javascript 403 error – frontloading plugin scripts 403 error, Plugin Firewall 403 error


This topic contains 14 replies, has 3 voices, and was last updated by  rafaelmagic 3 years, 1 month ago.

Viewing 15 posts - 1 through 15 (of 15 total)
  • #22472

    Tin Hoang
    Participant

    Hello BPS,

    I am receiving 403 HTTP statuses with respect to some vital JavaScript files, which I need to run, when I hit my server. It’s weird: I can load the JavaScript just fine from home, but when I try to access the same page from anywhere other than home I see 403 statuses in Chrome Debugging Tools https://www.dropbox.com/s/5gchlq8u6khmmot/403.png?dl=0 . When I try to click on the URL that Chrome says is a 403 error, the page https://www.dropbox.com/s/jbcrnyfvyk1zzey/forbidden.png?dl=0 appears.

    Do you know if this is a BPS error page? I also have WordFence installed but they say it’s not a page that they made.

    Thanks,
    Tin

    Google Chrome Developer Tools 403 error

    #22476

    AITpro Admin
    Keymaster

    Do these steps below:
    Note: BPS Pro Security Logging MUST be turned On on the Security Log page.

    1. Go to the Plugin Firewall.
    2. Click Plugin Firewall BulletProof Mode Deactivate button.
    3. Set the AutoPilot Mode Cron Check Frequency to 1 minute and save your settings.
    4. Cut (not copy) all of your Plugin Firewall whitelist rules out of the Plugins Script|File Whitelist Text Area and save them to a Notepad or Notepad++ text file on your computer.
    5. Click the Save Whitelist Options button.
    6. Click the Plugin Firewall BulletProof Mode Activate button.
    7. Wait until the next AutoPilot Mode Cron Check is run – see your Dashboard Status Display time.
    8. Click on the main WordPress Dashboard menu/page or any link or refresh your Browser.
    9. Go back to the Plugin Firewall and check that new Plugin Firewall whitelist rules have been created in the Plugins Script|File Whitelist Text Area

    #22505

    Tin Hoang
    Participant

    Hello,

    Thank you for your reply. I did exactly as you said. When the plugin whitelist got autopopulated it had fewer JavaScript files than were in my whitelist originally…a bit concerning.

    When I tried loading http://blisshairbydesign.mysalonpage.com/book-online/ once more the JavaScript files did not load and I received the 403 error in Chrome Debugger (403.png). Once again when I try to open the JavaScript files in a new tab I receive the same error page (forbidden.png). Any ideas?

    Thanks,
    Tin

    #22507

    AITpro Admin
    Keymaster

    Do these troubleshooting steps below and let me know which BPS Pro Security feature is causing the issue. After doing each step test whatever is not working.

    http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
    2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.  See Custom Code Note if doing this step works.
    3. On the Security Modes page, click the Plugin Firewall BulletProof Mode Deactivate button.

    #22515

    Tin Hoang
    Participant

    Oh my goodness. I performed step 2. I have a multisite installation of WordPress and now all my sites’ images and JavaScript are not working. I tried to follow a previous issue http://forum.ait-pro.com/forums/topic/multisite-images-not-showing-and-scripts-not-loading/ I had when the images disappeared but I can’t seem to

    “On the Security Modes page click the Deactivate button to deactivate/delete the Plugin Firewall .htaccess file.” Ideas?

    Check out my broken site: http://blisshairbydesign.mysalonpage.com

    Thanks,
    Tin

    #22517

    AITpro Admin
    Keymaster

    Run the Wizards to set up BPS Pro again or you can just activate root folder BulletProof Mode. At this point send an Administrator login to this website to: info at ait-pro dot com. I can log in tomorrow morning and fix whatever issue is occurring.

    #22522

    Tin Hoang
    Participant

    Hello,

    Ran the setup again. Did not fix the issue. Also activated root folder BulletProof mode – also did not help. I would like to keep my login info private. Here is my “Your current plugins htaccess file”:

    # BEGIN WHITELIST: Frontend Loading Website Plugin scripts/files
    SetEnvIf Request_URI "/bulletproof-security/400.php$" whitelist
    SetEnvIf Request_URI "/bulletproof-security/403.php$" whitelist
    SetEnvIf Request_URI "/widgetkit/cache/(*.js)$" whitelist
    SetEnvIf Request_URI "/widgetkit/widgets/slideshow/js/(*.js)$" whitelist
    SetEnvIf Request_URI "/marketpress/marketpress-includes/js/ajax-cart.js$" whitelist
    SetEnvIf Request_URI "/subscribe-by-email/assets/js/widget.js$" whitelist
    SetEnvIf Request_URI "/nextgen-gallery/products/photocrati_nextgen/modules/ajax/static/ajax.min.js$" whitelist
    SetEnvIf Request_URI "/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_gallery_display/static/common.min.js$" whitelist
    SetEnvIf Request_URI "/nextgen-gallery/products/photocrati_nextgen/modules/lightbox/static/lightbox_context.min.js$" whitelist
    SetEnvIf Request_URI "/pro-sites/pro-sites-files/js/checkout.js$" whitelist
    SetEnvIf Request_URI "/nextgen-gallery-pro/modules/nextgen_pro_lightbox/static/nextgen_pro_lightbox.js$" whitelist
    SetEnvIf Request_URI "/widgetkit/widgets/lightbox/js/(*.js)$" whitelist
    SetEnvIf Request_URI "/widgetkit/widgets/spotlight/js/(*.js)$" whitelist
    SetEnvIf Request_URI "/appointments/js/(*.js)$" whitelist
    SetEnvIf Request_URI "/contact-form-7/includes/js/jquery.form.min.js$" whitelist
    SetEnvIf Request_URI "/contact-form-7/includes/js/scripts.js$" whitelist
    # END WHITELIST

    Any ideas?
    Thanks,
    Tin

    #22528

    AITpro Admin
    Keymaster

    Running the Wizard was done to fix the other problem that occurred with step 2 and not to try and fix the original problem.  I am investigating the issue.  It will take longer for me to do this by doing this remotely instead of logging in.  I will post my findings in a little while.

    #22540

    AITpro Admin
    Keymaster

    I have downloaded, installed and tested the Appointments plugin. The Appointments plugin requires 1 Plugin Firewall whitelist rule. Your Plugin Firewall whitelist rules that you posted above are incorrect. The format of whitelist rules when using Regex rules is this: /plugin-folder-name/js/(.*).js and not /plugin-folder-name/js/(*.js). I am seeing an unusual 500 error instead of a 403 error when checking the scripts via Google Developer Tools, but these errors may actually be 403 errors that are being seen as 500 errors. That may be an additional issue/problem or just adding the correct Plugin Firewall whitelist rules may fix that unusual issue and all other issues/problems.

    These are your corrected Plugin Firewall whitelist rules below:
    1. Copy and paste the plugin scripts/whitelist rules to the Plugins Script|File Whitelist Text Area and overwrite your existing Plugin Firewall whitelist rules.
    2. Click the Save Whitelist Options button.
    3. Click the Plugin Firewall BulletProof Mode Activate button.

    /appointments/js/(.*).js, /contact-form-7/includes/js/(.*).js, /marketpress/marketpress-includes/js/(.*).js, /nextgen-gallery/products/photocrati_nextgen/modules/(.*).js, /pro-sites/pro-sites-files/js/(.*).js, /subscribe-by-email/assets/js/(.*).js, /widgetkit/cache/(.*).js, /widgetkit/widgets/(.*).js
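Added example (not part of the original posts and not BPS Pro code): a small Python check of how the two rule forms discussed above behave, plus a stricter form included only for comparison. It assumes the plugin appends `$` to each whitelist entry, as the posted htaccess lines suggest, and uses Python's `re` as a stand-in for Apache's regex engine; the request paths and function names are constructed for the example.

```python
import re

# Request paths constructed for this example (not taken from the thread).
SAMPLE_PATHS = [
    "/wp-content/plugins/appointments/js/admin.js",
    "/wp-content/plugins/appointments/js/sub/dir/x.js",
    "/wp-content/plugins/appointments/js/notesXjs",
    "/wp-content/plugins/appointments/js/admin.js.php",
    "/wp-content/plugins/appointments/includes/ajax.php",
]


def to_setenvif_regex(entry, anchor=True):
    """Turn one whitelist entry into the regex a SetEnvIf line would carry.

    Assumption: the plugin appends '$' to each entry, as the htaccess
    lines posted earlier in the thread suggest.
    """
    return entry.strip() + ("$" if anchor else "")


def audit(entry, paths=SAMPLE_PATHS, anchor=True):
    """Report whether the entry compiles and which sample paths it whitelists."""
    pattern = to_setenvif_regex(entry, anchor)
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return {"pattern": pattern, "error": str(exc), "allowed": []}
    # Unanchored search: the regex may match anywhere in the path.
    allowed = [p for p in paths if rx.search(p)]
    return {"pattern": pattern, "error": None, "allowed": allowed}


def audit_whitelist(text, **kwargs):
    """Audit a comma-separated whitelist as pasted into the text area."""
    return [audit(e, **kwargs) for e in text.split(",") if e.strip()]


if __name__ == "__main__":
    entries = (
        "/appointments/js/(*.js), "        # form from the posted htaccess
        "/appointments/js/(.*).js, "       # form given in the reply above
        r"/appointments/js/[^/]+\.js"      # stricter form, added for comparison
    )
    for result in audit_whitelist(entries):
        print(result["pattern"], "->", result["error"] or result["allowed"])
```

In this check the `(*.js)` form fails to compile, the `(.*).js` form also admits nested paths and `notesXjs` because the dot before `js` is unescaped, and the stricter form admits only `admin.js`.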

    #22547

    Tin Hoang
    Participant

    Thank you for your reply. I see now that my regex is wrong. I pasted what you asked me to and executed steps 1-3. New problem – now in my Dashboard admin icons are not displaying on the left hand side and it appears that BPS JavaScript files are not running in addition to my original files not running. See https://www.dropbox.com/s/kpps9wptyavm1zm/bps_js_failed_toload.png?dl=0. We can see here that the tabbing is now missing from the BPS core screen.

    I’ve sent an email to info at ait-pro dot com with a new username and pw of an administrator.
    Thank you,
    Tin

    #22549

    AITpro Admin
    Keymaster

    I do not need to login for this issue/problem.  There is a mistake in the Plugin Firewall whitelist rules somewhere.  Do these steps below:

    Reset/Clear all old whitelist rules:
    1. Delete all Plugin Firewall whitelist rules in the Plugins Script|File Whitelist Text Area.
    2. Click the Save Whitelist Options button.
    3. Click the Plugin Firewall BulletProof Mode Activate button.

    Add/Create new whitelist rules:
    1. Copy and paste the plugin scripts/whitelist rules in my previous reply to the Plugins Script|File Whitelist Text Area.
    2. Click the Save Whitelist Options button.
    3. Click the Plugin Firewall BulletProof Mode Activate button.

    #22551

    Tin Hoang
    Participant

    Hello,

    I performed your steps. It does not work.  First I:

    Reset/Clear all old whitelist rules:
    1. Delete all Plugin Firewall whitelist rules in the Plugins Script|File Whitelist Text Area.
    2. Click the Save Whitelist Options button.
    3. Click the Plugin Firewall BulletProof Mode Activate button.

    After step 3 I would assume my WordPress dashboard would return to normal, i.e. icons on the left hand column would no longer be blocked by BPS. They are still not being loaded. The B-Core page also looks like it’s still broken. Regardless, I pasted what you put in the previous email, saved and activated Plugin Firewall BulletProof mode.

    /appointments/js/(.*).js, /contact-form-7/includes/js/(.*).js, /marketpress/marketpress-includes/js/(.*).js, /nextgen-gallery/products/photocrati_nextgen/modules/(.*).js, /pro-sites/pro-sites-files/js/(.*).js, /subscribe-by-email/assets/js/(.*).js, /widgetkit/cache/(.*).js, /widgetkit/widgets/(.*).js

    Funny thing that happens. The white list then for some reason changes to a different set of whitelist rules:

    /appointments/js/(.*).js, /contact-form-7/includes/js/(.*).js, /marketpress/marketpress-includes/js/(.*).js, /nextgen-gallery/products/photocrati_nextgen/modules/(.*).js, /pro-sites/pro-sites-files/js/(.*).js, /subscribe-by-email/assets/js/(.*).js, /widgetkit/cache/(.*).js, /widgetkit/widgets/(.*).js, /marketpress/marketpress-includes/js/ajax-cart.js, /subscribe-by-email/assets/js/widget.js, /contact-form-7/includes/js/jquery.form.min.js, /contact-form-7/includes/js/scripts.js

    The whitelist is very different. Do you know what is causing BPS to revert to a different/old whitelist? This might be what is causing the problem. Please note my AutoPilot cron Check Frequency is still set to “Run AutoPilot Cron Every 1 minute” if that makes any difference.

    Thanks,
    Tin

    #22552

    Tin Hoang
    Participant

    I just reverted my database to a backup I had: the state where only the Appointments and Nextgen 403 errors were happening. Fixed the regex expressions and for the most part everything is working again. I still have to track down some other plugins that need to be in the whitelist.

    Thank you for your help.
    Tin

    #22555

    AITpro Admin
    Keymaster

    Sounds like either something else you have installed on your site (a plugin or theme) is interfering with or breaking BPS Pro or you have database damage or corruption. The steps above are standard steps that work to clear/reset the Plugin Firewall rules and add/create new Plugin Firewall rules. If this same problem happens again in the future then I will need to log in to the site to figure out what is breaking BPS Pro on your site.

    #22561

    rafaelmagic
    Participant

    Tin,

    Activate your plugins one by one to find the culprit that is breaking BPS Pro. One of your plugins’ JavaScript needs a patch because it’s loading all over the place instead of staying in its area. When you find it, let Admin know and maybe they can share some tutorial with code that you can share with the plugin developer to update. Some developers just don’t code to WordPress Best Standard and Security.
