Custom login page – unable to login – 403 error
Tagged: 403 error
- This topic has 3 replies, 2 voices, and was last updated 5 years, 11 months ago by
AITpro Admin.
Bea
Participant
Hi – have an issue with a 403 I cannot quite clear –
New install single domain single site.
BPS – when users attempt to login cannot with a 403
Troubleshooting – Only when Root is deactivated can they login as expected.
There is no custom code entered as yet (new site) with the exception of what appears to have been automatically placed
11. CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE:
12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS:
Log :
```
[403 GET Request: July 11, 2017 3:03 am]
BPS: 2.2
WP: 4.7.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 58.108.174.177
Host Name: static-58-108-174-177.optusnet.com.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /?login=http://site.international
QUERY_STRING: login=http://site.international
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
```
AITpro Admin
Keymaster
The custom login page Request is simulating an RFI hacking attempt. Do the steps below.
1. Edit your existing 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS htaccess code and comment out these 3 security rules below with # signs as shown below.
2. Click the Save Root Custom Code button.
3. Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
```
# RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
# RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
# RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
```
Bea
Participant
Hi again – the issue has reappeared and I wonder if you could please assist.
I have the 3 strings above commented out.
It is oddly not logging all of the attempts from eg an admin IP
```
[403 GET Request: October 28, 2017 1:46 am]
BPS: 2.8
WP: 4.8.1
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 58.108.174.177
Host Name: static-58-108-174-177.optusnet.com.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://site.org/
REQUEST_URI: /wp-login.php?action=logout&redirect_to=http%3A%2F%2Fsite.org%2F&_wpnonce=31b2e8bfb4
QUERY_STRING: action=logout&redirect_to=http%3A%2F%2Fsite.org%2F&_wpnonce=31b2e8bfb4
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
```
But has a load of others as well.
```
[403 GET Request: October 27, 2017 6:16 pm]
BPS: 2.8
WP: 4.8.1
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 66.249.79.157
Host Name: crawl-66-249-79-157.googlebot.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
```
AITpro Admin
Keymaster
Are you still using a Custom Login page? These 403 error log entries appear to be attempts to login to the standard/normal WordPress login page. You can disregard the Google Bot 403 error. I’m not sure why that is occurring since obviously the Google Bot should not be trying to login to your website. Are you using any IP address blocking custom code in BPS Custom Code for your WordPress Login page?
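To see which of the three query string rules from the first reply a logged request trips, the patterns can be run against the QUERY_STRING field of a log entry. This is an added example, not code from the thread or from BulletProof Security: the sample entries are constructed (shortened) around the query strings quoted in the posts, the names `RFI_RULES`, `parse_entry` and `blocked_by` are hypothetical, and it assumes Apache matches `%{QUERY_STRING}` as sent, without URL-decoding.

```python
import re

# The three RewriteCond patterns from the first reply, copied verbatim.
# [NC] is emulated with re.IGNORECASE; RewriteCond patterns are unanchored,
# which re.search reproduces.
RFI_RULES = {
    "rule 1": r"[a-zA-Z0-9_]=(http|https)://",
    "rule 2": r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+",
    "rule 3": r"(http|https)\:",
}

# Field labels as they appear in the log entries quoted in this thread.
FIELDS = ["REMOTE_ADDR", "Host Name", "SERVER_PROTOCOL", "HTTP_CLIENT_IP",
          "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR", "HTTP_X_CLUSTER_CLIENT_IP",
          "REQUEST_METHOD", "HTTP_REFERER", "REQUEST_URI", "QUERY_STRING",
          "HTTP_USER_AGENT"]
_NAMES = "|".join(re.escape(f) for f in FIELDS)
_FIELD_RE = re.compile(rf"({_NAMES}):[ \t]*(.*?)\s*(?=(?:{_NAMES}):|\Z)", re.S)


def parse_entry(entry):
    """Split one log entry (one field per line, or flattened) into a dict."""
    return dict(_FIELD_RE.findall(entry))


def blocked_by(entry):
    """Names of the rules whose pattern matches the entry's raw QUERY_STRING."""
    qs = parse_entry(entry).get("QUERY_STRING", "")
    return [name for name, pat in RFI_RULES.items()
            if re.search(pat, qs, re.IGNORECASE)]


# Constructed samples: shortened entries carrying query strings from the thread.
CUSTOM_LOGIN = """REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /?login=http://site.international
QUERY_STRING: login=http://site.international
HTTP_USER_AGENT: Mozilla/5.0"""
LOGOUT = ("REQUEST_METHOD: GET HTTP_REFERER: http://site.org/ "
          "REQUEST_URI: /wp-login.php?action=logout&redirect_to=http%3A%2F%2Fsite.org%2F "
          "QUERY_STRING: action=logout&redirect_to=http%3A%2F%2Fsite.org%2F "
          "HTTP_USER_AGENT: Mozilla/5.0")

if __name__ == "__main__":
    print("custom login:", blocked_by(CUSTOM_LOGIN))  # rule 1 and rule 3
    print("logout:", blocked_by(LOGOUT))              # no match
```

The July custom login request matches the first and third patterns, while the October logout request matches none of the three because the URL in `redirect_to` is percent-encoded in the raw query string.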