BulletProof Security Pro forum: Jetpack – xmlrpc.php POST 403 error
Tagged: 403 error, Jetpack, xmlrpc.php
This topic has 16 replies, 2 voices, and was last updated 7 years, 8 months ago by AITpro Admin.

Rafael Da Costa (Participant):
Sorry, neither code worked; there was a delay in the system before the error message came up. Below follow the error and my custom code.

Error:

```text
[403 POST Request: January 24, 2017 - 12:21 pm]
BPS Pro: 12.6
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.0.81.121
Host Name: 192.0.81.121
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://www.cruxdev.com.au/xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1485231675&nonce=RWKYO2pLTk&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=bSkFBwmJrlOEnPCi9SNqm97xDFo%3D
REQUEST_URI: /xmlrpc.php?for=jetpack&token=%40gke%29qwlHn3dPj%5EmthCOcuis%5E%25Citx%239%3A1%3A2&timestamp=1485231675&nonce=RWKYO2pLTk&body-hash=kxsvRNYFgM151fS0hpl3UD%2BzEMY%3D&signature=bSkFBwmJrlOEnPCi9SNqm97xDFo%3D
QUERY_STRING:
HTTP_USER_AGENT: Jetpack by WordPress.com
REQUEST BODY:
<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params>
    <param><value><array><data>
      <value><struct>
        <member><name>methodName</name><value><string>jetpack.jsonAPI</string></value></member>
        <member><name>params</name><value><array><data>
          <value><array><data>
            <value><string>GET</string></value>
            <value><string>https://public-api.wordpress.com/rest/v1/sites/122171471/sync/object?module_name=posts&object_type=post&object_ids%5B0%5D=13&http_envelope
```
My custom code:
```apache
# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Whitelist Jetpack POST Request to wp-load.php by Query String
RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]
# Whitelist updraft
RewriteCond %{REQUEST_URI} !^.*/updraft [NC]
# EXAMPLES FOR WHITELIST
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
# All conditions above are negated: [F] (403) fires only for a POST that matched none of them
RewriteRule ^(.*)$ - [F]

# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# Rewrites to author=999999 that does not actually exist
# which results in a standard 404 error. To the hacker bot
# it appears that this author does not exist without giving
# any clues that the author does actually exist.
RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]
```
This is the code at CUSTOM CODE REQUEST METHODS FILTERED:
```apache
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
# HEAD requests are sent to 405.php unless the User-Agent contains "Jetpack"
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
```
AITpro Admin (Keymaster):

I have tested and confirmed that the Jetpack Query String whitelist rule does work, but if you have additional xmlrpc.php blocking htaccess code in your Root htaccess file then the xmlrpc.php file will still be blocked and it will appear that a POST Request is being blocked when in fact both GET and POST Requests are being blocked. Or in other words, everything is blocked. So you need to check for any other xmlrpc.php blocking code in Custom Code and remove/delete it if you would like to allow access to the xmlrpc.php file.
Example:
```apache
# Denies every request method for these two files; the #Allow line is a commented-out IP exception
<FilesMatch "^(xmlrpc.php|wp-trackback.php)">
Order Deny,Allow
Deny from all
#Allow from x.x.x.
</FilesMatch>
```
Also, you should not need the additional Query String whitelist rule as long as you are whitelisting the xmlrpc.php file with this whitelist rule below. So that pretty much confirms that you have additional xmlrpc.php blocking htaccess code. These days WP has secured the xmlrpc.php file so that the old exploit that was possible a long time ago is no longer possible. So really you do not need to add any additional htaccess protection code for the xmlrpc.php file any longer.

```apache
# XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
```
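Added worked example (not code from this thread, from BPS Pro or from Jetpack): the Python below models the two rule families quoted in the thread so the diagnosis in the reply above can be seen directly. `post_rule_blocks()` applies the negated RewriteCond chain from the POST protection block (regexes copied from the posted lines, dots escaped, `[NC]` mapped to `re.IGNORECASE`), `filesmatch_blocks()` applies the method-agnostic `<FilesMatch>` Deny, and `diagnose()` turns a GET/POST status pair into the "is it the POST chain or is everything blocked" verdict. The Jetpack request fields come from the log entry in the first post (token shortened); the other sample requests, the `xmlrpc-probe` User-Agent and the `system.listMethods` body are constructed. `probe()` does the same two requests against a live site and needs network, so the offline demo does not call it.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# %{REQUEST_URI} whitelist patterns from the "BPS POST Request Attack Protection" chain.
POST_WHITELIST_URI = [
    r"^.*/wp-admin/", r"^.*/wp-cron\.php", r"^.*/wp-login\.php",
    r"^.*/xmlrpc\.php", r"^.*/wp-signup\.php", r"^.*/wp-activate\.php",
    r"^.*/wp-trackback\.php", r"^.*/wp-comments-post\.php", r"^.*/updraft",
    r"^.*/contact/", r"^.*/ipn_handler\.php",
]
POST_WHITELIST_REFERER = [r"^.*/wp-admin/customize\.php"]   # %{HTTP_REFERER}
POST_WHITELIST_QUERY = [r"^for=jetpack(.*)"]                 # %{QUERY_STRING}
# File-name pattern of the <FilesMatch> Deny-from-all block the admin mentions.
FILESMATCH_DENY = r"^(xmlrpc\.php|wp-trackback\.php)"


@dataclass
class Request:
    method: str
    uri: str            # path only, as mod_rewrite's %{REQUEST_URI}
    query: str = ""     # %{QUERY_STRING}
    referer: str = ""   # %{HTTP_REFERER}
    user_agent: str = ""


def post_rule_blocks(req: Request) -> bool:
    """True if the POST-protection chain would answer 403. Every RewriteCond after
    the first is negated, so 'RewriteRule ^(.*)$ - [F]' fires only when the method
    is POST and none of the whitelist patterns match."""
    if not re.search("POST", req.method, re.IGNORECASE):
        return False
    checks = [(POST_WHITELIST_URI, req.uri),
              (POST_WHITELIST_REFERER, req.referer),
              (POST_WHITELIST_QUERY, req.query)]
    for patterns, value in checks:
        if any(re.match(p, value, re.IGNORECASE) for p in patterns):
            return False      # a whitelist cond matched: chain aborts, no [F]
    return True


def filesmatch_blocks(req: Request, filesmatch_present: bool) -> bool:
    """The FilesMatch block denies by file name alone, regardless of method."""
    if not filesmatch_present:
        return False
    basename = req.uri.rsplit("/", 1)[-1]
    return re.match(FILESMATCH_DENY, basename) is not None


def status_for(req: Request, filesmatch_present: bool) -> int:
    """403 if either rule family denies the request, otherwise 200 (served)."""
    if filesmatch_blocks(req, filesmatch_present) or post_rule_blocks(req):
        return 403
    return 200


def diagnose(get_status: int, post_status: int) -> str:
    """Interpret a GET/POST status pair observed for /xmlrpc.php."""
    if get_status == 403 and post_status == 403:
        return "all methods blocked: look for FilesMatch/Deny or other xmlrpc.php code, not the POST chain"
    if post_status == 403:
        return "only POST blocked: the POST whitelist chain is missing xmlrpc.php"
    return "xmlrpc.php reachable"


# Harmless XML-RPC call for the live probe (constructed, not from the log).
XMLRPC_LIST_METHODS = (b'<?xml version="1.0"?><methodCall>'
                       b'<methodName>system.listMethods</methodName><params/></methodCall>')


def probe(base_url: str, timeout: float = 10.0) -> tuple:
    """GET and POST /xmlrpc.php on a live site; returns the two status codes."""
    def status(request):
        try:
            with urllib.request.urlopen(request, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    url = base_url.rstrip("/") + "/xmlrpc.php"
    hdrs = {"User-Agent": "xmlrpc-probe"}     # assumed UA, pick your own
    get = urllib.request.Request(url, method="GET", headers=hdrs)
    post = urllib.request.Request(url, data=XMLRPC_LIST_METHODS, method="POST",
                                  headers={**hdrs, "Content-Type": "text/xml"})
    return status(get), status(post)


# Fields taken from the 403 log entry in the thread (token shortened).
JETPACK_POST = Request("POST", "/xmlrpc.php", query="for=jetpack&token=%40gke%29...",
                       user_agent="Jetpack by WordPress.com")


def demo() -> dict:
    """{filesmatch_present: (GET status, Jetpack POST status)} for both configurations."""
    plain_get = Request("GET", "/xmlrpc.php")
    return {present: (status_for(plain_get, present), status_for(JETPACK_POST, present))
            for present in (False, True)}


if __name__ == "__main__":
    for present, (g, p) in demo().items():
        print(f"FilesMatch present={present}: GET={g} POST={p} -> {diagnose(g, p)}")
```

Run it as-is to see the two configurations side by side: without the FilesMatch block the Jetpack POST passes the chain on the `xmlrpc.php` URI cond alone, with it both GET and POST come back 403. Against a real site, `diagnose(*probe("https://example.com"))` gives the same verdict from observed status codes.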