WPADMIN-SBR 403 Forbidden Error can’t use restore file option in BPS Quarantine Page


Viewing 5 posts - 1 through 5 (of 5 total)
  • #40508
    Steven_Lee
    Participant

    On the BPS Quarantine Page (mydomain.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fquarantine%2Fquarantine.php#bps-tabs-2), when I click the Restore File checkbox of a root’s .htaccess it leads to a BPS 403 Error like the following:

    mydomain.com 403 Forbidden Error

    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.

    IP Address: my-ip-address 

    BPS Pro Plugin 403 Error Page

    Now I can’t use the Restore File option, while clicking the View File and Delete File doesn’t have this problem, it’s fine.

    Here is my secure log:

    [403 POST Request: July 13, 2021 - 10:11 pm]
    BPS Pro: 15.6
    WP: 5.7.2
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: my-ip-address
    Host Name:
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: my-ip-address, my-cloudflare-proxy-ip
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: mydomain.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fquarantine%2Fquarantine.php
    REQUEST_URI: /wp-admin/admin.php?page=bulletproof-security/admin/quarantine/quarantine.php
    QUERY_STRING: page=bulletproof-security/admin/quarantine/quarantine.php
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

    I’ve followed the answer on this page (https://forum.ait-pro.com/forums/topic/security-log-event-codes/page/4/) and added either of the 2 codes below in Custom Code -> wp-admin htaccess File Custom Code -> 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES -> then in Secure Modes -> Activate wp-admin Folder BulletProof Mode (WBM)

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.
    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]
    or
    RewriteCond %{REQUEST_URI} page=bulletproof-security(.*) [NC]
    RewriteRule . - [S=2]

    Neither of these two codes works.

    Can you help me with that? Let me know if you need wp-admin login.

    #40509
    AITpro Admin
    Keymaster

    This is a very common ModSecurity problem.  ModSecurity is installed in your web host control panel and is a security feature.  Unfortunately, ModSecurity prevents/blocks restoring some files from Quarantine.  Typically that file is the Root htaccess file, which you can delete since you can always create a new BPS Root htaccess file by Activating Root Folder BulletProof Mode again.  If the Root htaccess file is the file you cannot restore from Quarantine then just delete it from Quarantine.  If the file is another file then let me know what the name of that file is.

    #40510
    Steven_Lee
    Participant

    Hi BPS team, thanks for the quick feedback.

    Yes, we are on a Plesk dedicated server that indeed has mod_security2 enabled, it also has the imunify360 in front of the WordPress application.

    I’ve tried to modify php.ini; it was quarantined, and when clicking the Restore File option, it’s fine, I don’t see a 403 forbidden error.

    I’ve tried to modify wp-config.php (I modified wp-config.php by removing a line of code define('CONCATENATE_SCRIPTS', false); then the WordPress admin dashboard showed a broken layout),

    and wp-config.php was quarantined, and when clicking the Restore File option, it’s fine, I don’t see a 403 forbidden error.

    It’s OK to not use the Restore File option for only the root’s .htaccess file, so I tried to use the Exclude Folders|Files from being checked by AutoRestore -> Exclude An Individual File option -> insert my file path /var/www/vhosts/xxx/mydomain.com/.htaccess -> when clicking the Exclude Folder File|File button, it also generates the same 403 forbidden error.

    We have limited access to Imunify360. I saw there are a few logs in Imunify360; we’ve already whitelisted some of these files with “Ignore all rules for the file”, but I’m not sure it relates to this issue; the 403 forbidden error still occurs. See the Imunify360 Detected Events below; I’m not sure they relate to this problem, but it seems it doesn’t work when ignoring these rules.

    Detection Date/Time | Description | Script Path | First script call from | Action
    a day ago | WPCP Rule 2. Forbid malware drop to WP core folders | /var/www/vhosts/xxx/mydomain.com/wp-content/plugins/bulletproof-security/admin/wizard/pwizard-functions.php | my-ip-address-1 | Block
    2 days ago | WPCP Rule 2. Forbid malware drop to WP core folders | /var/www/vhosts/xxx/mydomain.com/wp-content/plugins/bulletproof-security/admin/core/core-forms.php | my-ip-address-2 | Block
    9 days ago | WPCP Rule 2. Forbid malware drop to WP core folders | /var/www/vhosts/xxx/mydomain.com/wp-content/plugins/bulletproof-security/admin/wizard/pwizard-functions.php | my-ip-address-2 | Block

    What kind of rule should we tell our hosting provider to whitelist it?

    Kind regards,

    #40511
    AITpro Admin
    Keymaster

    I’ve seen this problem before.  What is being blocked is the .htaccess filename itself literally:  .htaccess.  I’m pretty sure ModSecurity is causing that problem if I remember correctly.  So you can try and ask your host support folks to create a ModSecurity whitelist rule for that, but most likely they will not do that or will not be able to figure out how to do that.  Or you can just delete the .htaccess file (auto_.htaccess) in Quarantine.

    If you are unable to delete the wp-admin htaccess file in Quarantine then use the steps below.

    1. Go to the BPS Pro > Pro-Tools menu/page > DB Table Cleaner|Remover tool tab page.
    2. Delete the quarantine database table by clicking the Drop Radio button for this database table: xx_bpspro_arq_quarantine
    3. Click the Empty|Drop button to delete the BPS quarantine database table. A new empty BPS quarantine database table will be automatically created.
    4. Use FTP or your web host control panel file manager and delete all folders under the BPS Quarantine folder located here: /wp-content/bps-backup/quarantine/

    #40539
    Steven_Lee
    Participant

    Thank you.

    When we completely turn off the web application firewall (ModSecurity), we can restore the .htaccess.
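
A narrower alternative to turning ModSecurity off entirely, as an added example that is not part of the original thread or BPS's own code: a local exclusion that disables one rule only for POSTs to the BPS Quarantine page seen in the security log above. The local rule id 1000001 and the placeholder RULE_ID_FROM_AUDIT_LOG are assumptions; the real id has to be read from the ModSecurity audit log entry recorded for the blocked request.

```apache
# Added example (ModSecurity 2.x on Apache), to be placed by the host in the
# vhost or server configuration. Not taken from the thread.

# Broad setting, equivalent to what the last post describes: no WAF
# inspection at all for the site. Shown commented out for comparison.
# SecRuleEngine Off

# Scoped exclusion: keep the engine on and remove a single rule, and only
# when all three conditions below hold for the request.
<IfModule security2_module>
    # 1000001 is an arbitrary local rule id (assumption); pick one that is
    # unused on the server.
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" \
        "id:1000001,phase:1,pass,nolog,t:none,chain"
        # Only the form submission is affected, not page views.
        SecRule REQUEST_METHOD "@streq POST" "chain"
            # ARGS_GET is URL-decoded, so this matches both the %2F form in
            # the referer and the decoded QUERY_STRING in the BPS log entry.
            # RULE_ID_FROM_AUDIT_LOG is a placeholder: replace it with the
            # numeric id from the [id "..."] field of the audit log entry
            # for the 403; the configuration will not load until it is.
            SecRule ARGS_GET:page \
                "@streq bulletproof-security/admin/quarantine/quarantine.php" \
                "t:none,ctl:ruleRemoveById=RULE_ID_FROM_AUDIT_LOG"
</IfModule>
```

Because the exclusion runs in phase 1, the removed rule is skipped for the rest of that transaction only; every other request and every other rule is still inspected.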
