BulletProof Security Pro forum: MailPoet – Form 403 error, admin-ajax.php
Tagged: 403 error, admin-ajax.php, MailPoet, wysija newsletters
This topic has 7 replies, 2 voices, and was last updated 9 years ago by AITpro Admin.
armintz (Participant):
Just noticed the newsletter sign-up on my site (sidebar and footer) is now throwing a 403. I'm using the popular MailPoet plugin. Upon a brief search, I found the post below, which suggests I should create an exclude for my admin-ajax.php file: https://wordpress.org/support/topic/oops-there-is-a-problem-with-this-form-1

I've done this by going to wp admin > BPS Pro > AutoRestore > Add/Exclude Other Folders & Files tab and adding the file there. I received the green confirmation text that it was added as an exclude: /home/jd9u4yskjzx/public_html/wp-admin/admin-ajax.php has been Excluded successfully and will NOT be checked by the ARQ Cron. After clearing my cache, the site is still showing the same newsletter sign-up error. Here's a screenshot of it: https://s18.postimg.org/hwmzpw13d/wd_newsletter_sign_up.png

My question: did I add the BPS Pro exclude correctly, or is there another protocol, i.e. first deactivate Root Folder BulletProof Mode, etc.? Live site: https://wrestlerdeaths.com/

Thanks
AITpro Admin (Keymaster):

UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins' htaccess code.
The 403 error is caused by the BPS wp-admin htaccess file and not by AutoRestore, so remove/delete the exclude rule that you created in AutoRestore. To create a wp-admin htaccess file admin-ajax.php skip/bypass rule, do the steps below:

1. Add the admin-ajax.php skip/bypass rule below to this wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
2. Click the Save wp-admin Custom Code button.
3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

Note: The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip/bypass rule [S=1]. If you already have other wp-admin skip/bypass rules, then either combine them or add this skip/bypass rule separately above the other rules and change the skip #. Example: if you already have skip #'s 2 and 3, then this rule would be skip rule #4.

# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]
Other known MailPoet issue/problem and solution:
Direct Cron job blocked: http://forum.ait-pro.com/forums/topic/blocking-of-my-own-ipv6-server-address/#post-19161

armintz (Participant):

Okay, first I re-added the admin-ajax.php... Looks like I did that successfully: /home/jd9u4yskjzx/public_html/wp-admin/admin-ajax.php has been Added to /wp-content/bps-backup/autorestore/added-files successfully.
AutoRestore was turned Off as a safety precaution. You can turn AutoRestore back On now.
I then added your CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES code.
After clearing cache, unfortunately the issue persists. After more digging, it looks like mod_security may be the culprit. I'm hesitant to disable that, although I guess I could try it for testing purposes?

AITpro Admin (Keymaster):

Did you do all the wp-admin Custom Code steps? And yes, it is very possible that mod_security is also blocking the admin-ajax.php form. Contact your host and have them temporarily disable mod_security for testing.
You do not want to "Add" the file in AutoRestore; instead you want to remove/delete it.

Do these steps to remove/delete the file you added:
1. In the Remove Added Folders|Files Search text box enter: / and click the Search button.
2. At the bottom of the page you will see the admin-ajax.php file listed under: Search Results For Added Files To Remove
3. Select the Remove Radio button for that file and click the Remove button.

And do these steps to remove the exclude rule you created:
1. In the Remove Excluded Folders|Files Search text box enter: / and click the Search button.
2. At the bottom of the page you will see the admin-ajax.php file listed under: Search Results For Excluded Files To Remove From DB
3. Select the Remove Radio button for that file and click the Remove button.

armintz (Participant):

Thanks, I've removed/deleted the admin-ajax.php file with your steps above. And yes, I did all of the custom code steps from post #27000 (added custom code to the "CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES" box, saved, activated wp-admin Folder BulletProof Mode). Unfortunately, still the same issue with newsletter sign-up after clearing cache. Disabled ModSecurity in cPanel and now it works. This warning, however, scares me: "Warning: ModSecurity is disabled for one or more of your domains. Only disable ModSecurity while you troubleshoot a problem with your configuration. Without ModSecurity enabled, your domains lose the extra layer of protection that the module provides."
AITpro Admin (Keymaster):

Nothing to worry about. That warning is for people who do not have BPS or BPS Pro installed. 😉 BPS protects against all the things mod_security protects against and much, much more, so you do not need to use mod_security at all. I think mod_security is a good thing, but a major problem with mod_security is that it is all-or-nothing: you do not have the capability (do not have permission) to whitelist anything with mod_security, so unfortunately you can only turn it on or off.
armintz (Participant):

Your confidence in your plugin makes me sleep better at night! Thanks for the always excellent support. So glad that I ditched Wordfence and upgraded to BPS Pro.
AITpro Admin (Keymaster):

For the entire first year after BPS Pro was publicly released back in 2011, we worried constantly about not having every single base covered, but after 4+ years of a perfect track record (0 websites hacked that are using BPS Pro) we are pretty relaxed and confident that BPS Pro is literally "BulletProof". 😉
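The wp-admin skip rule from the admin's first reply in this thread, laid out in context as an added example. This is not BPS Pro's actual wp-admin .htaccess and not code posted by either participant: the existing [S=1] skip rule, the 403-producing filter rule, the pass-through rule and their match patterns are placeholders assumed here to show how the [S=N] count works. Only the admin-ajax.php rule itself is the one given in the thread.

```apache
# Added example: an illustrative wp-admin/.htaccess, not the file BPS Pro
# generates. mod_rewrite's S flag skips the next N RewriteRule lines when
# the rule (and its RewriteCond lines) matches. RewriteCond lines do not
# count toward N; only RewriteRule lines do.
RewriteEngine On
RewriteBase /

# Written from the "3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES" box,
# which BPS places above its own skip rule. [S=2] skips the next TWO
# RewriteRule lines: the existing [S=1] skip rule and the [F] filter rule,
# so a request for admin-ajax.php reaches the pass-through rule at the
# bottom instead of being answered with 403.
# Counting rule: one for each skip rule below this one, plus one for the
# [F] rule. If skip rules #2 and #3 already sit above [S=1], a new rule
# placed on top of them becomes [S=4].
# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]

# Existing BPS skip rule #1 (placeholder pattern, assumed for this example).
# Its own [S=1] skips only the single [F] rule directly below it.
RewriteCond %{REQUEST_URI} (some-whitelisted-file\.php) [NC]
RewriteRule . - [S=1]

# Request filter that produces the 403 (placeholder condition, assumed).
# QUERY_STRING is matched undecoded, hence the %3C/%3E alternatives.
RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC]
RewriteRule . - [F]

# Everything not forbidden above is served normally (placeholder).
RewriteRule .* - [L]
```

A quick check after activating wp-admin Folder BulletProof Mode: send a POST with no parameters to /wp-admin/admin-ajax.php (for example with `curl -s -o /dev/null -w '%{http_code}\n' -X POST https://example.com/wp-admin/admin-ajax.php`, with example.com as a placeholder). When the request reaches WordPress, admin-ajax.php itself rejects the missing action with a short "0" body and, on current versions, HTTP 400; that non-403 status shows the htaccess filter is being bypassed. A 403 that survives the skip rule is coming from another layer, which in this thread turned out to be ModSecurity.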