Contact Form Submission | 403 Forbidden Error Page
- This topic has 4 replies, 2 voices, and was last updated 4 years, 11 months ago by Living Miracles.
Living Miracles (Participant)
Hi,
I just tried submitting the contact form on my https://acim.me website—a SiteGround-hosted website—and received the 403 Forbidden Error Page from BPS Pro. Could you help me troubleshoot this? Seems to be a new issue.
Thank you!
Jutta
Edit: The above error is what I’m getting in Opera with VPN enabled. In Chrome, I get the following error in the Inspector:
POST https://acim.me/wp-json/contact-form-7/v1/contact-forms/7886/feedback 403
(anonymous) @ VM14:1
send @ jquery.js:1
ajax @ jquery.js:1
wpcf7.submit @ scripts.js:16
(anonymous) @ scripts.js:3
dispatch @ jquery.js:1
r.handle @ jquery.js:1

AITpro Admin (Keymaster)
Are you using the POST Request Attack BPS Bonus Custom Code > https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/ ?
Are you using the WP REST API Block JSON Requests Bonus Custom Code > https://forum.ait-pro.com/forums/topic/wp-rest-api-block-json-requests-to-users-comments-routes/ ?
Have you tried doing the BPS Pro troubleshooting steps to isolate the problem > https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting ?
Have you checked the BPS Pro Security Log for logged 403 errors? Post a Security Log entry related to your contact form.

Living Miracles (Participant)
Hi,
Thanks for the response.
- Yes, I’m using the POST Request Attack BPS Bonus Custom Code.
- No, I’m not using the WP REST API Block JSON Requests Bonus Custom Code.
- The link to the troubleshooting steps appears to be the same as to the WP REST API Block JSON Requests Bonus Custom Code page. Is it supposed to be a different link?
Here’s a Security Log entry:
[403 POST Request: May 1, 2019 - 4:12 pm]
BPS Pro: 13.8
WP: 5.1.1
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 18.234.138.124
Host Name: ec2-18-234-138-124.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://acim.me
REQUEST_URI: /contact-us/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
Found another log entry from a different site on the same server:
[403 POST Request: May 1, 2019 - 10:51 am]
BPS Pro: 13.8
WP: 5.1.1
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 216.250.39.154
Host Name: d216-250-39-154.allwest.net
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://awakening-mind.org/wp-admin/admin.php?page=wpcf7&post=4099&active-tab=1
REQUEST_URI: /wp-json/contact-form-7/v1/contact-forms/4099
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
And another one from another site on the same server:
[403 POST Request: May 1, 2019 - 4:02 pm]
BPS Pro: 13.8
WP: 5.1.1
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.250.39.154
Host Name: d216-250-39-154.allwest.net
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://takemehomemovie.net/contact/
REQUEST_URI: /contact/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36
REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

AITpro Admin (Keymaster)
The BPS troubleshooting link has been fixed.
It looks like you need to add this wp-json whitelist rule and the contact-us URI whitelist rule in your POST Request Attack Protection code:
# Whitelist JSON POST Request
RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
# Whitelist Contact Form URI POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact-us/ [NC]

Living Miracles (Participant)
Thank you so much!! That’s helped! In case anyone else runs into similar issues, here’s what I found to work:
For sites with Contact Form 7, only this line of code is necessary:
# Whitelist JSON POST Request
RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
For sites with Divi contact forms, only this line of code is necessary (with the correct request URI, of course):
# Whitelist Contact Form URI POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact-us/ [NC]
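
Added example, not part of the original thread or of the BPS code: a short Python check that reads REQUEST_URI values from Security Log entries and reports which of the whitelist patterns posted above would exempt each one from the POST filter. The sample log is abridged from the entries in this thread; `NARROW_RULES` is a hypothetical tighter pattern, and Python's `re` with `IGNORECASE` is assumed to behave like the posted patterns under `[NC]`.

```python
import re

# Whitelist patterns as posted in the thread, minus the leading "!".
THREAD_RULES = {"wp-json": r"^.*/wp-json/(.*)", "contact-us": r"^.*/contact-us/"}
# Assumption (not from the thread): a narrower pattern limited to the Contact
# Form 7 REST routes that appear in the thread's console error and log entry.
NARROW_RULES = {"cf7-rest": r"^/wp-json/contact-form-7/v1/contact-forms/[0-9]+(/feedback)?$"}

# Constructed sample: abridged from the three Security Log entries above.
SAMPLE_LOG = """\
[403 POST Request: May 1, 2019 - 4:12 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REQUEST_URI: /contact-us/

[403 POST Request: May 1, 2019 - 10:51 am]
Event Code: WPADMIN-SBR
REQUEST_URI: /wp-json/contact-form-7/v1/contact-forms/4099

[403 POST Request: May 1, 2019 - 4:02 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REQUEST_URI: /contact/
"""

def parse_entries(text):
    """Split a log on blank lines and return one {field: value} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        entry = {"header": lines[0].strip("[]")}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def whitelisted_by(uri, rules):
    """Names of the rules whose pattern matches uri (case-insensitive, like [NC])."""
    return [name for name, pat in rules.items() if re.search(pat, uri, re.IGNORECASE)]

def coverage(text, rules):
    """Map each logged REQUEST_URI to the rules that would exempt it."""
    return {e["REQUEST_URI"]: whitelisted_by(e["REQUEST_URI"], rules)
            for e in parse_entries(text)}

if __name__ == "__main__":
    for uri, hits in coverage(SAMPLE_LOG, THREAD_RULES).items():
        print(uri, "->", ", ".join(hits) or "no whitelist rule matches")
```

The `/contact/` entry matches neither posted rule, so that site needs its own request URI in the contact form rule. The posted wp-json pattern exempts every REST route (for example `/wp-json/wp/v2/users`), while the narrower pattern exempts only the Contact Form 7 routes.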