Post comments 403 Error, malformed Query String

Home Forums BulletProof Security Pro Post comments 403 Error, malformed Query String

Viewing 10 posts - 1 through 10 (of 10 total)
  • Author
  • #5626
    AITpro Admin

    BPS Pro Question – Topic copied from the site:


    After updating to the latest BPS version there is a 403 Error when you try to post a comment. Commenting does not work on my IP, even if I am logged in as admin, and not for any other users either. The error is happening on Firefox, Chrome, and Safari and appears as:

    You don’t have permission to access /blog-article-title/ on this server.
    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

    I have already tried commenting out and even deleting the entire # FORBID COMMENT SPAMMERS ACCESS TO YOUR wp-comments-post.php FILE code in the root htacces, but it doesn’t work at all. I keep getting the same error.

    Also tried adding a skip rule, but it only made the BPS Error page appear. The actual error was the same.

    To clarify, the actual comment WILL appear if the page is refreshed and if you try to re-enter the same comment the duplicate comment alert works. But strangely, it’s showing the user a 403 when submitting the comment.

    FYI: We’re using the paid BPS Pro version on wordpress 3.5.1. The host is LiquidWeb and the site works 100% fine with htaccess permissions of 404 and 644 — so I don’t think that’s the issue. Lock/unlock works without any issues from within the BPS console. We’re also using W3TC but it does not touch comments at all.

    We’ve tried pretty much all of the trouble shooting tips available in the forums, but nothing works so far.

    Hope you can help! We’d like to get comments again. Thanks in advance!

    AITpro Admin

    What WordPress site type do you have?  Standard single installation of WordPress?  Network/Multisite?  BuddyPress?

    Are you using a comment plugin?

    AITpro Admin

    Please post any errors that you see in your BPS Pro Security Log file that are related to this issue/problem.


    Thanks for the reply. It’s a single WordPress install. No multisite or buddypress. No comment plugins and no errors regarding the comments issue in the security log. Only typical spambots there as far as I can tell. The comment appears for moderation as usual, but only shows the 403 error on the user side during submission.

    AITpro Admin

    Hmm no errors in the Security Log that is odd.  Post a link to the site so I can see what is happening.


    Thanks for the fast reply. Please see email for direct link and we can continue here. Thanks!

    AITpro Admin

    Ok the problem is this.  Either your Theme or your WordPress installation type is creating malformed/bad Query strings for your comment form, which are being blocked by BPS because they match a hacking pattern.  I cannot tell which WordPress installation type you have (single standard, Network, BuddyPress, etc).

    The malformed Query String is this:  ?#comment-126

    Go to the BPS Pro htaccess File Editor tab page, click on the Your Current Root htaccess File tab, scroll down until you see this security filter in your root .htaccess file…

    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

    and comment it out by putting a pound sign # in front of this security rule as shown below.

    #RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

    Thanks very much for the extremely fast & expert help. Yes, this fixed the issue and posting comments works again!

    Just to confirm this is a single standard wordpress installation — not a multisite or buddypress install.

    Thanks again!

    Mosharraf Hossain

    If you have to install the All in One WP Security plugin on your WordPress site. Such a problem happened on my own site.

    Go to All in One WP Security > FireWall > Additional Firewall Rules > Proxy Comment Posting > Forbid Proxy Comment Posting:

    (Uncheck) Check this if you want to forbid proxy comment posting.

    Save this.

    I just found this solution after many attempts.

    AITpro Admin

    @ Mosharraf – Use caution with the All in One WP Security plugin.  While the plugin authors are pretty good coders, they are not website security experts.  They tend to copy features that are in other security plugins.  They also add features that I do not consider security features.  I think they got carried away with the “All in one” concept if you know what I mean.  😉

    On a personal note, I bought the premium WP Affiliate Platform plugin from them many years ago and it was packed with security vulnerabilities. It had some really dangerous SQL Injection security vulnerabilities that got one of my websites hacked. I had to recode that plugin to make it safe to use.

Viewing 10 posts - 1 through 10 (of 10 total)
  • You must be logged in to reply to this topic.