admin-ajax.php, post.php, 403 error


This topic contains 7 replies, has 2 voices, and was last updated by  AITpro Admin 6 years, 4 months ago.

  • #6808

    Terry Chadban
    Participant

    Hey guys,

    Today I uploaded and scheduled a post to go out tomorrow, and when I checked my HTTP Error Log I got all these errors. The IP address is mine, but I don’t know what is firing up BPS or what I have done wrong. Can anyone explain what the problem is in non-geek speak for me and what I need to do to fix it? TIA.

    Terry

    BPS SECURITY / HTTP ERROR LOG
    ==============================
    ==============================
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - June 9, 2013 - 12:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 121.218.212.117
    Host Name: CPE-121-218-212-117.lnse4.cht.bigpond.net.au
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http: //portmacquarieonlinemarketing.com/wp-admin/post.php?post=369&action=edit&message=10
    REQUEST_URI: /wp-admin/admin-ajax.php?action=tp_gp&tl=fr&q%5B%5D=social+media+management&q%5B%5D=%C2%A0tool&q%5B%5D=TechRepublic&q%5B%5D=Wed&q%5B%5D=Jun&q%5B%5D=Get+highlights+on+five%C2%A0&q%5B%5D=%C2%A0tools+that+could+work+for+a+variety+of+businesses&q%5B%5D=Our+current+clients+already+know+that%C2%A0&q%5B%5D=HootSuite&q%5B%5D=%C2%A0is+our+weapon+of+choice&q%5B%5D=and+the+one+that+we+recommend+to+all+our+clients+for+managing+their+social+media+updates&q%5B%5D=You+can+also+check+out+the&q%5B%5D=HootSuite+Pro&q%5B%5D=Pro+version&q%5B%5D=free+for&q%5B%5D=days%C2%A0&q%5B%5D=here&q%5B%5D=%C2%A0which+will+be+more+than+enough+for+most+small+business+owners&q%5B%5D=Image+representing+HootSuite+as+depicted+in+Cr..&q%5B%5D=Next+up&q%5B%5D=and+in+a+similar+vein
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
    #6812

    AITpro Admin
    Keymaster

    1. Add the admin-ajax.php & post.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

    # admin-ajax.php & post.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php|post\.php) [NC]
    RewriteRule . - [S=2]
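
An added illustration, not part of the original reply and not BPS code: a small Python model of how mod_rewrite's [S=N] flag walks a rule list, showing why the new rule has to be [S=2] when it sits above an existing [S=1] rule. The filter pattern and the second skip pattern are constructed stand-ins.

```python
import re

# Constructed stand-in for the security filter at the bottom of the file; the
# real BPS filter conditions are not shown in this thread.
FILTER = (r"FILTERED", "QUERY_STRING", ("F",))
AJAX = r"(admin-ajax\.php|post\.php)"   # pattern from the rule above
OTHER = r"/example-plugin/"             # hypothetical skip rule already present

def build_chain(skip_patterns):
    """Number skip rules N..1 from the top, so each jumps over the skip rules
    below it and the filter rule."""
    n = len(skip_patterns)
    rules = [(p, "REQUEST_URI", ("S", n - i)) for i, p in enumerate(skip_patterns)]
    return rules + [FILTER]

def evaluate(rules, uri, query=""):
    """Return 403 if the filter rule fires for this request, else 200."""
    i = 0
    while i < len(rules):
        pattern, variable, flag = rules[i]
        subject = uri if variable == "REQUEST_URI" else query
        if re.search(pattern, subject, re.I):    # [NC] = case-insensitive
            if flag[0] == "F":
                return 403
            i += flag[1]                         # [S=N]: skip the next N rules
        i += 1
    return 200

GOOD = build_chain([AJAX, OTHER])                # [S=2], [S=1], filter
BAD = [(AJAX, "REQUEST_URI", ("S", 1))] + build_chain([OTHER])  # both [S=1]

if __name__ == "__main__":
    request = ("/wp-admin/admin-ajax.php", "action=tp_gp&q=FILTERED")
    print("S=2 on top:", evaluate(GOOD, *request))
    print("S=1 on top:", evaluate(BAD, *request))
```

With the wrong skip number the whitelisted request only jumps over the next skip rule and lands on the filter, which is the 403 the skip rule was meant to avoid.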
    #6816

    Terry Chadban
    Participant

    Sorry about the delay in getting back to you, but two of my personal websites are under siege as we speak — I have bumped up Wordfence to Level Four and they are holding up okay ATM.

    I have added the custom code to the site, but I have two questions:
    [1] What is it doing and what was causing the problem in the first place, and
    [2] Will I need to add this custom code to EVERY site that I manage?  TIA.

    Terry

    #6817

    AITpro Admin
    Keymaster

    Yep, our websites are logging 1,000’s of blocked Brute Force Password cracking attacks again, which BPS Pro is handling without even blinking an eye.  😉  We are experimenting with some new code and methods since the hackers are so kindly providing us with a testing environment.  LOL

    1.  By default BPS Pro protects all files in your wp-admin folder from being directly or indirectly exploited in attacks against your website.  By whitelisting admin-ajax.php and post.php you are telling BPS not to apply security filter checks when these files are called by whatever is calling them.  This is safe to allow for these particular files.

    2.  If you are doing the same thing that you are doing on this site and you are seeing admin-ajax.php errors in your Security Log for a website then yes you would need to add this skip/bypass rule to Custom Code for that site.  BPS Pro Custom Code is saved permanently to your WordPress database so this would be a one time thing that you would never have to do again.

    #6820

    Terry Chadban
    Participant

    Yes, it looks like the amateurs are at it again. The morons are (so far this time) using either ‘admin’ or ‘Admin’ as a user name, so they aren’t even close! Other variations we got last time were ‘Administrator’ or my favourite ‘adminadmin’ — even I hadn’t thought of that one.

    Is there any way to tell what is triggering the errors? So far I have found similar problems on both websites I have checked, one had an error log of nearly 1mb which was a bastard to delete, so my guess is it is a plugin that is common to most of the websites but I don’t know where to start. Guess I could play it safe and install the script on all sites just in case, because I don’t have time to check every error log every day.

    Would it be possible to incorporate this script in a future revision of the plugin, because it seems to be a common problem, so my guess is it is a popular plugin or plugins causing the problem.

    BTW, some of these losers are actually readers of the BPS forums, because they have made the connection between my comments on this forum and my main websites — both have come under intense fire recently, not just from the brute force clowns, but also targeted direct attacks on BPS’s and Wordfence’s internal files, they have been trying to access the files directly instead of going through the login page, but the result is the same, both websites are still standing tall, and a testament to BPS’s effectiveness, so keep trying, clowns!  🙂

    Terry
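
One way to work out what is triggering the errors from the log itself, as an added example that is not part of the original thread: WordPress routes admin-ajax.php requests to `wp_ajax_{action}` / `wp_ajax_nopriv_{action}` hooks, so the `action` value in each blocked REQUEST_URI names the hook to search plugin code for. The sample log is constructed in the layout shown in the first post; `example_widget_save` is a made-up action.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the layout of the log in the first post
# (documentation address and host, made-up third entry).
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - June 9, 2013 - 12:10 pm <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.7
HTTP_REFERER: http://example.com/wp-admin/post.php?post=369&action=edit&message=10
REQUEST_URI: /wp-admin/admin-ajax.php?action=tp_gp&tl=fr&q%5B%5D=social+media

>>>>>>>>>>> 403 GET or Other Request Error Logged - June 9, 2013 - 12:11 pm <<<<<<<<<<<
REQUEST_URI: /wp-admin/admin-ajax.php?action=tp_gp&tl=de&q%5B%5D=tool

>>>>>>>>>>> 403 GET or Other Request Error Logged - June 9, 2013 - 12:15 pm <<<<<<<<<<<
REQUEST_URI: /wp-admin/admin-ajax.php?action=example_widget_save
"""

ENTRY_START = re.compile(r"^>{5,}.*<{5,}$")
FIELD = re.compile(r"^(?P<key>[A-Z_]+):\s*(?P<value>.*)$")

def parse_entries(text):
    """Split the log into one dict of KEY: value fields per logged request."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if ENTRY_START.match(line):
            entries.append({"title": line.strip("<> ")})
        elif entries and (field := FIELD.match(line)):
            entries[-1][field["key"]] = field["value"].strip()
    return entries

def blocked_actions(entries):
    """Count blocked requests per (script, action) pair."""
    counts = Counter()
    for entry in entries:
        uri = urlsplit(entry.get("REQUEST_URI", ""))
        action = parse_qs(uri.query).get("action", [""])[0]
        counts[(uri.path.rsplit("/", 1)[-1], action)] += 1
    return counts

def hooks_to_search(counts):
    """Hook names to grep wp-content/plugins for; the hit names the plugin."""
    actions = {a for (script, a) in counts if script == "admin-ajax.php" and a}
    return sorted(h + a for a in actions for h in ("wp_ajax_", "wp_ajax_nopriv_"))

if __name__ == "__main__":
    print(hooks_to_search(blocked_actions(parse_entries(SAMPLE_LOG))))
```

Searching the plugins directory for the returned hook names (for instance with `grep -rn`) points at the plugin that registered the blocked action.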

    #6823

    AITpro Admin
    Keymaster

    BPS and BPS Pro start from the maximum security settings and allow folks to decrease that security as needed.  In this particular case, whitelisting these 2 particular files does not decrease your website security in any way.  The BPS Pro general philosophy still applies here though so nope we would not whitelist these files as a standard/by default.

    What we have already set in motion starting with BPS Pro 5.9 is this:  http://forum.ait-pro.com/forums/topic/flare-plugin-security-log-error/#post-6749

    #6826

    Terry Chadban
    Participant

    The new version sounds good. As a compromise, could you add the above code to the Custom Code page as an example so that we can just copy’n’paste the code directly, rather than having to keep a copy handy to add to new websites? You already have a number of example codes on the page, but this one would be popular by the look of the number of threads related to these 403 errors.

    BTW, looks like the losers have given up and moved on — no hits in the last two hours, after one website reported 200 in half an hour at one stage! Score one more for BPS!  🙂

    Terry

    #6827

    AITpro Admin
    Keymaster

    The Admin Dismiss Notice will include the fix so it can be copied and pasted from the Notice itself.

    Example:
    Plugin X is using admin-ajax.php which is being blocked by BPS.  To resolve this issue add this custom code skip/bypass rule… (will have full instructions on what to do with the admin-ajax.php skip/bypass rule and the .htaccess skip/bypass rule itself in the Notice).
