Jetpack – xmlrpc.php POST 403 error
Tagged: 403 error, Jetpack, xmlrpc.php
This topic has 16 replies, 2 voices, and was last updated 7 years, 8 months ago by AITpro Admin.
Rafael Da Costa (Participant)
Hi there,
I am having this issue:
[403 POST Request: January 7, 2017 - 4:06 pm]
BPS Pro: 12.5
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.0.112.57
Host Name: 192.0.112.57
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1483776359&nonce=zAR1VmEOpl&body-hash=aOIkn63jBYoKZYuP3PFCWC%2Bwr8E%3D&signature=OJ4rCg3TmRVk3hVXLaacTQTLM9A%3D
REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1483776359&nonce=zAR1VmEOpl&body-hash=aOIkn63jBYoKZYuP3PFCWC%2Bwr8E%3D&signature=OJ4rCg3TmRVk3hVXLaacTQTLM9A%3D
QUERY_STRING:
HTTP_USER_AGENT: Jetpack by WordPress.com
REQUEST BODY: <?xml version="1.0"?> <methodCall> <methodName>system.multicall</methodName> <params> <param><value><array><data> <value><struct> <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member> <member><name>params</name><value><array><data> <value><array><data> <value><string>GET</string></value> <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=444&http_envelop
I have added every custom code that whitelists the Jetpack User Agent, in CUSTOM CODE BOTTOM and CUSTOM CODE REQUEST.
Not sure what else I should do.
Thanks
AITpro Admin (Keymaster)
The Jetpack POST Request to the xmlrpc.php file is being blocked by one or both of the Bonus Custom Codes listed in either of these Bonus Custom Code links below. Are you doing all of the Custom Code steps? Add/edit code, save code and activate Root BulletProof Mode again? Post your Root htaccess file contents from the > htaccess File Editor page > Your Current Root htaccess File tab so I can take a look at it.
Rafael Da Costa (Participant)
Thanks so much for your quick reply.
“Are you doing all of the Custom Code steps?”
Yes, I have followed all the codes in both links. I have posted my “Current Root htaccess” as requested.
[code edited and removed any irrelevant code]
# CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
# BPS POST Request Attack Protection
...
...
...
# Jetpack XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]
# Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]
Thanks.
Regards
Rafael
AITpro Admin (Keymaster)
Your POST Attack Protection code looks fine and I did not see any other problems in your Root htaccess file code.
I believe the problem is you are missing the [OR] condition in your IP address whitelist line of code. Correct this code as shown below. The “OR” flag was missing from this line of code:
RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)
# Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.) [OR]
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]
Also delete this duplicate code in Custom Code.
# Jetpack XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]
Rafael Da Costa (Participant)
Thanks for your reply.
I have added the [OR] condition, but then I could not see my page. Instead this message was shown:
cruxdev.com.au 403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
IP Address: 27.33.230.57
This is the message in the log:
[403 GET Request: January 9, 2017 - 5:24 pm]
BPS Pro: 12.5
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 27.33.230.57
Host Name: 27-33-230-57.tpgi.com.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
For that reason, I have deleted the [OR] so I could see my page again.
I have also deleted the duplicate code – Thanks
Jetpack nightmare continues:
Thanks for your help
Rafa
AITpro Admin (Keymaster)
Ok yeah then the problem is the IP address you have added or the code itself. Delete the IP address line of code or just delete all of this code if that does not work on your particular website/server. Another thing that might be causing the problem is that this is a new method of posting to the xmlrpc.php file by Jetpack that I have not seen before. So this is probably something new that has changed in Jetpack. You may need to change this line of code to this:
^.*(xmlrpc\.php|wp-trackback\.php).*$
# Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]
Rafael Da Costa (Participant)
I have changed the code to:
# Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
# inbetween the first and second lines of code below. Then replace the x's with the
# actual IP address you want to whitelist.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
# Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php).*$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]
This is what showed in the log:
[403 POST Request: January 12, 2017 - 8:59 am]
BPS Pro: 12.5
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.0.99.18
Host Name: wordpress.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484182760&nonce=ixoT9LO1Iv&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=i79MLEaqbO1Nkz%2BsUX0nBbjnQDU%3D
REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484182760&nonce=ixoT9LO1Iv&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=i79MLEaqbO1Nkz%2BsUX0nBbjnQDU%3D
QUERY_STRING:
HTTP_USER_AGENT: Jetpack by WordPress.com
REQUEST BODY: <?xml version="1.0"?> <methodCall> <methodName>system.multicall</methodName> <params> <param><value><array><data> <value><struct> <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member> <member><name>params</name><value><array><data> <value><array><data> <value><string>GET</string></value> <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=13&http_envelope
Thanks for your help
AITpro Admin (Keymaster)
Hmm ok well I guess you just cannot use any xmlrpc protection code with Jetpack then. So just delete the code that is causing the xmlrpc block. It could be the POST Attack Protection code. So you will need to test which code is causing the problem and delete it.
Rafael Da Costa (Participant)
What vulnerabilities could this give to my website?
I am not using Jetpack much anyway. I could find a replacement for my needs.
What would you recommend?
This error is also showing in Search Console:
URL: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke)qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1483776359&nonce=zAR1VmEOpl&body-hash=aOIkn63jBYoKZYuP3PFCWC%2Bwr8E%3D&signature=OJ4rCg3TmRVk3hVXLaacTQTLM9A%3D
Error details: Googlebot couldn't crawl your URL because your server either requires authentication to access the page, or it is blocking Googlebot from accessing your site.
Thanks
AITpro Admin (Keymaster)
Back in 2014, around 3 years ago, when the BPS XML-RPC protection code was created, it protected against the XML Quadratic Blowup Attack as well as other various XML-RPC exploits. At some point WordPress eliminated any/all XML-RPC exploits by adding new protection code directly in WordPress itself to protect XML-RPC. So the XML-RPC protection code is now considered anti-nuisance code vs important security protection code. So you really do not need to use any XML-RPC protection code anymore.
Rafael Da Costa (Participant)
Thanks for your help.
Rafael Da Costa (Participant)
Hi there,
I am still having problems.
I’ve deleted the XML-RPC protection code as suggested; the new code is below.
# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Whitelist updraft
RewriteCond %{REQUEST_URI} !^.*/updraft [NC]
#EXAMPLES FOR WHITELIST
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
RewriteRule ^(.*)$ - [F]
# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# Rewrites to author=999999 that does not actually exist
# which results in a standard 404 error. To the hacker bot
# it appears that this author does not exist without giving
# any clues that the author does actually exist.
RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]
LOG Information:
[403 POST Request: January 13, 2017 - 2:19 pm]
BPS Pro: 12.5
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.0.84.104
Host Name: 192.0.84.104
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484288389&nonce=8ekfk6F0Sc&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=CGq9q2CO0bEyk%2BFHc0qXmtzOCBY%3D
REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484288389&nonce=8ekfk6F0Sc&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=CGq9q2CO0bEyk%2BFHc0qXmtzOCBY%3D
QUERY_STRING:
HTTP_USER_AGENT: Jetpack by WordPress.com
REQUEST BODY: <?xml version="1.0"?> <methodCall> <methodName>system.multicall</methodName> <params> <param><value><array><data> <value><struct> <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member> <member><name>params</name><value><array><data> <value><array><data> <value><string>GET</string></value> <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=13&http_envelope
The IP is always the same – can I put it in the whitelist?
Thanks
AITpro Admin (Keymaster)
Jetpack makes a POST Request to the wp-load.php file. So add this additional whitelist rule for the Jetpack POST Request to wp-load.php.
# Whitelist Jetpack POST Requests to wp-load.php
RewriteCond %{REQUEST_URI} !^.*/wp-load.php [NC]
Rafael Da Costa (Participant)
It worked – thanks
AITpro Admin (Keymaster)
An even better method is to whitelist the Jetpack Query String. Example: https://forum.ait-pro.com/forums/topic/managewp-403-error-post/page/3/#post-32142
# Whitelist Jetpack POST Request to wp-load.php by Query String
RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]
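Added example, not code from BPS Pro, Jetpack or anyone in this thread: a small Python model of how Apache mod_rewrite walks a chain of RewriteCond lines (implicit AND, the [OR] flag, negated patterns, [NC]), run against requests modelled on the log entries posted above. It covers two points from the thread in one place: the REMOTE_ADDR line of the XML-RPC block earlier in the thread (as first posted without a flag, as then suggested with [OR], and in negated form, which is my addition and not something the thread proposes), and the two wp-load.php exemptions for the POST Attack Protection block at the end. Assumptions: token values are replaced with a placeholder, the "unknown" client and the wp-load.php requests are constructed (the latter from the admin's statement that Jetpack also POSTs to wp-load.php), and the POST protection chain is trimmed to a few of the thread's lines. One fact the model relies on: mod_rewrite's %{REQUEST_URI} holds only the path; the query string is matched separately through %{QUERY_STRING}, even though the BPS log prints them together.

```python
import re
from dataclasses import dataclass, field

# Added example, not BPS Pro or Jetpack code: a minimal model of how Apache
# mod_rewrite evaluates a chain of RewriteCond lines before a RewriteRule fires.


@dataclass
class Cond:
    var: str                                   # server variable, e.g. "REMOTE_ADDR"
    pattern: str                               # regex; a leading "!" negates the match
    flags: set = field(default_factory=set)    # subset of {"OR", "NC"}


def cond_matches(cond, req):
    negate = cond.pattern.startswith("!")
    pat = cond.pattern[1:] if negate else cond.pattern
    rx_flags = re.IGNORECASE if "NC" in cond.flags else 0
    hit = re.search(pat, req.get(cond.var, ""), rx_flags) is not None
    return hit != negate


def rule_fires(conds, req):
    """Conditions are ANDed unless joined by [OR]. A failing condition without
    [OR] aborts the rule; a passing condition with [OR] satisfies its whole chain,
    so the remaining chain members are skipped (this mirrors mod_rewrite's loop)."""
    i, n = 0, len(conds)
    while i < n:
        ok = cond_matches(conds[i], req)
        if "OR" in conds[i].flags:
            if ok:
                while i < n and "OR" in conds[i].flags:
                    i += 1
            i += 1
            continue
        if not ok:
            return False
        i += 1
    return True


# Requests modelled on the log entries in this thread (token values replaced).
# mod_rewrite's %{REQUEST_URI} holds only the path; the query string is separate.
JETPACK_POST = {"REQUEST_METHOD": "POST", "REMOTE_ADDR": "192.0.112.57",
                "REQUEST_URI": "/xmlrpc.php",
                "QUERY_STRING": "for=jetpack&token=REDACTED&timestamp=1483776359",
                "HTTP_USER_AGENT": "Jetpack by WordPress.com"}
OWNER_GET = {"REQUEST_METHOD": "GET", "REMOTE_ADDR": "27.33.230.57",
             "REQUEST_URI": "/", "QUERY_STRING": "",
             "HTTP_USER_AGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/55.0.2883.87"}
# Constructed: an unknown client posting to xmlrpc.php, the case the block exists for.
UNKNOWN_POST = {"REQUEST_METHOD": "POST", "REMOTE_ADDR": "203.0.113.9",
                "REQUEST_URI": "/xmlrpc.php", "QUERY_STRING": "",
                "HTTP_USER_AGENT": "python-requests/2.12"}

# Part 1: the Jetpack XML-RPC block with its REMOTE_ADDR line varied.
IP_NO_FLAG = Cond("REMOTE_ADDR", r"^(27\.33\.230\.)")            # as first posted
IP_WITH_OR = Cond("REMOTE_ADDR", r"^(27\.33\.230\.)", {"OR"})    # as then suggested
IP_NEGATED = Cond("REMOTE_ADDR", r"!^(27\.33\.230\.)")           # exemption form (my addition)


def xmlrpc_block(ip_cond):
    return [ip_cond,
            Cond("REQUEST_URI", r"^.*(xmlrpc\.php|wp-trackback\.php)$"),
            Cond("HTTP_USER_AGENT", r"!^(.*Jetpack.*)$")]


def xmlrpc_verdicts(ip_cond):
    """True means the block would answer 403 for that request."""
    reqs = {"jetpack": JETPACK_POST, "owner": OWNER_GET, "unknown": UNKNOWN_POST}
    return {name: rule_fires(xmlrpc_block(ip_cond), r) for name, r in reqs.items()}


# Part 2: POST Attack Protection (trimmed to a few of the thread's lines) with the
# two wp-load.php exemptions. The wp-load.php requests are constructed from the
# admin's statement that Jetpack also POSTs to that file.
JETPACK_WPLOAD = dict(JETPACK_POST, REQUEST_URI="/wp-load.php")
UNKNOWN_WPLOAD = dict(UNKNOWN_POST, REQUEST_URI="/wp-load.php")
BY_URI = Cond("REQUEST_URI", r"!^.*/wp-load.php", {"NC"})         # first fix in the thread
BY_QUERY = Cond("QUERY_STRING", r"!^for=jetpack(.*)", {"NC"})     # second fix in the thread


def post_protection(extra=None):
    conds = [Cond("REQUEST_METHOD", "POST", {"NC"}),
             Cond("REQUEST_URI", r"!^.*/wp-admin/", {"NC"}),
             Cond("REQUEST_URI", r"!^.*/xmlrpc.php", {"NC"}),
             Cond("REQUEST_URI", r"!^.*/wp-comments-post.php", {"NC"})]
    return conds + ([extra] if extra else [])


def post_protection_verdicts(extra=None):
    reqs = {"jetpack_wpload": JETPACK_WPLOAD, "unknown_wpload": UNKNOWN_WPLOAD,
            "owner": OWNER_GET}
    return {name: rule_fires(post_protection(extra), r) for name, r in reqs.items()}


if __name__ == "__main__":
    for label, ip in (("no flag", IP_NO_FLAG), ("[OR]", IP_WITH_OR), ("negated", IP_NEGATED)):
        print(f"XML-RPC block, IP line {label:8}: {xmlrpc_verdicts(ip)}")
    for label, extra in (("none", None), ("by URI", BY_URI), ("by query", BY_QUERY)):
        print(f"POST protection, exemption {label:8}: {post_protection_verdicts(extra)}")
```

Running it shows the chaining behind the exchange above: with the [OR] flag, a match on the owner's REMOTE_ADDR satisfies the OR chain on its own, so the remaining condition (user agent not Jetpack) is all that stands between the owner's browser and the 403, which is what the January 9 GET entry recorded; without the flag the IP line is ANDed in and that variant blocks nothing in the sample set, Jetpack included; the negated form is how an exemption for one address reads. For the POST protection block, the query-string exemption leaves other POSTs to wp-load.php covered while the URI exemption does not, which is the sense in which it is the narrower of the two. Both exemptions key on attributes the client sends, so they scope a nuisance filter rather than identify Jetpack, consistent with the admin's own description of this code.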