Integromat’s GET requests to /wp/v2/posts blocked with 403 error

  • #40421
    Rex
    Participant

    Recently Integromat, a Zapier-like service, updated its WordPress integration to make calls to wp-json using an API.

    They have several functions available.  In my case, I employ calls to search for post IDs and later on during the day, I delete unwanted posts via said post ID.

    When the routines run, search calls work perfectly with RBM activated, but post deletions are blocked with a 403 error, unless I deactivate RBM.

    If I disable BPS’s RBM the error goes away and the process completes as expected.

    Since I use CloudFlare 99% of the time with these WordPress sites, I initially thought the problem was with CloudFlare.

    Here is my security log when using CloudFlare:

    [403 GET Request: 26/06/2021 - 9:43 am]
    BPS Pro: 15.5
    WP: 5.4.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 162.158.94.15
    Host Name: 162.158.94.15
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 82.208.14.112
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-json/wp/v2/posts/228102?force=false
    QUERY_STRING: force=false
    HTTP_USER_AGENT: Integromat/production

    When I deactivate CloudFlare’s proxy my security log reads a bit differently, mainly in the REMOTE_ADDR:, and does not include HTTP_X_FORWARDED_FOR:

    Here is my security log w/o CloudFlare:

    [403 GET Request: 26/06/2021 - 9:29 am]
    BPS Pro: 15.5
    WP: 5.4.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 82.208.14.112
    Host Name: core03.farm.integromat.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-json/wp/v2/posts/228182?force=false
    QUERY_STRING: force=false
    HTTP_USER_AGENT: Integromat/production

    There are several solutions mentioned that I have tried.  I’ve already whitelisted Integromat’s and CloudFlare’s IPs. I also tried the fixes in this forum referring to whitelisting /wp-json, to no avail.

    So far the only way I get the desired result regardless of CloudFlare’s status is by turning off RBM.

    BTW: I would like to thank AIT for such an excellent product. I had been using the free version of BulletProof Security for many years.   I then made the mistake of believing the hype of other companies and switched twice away from BPS to other plugins, only to get hacked or defaced multiple times.  Only when I restarted using BPS again, did I become “really protected” once again, finally stop wasting time cleaning the hacks away and could concentrate once more on content.  Now I’ve upgraded and I am extremely happy.

    #40422
    AITpro Admin
    Keymaster

    Thanks for the Kudos.  From time to time I ask myself in an objective way if I would choose BPS Pro over all the other WordPress security plugins and the answer is always yes.  😉  I do that exercise so that I don’t take BPS Pro for granted and to keep motivated.

    Are you using this BPS Bonus Custom Code, which blocks WP JSON Requests > https://forum.ait-pro.com/forums/topic/wp-rest-api-block-json-requests-to-users-comments-routes/ ?  Check your BPS Root Custom Code text boxes for the JSON Bonus Custom Code and delete it.  When WP JSON first came out there were some vulnerabilities that could be exploited, but WP patched those vulnerabilities a long time ago.  If you are not using that BPS Bonus Custom Code then activate Root folder BulletProof Mode and copy your entire root htaccess file code in your forum reply, so I can see what htaccess code is blocking WP JSON Requests.

    Another possibility could be that when you are deleting JSON Posts the DELETE Request Method is being used and being blocked by BPS.  Open the Google Chrome Developer Tools window by pressing your F12 keyboard key, click on the Console tab/window and then try to delete a JSON POST.  Post the entire 403 error in the GCDT Console window.  So I can take a look at it.

    #40425
    Rex
    Participant

    Yes, I had added JSON Bonus Custom Code too.

    I am including my root .htaccess below without the custom code and after verifying that the 403 error still occurs.

    #   BULLETPROOF PRO 15.5 SECURE .HTACCESS          
    
    # PHP/PHP.INI HANDLER/CACHE CODE
    # Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently.
    # Most Hosts do not have/use/require php/php.ini Handler htaccess code
    
    # TURN OFF YOUR SERVER SIGNATURE
    # Suppresses the footer line server version number and ServerName of the serving virtual host
    ServerSignature Off
    
    # DO NOT SHOW DIRECTORY LISTING
    # Disallow mod_autoindex from displaying a directory listing
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode 
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code 
    # and paste it into BPS Custom Code and comment out Options -Indexes 
    # by adding a # sign in front of it.
    # Example: #Options -Indexes
    Options -Indexes
    
    # DIRECTORY INDEX FORCE INDEX.PHP
    # Use index.php as default directory index file. index.html will be ignored.
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode 
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code 
    # and paste it into BPS Custom Code and comment out DirectoryIndex 
    # by adding a # sign in front of it.
    # Example: #DirectoryIndex index.php index.html /index.php
    DirectoryIndex index.php index.html /index.php
    
    # BRUTE FORCE LOGIN PAGE PROTECTION
    # PLACEHOLDER ONLY
    # Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
    # See this link: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    # for more information.
    
    # BPS PRO ERROR LOGGING AND TRACKING
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # BPS Pro has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and 
    # 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors 
    # that occur on your website. When a hacker attempts to hack your website the hackers IP address, 
    # Host name, Request Method, Referering link, the file name or requested resource, the user agent 
    # of the hacker and the query string used in the hack attempt are logged.
    # All BPS Pro log files are htaccess protected so that only you can view them. 
    # The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/
    # The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors
    # after you install BPS Pro and have activated BulletProof Mode for your Root folder.
    # If you would like to log 404 errors you will need to copy the logging code in the BPS Pro 404.php file
    # to your Theme's 404.php template file. Simple instructions are included in the BPS Pro 404.php file.
    # You can open the BPS Pro 404.php file using the WP Plugins Editor or by using the BPS Pro File Manager.
    # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.
    
    ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    ErrorDocument 401 default
    ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php
    ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
    ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php
    
    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    
    # WP-ADMIN/INCLUDES
    # Use BPS Custom Code to remove this code permanently.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]
    
    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy 
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code 
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
    
    # PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES
    # To add plugin/theme skip/bypass rules use BPS Custom Code.
    # The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules.
    # The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9...
    # If you delete a skip rule, change the other skip rule numbers accordingly.
    # Examples: If RewriteRule [S=5] is deleted than change [S=6] to [S=5], [S=7] to [S=6], etc.
    # If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13]
    
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying 
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC] 
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC] 
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    
    # CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    # 
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*mejico.pitirre.info.*
    RewriteRule . - [S=1]
    
    # CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # WP REWRITE LOOP END
    
    # CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order Allow,Deny
    Deny from all
    #Allow from 127.0.0.1
    </FilesMatch>
    
    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist WP JSON POST Requests by Query String
    RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist JSON POST Requests - Jetpack|Contact Form 7|etc.
    RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    #RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    #RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    #RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    #RewriteRule ^(.*)$ - [F]
    <IfModule mod_setenvif>
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    </IfModule>


    When I ran the command manually, I might have done something wrong because I did not get a 403 and instead got this blob of text as the output:

    #40427
    AITpro Admin
    Keymaster

    This is odd > your website domain is this in your htaccess file: mejico.pitirre.info, but when I try and visit that site I get a connection timed out error. When I checked your main domain and ran a JSON test on it I get a 404 error, not a 403 error.  What is your actual website domain URL?

    Another possibility could be that when you are deleting JSON Posts the DELETE Request Method is being used and being blocked by BPS. Open the Google Chrome Developer Tools window by pressing your F12 keyboard key, click on the Console tab/window and then try to delete a JSON POST. Post the entire 403 error in the GCDT Console window. So I can take a look at it.

    #40429
    AITpro Admin
    Keymaster

    I see Google indexed pages for your subdomain site using: site:mejico.pitirre.info. So the site was working normally at some point. When I click on any of your Google indexed website pages I am now seeing a DNS error.  If you want me to figure out what is causing the JSON problem then send me a WordPress Administrator login to your site:  info at ait-pro dot com.

    #40432
    AITpro Admin
    Keymaster

    This subdomain is working: mexico.pitirre.info, but it is probably a completely different subdomain site. I get a 404 error when testing JSON on that subdomain site. I used the BPS Pro > Pro-Tools > DNS Finder tool and yep the mejico subdomain is fubar and does not return any DNS info.

    #40436
    Rex
    Participant

    Oops, since I imported my custom codes, it seems an old subdomain stayed in the code.

    The actual subdomain is https://puertorico.yocahu.net

    I made the changes and that was not the cause of the 403, so I will send login info to the website via email.

    #40437
    AITpro Admin
    Keymaster

    I logged into your site and ran into numerous non-BPS Pro problems.  At this point I am not going to continue working through all of these problems because I am getting nowhere.  So I am going to put this on hold for now.  I can’t spend hours trying to figure out all the non-BPS Pro problems occurring on this site.  What I need for you to do is to install a new test website without any plugins installed and without CloudFlare enabled/installed on that test site.  I need to eliminate CloudFlare, your host server and any/all plugins you have installed.  Once those things are eliminated I will attempt to figure out the non-BPS Pro problems on your puertorico.yocahu.net website.

    When I tried to log in I saw an error message that the username was incorrect. When I reloaded your Login page I was then logged in.

    The BPS Pro Dashboard Status Display is not being displayed.

    I am seeing a lot of 500, 404 and 503 errors for image files in your WordPress /uploads/ folder when using the Google Chrome Developer Tool > Console logger and visiting your website home page.  This is probably the cause for your site performance being terrible/extremely slow loading. Or there may be other additional problems.

    The BPS Pro Plugin Firewall is not working correctly. You have already whitelisted the CloudFlare IP addresses. I am troubleshooting things to figure out what is breaking the BPS Pro Plugin Firewall.  The Plugin Firewall AutoPilot Mode cron was set to run every 60 minutes. It should be set to run every 5 or 10 minutes. I have changed that setting to run every 5 minutes.
    My IP address is being whitelisted by Plugin Firewall AutoPilot Mode as an IPv4 IP address and not by my IPv6 IP address shown on the BPS Pro System Info page: Proxy X-Forwarded-For IP Address: 2602:306:cd55:e790:edd6:a560:cf0c:4ef1
    Normally using the Plugin Firewall > Additional Roles IP Whitelist tool fixes that problem (typically caused by CloudFlare), but the Additional Roles IP Whitelist tool is also being broken by something.  I tried whitelisting my IPv6 IP address in the Whitelist by Hostname (domain name) and IP Address tool to get the Plugin Firewall working for me, but it is still being broken by something.  I believe the root cause of the Plugin Firewall being broken is due to how you have setup CloudFlare. At this point I have no choice, but to deactivate the Plugin Firewall since it is being broken by CloudFlare and cannot be fixed from your website since you have setup CloudFlare from your web host control panel and not by using a CloudFlare WordPress plugin from your website.

    When I try to run an MScan Scan I see this error: Error establishing a database connection. Then I see a CloudFlare 524 error “A timeout occurred” on page reload.  I have never seen these error messages before when running an MScan scan.

    AutoRestore is turned Off.
    AutoRestore Root files, wp-admin files, wp-includes and wp-content files were not backed up. Backed up all files.

    You had this old Wordfence htaccess file/code in your WordPress /uploads/ folder, which I have deleted.

    # BEGIN Wordfence code execution protection
    <IfModule mod_php5.c>
    php_flag engine 0
    </IfModule>
    <IfModule mod_php7.c>
    php_flag engine 0
    </IfModule>
    
    AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
    # END Wordfence code execution protection

    The Integromat plugin is using the DELETE Request Method to delete JSON Posts. So my logical guess was correct.
    I created this Custom Code fix below for that problem. I am now seeing a 401 Unauthorized error and not a 403 Forbidden error.
    I assume that is because of how I am testing deleting a JSON Post that may have already been deleted.

    Copied the modified Request Method Filtered code into this Custom Code text box: 9. CUSTOM CODE REQUEST METHODS FILTERED

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    I was able to run an MScan scan on my second attempt with the Database Scan option turned Off.  I found this additional problem in your wp-config.php file.  You had this code below in your wp-config.php file.  This will break BPS Pro crons and all other plugin and theme crons.  I have commented out that code in your wp-config.php file. I’m sure there will be other additional problems as well. Basically this site is pretty much a disaster. 😉

    /**
    * Make sure a cron process cannot run more than once every WP_CRON_LOCK_TIMEOUT seconds
    */
    define('WP_CRON_LOCK_TIMEOUT', 60);

    Found an index.php file in your WordPress /uploads/ folder with this code in it. I have never seen this before. I have commented out that code. Your image files still have these status codes: 500 and 404. MScan is detecting a lot of suspicious WP Core file hashes. I have done a general check of your website to see if it is hacked, but it does not appear to be hacked. So I believe the site just has a lot of technical problems that could be caused by a lot of different possible problems.

    php die();

    Your WordPress version is: 5.4.2. You are not getting any notifications for the current version of WordPress, which is: 5.7.2.  On your WordPress Updates page it says you have the latest version of WordPress installed, but WP 5.4.2 was released on June 10, 2020 (1 year ago).

    When I check your PHP Error Log I am seeing a lot of: Disk Quota Exceeded php errors.
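
Added example, not part of the original posts and not BPS Pro code: a small Python check that evaluates the two REQUEST METHODS FILTERED sections quoted in this thread against a request method, showing that DELETE is forbidden before the Custom Code change and passes afterwards while TRACE, TRACK and DEBUG stay blocked. It models only RewriteRules guarded by AND-ed `%{REQUEST_METHOD}` conditions; the function names are hypothetical.

```python
import re

# Rules copied from the two REQUEST METHODS FILTERED sections quoted in this thread.
BEFORE = r"""
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
"""
AFTER = r"""
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
"""

# Directive name, two arguments, optional [flags]; commented-out lines never match.
DIRECTIVE = re.compile(
    r"^(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$"
)


def _flags(raw):
    """Turn 'NC,OR' or 'S=12' into a set of flag names: {'NC', 'OR'} or {'S'}."""
    return {f.split("=")[0].strip().upper() for f in (raw or "").split(",") if f.strip()}


def parse_method_rules(htaccess_text):
    """Collect every RewriteRule guarded only by REQUEST_METHOD conditions.

    Returns a list of (conditions, substitution, rule_flags). All conditions
    must match for the rule to fire; [OR] chains and conditions on other
    variables are not evaluated, so rules that use them are skipped.
    """
    rules, conds, modelled = [], [], True
    for line in htaccess_text.splitlines():
        m = DIRECTIVE.match(line.strip())
        if not m:
            continue  # comments, blank lines, other directives
        kind, arg1, arg2 = m.group(1), m.group(2), m.group(3)
        flags = _flags(m.group(4))
        if kind == "RewriteCond":
            if arg1 == "%{REQUEST_METHOD}" and "OR" not in flags:
                conds.append(re.compile(arg2, re.I if "NC" in flags else 0))
            else:
                modelled = False
        else:
            if conds and modelled:
                rules.append((conds, arg2, flags))
            conds, modelled = [], True  # conditions bind to the next rule only
    return rules


def verdict(htaccess_text, method):
    """Return '403', 'rewrite:<target>' or 'pass' for one request method."""
    for conds, substitution, flags in parse_method_rules(htaccess_text):
        if all(c.search(method) for c in conds):
            if "F" in flags:
                return "403"
            if substitution != "-":
                return "rewrite:" + substitution
    return "pass"


if __name__ == "__main__":
    for method in ("GET", "POST", "DELETE", "HEAD", "TRACE"):
        print(f"{method:7} before={verdict(BEFORE, method):8} after={verdict(AFTER, method)}")
```
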

    #40444
    AITpro Admin
    Keymaster

    What might be happening is that you have an incomplete/damaged installation of WordPress.  Try manually reinstalling WordPress by doing these steps below.

    1. Download the WordPress Zip file to your computer and unzip it.
    2. Make zip files for the WordPress wp-admin and wp-includes folders by right mouse clicking on each folder and selecting Send to > Compressed (zipped) folder (assuming you have Windows installed).  Other computer OS’s will have something similar to this or you can use a zip app like 7-Zip or WinZip to zip the wp-admin and wp-includes folders.
    3. Upload the WordPress wp-admin and wp-includes zip files to your website and extract/unzip them using your web host control panel file manager. Note: Unzip/extract the wp-admin and wp-includes folders in the same website folder where the old wp-admin and wp-includes folder were.
    4. Upload the WordPress Core root files (index.php, license.txt, readme.html, etc.) to your WordPress installation folder.

    See if some or all of the problems (BPS Pro features not working, Dashboard Status Display not displaying, other non-BPS problems, etc.) are no longer occurring.  If you are actually out of Disk Quota in your hosting account then you may not be able to successfully do the steps above.
