Custom Login Page Redirect – 403 error

Home Forums BulletProof Security Free Custom Login Page Redirect – 403 error

Tagged: 

This topic contains 20 replies, has 2 voices, and was last updated by  AITpro Admin 2 years, 6 months ago.

Viewing 15 posts - 1 through 15 (of 21 total)
  • Author
    Posts
  • #25495

    Rick
    Participant

    I get a 403 error page when trying to login to a support desk setup on my domain. Any solution or help would be great. Thank you.

    [403 GET / HEAD Request: October 5, 2015 3:30 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 24.115.202.239
    Host Name: 24.115.202.239.res-cmts.pbg.ptd.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 1.1.1.1
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.my.com/my-help-desk/
    REQUEST_URI: /my-help-desk/login/?redirect=http://www.my.com/my-help-desk/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
    #25500

    AITpro Admin
    Keymaster

    If you are unable to login to the site then use FTP or your web host control panel file manager and delete the root and wp-admin htaccess files.

    http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    Note: These steps above apply to issues/problems that are directly related to your root .htaccess file. If your are unable to login to your site due to an issue/problem with Login Security, rename the /bulletproof-security plugin folder to /_bulletproof-security, log back into your website, rename the /_bulletproof-security/ plugin folder to /bulletproof-security/ and correct the issue/problem.

    I need more information.  It appears /login/ is a custom login page and that custom login page then redirects to another custom login page /my-help-desk/ or maybe /my-help-desk/ is not another login page and is something else.  If /my-help-desk/ is something else then what is it exactly?  Are the custom login pages created by a plugin?  If so, post the name of the plugin.  If not, are they created with custom code that you created in your theme’s functions.php file?

    Do these BPS troubleshooting steps to determine if the issue is being caused by either the root htaccess file or the wp-admin htaccess file or both files.  It could also be possible there is a Login/Login Security issue going on – do step 4.

    http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    #25507

    Rick
    Participant

    Ok, it is the root htaccess file causing the issue.

    There are two plugins needed for this operation. First the SupportEzzy Ticket System plugin and the Front-end Membership Modules plugin created by the same developer. The second step after clicking login from the login link takes you to the protected page for actual logging in.

    Thank you.

    #25514

    AITpro Admin
    Keymaster

    Try this first:

    1.  Go to the BPS htaccess File Editor page, click on the Your Current Root htaccess File tab, scroll down in your Root .htaccess file code until you see this .htaccess code below.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    2.  Copy your # WP REWRITE LOOP START code to this BPS Root Custom Code text box:  CUSTOM CODE WP REWRITE LOOP START
    3.  After you have copied your WP Rewrite Loop Start .htaccess code then add your RewriteRule code shown below.  Your code should look like this example below.
    4.  Click the Save Root Custom Code button.
    5. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # Custom Login RewriteRule skip/bypass
    RewriteRule ^login/ - [L]
    #25523

    Rick
    Participant

    Ok, it did work for that particular link and login page. EXCELLENT! The only thing I noticed that I had to place it in the custom code dsection and then go back and place it in the active root .htaccess file section for some reason when I clicked create secure .htaccess file after inserting custom code it did not adhere to the root .htaccess file. But I placed it in there manually and then recreated the secure .htaccess file. Little wordy I know  but it worked. Now do I need to add any additional pages in the same maner under the custom rewriterule?

    Example:

    RewriteRule ^edit/ - [L]
    #25527

    AITpro Admin
    Keymaster

    Great! Thanks for confirming that worked.

    Did you do all of the Custom Code steps?  ie Activate Root BulletProof Mode?  You would only need to add additional whitelist rules if they are needed.  The same whitelisting method/rule will probably not be the same for a different issue/problem.  If you see 403 log entries for something legitimate that is being blocked then that is when you need to create a whitelist rule for that, otherwise you do not need to do anything.

    Root htaccess File Custom Code Setup Steps
    1. Enter your custom code in the appropriate Root Custom Code text box.
    2. Click the Save Root Custom Code button to save your Root custom code.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    #25533

    Rick
    Participant

    Bad news. The 403 error is gone for login and register. However when submitting any information it loops right back to the protected login screen and does not give access. In other words after submitting any information in the form it just loops right back.

    #25547

    Rick
    Participant

    I noticed on the second level with the protect login form it shows in the url at the end for each of these. Is this anything that would prevent logging in or any of the other functions with the loop start?

    /?show=login
    /?show=forgot-password
    /?show=register
    #25548

    AITpro Admin
    Keymaster

    Yep, I thought that was a very likely thing that would happen.  You mentioned SupportEzzy Ticket System plugin and the Front-end Membership Modules plugin created by the same developer.  So was a custom redirect or rewrite created using any htaccess code to do this custom redirect/rewrite or is the redirect being done using only PHP code?  Instead of trying to guess how these things work, it would be better to get these answers first from the developer who created these plugins.  Once you get those answers from the developer then post the answers here.

    Is this anything that would prevent logging in or any of the other functions with the loop start?

    I cannot answer that question since this is a custom solution and not a standard WordPress setup.

    #25553

    AITpro Admin
    Keymaster

    Something has to be wrong with this.  This does not seem correct.  Why would you redirect back to the home page from the /login/ page?  That would create an infinite redirect looping problem when doing any sort of redirection.  Example:  doing a redirect from /login/ to /somewhere-else/ is fine, but redirecting back a URI level is not good. If the redirect is supposed to happen AFTER login processing is completed then the redirect is fine, but if it is happening BEFORE login processing is completed then that is definitely a mistake.

    /my-help-desk/login/?redirect=http://www.my.com/my-help-desk/
    #25557

    AITpro Admin
    Keymaster

    Here is some code we use on our main site to redirect Users after they login. This example code demonstrates how to redirect a User AFTER they have logged into the site since you would not want to do a redirect for any reason BEFORE a User logs in. That is just not logical to do that.

    And of course the most obvious problem is passing login information from one form to another form is very dangerous and a huge security risk that will probably get your website hacked eventually.  You want login processing data processed on the login page and would NEVER send login information from one form to another form – you are asking to get hacked if you do that.

    // redirect non-admins into the Secure Download Area
    function example_redirect( $redirect_to, $request, $user ) {
    global $user;
    	
    	if ( isset( $user->roles ) && is_array( $user->roles ) ) {
    
    		if ( in_array( 'administrator', $user->roles ) ) {
    			// redirect to /wp-admin
    			return $redirect_to;
    		
    		} else {
    			
    			return site_url('/pd/');
    		}
    	
    	} else {
    		
    		return $redirect_to;
    	}
    }
    add_filter( 'login_redirect', 'example_redirect', 10, 3 );
    #25562

    Rick
    Participant

    Yeah, its funny because it used to work and after some updates to BPS it does not work now with updated versions. When I deactivate BPS altogether everything works just fine.  I didn’t see any .htaccess files within the plugins directory. I contacted the developer of the plugin. Waiting for their reply.  Anything else to try it comes up in the security logs as a threat.

    #25563

    AITpro Admin
    Keymaster

    Well the problem could also be caused by something that changed in either of the other plugins you are using and not BPS.
    http://forum.ait-pro.com/forums/topic/bps-changelog/
    Significant htaccess code and file changes were made in versions .52.6 and .52.5 and .51.2, but nothing that I can think of that would cause this type of problem.

    Anything else to try it comes up in the security logs as a threat.

    Yes, of course it is seen as a security threat because it definitely is a security risk/threat for your website.
    Without knowing exactly how this custom solution is being done I cannot make any guesses.

    #25570

    Rick
    Participant

    What if the redirect is going to a different page on the same domain? Is that safe or should it be a redirect to a different domain? I need to know if this is a safe plugin or not?

    #25571

    AITpro Admin
    Keymaster

    However when submitting any information it loops right back to the protected login screen and does not give access. In other words after submitting any information in the form it just loops right back.

    The issue is bigger than just a redirect. My interpretation of what you said above is you are entering login information in 1 form and then that login information is being passed/sent to another login form to process that sensitive login data: username|password. Is that correct?

Viewing 15 posts - 1 through 15 (of 21 total)

You must be logged in to reply to this topic.