Beaver Builder – 403 error – UAEG blocking js scripts

[AITpro Admin]

Terry Chadban – The older fix in this forum topic may still actually work, but if not use the newer fix listed in this topic.

[Terry Chadban]

I have already tried the ‘solutions’ under https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/ with no success. Either ARQ or UAEG is overwriting the whitelisted folder I added. I have isolated the problem to the Root Folder because when I deactivated the Root Folder Bulletproof Mode Beaver Builder started working.

The only custom code now in Root Folder is the TimThumb and BPS Query Strings code which is added by default, I have removed all the code I added, which was the same custom code which you present as bonus scripts, the Brute Force and Bottom Hotlinking codes which I have added to every other website with no problems.

But as soon as I re-activate Root Folder Bulletproof Mode, Beaver Builder hangs and the same alerts come back. I need Beaver Builder to work on this website so it is BPS Pro that will be going if I can’t get them working together, but obviously I would prefer to keep BPS Pro rather than go back to iThemes Security or Wordfence if possible.

Terry

[AITpro Admin]

Terry Chadban – The problem is being caused by the BPS POST Attack Protection Bonus Custom Code.  Most likely this whitelist rule would work: page_id=(.*)_builder. Important Notes: Your BPS POST Attack Protection Bonus Custom Code should be added to this BPS Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START and you would need to include your standard BPS WP REWRITE LOOP START. So the end block of code(s) would look something like this example code below.

# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
...
...
...
# Query String Whitelist rule for Beaver Builder
RewriteCond %{REQUEST_URI} !^.*page_id=(.*)_builder(.*) [NC]
RewriteRule ^(.*)$ - [F]

[Terry Chadban]

I have applied the following rules in 8. Custom Code WP Rewrite Loop Start:

# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# Query String Whitelist rule for Beaver Builder
RewriteCond %{REQUEST_URI} !^.*page_id=(.*)_builder(.*) [NC]
RewriteRule ^(.*)$ - [F]

reactivated Bulletproof Mode and even did a complete new Setup, and still getting the following alerts:

BPS PRO SECURITY LOG
=====================
=====================


[403 GET Request: November 13, 2017 - 1:24 pm]
BPS Pro: 13.3.3
WP: 4.8.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 50.28.105.92
Host Name: peter.uswebhost.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: POST
HTTP_REFERER: https://mybizaus.com/wp-cron.php?doing_wp_cron=1510539845.4635488986968994140625
REQUEST_URI: /wp-cron.php?doing_wp_cron=1510539845.4635488986968994140625
QUERY_STRING: doing_wp_cron=1510539845.4635488986968994140625
HTTP_USER_AGENT: WordPress/4.8.3; https://mybizaus.com

[403 GET Request: November 13, 2017 - 1:24 pm]
BPS Pro: 13.3.3
WP: 4.8.3
Event Code: UAEGWR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
REMOTE_ADDR: 27.96.200.58
Host Name: 27-96-200-58-cpe.spintel.net.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: https://mybizaus.com/?page_id=46&fl_builder
REQUEST_URI: /wp-content/uploads/bb-plugin/cache/46-layout-draft.js
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

[403 POST Request: November 13, 2017 - 1:24 pm]
BPS Pro: 13.3.3
WP: 4.8.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 27.96.200.58
Host Name: 27-96-200-58-cpe.spintel.net.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: POST
HTTP_REFERER: https://mybizaus.com/?page_id=46&fl_builder
REQUEST_URI: /?page_id=46&fl_builder
QUERY_STRING: page_id=46&fl_builder
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

[403 GET Request: November 13, 2017 - 1:25 pm]
BPS Pro: 13.3.3
WP: 4.8.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 50.28.105.92
Host Name: peter.uswebhost.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: POST
HTTP_REFERER: https://mybizaus.com/wp-cron.php?doing_wp_cron=1510539907.8256819248199462890625
REQUEST_URI: /wp-cron.php?doing_wp_cron=1510539907.8256819248199462890625
QUERY_STRING: doing_wp_cron=1510539907.8256819248199462890625
HTTP_USER_AGENT: WordPress/4.8.3; https://mybizaus.com

The IP addresses are mine, and the domain’s. Do I need to include the full WP Rewrite Loop, or just the Loop Start as you said above and which I did?

Terry

 

[AITpro Admin]

Terry Chadban – Try removing (cut and paste somewhere – Notepad, Notepad++, etc) the POST Attack Protection Bonus Custom Code just to make sure that is what is causing the problem.  Resave your Custom Code changes and activate Root BulletProof Mode again. Let me know if that temporarily works and then we can work from there.

[Terry Chadban]

This morning when I tried to log in to wp-admin I got a ‘403 Forbidden’ error from BPS Pro, obviously I have been flagged as a hacker even though my IP address was supposedly whitelisted! So I spat the dummy and deleted and re-installed BPS Pro and ran the Setup Wizard again.

This time I got this code installed in 8. Custom Code:

 

# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# Query String Whitelist rule for Beaver Builder
RewriteCond %{REQUEST_URI} !^.*page_id=(.*)_builder(.*) [NC]
RewriteRule ^(.*)$ - [F]

which has improved things a bit, in that the BB page will load, but options are still hanging and IPs getting blocked. Here is what I currently have in UAEG Custom Code:

# BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
#
# BPS LiteSpeed mod_rewrite
#
# BEGIN WHITELIST
# Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
# of the whitelist rule you want to use and add the actual filename or folder name you want to whitelist.
# Whitelist a specific js file in the uploads folder: example.js
#RewriteRule ^example.js$ - [L]
# Whitelist an entire folder in the uploads folder: /uploads/example-folder/
#RewriteRule ^example-folder/.*$ - [L]
RewriteRule ^/wp-content/uploads/bb-plugin/cache/7172-layout.js?ver=a1d3869e9df6cdc4be634d507ec278e6/.*$ - [L]
# END WHITELIST
#
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$ [NC]
RewriteRule ^(.*)$ - [F]

# FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
<FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
Order Allow,Deny
Deny from all
</FilesMatch>

Terry

[AITpro Admin]

Terry Chadban – At this point send me an Admin login to this site so we can get this problem resolved:  info at ait-pro dot com.

[Author]

Posts