Easy Digital Downloads – 403 error

Home Forums BulletProof Security Pro Easy Digital Downloads – 403 error

This topic contains 8 replies, has 3 voices, and was last updated by  AITpro Admin 5 years, 4 months ago.

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • #12862

    AITpro Admin
    Keymaster

    I came across this post today that was dated September 5, 2013 so I downloaded and tested the Easy Digital Downloads plugin to see if a whitelist rule needed to be created in BPS security code for this plugin.

    https://easydigitaldownloads.com/support/topic/bullet-proof-security-plug-in/

    It would go to checkout but said “My Cart Was Empty” other times it bypassed the checkout page and went directly to processing the transaction via paypal. The thing is I don’t use paypal – I use the authorization.net plugin.

    Testing results of Easy Digital Downloads version 1.9.4 with BulletProof Security
    Add to Cart/Remove from Cart
    Checkout
    Purchase
    Download of digital product

    I would like to say that I am very impressed with the Easy Digital Downloads plugin.  It is very easy to setup and use and has tons of options and features – Very Impressive Plugin!

    All functions above worked normally in Easy Digital Downloads and there were no error messages, issues or problems and BPS did not block anything in Easy Digital Downloads.  So either the issue/problem that existed back in September 2013 is no longer occurring anymore or the issue/problem involved something else/another factor that was not tested during the Easy Digital Downloads plugin testing.

    BPS contains a Security Log that logs blocked hacking and spamming attempts and also serves as a troubleshooting tool.  If BPS is blocking something that another plugin is doing then whatever is being blocked is logged in the BPS Security Log.  A whitelist rule can then be created for that plugin based on what is being blocked.  Since BPS is a security plugin it is designed to block malicious vectors/attack strings/etc.  Certain legitimate strings/URL’s etc. in plugins that appear to be malicious URL’s/attack strings/attack vectors may be blocked and just need to be whitelisted in BPS.  This is typically the standard routine with all security based plugins/Firewalls/WAF’s/scanners/ etc.

    Plugin Conflict Misconception about BPS
    The BPS plugin is a security plugin that intentionally blocks malicious things. Some legitimate things in another plugin or theme may trigger one or more of the security rules/filters in BPS and be blocked by BPS.  Creating a whitelist rule in BPS allows that plugin or theme to do what it needs to do without being blocked by BPS.  This is pretty much industry standard when it comes to website security.  Plugin conflicts are typically caused by 2 plugins using the same WordPress hooks – actions/filters that hook into WordPress functions to perform a task in a plugin or theme.  If 2 plugins are calling the same hooks to perform the same or a similar task then there will most likely be a conflict.  Typically 1 plugin will override the other plugin or both plugins end up cancelling out each others functionality/tasks.  We see this with the Login Security feature in BPS where 2 Login Security features are being used at the same time in 2 different plugins.  This is a standard plugin conflict example where the website owner would need to choose which Login Security feature to use in 1 of the plugins and turn off Login Security in the other plugin.

    Misconceptions About a Web Host’s Responsibilties for Customers Websites
    I see from the post that there are a couple of things that were said that are a bit misleading so this is intended to clear those misconceptions up and is not intended as a “you’re wrong, I’m right” thing.  What is the most important thing is that folks have all the facts so that they make the best choices based on those facts.

    Web hosts do of course protect their Servers and the customer’s websites in general, but they do not provide individualized security measures by site type.  Implementing and supporting individualized security measures would be very costly and is not realistic.  Hosts do not create .htaccess files or php.ini files for websites or they may provide these security measures generally, but they are not custom tailored by site type.  The differences between HTML and PHP site types are night and day when it comes to website security/attack vectors/methods of attack/etc.  Example:  One of the most common attacks on PHP sites with databases is SQL Injection attacks.  HTML sites are static (not DB Based) vs PHP sites, which are dynamic (DB based).  PHP hacking attacks are different then hacking attacks made on HTML websites due to the differences in these site types.  htaccess and php.ini website security issues are more complex to troubleshoot and would increase Hosts support costs significantly so since a one size fits all solution cannot really be done for all site types and is not really effective doing this generally then I imagine most Hosts decide against implementing this on their Servers for a lot of very smart reasons and not just the support cost factor.

    It is up to each individual website owner to implement their own individualized/customized website security measures for their particular website type and not the Host’s responsibility to implement this.  It is also the website owners responsibility when it comes to what they add or install on their particular website.  If a website owners installs something that has a security vulnerability that causes the site to get hacked then this would not be the Host’s fault or responsibility.  It is unrealistic to believe that a web host would implement and support individualized/customized website security measures for all of the many different types of customer website that they host on their Servers.  Hopefully this info clears up some of the misconceptions about what a Host is reponsible for when it comes to providing website security for customers websites.

    Misconception about removing website security as being a solution
    If for some reason a whitelist rule cannot be created in BPS to allow another plugin to do what it needs to do (that would be a first since that has never happened before) then use/install an alternative website security plugin or use other website security measures or just use a disaster recovery plan without any website security – do regular backups of the website so if/when the site gets hacked you can quickly and easily restore it from a good backup.

    #15468

    Mark
    Participant

    How do I allow downloads from the Easy Digital Downloads folder?

    [403 GET / HEAD Request: June 8, 2014 - 11:47 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 97.90
    Host Name: 97-
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/edd/FileName.pdf
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.76.4 (KHTML, like Gecko) Version/7.0.4 Safari/537.76.4
    #15469

    AITpro Admin
    Keymaster

    The Uploads Anti-Exploit Guard (UAEG) .htaccess file does not block pdf files by default so my assumption is that there are other files that are in the /edd folder that are file extension types that are blocked by UAEG – php, js, etc. that are doing something to process the pdf download.  To confirm something like that is occurring do troubleshooting step #4.

    http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
    4. On the Security Modes page, click the UAEG BulletProof Mode Deactivate button.

    If the pdf download works correctly then the easiest/quickest solution is to add a RewriteEngine Off .htaccess file in the /edd folder.
    http://forum.ait-pro.com/forums/topic/rewriteengine-off-htaccess-file/

    #15470

    Mark
    Participant

    Sorry to complicate the issue. Yes, in this case the download is a .zip file.

    #15471

    AITpro Admin
    Keymaster

    The Uploads Anti-Exploit Guard (UAEG) .htaccess file does not block zip files by default.  Same troubleshooting steps apply.  Let me know the results after doing the troubleshooting step above.

    #15518

    Mark
    Participant

    Just an FYI, apparently the issue I was having had to do with multiple price settings for a single item and nothing to do with BPS Pro but still unsure why I was getting the 403.

    #15519

    AITpro Admin
    Keymaster

    BPS Security Logging logs all 403 HTTP Status code events whether or not they are related to or caused by BPS.  Unfortunately, the Security Log entry does not show exactly which plugin script/file name is the real source of the 403 error.  Tricky one to figure out.

    What usually works in these cases if BPS is blocking something in a plugin is to create a Plugin skip/bypass rule for that plugin’s folder.
    Example:

    # Some Example Plugin skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/example-plugin-folder-name/ [NC]
    RewriteRule . - [S=13]
    #15630

    simon
    Participant

    [Topic has been merged into this relevant topic]

    Hi,

    i use a plugin called “Easy digital Downloads” for mp3 download. Files up to ca. 22 mb are downloadable without a problem. But bigger files can not be found! I get the message: File not found or a download window where file size is 0.

    If i type in the url directly, then i can see an dl the file. The Hoster has is no problem aswell. Could it be a restriction of BPS for the plugin?

    Regards

    #15638

    AITpro Admin
    Keymaster

    @ simon – BPS does not do anything with file sizes/file size restrictions.  File upload settings are changed by changing these php.ini directive settings in your website’s php.ini file, but I don’t think that would affect file downloads, unless Easy Digital Downloads requires that you make these php.ini changes.  Check with the Easy Digital Downloads plugin folks and see what they say about this.

    post_max_size = 20M
    upload_max_filesize = 20M
Viewing 9 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic.