin modes, tried uploading a manually modified root htaccess, tried the Wizard, checked file permissions (directories 75, files 644) and scoured the forum but not making any headway. No other security plugins in place, cache and minify disabled. Sorry if I’m not seeing something obvious.

    This is the security log entry which arises:

    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 2.217.127.63
    Host Name: 02d97f3f.bb.sky.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 2.217.127.63
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.my-site.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php
    REQUEST_URI: /wp-admin/admin.php?page=bulletproof-security/admin/core/core.php
    QUERY_STRING: page=bulletproof-security/admin/core/core.php
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
    #35385

    AITpro Admin
    Keymaster

    @ Jaiji – Are you using a Proxy or VPN Browser?  Do you have BPS free or BPS Pro installed?  What happened when you manually uploaded a Root htaccess file?  Did the Root htaccess file/code change?  Was the Root htaccess file not allowed by something (server, etc)?  The Security Log entry is for the wp-admin backend of your site.  So it appears that either you are using a Proxy/VPN Browser or something else is interfering with your wp-admin backend area of your site.

    #35386

    Jaiji
    Participant

    Thanks for the quick reply. No proxy or VPN, same problem with Chrome and Firefox. I’m using BPS Free, sorry I thought that was pre-implied by this being the BPS Free forum. The manual edit/upload worked in as much as the code was added to the htaccess file, but it results in a ‘too many redirects’ message on the front and back end. I’ve contacted the host re server permissions but no reply yet.

    This is the code I’m attempting to add, should it be different?

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]
    
    #35387

    AITpro Admin
    Keymaster

    @ Jaiji – Both BPS free and Pro issues can be in the same forum.  The Security Log entry includes which BPS version you have, but your Security Log entry was missing the top portion of the log entry. A “too many redirects” error is typically caused by having more than 1 block of Rewrite/Redirect htaccess code in your root htaccess file.  You should only have 1 block of Rewrite/Redirect htaccess code in your root htaccess file.  You can post your Root htaccess file code if you would like me to take a look at it.  It is possible that Mod Security would not be detected on all web host servers.  The Mod Security testing code assumes your host server has correctly configured htaccess “ifModule” directives on the server.  We are aware of a number of web hosts that do not have “ifModule” directive code configured correctly on the server.

    #35389

    Jaiji
    Participant

    This is what’s in it when I attempt the redirect:

    #   BULLETPROOF 2.9 SECURE .HTACCESS     
    
    # PHP/PHP.INI HANDLER/CACHE CODE
    # Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently.
    # Most Hosts do not have/use/require php/php.ini Handler htaccess code
    
    # TURN OFF YOUR SERVER SIGNATURE
    # Suppresses the footer line server version number and ServerName of the serving virtual host
    ServerSignature Off
    
    # DO NOT SHOW DIRECTORY LISTING
    # Disallow mod_autoindex from displaying a directory listing
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode 
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code 
    # and paste it into BPS Custom Code and comment out Options -Indexes 
    # by adding a # sign in front of it.
    # Example: #Options -Indexes
    Options -Indexes
    
    # DIRECTORY INDEX FORCE INDEX.PHP
    # Use index.php as default directory index file. index.html will be ignored.
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode 
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code 
    # and paste it into BPS Custom Code and comment out DirectoryIndex 
    # by adding a # sign in front of it.
    # Example: #DirectoryIndex index.php index.html /index.php
    DirectoryIndex index.php index.html /index.php
    
    # BRUTE FORCE LOGIN PAGE PROTECTION
    # PLACEHOLDER ONLY
    # Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
    # See this link: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    # for more information.
    
    # BPS ERROR LOGGING AND TRACKING
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # BPS has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and 
    # 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors 
    # that occur on your website. When a hacker attempts to hack your website the hackers IP address, 
    # Host name, Request Method, Referering link, the file name or requested resource, the user agent 
    # of the hacker and the query string used in the hack attempt are logged.
    # All BPS log files are htaccess protected so that only you can view them. 
    # The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/
    # The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors
    # after you install BPS and have activated BulletProof Mode for your Root folder.
    # If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file
    # to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.
    # You can open the BPS 404.php file using the WP Plugins Editor or manually editing the file.
    # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.
    
    ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    ErrorDocument 401 default
    ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php
    ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
    ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php
    
    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    
    # WP-ADMIN/INCLUDES
    # Use BPS Custom Code to remove this code permanently.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]
    
    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]
    
    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy 
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code 
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
    
    # PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES
    # To add plugin/theme skip/bypass rules use BPS Custom Code.
    # The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules.
    # The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9...
    # If you delete a skip rule, change the other skip rule numbers accordingly.
    # Examples: If RewriteRule [S=5] is deleted than change [S=6] to [S=5], [S=7] to [S=6], etc.
    # If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13]
    
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying 
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC] 
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC] 
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    
    # CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*MY-SITE.com.*
    RewriteRule . - [S=1]
    
    # CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # WP REWRITE LOOP END
    
    # DENY BROWSER ACCESS TO THESE FILES 
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # To be able to view these files from a Browser, replace 127.0.0.1 with your actual 
    # current IP address. Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1 
    # Note: The BPS System Info page displays which modules are loaded on your server. 
    
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order Allow,Deny
    Deny from all
    #Allow from 127.0.0.1
    </FilesMatch>
    
    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Rewrites to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    
    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    # Whitelist Jetpack/ Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Deny from all
    </FilesMatch>
    
    
    #35391

    Jaiji
    Participant

    My apologies. I remembered today that the site is set up to use Cloudflare (I was foxed by the fact that it’s set up directly through the site owner’s own Cloudflare account, not mine and not through their host.) That explains the redirect loop. I’ve adjusted Cloudflare’s settings to recognise the SLL certificate and enforce HTTPS everywhere so there’s no need for a BPS redirect.

    Before I remembered that I did a complete reinstall of BPS Free to see if that would help. Everything’s back as it was but minus the other custom code blocks, which I’m still unable to add in the normal way via BPS. Currently waiting to hear back from the hosts as to whether there’s any restriction in place at their end (they say it is possible), if necessary I’ll add the code manually via FTP.

    Sorry for the runaround, and thanks again for your attentive support.

    #35392

    AITpro Admin
    Keymaster

    @ Jaiji – Check that Cloudflare is not caching the wp-admin area, which could cause this type of problem.  If the problem is being caused by something on the host server (Mod Security, etc.) then there will be errors in the server logs showing what is causing the Custom Code Form blocks.  To make it easier for your host support to check the server log files by date/time you can send them the exact times when you tried to save custom code so that they can reference those timestamps in your server logs.

    #35397

    Jaiji
    Participant

    It was all down to Cloudflare settings. I’ve disconnected the site – mainly due to how CF handle SSL –  and everything works as expected now. Thanks again for your excellent support.

Viewing 13 posts - 1 through 13 (of 13 total)

You must be logged in to reply to this topic.