Home › Forums › BulletProof Security Pro › 403 forbidden, access to server denied, unable to save htaccess & Cloudflare
- This topic has 7 replies, 2 voices, and was last updated 1 week, 1 day ago by
Frank.
-
AuthorPosts
-
Frank
ParticipantHello,
A few days ago I installed Cloudflare -free. I implemented some WAF rules, one using their template.
Today I was unable to save changes to the Root htaccess File Custom Code. On saving I got a 403 Forbidden Error from BPS Pro Plugin Error Page each time referencing an IPv6 address. My host said they didn’t see any ModSec errors for that IP but they did for other IPs, none of which were to do with me, an example below. The IPs are those of the MJ12 bot which I block in robots.txt. A BPS Security Log entry is below. This makes no sense to me.
This is an example
Jun 27 09:45:37 httpd [modsecurity] [Fri Jun 27 09:45:27.811803 2025] [error] [client 65.108.125.120] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' 'MJ12bot'] [id "333515"] [rev "4"] [msg "Atomicorp.com WAF Rules: MJ12 Distributed bot detected (Disable this rule if you want to allow this bot)"] [severity "WARNING"] [tag "no_ar"] [hostname "my domain"] [uri "/robots.txt"] [unique_id "xxxxxxx"]
[403 GET Request: 27 Jun 2025 - 7:47 pm] BPS Pro: 17.5 WP: 6.8.1 Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A - Hacker/Spammer Blocked/Forbidden REMOTE_ADDR: 147.135.212.217 Host Name: ns3118804.ip-147-135-212.eu SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /robots.txt QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)
I turned off the Cloudflare WAF rules but the 403s still occurred. I disabled Cloudflare to sort this out and cleared the cache. I find it all weird. It looks like something on my site is being interpreted as the MJBot? Things were going alright initially on Cloudflare. I have the their IPs whitelisted in the CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE box and also in Wordfence.
While I can now save ip changes to the Root htaccess File Custom Code upon clicking on another tab in WordPress I immediately get the 403 error again. Nor can I save to the wp-admin htaccess File Custom Code here without getting a “403 access to the server forbidden” response. This was not a BPS message.
https://my domain/wp-admin/admin.php?page=bulletproof-security/admin/core/core.php#bps-tabs-7
I would greatly appreciate any advice on what to do.
Thank you for your time.AITpro Admin
KeymasterDisregard the mj12bot. It has nothing to do with the problem. I think the problem is being caused by the Plugin Firewall. Go to the BPS Pro > Plugin Firewall feature and click the Deactivate button. If you are no longer seeing 403 errors when trying to save custom htaccess code then use this solution > https://forum.ait-pro.com/forums/topic/bps-admin-js-files-403-forbidden/#post-38580
KeymasterAlso since you have ModSecurity on your server you may need to click the Encrypt htaccess Code button/Encrypt Custom Code button first before clicking the Save button.
ParticipantThank you for your prompt reply. The Plugin Firewall was already deactivated and I deactivated the UAEG Mode. I routinely encrypt changes to htaccess before saving.
Unfortunately I am still unable to save changes to htaccess CC in either the Root Folder or the wp-admin Folder on that page:
/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php without getting a 403 Forbidden response.
My Host confirmed that ModSecurity blocks were triggered by requests from my IP when accessing that page. They said they could whitelist the the specific ModSecurity rule(s) causing the false positives for my IP if it is static and doesn’t change to prevent the 403 errors when I save changes via BPS. However my IP, an IPv4 address does sometimes change.
In any event I want to re-enable Cloudflare which means IP changes, to IPv6, so this whitelisting for my current IP won’t help going forward. I have installed Cloudflare directly from the website. I don’t know, but maybe if it were possible to keep to an IPv4 address, even on Cloudflare whether that would help? When I installed Cloudflare it went straight to IPv6 addresses, I could not uncheck the box to revert to IPv4.
I don’t know what to do, please can you advise any other options to try?
Thank you again for your time.KeymasterSend me a WordPress Admin login to the site and I’ll figure out the problem. Send the login info to: info@ait-pro.com
ParticipantThank you! A WP admin login now sent.
KeymasterThe problem is fixed. You had invalid htaccess code in Root Custom Code text box 14 and wp-admin Custom Code text box 1. You don’t need to add/whitelist Cloudflare IP addresses in the root and wp-admin htaccess files. The only case where you would need to whitelist Cloudflare IP’s would be using the link I posted in my first reply to add the IP addresses to the Plugin Firewall feature.
ParticipantThank you for looking at that and fixing it, a big relief! I have entered the Cloudflare IPs according to your link and turned the Plugin Firewall back on. So far all good. I will monitor things for awhile before re-enabling Cloudflare.
Thanks again for your prompt reply, helpful practical advice as always.
-
AuthorPosts
- You must be logged in to reply to this topic.