WordPress for Android Mobile App – unable to access website

[Christian Fetsch]

I’ve been searching for an answer to this issue for a long time and can’t find any mentions of this anywhere.  I’m trying to access my sites using my WordPress for Android app, but am unable to do so, unless I turn off BPS.  I figure there should be a way to whitelist this phone/tablet app’s access to my website/admin, but after looking in the forums for a long time, I’m unable to find how to do it. How do I configure BPS to allow me to do this?  Thanks in advance for any help you can give!

No Security codes show up, so is this some WordPress.com to my sites linking issue, or do I need to whitelist WordPress.com in some way?  Or, possibly a Jetpack issue?

[AITpro Admin]

Solution: http://forum.ait-pro.com/forums/topic/cant-postaccess-pages-using-android-wordpress-app/#post-29683

Is this the WordPress for Android Mobile App you are using:  https://apps.wordpress.com/mobile/
Is your website hosted on your own website hosting? Is your website hosted on WordPress.com?
If BPS is blocking something in Jetpack then have you added the XML-RPC Bonus Custom Code here: http://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/ If you are using that XML-RPC Bonus Custom Code are you using the code that is specifically intended for Jetpack plugin users?

http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting
Do BPS troubleshooting step #1 and let me know if you can access your site.
1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button.

[Christian Fetsch]

Hi thanks for your reply!
I am using the WordPress for Android app you listed. I use Bluehost – the main domain is http://www.naturalhealthandfertility.com and I also have a subdomain- kingfieldca.com. I was not using the specific XML-RPC code, I changed it to Jetpack version, but it didn’t work. I then tried the step 2 you outlined above, and lost access to my website and had to have bluehost reset it after getting multiple error 500 messages. Since reestablishing acces,I deleted the jetpack xml-rpc code to see if the simple POST request attack code was conflicting with the specialized Jetpack xml-rpc code, but it still doesn’t work. I am going to try re-adding the specialized Jetpack POST request code again to see if there’s any change- here’s the custom code added to the custom code bottom hotlinking etc custom code area:

# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# Redirects to author=999999 that does not actually exist
# which results in a standard 404 error. To the hacker bot
# it appears that this author does not exist without giving
# any clues that the author does actually exist.

RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]
# Block/Forbid Referer Spammers/Referer Phishing
RewriteCond %{HTTP_REFERER} ^.*(ranksonic\.|semalt\.|kambasoft\.|buttons-for-website\.|buttons-for-your-website\.com|4webmasters\.org|social-buttons\.com|best-seo-offer\.com|best-seo-solution\.com).*$ [NC]
RewriteRule ^(.*)$ - [F]

# Jetpack XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]

# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Example 1: Whitelist Star Rating Calculator POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
RewriteRule ^(.*)$ - [F]

[AITpro Admin]

Solution: http://forum.ait-pro.com/forums/topic/cant-postaccess-pages-using-android-wordpress-app/#post-29683

Do these steps and let me know if the WordPress for Android Mobile App works or not.

1. Use FTP or your web host control panel file manager and delete the root htaccess file (in the same folder as your wp-config.php file) and the wp-admin htaccess file.
2. Deactivate the BPS plugin on the WordPress Plugins page.
3. Test the WordPress for Android Mobile App and see if you can now access your website.

[Christian Fetsch]

OK, if I do that, I do get access

[AITpro Admin]

Solution: http://forum.ait-pro.com/forums/topic/cant-postaccess-pages-using-android-wordpress-app/#post-29683

Ok now let’s isolate which exact BPS feature is causing the block.  Activate the BPS plugin again, but do NOT activate Root or wp-admin BulletProof Modes.  Can you still access the site at this point or is access blocked again?  If you can access the site at this point then activate Root Folder BulletProof Mode.  Can you still access the site at this point or is access blocked again?

[Christian Fetsch]

OK, there is access with just the plugin itself activated.  No go with root folder activated.  I tried accessing my subsite, and the WordPress app’s log shows xml-rpc is indeed being locked out for the app

[AITpro Admin]

Solution: http://forum.ait-pro.com/forums/topic/cant-postaccess-pages-using-android-wordpress-app/#post-29683

Ok now do these steps and let me if you can access the site or not.

1. Go to BPS Custom Code and click the Delete button to delete all custom htaccess code that is currently in BPS Custom Code.
2. Add this code below in this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
3. Click the Save Root Custom Code button.
4. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker. 
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS

[Christian Fetsch]

OK, added the code – I do have access after doing the above steps

[AITpro Admin]

Confirmed Working Solution
Ok I am pretty sure that the particular lines of Query String Exploits code that are causing the WP Android App block is going to be the User Agent String security filters.  I have modified the BPS Query String Exploits code below and commented out the User Agent String security filters.  Do the steps below and let me know what happens.

1. Add this code below in this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS and overwrite the other code that I previously had you add to this Custom Code text box.
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker. 
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
#RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS

[Christian Fetsch]

After replacing the code, I do have access via the Android app. FYI- this error has shown up since reactivating the secure.htaccess root file: Broken Link Checker plugin HEAD Request Method filter problem detected.

[AITpro Admin]

Great!  That means that my logical guess was correct that the User Agent being sent by the WP Android App is being blocked.  The BPS Query String User Agent security filters are not really security filters and are more “nuisance” filters to block scrapers and other bots that scan or scrape your site content.  So you really do not need them as they are not considered that important to use.

The Broken Link Checker Dismiss Notice is now being displayed because I had you delete all of your previous Custom Code.  Click the link in the BLC Dismiss Notice to get the solution and add it back to BPS Custom Code.

[Christian Fetsch]

OK, great thanks! I will check back if I have other questions, or if other issues arise while reinstating other Custom Codes…any codes I should be wary of or NOT reinstate?

I really appreciate your help, especially on Memorial Day weekend! I usually only have time to address website issues when I’m “on vacation”, so I appreciate your help, and quite frankly was surprised that you were helping me! Very best wishes to you!

[AITpro Admin]

The general rule of thumb if you want to add any additional Bonus Custom Code is this:  After you add any particular Bonus Custom Code you want to check your BPS Security Log for 2-3 days to make sure that the Bonus Custom Code is not blocking anything legitimate.  If something legitimate is being blocked by Bonus Custom Code then you will normally (99% of the time) see a Security Log entry that shows what is being blocked.  You can either search this forum for a solution or post the Security Log entry so we can provide a solution for whatever is being blocked.

Very welcome and have a nice rest of your “vacation” (vacation to us means a decrease in the normal workload).  Since you mentioned you have a young child then “vacation” to you means 8 hours of sleep.  LOL 🙂

[Mohamad Hegazy]

hello @AITpro Admin ,

I bought BPS Pro and i’m really happy with it thanks for the effort and super product,

i used jetpack plugin and i use wordpress for android and they were blocked so i

implement those custom codes

jetpack monitor worked but i cannot login via android application “i can login from wordpress application on iphone” so the codes are working some how on IOS but not Android
i had to allow my 2 ip address but the problem is i dont have fixed ip so they keep changing.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
...
...
...
# END BPSQSE BPS QUERY STRING EXPLOITS

# Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteCond %{REMOTE_ADDR} ^(31\.218\.\.)
RewriteCond %{REMOTE_ADDR} ^(92\.96\.\.)
RewriteRule ^(.*)$ - [F]

here’s the error log

[403 POST Request: 25  2017 - 10:16 ]
BPS Pro: 12.8
WP: 4.7.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 92.96.87.14
Host Name: 92.96.87.14
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: POST
HTTP_REFERER: 
REQUEST_URI: /xmlrpc.php
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 7.1.1; Nexus 6P Build/N4F26T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 wp-android/6.9.1
REQUEST BODY: <?xml version='1.0' ?><methodCall><methodName>wp.getPages</methodName><params><param><value><i4>125939990</i4></value></param><param><value><string>MTM-Reviews</string></value></param><param><value><string>I&3NP%3$SL</string></value></param><param><value><i4>20</i4></value></param></params></methodCall>

i know its something be be add in custom codes for that particular HTTP_USER_AGENT but unfortunately i’m not a coder.

hope you can help me, thank again for your effort,time, and this awesome security plugin.

[Author]

Posts