Content Egg – Findall search feature 403 error

    #33266
    Andrew
    Participant

    Hi

    (Sorry, I have submitted this previously, but I neglected to add a Topic Title and, thus, the original post is not showing up)

    On one of my sites, BPS Pro is inhibiting a Youtube parser in a plugin.

    I have followed the troubleshooting steps (1) and (2). Upon deactivating Root Folder BulletProof Mode (RBM) and wp-admin Folder BulletProof Mode (WBM), the Youtube parser works fine. According to the instructions on the Troubleshooting page, I’m to delete any custom code. However, I don’t have any custom code; it’s just the default settings.

    Can you please advise how to correct this? I’m happy to provide admin to the site if necessary.

    Please advise.

    Regards,
    Andrew

    #33269
    AITpro Admin
    Keymaster

    Sounds like an htaccess whitelist rule needs to be created for whichever plugin is calling/using the YouTube parser.  What is the name of the plugin that is calling/using the YouTube parser?  Go to your BPS Security Log page and copy and paste the Security Log entry in your reply that shows what is being blocked in whichever plugin this is.

    #33274
    AITpro Admin
    Keymaster

    I checked your website pages’ source code and I see that you have a plugin installed called: Clever YouTube Plugin. Is this the plugin with the YouTube parser that is being blocked by BPS root or wp-admin htaccess code?

    #33275
    Andrew
    Participant

    Thank you so much for checking and apologies for not replying earlier. Unfortunately, that’s not the site that’s playing up. This is a brand new site that I’m building which is in its infancy.

    The plugin is called Content Egg and on this site -> http://www.starsandcelebs.world/

    There’s quite a few parsers that come with this plugin. For the Youtube parser, I’m getting the following error:

    Error:403 Forbidden
    <h1>Forbidden</h1>
    You don't have permission to access /wp-admin/admin-ajax.php on this server.
    
    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

    I’m getting the same error with a Pixabay parser in the Content Egg plugin.

    Please advise. Thank you for your awesome support!

    Regards,
    Andrew

    #33276
    AITpro Admin
    Keymaster

    Is this the free version of the Content Egg plugin here: https://wordpress.org/plugins/content-egg/ or the Pro version? Also I need to see any BPS Security Log entries that show what is being blocked in this plugin. The 403 error that you posted above is a standard/generic host 403 error and not the BPS 403 error template page. So if you still have BPS root and wp-admin BulletProof Modes deactivated and you are seeing that standard/generic host 403 error then something on your host server is also blocking something in the Content Egg plugin, which is pretty common. I.e. a plugin is doing something that looks shady and BPS blocks whatever that is and your host server also blocks whatever that is using Mod Security or some other security measure on your host server.

    Also it looks like there is a problem with the BPS Pro Plugin Firewall on this site. When I check the frontend of the site with Google Chrome Developer Tools I see blocked frontloading plugin scripts. Go ahead and send me a WordPress Admin login to this site to: info at ait-pro dot com. Also send me detailed information on how to check/test the YouTube Parser on your site.

    #33279
    Andrew
    Participant

    Thank you for that. The site is on a small VPS. I’m using Content Egg Pro. I will send you details of the site and how to test shortly. 🙂

    #33280
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    The original problem is fixed and additional things were fixed and additional host server problems were found.  See details below:

    Troubleshooting, fixes, other
    #############################

    WooCommerce Custom Code fix added: https://forum.ait-pro.com/forums/topic/woocommerce-read-me-first/

    Visual Composer Custom Code fix added: https://forum.ait-pro.com/forums/topic/visual-composer-blocked-by-bps-pro/

    BPS Speed Boost Cache code added to Custom Code: https://forum.ait-pro.com/forums/topic/htaccess-caching-code-speed-boost-cache-code/

    Language files restored from Quarantine and created an AutoRestore /languages/ folder exclude rule in AutoRestore.

    Turned on Plugin Firewall Test Mode and checked all website pages. Something on your host server is breaking the BPS Pro Plugin Firewall and BPS Security Logging. I assume that is either Mod Security or some other security measure on your server. So if you have cPanel installed then recently cPanel added a new Mod Security feature that breaks BPS Pro and lots and lots of other things – disable the nightmare Mod Security feature in cPanel. If that is not the cause of the problem then you will need to contact your web host support folks and ask them what is breaking BPS Security Logging and the BPS Plugin Firewall. This is the second case that I have seen like this recently. So I assume these problems are being caused by cPanel Mod Security. For now I have deactivated the BPS Plugin Firewall feature since something on your host server is breaking it, which then breaks your website.

    Note: since BPS Security logging is also being broken by something on your server then until that problem is fixed you cannot use the BPS Pro Plugin Firewall. The Plugin Firewall uses BPS Security Log entries in order to create Plugin Firewall AutoPilot Mode whitelist rules for the Plugin Firewall.

    Content Egg Pro 403 error/problem:
    ##################################
    Cause: admin-ajax.php file is being blocked by the BPS wp-admin htaccess file when using the Content Egg Findall search feature.

    403 error: GET http://www.starsandcelebs.world/wp-admin/admin-ajax.php?_contentegg_nonce=e21c69318b&action=content-egg-module-api&module=Pixabay&query=%7B%22image_size%22:%22_640%22,%22image_type%22:%22all%22,%22orientation%22:%22all%22,%22category%22:%22%22,%22order%22:%22popular%22,%22keyword%22:%22jennifer+garner%22%7D

    Solution: created an admin-ajax.php skip/bypass rule in BPS wp-admin Custom Code (see below).
    Additionally “order” is used in the Content Egg Query String, which is triggering the wp-admin htaccess file SQL Injection security rule. Copied wp-admin BPS Query String code to wp-admin Custom Code and commented out the SQL Injection security rule (see below).

    Note: since something on your host server is breaking BPS Security Logging I had to use Google Chrome Developer Tools to get the 403 error above.

    Note:  BPS Pro 13 and BPS free 2.0 have a new feature called Setup Wizard AutoFix, which will automatically create these fixes below.

    1. Copy the wp-admin htaccess code below into this BPS wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the save wp-admin Custom Code button.
    3. Go to the Security Modes page and click the wp-admin folder BulletProof Mode Activate button.

    Note: The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1]. If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #. Example: If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]

    1. Copy the modified wp-admin htaccess code below to this BPS wp-admin Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and click the wp-admin BulletProof Mode Activate button.

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    #RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
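    To see concretely why the Content Egg request trips the wp-admin query string filter, and what the edited filter still catches, here is an added example (not BPS or Content Egg code) that replays the QUERY_STRING conditions from the BPSQSE block above against the exact admin-ajax.php query string from the DevTools 403. It assumes what Apache does with these rules: each RewriteCond pattern is matched against the raw, still-percent-encoded QUERY_STRING, the conditions are ORed, and one hit reaches the RewriteRule ... [F] (403). Python’s re is used in place of PCRE, which is close enough for these patterns; the rule labels are invented here, and only the QUERY_STRING lines are modelled (not the USER_AGENT, REFERER or THE_REQUEST ones).

```python
"""Replay the wp-admin BPSQSE QUERY_STRING conditions against the 403'd request.

Added example, not BPS or Content Egg code. Apache applies these RewriteCond
patterns (PCRE) to the raw, still-percent-encoded QUERY_STRING, ORed together,
and a single hit reaches the RewriteRule ... [F] that returns the 403.
[NC] becomes re.IGNORECASE; a condition without [NC] stays case-sensitive.
Rule labels are invented here; only the QUERY_STRING lines are modelled.
"""
import re

# (label, pattern copied from the BPSQSE block above, case-insensitive?)
QUERY_STRING_RULES = [
    ("remote-url-in-param", r"[a-zA-Z0-9_]=(http|https)://", True),
    ("traversal-param", r"[a-zA-Z0-9_]=(\.\.//?)+", True),
    ("dir-traversal",
     r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", True),
    ("scheme-in-query", r"(http|https)\:", True),
    ("script-tag", r"(\<|%3C).*script.*(\>|%3E)", True),
    ("iframe-tag", r"(\<|%3C).*iframe.*(\>|%3E)", True),
    ("base64-call", r"base64_(en|de)code[^(]*\([^)]*\)", True),
    ("globals", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    ("parens-or-angles", r"^.*(\(|\)|<|>).*", True),
    ("mysql-file-funcs", r"(NULL|OUTFILE|LOAD_FILE)", False),
    ("dotslash-etc", r"(\.{1,}/)+(motd|etc|bin)", True),
    ("loopback", r"(localhost|loopback|127\.0\.0\.1)", True),
    ("raw-quote-or-ctrl", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", True),
    ("concat-call", r"concat[^\(]*\(", True),
    ("union-select", r"union([^s]*s)+elect", True),
    # The rule the admin commented out: a quote-like token anywhere before a
    # SQL-ish keyword. "order" is in the keyword list, and the encoded JSON
    # in the Content Egg query supplies the %22 in front of it.
    ("sql-keyword-after-quote",
     r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
     r"(/\*|union|select|insert|drop|delete|update|cast|create|char|convert"
     r"|alter|declare|order|script|set|md5|benchmark|encode)", True),
    ("sp_executesql", r"(sp_executesql)", True),
]

# What the admin did in wp-admin Custom Code: the same block minus that one rule.
WITHOUT_SQL_KEYWORD_RULE = [
    r for r in QUERY_STRING_RULES if r[0] != "sql-keyword-after-quote"
]


def matching_rules(query_string, rules=QUERY_STRING_RULES):
    """Labels of every condition that fires on a raw QUERY_STRING, in rule order."""
    return [
        label for label, pattern, nocase in rules
        if re.search(pattern, query_string, re.IGNORECASE if nocase else 0)
    ]


def would_block(query_string, rules=QUERY_STRING_RULES):
    """True if Apache would reach the [F] rule, i.e. answer 403."""
    return bool(matching_rules(query_string, rules))


# Exact query string from the DevTools 403 in the post above (admin-ajax.php).
CONTENT_EGG_QS = (
    "_contentegg_nonce=e21c69318b&action=content-egg-module-api&module=Pixabay"
    "&query=%7B%22image_size%22:%22_640%22,%22image_type%22:%22all%22,"
    "%22orientation%22:%22all%22,%22category%22:%22%22,%22order%22:%22popular%22,"
    "%22keyword%22:%22jennifer+garner%22%7D"
)

# Constructed attack-style query strings, to see what the edited block still stops.
UNION_SELECT_QS = "id=1'%20union%20select%20user,pass%20from%20users"
TRAVERSAL_QS = "file=../../../../etc/passwd"

if __name__ == "__main__":
    for label, qs in (("Content Egg", CONTENT_EGG_QS),
                      ("union select", UNION_SELECT_QS),
                      ("traversal", TRAVERSAL_QS)):
        print(f"{label:13s} stock : {matching_rules(qs) or 'pass'}")
        print(f"{label:13s} edited: {matching_rules(qs, WITHOUT_SQL_KEYWORD_RULE) or 'pass'}")
```

    Run as-is, the Content Egg query string trips only the commented-out rule, so the edited block lets it through, while the constructed union/select and traversal strings are still caught by the other conditions (raw quote, union-select, the three traversal patterns). Two caveats when reproducing this yourself: the filter sees the percent-encoded string, so decode nothing before reasoning about a match; and the same BPSQSE block has a HTTP_USER_AGENT condition listing curl, wget and python, so a command-line test with a default User-Agent will get a 403 from that rule before the query string is ever looked at. Test from a browser, as the admin did with DevTools.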

    #33283
    Andrew
    Participant

    Oh, my god, this is the most complete response to a support question I’ve received so far from anyone. Thank you so much for your amazing support!

    As suggested, I have disabled Mod Security on the server.

    I’m not a developer. But I so love the idea of using htaccess. It’s such a neat way of stopping someone at your front door unlike other security plugins that you have get out of your house as the front door is wide open.

    Looking forward to BPS13 and beyond!
