Jetpack – xmlrpc.php POST 403 error

    #32242
    Rafael Da Costa
    Participant

    Sorry, neither code worked – there was a delay in the system before the error message came up. Below are the error and my custom code.
    Error:

    [403 POST Request: January 24, 2017 - 12:21 pm]
    BPS Pro: 12.6
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 192.0.81.121
    Host Name: 192.0.81.121
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1485231675&nonce=RWKYO2pLTk&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=bSkFBwmJrlOEnPCi9SNqm97xDFo%3D
    REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1485231675&nonce=RWKYO2pLTk&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=bSkFBwmJrlOEnPCi9SNqm97xDFo%3D
    QUERY_STRING: 
    HTTP_USER_AGENT: Jetpack by WordPress.com
    REQUEST BODY: <?xml version="1.0"?>
    <methodCall>
    <methodName>system.multicall</methodName>
    <params>
    <param><value><array><data>
     <value><struct>
     <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member>
     <member><name>params</name><value><array><data>
     <value><array><data>
     <value><string>GET</string></value>
     <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=13&http_envelope

    My custom code:

    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]

    # Whitelist Jetpack POST Request to wp-load.php by Query String
    RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]
    # Whitelist updraft
    RewriteCond %{REQUEST_URI} !^.*/updraft [NC]

    # EXAMPLES FOR WHITELIST
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    RewriteRule ^(.*)$ - [F]

    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Rewrites to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]


    This is the code at CUSTOM CODE REQUEST METHODS FILTERED:

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
    
    #32243
    AITpro Admin
    Keymaster

    I have tested and confirmed that the Jetpack Query String whitelist rule does work, but if you have additional xmlrpc.php blocking htaccess code in your Root htaccess file then the xmlrpc.php file will still be blocked and it will appear that a POST Request is being blocked when in fact both GET and POST Requests are being blocked. Or in other words – everything is blocked. So you need to check for any other xmlrpc.php blocking code in Custom Code and remove/delete it if you would like to allow access to the xmlrpc.php file.

    Example:

    <FilesMatch "^(xmlrpc.php|wp-trackback.php)">
    Order Deny,Allow
    Deny from all
    #Allow from x.x.x.
    </FilesMatch>

    Also you should not need the additional Query String whitelist rule as long as you are whitelisting the xmlrpc.php file with this whitelist rule below. So that pretty much confirms that you have additional xmlrpc.php blocking htaccess code. These days WP has secured the xmlrpc.php file so that the old exploit that was possible a long time ago is no longer possible. So really you do not need to add any additional htaccess protection code for the xmlrpc.php file any longer.

    # XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
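To make the diagnosis in the reply above concrete, here is an added Python model of how the two mechanisms combine: the BPS POST Request Attack Protection chain of negated RewriteConds, and a FilesMatch "Deny from all" block like the one quoted. This is example code written for this page, not BPS, Apache or either participant's code. The request records are constructed from the log entry earlier in the thread with the token omitted; the names WHITELIST_PATHS, WHITELIST_REFERERS, WHITELIST_QUERY, FILESMATCH_DENY, post_protection_blocks, filesmatch_blocks and outcome are this example's own. Access control (FilesMatch/Deny) is modelled as being evaluated before the per-directory rewrite rules, which is how Apache orders those request phases.

```python
"""Added example (not BPS, Apache or forum code): model how the BPS
POST Request Attack Protection RewriteCond chain and a FilesMatch
'Deny from all' block combine for requests to xmlrpc.php."""
import re
from urllib.parse import urlsplit

# Negated whitelist patterns copied from the RewriteCond chain in the post.
# Every RewriteCond must hold for `RewriteRule ^(.*)$ - [F]` to fire, so a
# request matching ANY of these patterns escapes the 403.
WHITELIST_PATHS = [          # RewriteCond %{REQUEST_URI} !pattern [NC]
    r"^.*/wp-admin/", r"^.*/wp-cron.php", r"^.*/wp-login.php",
    r"^.*/xmlrpc.php", r"^.*/wp-signup.php", r"^.*/wp-activate.php",
    r"^.*/wp-trackback.php", r"^.*/wp-comments-post.php", r"^.*/updraft",
    r"^.*/contact/", r"^.*/ipn_handler.php",
]
WHITELIST_REFERERS = [r"^.*/wp-admin/customize.php"]   # %{HTTP_REFERER}
WHITELIST_QUERY = [r"^for=jetpack(.*)"]                # %{QUERY_STRING}

# The FilesMatch block quoted in the reply; matched against the file name only.
FILESMATCH_DENY = r"^(xmlrpc.php|wp-trackback.php)"

# Constructed request records modelled on the BPS log entry (token omitted).
JETPACK_POST = {
    "REQUEST_METHOD": "POST",
    "REQUEST_URI": "/xmlrpc.php?for=jetpack&timestamp=1485231675&nonce=RWKYO2pLTk",
    "HTTP_REFERER": "",
    "HTTP_USER_AGENT": "Jetpack by WordPress.com",
}
PLAIN_GET = {"REQUEST_METHOD": "GET", "REQUEST_URI": "/xmlrpc.php",
             "HTTP_REFERER": "", "HTTP_USER_AGENT": "curl/7.0"}
UNLISTED_POST = {"REQUEST_METHOD": "POST", "REQUEST_URI": "/some-form/submit",
                 "HTTP_REFERER": "", "HTTP_USER_AGENT": "Mozilla/5.0"}


def _any_match(patterns, subject):
    # [NC] on every cond in the post -> case-insensitive search
    return any(re.search(p, subject, re.IGNORECASE) for p in patterns)


def post_protection_blocks(req):
    """True if the BPS POST Request Attack Protection rule would answer 403."""
    if req["REQUEST_METHOD"].upper() != "POST":
        return False                       # first cond: %{REQUEST_METHOD} POST
    parts = urlsplit(req["REQUEST_URI"])   # mod_rewrite's REQUEST_URI has no query
    if _any_match(WHITELIST_PATHS, parts.path):
        return False
    if _any_match(WHITELIST_REFERERS, req.get("HTTP_REFERER", "")):
        return False
    if _any_match(WHITELIST_QUERY, parts.query):
        return False
    return True                            # all negated conds held -> [F]


def filesmatch_blocks(req):
    """True if 'Deny from all' in the FilesMatch block applies (any method)."""
    filename = urlsplit(req["REQUEST_URI"]).path.rsplit("/", 1)[-1]
    return re.search(FILESMATCH_DENY, filename) is not None


def outcome(req, extra_filesmatch):
    """Return (status, reason). Access control (FilesMatch/Deny) is checked
    before per-directory rewrite rules, matching Apache's phase order."""
    if extra_filesmatch and filesmatch_blocks(req):
        return 403, "FilesMatch Deny from all (every method)"
    if post_protection_blocks(req):
        return 403, "BPS POST Request Attack Protection"
    return 200, "allowed"


if __name__ == "__main__":
    cases = {"Jetpack POST /xmlrpc.php": JETPACK_POST,
             "GET /xmlrpc.php": PLAIN_GET,
             "POST /some-form/submit": UNLISTED_POST}
    for label, req in cases.items():
        for extra in (False, True):
            print(f"{label:<26} extra FilesMatch={extra!s:<5} -> {outcome(req, extra)}")
```

Running it shows the Jetpack POST passing the rewrite chain on its own (the `!^.*/xmlrpc.php` cond already exempts it, so the extra for=jetpack query-string cond changes nothing), and a 403 for both GET and POST to xmlrpc.php as soon as the FilesMatch block is present. Because both paths end in the same 403, the BPS log entry alone cannot tell you which directive produced it; sending a plain GET to xmlrpc.php and checking whether it is also refused is the quick way to separate the two cases.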