Malformed syntax admin-ajax, possibly firewall issue

[Tina Dubinsky]

I have an addon domain with its own IP and SSL.

I’ve just migrated it from a non secure domain and a different host, but where it had all the same plugins with BPS Pro working fine.

When I migrated my process included deactivating and uninstalling BPS Pro.

Once the dedicated IP and SSL were set up, I did a fresh install of wordpress, added all the same plugins (except BPS Pro at this stage) and then took my saved SQL database (minus BPS Pro data) and installed it.

In SQL tables, i changed the http reference to https for the options.

Noticed some things (mostly images) weren’t showing as secure so began editing the code etc.

Installed BPS Pro and requested a new activation code. Set up BPS Pro and added custom code. I noticed after installing BPS that a couple of pages which had previously indicated they had some unsecure elements no longer stated this even though I hadn’t yet edited them.

I then went to edit another page and when clicking on the update button, received a 400 error as a pop-up above the button: /wp-admin/admin-ajax.php?action=proxy_atd&_wpnonce=1fe627c361&url=/checkDocument

I can still save the changes by clicking it a second time or third time. I noticed the grammar check function doesn’t happen. My first thought was it might be a Yoast SEO conflict, then a Redirection (plugin) conflict. I deactivated both of these plugins but the error continues to appear. Then perhaps a custom code .htaccess issue so I removed the code I had added for permanently changing http to https but the error continued.

In the security log this appears:

400 GET Bad Request: October 20, 2017 - 2:08 am]
BPS Pro: 13.3.3
WP: 4.8.2
Event Code: The request could not be understood by the server due to malformed syntax.
Solution: N/A - Malformed Request - Not an Attack
REMOTE_ADDR: My IP
Host Name: My host
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://tinadubinsky.com/wp-admin/post.php?post=9625&action=edit
REQUEST_URI: /wp-admin/admin-ajax.php?action=proxy_atd&_wpnonce=fb0db4c4dc&url=/checkDocument
QUERY_STRING: action=proxy_atd&_wpnonce=fb0db4c4dc&url=/checkDocument
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

I originally thought this might be a WordPress error, so I posted about this issue over at WordPress Support. The response I’ve received is that it’s probably a firewall issue, which is why I’m posting here about it and wondering if you might be able to help me shed some light on it.

website: tinadubinsky.com

I’ve just moved my website to a new host and server and updated to an SSL certificate.

I’m currently editing pages for non-secure items. (mostly images)

When I’m pressing the update button 50% of the time, I’m getting the following error message: /wp-admin/admin-ajax.php?action=proxy_atd&_wpnonce=1fe627c361&url=/checkDocument

Normally, when I press this after editing I would get the message about WordPress making suggestions. (That’s only happened once since I moved to SSL.)

Pressing the update button a second time generaly saves the page. If not, it does on the third attempt.

I’m just wondering how to fix the ajax error that I’m getting, so it works the first time around.

My host is using modsecurity. But I probably need to eliminate BPS as the problem firewall before asking them to look into modsecurity.

Cheers

Tina

[AITpro Admin]

When I google this part of the Query String – “action=proxy_atd” I found 2 search results that show this has to do with Jetpack > After the deadline module.  My guess would be that you would need to resave your jetpack After the deadline module settings to update them after you have done a migration.  Most likely the jetpack After the deadline module settings still have your old site settings saved and once you update the settings they will be current to your newly migrated site.

[Tina Dubinsky]

Thanks, I’ve tried turning off and turning back on the settings that appear to be triggering it but it’s still happening (when turned off no error came up, but turning back on, it came back). So, I’ve now taken the issue to Jetpack support to see if we can sort out a solution. Thanks for your help, greatly appreciate it.

[Tina Dubinsky]

Just an update:  Jetpack have confirmed that this is their spellcheck module. They believe BPS is blocking it from working. I attempted to write a skip rule for it without success.  I’ll go back to working through the troubleshooting steps tomorrow.

Cheers

-Tina

[Added by AITpro Admin to keep all info one place]
https://wordpress.org/support/topic/malformed-syntax/#post-9604424

Through further investigations (trial and error), I have discovered that when I turn the “proofreading” feature in Jetpack off the error goes away. Which is not really ideal as I’d like to use this feature.
______________________________________

That call is indeed made by Jetpack’s spellchecker feature. If you use the most recent version of Jetpack it should work out of the box, but obviously something is blocking that call on your new site.

I ran a few extra tests on your site, and it seems that some of our requests are blocked by your security plugin, Bulletproof Security. Here is the response we get when we try to make XML-RPC requests and communicate with your site from some of our servers:
https://gist.github.com/jeherve/e64e3486ad3d940b49a9690f46e68cdf

When we try to push data to your site, still via XML-RPC, the response still fails but is a bit different:
https://gist.github.com/jeherve/f6236065260e955d6243e730d239b9a0

The bpsMessage container added around the message tells me that page is also outputted by Bulletproof Security.

Could you try to play with your Bulletproof Security settings and see if you can find something to unblock those requests? That should help!

[Tina Dubinsky]

Thanks for all your help in getting this sorted both here and over at the WordPress.org.

Much appreciated.

-Tina

[Author]

Posts