Contact Form Submission | 403 Forbidden Error Page

Home Forums BulletProof Security Pro Contact Form Submission | 403 Forbidden Error Page

This topic contains 4 replies, has 2 voices, and was last updated by  Living Miracles 5 months, 2 weeks ago.

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #37147

    Living Miracles
    Participant

    Hi,

    I just tried submitting the contact form on my https://acim.me website—a SiteGround-hosted website—and received the 403 Forbidden Error Page from BPS Pro. Could you help me troubleshoot this? Seems to be a new issue.

    Thank you!

    Jutta

    Edit: The above error is what I’m getting in Opera with VPN enabled. In Chrome, I get the following error in the Inspector:

    POST https://acim.me/wp-json/contact-form-7/v1/contact-forms/7886/feedback 403
    (anonymous) @ VM14:1
    send @ jquery.js:1
    ajax @ jquery.js:1
    wpcf7.submit @ scripts.js:16
    (anonymous) @ scripts.js:3
    dispatch @ jquery.js:1
    r.handle @ jquery.js:1
    
    
    		
    	
    #37148

    AITpro Admin
    Keymaster

    Are you using the POST Request Attack BPS Bonus Custom Code > https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/ ?

    Are you using the WP REST API Block JSON Requests Bonus Custom Code > https://forum.ait-pro.com/forums/topic/wp-rest-api-block-json-requests-to-users-comments-routes/ ?

    Have your tried doing the BPS Pro troubleshooting steps to isolate the problem > https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting ?

    Have you checked the BPS Pro Security Log for logged 403 errors? Post a Security Log entry related to your contact form.

    #37151

    Living Miracles
    Participant

    Hi,

    Thanks for the response.

    1. Yes, I’m using the POST Request Attack BPS Bonus Custom Code.
    2. No, I’m not using the WP REST API Block JSON Requests Bonus Custom Code.
    3. The link to the troubleshooting steps appears to be the same as to the WP REST API Block JSON Requests Bonus Custom Code page. Is it supposed to be a different link?

    Here’s a Security Log entry:

    [403 POST Request: May 1, 2019 - 4:12 pm]
    BPS Pro: 13.8
    WP: 5.1.1
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 18.234.138.124
    Host Name: ec2-18-234-138-124.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: https://acim.me
    REQUEST_URI: /contact-us/
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

    Found another log entry from a different site on the same server:

    [403 POST Request: May 1, 2019 - 10:51 am]
    BPS Pro: 13.8
    WP: 5.1.1
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 216.250.39.154
    Host Name: d216-250-39-154.allwest.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: https://awakening-mind.org/wp-admin/admin.php?page=wpcf7&post=4099&active-tab=1
    REQUEST_URI: /wp-json/contact-form-7/v1/contact-forms/4099
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

    And another one from another site on the same server:

    [403 POST Request: May 1, 2019 - 4:02 pm]
    BPS Pro: 13.8
    WP: 5.1.1
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 216.250.39.154
    Host Name: d216-250-39-154.allwest.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: https://takemehomemovie.net/contact/
    REQUEST_URI: /contact/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
    #37154

    AITpro Admin
    Keymaster

    The BPS troubleshooting link has been fixed.

    It looks like you need to add this wp-json whitelist rule and the contact-us URI whitelist rule in your POST Request Attack Protection code:

    # Whitelist JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
    # Whitelist Contact Form URI POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact-us/ [NC]
    #37160

    Living Miracles
    Participant

    Thank you so much!! That’s helped! In case anyone else runs into similar issues, here’s what I found to work:

    For sites with Contact Form 7, only this line of code is necessary:

    # Whitelist JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]

    For sites with Divi contact forms, only this line of code is necessary (with the correct request URI, of course):

    # Whitelist Contact Form URI POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact-us/ [NC]
Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.