Jetpack – xmlrpc.php POST 403 error

  • #32063
    Rafael Da Costa
    Participant

    Hi there,

    I am having this issue:

    [403 POST Request: January 7, 2017 - 4:06 pm]
    BPS Pro: 12.5
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 192.0.112.57
    Host Name: 192.0.112.57
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1483776359&nonce=zAR1VmEOpl&body-hash=aOIkn63jBYoKZYuP3PFCWC%2Bwr8E%3D&signature=OJ4rCg3TmRVk3hVXLaacTQTLM9A%3D
    REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1483776359&nonce=zAR1VmEOpl&body-hash=aOIkn63jBYoKZYuP3PFCWC%2Bwr8E%3D&signature=OJ4rCg3TmRVk3hVXLaacTQTLM9A%3D
    QUERY_STRING: 
    HTTP_USER_AGENT: Jetpack by WordPress.com
    REQUEST BODY: <?xml version="1.0"?>
    <methodCall>
    <methodName>system.multicall</methodName>
    <params>
    <param><value><array><data>
     <value><struct>
     <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member>
     <member><name>params</name><value><array><data>
     <value><array><data>
     <value><string>GET</string></value>
     <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=444&http_envelop

    I have added every custom code that whitelists the Jetpack User Agent, in CUSTOM CODE BOTTOM and CUSTOM CODE REQUEST.
    Not sure what else I should do.
    Thanks

    #32065
    AITpro Admin
    Keymaster

    The Jetpack POST Request to the xmlrpc.php file is being blocked by one or both of the Bonus Custom Codes listed in either of these Bonus Custom Code links below.  Are you doing all of the Custom Code steps?  Add/edit code, save code and activate Root BulletProof Mode again?  Post your Root htaccess file contents from the > htaccess File Editor page > Your Current Root htaccess File tab so I can take a look at it.

    https://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/

    https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/

    #32072
    Rafael Da Costa
    Participant

    Thanks so much for your quick reply.

    “Are you doing all of the Custom Code steps?”

    Yes, I have followed all the codes in both links. I have posted my “Current Root htaccess” as requested.

    [code edited and removed any irrelevant code]

    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # BPS POST Request Attack Protection
    ...
    ...
    ...
    
    # Jetpack XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
    # inbetween the first and second lines of code below. Then replace the x's with the
    # actual IP address you want to whitelist.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    # Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
    RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ - [F]
    
    # Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
    # inbetween the first and second lines of code below. Then replace the x's with the
    # actual IP address you want to whitelist.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    # Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
    RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ - [F]

    Thanks.

    Regards

    Rafael

    #32073
    AITpro Admin
    Keymaster

    Your POST Attack Protection code looks fine and I did not see any other problems in your Root htaccess file code.

    I believe the problem is you are missing the [OR] condition in your IP address whitelist line of code.  Correct this code as shown below.  The “OR” flag was missing from this line of code: RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)

    # Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
    # inbetween the first and second lines of code below. Then replace the x's with the
    # actual IP address you want to whitelist.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    # Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
    RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.) [OR]
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ - [F]

    Also delete this duplicate code in Custom Code.

    # Jetpack XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
    # inbetween the first and second lines of code below. Then replace the x's with the
    # actual IP address you want to whitelist.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    # Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
    RewriteCond %{REMOTE_ADDR} ^(27\.33\.230\.)
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ - [F]

    #32074
    Rafael Da Costa
    Participant

    Thanks for your reply.

    I have added the [OR] condition, then I could not see my page. Instead this msg was shown:

    cruxdev.com.au 403 Forbidden Error Page
    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
    IP Address: 27.33.230.57

    This is the msg at the log:

    [403 GET Request: January 9, 2017 - 5:24 pm]
    BPS Pro: 12.5
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 27.33.230.57
    Host Name: 27-33-230-57.tpgi.com.au
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

    For that reason, I have deleted the [OR] so I could see my page again.
    I also have deleted the duplicate code – Thanks
    Jetpack nightmare continues:
    Thanks for your help
    Rafa
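
How mod_rewrite combines the three RewriteCond lines quoted in the posts above, with and without [OR], as an added example (not BPS code and not part of any post): [OR] joins a condition only to the one after it, and that group is then ANDed with the remaining conditions. The sample requests are constructed from the log entries in this thread, and the `negated_ip` variant and the 203.0.113.10 client are assumptions.

```python
import re

JETPACK_UA = "Jetpack by WordPress.com"
# Constructed requests modelled on the log entries in this thread. mod_rewrite's
# %{REQUEST_URI} is the path only; the query string lives in %{QUERY_STRING}.
REQUESTS = {
    "jetpack_post": {"REMOTE_ADDR": "192.0.112.57", "REQUEST_URI": "/xmlrpc.php",
                     "HTTP_USER_AGENT": JETPACK_UA},
    "owner_browser_get": {"REMOTE_ADDR": "27.33.230.57", "REQUEST_URI": "/",
                          "HTTP_USER_AGENT": "Mozilla/5.0 Chrome/55.0.2883.87"},
    # 203.0.113.10 is a documentation address, not taken from the thread
    "other_xmlrpc_post": {"REMOTE_ADDR": "203.0.113.10", "REQUEST_URI": "/xmlrpc.php",
                          "HTTP_USER_AGENT": "ExampleClient/1.0"},
}

# Each condition: (server variable, pattern with optional leading "!", has [OR])
URI = ("REQUEST_URI", r"^.*(xmlrpc\.php|wp-trackback\.php)$", False)
UA = ("HTTP_USER_AGENT", r"!^(.*Jetpack.*)$", False)
CHAINS = {
    "as_posted": [("REMOTE_ADDR", r"^(27\.33\.230\.)", False), URI, UA],
    "with_or": [("REMOTE_ADDR", r"^(27\.33\.230\.)", True), URI, UA],
    # Assumption: a negated, ANDed exemption; this variant is not from the thread
    "negated_ip": [("REMOTE_ADDR", r"!^(27\.33\.230\.)", False), URI, UA],
}

def cond_matches(cond, req):
    var, pattern, _ = cond
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, req[var]) is not None
    return hit != negate

def rule_fires(conds, req):
    """True when the RewriteRule after `conds` applies (here: 403 Forbidden)."""
    i = 0
    while i < len(conds):
        ok = cond_matches(conds[i], req)
        if conds[i][2]:                      # condition carries [OR]
            if ok:                           # group satisfied: skip the rest of it
                while i < len(conds) and conds[i][2]:
                    i += 1
        elif not ok:                         # implicit AND: one failure ends it
            return False
        i += 1
    return True

def decisions():
    return {name: {r: rule_fires(chain, req) for r, req in REQUESTS.items()}
            for name, chain in CHAINS.items()}

if __name__ == "__main__":
    for name, result in decisions().items():
        print(name, result)
```

With [OR], the chain reads (IP matches OR URI matches) AND User-Agent is not Jetpack, so the browser GET from 27.33.230.57 is forbidden, which is the 403 logged above. Without [OR] the rule can only fire for clients inside 27.33.230.*, so it forbids none of the three sample requests.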

    #32076
    AITpro Admin
    Keymaster

    Ok yeah then the problem is the IP address you have added or the code itself.  Delete the IP address line of code or just delete all of this code if that does not work on your particular website/server. Another thing that might be causing the problem is that this is a new method of posting to the xmlrpc.php file by Jetpack that I have not seen before. So this is probably something new that has changed in Jetpack. You may need to change this line of code to this: ^.*(xmlrpc\.php|wp-trackback\.php).*$

    # Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
    # inbetween the first and second lines of code below. Then replace the x's with the
    # actual IP address you want to whitelist.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    # Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php)$
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ - [F]

     

    #32097
    Rafael Da Costa
    Participant

    I have changed the code to:

    # Jetpack XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: Add this line of code RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.xxx) [OR]
    # inbetween the first and second lines of code below. Then replace the x's with the
    # actual IP address you want to whitelist.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    # Example: RewriteCond %{REMOTE_ADDR} ^(xxx\.xxx\.xxx\.) [OR]
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php|wp-trackback\.php).*$
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ - [F]
    

    This is what showed in the log:

    [403 POST Request: January 12, 2017 - 8:59 am]
    BPS Pro: 12.5
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 192.0.99.18
    Host Name: wordpress.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484182760&nonce=ixoT9LO1Iv&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=i79MLEaqbO1Nkz%2BsUX0nBbjnQDU%3D
    REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484182760&nonce=ixoT9LO1Iv&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=i79MLEaqbO1Nkz%2BsUX0nBbjnQDU%3D
    QUERY_STRING: 
    HTTP_USER_AGENT: Jetpack by WordPress.com
    REQUEST BODY: <?xml version="1.0"?>
    <methodCall>
    <methodName>system.multicall</methodName>
    <params>
    <param><value><array><data>
      <value><struct>
      <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member>
      <member><name>params</name><value><array><data>
      <value><array><data>
      <value><string>GET</string></value>
      <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=13&http_envelope
    

    Thanks for your help

    #32101
    AITpro Admin
    Keymaster

    Hmm ok well I guess you just cannot use any xmlrpc protection code with Jetpack then.  So just delete the code that is causing the xmlrpc block.  It could be the POST Attack Protection code.  So you will need to test which code is causing the problem and delete it.

    #32105
    Rafael Da Costa
    Participant

    What vulnerabilities could this give to my website?
    I am not using Jetpack much anyway. I could find a replacement for my needs.
    What would you recommend?
    This error is also showing on Search console:

    URL:
    http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke)qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1483776359&nonce=zAR1VmEOpl&body-hash=aOIkn63jBYoKZYuP3PFCWC%2Bwr8E%3D&signature=OJ4rCg3TmRVk3hVXLaacTQTLM9A%3D
    
    Error details:
    Googlebot couldn't crawl your URL because your server either requires authentication to access the page, or it is blocking Googlebot from accessing your site. Find out more

    Thanks

    #32107
    AITpro Admin
    Keymaster

    Back in 2014 around 3 years ago when the BPS XML-RPC protection code was created it protected against the XML Quadratic Blowup Attack as well as other various XML-RPC exploits. At some point WordPress eliminated any/all XML-RPC exploits by adding new protection code directly in WordPress itself to protect XML-RPC. So the XML-RPC protection code is now considered anti-nuisance code vs important security protection code. So you really do not need to use any XML-RPC protection code anymore.

    #32136
    Rafael Da Costa
    Participant

    Thanks for your help.

    #32137
    Rafael Da Costa
    Participant

    Hi there,
    I am still having problems.
    I’ve deleted the XML-RPC protection code as suggested; the new code is below.

    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    
    # Whitelist updraft
    RewriteCond %{REQUEST_URI} !^.*/updraft [NC]
    #EXAMPLES FOR WHITELIST 
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    RewriteRule ^(.*)$ - [F]
    
    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Rewrites to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]

    LOG Information:

    [403 POST Request: January 13, 2017 - 2:19 pm]
    BPS Pro: 12.5
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 192.0.84.104
    Host Name: 192.0.84.104
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484288389&nonce=8ekfk6F0Sc&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=CGq9q2CO0bEyk%2BFHc0qXmtzOCBY%3D
    REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1484288389&nonce=8ekfk6F0Sc&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=CGq9q2CO0bEyk%2BFHc0qXmtzOCBY%3D
    QUERY_STRING: 
    HTTP_USER_AGENT: Jetpack by WordPress.com
    REQUEST BODY: <?xml version="1.0"?>
    <methodCall>
    <methodName>system.multicall</methodName>
    <params>
    <param><value><array><data>
      <value><struct>
      <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member>
      <member><name>params</name><value><array><data>
      <value><array><data>
      <value><string>GET</string></value>
      <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=13&http_envelope

    The IP is always the same – can I put it in the whitelist?

    Thanks

    #32141
    AITpro Admin
    Keymaster

    Jetpack makes a POST Request to the wp-load.php file. So add this additional whitelist rule for the Jetpack POST Request to wp-load.php.

    # Whitelist Jetpack POST Requests to wp-load.php
    RewriteCond %{REQUEST_URI} !^.*/wp-load.php [NC]

    #32240
    Rafael Da Costa
    Participant

    It worked – thanks

    #32241
    AITpro Admin
    Keymaster

    An even better method is to whitelist the jetpack Query String.  Example:  https://forum.ait-pro.com/forums/topic/managewp-403-error-post/page/3/#post-32142

    # Whitelist Jetpack POST Request to wp-load.php by Query String
    RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]