ManageWP Backups Blocked by BPS Pro

Home Forums BulletProof Security Pro ManageWP Backups Blocked by BPS Pro

This topic contains 26 replies, has 2 voices, and was last updated by  AITpro Admin 1 week, 3 days ago.

Viewing 15 posts - 1 through 15 (of 27 total)
  • Author
    Posts
  • #38265

    Living Miracles
    Participant

    Hello,

    We recently started having some issues with our ManageWP backups and contacted them about this. They sent us the following in response which includes a screenshot of the BPS Pro 403 Forbidden error page:

    I took a look at our logs for the websites that you mentioned and I could see the following error message – The server at https://websiteURL/?execute_php_code responded with a “403 Forbidden”, please make sure that the server is not blocking our requests. Please see the screenshot of the response: http://prntscr.com/pyg9e6

    I read your https://forum.ait-pro.com/forums/topic/managewp-read-me-first/ post, but it doesn’t address backup issues.

    Could you tell me how we can whitelist ManageWP in BPS Pro so the backups start working again? I don’t see anything in our Security Error Log or PHP Error Log that indicates what is getting blocked.

    Thank you!

    #38267

    AITpro Admin
    Keymaster

    Typically a HEAD Request is made as a test connection test and BPS specifically blocks HEAD Requests because hackers and spammers use HEAD Request tests as well before they launch a full scale attack.  Post the Security Log entry that shows what was blocked regarding the ManageWP test, which I assume was a HEAD Request.

    #38269

    Living Miracles
    Participant

    Hi there,

    Thanks! Unfortunately, I’m not able to find a Security Log entry that shows ManageWP getting blocked. All I have is the screenshot they provided: http://prntscr.com/pyg9e6

    I have asked them to tell me more about the action ManageWP is trying to accomplish/certain file they’re trying to access or execute. So perhaps when they respond, this will help! Let me know if you have any other thoughts for now though!

    Thank you!

    #38270

    AITpro Admin
    Keymaster

    Ok well I don’t have much to go on so I’m going to take a guess that you need to allow all HEAD Requests > https://forum.ait-pro.com/forums/topic/itunes-cannot-read-feed/#post-2787

    #38271

    Living Miracles
    Participant

    Hi,

    Thank you. They’ve just responded with the following:

    We use POST and GET methods to make the backups. Usually, you can whitelist IPs in security plugins by accessing the section Whitelist IPs, Blocked IPs or similar. If you are not sure how to do that, it’s best to contact BulletProof Security Pro support, they will surely be able to assist you.

    Does that help in any way?

    #38272

    AITpro Admin
    Keymaster

    Do the BPS Pro troubleshooting steps and let me know which BPS Pro feature is causing the 403 error > https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    #38278

    Living Miracles
    Participant

    Hi there,

    Unfortunately, I don’t think I’ll be able to troubleshoot this myself, as I cannot recreate the error that ManageWP is seeing on their end during the backups. Here’s what they said:

    We are seeing that [error] in our internal tool, and it is something that cannot be shared. However, I will provide you with a more detailed response we are getting. The response is the same for these websites, only the URL changes, so I think there is no need to send all of them. 🙂

    The response we are getting is:

    ===== RESPONSE 0-1102 =====

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/<wbr />DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/<wbr />xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>403 Forbidden</title> <style type="text/css"> <!-- body { /* Notes: */ /* If you want to add a background image uncomment the CSS properties below */ /* background-image:url(http://<wbr />www.example.com/path-to-some-<wbr />image-file/example-image-file.<wbr />jpg); /* /* background-repeat:repeat; */ background-color:#CCCCCC; line-height: normal; } #bpsMessage { text-align:center; background-color: #F7F8F9; border:5px solid #000000; padding:10px; } p { font-family: Verdana, Arial, Helvetica, sans-serif; font-size:18px; font-weight:bold; } --> </style> </head> <body> <div id="bpsMessage"> <p>example.com 403 Forbidden Error Page</p> <p>If you arrived here due to a search or clicking on a link click your Browser's back button to return to the previous page. Thank you.</p> <p>IP Address: 192.88.134.15</p> </div> </body> </html>

    Can we not just whitelist ManageWP generally in BPS Pro, so their processes can happen without interference. They’re trying to do POST and GET requests. Can I get any more specific information from ManageWP that will help you help me troubleshoot this issue?

    #38279

    AITpro Admin
    Keymaster

    What needs to happen first is to isolate which BPS Pro security feature is causing the problem.  Do the BPS Pro troubleshooting steps and let me know which BPS Pro feature is causing the 403 error > https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    It’s going to be 1 of these 4 things…

    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
    2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.  See Custom Code Note if doing this step works.
    3. On the Security Modes page, click the Plugin Firewall BulletProof Mode Deactivate button.  See Plugin Firewall Test Mode Note.
    4. On the Security Modes page, click the UAEG BulletProof Mode Deactivate button.

    #38282

    Living Miracles
    Participant

    Hi,

    Thank you. Ok, I’ve gone through the troubleshooting and tried running a manual backup after each change.

    It seems the cause is not with wp-admin Folder BulletProof Mode, Plugin Firewall BulletProof Mode, or UAEG BulletProof Mode, but rather is with the root .htaccess code. I’ve gone through the other troubleshooting steps to isolate which Custom Code is causing the issue. We have added code to Box 1, 8, 9, 11, and 12. I removed the code one-by-one from the bottom up, and it seems our Box 8 code is causing the problem for the ManageWP backups. I added all code back to all the boxes except box 8 and tried another ManageWP backup manually, which completed successfully.

    Here is our Box 8 Custom Code:

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Rewrites to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    
    # BPS POST REQUEST ATTACK PROTECTION
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Whitelist ManageWP POST Request to wp-load.php by Query String
    RewriteCond %{QUERY_STRING} !^mwprid=(.*) [NC]
    # Whitelist WP JSON POST-related Requests by Query String to prevent Gutenberg from breaking
    RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
    # Whitelist Divi contact form URI POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact-us-about-acim-resources/ [NC]
    RewriteRule ^(.*)$ - [F]

    Can you see what is in here that would stop the ManageWP backups from completing?
    Thank you!

    #38283

    AITpro Admin
    Keymaster

    Ok perfect.  So what is happening is that ManageWP is making a POST Request, which is being blocked by the BPS POST Attack Protection code.  Unfortunately, there is not a Security Log entry to figure out exactly what is being blocked so that a whitelist rule can be created from that Security Log entry.  The most logical guess would be that ManageWP is making a POST Request to the root of your website URI.  Typically there would be a Query String in the POST Request to the root of your site URI that could be used to create a whitelist rule.  I wonder if ManageWP could confirm that and give you the Query String they use in their POST Request so that you can create a whitelist rule. If they can’t do that then your only available option is to not use the BPS POST Attack Protection code.

    This code below should not be in Custom Code text box #8.  Cut and paste it into this Custom Code text box: 14. CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE

    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Rewrites to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    #38284

    Living Miracles
    Participant

    Ok, awesome! I will pass on what you wrote to ManageWP, and thanks for the note about the WP AUTHOR ENUMERATION BOT PROBE PROTECTION code. We’ll make sure to clean that up and put it in the right box (14) on our sites. Will keep you posted about ManageWP’s response.

    #38285

    Living Miracles
    Participant

    ManageWP just responded:

    The way we try to connect to your website is via POST requests through the /wp-load.php* page on your website, we send this request from our Management IP address, 54.191.137.17, and we try to reach your website over the port 80 or 443.

    Does this help at all? We have the following code in Box 8 already:

    # Whitelist ManageWP POST Request to wp-load.php by Query String
    RewriteCond %{QUERY_STRING} !^mwprid=(.*) [NC]

    But maybe that’s no longer a viable solution. It has always worked for us before.

    #38286

    AITpro Admin
    Keymaster

    Hmm they are using a pretty standard method to ping the site minus using a Query String in the URI.  This might do the trick below.  Give it a try and let me know if it works or not. This is going to have to use a Skip rule, otherwise you would end up blocking POST Requests from all other IP addresses.

    # IMPORTANT - This Skip rule MUST be at the very top of the BPS POST Attack Protection code
    # right after the first POST condition as shown below.
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # Whitelist/Skip the ManageWP API server POST Request
    RewriteCond %{REMOTE_ADDR} !^(54.191.137.17) [NC]
    RewriteRule . - [S=1]
    ...
    ...
    ...
    # this is just an example visually. don't use this code below.
    # bbPress/BuddyPress Members/profile form
    RewriteCond %{REQUEST_URI} !^.*/members/ [NC]
    # bbPress/BuddyPress Activate User Account URL/form
    RewriteCond %{REQUEST_URI} !^.*/activate/.* [NC]
    RewriteRule ^(.*)$ - [F]
    #38287

    AITpro Admin
    Keymaster

    Oops that rule should be this instead.

    # IMPORTANT - This Skip rule MUST be at the very top of the BPS POST Attack Protection code
    # right after the first POST condition as shown below.
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # Whitelist/Skip the ManageWP API server POST Request
    RewriteCond %{REMOTE_ADDR} ^(54.191.137.17) [NC]
    RewriteRule . - [S=1]
    ...
    ...
    ...
    # this is just an example visually. don't use this code below.
    # bbPress/BuddyPress Members/profile form
    RewriteCond %{REQUEST_URI} !^.*/members/ [NC]
    # bbPress/BuddyPress Activate User Account URL/form
    RewriteCond %{REQUEST_URI} !^.*/activate/.* [NC]
    RewriteRule ^(.*)$ - [F]
    #38288

    Living Miracles
    Participant

    Ok, great. So the whole code in Box 8 would look like this on my end? I added the skip rule right after “RewriteCond %{REQUEST_METHOD} POST [NC]”.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # BPS POST REQUEST ATTACK PROTECTION
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # Whitelist/Skip the ManageWP API server POST Request
    RewriteCond %{REMOTE_ADDR} !^(54.191.137.17) [NC]
    RewriteRule . - [S=1]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Whitelist ManageWP POST Request to wp-load.php by Query String
    RewriteCond %{QUERY_STRING} !^mwprid=(.*) [NC]
    # Whitelist WP JSON POST-related Requests by Query String to prevent Gutenberg from breaking
    RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
    # Whitelist Divi contact form URI POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact-us-about-acim-resources/ [NC]
    RewriteRule ^(.*)$ - [F]
Viewing 15 posts - 1 through 15 (of 27 total)

You must be logged in to reply to this topic.