Blocking Legitimate Visitors To My Blog Posts

This topic contains 19 replies, has 2 voices, and was last updated by  BuildPath 1 year, 3 months ago.

Viewing 15 posts - 1 through 15 (of 20 total)
  • #32477

    BuildPath
    Participant

    Hi,

    BP Pro seems to be blocking legitimate visitors, but I’m not sure. I cannot find any documentation on how to help this situation… only finding documentation about blocked plugins.

    [403 GET Request: February 21, 2017 10:41 am]
    BPS Pro: 12.7
    WP: 4.7.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.162.91.14
    Host Name: ec2-54-162-91-14.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 54.162.91.14
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /my-blog-post-url/ [edited out for privacy]
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.43 Safari/536.11
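
An added example, not part of the original post and not BPS Pro's own code: a small Python parser for security log entries laid out like the one quoted above, listing heuristic signs that a blocked request was automated rather than a person reading the page. The sample log (documentation-range addresses), the hosting suffix list, the Chrome version threshold and the function names are assumptions made for illustration.

```python
import re
# Constructed sample in the layout of the entry quoted above (documentation-range IPs).
SAMPLE_LOG = """\
[403 GET Request: February 21, 2017 10:41 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 203.0.113.14
Host Name: ec2-203-0-113-14.compute-1.amazonaws.com
HTTP_REFERER:
REQUEST_URI: /my-blog-post-url/
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.43 Safari/536.11
[403 GET Request: February 21, 2017 11:02 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 198.51.100.7
Host Name: host-198-51-100-7.example.net
HTTP_REFERER: https://www.example.org/search?q=reviews
REQUEST_URI: /my-blog-post-url/
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
"""

HEADER = re.compile(r"^\[(\d{3}) (\w+) Request: (.+)\]$")
HOSTING_SUFFIXES = (".amazonaws.com",)  # assumption: extend from your own log
MIN_CHROME_MAJOR = 50                   # assumption: "old" threshold for a 2017 log

def parse_entries(text):
    """Split the log into one dict per entry, keyed by the log's field names."""
    entries, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:  # "[403 GET Request: <date>]" starts a new entry
            cur = {"status": m.group(1), "when": m.group(3)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            cur[key.strip()] = value.strip()
    return entries

def automation_hints(entry):
    """Heuristic signs that a blocked request came from a script, not a reader."""
    hints = []
    if entry.get("Host Name", "").lower().endswith(HOSTING_SUFFIXES):
        hints.append("hosting-provider host")
    if not entry.get("HTTP_REFERER"):
        hints.append("empty referer")
    ua = re.search(r"Chrome/(\d+)\.", entry.get("HTTP_USER_AGENT", ""))
    if ua and int(ua.group(1)) < MIN_CHROME_MAJOR:
        hints.append("outdated browser in User-Agent")
    return hints

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["REMOTE_ADDR"], e["when"], automation_hints(e) or "review by hand")
```

Entries that return no hints are the ones worth checking by hand as possible false positives; the hints are signals for triage, not proof either way.
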
    #32478

    BuildPath
    Participant

    [Topic has been merged into this related Topic]
    Hi,

    I can’t login. Captcha hover isn’t working. 🙁

    Property user here

    #32480

    AITpro Admin
    Keymaster

    When I check your site:  homesxxxxxxxxxxxxx.com I see 403 errors for all frontloading plugin scripts.  The Plugin Firewall does not appear to be working correctly on this site.  Most likely causes have something to do with:  CloudFlare Rocket and/or CDN settings.  I would like to login to this site to figure out what is causing this problem since I cannot tell exactly what the cause of the problem is by looking at the frontend of your site using Google Chrome Developer Tools.  Create a temporary WordPress Administrator login to this site and send the login info to:  info at ait-pro dot com.

    #32482

    AITpro Admin
    Keymaster

    Also I have merged your Captcha login problem into this forum topic because the root cause of the problem is related.  The first obvious problem that I see is that CloudFlare Rocket/CDN is caching your Login page.  Your Login page and any/all Forms should never be cached for any reason.  You always want to exclude Forms from being cached.  Typically all caching plugins have option settings to exclude pages/URI’s/URLs. I also see that frontloading plugin scripts are also being blocked on your Login page, which is also because something is breaking the BPS Pro Plugin Firewall.

    #32487

    BuildPath
    Participant

    Thank you.
    That is strange – I have never had login page problems as I have a cache bypass rule in Cloudflare to bypass cache on *site.com/wp-login.php*

    #32488

    AITpro Admin
    Keymaster

    Ok.  I was just going by the Source Code below that I see in your Login page code:

    try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:1487699329,byc:1,owlid:"cf",bag2:1,mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok3v=1613a3a185/"},atok:"f6504a17e37022fee687bf3fbdb19e15",petok:"e524b840701a782178d6f5e865ef50248214f74a-1487700017-1800",zone:"homesecuritylist.com",rocket:"m",apps:{}}];document.write('<script type="text/javascript" src="//ajax.cloudflare.com/cdn-cgi/nexp/dok3v=f2befc48d1/cloudflare.min.js"><'+'\/script>');}}catch(e){};

    What might be going on is a chain reaction problem. Deactivate the BPS Pro Plugin Firewall for now and check things. Something is breaking the BPS Pro Plugin Firewall, which is then breaking other things. I am not really sure what the root cause of the problem is so far. There are known issues with CloudFlare Rocket and js scripts. ie CloudFlare Rocket is known to commonly break js scripts.

    #32489

    BuildPath
    Participant

    Did you not want the admin access anymore then? I had already sent it to you 30 min ago. Also I got logged in on my main PC when I got home (still had session) and disabled jc captcha since it wasn’t working.

    #32490

    AITpro Admin
    Keymaster

    Oh I didn’t see the login info email that you sent to me.  Ok will be logging into the site now.  Thanks.

    #32491

    AITpro Admin
    Keymaster

    Oh my.  I see that you have quite a few security plugins installed.  Everything/all of them should work together, but that makes for a very complex troubleshooting scenario.  ie pinpointing which security plugin is actually doing what or a combo/chain reaction issue between the security plugins, which then causes other non-obvious problems.  So this is going to take me a bit of time to work through this/your complex environment. 😉

    #32492

    BuildPath
    Participant

    I only just added Sucuri last night so I’m not attached to it. I’m just desperate to find some way to block this person who has been injecting porn links and backdoors into my site almost every day for over 1 month. Nothing I do seems to help until yesterday when I installed Sucuri and your plugin.

    #32493

    BuildPath
    Participant

    I’d feel more ok if we can continue this convo privately via email and then report any solutions back in this thread.

    #32494

    AITpro Admin
    Keymaster

    Typically I would not proceed trying to get a hacked website working.  The reason for that is installing security plugins after a site is hacked is not going to remove/clean up the hacked site and hosting account.  You would actually need to do that first.  The problems that are occurring may be caused by the fact that your website is still hacked even though it does not appear obvious that it is still hacked.  We created this forum topic that has the steps to cleanup a hacked website/hosting account here:  https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

    So at this point I am assessing if this site is salvageable or if you need to restore it from a good backup or do the steps in the forum link above to cleanup the hacked website/hosting account.  I will let you know shortly what needs to happen.

    #32495

    BuildPath
    Participant

    Ok, let me know.. After I installed Sucuri and Wordfence I started getting user login attempt/success alerts, and I found that he had been using bruteforce attempts and eventually getting in… I was vulnerable to username enum so changed all usernames and passwords among many other things. He has tried to get in since then but has failed.

    #32496

    AITpro Admin
    Keymaster

    Hate to say it, but here is the typical scenario: Once your site is hacked by 1 hacker or hacker group then other hackers/hacker groups will also find that your site is already hacked and also start hacking your site. So in other words, several different hackers could have installed things and are using several different methods to take control/login/repeatedly hack your site.

    At this point, several BPS Pro security features were completely malfunctioning/not working correctly or at all.  That specific problem was caused by the Sucuri wp-content hardening feature, but what I think is going to happen is that by turning off the Sucuri wp-content hardening feature the hack will return.  The reason for that is that Sucuri feature is blocking hacker scripts/files that still exist as well as blocking BPS Pro security features.  I believe the hack or hacks are deeply embedded into your site and hosting account at this point.  It appears other BPS Pro features are being disabled intentionally.  So in my opinion at this point you should assume the worst and unfortunately that means following the steps in this forum topic to cleanup a hacked website/hosting account:  https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/  Overall for peace of mind it is the best approach to take at this point.  ie you know for sure that your site/hosting account is actually really 100% clean.

    I am logged out of your site now.

    #32497

    BuildPath
    Participant

    Thanks for the advice. Unfortunately it’s not within my ability/means at this point to safely do what you’re requiring here.
    I’ll just have to disable BPS even though I paid for it, and keep Sucuri running since you said that wp-content hardening is what’s stopping them right now… and of course I have to just hope the hacks don’t come back.
    It was the same one over and over again. The guy kept coming back just to put the same link to the same porn site in the same place, either via editing the header template file or by adding a widget.

    Since you said there are scripts/files that still exist, do you mean you found more backdoor php files, or you are assuming based on experience?
