Custom Login Page Redirect – 403 error

Viewing 15 posts - 1 through 15 (of 21 total)
  • #25495
    Rick
    Participant

    I get a 403 error page when trying to login to a support desk setup on my domain. Any solution or help would be great. Thank you.

    [403 GET / HEAD Request: October 5, 2015 3:30 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 24.115.202.239
    Host Name: 24.115.202.239.res-cmts.pbg.ptd.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 1.1.1.1
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.my.com/my-help-desk/
    REQUEST_URI: /my-help-desk/login/?redirect=http://www.my.com/my-help-desk/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
    #25500
    AITpro Admin
    Keymaster

    If you are unable to login to the site then use FTP or your web host control panel file manager and delete the root and wp-admin htaccess files.

    http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    Note: These steps above apply to issues/problems that are directly related to your root .htaccess file. If you are unable to login to your site due to an issue/problem with Login Security, rename the /bulletproof-security plugin folder to /_bulletproof-security, log back into your website, rename the /_bulletproof-security/ plugin folder to /bulletproof-security/ and correct the issue/problem.

    I need more information.  It appears /login/ is a custom login page and that custom login page then redirects to another custom login page /my-help-desk/ or maybe /my-help-desk/ is not another login page and is something else.  If /my-help-desk/ is something else then what is it exactly?  Are the custom login pages created by a plugin?  If so, post the name of the plugin.  If not, are they created with custom code that you created in your theme’s functions.php file?

    Do these BPS troubleshooting steps to determine if the issue is being caused by either the root htaccess file or the wp-admin htaccess file or both files.  It could also be possible there is a Login/Login Security issue going on – do step 4.

    http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    #25507
    Rick
    Participant

    Ok, it is the root htaccess file causing the issue.

    There are two plugins needed for this operation. First the SupportEzzy Ticket System plugin and the Front-end Membership Modules plugin created by the same developer. The second step after clicking login from the login link takes you to the protected page for actual logging in.

    Thank you.

    #25514
    AITpro Admin
    Keymaster

    Try this first:

    1.  Go to the BPS htaccess File Editor page, click on the Your Current Root htaccess File tab, scroll down in your Root .htaccess file code until you see this .htaccess code below.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    2.  Copy your # WP REWRITE LOOP START code to this BPS Root Custom Code text box:  CUSTOM CODE WP REWRITE LOOP START
    3.  After you have copied your WP Rewrite Loop Start .htaccess code then add your RewriteRule code shown below.  Your code should look like this example below.
    4.  Click the Save Root Custom Code button.
    5. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # Custom Login RewriteRule skip/bypass
    RewriteRule ^login/ - [L]
    #25523
    Rick
    Participant

    Ok, it did work for that particular link and login page. EXCELLENT! The only thing I noticed is that I had to place it in the custom code section and then go back and place it in the active root .htaccess file section; for some reason, when I clicked Create Secure .htaccess File after inserting the custom code, it did not adhere to the root .htaccess file. But I placed it in there manually and then recreated the secure .htaccess file. A little wordy, I know, but it worked. Now do I need to add any additional pages in the same manner under the custom RewriteRule?

    Example:

    RewriteRule ^edit/ - [L]
    #25527
    AITpro Admin
    Keymaster

    Great! Thanks for confirming that worked.

    Did you do all of the Custom Code steps?  ie Activate Root BulletProof Mode?  You would only need to add additional whitelist rules if they are needed.  The same whitelisting method/rule will probably not be the same for a different issue/problem.  If you see 403 log entries for something legitimate that is being blocked then that is when you need to create a whitelist rule for that, otherwise you do not need to do anything.

    Root htaccess File Custom Code Setup Steps
    1. Enter your custom code in the appropriate Root Custom Code text box.
    2. Click the Save Root Custom Code button to save your Root custom code.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

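    Added example, not code from the BPS author or from any post in this thread: the same skip rule generalized to several custom paths in one anchored alternation, in the form that goes into the CUSTOM CODE WP REWRITE LOOP START text box. The path names login, register and edit are taken from the posts above; the block assumes the root .htaccess file sits in the WordPress install directory, because a RewriteRule in a per-directory .htaccess file is matched against the request path relative to that directory.

```apache
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# Custom Login RewriteRule skip/bypass (paths assumed from this thread)
# The leading ^ anchors the pattern to the start of the path relative to the
# directory holding this .htaccess file, so only these top-level paths are
# skipped. An unanchored pattern such as "login/" would also match
# /wp-admin/anything-login/ and widen the bypass.
# "-" means no substitution; [L] stops rewrite processing for a matching
# request, so every BPS rule placed below this block is skipped for it.
RewriteRule ^(login|register|edit)/ - [L]
```

    The RewriteRule pattern is tested against the URL path only, never the query string, so a request such as /login/?show=forgot-password is already covered by the login entry. If the form posts to some other path, that path needs its own entry; the REQUEST_URI in the BPS Security Log 403 entry shows exactly what to add. Every entry switches all BPS root rules off for that path, so keep the list to what the log proves is being blocked.
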
    #25533
    Rick
    Participant

    Bad news. The 403 error is gone for login and register. However when submitting any information it loops right back to the protected login screen and does not give access. In other words after submitting any information in the form it just loops right back.

    #25547
    Rick
    Participant

    I noticed on the second level with the protected login form it shows in the url at the end for each of these. Is this anything that would prevent logging in or any of the other functions with the loop start?

    /?show=login
    /?show=forgot-password
    /?show=register
    #25548
    AITpro Admin
    Keymaster

    Yep, I thought that was a very likely thing that would happen.  You mentioned SupportEzzy Ticket System plugin and the Front-end Membership Modules plugin created by the same developer.  So was a custom redirect or rewrite created using any htaccess code to do this custom redirect/rewrite or is the redirect being done using only PHP code?  Instead of trying to guess how these things work, it would be better to get these answers first from the developer who created these plugins.  Once you get those answers from the developer then post the answers here.

    Is this anything that would prevent logging in or any of the other functions with the loop start?

    I cannot answer that question since this is a custom solution and not a standard WordPress setup.

    #25553
    AITpro Admin
    Keymaster

    Something has to be wrong with this.  This does not seem correct.  Why would you redirect back to the home page from the /login/ page?  That would create an infinite redirect looping problem when doing any sort of redirection.  Example:  doing a redirect from /login/ to /somewhere-else/ is fine, but redirecting back a URI level is not good. If the redirect is supposed to happen AFTER login processing is completed then the redirect is fine, but if it is happening BEFORE login processing is completed then that is definitely a mistake.

    /my-help-desk/login/?redirect=http://www.my.com/my-help-desk/
    #25557
    AITpro Admin
    Keymaster

    Here is some code we use on our main site to redirect Users after they login. This example code demonstrates how to redirect a User AFTER they have logged into the site since you would not want to do a redirect for any reason BEFORE a User logs in. That is just not logical to do that.

    And of course the most obvious problem is passing login information from one form to another form is very dangerous and a huge security risk that will probably get your website hacked eventually.  You want login processing data processed on the login page and would NEVER send login information from one form to another form – you are asking to get hacked if you do that.

    // redirect non-admins into the Secure Download Area
    function example_redirect( $redirect_to, $request, $user ) {
    	// $user is the WP_User on a successful login or a WP_Error on a
    	// failed one; only a WP_User carries a roles array. (A "global $user;"
    	// statement here would replace this parameter with the global.)
    	if ( isset( $user->roles ) && is_array( $user->roles ) ) {

    		if ( in_array( 'administrator', $user->roles ) ) {
    			// administrators keep the default redirect to /wp-admin
    			return $redirect_to;

    		} else {
    			// everyone else goes to the Secure Download Area
    			return site_url('/pd/');
    		}

    	} else {
    		// login failed (WP_Error): keep the default redirect
    		return $redirect_to;
    	}
    }
    add_filter( 'login_redirect', 'example_redirect', 10, 3 );

    #25562
    Rick
    Participant

    Yeah, it's funny because it used to work and after some updates to BPS it does not work now with updated versions. When I deactivate BPS altogether everything works just fine.  I didn't see any .htaccess files within the plugins directory. I contacted the developer of the plugin. Waiting for their reply.  Anything else to try? It comes up in the security logs as a threat.

    #25563
    AITpro Admin
    Keymaster

    Well the problem could also be caused by something that changed in either of the other plugins you are using and not BPS.
    http://forum.ait-pro.com/forums/topic/bps-changelog/
    Significant htaccess code and file changes were made in versions .52.6 and .52.5 and .51.2, but nothing that I can think of that would cause this type of problem.

    Anything else to try? It comes up in the security logs as a threat.

    Yes, of course it is seen as a security threat because it definitely is a security risk/threat for your website.
    Without knowing exactly how this custom solution is being done I cannot make any guesses.

    #25570
    Rick
    Participant

    What if the redirect is going to a different page on the same domain? Is that safe, or should it be a redirect to a different domain? I need to know if this is a safe plugin or not.

    #25571
    AITpro Admin
    Keymaster

    However when submitting any information it loops right back to the protected login screen and does not give access. In other words after submitting any information in the form it just loops right back.

    The issue is bigger than just a redirect. My interpretation of what you said above is you are entering login information in 1 form and then that login information is being passed/sent to another login form to process that sensitive login data: username|password. Is that correct?
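
    An added example, not code from this thread, from BPS or from the SupportEzzy/Front-end Membership plugins, that ties the AFTER-login point made above to the same-domain question: a login_redirect filter that honours the redirect= query parameter seen in the logged REQUEST_URI only once WordPress has authenticated the user, and only when WordPress's own wp_validate_redirect() confirms the target host is this site. The parameter name redirect is taken from the log line; the function name and the fallback behaviour are assumptions.

```php
<?php
/**
 * Added example (hypothetical; not from this thread or any plugin).
 * Honour a ?redirect= parameter from a custom login page only after
 * a successful login, and only when it points back at this site.
 */
function example_safe_login_redirect( $redirect_to, $requested_redirect_to, $user ) {
    // WordPress passes a WP_Error on a failed login; never redirect then.
    if ( ! ( $user instanceof WP_User ) ) {
        return $redirect_to;
    }

    // The target the custom login page appended to its own URL
    // (parameter name "redirect" as in the logged REQUEST_URI above).
    $wanted = isset( $_REQUEST['redirect'] ) ? wp_unslash( $_REQUEST['redirect'] ) : '';
    if ( '' === $wanted ) {
        return $redirect_to;
    }

    // Administrators keep the default destination regardless of the parameter.
    if ( in_array( 'administrator', (array) $user->roles, true ) ) {
        return $redirect_to;
    }

    // wp_validate_redirect() returns $wanted only if its host is this site's
    // (or one added through the allowed_redirect_hosts filter); any other
    // host, including a look-alike domain, falls back to $redirect_to.
    // A same-domain page therefore passes; a different domain is refused.
    return wp_validate_redirect( $wanted, $redirect_to );
}
add_filter( 'login_redirect', 'example_safe_login_redirect', 10, 3 );
```

    The filter only ever decides where to send a user who has already been authenticated by wp-login.php; the username and password never leave the login form, which is the property the post above insists on.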
