MailPoet – Form 403 error, admin-ajax.php


  • #26997
    armintz
    Participant

    Just noticed the newsletter sign up on my site (sidebar and footer) is now throwing a 403. I’m using the popular Mailpoet plugin. Upon a brief search, I found this post below which suggests I should create an exclude for my admin-ajax.php file: https://wordpress.org/support/topic/oops-there-is-a-problem-with-this-form-1

    I’ve done this by going to wp admin > bps pro > autorestore > add/exclude other folders & files tab > and adding the file here. I received the green confirmation text that it was added as an exclude: /home/jd9u4yskjzx/public_html/wp-admin/admin-ajax.php has been Excluded successfully and will NOT be checked by the ARQ Cron. After clearing my cache, the site is still showing the same newsletter sign up error. Here’s a screenshot of it: https://s18.postimg.org/hwmzpw13d/wd_newsletter_sign_up.png. My question: did I add the bps pro exclude correctly, or is there another protocol, i.e. first deactivate root folder bulletproof mode, etc, etc. Live site: https://wrestlerdeaths.com/

    mailpoet sign up form 403 error

    thanks

    #27000
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    The 403 error is caused by the BPS wp-admin htaccess file and not AutoRestore.  So remove/delete the exclude rule that you created in AutoRestore.  To create a wp-admin htaccess file admin-ajax.php skip/bypass rule do the steps below:

    1. Add the admin-ajax.php skip/bypass rule below to this wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]

    Other Known MailPoet issue/problem and solution:
    Direct Cron job blocked:  http://forum.ait-pro.com/forums/topic/blocking-of-my-own-ipv6-server-address/#post-19161
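    Added example (not code from the forum or from the BPS plugin): a small mod_rewrite skip-flag simulator that shows why the admin-ajax.php rule above needs [S=2] rather than [S=1] when it sits above an existing [S=1] skip rule. The .htaccess fragment inside it is constructed for illustration; the hypothetical plugin skip rule and the blocking rule stand in for whatever BPS actually writes to wp-admin/.htaccess, which this thread does not show.

```python
import re

# Constructed wp-admin .htaccess fragment modelled on the layout the post describes:
# the admin-ajax.php skip rule is written above an existing [S=1] skip rule, which
# itself sits above one blocking rule, so it has to skip 2 rules to clear the block.
HTACCESS = r"""
RewriteEngine On
# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]
# hypothetical pre-existing plugin skip rule
RewriteCond %{REQUEST_URI} (some-plugin\.php) [NC]
RewriteRule . - [S=1]
# hypothetical blocking rule that the skips are meant to jump over
RewriteCond %{REQUEST_URI} ^/wp-admin/.*\.php$ [NC]
RewriteRule . - [F]
"""
# The same fragment with the common mistake of copying [S=1] instead of [S=2].
HTACCESS_WRONG = HTACCESS.replace("[S=2]", "[S=1]")

def parse_rules(text):
    """Return a list of rules; each RewriteCond attaches to the next RewriteRule."""
    rules, conds = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"RewriteCond\s+%\{REQUEST_URI\}\s+(\S+)(?:\s+\[(.*)\])?", line)
        if m:
            conds.append((m.group(1), "NC" in (m.group(2) or "")))
            continue
        m = re.match(r"RewriteRule\s+(\S+)\s+\S+(?:\s+\[(.*)\])?", line)
        if m:
            flags = [f.strip() for f in (m.group(2) or "").split(",") if f.strip()]
            rules.append({"conds": conds, "flags": flags})
            conds = []
    return rules

def evaluate(rules, uri):
    """Walk the rules like mod_rewrite: [S=n] jumps over the next n rules, [F] is a 403.
    The rule pattern itself is assumed to match (the page's rules use '.')."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if not all(re.search(p, uri, re.I if nc else 0) for p, nc in rule["conds"]):
            continue
        for flag in rule["flags"]:
            if flag == "F":
                return 403
            if flag.startswith("S="):
                i += int(flag[2:])
    return 200

def status(text, uri):
    return evaluate(parse_rules(text), uri)
```

The same walk shows the renumbering rule in the note: each new skip rule placed at the top must skip every rule beneath it up to and including the blocking rule.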

    #27008
    armintz
    Participant

    Okay first I re-added the admin-ajax.php… looks like I did that successfully: /home/jd9u4yskjzx/public_html/wp-admin/admin-ajax.php has been Added to /wp-content/bps-backup/autorestore/added-files successfully.
    AutoRestore was turned Off as a safety precaution. You can turn AutoRestore back On now.
    I then added your CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES code.
    After clearing cache, unfortunately the issue persists. After more digging, it looks like mod_security may be the culprit. I’m hesitant to disable that although I guess I could try it for testing purposes?

    #27009
    AITpro Admin
    Keymaster

    Did you do all the wp-admin Custom Code steps?  And yes it is very possible that mod_security is also blocking the admin-ajax.php form.  Contact your Host and have them temporarily disable mod_security for testing.

    You do not want to “Add” the file in AutoRestore and instead want to remove/delete it.  Do these steps to remove/delete the file you added and do these steps to remove the exclude rule you created.

    1. In the Remove Added Folders|Files Search text box enter:  / and click the Search button.
    2. At the bottom of the page you will see the admin-ajax.php file listed under:  Search Results For Added Files To Remove
    3. Select the Remove Radio button for that file and click the Remove button.

    1. In the Remove Excluded Folders|Files Search text box enter:  / and click the Search button.
    2. At the bottom of the page you will see the admin-ajax.php file listed under: Search Results For Excluded Files To Remove From DB
    3. Select the Remove Radio button for that file and click the Remove button.

    #27012
    armintz
    Participant

    Thanks, I’ve removed/deleted the admin-ajax.php file with your steps above. And yes, I did all of the custom code steps from post #27000 (added custom code to “CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES” box, saved, activated wp-admin Folder BulletProof Mode.) Unfortunately still the same issue with newsletter sign up after clearing cache. Disabled ModSecurity in cPanel and now it works. This warning, however, scares me: Warning: ModSecurity is disabled for one or more of your domains. Only disable ModSecurity while you troubleshoot a problem with your configuration. Without ModSecurity enabled, your domains lose the extra layer of protection that the module provides.

    #27016
    AITpro Admin
    Keymaster

    Nothing to worry about.  That warning is for people who do not have BPS or BPS Pro installed. 😉  BPS protects against all the things mod_security protects against and much, much more.  So you do not need to use mod_security at all.  I think mod_security is a good thing, but a major problem with mod_security is it is all or nothing – you do not have the capability (do not have permission) to whitelist anything with mod_security so unfortunately you can only turn it on or off.

    #27018
    armintz
    Participant

    your confidence in your plugin makes me sleep better at night!

    Thanks for the always excellent support. So glad that I ditched Wordfence and upgraded to BPS Pro.

    #27020
    AITpro Admin
    Keymaster

    For the entire first year that BPS Pro was publicly released back in 2011, we worried constantly about not having every single base covered, but after 4+ years of a perfect track record (0 websites hacked that are using BPS Pro) we are pretty relaxed and confident that BPS Pro is literally “BulletProof”. 😉
