BPS blocking Link whisper plugin

  • #39874
    Carlo
    Participant

    Just noticed recently that my plugin (Link Whisper) has a license error, which was unusual as it had been working fine since I had it.

    I re-enter the license to reactivate and I get:

    mysitename.com 403 Forbidden Error

    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.

    IP Address:XXXXXXXX

    Could this be from the latest BPS update? Anyway, how do I fix this?

    Thanks

    #39875
    AITpro Admin
    Keymaster

    Go to the BPS Pro > Logs & Info menu > Security Log page > copy the Security Log entry for the Link Whisper plugin and post it in your forum reply so I can see what is being blocked.

    #39876
    Carlo
    Participant
    [403 GET Request: January 18, 2021 5:13 pm]
    BPS Pro: 15.1
    WP: 5.4.4
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 172.69.162.162
    Host Name: 172.69.162.162
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 172.69.162.162
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://mysitehere.com/wp-admin/admin.php?page=link_whisper_license
    REQUEST_URI: /wp-admin/admin.php?page=link_whisper_license&sl_activation=false&msg=The+License+Key+%xxxxxxplaceholderherexxxxxxxxxxxxx%60+doesn%27t+go+to+any+known+products.+Fairly+often+this+is+caused+by+a+mistake+in+entering+the+License+Key.
    QUERY_STRING: page=link_whisper_license&sl_activation=false&msg=The+License+Key+%xxxxxxplaceholderherexxxxxxxxxxxxx%60+doesn%27t+go+to+any+known+products.+Fairly+often+this+is+caused+by+a+mistake+in+entering+the+License+Key.
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75
    
    [403 GET Request: January 18, 2021 5:38 pm]
    BPS Pro: 15.1
    WP: 5.4.4
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 172.68.65.62
    Host Name: 172.68.65.62
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 172.68.65.62
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /.well-known/security.txt
    QUERY_STRING:
    HTTP_USER_AGENT: python-requests/2.25.1
    #39877
    AITpro Admin
    Keymaster

    What is being blocked is the %27 single quote code character in this wp-admin htaccess file security rule:  RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]. The second Security Log entry has to do with Cloudflare making a python request to this file: /.well-known/security.txt. You can safely ignore that log entry.

    To fix this problem do the steps below:
    1. Copy the modified BPS wp-admin Query String Exploits htaccess code below into this BPS wp-admin Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    2. Click the Save wp-admin Custom Code button.
    3. Go to the BPS Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard.

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    #RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
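Added example, not part of the original post and not BPS code: a small Python check that replays the logged QUERY_STRING against a subset of the QUERY_STRING conditions above, to show which condition produces the 403 and that a constructed SQL injection probe is still caught once the quote rule is commented out. Python's `re` stands in for Apache's regex engine here, and the names `matching_rules`, `is_forbidden` and `SQLI_PROBE` are hypothetical.

```python
import re

# QUERY_STRING as recorded in the first Security Log entry above. Apache matches
# %{QUERY_STRING} against the raw, still percent-encoded string.
LOGGED_QS = ("page=link_whisper_license&sl_activation=false&msg=The+License+Key+"
             "%xxxxxxplaceholderherexxxxxxxxxxxxx%60+doesn%27t+go+to+any+known+products."
             "+Fairly+often+this+is+caused+by+a+mistake+in+entering+the+License+Key.")

# The condition that the modified code comments out: (pattern, flags).
QUOTE_RULE = (r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", "NC")

# A subset of the other QUERY_STRING conditions from the block above.
OTHER_RULES = [
    (r"(\<|%3C).*script.*(\>|%3E)", "NC"),
    (r"^.*(\(|\)|<|>).*", "NC"),
    (r"(NULL|OUTFILE|LOAD_FILE)", ""),
    (r"(localhost|loopback|127\.0\.0\.1)", "NC"),
    (r"concat[^\(]*\(", "NC"),
    (r"union([^s]*s)+elect", "NC"),
    (r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|"
     r"delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|"
     r"benchmark|encode)", "NC"),
]

def matching_rules(query_string, rules):
    """Return the patterns that match, as an OR-chained RewriteCond list would."""
    hits = []
    for pattern, flags in rules:
        re_flags = re.IGNORECASE if "NC" in flags else 0   # [NC] = case-insensitive
        if re.search(pattern, query_string, re_flags):     # RewriteCond is unanchored
            hits.append(pattern)
    return hits

def is_forbidden(query_string, rules):
    """Any single match in the OR chain triggers RewriteRule ... [F] (403)."""
    return bool(matching_rules(query_string, rules))

# Constructed probe (not from the log): must still be blocked without QUOTE_RULE.
SQLI_PROBE = "id=1%27+union+select+1"

if __name__ == "__main__":
    print("original rules:", matching_rules(LOGGED_QS, [QUOTE_RULE] + OTHER_RULES))
    print("quote rule off:", matching_rules(LOGGED_QS, OTHER_RULES))
    print("probe, quote rule off:", matching_rules(SQLI_PROBE, OTHER_RULES))
```

Only the QUERY_STRING conditions are modelled; the USER_AGENT, THE_REQUEST and REFERER conditions in the same chain are evaluated separately by Apache and are not covered by this check.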
    #39878
    AITpro Admin
    Keymaster

    Oh and do you have the pro/premium version of the Link Whisper plugin or the free version?  If you have the pro/premium version then let me know the path to the main plugin file so that I can add this fix to the BPS Setup Wizard AutoFix feature.

    Example of a path to the main plugin file: /bulletproof-security/bulletproof-security.php

    #39882
    Carlo
    Participant

    Just making sure I don't mess anything up, you said in 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    Custom code 4 is (4. CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION:)
    Did you mean custom code 12: (12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS:)
    As there is code already in there, do I just overwrite what is already in there?

    Also, I'm using the “Paid” version of Link Whisper, how do I find out the correct path?

    #39885
    AITpro Admin
    Keymaster

    wp-admin Custom Code is under the “wp-admin htaccess File Custom Code” accordion tab/button.  Click the wp-admin htaccess File Custom Code accordion tab/button.

    You can find the path to the Link Whisper main plugin file by going to the BPS Pro > Logs & Info menu > System Info page > click the Get Plugins List button > copy the Link Whisper plugin information and paste it in your forum reply.

    Example:
    BuddyPress 6.1.0 – Activated: buddypress/bp-loader.php
    BulletProof Security Pro 15.1 – Activated: bulletproof-security/bulletproof-security.php
    Classic Editor 1.6 – Activated: classic-editor/classic-editor.php

    #39892
    Carlo
    Participant

    Link Whisper 1.5.8 – Activated: link-whisper-premium/link-whisper.php

    As for the fix you suggested above, I overwrote the code in box 4 with the modified one you added above, but that gave all sorts of 403 errors, even when browsing in the dashboard, and still won't allow me to activate my license. It just refreshes the screen and nothing happens?

    I had to revert back to the original code. Any other suggestions?

    #39900
    AITpro Admin
    Keymaster

    To confirm or eliminate that BPS Pro is causing the 403 errors do the troubleshooting steps here > https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
