Sorry, you are not allowed to access this page – Gutenberg


    #36308
    Tina Dubinsky
    Participant

    Hi!

    Just checking in to see if there’s any special code that I need to add to have Gutenberg work?  I’m having issues getting it to activate and my theme is supposedly compatible (Generate Press Premium).

    When I tried to use the troubleshooter and activate Gutenberg in the troubleshooter, I receive the error message: “Sorry you’re not allowed to access that page.”

    I can see a heap of whitelist rules for it (when not in the troubleshooter) that I have automatically set up after going through the setup Wizard but every time I try to use the new editor it still defaults to classic (even with the classic plugin deactivated).

    Just thought I should see if you’re aware of any issues or extra code needed for it with BPS Pro.

    Cheers

    -Tina

    #36309
    AITpro Admin
    Keymaster

    First you need to figure out what is causing the problem.  It could be something in BPS Pro or it could be something else.  Please list the exact steps to reproduce the problem so that we can test this.  What type of website do you have?  Single standard WP site, Network|Multisite subdirectory or subdomain site, GWIOD site?

    Things you can try now.
    Re-install WordPress on the Dashboard > Updates page
    Do BPS Pro troubleshooting steps > https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    #36310
    Tina Dubinsky
    Participant

    Hi,

    Yes, I had tried reinstalling the update (twice in fact) but I now have new information and it was what I thought it might be originally. One of my theme’s addons, “Sections” wasn’t compatible. But then I was advised the issue was fixed. However, I have now learnt that this is only relevant if I decide to run the beta version for Sections and this isn’t advisable for live sites. I don’t have the luxury of running a test site, so I am going to wait until it is ready.

    Relevant thread: https://generatepress.com/forums/topic/guttenberg-compatibility/

    On another note, while trying to work out why it wasn’t working, I discovered some of my wp cron jobs weren’t always running. I think this may be because I use wp cache. I spoke to my webhost who recommended running  wp-cron outside of WordPress every 15 minutes (they disabled wp cron and set it up in cpanel to run), but now the firewall seems to think my  server host is a hacker (getting BFHS) when it tries to run wp_cron. I will have to add custom code so it doesn’t flag it as a hacker (which I’ll try to work out now).

    Plus, is this the best way to do the cron jobs? I’m worried it will miss the BPS checks if done this way, or will the BPS checks get run when wp cron runs?

    Cheers

    -Tina

     

    #36311
    AITpro Admin
    Keymaster

    So have you determined that the problem with Gutenberg is a compatibility issue with your theme?  I read through the link you posted and it seems like that is the issue?

    WP Cache probably does not affect or have anything to do with Cron Jobs.  Most caching plugins just perform caching and things like compression/minification, CDN stuff, etc.

    I don’t understand what this means > “…but now the firewall seems to think my server host is a hacker (getting BFHS) when it tries to run wp_cron.”  What type of problem is occurring?  Are you seeing an error message?  If so, what is the error message? What is BFHS?

    Sounds like your host set up a Direct Cron Job in cPanel.  BPS features that use Cron Jobs will work with Direct Cron Jobs, but I recommend that you do not disable standard WP Crons and use standard WP Crons instead of a Direct Cron.  Whatever choice you make is up to you.  Here is a rough example of how using a Direct Cron set to run every 15 minutes will affect AutoRestore|Quarantine assuming you have set the ARQ Cron frequency to run every 2 minutes > Obviously ARQ will not run every 2 minutes since the Direct Cron only runs every 15 minutes.  If the Direct Cron job is set up in a way that the Cron is not “stored” then it is possible that the ARQ Cron may not fire every 15 minutes and would miss Direct Cron job 15 minute cycles.  I cannot really tell you anything more than that without seeing the Direct Cron Job code and setup and even then I would not really be able to add any more insight or help regarding that.  Personally I recommend that you use standard WP Crons instead of Direct Cron.

    #36312
    AITpro Admin
    Keymaster

    Disregard my question about BFHS.  That is just a generic Security Log event code.  I was thinking (too deep) that this was some kind of error message.  😉  Post the relevant Security Log entry so I can take a look at it.

    #36313
    Tina Dubinsky
    Participant

    No problems. This is the log event code:

    [403 GET Request: August 6, 2018 - 11:15 am]
    BPS Pro: 13.6
    WP: 4.9.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 205.196.23.189.icertified.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-cron.php?doing_wp_cron
    QUERY_STRING: doing_wp_cron
    HTTP_USER_AGENT: Wget/1.12 (linux-gnu)

    I wasn’t confident about stopping the WordPress wp cron events, but the “Health Check” plugin recommended for working through issues with Gutenberg kept showing messages like:

    scheduled event (bpsPro_security_log_check) has failed to run. Your site still works, but this may indicate that scheduling posts or automated updates may not work as intended.

    Or

    A scheduled event (wp_split_shared_term_batch) has failed to run. Your site still works, but this may indicate that scheduling posts or automated updates may not work as intended.

    It made me worried when the BPS log check had failed. So, when I looked into this issue, the recommendation was to run wp-cron from cpanel to make sure it ran. Regarding ARQ, I’ve actually had it set to still run at 15 minute intervals (as it used to even though I know it says it doesn’t tax resources at 2 mins). I have 5 other websites (subdomains) all using BPS Pro on the same shared server hosting account.

    -Tina

    #36317
    AITpro Admin
    Keymaster

    What is being blocked is wget in the User Agent.  Do the steps below to whitelist/allow this.

    1. Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS. Note: If you already see existing BPSQSE code in this Custom Code text box then overwrite it. Rerunning the Wizards will run Setup Wizard AutoFix, which will add/combine any previous whitelisted rules back into the BPSQSE code in this Custom Code text box.
    2. Click the Save Root Custom Code button.
    3. Go to the Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    As far as Crons go they may or may not work correctly. BPS is designed to work with Direct Crons though. So just keep an eye on them for a while. If they are not working then you will probably need to switch back to normal standard WordPress Crons instead of using a Direct Cron. Can’t really offer any more advice than that.
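
An added triage example, not part of the thread and not BPS Pro code: it replays the fields of the Security Log entry posted above against a subset of the RewriteCond lines from the modified BPSQSE block, to show which condition produces the 403. Assumptions: Python's `re` stands in for Apache's regex engine, the function names are hypothetical, and the rule before the modification is modelled by putting `wget` back into the first User-Agent list.

```python
import re

# Subset of the modified BPSQSE conditions, copied from the post above.
MODIFIED = r"""
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
"""
# ASSUMPTION: the rule before the modification is modelled by re-adding "wget".
ASSUMED_ORIGINAL = MODIFIED.replace("(havij|libwww-perl|", "(havij|libwww-perl|wget|", 1)

# Request fields taken from the Security Log entry posted in the thread.
LOG_ENTRY = """\
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-cron.php?doing_wp_cron
QUERY_STRING: doing_wp_cron
HTTP_USER_AGENT: Wget/1.12 (linux-gnu)
"""

COND = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)\s+\[([^\]]*)\]\s*$")

def parse_conditions(text):
    """Return (variable, compiled_pattern, source_pattern) per RewriteCond line."""
    rules = []
    for line in text.splitlines():
        m = COND.match(line.strip())
        if m:
            var, pattern, flags = m.groups()
            nocase = re.IGNORECASE if "NC" in flags.split(",") else 0
            rules.append((var, re.compile(pattern, nocase), pattern))
    return rules

def parse_log_entry(text):
    """Turn the 'KEY: value' lines of a Security Log entry into a dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def matching_conditions(rule_text, fields):
    """Conditions that match; in the OR chain any single hit reaches the [F] rule."""
    return [(var, src) for var, rx, src in parse_conditions(rule_text)
            if rx.search(fields.get(var, ""))]
```

With the logged request, `matching_conditions(ASSUMED_ORIGINAL, parse_log_entry(LOG_ENTRY))` returns only the first User-Agent condition, and the same call with `MODIFIED` returns an empty list; a `curl` User-Agent is still matched by `MODIFIED`, so the change allows `wget` only.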

    #36329
    Tina Dubinsky
    Participant

    Hi,

    Thanks for going through this for me. I do appreciate your help as always and I followed your instructions (twice) but something else must have been blocking it too. I decided to just go back to the standard wp-crons.

    Cheers

    -Tina
