BPS Firewall conflict with WPForms-browser errors logged to console, 403 forbidden errors
- This topic has 5 replies, 2 voices, and was last updated 3 months, 1 week ago by AITpro Admin.
IrisParticipant
Hi BPS Pro Support,
I use WP Forms Lite plugin for a contact form. Google PageSpeed flagged ‘Browser Errors logged to the console’ for each of the following six URLs:
- /wp-content/plugins/wpforms-lite/assets/lib/jquery.validate.min.js?ver=1.20.0
- /wp-content/plugins/wpforms-lite/assets/lib/mailcheck.min.js?ver=1.1.2
- /wp-content/plugins/wpforms-lite/assets/lib/punycode.min.js?ver=1.0.0
- /wp-content/plugins/wpforms-lite/assets/js/share/utils.min.js?ver=1.8.9.4
- /wp-content/plugins/wpforms-lite/assets/js/frontend/wpforms.min.js?ver=1.8.9.4
- /wp-content/plugins/wpforms-lite/assets/js/frontend/wpforms-modern.min.js?ver=1.8.9.4
The browser errors for each of the above were:
- “Failed to load resource: the server responded with a status of 403 (Forbidden)”
- "Refused to execute script from 'https://home/wp-content/plugins/wpforms-lite/assets/js/frontend/wpforms.min.js?ver=1.8.9.4' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled." - for each of the above URLs.
The BPS Security Log showed a GET REQUEST for each of the 6 URLs, HTTP_REFERER: https://home/contact/:
REQUEST_URI: /wp-content/plugins/wpforms-lite/assets/js/frontend/wpforms-modern.min.js?ver=1.8.9.4
QUERY_STRING: ver=1.8.9.4
REQUEST_URI: /wp-content/plugins/wpforms-lite/assets/lib/mailcheck.min.js?ver=1.1.2
QUERY_STRING: ver=1.1.2
REQUEST_URI: /wp-content/plugins/wpforms-lite/assets/lib/jquery.validate.min.js?ver=1.20.0
QUERY_STRING: ver=1.20.0
REQUEST_URI: /wp-content/plugins/wpforms-lite/assets/lib/punycode.min.js?ver=1.0.0
QUERY_STRING: ver=1.0.0
REQUEST_URI: /wp-content/plugins/wpforms-lite/assets/js/share/utils.min.js?ver=1.8.9.4
QUERY_STRING: ver=1.8.9.4
REQUEST_URI: /wp-content/plugins/wpforms-lite/assets/js/frontend/wpforms.min.js?ver=1.8.9.4
QUERY_STRING: ver=1.8.9.4
On inspecting the contact page I noted the 403 Forbidden message was one that I recognised from BPS. So I figured maybe a conflict.
I contacted my Host. They said my site had hit ModSecurity rules again and excluded specific rules that my account had hit.
That didn’t fix the errors. On running PageSpeed tests I still saw the same browser errors reported to the console even though they did not show up when inspecting the page.
I deactivated the BPS Plugin Firewall and the errors disappeared. No browser errors were logged to the console.
Please can you advise whitelist rule/s or some fix?
The Plugins Script/File Firewall Whitelist area has /wpforms-lite/assets/js//(.*).js in it. But obviously not enough.
Would the following possibly work if added to the Plugin Firewall Whitelist area? If so is it ok to leave off the version?
/wp-content/plugins/wpforms-lite/assets/js/frontend/wpforms-modern.min.js, /wp-content/plugins/wpforms-lite/assets/lib/mailcheck.min.js, /wp-content/plugins/wpforms-lite/assets/lib/jquery.validate.min.js, /wp-content/plugins/wpforms-lite/assets/lib/punycode.min.js, /wp-content/plugins/wpforms-lite/assets/js/share/utils.min.js, /wp-content/plugins/wpforms-lite/assets/js/frontend/wpforms.min.js,
Thank you for your time,
I look forward to your reply.
AITpro AdminKeymaster
This is something new that has started occurring around April 2024. I’m still not sure what is causing this since I can’t reproduce this problem on any of my live or dev sites. 4 people have reported this problem.
You can either deactivate the Plugin Firewall feature or you can try modifying Plugin Firewall whitelist rules like this: /wpforms-lite/assets/js/frontend/wpforms.min.js(.*)
I will most likely need to modify BPS Pro code to compensate for this problem.
IrisParticipant
Thank you for your prompt reply. I might leave the Plugin Firewall feature deactivated for the time being.
Interesting you mention April. Around April 5 a number of updates occurred at least in my case, within a day or two. WordPress, Astra, don’t recall the others now. From that point I began having various issues pop up and decided having everything on auto-update was a bad idea.
AITpro AdminKeymaster
Yep, the other people also have the Astra theme. So testing that first. What’s odd is that yes it has been a standard for WordPress to add ?ver= Query Strings to plugin and theme js and css files in Source Code, but something appears to be turning that Source Code into some kind of static cache where the Query String is not being treated like a regular Query String and instead is being seen as part of the url, which is very strange.
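The effect discussed above, as an added example that is not part of the original posts and is not BPS Pro code: it takes REQUEST_URI values from the Security Log excerpt and reports which ones a whitelist rule leaves uncovered, once with the path compared alone and once with `?ver=` compared as part of the URL. The matching model (a rule is a regular expression that must match through to the end of the compared string) is an assumption made for illustration; the thread does not state how BPS Pro evaluates rules, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Abridged from the Security Log excerpt in the first post (three of the six entries).
SECURITY_LOG = """\
REQUEST_URI: /wp-content/plugins/wpforms-lite/assets/js/frontend/wpforms.min.js?ver=1.8.9.4
QUERY_STRING: ver=1.8.9.4
REQUEST_URI: /wp-content/plugins/wpforms-lite/assets/lib/mailcheck.min.js?ver=1.1.2
QUERY_STRING: ver=1.1.2
REQUEST_URI: /wp-content/plugins/wpforms-lite/assets/js/share/utils.min.js?ver=1.8.9.4
QUERY_STRING: ver=1.8.9.4
"""

# The rule suggested in the thread, and the same rule without the trailing (.*).
RULE_WITH_TAIL = r"/wpforms-lite/assets/js/frontend/wpforms.min.js(.*)"
RULE_NO_TAIL = r"/wpforms-lite/assets/js/frontend/wpforms.min.js"


def blocked_uris(log_text):
    """Return the REQUEST_URI values found in a Security Log excerpt."""
    return [line.split(":", 1)[1].strip()
            for line in log_text.splitlines()
            if line.startswith("REQUEST_URI:")]


def is_covered(uri, rules, query_in_url):
    """ASSUMED model: a rule is a regex that must match up to the end of the
    compared string. query_in_url=True compares the path plus ?ver=...,
    False compares the path only."""
    target = uri if query_in_url else urlsplit(uri).path
    return any(re.search(rule + r"\Z", target) for rule in rules)


def uncovered(log_text, rules, query_in_url):
    """List the logged URIs that no whitelist rule covers."""
    return [u for u in blocked_uris(log_text)
            if not is_covered(u, rules, query_in_url)]


if __name__ == "__main__":
    for rules in ([RULE_NO_TAIL], [RULE_WITH_TAIL]):
        for query_in_url in (False, True):
            print(rules, "query_in_url =", query_in_url)
            for uri in uncovered(SECURITY_LOG, rules, query_in_url):
                print("   still blocked:", uri)
```

Under this model the rule without `(.*)` stops covering `wpforms.min.js` as soon as the query string counts as part of the URL, and neither form covers the files under `/assets/lib/` or `/assets/js/share/`.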
IrisParticipant
Also around that time I started to see “headers already sent in..” type warnings in the BPS PHP Error logs.
I had never seen these before until after the bunch of updates in early April. The four below still keep randomly occurring. I have contacted WordFence but no solution found as yet. I also see the same on another site.
Any suggestions would be greatly appreciated although I realise this is a different topic now.
Thank you again for your time.
[30-Jun-2024 17:31:26 UTC] PHP Warning: Cannot modify header information - headers already sent in /home/mysite/public_html/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php on line 1198
[30-Jun-2024 17:31:26 UTC] PHP Warning: Cannot modify header information - headers already sent in /home/mysite/public_html/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/utils.php on line 749
[30-Jun-2024 17:31:26 UTC] PHP Warning: Cannot modify header information - headers already sent in /home/mysite/public_html/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/utils.php on line 750
[30-Jun-2024 17:31:26 UTC] PHP Warning: Cannot modify header information - headers already sent in /home/mysite/public_html/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/utils.php on line 751
AITpro AdminKeymaster
Headers already sent errors can occur when debugging is turned on or when there is a caching malfunction. These days the majority of website problems that I come across are predominately caching problems. That was the main reason I decided to avoid all WP caching plugins at all costs. Hate to say it, but they cause more problems than they are worth. When I did venture down the WP caching plugin nightmare road I was running into regular problems. Been over a decade since I have had to constantly worry about what destruction a WP caching plugin was causing while I was sleeping. Went to the source of the issue and built a stripped down theme since WP themes are a major problem right out of the box due to the requirements that WP imposes on themes. They are the primary reason WP sites perform so poorly and the reason that people turn to WP caching plugins to compensate for that bloat.