htaccess rule blocking REST API

  • #38699
    Hannah
    Participant

    I’ve got two sites I’m developing and for the first time ever I’m seeing Site Health errors that indicate the REST API and wp_version_check functions are being blocked by something. Deactivating the BPS free htaccess file causes the REST API error to disappear, but I’m not sure which rule was causing the issue. The wp_version_check errors (which are apparently related to the fact that background updates aren’t working as expected, scheduled events are happening late, and the sites can’t complete loopback requests) are still present and I have no idea what’s behind those, either. I’ve contacted the host, theme and Jetpack developers about this without any success. Both are hosted with GreenGeeks (same account) and have similar plugin profiles. What information would you need to be able to diagnose/troubleshoot this?

    Thank you so much for any help you might be able to offer.

    #38700
    AITpro Admin
    Keymaster

    Go to the BPS Security Log page and post any Security Log entries that show relevant log entries for your REST API in your forum reply. Or if you are not sure which Security Log entries are relevant, then copy and paste your entire Security Log into an email and send it to: info at ait-pro dot com. Also, are you using the BPS WP REST API Block JSON Requests Bonus Custom Code to block JSON REST API requests? https://forum.ait-pro.com/forums/topic/wp-rest-api-block-json-requests-to-users-comments-routes/ If so, then you will need to delete that Bonus Custom Code that is added/saved in BPS Custom Code.

    #38702
    Hannah
    Participant

    Well, strangely enough I don’t find any, just GET and POST requests from IP addresses that are not associated with any registered users. I’ll still send the security log to you via email, though the host disabled htaccess a couple of days ago so it’s not current up to today. I am not using the REST API blocking bonus custom code, so that’s not what’s causing it. This is so strange and very frustrating! Thanks for your help.

    #38711
    AITpro Admin
    Keymaster

    This appears to be the Security Log entry that shows what is being blocked in WP Site Health. I don’t see anything obvious in the Security Log entry that indicates what in the BPS wp-admin (not root) htaccess file is blocking WP Site Health. Let me do some testing in my test site to see if I can reproduce this issue.

    [403 GET Request: February 21, 2020 - 12:25 pm]
    BPS: 
    WP: 5.3.2
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 
    Host Name: chi-node37.websitehostserver.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://greatharvesthemp.com/wp-admin/site-health.php?health-check-test-wp_version_check=1
    REQUEST_URI: /wp-admin/site-health.php?health-check-test-wp_version_check=1
    QUERY_STRING: health-check-test-wp_version_check=1
    HTTP_USER_AGENT: WordPress/5.3.2; https://greatharvesthemp.com

    Other issues found:

    The IP address is a known hacker/spammer. So I don’t believe this is something legitimate that is being blocked. What is being blocked is the xmlrpc.php file either in BPS htaccess code or by your web host or some other security plugin that you have installed.

    [403 POST Request: February 8, 2020 - 9:35 am]
    BPS: 3.9
    WP: 5.3.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 156.67.218.59
    Host Name: 156.67.218.59
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER:
    REQUEST_URI: /?doing_wp_cron=1580979094.9305760860443115234375/xmlrpc.php
    QUERY_STRING: doing_wp_cron=1580979094.9305760860443115234375/xmlrpc.php
    HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

    You are using the Autoptimize plugin and you are using the minify/compress/combine js scripts option setting, which is known to break many things in many different plugins and themes. Recommendation: Do not minify/compress/combine js scripts.
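
When triaging entries like the two above, the first question is whether a blocked request came from the site itself (a Site Health or wp-cron loopback) or from outside. The following is an added example, not part of the original post and not BPS code: it parses the Security Log layout shown above and labels each blocked request. The sample log, `example.com`, the documentation-range addresses and all function names are constructed for illustration, and `server_ips` is assumed to be the set of the site's own addresses.

```python
import re
from collections import Counter

# Constructed sample in the layout of the entries above (documentation IPs, example.com).
SAMPLE_LOG = """\
[403 GET Request: February 21, 2020 - 12:25 pm]
Event Code: WPADMIN-SBR
REMOTE_ADDR: 192.0.2.10
REQUEST_URI: /wp-admin/site-health.php?health-check-test-wp_version_check=1
HTTP_USER_AGENT: WordPress/5.3.2; https://example.com

[403 POST Request: February 8, 2020 - 9:35 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 203.0.113.7
REQUEST_URI: /xmlrpc.php
HTTP_USER_AGENT: WordPress/5.3.2; https://example.com

[403 POST Request: February 8, 2020 - 9:36 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 198.51.100.23
REQUEST_URI: /xmlrpc.php
HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
"""

HEADER = re.compile(r"^\[(\d{3}) (\w+) Request: (.+)\]$")
WP_UA = re.compile(r"^WordPress/[\d.]+; https?://([^/\s:]+)")

def parse_entries(text):
    """Split a log into dicts: header fields plus every 'KEY: value' line."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"status": m[1], "method": m[2], "time": m[3]})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def classify(entry, site_host, server_ips):
    """Label the sender; the User-Agent is client-controlled, so the address decides."""
    m = WP_UA.match(entry.get("HTTP_USER_AGENT", ""))
    claims_site = bool(m) and m[1] == site_host
    if claims_site and entry.get("REMOTE_ADDR") in server_ips:
        return "loopback"  # the site calling itself (Site Health, wp-cron)
    return "unverified-loopback" if claims_site else "external"

def summarize(text, site_host, server_ips):
    return Counter((e.get("Event Code", "?").split(" - ")[0], classify(e, site_host, server_ips))
                   for e in parse_entries(text))
```

An entry with an empty `REMOTE_ADDR`, like the first one in the post, comes out as `unverified-loopback`: the WordPress User-Agent matches the site, but nothing in the entry confirms the request originated on the server.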

    #38712
    AITpro Admin
    Keymaster

    Well this is interesting.  I tested 4 Live sites. All 4 Live sites are using the exact same BPS Pro htaccess code and other settings.

    On 2 subdomain sites (this forum included) I am seeing the Site Health REST API error and loopback request error:
    The REST API encountered an error
    Your site could not complete a loopback request.

    The other 2 sites are not subdomain sites and I am not seeing the Site Health REST API error and loopback request error.  So what that tells me is that the Site Health error check does not work correctly for subdomain websites.

    Background updates are not working as expected
    This “error” message is misleading. It simply means that you are not allowing WP Automatic Updates. You can ignore this “error” message.

    In any case there is not really any way to tell for sure if Site Health “error” messages are actually important or not. Unfortunately, the Site Health tool is not really that useful in my opinion. So personally I recommend that you disregard any “errors” that you see in the Site Health tool since most likely they are insignificant.

    #38786
    Hannah
    Participant

    OK, and thank you very much for looking into this for us. I’ll keep an eye on the sites and see if we can get by without further investigation or a fix. BTW, the sites experiencing this issue are not subdomains, but it is good to know about the Site Health inaccuracies on subdomain sites.

    #38788
    AITpro Admin
    Keymaster

    Yeah, I don’t know if there are other scenarios where the Site Health “errors” may be off. Check that everything is working correctly on all your sites with these “errors” and if everything is ok then yeah disregard the Site Health “errors”. I’m sure other people have probably already mentioned this to WP and it will get fixed.
