Topic: ManageWP Backups Blocked by BPS Pro | BulletProof Security Forum

ManageWP Backups Blocked by BPS Pro

This topic has 28 replies, 2 voices, and was last updated 4 years, 4 months ago by AITpro Admin.

Viewing 15 posts - 1 through 15 (of 29 total)

1 2 →

Author

Posts
November 23, 2019 at 4:15 pm #38265
Living Miracles
Participant

Hello,

We recently started having some issues with our ManageWP backups and contacted them about this. They sent us the following in response which includes a screenshot of the BPS Pro 403 Forbidden error page:

I took a look at our logs for the websites that you mentioned and I could see the following error message – The server at https://websiteURL/?execute_php_code responded with a “403 Forbidden”, please make sure that the server is not blocking our requests. Please see the screenshot of the response: http://prntscr.com/pyg9e6

I read your https://forum.ait-pro.com/forums/topic/managewp-read-me-first/ post, but it doesn’t address backup issues.

Could you tell me how we can whitelist ManageWP in BPS Pro so the backups start working again? I don’t see anything in our Security Error Log or PHP Error Log that indicates what is getting blocked.

Thank you!
November 23, 2019 at 7:11 pm #38267
AITpro Admin
Keymaster

Typically a HEAD Request is made as a test connection test and BPS specifically blocks HEAD Requests because hackers and spammers use HEAD Request tests as well before they launch a full scale attack. Post the Security Log entry that shows what was blocked regarding the ManageWP test, which I assume was a HEAD Request.
November 23, 2019 at 7:54 pm #38269
Living Miracles
Participant

Hi there,

Thanks! Unfortunately, I’m not able to find a Security Log entry that shows ManageWP getting blocked. All I have is the screenshot they provided: http://prntscr.com/pyg9e6

I have asked them to tell me more about the action ManageWP is trying to accomplish/certain file they’re trying to access or execute. So perhaps when they respond, this will help! Let me know if you have any other thoughts for now though!

Thank you!
November 23, 2019 at 8:05 pm #38270
AITpro Admin
Keymaster

Ok well I don’t have much to go on so I’m going to take a guess that you need to allow all HEAD Requests > https://forum.ait-pro.com/forums/topic/itunes-cannot-read-feed/#post-2787
November 23, 2019 at 8:30 pm #38271
Living Miracles
Participant

Hi,

Thank you. They’ve just responded with the following:

We use POST and GET methods to make the backups. Usually, you can whitelist IPs in security plugins by accessing the section Whitelist IPs, Blocked IPs or similar. If you are not sure how to do that, it’s best to contact BulletProof Security Pro support, they will surely be able to assist you.

Does that help in any way?
November 24, 2019 at 8:16 am #38272
AITpro Admin
Keymaster

Do the BPS Pro troubleshooting steps and let me know which BPS Pro feature is causing the 403 error > https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
November 24, 2019 at 11:30 am #38278
Living Miracles
Participant
Hi there,

Unfortunately, I don’t think I’ll be able to troubleshoot this myself, as I cannot recreate the error that ManageWP is seeing on their end during the backups. Here’s what they said:

We are seeing that [error] in our internal tool, and it is something that cannot be shared. However, I will provide you with a more detailed response we are getting. The response is the same for these websites, only the URL changes, so I think there is no need to send all of them. 🙂

The response we are getting is:

===== RESPONSE 0-1102 =====
```
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/<wbr />DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/<wbr />xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>403 Forbidden</title> <style type="text/css">  </style> </head> <body> <div id="bpsMessage"> <p>example.com 403 Forbidden Error Page</p> <p>If you arrived here due to a search or clicking on a link click your Browser's back button to return to the previous page. Thank you.</p> <p>IP Address: 192.88.134.15</p> </div> </body> </html>
```
Can we not just whitelist ManageWP generally in BPS Pro, so their processes can happen without interference. They’re trying to do POST and GET requests. Can I get any more specific information from ManageWP that will help you help me troubleshoot this issue?
November 24, 2019 at 11:41 am #38279
AITpro Admin
Keymaster

What needs to happen first is to isolate which BPS Pro security feature is causing the problem. Do the BPS Pro troubleshooting steps and let me know which BPS Pro feature is causing the 403 error > https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

It’s going to be 1 of these 4 things…

1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
3. On the Security Modes page, click the Plugin Firewall BulletProof Mode Deactivate button. See Plugin Firewall Test Mode Note.
4. On the Security Modes page, click the UAEG BulletProof Mode Deactivate button.
November 24, 2019 at 2:04 pm #38282
Living Miracles
Participant
Hi,

Thank you. Ok, I’ve gone through the troubleshooting and tried running a manual backup after each change.

It seems the cause is not with wp-admin Folder BulletProof Mode, Plugin Firewall BulletProof Mode, or UAEG BulletProof Mode, but rather is with the root .htaccess code. I’ve gone through the other troubleshooting steps to isolate which Custom Code is causing the issue. We have added code to Box 1, 8, 9, 11, and 12. I removed the code one-by-one from the bottom up, and it seems our Box 8 code is causing the problem for the ManageWP backups. I added all code back to all the boxes except box 8 and tried another ManageWP backup manually, which completed successfully.

Here is our Box 8 Custom Code:
```
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# Rewrites to author=999999 that does not actually exist
# which results in a standard 404 error. To the hacker bot
# it appears that this author does not exist without giving
# any clues that the author does actually exist.
RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]

# BPS POST REQUEST ATTACK PROTECTION
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
# RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
# RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Whitelist ManageWP POST Request to wp-load.php by Query String
RewriteCond %{QUERY_STRING} !^mwprid=(.*) [NC]
# Whitelist WP JSON POST-related Requests by Query String to prevent Gutenberg from breaking
RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
# Whitelist Divi contact form URI POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact-us-about-acim-resources/ [NC]
RewriteRule ^(.*)$ - [F]
```
Can you see what is in here that would stop the ManageWP backups from completing?
Thank you!
November 24, 2019 at 2:29 pm #38283
AITpro Admin
Keymaster
Ok perfect. So what is happening is that ManageWP is making a POST Request, which is being blocked by the BPS POST Attack Protection code. Unfortunately, there is not a Security Log entry to figure out exactly what is being blocked so that a whitelist rule can be created from that Security Log entry. The most logical guess would be that ManageWP is making a POST Request to the root of your website URI. Typically there would be a Query String in the POST Request to the root of your site URI that could be used to create a whitelist rule. I wonder if ManageWP could confirm that and give you the Query String they use in their POST Request so that you can create a whitelist rule. If they can’t do that then your only available option is to not use the BPS POST Attack Protection code.

This code below should not be in Custom Code text box #8. Cut and paste it into this Custom Code text box: 14. CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
```
# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# Rewrites to author=999999 that does not actually exist
# which results in a standard 404 error. To the hacker bot
# it appears that this author does not exist without giving
# any clues that the author does actually exist.
RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]
```
November 24, 2019 at 2:33 pm #38284
Living Miracles
Participant

Ok, awesome! I will pass on what you wrote to ManageWP, and thanks for the note about the WP AUTHOR ENUMERATION BOT PROBE PROTECTION code. We’ll make sure to clean that up and put it in the right box (14) on our sites. Will keep you posted about ManageWP’s response.
November 24, 2019 at 2:59 pm #38285
Living Miracles
Participant
ManageWP just responded:

The way we try to connect to your website is via POST requests through the /wp-load.php* page on your website, we send this request from our Management IP address, 54.191.137.17, and we try to reach your website over the port 80 or 443.

Does this help at all? We have the following code in Box 8 already:
```
# Whitelist ManageWP POST Request to wp-load.php by Query String
RewriteCond %{QUERY_STRING} !^mwprid=(.*) [NC]
```
But maybe that’s no longer a viable solution. It has always worked for us before.
November 24, 2019 at 3:13 pm #38286
AITpro Admin
Keymaster
Hmm they are using a pretty standard method to ping the site minus using a Query String in the URI. This might do the trick below. Give it a try and let me know if it works or not. This is going to have to use a Skip rule, otherwise you would end up blocking POST Requests from all other IP addresses.
```
# IMPORTANT - This Skip rule MUST be at the very top of the BPS POST Attack Protection code
# right after the first POST condition as shown below.
RewriteCond %{REQUEST_METHOD} POST [NC]
# Whitelist/Skip the ManageWP API server POST Request
RewriteCond %{REMOTE_ADDR} !^(54.191.137.17) [NC]
RewriteRule . - [S=1]
...
...
...
# this is just an example visually. don't use this code below.
# bbPress/BuddyPress Members/profile form
RewriteCond %{REQUEST_URI} !^.*/members/ [NC]
# bbPress/BuddyPress Activate User Account URL/form
RewriteCond %{REQUEST_URI} !^.*/activate/.* [NC]
RewriteRule ^(.*)$ - [F]
```
November 24, 2019 at 3:14 pm #38287
AITpro Admin
Keymaster
Oops that rule should be this instead.
```
# IMPORTANT - This Skip rule MUST be at the very top of the BPS POST Attack Protection code
# right after the first POST condition as shown below.
RewriteCond %{REQUEST_METHOD} POST [NC]
# Whitelist/Skip the ManageWP API server POST Request
RewriteCond %{REMOTE_ADDR} ^(54.191.137.17) [NC]
RewriteRule . - [S=1]
...
...
...
# this is just an example visually. don't use this code below.
# bbPress/BuddyPress Members/profile form
RewriteCond %{REQUEST_URI} !^.*/members/ [NC]
# bbPress/BuddyPress Activate User Account URL/form
RewriteCond %{REQUEST_URI} !^.*/activate/.* [NC]
RewriteRule ^(.*)$ - [F]
```
November 24, 2019 at 5:32 pm #38288
Living Miracles
Participant
Ok, great. So the whole code in Box 8 would look like this on my end? I added the skip rule right after “RewriteCond %{REQUEST_METHOD} POST [NC]”.
```
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# BPS POST REQUEST ATTACK PROTECTION
RewriteCond %{REQUEST_METHOD} POST [NC]
# Whitelist/Skip the ManageWP API server POST Request
RewriteCond %{REMOTE_ADDR} !^(54.191.137.17) [NC]
RewriteRule . - [S=1]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
# RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
# RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Whitelist ManageWP POST Request to wp-load.php by Query String
RewriteCond %{QUERY_STRING} !^mwprid=(.*) [NC]
# Whitelist WP JSON POST-related Requests by Query String to prevent Gutenberg from breaking
RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
# Whitelist Divi contact form URI POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact-us-about-acim-resources/ [NC]
RewriteRule ^(.*)$ - [F]
```
Author

Posts

Viewing 15 posts - 1 through 15 (of 29 total)

1 2 →

You must be logged in to reply to this topic.

BulletProof Security Forum

ManageWP Backups Blocked by BPS Pro

Search Forums

Topic Tags