Easy Digital Downloads – 403 error

[AITpro Admin]

I came across this post today that was dated September 5, 2013 so I downloaded and tested the Easy Digital Downloads plugin to see if a whitelist rule needed to be created in BPS security code for this plugin.

https://easydigitaldownloads.com/support/topic/bullet-proof-security-plug-in/

It would go to checkout but said “My Cart Was Empty” other times it bypassed the checkout page and went directly to processing the transaction via paypal. The thing is I don’t use paypal – I use the authorization.net plugin.

Testing results of Easy Digital Downloads version 1.9.4 with BulletProof Security
Add to Cart/Remove from Cart
Checkout
Purchase
Download of digital product

I would like to say that I am very impressed with the Easy Digital Downloads plugin.  It is very easy to setup and use and has tons of options and features – Very Impressive Plugin!

All functions above worked normally in Easy Digital Downloads and there were no error messages, issues or problems and BPS did not block anything in Easy Digital Downloads.  So either the issue/problem that existed back in September 2013 is no longer occurring anymore or the issue/problem involved something else/another factor that was not tested during the Easy Digital Downloads plugin testing.

BPS contains a Security Log that logs blocked hacking and spamming attempts and also serves as a troubleshooting tool.  If BPS is blocking something that another plugin is doing then whatever is being blocked is logged in the BPS Security Log.  A whitelist rule can then be created for that plugin based on what is being blocked.  Since BPS is a security plugin it is designed to block malicious vectors/attack strings/etc.  Certain legitimate strings/URL’s etc. in plugins that appear to be malicious URL’s/attack strings/attack vectors may be blocked and just need to be whitelisted in BPS.  This is typically the standard routine with all security based plugins/Firewalls/WAF’s/scanners/ etc.

Plugin Conflict Misconception about BPS
The BPS plugin is a security plugin that intentionally blocks malicious things. Some legitimate things in another plugin or theme may trigger one or more of the security rules/filters in BPS and be blocked by BPS.  Creating a whitelist rule in BPS allows that plugin or theme to do what it needs to do without being blocked by BPS.  This is pretty much industry standard when it comes to website security.  Plugin conflicts are typically caused by 2 plugins using the same WordPress hooks – actions/filters that hook into WordPress functions to perform a task in a plugin or theme.  If 2 plugins are calling the same hooks to perform the same or a similar task then there will most likely be a conflict.  Typically 1 plugin will override the other plugin or both plugins end up cancelling out each others functionality/tasks.  We see this with the Login Security feature in BPS where 2 Login Security features are being used at the same time in 2 different plugins.  This is a standard plugin conflict example where the website owner would need to choose which Login Security feature to use in 1 of the plugins and turn off Login Security in the other plugin.

Misconceptions About a Web Host’s Responsibilties for Customers Websites
I see from the post that there are a couple of things that were said that are a bit misleading so this is intended to clear those misconceptions up and is not intended as a “you’re wrong, I’m right” thing.  What is the most important thing is that folks have all the facts so that they make the best choices based on those facts.

Web hosts do of course protect their Servers and the customer’s websites in general, but they do not provide individualized security measures by site type.  Implementing and supporting individualized security measures would be very costly and is not realistic.  Hosts do not create .htaccess files or php.ini files for websites or they may provide these security measures generally, but they are not custom tailored by site type.  The differences between HTML and PHP site types are night and day when it comes to website security/attack vectors/methods of attack/etc.  Example:  One of the most common attacks on PHP sites with databases is SQL Injection attacks.  HTML sites are static (not DB Based) vs PHP sites, which are dynamic (DB based).  PHP hacking attacks are different then hacking attacks made on HTML websites due to the differences in these site types.  htaccess and php.ini website security issues are more complex to troubleshoot and would increase Hosts support costs significantly so since a one size fits all solution cannot really be done for all site types and is not really effective doing this generally then I imagine most Hosts decide against implementing this on their Servers for a lot of very smart reasons and not just the support cost factor.

It is up to each individual website owner to implement their own individualized/customized website security measures for their particular website type and not the Host’s responsibility to implement this.  It is also the website owners responsibility when it comes to what they add or install on their particular website.  If a website owners installs something that has a security vulnerability that causes the site to get hacked then this would not be the Host’s fault or responsibility.  It is unrealistic to believe that a web host would implement and support individualized/customized website security measures for all of the many different types of customer website that they host on their Servers.  Hopefully this info clears up some of the misconceptions about what a Host is reponsible for when it comes to providing website security for customers websites.

Misconception about removing website security as being a solution
If for some reason a whitelist rule cannot be created in BPS to allow another plugin to do what it needs to do (that would be a first since that has never happened before) then use/install an alternative website security plugin or use other website security measures or just use a disaster recovery plan without any website security – do regular backups of the website so if/when the site gets hacked you can quickly and easily restore it from a good backup.

[Mark]

How do I allow downloads from the Easy Digital Downloads folder?

[403 GET / HEAD Request: June 8, 2014 - 11:47 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 97.90
Host Name: 97-
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/uploads/edd/FileName.pdf
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.76.4 (KHTML, like Gecko) Version/7.0.4 Safari/537.76.4

[AITpro Admin]

The Uploads Anti-Exploit Guard (UAEG) .htaccess file does not block pdf files by default so my assumption is that there are other files that are in the /edd folder that are file extension types that are blocked by UAEG – php, js, etc. that are doing something to process the pdf download.  To confirm something like that is occurring do troubleshooting step #4.

http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
4. On the Security Modes page, click the UAEG BulletProof Mode Deactivate button.

If the pdf download works correctly then the easiest/quickest solution is to add a RewriteEngine Off .htaccess file in the /edd folder.
http://forum.ait-pro.com/forums/topic/rewriteengine-off-htaccess-file/

[Mark]

Sorry to complicate the issue. Yes, in this case the download is a .zip file.

[AITpro Admin]

The Uploads Anti-Exploit Guard (UAEG) .htaccess file does not block zip files by default.  Same troubleshooting steps apply.  Let me know the results after doing the troubleshooting step above.

[Mark]

Just an FYI, apparently the issue I was having had to do with multiple price settings for a single item and nothing to do with BPS Pro but still unsure why I was getting the 403.

[AITpro Admin]

BPS Security Logging logs all 403 HTTP Status code events whether or not they are related to or caused by BPS.  Unfortunately, the Security Log entry does not show exactly which plugin script/file name is the real source of the 403 error.  Tricky one to figure out.

What usually works in these cases if BPS is blocking something in a plugin is to create a Plugin skip/bypass rule for that plugin’s folder.
Example:

# Some Example Plugin skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/example-plugin-folder-name/ [NC]
RewriteRule . - [S=13]

[simon]

[Topic has been merged into this relevant topic]

Hi,

i use a plugin called “Easy digital Downloads” for mp3 download. Files up to ca. 22 mb are downloadable without a problem. But bigger files can not be found! I get the message: File not found or a download window where file size is 0.

If i type in the url directly, then i can see an dl the file. The Hoster has is no problem aswell. Could it be a restriction of BPS for the plugin?

Regards

[AITpro Admin]

@ simon – BPS does not do anything with file sizes/file size restrictions.  File upload settings are changed by changing these php.ini directive settings in your website’s php.ini file, but I don’t think that would affect file downloads, unless Easy Digital Downloads requires that you make these php.ini changes.  Check with the Easy Digital Downloads plugin folks and see what they say about this.

post_max_size = 20M
upload_max_filesize = 20M

[Author]

Posts