Error updating settings. SyntaxError: Unexpected token in JSON at position 0
- This topic has 7 replies, 2 voices, and was last updated 7 years, 3 months ago by Laurențiu.
Laurențiu (Participant)
Hello!
I had a similar problem with Jetpack, although I was getting another error: “Error updating settings. SyntaxError: Unexpected token < in JSON at position 0”. The browser also showed a 403 POST error.
Then I found the code described in post #32953. After adding it I didn’t get any 403 POST errors anymore in the browser console. So the solution posted by you works for me. After all, it seems that you can still use Jetpack with the POST Attack Protection Bonus Custom Code. I just wanted to say this, for the case that someone else has the same problem.
However, I still get 403 (not related to POST): Failed to load resource: the server responded with a status of 403 () /wp-json/jetpack/v4/settings
It seems that this is caused by the WP-SpamShield plugin. I’m still trying to find a solution to this, and see if the problem is from WP-SpamShield or a compatibility problem between WP-SpamShield and BPS Pro.
EDIT:
I don’t know if this is related, but I also get this error when activating the plugin:
[403 GET Request: 16. Juni 2017 - 8:55]
BPS Pro: 12.9.1
WP: 4.8
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 217.160.62.25
Host Name: infongp-fr37.kundenserver.de
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.example.com/wp-content/plugins/wp-spamshield/js/jscripts-ftr-min.js
REQUEST_URI: /wp-content/plugins/wp-spamshield/js/jscripts-ftr-min.js
QUERY_STRING:
HTTP_USER_AGENT: WordPress/4.8; https://www.example.com
However, after activating it, the plugin works normally.
Laurențiu (Participant)
It seems that disabling WP-SpamShield solves the problem, but disabling BPS Pro while having WP-SpamShield enabled doesn’t. I even tried disabling all B-Core and P-Security options, and renaming php.ini, but it still doesn’t work. So it’s not a problem with .htaccess, php.ini or ini_set.
I also installed WP-SpamShield and Jetpack locally on my PC, but without BPS, and JetPack works correctly. It even works correctly if I add all P-Security settings from my website to wp-config.php.
So do you think that the problem is only from WP-SpamShield and I should contact them, or do you think there’s still something I didn’t try already?
P.S.: Should I make a new thread about my problem? Sorry for replying here, but I just wanted to confirm that your .htaccess code works.
AITpro Admin (Keymaster)
Explaining the cause and solution for the Jetpack plugin “Error updating settings. SyntaxError: Unexpected token in JSON at position 0” error message so that it makes sense to anyone else who is having the same issue/problem.
If you are using the BPS POST Attack Protection Bonus Custom Code here: https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/ then you will need to go to BPS Custom Code and edit your existing POST Attack Protection Bonus Custom Code in the BPS Root Custom Code text box and add the Jetpack JSON htaccess whitelist rule below to your existing POST Attack Protection Bonus Custom Code in the BPS Root Custom Code text box, click the Save Root Custom Code button and activate Root folder BulletProof Mode again.
This new Jetpack JSON POST Request whitelist rule has been added in the BPS POST Attack Protection Bonus Custom Code here: https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/ if you would like to see an example of where this Jetpack JSON whitelist should go in your existing POST Attack Protection Bonus Custom Code in the BPS Root Custom Code text box.
# Whitelist Jetpack wp-admin JSON POST Request
RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
The Security Log entry that you posted shows that the BPS Pro Plugin Firewall was blocking the wp spamshield .js script. Plugin Firewall AutoPilot Mode should have automatically created a new Plugin Firewall whitelist rule for the wp spamshield .js script after 15 minutes. You can verify that by either checking your BPS Security Log for this example log entry: [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: xxx x, 2017 – 00:00 pm] or by checking your Plugin Firewall Plugins Script|File Whitelist Text Area box.
Since disabling the WP-Spamshield plugin worked to fix the additional problem/error then it sounds like WP-Spamshield is causing the additional problem/error. I am not sure how you were able to install Jetpack on your Local Dev server on your computer since Jetpack does not allow you to connect to the Jetpack API server from a Local Dev server on your computer. When I tried to test Jetpack on my Local Dev XAMPP server on my computer I was not able to/allowed to connect to Jetpack. You can install Jetpack on a Local Dev server on your computer, but without being able to connect to the Jetpack API server then you would not be able to use any of the Jetpack plugin features. So I do not think you can test Jetpack and WP-Spamshield on your Local Dev server on your computer and would only be able to test those things on a Live hosted website/server.
So the only logical explanations for the additional problem/error: “Failed to load resource: the server responded with a status of 403 () /wp-json/jetpack/v4/settings” are these:
1. The BPS Pro Plugin Firewall is not whitelisting the WP-Spamshield .js script successfully due to something else breaking BPS Pro Plugin Firewall AutoPilot Mode on your website, i.e. minification/compression, etc.
2. The problem is caused by WP-Spamshield and does not have anything to do with BPS Pro.
Laurențiu (Participant)
Thank you for your help! An update for WP-SpamShield was just released a few hours ago and now the problem has been fixed! 🙂
I’m not sure why the whitelist rule is not being created automatically. There is another whitelist rule also for WP-SpamShield, but for another file. At the moment I also don’t have any minification/compression, because I’m still setting up the website. However, the plugin still seems to work normally.
About Jetpack on localhost: you are right, you can only use a minimum amount of features while having it installed locally. However, I even got errors on my websites on the features that don’t require a connection, so that’s why I could still test it. But it doesn’t matter anymore now, since the problem has been solved.
And since we’re already talking about .htaccess code that doesn’t block Jetpack – I found another problem with Jetpack:
[403 POST Request: 16. Juni 2017 - 21:53]
BPS Pro: 12.9.1
WP: 4.8
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.0.87.16
Host Name: 192.0.87.16
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://www.example.com/xmlrpc.php?for=jetpack&token=HM%290vq4r58%2AP4wIuPB86gJVZXHLe%24wr%2A%3A1%3A0&timestamp=1497642831&nonce=y3v3UVZPFC&body-hash=W6pDLz02alZeab4mRplyUaVjmIk%3D&signature=8h8cSVGUv4jhcnm3M%2F0oYkKSo0g%3D
REQUEST_URI: /xmlrpc.php?for=jetpack&token=HM%290vq4r58%2AP4wIuPB86gJVZXHLe%24wr%2A%3A1%3A0&timestamp=1497642831&nonce=y3v3UVZPFC&body-hash=W6pDLz02alZeab4mRplyUaVjmIk%3D&signature=8h8cSVGUv4jhcnm3M%2F0oYkKSo0g%3D
QUERY_STRING: for=jetpack&token=HM%290vq4r58%2AP4wIuPB86gJVZXHLe%24wr%2A%3A1%3A0&timestamp=1497642831&nonce=y3v3UVZPFC&body-hash=W6pDLz02alZeab4mRplyUaVjmIk%3D&signature=8h8cSVGUv4jhcnm3M%2F0oYkKSo0g%3D
HTTP_USER_AGENT: Jetpack by WordPress.com
REQUEST BODY: <?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
<value><struct>
<member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member>
<member><name>params</name><value><array><data>
<value><array><data>
<value><string>GET</string></value>
<value><string>https://public-api.wordpress.com/rest/v1.1/sites/130074581?http_envelope=1</string></value>
<value><string></string></value>
<value><int>130074581
At the moment I found this code in one of your posts and used it:
# Whitelist Jetpack POST Request to wp-load.php by Query String
RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]
I’m not sure if this is the right code for this issue, but I’ll monitor the situation and see if it occurs again. For now I didn’t get any further errors, but I don’t know when this request is being made, so I can’t test if it works.
AITpro Admin (Keymaster)
Jetpack makes a direct Request to the WP wp-load.php file so you also probably need to add this additional whitelist rule below. Also if you are using any other BPS Bonus Custom Code that blocks the xmlrpc.php file then I am pretty sure that you will need to delete it if you are using Jetpack. These days WP has added additional security protection for the WP xmlrpc.php file. So any BPS Bonus Custom Code that blocks the xmlrpc.php file is no longer necessary.
# Whitelist Jetpack POST Requests to wp-load.php
RewriteCond %{REQUEST_URI} !^.*/wp-load.php [NC]
# Whitelist Jetpack POST Request to wp-load.php by Query String
RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]
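An offline check of the three whitelist conditions quoted in this thread, as an added example that is not part of the original posts or of BPS. It assumes the POST Attack Protection block has the usual mod_rewrite shape (a REQUEST_METHOD POST condition, the negated whitelist conditions ANDed together, then a rule ending in [F]); the full block is not shown on this page, the function names are hypothetical, and the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit

# Whitelist conditions quoted in this thread: (server variable, pattern).
# In the .htaccess each pattern is prefixed with "!" and flagged [NC].
WHITELIST_CONDS = [
    ("REQUEST_URI", r"^.*/wp-json/jetpack/(.*)"),
    ("REQUEST_URI", r"^.*/wp-load.php"),
    ("QUERY_STRING", r"^for=jetpack(.*)"),
]

def server_vars(method, url):
    """Split a request the way mod_rewrite sees it: REQUEST_URI has no query string."""
    parts = urlsplit(url)
    return {"REQUEST_METHOD": method.upper(),
            "REQUEST_URI": parts.path,
            "QUERY_STRING": parts.query}

def whitelisted_by(method, url):
    """Return the first whitelist pattern the request matches, or None."""
    env = server_vars(method, url)
    for var, pattern in WHITELIST_CONDS:
        if re.search(pattern, env[var], re.IGNORECASE):  # [NC]
            return pattern
    return None

def is_blocked(method, url):
    """Assumed rule shape: POST AND every negated condition true -> [F] (403)."""
    if method.upper() != "POST":
        return False  # the block only applies to POST requests
    return whitelisted_by(method, url) is None

# Constructed sample requests (paths from the thread, token replaced by a placeholder).
SAMPLES = [
    ("POST", "/wp-json/jetpack/v4/settings"),
    ("POST", "/WP-JSON/Jetpack/v4/settings"),
    ("POST", "/xmlrpc.php?for=jetpack&token=PLACEHOLDER"),
    ("POST", "/xmlrpc.php"),
    ("POST", "/wp-load.php"),
    ("GET", "/wp-json/jetpack/v4/settings"),
]

def report():
    return [(m, u, "403" if is_blocked(m, u) else "pass") for m, u in SAMPLES]

if __name__ == "__main__":
    for method, url, verdict in report():
        print(f"{verdict:4} {method:4} {url}")
```

Because the negated conditions are ANDed, matching any one of them is enough to exempt a POST from the block, and non-POST requests are never evaluated by it.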
Laurențiu (Participant)
You are right, I’m using the double bonus code that blocks XML-RPC, pingbacks and trackbacks, but the version recommended for Jetpack – so it should actually already work. So you are saying that I shouldn’t block XML-RPC because now it’s secure, but I should still block pingbacks and trackbacks? Is this correct? Then the right code would be this:
<FilesMatch "^(wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
P.S.: The firewall just whitelisted some files from WP-SpamShield, so it works correctly 🙂
AITpro Admin (Keymaster)
Yep, that is the correct code that blocks trackbacks and pingbacks.
I am not 100% sure what does and does not work now with the Jetpack XML-RPC Bonus Custom Code. WP made some changes to XML-RPC a while back and Jetpack also made some changes to how Jetpack works with XML-RPC a while back. Since Jetpack cannot be installed on a Local Development server for testing and since we have been working on a new feature in BPS and BPS Pro for the last 2 months, then we have not been able to thoroughly test what does and does not work any longer regarding Jetpack and XML-RPC. Once we get the new Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) feature completed and released in BPS Pro 13 and BPS 2.0 then we will install Jetpack on a Live hosted site and do some thorough testing.
Laurențiu (Participant)
Ahhh I just found out what the problem was. I used BPS POST Attack Protection Bonus Custom Code and forgot that Jetpack uses xmlrpc.php, so I removed it from the whitelist a few days ago. Now I didn’t check that code anymore and just found out now that it gets blocked because of that. So I may not need the code for wp-load.php anymore, since I didn’t get any blocked request for it, and theoretically I could even block XML-RPC + trackbacks with the recommended bonus code for Jetpack, because I’m whitelisting it anyway.
Thank you again for your great help! I learned a few new things 🙂
Last but not least, I can’t thank you enough for making such an amazing plugin! 😀 I’m looking forward to BPS Pro 13, it sounds very promising!