ManageWP 403 Error – POST

  • #32026
    AITpro Admin
    Keymaster

    @ James – The only logical explanation for why the “is” condition works is that all the whitelist rules are “and” conditions.  So that means this is happening:  if A “is not” B and C “is not” D then forbid/block.  Or in other words, there are 2 conditions being matched/evaluated in that code for the ManageWP POST Request.  Try this method/approach code below and see if it works. The ManageWP IP address skip/bypass rule says if “is” IP address X, Y or Z then skip 1 RewriteRule, which would be this RewriteRule: RewriteRule ^(.*)$ - [F]

    # Whitelist ManageWP IP Addresses skip/bypass rule
    RewriteCond %{REQUEST_METHOD} POST [NC]
    RewriteCond %{REMOTE_ADDR} ^(35\.162\.254\.253|52\.11\.12\.231|52\.11\.29\.70|52\.11\.54\.161|52\.24\.142\.159|52\.25\.191\.255|52\.27\.181\.126|52\.34\.126\.117|52\.34\.254\.47|52\.35\.82\.99|52\.36\.28\.80|52\.38\.106\.97|52\.39\.177\.152|52\.41\.230\.148|52\.41\.237\.12|52\.42\.126\.166|52\.43\.13\.71|52\.43\.76\.224|52\.88\.96\.110|52\.89\.155\.51|54\.148\.73\.118|54\.186\.37\.105|54\.187\.92\.57|54\.191\.32\.65|54\.191\.67\.23|54\.191\.80\.119|54\.191\.135\.209|54\.191\.136\.176|54\.191\.137\.17|54\.191\.148\.85|54\.191\.149\.8|52\.26\.122\.21|52\.24\.187\.29|52\.89\.85\.107|54\.186\.128\.167|54\.191\.40\.136|52\.24\.62\.11|52\.88\.119\.122|54\.191\.148\.225|54\.191\.151\.18|52\.89\.94\.121|52\.25\.116\.116|52\.88\.215\.225|54\.186\.143\.184|52\.88\.197\.180|52\.27\.171\.126)$
    RewriteRule . - [S=1]
    
    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    RewriteRule ^(.*)$ - [F]
    #32027
    James
    Participant

    No, that doesn’t work either I’m afraid, sorry!

    #32029
    AITpro Admin
    Keymaster

    @ James – Try removing the POST condition.  If that does not work then I guess you will not be able to use the POST Attack Protection code with ManageWP.

    # Whitelist ManageWP IP Addresses skip/bypass rule
    RewriteCond %{REMOTE_ADDR} ^(35\.162\.254\.253|52\.11\.12\.231|52\.11\.29\.70|52\.11\.54\.161|52\.24\.142\.159|52\.25\.191\.255|52\.27\.181\.126|52\.34\.126\.117|52\.34\.254\.47|52\.35\.82\.99|52\.36\.28\.80|52\.38\.106\.97|52\.39\.177\.152|52\.41\.230\.148|52\.41\.237\.12|52\.42\.126\.166|52\.43\.13\.71|52\.43\.76\.224|52\.88\.96\.110|52\.89\.155\.51|54\.148\.73\.118|54\.186\.37\.105|54\.187\.92\.57|54\.191\.32\.65|54\.191\.67\.23|54\.191\.80\.119|54\.191\.135\.209|54\.191\.136\.176|54\.191\.137\.17|54\.191\.148\.85|54\.191\.149\.8|52\.26\.122\.21|52\.24\.187\.29|52\.89\.85\.107|54\.186\.128\.167|54\.191\.40\.136|52\.24\.62\.11|52\.88\.119\.122|54\.191\.148\.225|54\.191\.151\.18|52\.89\.94\.121|52\.25\.116\.116|52\.88\.215\.225|54\.186\.143\.184|52\.88\.197\.180|52\.27\.171\.126)$
    RewriteRule . - [S=1]
    #32033
    AITpro Admin
    Keymaster

    @ James – I recreated this scenario on my test site and the problem I found is that if you do not whitelist your own IP address with the ManageWP IP addresses rule then you will be blocked too.  The only reason the “is” condition is working is because 2 things are being matched in the POST Attack Protection rules.  I am not exactly sure what those 2 things are for ManageWP, but I think the second thing that is being matched is the root site URI / since it looks like ManageWP is sending a POST Request to your root site URI.

    Example test code: The POST Request is allowed and not blocked: My IP address is 127.0.0.1. The 2 conditions say if IP address is not 127.0.0.1 and the Request URI is not example-post-form-uri.php then block/forbid the Request.

    RewriteCond %{REQUEST_METHOD} POST [NC]
    RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|xxx\.xxx\.xxx\.xxx)$
    RewriteCond %{REQUEST_URI} !^.*/example-post-form-uri.php [NC]
    RewriteRule ^(.*)$ - [F]

    Example test code: The POST Request is not allowed and is blocked: My IP address is 127.0.0.1. The 2 conditions say if IP address is not xxx.xxx.xxx.xxx and the Request URI is not example-post-form-uri.php then block/forbid the Request.

    RewriteCond %{REQUEST_METHOD} POST [NC]
    RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.xxx)$
    RewriteCond %{REQUEST_URI} !^.*/example-post-form-uri.php [NC]
    RewriteRule ^(.*)$ - [F]

    Example test code: The POST Request is allowed and not blocked: My IP address is 127.0.0.1. The 2 conditions say if IP address is 127.0.0.1 and the Request URI is not example-post-form-uri.php then block/forbid the Request.

    RewriteCond %{REQUEST_METHOD} POST [NC]
    RewriteCond %{REMOTE_ADDR} ^(127\.0\.0\.1|xxx\.xxx\.xxx\.xxx)$
    RewriteCond %{REQUEST_URI} !^.*/example-post-form-uri.php [NC]
    RewriteRule ^(.*)$ - [F]

    Example test code: The POST Request is not allowed and is blocked: My IP address is 127.0.0.1. The 2 conditions say if IP address is 127.0.0.1 and the Request URI is not the root site URI / then block/forbid the Request.

    RewriteCond %{REQUEST_METHOD} POST [NC]
    RewriteCond %{REMOTE_ADDR} ^(127\.0\.0\.1|xxx\.xxx\.xxx\.xxx)$
    RewriteCond %{REQUEST_URI} !^.*/$ [NC]
    RewriteRule ^(.*)$ - [F]

    Summary: So that means the ManageWP request is not matching any of the other existing URIs in the POST Attack Protection code and that is why the “is” IP Address condition does not block the Request. Most likely based on the Security Log entry, ManageWP is posting to the root site URI /.

    #32040
    James
    Participant

    Thanks for your efforts in trying to resolve this, much appreciated. I can follow your logic as explained, but don’t really understand what to do next (other than not use the POST protection code). I have just messaged ManageWP tech support to ask them to take a look at this thread and see if they can offer any ideas or solutions. I’ll let you know if I hear anything back (or if one of the ManageWP tech guys is reading this, please post any suggestions here!).

    Cheers, James

    #32041
    James
    Participant

    Just looking at the security log entries:
    and I see that the Request_URI is /wp-load.php. So is there a reason that I cannot just add this as another RewriteCond %{REQUEST_URI} to the list of the standard ones in the standard POST protection code, like this (see the very end):

    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    # Whitelist for ManageWP ???
    RewriteCond %{REQUEST_URI} !^.*/wp-load.php [NC]
    RewriteRule ^(.*)$ - [F]
    

    (I have had to remove the “White list Track back PO-ST Requests” and “White list XML-RPC Ping backs, Jet Pack and Remote Posting PO-ST Requests” lines from the above in order for the code to post on this forum. Even typing those comment lines here without breaking them up with spaces prevents posting, I think it is the word “post” causing the problem?).

    The above code seems to work and allows ManageWP to connect to the WP site for sign up. I have completely removed anything to do with the ManageWP IP address list at the moment, let’s see whether I need to reinstate this later on for ManageWP to work (but at the moment I am just trying to allow the WP site to sign up with ManageWP).

    So, what is wrong with this approach???

    #32042
    James
    Participant

    Just ran through complete website signup and connect with ManageWP with above code in place. The signup went through no problem, I can view the WP site via the ManageWP dashboard and the couple of maintenance functions I have tested seem to have worked ok. There was one entry in the BPS log after signup, but doesn’t seem to have stopped anything working:

    [403 GET Request: January 6, 2017 10:19 am]
    BPS: .54.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.191.137.17
    Host Name: ec2-54-191-137-17.us-west-2.compute.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 54.191.137.17
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://mysite.com/
    REQUEST_URI: /?wc-ajax=get_refreshed_fragments
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
    
    #32045
    AITpro Admin
    Keymaster

    Great!  You figured out which file ManageWP is posting to.  Since you are whitelisting the POST Request to the wp-load.php file then yep you do not need to whitelist the ManageWP IP addresses.  I believe this is safe to do, but of course that means that anyone can send a POST Request to the wp-load.php file.  The reason I believe this is still safe to do is that ManageWP has code internally (plugin or other internal ManageWP file) on your website that continues processing whatever ManageWP is doing with the wp-load.php file.  If someone else posted to the wp-load.php file then nothing would happen because they would not have any internal processing code (plugin or theme or other internal file on your website).

    This looks like a WooCommerce string: wc-ajax=get_refreshed_fragments. If you have WooCommerce installed then see this forum topic for the solution: https://forum.ait-pro.com/forums/topic/woocommerce-read-me-first/

    #32050
    AITpro Admin
    Keymaster

    @ James – The problem with being able to post a Reply with “trackback” or “pingback” in the text was that a new blacklist filter had been created in the WP Settings > Comment Blacklist option setting.  Oops.  Someone is going to get smacked for that. 😉

    #32123
    James
    Participant

    Morning guys,

    So, I think I am getting there with working out how to use ManageWP with BPS (although no word back from ManageWP tech support unfortunately). I just realised this thread is in the BPS Pro (as opposed to the free version) forum, but I came here direct from Google previously. So please note all of my previous posts were with regards to the BPS FREE plugin.

    BPS FREE version

    In conclusion, for the BPS FREE plugin, it does not seem necessary to whitelist the ManageWP IP addresses as per the earlier discussion in this thread. It is however necessary to allow ManageWP access to the /wp-load.php file for the initial signup and adding the whitelist rule below to the end of the “BPS POST Request Attack Protection” code seems to do the trick. However once the website has been added to the ManageWP dashboard, then it might be possible to remove / hash-out this code as it may no longer be required.

    # BPS POST Request Attack Protection
    ....
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    # Whitelist for ManageWP ???
    RewriteCond %{REQUEST_URI} !^.*/wp-load.php [NC]
    RewriteRule ^(.*)$ - [F]
    

    BPS PRO version

    So after the excellent support from you guys in this thread and others, I figured it was about time I actually gave you some money. I therefore purchased the BPS PRO plugin (even though the free version seems to do everything I needed). But this level of service deserves proper (i.e. paid for by me) support!

    Anyway, just logged in to ManageWP again after upgrading from BPS FREE to PRO, and got the following error message in the ManageWP dashboard:

    “Connection problem (403 Forbidden). It looks like some of our IP addresses are not properly whitelisted in your security plugin or WAF. For more information about whitelisting view our FAQ.”

    So it looks like the new ManageWP IP whitelisting code (with their long list of new IP addresses) that you posted earlier in the thread is actually required, but only for the PRO version of the plugin.

    The */wp-load.php described above for the BPS FREE plugin seems also to be required in order for ManageWP to be able to connect to the WP site with the BPS PRO version. Presumably it would be better to only whitelist the wp-load.php file for the ManageWP IPs, rather than for all IPs which would be the case (right?) if we add both the IP number whitelist and wp-load.php file whitelist rules? So I will try the alternative code you posted previously which I think only whitelists wp-load.php for the ManageWP IPs (and blocks it for all other IPs), i.e. the code you posted here.

    Hope this helps. Regards, James

    #32125
    AITpro Admin
    Keymaster

    @ James – I believe ManageWP is being blocked by the BPS Pro Plugin Firewall.  Go to the BPS Security Log page and post a Security Log entry that shows what is being blocked.  Or I seem to remember that ManageWP makes a HEAD Request to your website.  The Security Log entry will show whether the Plugin Firewall is blocking something or a HEAD Request is what is being blocked.

    #32126
    James
    Participant

    Would I be correct in thinking that this approach (from here):

    # Whitelist ManageWP IP Addresses skip/bypass rule
    RewriteCond %{REQUEST_METHOD} POST [NC]
    RewriteCond %{REMOTE_ADDR} ^(35\.162\.254\.253|52\.11\.12\.231|52\.11\.29\.70|52\.11\.54\.161|52\.24\.142\.159|52\.25\.191\.255|52\.27\.181\.126|52\.34\.126\.117|52\.34\.254\.47|52\.35\.82\.99|52\.36\.28\.80|52\.38\.106\.97|52\.39\.177\.152|52\.41\.230\.148|52\.41\.237\.12|52\.42\.126\.166|52\.43\.13\.71|52\.43\.76\.224|52\.88\.96\.110|52\.89\.155\.51|54\.148\.73\.118|54\.186\.37\.105|54\.187\.92\.57|54\.191\.32\.65|54\.191\.67\.23|54\.191\.80\.119|54\.191\.135\.209|54\.191\.136\.176|54\.191\.137\.17|54\.191\.148\.85|54\.191\.149\.8|52\.26\.122\.21|52\.24\.187\.29|52\.89\.85\.107|54\.186\.128\.167|54\.191\.40\.136|52\.24\.62\.11|52\.88\.119\.122|54\.191\.148\.225|54\.191\.151\.18|52\.89\.94\.121|52\.25\.116\.116|52\.88\.215\.225|54\.186\.143\.184|52\.88\.197\.180|52\.27\.171\.126)$
    RewriteRule . - [S=1]
    

    would be better than this approach:

    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    ...
    # Whitelist for ManageWP
    # RewriteCond %{REQUEST_URI} !^.*/wp-load.php [NC]
    RewriteRule ^(.*)$ - [F]
    

    …as the former only whitelists POST requests from the specified ManageWP IPs, whereas the latter allows any IP to POST to wp-load.php? Have I understood that correctly?

    #32127
    AITpro Admin
    Keymaster

    @ James – I don’t think you can use IP whitelisting anymore with ManageWP and the POST Attack Protection code.  I assume something changed with ManageWP at some point.  If you are referring to the new 403 error you are seeing then I would need to see a Security Log entry to see what is being blocked.

    #32138
    James
    Participant

    So been having a play around with this for the last few hours, trying various options to try and whitelist the ManageWP IPs, but with no success. The only thing that seems to work is to add the line in bold below to the standard POST attack whitelisting code so that NO POSTs to wp-load.php (irrespective of where they come from) are blocked:

    # THIS CODE SEEMS TO WORK WITH MANAGEWP
    
    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    # RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    # Whitelist for ManageWP
    RewriteCond %{REQUEST_URI} !^.*/wp-load.php [NC]
    RewriteRule ^(.*)$ - [F]
    

    I was trying to find a way of allowing access to wp-load.php only for the ManageWP IP addresses (i.e. if request URI is wp-load.php and remote address is one of the ManageWP IPs then skip the standard rewrite rule). Something along the lines of this perhaps?:

    # THIS CODE DOES NOT WORK - PLEASE DO NOT USE!!!!!!
    
    # Whitelist ManageWP IP Addresses skip/bypass rule
    # Bypass rewrite for POSTS from ManageWP IP to wp-load.php only
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # For simplicity in testing, just the single ManageWP IP that blocked posts seem to come from
    RewriteCond %{REMOTE_ADDR} ^54\.191\.137\.17$
    RewriteCond %{REQUEST_URI} ^.*/wp-load.php [NC]
    RewriteRule . - [S=1]
    
    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    # RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    RewriteRule ^(.*)$ - [F]
    

    But any mention of the ManageWP IPs in the whitelisting rules seems to stop it working. Comment out

    RewriteCond %{REMOTE_ADDR} ^54\.191\.137\.17$

    on line 2 and the above code seems to work. Way over my head to understand why adding the IP address breaks this, but maybe someone else can come up with some code that works….

    For info, the ManageWP error message is “Connection problem (403 Forbidden). It looks like some of our IP addresses are not properly whitelisted in your security plugin or WAF. For more information about whitelisting view our FAQ.” and the security log entry looks like:

    [403 POST Request: January 13, 2017 - 5:37 pm]
    BPS Pro: 12.5
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.191.137.17
    Host Name: ec2-54-191-137-17.us-west-2.compute.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 54.191.137.17
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: https://mysite.com
    REQUEST_URI: /wp-load.php?mwprid=58789fde148310.77805311
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
    REQUEST BODY: {"params":{"refresh":"transient","doAdminInit":true,"item_filter":{"get_stats":{"0":["updates",{"plugins":true,"themes":true,"premium":false,"translations":true}],"1":["core_update",{"core":true}],"2":["posts",{"numberposts":5}],"3":["drafts",{"numberposts":5}],"4":["scheduled",{"numberposts":5}],"5":["comments",{"numberposts":5}],"6":["hit_counter"],"plugins":{"cleanup":{"overhead":[],"revisions":{"num_to_keep":"r_5"},"spam":[]}},"7":["site_statistics",{"users":true,"approvedComments":true,"act
    

    So in conclusion, it seems that to use ManageWP along with the POST protection code you must whitelist wp-load.php as per the code at the top of this post, and forget about trying to whitelist the ManageWP IP addresses. Unless anyone has any better ideas….

    #32142
    AITpro Admin
    Keymaster

    @ James – You can probably use a Query String whitelist rule instead of whitelisting the wp-load.php file.  Note:  I am seeing several plugins that are now posting directly to wp-load.php.  So I will look around and try to figure out what has changed about WordPress 4.7 and why plugins would now be doing this.  I assume it will have something to do with new features in WP 4.7 such as the REST API or something else that is new to WP 4.7.  Logically the same Query String whitelisting method could also be used for any other plugins that are now also posting directly to the wp-load.php file, which would slim the attack vector down nicely instead of allowing anything/anyone to POST to the wp-load.php file.

    # Whitelist ManageWP POST Request to wp-load.php by Query String
    RewriteCond %{QUERY_STRING} !^mwprid=(.*) [NC]
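
The following is an added example, not code from BPS, ManageWP or anyone in this thread: a small Python model of how mod_rewrite walks a RewriteCond/RewriteRule chain (all conditions of a rule ANDed, `!` negation, `[NC]`, `[S=n]` skip, `[F]`), used to compare the three whitelisting variants discussed above: the blanket wp-load.php whitelist, the IP + wp-load.php skip rule, and the query-string condition suggested in the last reply. It assumes every RewriteRule pattern (`^(.*)$` or `.`) matches so only the conditions decide, uses one ManageWP address and the `mwprid` value from the Security Log entry posted above, and follows the documented mod_rewrite semantics only; it does not explain why the IP-based skip rule failed on James's server, which the thread leaves unresolved.

```python
import re
from dataclasses import dataclass

# Added example (not BPS or ManageWP code): a toy model of mod_rewrite
# condition evaluation. Assumption: the RewriteRule pattern always matches.

@dataclass
class Cond:
    var: str                # server variable, e.g. "REQUEST_URI"
    pattern: str            # regex exactly as written in .htaccess
    negate: bool = False    # leading "!"
    nocase: bool = False    # [NC]

    def holds(self, req):
        value = req.get(self.var, "")
        hit = re.search(self.pattern, value, re.I if self.nocase else 0) is not None
        return hit != self.negate

@dataclass
class Rule:
    conds: list
    forbid: bool = False    # [F]
    skip: int = 0           # [S=n]

def evaluate(rules, req):
    """Return 403 if a [F] rule fires, else 200. All conds of a rule are ANDed;
    a matching [S=n] rule skips the next n rules in the chain."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        if all(c.holds(req) for c in rule.conds):
            if rule.forbid:
                return 403
            i += rule.skip
        i += 1
    return 200

MANAGEWP_IP = r"^(54\.191\.137\.17)$"   # one address from the list in this thread

def post_protection(extra=()):
    """Abridged BPS POST Request Attack Protection block plus any extra conds."""
    not_uri = lambda p: Cond("REQUEST_URI", p, negate=True, nocase=True)
    return Rule([Cond("REQUEST_METHOD", "POST", nocase=True),
                 not_uri(r"^.*/wp-admin/"), not_uri(r"^.*/wp-cron.php"),
                 not_uri(r"^.*/wp-login.php"), not_uri(r"^.*/xmlrpc.php"),
                 not_uri(r"^.*/wp-comments-post.php"), *extra], forbid=True)

# Variant A: blanket wp-load.php whitelist (any address may POST there).
blanket = [post_protection([Cond("REQUEST_URI", r"^.*/wp-load.php", True, True)])]
# Variant B: skip rule keyed on ManageWP IP + wp-load.php, then the block.
skip_ip = [Rule([Cond("REQUEST_METHOD", "POST", nocase=True),
                 Cond("REMOTE_ADDR", MANAGEWP_IP),
                 Cond("REQUEST_URI", r"^.*/wp-load.php", nocase=True)], skip=1),
           post_protection()]
# Variant C: query-string whitelist (the last reply's suggestion).
qs = [post_protection([Cond("QUERY_STRING", r"^mwprid=(.*)", True, True)])]

# Constructed requests. In mod_rewrite %{REQUEST_URI} is the path only and the
# query lives in %{QUERY_STRING}, however the Security Log displays them.
managewp = {"REQUEST_METHOD": "POST", "REMOTE_ADDR": "54.191.137.17",
            "REQUEST_URI": "/wp-load.php",
            "QUERY_STRING": "mwprid=58789fde148310.77805311"}
other = {"REQUEST_METHOD": "POST", "REMOTE_ADDR": "198.51.100.7",   # constructed
         "REQUEST_URI": "/wp-load.php", "QUERY_STRING": ""}

def compare():
    """(ManageWP result, unrelated POST result) for each variant."""
    return {name: (evaluate(rules, managewp), evaluate(rules, other))
            for name, rules in [("blanket", blanket), ("skip_ip", skip_ip), ("qs", qs)]}

if __name__ == "__main__":
    for name, (mwp, oth) in compare().items():
        print(f"{name:8} ManageWP={mwp} other={oth}")
```

Only the blanket variant lets the unrelated POST through, which is the exposure the last reply's query-string condition is meant to remove.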