Rank Math 403 Error

    #40272
    Terry
    Participant

    I have the free version of Rank Math installed and attached to Google Analytics. When trying to save settings I get a 403 error unless I deactivate the root .htaccess. Even then I am not seeing traffic displayed even though I can log in directly to Google Analytics and select realtime and see if I browse to the site and different pages. Is there some whitelist code to allow the analytics to reach the website?

    #40273
    AITpro Admin
    Keymaster

    Go to the BPS Pro > Security Log page > copy and paste any relevant Security Log entries in your forum reply.

    #40277
    Terry
    Participant

    Here is the error:

    [403 POST Request: May 17, 2021 - 9:54 am]
    BPS Pro: 15.4.1
    WP: 5.7.2
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 172.127.70.3
    Host Name: 172-127-70-3.lightspeed.snantx.sbcglobal.net
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: https://www.copsalive.com/wp-admin/admin.php?page=rank-math-options-general
    REQUEST_URI: /wp-admin/admin-post.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

    #40278
    AITpro Admin
    Keymaster

    What is being blocked is a POST Request.  So that means you are using the BPS POST Attack Protection Bonus Custom Code.  Either remove/delete the BPS POST Attack Protection Bonus Custom Code from BPS Custom Code or do the steps below.

    1. The BPS POST Attack Protection Bonus Custom Code should be in Custom Code text box:  8. CUSTOM CODE WP REWRITE LOOP START.  See example below (Do not use the example code below – use your actual Root htaccess file code and your POST Attack Protection custom code).  If the POST Attack Protection code is in any other Custom Code text box then cut and paste it into Custom Code text box #8 as shown below (Do not use the example code – use your actual code).
    2. Edit your POST Attack Protection custom code and add this whitelist rule (see example below). You can use the example whitelist rule and add it to your existing POST Attack Protection custom code.

    Important Note:  Copy your BPS Root htaccess file WP REWRITE LOOP START section of code into Custom Code text box #8.  Do not use the example code below. This example custom code is for this forum site – use your actual custom code and not this example code below.

    Whitelist rule for Rank Math (see the example code below for where the whitelist rule goes in your POST Attack Protection code):

    # Whitelist Rank Math POST Request by Query String
    RewriteCond %{QUERY_STRING} !^page=rank-math-options-general(.*) [NC]

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]
    
    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist WP JSON POST Requests by Query String
    RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    #RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist JSON POST Requests - Jetpack|Contact Form 7|etc.
    RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
    # Whitelist Jetpack POST Request to wp-load.php by Query String
    RewriteCond %{QUERY_STRING} !^for=jetpack(.*) [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    #RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Forum POST Search
    RewriteCond %{REQUEST_URI} !^.*/search/ [NC]
    # bbPress/BuddyPress forum posting
    RewriteCond %{REQUEST_URI} !^.*/forums/.* [NC]
    # bbPress/BuddyPress forum Register Post form
    RewriteCond %{REQUEST_URI} !^.*/register/ [NC]
    # bbPress/BuddyPress Members/profile form
    RewriteCond %{REQUEST_URI} !^.*/members/ [NC]
    # bbPress/BuddyPress Activate User Account URL/form
    RewriteCond %{REQUEST_URI} !^.*/activate/.* [NC]
    # Whitelist Rank Math POST Request by Query String
    RewriteCond %{QUERY_STRING} !^page=rank-math-options-general(.*) [NC]
    RewriteRule ^(.*)$ - [F]

    #40279
    AITpro Admin
    Keymaster

    Actually the POST Attack Protection bonus Custom Code does not block any POST Requests in the wp-admin area by default.  Did you comment out this whitelist rule below?

    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
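
Added example, not part of the original posts or of BPS: a small Python model of how mod_rewrite ANDs a RewriteCond chain, run against the request fields from the Security Log entry in post #40277 and a subset of the conditions from the example code above. It assumes the default AND behaviour (no [OR] flags) and treats each pattern as an unanchored regex search; the `OTHER` request is constructed for contrast.

```python
import re

# Subset of the conditions from the example POST Attack Protection code in this thread.
CONDS = """
RewriteCond %{REQUEST_METHOD} POST [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
RewriteCond %{QUERY_STRING} !^page=rank-math-options-general(.*) [NC]
"""

COND_RE = re.compile(r"RewriteCond\s+%\{(\w+)\}\s+(!?)(\S+)(?:\s+\[([^\]]*)\])?")

def parse(text):
    """Return (variable, negated, compiled_regex) for each RewriteCond line."""
    out = []
    for line in text.splitlines():
        m = COND_RE.match(line.strip())
        if m:
            var, neg, pat, flags = m.groups()
            nocase = "NC" in (flags or "").upper().split(",")
            out.append((var, bool(neg), re.compile(pat, re.I if nocase else 0)))
    return out

def evaluate(conds, request):
    """Return (forbidden, first_false_condition).

    forbidden is True only when every condition holds, i.e. when the
    'RewriteRule ^(.*)$ - [F]' that follows the chain would answer 403.
    """
    for var, negated, rx in conds:
        matched = rx.search(request.get(var, "")) is not None
        if matched == negated:  # this condition is false, so the rule is skipped
            return False, f"%{{{var}}} {'!' if negated else ''}{rx.pattern}"
    return True, None

# Request fields taken from the Security Log entry in post #40277.
LOGGED = {"REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-admin/admin-post.php",
          "QUERY_STRING": "",
          "HTTP_REFERER": "https://www.copsalive.com/wp-admin/admin.php?page=rank-math-options-general"}
# Constructed contrast case: a POST outside wp-admin that no condition exempts.
OTHER = dict(LOGGED, REQUEST_URI="/some-page/", HTTP_REFERER="")
```

`evaluate(parse(CONDS), LOGGED)` stops at the wp-admin condition, so this chain does not forbid the logged request. A QUERY_STRING condition is tested against the request's own query string, which is empty in that log entry; `page=rank-math-options-general` appears only in HTTP_REFERER.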

    #40281
    Terry
    Participant

    I don’t see the bonus code so couldn’t delete it. Tried it on another site with same problems. Found additional entries in security log as shown below:

    [403 POST Request: May 18, 2021 - 10:15 am]
    BPS Pro: 15.4.1
    WP: 5.7.2
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 172-127-70-3.lightspeed.snantx.sbcglobal.net
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: POST
    HTTP_REFERER: https://vtechteam.com/wp-admin/admin.php?page=rank-math-options-general
    REQUEST_URI: /wp-admin/admin-post.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
    ===============================================================================
    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: May 18, 2021 - 10:13 am]
    BPS Pro: 15.4.1
    WP: 5.7.2
    Whitelist Rule: /seo-by-rank-math/vendor/cmb2/cmb2/js/cmb2.min.js
    Whitelist Rule: /seo-by-rank-math/assets/vendor/jquery.validate.min.js
    Whitelist Rule: /seo-by-rank-math/assets/vendor/select2/select2.min.js
    Whitelist Rule: /seo-by-rank-math/assets/admin/js/validate.js
    Whitelist Rule: /seo-by-rank-math/assets/admin/js/wizard.js
    Whitelist Rule: /seo-by-rank-math/assets/admin/js/common.js
    [Internal Usage: AFS Cron: Prior ARQ Cron Status: On | May 18, 2021 - 10:13 am]
    [Internal Usage: AFS Cron: WP /languages/ folder backup | May 18, 2021 - 10:13 am]
    [Internal Usage: AFS Cron: ARQ Cron was turned On | May 18, 2021 - 10:13 am]
    
    [AutoRestore Turned Off Cron Check: May 18, 2021 - 10:14 am]
    This Security Log entry is created when AutoRestore is turned Off on your website. To change or turn Off this setting go to the BPS Pro S-Monitor page, under Email Alerting & Log File Options change the ARQ: When AutoRestore|Quarantine is Turned Off option setting to whatever setting you would like to use instead.
    ================================================================================
    [403 GET Request: May 18, 2021 - 10:10 am]
    BPS Pro: 15
    WP: 5.7.2
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 172-127-70-3.lightspeed.snantx.sbcglobal.net
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER: https://vtechteam.com/wp-admin/admin.php?page=rank-math-wizard&step=analytics&rankmath_security=91ce8f4091
    REQUEST_URI: /wp-content/plugins/seo-by-rank-math/vendor/cmb2/cmb2/js/cmb2.min.js?ver=2.9.0
    QUERY_STRING: ver=2.9.0
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
    ==================================================================================

    #40282
    Terry
    Participant

    I can give you access in to the site if needed. There is only code in a few boxes that I believe were added by BPS setup.

    #40283
    AITpro Admin
    Keymaster

    Do these troubleshooting steps below and test to see if Rank Math is working or not.

    https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
    2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.  See Custom Code Note if doing this step works.
    3. On the Security Modes page, click the Plugin Firewall BulletProof Mode Deactivate button.  See Plugin Firewall Test Mode Note.

    Also there are known issues with ModSecurity blocking/preventing saving settings in Rank Math.  If you are still seeing 403 errors after doing the BPS Pro troubleshooting steps then you will need to contact your web host and have them fix the ModSecurity problem.

    #40287
    Terry
    Participant

    I have done the troubleshooting by deactivating the security modes and see that when I deactivate the root security then it works. I then went and removed the custom code from the root and reactivated it and it would still fail. So the custom code is not the issue. Every time I activate the root security it fails and every time I deactivate the root security it works.

    The error in the error log is:

    [403 POST Request: May 19, 2021 - 7:22 pm]
    BPS Pro: 15.4.1
    WP: 5.7.2
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 172-127-70-3.lightspeed.snantx.sbcglobal.net
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: POST
    HTTP_REFERER: https://vtechteam.com/wp-admin/admin.php?page=rank-math-options-general
    REQUEST_URI: /wp-admin/admin-post.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

    #40348
    AITpro Admin
    Keymaster

    Oops looks like I missed this one.  Sorry about that.  Is this problem still going on?  If so, then yeah send me a login to your site and I’ll get this fixed.
