WordPress for Android Mobile App – unable to access website

Home Forums BulletProof Security Free WordPress for Android Mobile App – unable to access website

This topic contains 17 replies, has 3 voices, and was last updated by  AITpro Admin 1 year, 2 months ago.

Viewing 15 posts - 1 through 15 (of 18 total)
  • Author
    Posts
  • #29480

    Christian Fetsch
    Participant

    I’ve been searching for an answer to this issue for a long time and can’t find any mentions of this anywhere.  I’m trying to access my sites using my WordPress for Android app, but am unable to do so, unless I turn off BPS.  I figure there should be a way to whitelist this phone/tablet app’s access to my website/admin, but after looking in the forums for a long time, I’m unable to find how to do it. How do I configure BPS to allow me to do this?  Thanks in advance for any help you can give!

    No Security codes show up, so is this some WordPress.com to my sites linking issue, or do I need to whitelist WordPress.com in some way?  Or, possibly a Jetpack issue?

    #29487

    AITpro Admin
    Keymaster

    Solution: http://forum.ait-pro.com/forums/topic/cant-postaccess-pages-using-android-wordpress-app/#post-29683

    Is this the WordPress for Android Mobile App you are using:  https://apps.wordpress.com/mobile/
    Is your website hosted on your own website hosting? Is your website hosted on WordPress.com?
    If BPS is blocking something in Jetpack then have you added the XML-RPC Bonus Custom Code here: http://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/ If you are using that XML-RPC Bonus Custom Code are you using the code that is specifically intended for Jetpack plugin users?

    http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting
    Do BPS troubleshooting step #1 and let me know if you can access your site.
    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button.

    #29634

    Christian Fetsch
    Participant

    Hi thanks for your reply!
    I am using the WordPress for Android app you listed. I use Bluehost – the main domain is http://www.naturalhealthandfertility.com and I also have a subdomain- kingfieldca.com. I was not using the specific XML-RPC code, I changed it to Jetpack version, but it didn’t work. I then tried the step 2 you outlined above, and lost access to my website and had to have bluehost reset it after getting multiple error 500 messages. Since reestablishing acces,I deleted the jetpack xml-rpc code to see if the simple POST request attack code was conflicting with the specialized Jetpack xml-rpc code, but it still doesn’t work. I am going to try re-adding the specialized Jetpack POST request code again to see if there’s any change- here’s the custom code added to the custom code bottom hotlinking etc custom code area:

    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Redirects to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    # Block/Forbid Referer Spammers/Referer Phishing
    RewriteCond %{HTTP_REFERER} ^.*(ranksonic\.|semalt\.|kambasoft\.|buttons-for-website\.|buttons-for-your-website\.com|4webmasters\.org|social-buttons\.com|best-seo-offer\.com|best-seo-solution\.com).*$ [NC]
    RewriteRule ^(.*)$ - [F]
    
    # Jetpack XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
    # inbetween the first and second lines of code below. Then replace the x's with the
    # actual IP address you want to whitelist.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    # Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ - [F]
    
    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    RewriteRule ^(.*)$ - [F]
    #29639

    AITpro Admin
    Keymaster

    Solution: http://forum.ait-pro.com/forums/topic/cant-postaccess-pages-using-android-wordpress-app/#post-29683

    Do these steps and let me know if the WordPress for Android Mobile App works or not.

    1. Use FTP or your web host control panel file manager and delete the root htaccess file (in the same folder as your wp-config.php file) and the wp-admin htaccess file.
    2. Deactivate the BPS plugin on the WordPress Plugins page.
    3. Test the WordPress for Android Mobile App and see if you can now access your website.

    #29673

    Christian Fetsch
    Participant

    OK, if I do that, I do get access

    #29674

    AITpro Admin
    Keymaster

    Solution: http://forum.ait-pro.com/forums/topic/cant-postaccess-pages-using-android-wordpress-app/#post-29683

    Ok now let’s isolate which exact BPS feature is causing the block.  Activate the BPS plugin again, but do NOT activate Root or wp-admin BulletProof Modes.  Can you still access the site at this point or is access blocked again?  If you can access the site at this point then activate Root Folder BulletProof Mode.  Can you still access the site at this point or is access blocked again?

    #29676

    Christian Fetsch
    Participant

    OK, there is access with just the plugin itself activated.  No go with root folder activated.  I tried accessing my subsite, and the WordPress app’s log shows xml-rpc is indeed being locked out for the app

    #29680

    AITpro Admin
    Keymaster

    Solution: http://forum.ait-pro.com/forums/topic/cant-postaccess-pages-using-android-wordpress-app/#post-29683

    Ok now do these steps and let me if you can access the site or not.

    1. Go to BPS Custom Code and click the Delete button to delete all custom htaccess code that is currently in BPS Custom Code.
    2. Add this code below in this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    3. Click the Save Root Custom Code button.
    4. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    #29682

    Christian Fetsch
    Participant

    OK, added the code – I do have access after doing the above steps

    #29683

    AITpro Admin
    Keymaster

    Confirmed Working Solution
    Ok I am pretty sure that the particular lines of Query String Exploits code that are causing the WP Android App block is going to be the User Agent String security filters.  I have modified the BPS Query String Exploits code below and commented out the User Agent String security filters.  Do the steps below and let me know what happens.

    1. Add this code below in this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS and overwrite the other code that I previously had you add to this Custom Code text box.
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    #RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    #RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    #RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    #29687

    Christian Fetsch
    Participant

    After replacing the code, I do have access via the Android app. FYI- this error has shown up since reactivating the secure.htaccess root file: Broken Link Checker plugin HEAD Request Method filter problem detected.

    #29689

    AITpro Admin
    Keymaster

    Great!  That means that my logical guess was correct that the User Agent being sent by the WP Android App is being blocked.  The BPS Query String User Agent security filters are not really security filters and are more “nuisance” filters to block scrapers and other bots that scan or scrape your site content.  So you really do not need them as they are not considered that important to use.

    The Broken Link Checker Dismiss Notice is now being displayed because I had you delete all of your previous Custom Code.  Click the link in the BLC Dismiss Notice to get the solution and add it back to BPS Custom Code.

    #29690

    Christian Fetsch
    Participant

    OK, great thanks! I will check back if I have other questions, or if other issues arise while reinstating other Custom Codes…any codes I should be wary of or NOT reinstate?

    I really appreciate your help, especially on Memorial Day weekend! I usually only have time to address website issues when I’m “on vacation”, so I appreciate your help, and quite frankly was surprised that you were helping me! Very best wishes to you!

    #29691

    AITpro Admin
    Keymaster

    The general rule of thumb if you want to add any additional Bonus Custom Code is this:  After you add any particular Bonus Custom Code you want to check your BPS Security Log for 2-3 days to make sure that the Bonus Custom Code is not blocking anything legitimate.  If something legitimate is being blocked by Bonus Custom Code then you will normally (99% of the time) see a Security Log entry that shows what is being blocked.  You can either search this forum for a solution or post the Security Log entry so we can provide a solution for whatever is being blocked.

    Very welcome and have a nice rest of your “vacation” (vacation to us means a decrease in the normal workload).  Since you mentioned you have a young child then “vacation” to you means 8 hours of sleep.  LOL 🙂

    #32803

    Mohamad Hegazy
    Participant

    hello @AITpro Admin ,

    I bought BPS Pro and i’m really happy with it thanks for the effort and super product,

    i used jetpack plugin and i use wordpress for android and they were blocked so i

    implement those custom codes

    jetpack monitor worked but i cannot login via android application “i can login from wordpress application on iphone” so the codes are working some how on IOS but not Android
    i had to allow my 2 ip address but the problem is i dont have fixed ip so they keep changing.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    ...
    ...
    ...
    # END BPSQSE BPS QUERY STRING EXPLOITS
    # Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
    # inbetween the first and second lines of code below. Then replace the x's with the
    # actual IP address you want to whitelist.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    # Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteCond %{REMOTE_ADDR} ^(31\.218\.\.)
    RewriteCond %{REMOTE_ADDR} ^(92\.96\.\.)
    RewriteRule ^(.*)$ - [F]
    

    here’s the error log

    [403 POST Request: 25  2017 - 10:16 ]
    BPS Pro: 12.8
    WP: 4.7.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 92.96.87.14
    Host Name: 92.96.87.14
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: 
    REQUEST_URI: /xmlrpc.php
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 7.1.1; Nexus 6P Build/N4F26T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 wp-android/6.9.1
    REQUEST BODY: <?xml version='1.0' ?><methodCall><methodName>wp.getPages</methodName><params><param><value><i4>125939990</i4></value></param><param><value><string>MTM-Reviews</string></value></param><param><value><string>I&3NP%3$SL</string></value></param><param><value><i4>20</i4></value></param></params></methodCall>
    

    i know its something be be add in custom codes for that particular HTTP_USER_AGENT but unfortunately i’m not a coder.

    hope you can help me, thank again for your effort,time, and this awesome security plugin.

Viewing 15 posts - 1 through 15 (of 18 total)

You must be logged in to reply to this topic.