WPADMIN-SBR 403 Forbidden Error can’t use restore file option in BPS Quarantine Page
Tagged: ModSecurity
- This topic has 4 replies, 2 voices, and was last updated 3 years, 4 months ago by Steven_Lee.
Steven_Lee (Participant)
On the BPS Quarantine Page (mydomain.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fquarantine%2Fquarantine.php#bps-tabs-2), when I click the Restore File checkbox of a root’s .htaccess, it leads to a BPS 403 Error like the following:
mydomail.com 403 Forbidden Error
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
IP Address: my-ip-address
BPS Pro Plugin 403 Error Page
Now I can’t use the Restore File option, while clicking View File and Delete File doesn’t have this problem; those are fine.
Here is my secure log:
```
[403 POST Request: July 13, 2021 - 10:11 pm]
BPS Pro: 15.6
WP: 5.7.2
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: my-ip-address
Host Name:
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: my-ip-address, my-cloudflare-proxy-ip
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: mydomain.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fquarantine%2Fquarantine.php
REQUEST_URI: /wp-admin/admin.php?page=bulletproof-security/admin/quarantine/quarantine.php
QUERY_STRING: page=bulletproof-security/admin/quarantine/quarantine.php
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
```
I’ve followed the answer on this page (https://forum.ait-pro.com/forums/topic/security-log-event-codes/page/4/) and added either of the 2 codes below in Custom Code -> wp-admin htaccess File Custom Code -> 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES -> then in Secure Modes -> Activate wp-admin Folder BulletProof Mode (WBM)
Note: The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1]. If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #. Example: If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

```
# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]
```

or

```
RewriteCond %{REQUEST_URI} page=bulletproof-security(.*) [NC]
RewriteRule . - [S=2]
```
Neither of these two codes works.
Can you help me with that? Let me know if you need wp-admin login.
AITpro Admin (Keymaster)
This is a very common ModSecurity problem. ModSecurity is installed in your web host control panel and is a security feature. Unfortunately, ModSecurity prevents/blocks restoring some files from Quarantine. Typically that file is the Root htaccess file, which you can delete since you can always create a new BPS Root htaccess file by Activating Root Folder BulletProof Mode again. If the Root htaccess file is the file you cannot restore from Quarantine then just delete it from Quarantine. If the file is another file then let me know what the name of that file is.
Steven_Lee (Participant)
Hi BPS team, thanks for the quick feedback.
Yes, we are on a Plesk dedicated server that indeed has mod_security2 enabled; it also has imunify360 in front of the WordPress application.
I’ve tried to modify php.ini; it was quarantined, and when clicking the Restore File option it’s fine, I don’t see a 403 forbidden error.
I’ve tried to modify wp-config.php (I modified wp-config.php by removing a line of code, define('CONCATENATE_SCRIPTS', false); then the WordPress admin dashboard showed a broken layout),
and wp-config.php was quarantined, and when clicking the Restore File option it’s fine, I don’t see a 403 forbidden error.
It’s OK to not use the Restore File option for only the root’s .htaccess file, so I tried to use Exclude Folders|Files from being checked by AutoRestore -> Exclude An Individual File option -> insert my file path /var/www/vhosts/xxx/mydomain.com/.htaccess -> when clicking the Exclude Folder File|File button, it also generates the same 403 forbidden error.
We have limited access to imunify360. I saw there are a few logs in imunify360, and we’ve already whitelisted some of these files with “Ignore all rules for the file”, but I’m not sure it relates to this issue; the 403 forbidden error still occurs. See the imunify360 Detected Events below. I’m not sure they relate to this problem, but ignoring these rules doesn’t seem to work.
Detection Date/Time | Description | Script Path | First script call from | Action
a day ago | WPCP Rule 2. Forbid malware drop to WP core folders | /var/www/vhosts/xxx/mydomain.com/wp-content/plugins/bulletproof-security/admin/wizard/pwizard-functions.php | my-ip-address-1 | Block
2 days ago | WPCP Rule 2. Forbid malware drop to WP core folders | /var/www/vhosts/xxx/mydomain.com/wp-content/plugins/bulletproof-security/admin/core/core-forms.php | my-ip-address-2 | Block
9 days ago | WPCP Rule 2. Forbid malware drop to WP core folders | /var/www/vhosts/xxx/mydomain.com/wp-content/plugins/bulletproof-security/admin/wizard/pwizard-functions.php | my-ip-address-2 | Block
What kind of rule should we tell our hosting provider to whitelist?
Kind regards,
AITpro Admin (Keymaster)
I’ve seen this problem before. What is being blocked is the .htaccess filename itself literally: .htaccess. I’m pretty sure ModSecurity is causing that problem if I remember correctly. So you can try and ask your host support folks to create a ModSecurity whitelist rule for that, but most likely they will not do that or will not be able to figure out how to do that. Or you can just delete the .htaccess file (auto_.htaccess) in Quarantine.
If you are unable to delete the wp-admin htaccess file in Quarantine then use the steps below.
1. Go to the BPS Pro > Pro-Tools menu/page > DB Table Cleaner|Remover tool tab page.
2. Delete the quarantine database table by clicking the Drop Radio button for this database table: xx_bpspro_arq_quarantine
3. Click the Empty|Drop button to delete the BPS quarantine database table. A new empty BPS quarantine database table will be automatically created.
4. Use FTP or your web host control panel file manager and delete all folders under the BPS Quarantine folder located here: /wp-content/bps-backup/quarantine/
Steven_Lee (Participant)
Thank you.
When we completely turn off the web application firewall (ModSecurity), we can restore the .htaccess.
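Added example, not part of the thread and not BPS or host code: because the block discussed above comes from ModSecurity rather than from BPS, the rule to raise with the host can be read from ModSecurity's "Access denied" lines in the Apache error log, which name the rule id and the request variable that matched. The sketch assumes the ModSecurity 2.x message layout; the log lines, rule ids, rule file path and the parameter name `example_restore_path` are constructed for illustration.

```python
import re

# Constructed Apache error-log lines in the ModSecurity 2.x message layout.
# Rule ids, rule file, client IPs and the POST parameter name are invented.
SAMPLE_LOG = """\
[Tue Jul 13 22:11:03 2021] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".htaccess" at ARGS:example_restore_path. [file "/etc/modsec/example.conf"] [line "88"] [id "9990001"] [msg "Example: restricted file name"] [hostname "mydomain.com"] [uri "/wp-admin/admin.php"] [unique_id "example-0001"]
[Tue Jul 13 22:14:40 2021] [:error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "select" at ARGS:q. [file "/etc/modsec/example.conf"] [line "140"] [id "9990002"] [msg "Example: SQL keyword"] [hostname "mydomain.com"] [uri "/index.php"] [unique_id "example-0002"]
[Tue Jul 13 22:15:12 2021] [:error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:comment. [file "/etc/modsec/example.conf"] [line "201"] [id "9990003"] [msg "Example: XSS probe"] [hostname "mydomain.com"] [uri "/wp-comments-post.php"] [unique_id "example-0003"]
"""

DENIED = re.compile(r"ModSecurity: Access denied with code (\d{3}) \(phase (\d)\)\. "
                    r"(.*?) at (\S+)\. \[file ")
TAG = re.compile(r'\[(id|msg|hostname|uri) "([^"]*)"\]')


def parse_denials(log_text):
    """Return one dict per 'Access denied' line; warnings are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        event = dict(TAG.findall(line))
        event.update(code=m.group(1), phase=m.group(2),
                     match=m.group(3), target=m.group(4))
        events.append(event)
    return events


def denials_for(log_text, uri, code="403"):
    """Denials for one request path (the uri tag carries no query string)."""
    return [e for e in parse_denials(log_text)
            if e.get("uri") == uri and e["code"] == code]


def scoped_exclusions(events):
    """Narrowest exclusion: drop only the matching variable from the blocking rule."""
    return sorted({f"ctl:ruleRemoveTargetById={e['id']};{e['target']}" for e in events})


if __name__ == "__main__":
    hits = denials_for(SAMPLE_LOG, "/wp-admin/admin.php")
    for e in hits:
        print(e["id"], e["target"], e["match"], e["msg"], sep=" | ")
    print(scoped_exclusions(hits))
```

The resulting `ctl:ruleRemoveTargetById` action is what a host-side exclusion limited to the quarantine page would carry, so the rest of the rule set stays active instead of ModSecurity being turned off.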