Membership Pro Ultimate WP – 403 error

  • #31557
    AW
    Participant

    Hello BPS,

    I encounter errors when I log in via Social Network via the Membership Pro Ultimate WP.
    I have 2 websites using the plugin and it works absolutely fine on the first website ( http://www.maincuisine.com )
    The new website which I just installed encounters error 403 ( http://www.sixpecs.com )
    Here’s the whitelist caption for sixpecs.com

    /contact-form-7/includes/js/scripts.js, /contact-form-7/includes/js/jquery.form.min.js, /wp-fastest-cache/js/toolbar.js, /indeed-membership-pro/assets/js/jquery.uploadfile.min.js, /indeed-membership-pro/assets/js/functions.js, /jetpack/modules/wpgroho.js, /wpmu-dev-facebook/js/wdfb_facebook_login.js, /jetpack/_inc/twitter-timeline.js, /jetpack/modules/sharedaddy/sharing.js, /jetpack/modules/related-posts/related-posts.js, /jetpack/modules/photon/photon.js, /jetpack/_inc/postmessage.js, /jetpack/_inc/jquery.jetpack-resize.js, /jetpack/_inc/jquery.inview.js, /jetpack/modules/likes/queuehandler.js, /jetpack/_inc/spin.js, /jetpack/_inc/jquery.spin.js, /jetpack/modules/tiled-gallery/tiled-gallery/tiled-gallery.js, /jetpack/modules/carousel/jetpack-carousel.js, /jetpack/modules/minileven/theme/pub/minileven/js/small-menu.js, /jetpack/modules/sso/jetpack-sso-login.js, /jetpack/modules/holiday-snow/snowstorm.js, /jetpack/modules/widgets/gallery/js/admin.js, /jetpack/modules/widgets/gallery/js/gallery.js, /jetpack/modules/shortcodes/js/slideshow-shortcode.js, /jetpack/modules/shortcodes/js/jquery.cycle.js, /indeed-membership-pro//public/social_handler.php

    Thanks man and appreciate your work and effort.
    Looking forward to your reply.

    Regards,
    Alex

    #31558
    AITpro Admin
    Keymaster

    Go to your Security Log and post the Security Log entry that shows what is being blocked.

    BPS Pro Troubleshooting Steps:  https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    #31559
    AW
    Participant

    Hi BPS,

    Here’s the security log:-

    [403 GET Request: December 5, 2016 2:36 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 183.78.63.148
    Host Name: 183.78.63.148
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://sixpecs.com/ready-to-workout/
    REQUEST_URI: /wp-content/plugins/indeed-membership-pro//public/social_handler.php?sm_login=fb&ihc_current_url=http%3A%2F%2Fsixpecs.com%2Fready-to-workout%2F
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

    I browsed the: https://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/
    I followed the section :-
    Troubleshooting: Reset|Clear The Plugin Firewall (fixes most if not all Plugin Firewall issues/problems)

    Note: To find out if an issue/problem is related to or being caused by the Plugin Firewall do BPS Pro troubleshooting step #3 in the BPS Pro troubleshooting link: https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    Fix all general Plugin Firewall issues/problems:
    [outdated steps removed]

    The error still exists.
    Please guide, thanks man.

    Regards,
    Alex

    #31560
    AITpro Admin
    Keymaster

    [deleted – incorrect solution]

    #31561
    AW
    Participant

    Hi BPS,

    I did as advised :- (Copied into CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE: and replaced with my domain )
    Result :
    Unfortunately it returned the same error. Fb, twitter, google and tumblr return error 404
    Here’s the URL that returns the error :-
    http://sixpecs.com/wp-content/plugins/indeed-membership-pro//public/social_handler.php?sm_login=tw&ihc_current_url=http%3A%2F%2Fsixpecs.com%2Fready-to-workout%2F

    Note:
    The same plugin and version is installed on maincuisine.com (with BPS) and it works fine. Do you need me to copy anything from maincuisine.com for you to refer to and advise?

    Looking forward to your reply.

    Regards,

    Alex

    #31566
    AITpro Admin
    Keymaster

    Do BPS Pro Troubleshooting Step #1 and test, then do #2 and test and then do #3 and test:  https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting  Let me know which troubleshooting step allows things to work without being blocked.

    #31574
    AW
    Participant

    Hello BPS,

    I did what you recommended. Tried to deactivate #1 #2 and #3 and log in via social media. It works fine!
    Then I re-activated #1 #2 and #3 and it still works !
    I guess it solved the issue.
    Thanks again mate and truly, you did a good job man on securing WP platform users. (tho it's a lil bit of programming needed, but awesome guide from you)
    All the best in improvement of BPS !

    Best regards,

    Alex

    #31575
    AW
    Participant

    Hello BPS,

    It's regarding the same matter, it works well on desktop for social network login.
    I just tried to view via Mobile (iPhone) and log in using Social Network, however the error page appears ( 403 Forbidden Page ).
    Is it because when I deactivated #1 #2 and #3, I clicked login social network via desktop BUT I did not try to log in via Mobile?
    Shall I deactivate #1, #2 and #3 and click all the plugins/forms from desktop and mobile?
    Looking forward to your reply.

    Regards,

    Alex

    #31577
    AITpro Admin
    Keymaster

    The troubleshooting steps are only for troubleshooting to isolate exactly which BPS Pro feature is causing the problem.  The troubleshooting steps are not designed to automatically fix anything.  I still see the 403 error when trying to use facebook login connect on your website.  At this point, create a temporary WordPress Administrator login to this website and send it to:  info at ait-pro dot com.  I will figure out what needs to be done to fix this problem.

    #31578
    AW
    Participant

    Hello BPS,

    Temporary admin created and just emailed to you.
    Thanks mate!

    Regards,

    Alex

    #31580
    AITpro Admin
    Keymaster

    I have not received your email yet.  Did you send it to the correct email address?  [email address deleted]

    #31582
    AW
    Participant

    Hello,

    Just resent again via desktop. Thanks

    #31585
    AITpro Admin
    Keymaster

    Ok the problem is fixed.  The Indeed Membership Pro plugin has a coding mistake that is adding double slashes // to this file path:  /indeed-membership-pro//public/social_handler.php, which is not a valid path and which was breaking the Plugin Firewall and in turn breaking the Social login connect feature in the Indeed Membership Pro plugin.  Plugin Firewall AutoPilot creates the bad whitelist rule based on the coding mistake in the Indeed Membership Pro plugin.  We have actually already created a solution for this in BPS Pro 12.5, which looks for coding mistakes in other plugins and then automatically creates only valid Plugin Firewall whitelist rules even when other plugins have coding mistakes in them.

    Solution:  Manually created a Plugin Firewall whitelist rule that uses RegEx code:  /indeed-membership-pro/(.*)social_handler.php

    Note:  AutoPilot Mode in BPS Pro 12.4.1 will still create the additional bad/invalid whitelist rule, but as long as a good/valid whitelist rule also exists then everything works fine.  In BPS Pro 12.5 any invalid/bad whitelist rules due to coding mistakes in other plugins are not created at all.

    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: December 6, 2016 - 5:12 pm]
    Whitelist Rule: /wp-fastest-cache/js/toolbar.js
    Whitelist Rule: /jetpack/_inc/spin.js
    Whitelist Rule: /jetpack/modules/tiled-gallery/tiled-gallery/tiled-gallery.js
    Whitelist Rule: /indeed-membership-pro//public/social_handler.php
    Whitelist Rule: /jetpack/_inc/jquery.spin.js
    Whitelist Rule: /jetpack/modules/carousel/jetpack-carousel.js
    Whitelist Rule: /google-publisher/js/previewloader.js
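
The whitelist problem described in the post above, as an added example that is not part of the thread and is not BPS Pro's code: it derives a rule from the logged REQUEST_URI with repeated slashes collapsed, flags rules containing `//`, and compares the thread's RegEx rule with a narrower one. It assumes a rule is a regular expression matched against the end of the request path (an assumed matching model); `TIGHT_RULE` and `OTHER_PATH` are hypothetical.

```python
import re

PLUGINS_DIR = "/wp-content/plugins"  # plugins folder as seen in the logged REQUEST_URI
# REQUEST_URI copied from the Security Log entry quoted in the thread.
LOGGED_URI = (
    "/wp-content/plugins/indeed-membership-pro//public/social_handler.php"
    "?sm_login=fb&ihc_current_url=http%3A%2F%2Fsixpecs.com%2Fready-to-workout%2F")
# Rules copied from the AutoPilot log entry quoted in the thread.
AUTOPILOT_RULES = [
    "/wp-fastest-cache/js/toolbar.js",
    "/jetpack/_inc/spin.js",
    "/jetpack/modules/tiled-gallery/tiled-gallery/tiled-gallery.js",
    "/indeed-membership-pro//public/social_handler.php",
    "/jetpack/_inc/jquery.spin.js",
    "/jetpack/modules/carousel/jetpack-carousel.js",
    "/google-publisher/js/previewloader.js",
]
PAGE_RULE = r"/indeed-membership-pro/(.*)social_handler.php"        # rule given in the thread
TIGHT_RULE = r"/indeed-membership-pro/+public/social_handler\.php"  # hypothetical narrower rule
# Constructed path, used only to show how much each rule covers.
OTHER_PATH = PLUGINS_DIR + "/indeed-membership-pro/includes/backup_social_handler.php"

def rule_from_request(request_uri):
    """Turn a logged REQUEST_URI into a rule path relative to the plugins
    folder, dropping the query string and collapsing repeated slashes."""
    path = re.sub(r"/{2,}", "/", request_uri.split("?", 1)[0])
    if not path.startswith(PLUGINS_DIR + "/"):
        return None  # not a request for a plugin file
    return path[len(PLUGINS_DIR):]

def invalid_rules(rules):
    """Return the rules that contain an empty path segment ('//')."""
    return [rule for rule in rules if "//" in rule]

def rule_allows(rule, request_path):
    """Assumed model: the rule is a regex that must match at the end of the path."""
    return re.search(f"(?:{rule})$", request_path) is not None

if __name__ == "__main__":
    logged_path = LOGGED_URI.split("?", 1)[0]
    print("normalized rule:", rule_from_request(LOGGED_URI))
    print("invalid rules:", invalid_rules(AUTOPILOT_RULES))
    for name, rule in (("thread rule", PAGE_RULE), ("narrower rule", TIGHT_RULE)):
        print(name, "| logged path:", rule_allows(rule, logged_path),
              "| other file:", rule_allows(rule, OTHER_PATH))
```

The narrower rule escapes the dot and pins the `public/` directory, so it covers both the single-slash and double-slash forms of the handler path without covering other files in the plugin whose names end in `social_handler.php`.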

    #31664
    AW
    Participant

    Hello BPS,

    Thanks for the solution !
    I did realize the “//” in the URL when it showed error 403.
    As you advised, I put the “/indeed-membership-pro/(.*)social_handler.php” into the Plugin Firewall Whitelist Tools > Activate it.
    Just to understand more, the:-

    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: December 6, 2016 - 5:12 pm]
    Whitelist Rule: /wp-fastest-cache/js/toolbar.js
    Whitelist Rule: /jetpack/_inc/spin.js
    Whitelist Rule: /jetpack/modules/tiled-gallery/tiled-gallery/tiled-gallery.js
    Whitelist Rule: /indeed-membership-pro//public/social_handler.php
    Whitelist Rule: /jetpack/_inc/jquery.spin.js
    Whitelist Rule: /jetpack/modules/carousel/jetpack-carousel.js
    Whitelist Rule: /google-publisher/js/previewloader.js

    which you wrote in the previous message, shall I leave it as it is?
    In addition, the BPS Pro Plugin version 12.5 is not available yet? I did the Manual Upgrade Check but it does not show any latest version.
    Thanks again.

    Regards,
    Alex

    #31665
    AITpro Admin
    Keymaster

    I was telling you that I already did that/added the whitelist rule already.  So you did not need to do the same thing/add the whitelist rule again.  Yes, you can leave the Security Log entry for AutoPilot Mode in the Security Log and do not need to do anything with it.
