Link from Facebook sometimes leads to 403 error
- This topic has 12 replies, 2 voices, and was last updated 11 years, 5 months ago by AITpro Admin.
Ralf Skirr (Participant)
I’m linking to one of my blog posts from Facebook. When clicking this link, sometimes it works like expected, sometimes BPS throws a 403 error.
This is the status update with the link (should be visible to everyone logged in at Facebook): facebook.com/ralfskirr/activity/10200349698637956
This is the link in the status update that (only sometimes) produces the error:
internetbusinessmastermind.com/facebook-promotional-cover-images?fb_action_ids=10200349698637956&fb_action_types=og.likes&fb_source=aggregation&fb_aggregation_id=288381481237582
I’m not sure if the parameters in this link are always the same, or if they are different for different users. This is the actual post I want users to go to: internetbusinessmastermind.com/facebook-promotional-cover-images. My host is Hostgator. Any idea how I can fix this?
AITpro Admin (Keymaster)
403 Errors are not an exclusive error status code for BPS/BPS Pro – 403 Errors are an Internet Standard HTTP Status Response code. If BPS Pro was blocking this then it would be blocked 100% of the time and not some of the time. There is no middle ground – either blocked 100% or not blocked 100% are the only possible results.
Please post the error from your Security Log file. Please only post one instance of the error and not your entire Security Log file contents. Thanks.
Ralf Skirr (Participant)
Thanks for the fast reply. I assumed it was BPS because the error page source code had some references to BPS. Where do I find the Security Logfile?
AITpro Admin (Keymaster)
The Security Log file is located on the Security Log tab page in B-Core. If you have completely different links/URLs and 1 or more of those URLs are being blocked for some reason then it would appear that this is an intermittent issue, but it would actually be a specific issue/problem with a specific link or links.
AITpro Admin (Keymaster)
I checked all the links you posted and did not get any errors, but you are correct that if a URL contains coding characters that are blocked by BPS Pro then you will see 403 errors on your site and it may be possible that the incoming URLs are different for different people. Typically the URLs would contain dangerous coding characters such as: round brackets ( ), a single quote ', a double quote " or angle brackets < >.
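To see whether a given incoming link carries any of the characters named in the reply above, the percent-decoded query string can be checked parameter by parameter. This is an added example, not part of the thread and not BPS Pro's filter logic; the function names and the two example.com URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Characters named in the reply above: round brackets, single quote,
# double quote, angle brackets. This is NOT the BPS Pro rule set.
FLAGGED = set("()'\"<>")

# First URL is the link quoted in the opening post; the others are constructed.
SAMPLE_URLS = [
    "internetbusinessmastermind.com/facebook-promotional-cover-images"
    "?fb_action_ids=10200349698637956&fb_action_types=og.likes"
    "&fb_source=aggregation&fb_aggregation_id=288381481237582",
    "example.com/post?fb_source=aggregation&ref=%28timeline%29",
    "example.com/post?title=Ralf%27s+cover",
]


def flagged_params(url):
    """Return {parameter: [flagged chars]} for the decoded query string."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the query
    hits = {}
    # parse_qsl percent-decodes names and values, so %28 is seen as "("
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found = sorted(FLAGGED & set(name + value))
        if found:
            hits[name] = found
    return hits


def triage(urls):
    """Return (url, hits) pairs for URLs with at least one flagged parameter."""
    results = []
    for url in urls:
        hits = flagged_params(url)
        if hits:
            results.append((url, hits))
    return results


if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS):
        print(url, "->", hits)
```

A link that comes back clean here can still be blocked by a filter that matches on URL structure rather than on these characters, so the Security Log entry remains the authoritative record of what was blocked.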
AITpro Admin (Keymaster)
And then of course you have hackers who are trying to hijack the URL – those hijacking/hacking attempts will definitely result in 403 errors. 😉
AITpro Admin (Keymaster)
You have an extremely old version of BPS Pro installed on this site: BPS Pro 5.1.4. The Security Log page did not exist in that version and you would have to use the php.ini file editor to open your Security log file or download it from your website. If you install the latest/most current version of BPS Pro 5.6.1 then you will see the new Security Log page in B-Core. Your log file is probably gigantic so it will probably freeze your site when you try to open it.
You can download your Security Log file instead from here – /wp-content/bps-backup/logs/http_error_log.txt.
Ralf Skirr (Participant)
Thanks again for checking! Unfortunately I can’t find any error file. Obviously missing settings, I’m trying to fix this now. Where can I get the latest version of the plugin? Wp dashboard doesn’t show that it is outdated.
AITpro Admin (Keymaster)
BPS Pro 5.1.4 is over a year old. I cannot even remember what kind of capability it has. You are going to be very surprised by BPS Pro 5.6.1. There were several very amazing features added since 5.1.4.
Go ahead and go to the Secure Download area and download the BPS Pro 5.6.1 zip file. Install the zip file using the BPS Pro upload zip installer. Do not use the WordPress Upload zip installer.
Here is the latest BPS Pro installation and setup video tutorial: http://www.ait-pro.com/aitpro-blog/2841/bulletproof-security-pro/bulletproof-security-pro-overview-video-tutorial/
Ralf Skirr (Participant)
FYI, following up on this, here’s what Hostgator support said:
The issue was being caused by the bulletproof .htaccess blocks. I had to comment out a couple of the rewrite rules as they were causing the query strings from Facebook to get blocked.
AITpro Admin (Keymaster)
Usually you can create whitelist rules instead of having to comment out security filters. Are you using a Facebook plugin or are these links created externally and they link back to your site? Which security filters were commented out? I have noticed that with Facebook like links a lot of them contain dangerous coding characters that are blocked by BPS security filters or have URL structures that simulate RFI hacking URLs. The Facebook like URLs vary significantly in URL structure so my guess is they are generated externally and point back to your website. Please post the security filters that were commented out and I will look into this and see if a safer whitelist rule for Facebook itself can be created to cover the wide range of Facebook like links that simulate RFI hacking attempts or contain dangerous coding characters in the URL.
Ralf Skirr (Participant)
I PMed you with htaccess code.
AITpro Admin (Keymaster)
BPS Pro is not like a typical WordPress plugin and instead has built-in troubleshooting/Turn Off/Deactivate capability for each feature. Deactivating the BPS Pro plugin does not deactivate/Turn Off all the BPS Pro features (AutoRestore/Quarantine and F-Lock are deactivated by deactivating the BPS Pro plugin). Please see this link below for how to Turn Off/Deactivate each or all of the BPS Pro features.
NOTE: By deactivating the BPS Pro plugin you no longer have access to the built-in troubleshooting/turn off/deactivate options/features in BPS Pro since the BPS Pro plugin has been deactivated.
http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
The .htaccess file that you posted is an extremely old htaccess file for BPS Pro version 5.1.4. Please update BPS Pro to the most current version, which is now 5.8.1. You can turn off/deactivate features that you do not want to use if you choose to go that route.
If you can post Security Log errors then I can tell you exactly what is being blocked and what whitelist/skip bypass rules/edits to your root .htaccess are needed to solve the issue/problem.
If you would like for me to fix the issue/problem then create a temporary WordPress Admin login and send it directly to edward at ait-pro dot com. Thank you.