POST admin-ajax.php 403 error

[Tin Hoang]

Hello, when I try to save a setting, in another plugin for a specific site, running on a network installation of WordPress I get the following error. However, when I try to save the same setting on one of my other subsites it saves ok. So the issue is happening only one 1 site. The error is below:

https://www.dropbox.com/s/f4oqr4jhi3at4ue/403.jpg?dl=0

I’ve tried to add

# admin-ajax.php & post.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]

to my CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES but that is not working.
any ideas would be helpful.

Thank you,

Tin

[AITpro Admin]

Go to the BPS Security Log page and post the Security Log entry for this.

[Tin Hoang]

I went to the Security Log but there is no entry with the REQUEST_URI similiar to

https://bluegemini.ca/wp-admin/admin-ajax.php

please advise.

[AITpro Admin]

Do BPS Pro troubleshooting steps #1 and #2:  https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting  Test saving plugin settings after doing troubleshooting step #1 then test saving plugin settings after doing troubleshooting step #2. Let me know what happens.

[Tin Hoang]

Hello,

I executed 1 (1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.)

then tried to save the setting it didnt work. Still same error 403 when I try to save the setting.

then i executed 2 –
(2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.)

same error ..403

I think it has now caused a new error after that change (attached) my images arent loading on most of my subsites! I’ve reenabled 1 and 2 with no luck.

https://www.dropbox.com/s/v5203euo386fo4w/404.png?dl=0

[AITpro Admin]

Ok so your BPS htaccess files are not causing the problem.  That means something else that you have installed (another plugin or your theme) is causing the problem.  Try deactivating all of your other plugins.  You can activate BPS htaccess files again.  The folder name shown in the 404 errors is not a valid WordPress folder:  /files/ is not a valid WordPress folder name.  If the /files/ folder is outside of WordPress in your hosting account root folder then I assume you had a skip/bypass rule for the /files/ folder in your root htaccess file and the errors should go away once you activate root folder BulletProof Mode again.

[Tin Hoang]

Hi

/files/folders/ is in my root wordpress folder – I am running a multisite installation of wordpress. I’ll check the other plugs or themes

thank you.

[Living Miracles]

[Topic has been merged into this relevant Topic]
Hi,

On our WordPress multisite, I noticed something strange yesterday. After logging into the back-end, I took a look at one of the subsites on the front-end. When clicking on certain menu items (one of them leading to a page with several embedded Spreaker audio players and another to a blog page), I got some popups with 404/forbidden errors. I checked the console for errors and found that the admin-ajax.php file showed up with: “Failed to load resource: the server responded with a status of 403 (Forbidden).” It seems like this started happening after the BPS Pro 12.8 update because I’ve never seen this issue previously.

So, I implemented the below code into the wp-admin htaccess File Custom Code box 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES:

# SKIP/BYPASS RULE FOR ADMIN-AJAX.PHP
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]

Could you say what is happening here and why the admin-ajax.php was being forbidden?

Thanks so much!

[AITpro Admin]

@ Living Miracles – Go to your BPS Security Log page and post any Security Log entries for this 403 error so I can see what is being blocked.

[Living Miracles]

There are actually no entries in the security log for the admin-ajax.php file.

[AITpro Admin]

@ Living Miracles – Ok then this was definitely the correct topic to merge your forum topic post into.  What I am thinking is some other security measure on your host server is causing the 403 error.  Do BPS Pro troubleshooting steps #1 and #2 to confirm that BPS htaccess code is not causing the block/403 errors:  https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting  If the 403 errors are still occurring after doing BPS Pro troubleshooting steps #1 and #2 then you will need to contact your web host and see if they have some security measure on the host server that is causing the 403 errors. Could be something like a mod_security SecRule or SecFilter is blocking something that appears to be malicious.

[Living Miracles]

Hi again, it’s been a little hard to troubleshoot this issue. When I deactivated the Root Folder BulletProof Mode, the issue did seem to go away, however, I couldn’t do any other troubleshooting because the issue didn’t come back after re-enabling the Root Folder BP Mode. It may have been cache-related somehow; not sure.

This issue has now returned and I think it’s a bit odd that it’s also happening when I’m not logged into the site. Somehow, even while logged out, and visiting the site just like a normal visitor would, I’m seeing the 404 pop-up error and can see the /wp-admin/admin-ajax.php file getting blocked. Why would this file even get triggered/called when I’m not even logged into this site?

Thanks for any thoughts you can share on this. I just want to understand a bit better what’s going on.

[AITpro Admin]

@ Living Miracles – So what you need to do now is either look at your Apache server logs or have your web host look at your server logs to figure out what is causing the 403/404 error.  I don’t think doing standard WP troubleshooting is the best approach.  You need to see a log entry with an error message so you will be able to figure this problem out.  I have seen quite a lot of plugins call the admin-ajax.php file from the frontend of site.  Not exactly sure why that is done by those plugins. 😉

[Living Miracles]

Hi again. Thanks, I reviewed our server logs and can’t find anything in regards to the admin-ajax.php file there. I think the reason I wrote to you initially, is because the errors seemed to start after the most recent BPS Pro update and in the changelog, it mentioned a lot of AJAX-related updates. Is there any way those updates could cause the issues I’m seeing?

Thanks so much!

[AITpro Admin]

@ Living Miracles – I don’t see anything in BPS Pro 12.8 that was updated/changed/etc. that would start causing this problem.  So that is probably just coincidental and something else changed somewhere else.  In any case, send me a WordPress Administrator login to this site so I can figure out what is causing the problem.

[Author]

Posts