BPS reported as causing 405 errors in Link Checkers

  • #45827
    Terry
    Participant

    I have a site that shows a lot of broken links that generate a 405 error. I contacted the datacenter to check server configuration since some reports show that 405 errors can be caused by server configurations. However, the response below is from the datacenter stating that BPS appears to be the cause. Any suggestions?

    Please find a summary of our checks below:
    • Verified the reported URLs directly in a browser – the pages load normally without any errors.
    • Replicated the request from the server using command-line tools to simulate crawler/scanner access.
    • Observed responses such as 405/403, which occur when the request does not include typical browser headers.
    • The response page indicates the block is generated by the BulletProof Security Pro (BPS Pro) WordPress security plugin.
    • This plugin firewall is designed to block certain automated or non-standard requests, which can cause external link scanners to report 405 errors even though the page works normally for visitors.

    Based on the investigation, the behavior appears to be related to the BPS Pro security rules within WordPress rather than a server configuration issue.
    If needed, the plugin settings can be reviewed in WordPress under BulletProof Security → Security/Firewall settings to adjust how such requests are handled.
    Please let us know if you need any other help

    #45833
    AITpro Admin
    Keymaster

    Broken links typically show this Error Code: 404 Not Found, but depending on the tool you are using to check for broken links the tool itself will be blocked with a 405 error if it is making a HEAD Request. Do the steps in the link below to allow all HEAD Requests.

    405 Method Not Allowed – means the web server understands the request and the URL is correct, but it refuses to accept the specific HTTP method (like HEAD, GET, POST, PUT, or DELETE) used for the requested resource.

    HTTP 403 Forbidden error – means the server understood your request but refuses to authorize it, often due to insufficient permissions, IP blocking, or incorrect URL access.

    BPS blocks HEAD Requests since they are typically Requests made by bots. You can allow HEAD Requests by doing the steps in this forum topic > https://forum.ait-pro.com/forums/topic/allow-uptime-robot/#post-43771

    #45834
    Terry
    Participant

    I don’t want to open the site up completely for HEAD attacks if adding the suggested code would jeopardize the site. The plugin that is monitoring the links is Rank Math Link Genius. Following are the most recent logged entries in the BPS security log. Is there a way to allow only that plugin to do the HEAD request? Or what do you recommend? Thank you

    [405 HEAD Request: March 10, 2026 - 2:49 pm]
    BPS Pro: 17.5
    WP: 6.9.2
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 54.184.226.94
    Host Name: ec2-54-184-226-94.us-west-2.compute.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: http://naturalhormonereplacementclinicsofcolorado.com
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Go-http-client/1.1
    
    [405 HEAD Request: March 10, 2026 - 2:39 pm]
    BPS Pro: 17.5
    WP: 6.9.2
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 35.162.140.124
    Host Name: ec2-35-162-140-124.us-west-2.compute.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: http://naturalhormonereplacementclinicsofcolorado.com
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Go-http-client/1.1
    [Internal Usage: ARQ FailSafe Function: ARQ FS File Copy: Successful | March 10, 2026 - 2:41 pm]
    [Internal Usage: AFS Cron: ARQ FS File Exists: ARQ Cron was not turned On | March 10, 2026 - 2:41 pm]
    [Internal Usage: AFS Cron: ARQ FS File Exists: ARQ Cron was not turned On | March 10, 2026 - 2:43 pm]
    
    [405 HEAD Request: March 10, 2026 - 1:43 pm]
    BPS Pro: 17.5
    WP: 6.9.2
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 3.214.136.95
    Host Name: ec2-3-214-136-95.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER:
    REQUEST_URI: /acupuncture-assessment/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 AppleWebKit/605.1.15 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/605.1.15
    
    [405 HEAD Request: March 10, 2026 - 1:06 pm]
    BPS Pro: 17.5
    WP: 6.9.2
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 35.224.218.65
    Host Name: 65.218.224.35.bc.googleusercontent.com
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: http://naturalhormonereplacementclinicsofcolorado.com/
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0

    #45835
    Terry
    Participant

    Or is there something I am doing that is causing these HEAD requests, since all I am doing is adding links to other pages on the site in the content?

    #45836
    AITpro Admin
    Keymaster

    Blocking HEAD Requests is a nuisance “filter” to block Bots, not a security measure. These days it is completely unnecessary to block HEAD Requests. Years ago, pre-PHP 7.4, it made a difference with website performance. If you are running at least PHP 7.4 then blocking HEAD Requests is no longer necessary. I assume Rank Math Link Genius is using the generic go-http-client/1.1 or no user agent and go-http-client/1.1 is being populated in the User Agent Header field automatically.

    The user agent string go-http-client/1.1 is the default user agent for programs making web requests using the standard Go (Golang) net/http package when no custom user agent is specified.
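
A triage helper for the Security Log layout quoted in this thread, added here as an example (not code from BPS Pro or from either poster): it parses the bracketed entries and groups blocked HEAD requests by User-Agent, so you can see which clients are behind the 405s. The function names and the sample addresses are assumptions; only the field names and the `BFHS-HEAD` event code come from the log shown above.

```python
import re
from collections import defaultdict
# Constructed sample in the thread's log layout; addresses are documentation-range placeholders.
SAMPLE_LOG = """\
[405 HEAD Request: March 10, 2026 - 2:49 pm]
Event Code: BFHS-HEAD - HEAD Request Blocked
REMOTE_ADDR: 192.0.2.10
REQUEST_URI: /
HTTP_USER_AGENT: Go-http-client/1.1

[405 HEAD Request: March 10, 2026 - 2:39 pm]
Event Code: BFHS-HEAD - HEAD Request Blocked
REMOTE_ADDR: 192.0.2.11
REQUEST_URI: /
HTTP_USER_AGENT: Go-http-client/1.1
[Internal Usage: AFS Cron: ARQ FS File Exists: ARQ Cron was not turned On | March 10, 2026 - 2:41 pm]

[405 HEAD Request: March 10, 2026 - 1:43 pm]
Event Code: BFHS-HEAD - HEAD Request Blocked
REMOTE_ADDR: 198.51.100.7
REQUEST_URI: /sample-page/
HTTP_USER_AGENT: Mozilla/5.0 (constructed sample browser UA)
"""

HEADER = re.compile(r"^\[(\d{3}) (.+?): (.+)\]$")  # e.g. [405 HEAD Request: <time>]

def parse_entries(text):
    # Split the log into one dict per bracketed request entry.
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = {"status": m.group(1), "type": m.group(2), "time": m.group(3)}
            entries.append(current)
        elif line.startswith("["):
            current = None  # "[Internal Usage: ...]" lines are not request entries
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def head_blocks_by_agent(entries):
    # Group BFHS-HEAD events by User-Agent: hit count, source addresses, URIs.
    summary = defaultdict(lambda: {"count": 0, "addrs": set(), "uris": set()})
    for e in (e for e in entries if e.get("Event Code", "").startswith("BFHS-HEAD")):
        s = summary[e.get("HTTP_USER_AGENT", "")]
        s["count"] += 1
        s["addrs"].add(e.get("REMOTE_ADDR", ""))
        s["uris"].add(e.get("REQUEST_URI", ""))
    return dict(summary)
```

Call `head_blocks_by_agent(parse_entries(log_text))` on the exported log text to get one summary row per User-Agent.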

    #45847
    Terry
    Participant

    OK, thank you. I will go back and apply the code from the post you recommended previously to stop blocking HEAD requests.

    Have a Great day

    Terry
