Receiving 403 error after subscribing for “Email Subscribers & Newsletters” plugin

Viewing 10 posts - 1 through 10 (of 10 total)
    #41948
    stackoverflow41
    Participant

    Hi everyone:

    It appears that on my site BPS has a rule that does not like the WordPress plugin “Email Subscribers & Newsletters”.

    It has a submit box to subscribe to the site, and when submitted, the site returns:

    403 Forbidden Error
    
    If you arrived here due to a search or clicking on a link click your
    Browser's back button to return to the previous page. Thank you.
    
    Website: cc.davelozinski.com
    
    Your IP Address: 120.16.94.24
    
    BPS Plugin 403 Error Page

    I’ve turned off all other plugins, including BPS, and the issue still occurs.

    Here’s the BPS security log entry for the latest try:

    [403 POST Request: June 12, 2022 12:22 pm]
    BPS: 6.3
    WP: 5.7.6
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 120.16.94.24
    Host Name: 120.16.94.24
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 120.16.94.24
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: https://cc.davelozinski.com/
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.115 Safari/537.36
    REQUEST BODY: esfpx_email=stackoverflow41%40mail.com&esfpx_lists%5B%5D=c8eaf1598a73&esfpx_form_id=1&es=subscribe&esfpx_es_form_identifier=f1-n1&esfpx_es_email_page=1126&esfpx_es_email_page_url=https%3A%2F%2Fcc.davelozinski.com%2Fc-sharp%2Fc-ints-vs-stringified-ints&esfpx_status=Unconfirmed&esfpx_es-subscribe=52ca08c825&esfpx_es_hp_email=&submit=Submit

    It looks like there’s a rule in the .htaccess file that is obviously redirecting to the error page, but I can’t figure out what.

    Any help, suggestions, guidance would be appreciated.

    Thanks!

    #41949
    AITpro Admin
    Keymaster

    The Request is a POST Request.  Are you using this BPS POST Request attack protection code here > https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/

    If so, then the rule you would want to add in your BPS POST Request attack protection code in BPS Custom Code would be this:

    # Whitelist the c-sharp Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/c-sharp/c-ints-vs-stringified-ints [NC]

    If you are not using the BPS POST Request attack protection code then check your root htaccess file for any other custom htaccess code that protects against POST Requests. If you do not see any other htaccess code that does anything with POST Requests then ModSecurity installed on your web host server is causing the block.

    #41951
    stackoverflow41
    Participant

    Thank you for your response.

    Whenever I try to save anything in BPS, I receive the following:

    https://[mydomain].com/wp-admin/admin.php?page=bulletproof-security/admin/core/core.php#bps-tabs-7
    
    Error. Page not found.
    
    « Back / Dashboard

    Also, in regards to your response, is that code correct?

    Shouldn’t it be something along the lines of:

    RewriteCond %{REQUEST_URI} !^.*/#es_form_f1-n1 [NC]

    since the subscribe button is on almost every post and the main homepage? And if so, how should I implement the rule to escape the “#” in the URL?

    #41952
    AITpro Admin
    Keymaster

    That’s a known common problem caused by ModSecurity > https://forum.ait-pro.com/forums/topic/mod-security-common-known-problems/ Click the Encrypt buttons before clicking the Save buttons to bypass/evade ModSecurity.

    So are you using the BPS POST Request attack protection code or is ModSecurity blocking the POST Requests?

    The whitelist rule is for a REQUEST_URI, which is a URL path. You could use a Query String condition instead, but that is not necessary and anchors (#) are difficult to whitelist. So don’t even attempt that.

    It sounds like you should not use the BPS POST Request attack protection code if this affects forms that exist in many different places on your website.
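    An added example (not code from this thread or from the BPS plugin) that emulates how a `RewriteCond %{REQUEST_URI} pattern [NC]` whitelist line in the POST Request attack protection code is evaluated against the fields of the BPS log entry quoted in the first post: the browser never sends the `#` fragment, so a fragment-based condition can never whitelist anything, and a `!` whitelist only lets a POST through when its pattern matches the path the form actually posts to (`/` in the logged request). The log excerpt is trimmed from the first post; `rewrite_cond` and the other function names are my own.

```python
import re
from urllib.parse import urlsplit

# Trimmed copy of the BPS security log entry quoted in the first post
# (only the fields the whitelist condition looks at).
LOG_ENTRY = """\
[403 POST Request: June 12, 2022 12:22 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REQUEST_METHOD: POST
HTTP_REFERER: https://cc.davelozinski.com/
REQUEST_URI: /
QUERY_STRING:
"""

def parse_log_entry(text):
    """Turn the 'KEY: value' lines of a BPS log entry into a dict."""
    entry = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("["):
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
    return entry

def rewrite_cond(pattern, value):
    """Evaluate 'RewriteCond %{VAR} pattern [NC]' the way mod_rewrite does:
    a leading '!' negates the match and NC makes it case-insensitive."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    matched = re.search(regex, value, re.IGNORECASE) is not None
    return matched != negate

def post_is_blocked(entry, whitelist_pattern):
    """The block rule fires only if every RewriteCond holds, so a '!'
    whitelist condition that matches the URI is what lets a POST through."""
    return (entry["REQUEST_METHOD"] == "POST"
            and rewrite_cond(whitelist_pattern, entry["REQUEST_URI"]))

def server_side_path(url):
    """Browsers strip the '#fragment' before sending; the server only
    ever sees the path, so REQUEST_URI can never contain '#'."""
    parts = urlsplit(url)
    return parts.path, parts.fragment

if __name__ == "__main__":
    entry = parse_log_entry(LOG_ENTRY)
    print("logged REQUEST_URI:", entry["REQUEST_URI"])
    print("blocked with c-sharp whitelist:",
          post_is_blocked(entry, "!^.*/c-sharp/c-ints-vs-stringified-ints"))
    print("blocked with '#' whitelist:", post_is_blocked(entry, "!^.*/#es_form_f1-n1"))
    print("what the server sees:", server_side_path("https://cc.davelozinski.com/#es_form_f1-n1"))
```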

    #41955
    stackoverflow41
    Participant

    “That’s a known common problem caused by ModSecurity > https://forum.ait-pro.com/forums/topic/mod-security-common-known-problems/ Click the Encrypt buttons before clicking the Save buttons to bypass/evade ModSecurity.”

    I did click the “Encrypt” button and still receive that error. The error occurs whether or not I click encrypt.

    The code in the BPS window #14 comes up by default unencrypted.

    I don’t know if I’m using mod security or not. I’ve written my hosting provider to confirm as I cannot find any settings/configurations for it in my cPanel configuration.


    “It sounds like you should not use the BPS POST Request attack protection code if this affects forms that exist in many different places on your website.”

    Thank you for that. I’ve tried removing that bit of code from Box #14 when editing the htaccess file. Unfortunately, it won’t save as per above. Keeps giving me the “error. Page not found” issue above, which I can’t seem to figure out how to get around either yet.

    I’ll update this thread again once I hear back from my hosting provider regarding mod security.

    #41958
    stackoverflow41
    Participant

    I’ve heard from my service provider.

    This is what they said:

    "There are no Mod_Sec entries in the error logs, however, using the form will bring the following error, indicating an issue with the .htaccess file.
    
    [....com:443] Access is denied by context rewrite."

    Hopefully that helps?

    #41959
    AITpro Admin
    Keymaster

    I need to see your entire root htaccess file.  Maybe there is some custom htaccess code that is causing these problems, but that does not explain why you cannot save BPS Custom Code.  Typically that problem is caused by ModSecurity.  This process will go faster if I login to your site and check everything.  If that is ok with you then send a WordPress Administrator login to:  info@ait-pro.com.  Or post the entire contents of your root htaccess file in your forum reply.

    #41960
    stackoverflow41
    Participant

    Thank you again for your time.

    To start, I’ve sent you an email with screen captures of the file locations and the htaccess files attached.

    Hopefully you’ve received it.

    #41974
    stackoverflow41
    Participant

    UPDATE FOR EVERYONE:

    Thanks to the Superb Assistance of AITPro, we’ve discovered it was two issues:

    1. BPS POST Request attack protection code had to be removed for the “email subscription” issue.
    2. For BPS not being able to save its settings, it was caused by CloudFlare. Even though I had caching disabled and a page rule telling it to bypass everything in my domain, similar to the following: *domain.com/wp-admin/*, it still wasn’t working. With CloudFlare, you also have to disable both security and performance as a page rule for the domain in addition to telling it to bypass the caching.

    See this page for more information if you’re using CloudFlare:

    https://support.cloudflare.com/hc/en-us/articles/200169526-Disabling-Cloudflare-features-on-admin-pages-for-content-management-systems-like-WordPress


    #41975
    AITpro Admin
    Keymaster

    Great job on figuring this out!  Glad I could offer some logical guesses for what might be causing this problem.
