Community Events – Custom Login page 403 error


Viewing 6 posts - 1 through 6 (of 6 total)
  • #32036
    Mark
    Participant

    I have a plugin called Community Events that is a part of the “Events Calendar” plugin from Events Tribe. The particular “Community Events” plugin allows users to log in through the front end via a particular url that will then redirect them to the event add page. For whatever reason the front end log in fields of this plugin are conflicting with BPSpro and I don’t know how to resolve the problem. Here is the error:

    [Login Form - POST Request Logged: January 6, 2017 - 4:23 am]
    BPS Pro: 12.5
    CAPTCHA Entered:
    BOT/HUMAN: Most Likely a SpamBot
    REMOTE_ADDR: 47.186.117.47
    Host Name: 47.186.117.47
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://theoilyprofessor.com/events/community/add
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    #32037
    AITpro Admin
    Keymaster

    Do BPS Pro troubleshooting steps #6 and #7 to turn off BPS Pro Login Security and BPS Pro JTC for troubleshooting: https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting Since several different things are occurring with your login and handled by 2 or more plugins then you need to take BPS Pro LSM and JTC out of the equation to see if the problem is with Jetpack SSO and the Community Events custom login page. In any case, Jetpack SSO is overriding BPS Pro Login Security and it also appears the Jetpack SSO is also overriding BPS Pro JTC. So you may not be able to use both Jetpack SSO and BPS Pro LSM and JTC together since they are doing a very similar or the same thing – Login security/login page processing/handling. Pending additional Jetpack SSO module testing.

    Technical Notes: The custom login page form here: /events/community/add redirects to the standard wp login page in the form action (relevant form code below). The standard WP Login page has the BPS Pro JTC captcha form field displayed. The Login page is not being processed by BPS Pro Login Security and Monitoring and is instead being handled/processed by the Jetpack Single Sign On Module.

    <form name="loginform" id="loginform" action="http://theoilyprofessor.com/wp-login.php" method="post">
    ...
    ...
    ...
    <input type="hidden" name="redirect_to" value="http://theoilyprofessor.com/events/community/add" />

    Also are you using the Brute Force Login page protection Bonus Custom Code here that protects by Server Protocol:  https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/  The Security Log entry shows that the Server Protocol is HTTP/1.0.  So what may have been blocked if you are using the code below was Server Protocol HTTP/1.0, which is commonly used by bots.

    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots, HackerBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]
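The following Python script is an added example, not code from this thread or from BPS Pro. It parses Security Log entries in the format quoted above and applies the same three RewriteCond tests as the posted .htaccess snippet (wp-login.php URI, blank User-Agent, HTTP/1.0 in THE_REQUEST or SERVER_PROTOCOL), so you can see which logged requests the rule would have answered with a 403 and why. The log text inside it is constructed: the first entry mirrors the HTTP/1.0 + Chrome entries in this thread, while the blank-User-Agent entry and the /member-login/ entry are invented variations. The "browser on HTTP/1.0" flag is an added triage heuristic, not a BPS Pro feature.

```python
import re

# Constructed sample log, not a verbatim copy of the thread. Entry 1 mirrors
# the HTTP/1.0 + Chrome entries quoted above; entries 2 and 3 are invented
# (a blank User-Agent, and an HTTP/1.1 POST to a non-login URL).
SAMPLE_LOG = """\
[Login Form - POST Request Logged: January 6, 2017 - 4:23 am]
BPS Pro: 12.5
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: POST
HTTP_REFERER: http://example.com/events/community/add
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
[Login Form - POST Request Logged: January 6, 2017 - 5:02 am]
BPS Pro: 12.5
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: POST
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT:
[Login Form - POST Request Logged: January 6, 2017 - 5:10 am]
BPS Pro: 12.5
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: POST
REQUEST_URI: /member-login/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0
"""

ENTRY_HEADER = re.compile(r"^\[Login Form - POST Request Logged: (.+)\]$")
# Same pattern the posted rule applies to %{REQUEST_URI}.
LOGIN_URI = re.compile(r"^(/wp-login\.php|.*wp-login\.php.*)$")
# Same anchored pattern it applies to %{THE_REQUEST} and %{SERVER_PROTOCOL}.
HTTP10 = re.compile(r"HTTP/1\.0$")
BROWSER_HINT = re.compile(r"Mozilla/\d")


def parse_bps_log(text):
    """Split a BPS Pro Security Log dump into one dict per logged request."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_HEADER.match(line)
        if m:
            current = {"logged": m.group(1)}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue  # text before the first header, or a malformed line
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries


def evaluate_rule(entry):
    """Apply the BRUTE FORCE LOGIN PAGE PROTECTION conditions to one entry.

    Returns (blocked, reasons). The rule only fires on wp-login.php, and
    only if the User-Agent is blank OR the request line/protocol is HTTP/1.0.
    """
    uri = entry.get("REQUEST_URI", "")
    if not LOGIN_URI.match(uri):
        return False, []
    # Rebuild THE_REQUEST ("POST /wp-login.php HTTP/1.0") from the logged
    # fields; the BPS log records the pieces, not the raw request line.
    target = uri + ("?" + entry["QUERY_STRING"] if entry.get("QUERY_STRING") else "")
    the_request = "%s %s %s" % (
        entry.get("REQUEST_METHOD", ""), target, entry.get("SERVER_PROTOCOL", ""))
    reasons = []
    if entry.get("HTTP_USER_AGENT", "") == "":
        reasons.append("blank User-Agent")
    if HTTP10.search(the_request) or HTTP10.search(entry.get("SERVER_PROTOCOL", "")):
        reasons.append("Server Protocol HTTP/1.0")
    return bool(reasons), reasons


def triage(text):
    """One verdict per entry: would the rule 403 it, and does it look like a
    real browser that was caught only by the HTTP/1.0 condition?"""
    verdicts = []
    for entry in parse_bps_log(text):
        blocked, reasons = evaluate_rule(entry)
        ua = entry.get("HTTP_USER_AGENT", "")
        # Added heuristic: current browsers speak HTTP/1.1 or newer, so a full
        # browser User-Agent arriving as HTTP/1.0 usually means an intermediary
        # (proxy, CDN, load balancer) rewrote the request line, and a
        # protocol-based block will hit legitimate users as well as bots.
        likely_browser_downgraded = (
            blocked and "Server Protocol HTTP/1.0" in reasons
            and BROWSER_HINT.search(ua) is not None)
        verdicts.append({
            "logged": entry.get("logged"),
            "uri": entry.get("REQUEST_URI"),
            "blocked": blocked,
            "reasons": reasons,
            "likely_browser_downgraded": likely_browser_downgraded,
        })
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        status = "403 " if v["blocked"] else "pass"
        note = " (browser UA on HTTP/1.0: check for an intermediary)" if v["likely_browser_downgraded"] else ""
        print(status, v["uri"], ", ".join(v["reasons"]) or "-", note)
```

Run it directly to print one verdict per entry. The result matches what the thread's logs show: a request carrying a current Chrome User-Agent that still reaches Apache as HTTP/1.0 is exactly what the protocol condition catches, so a rule written for bots also returns 403 to real users whose requests arrive that way.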
    #32044
    Mark
    Participant

    I shut off LSM and JTC and that seemed to solve the problem. I then shut off the Jetpack SSO. I was able to turn JTC back on and everything worked fine, but when I turned LSM back on, I get the following report:

    [Login Form - POST Request Logged: January 6, 2017 - 3:50 pm]
    BPS Pro: 12.5
    CAPTCHA Entered:
    BOT/HUMAN: Most Likely a SpamBot
    REMOTE_ADDR: 72.64.71.26
    Host Name: static-72-64-71-26.dllstx.fios.frontiernet.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://theoilyprofessor.com/events/community/add
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

    I also don’t see any recaptcha form when visiting the add page. I tried the above with the brute force extra code that you had included.
    When I delete that brute force code I get the following with Jetpack SSO turned off, LSM off, and JTC on:

    [Login Form - POST Request Logged: January 6, 2017 - 3:57 pm]
    BPS Pro: 12.5
    CAPTCHA Entered:
    BOT/HUMAN: Most Likely a SpamBot
    REMOTE_ADDR: 72.64.71.26
    Host Name: static-72-64-71-26.dllstx.fios.frontiernet.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://theoilyprofessor.com/events/community/add
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

    Should I be using the brute force code or not?

    #32047
    AITpro Admin
    Keymaster

    You definitely do not want to use the Brute Force Login protection code that I posted. So delete that code. Ok so you need to make a decision about which plugin/features you want to use since you cannot use all of them together. That is a fairly common problem with handling/processing logins. The reason for that is WordPress provides Hooks – Actions and Filters that allow plugins and themes to hook into the normal WordPress functionality. The Login page and Login processing is a special case and typically only 1 plugin or plugin feature can handle/process logins. You cannot use multiple plugins or plugin features that use the same WordPress login hooks to process/handle logins because 1 plugin or plugin feature will override any other plugins or plugin features that are also trying to handle/process logins.

    #32299
    Mark
    Participant

    [Topic has been merged into this relevant Topic]
    On my site I have the event calendar plus plugin installed. I’ve created a menu tab that will allow my users to create a new event, however, you must be logged in first, so the menu tab will land them on a log in page first (http://theoilyprofessor.com/events/community/add). You can also log in through the userpro profile plugin menu item (http://theoilyprofessor.com/member-login/).

    Once you are logged in it is possible to create a new event. The only problem is that when bps is active it will not allow someone to log in through http://theoilyprofessor.com/events/community/add, only http://theoilyprofessor.com/member-login/

    I’m getting the following security warning: Is there a way to resolve this problem?

    [Login Form - POST Request Logged: January 31, 2017 - 1:15 pm]
    BPS Pro: 12.6
    CAPTCHA Entered:
    BOT/HUMAN: Most Likely a SpamBot
    REMOTE_ADDR: 72.64.71.26
    Host Name: static-72-64-71-26.dllstx.fios.frontiernet.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://theoilyprofessor.com/events/community/add
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    #32301
    AITpro Admin
    Keymaster

    Since this is a custom login page and not a standard WordPress Login page then JTC will not work correctly since there are not any standard WordPress Hooks to hook into.  As of BPS Pro 12.6 you can now use Login Security and JTC independently.  Go to the JTC Anti-Spam|Anti-Hacker page and uncheck the Login Form checkbox.  If you would like for us to test everything then you need to send us all the plugins involved that handle Login Processing.  If the plugins include Actions then we can create code in BPS Pro to use those custom Actions to hook into so that JTC will work using the custom hooks in these plugins.

    For example, as of BPS Pro 12.6 we created additional code that hooks into the custom Actions that WooCommerce created for their WooCommerce Login page, which allows Login Security and JTC to work on the WooCommerce custom Login page.
