Share logins plugin blocked by BPS Pro

Home Forums BulletProof Security Pro Share logins plugin blocked by BPS Pro

This topic contains 6 replies, has 2 voices, and was last updated by  DBR 3 months ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #37681

    DBR
    Participant

    Hi, I’m using the Share Logins plugin to connect a standard WP site with a WP Multisite. Both sites are using BPS Pro 14. Logins happen on the main site and then users can access the multisite without having to log in again.

    However, since installing BPS PRO, I’m getting this message in the login security log and I’m not able to access the multisite after logging into the main site (identifying info has been replaced with [TEXT]):

    [403 GET Request: July 17, 2019 9:22 pm]
    BPS Pro: 14
    WP: 5.1.1
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: [IP]
    Host Name: [HOST]
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.[MAIN URL].com/
    REQUEST_URI: /?rest_route=%2Fshare-logins%2Flogin&access_token=[NUMBERS AND LETTERS]&site_url=https://www.[MAIN URL].com&user_login=[NUMBERS AND LETTERS]
    QUERY_STRING: rest_route=%2Fshare-logins%2Flogin&access_token=[NUMBERS AND LETTERS]&site_url=https://www.[MAIN URL].com&user_login=[NUMBERS AND LETTERS]

    I thought this might be a query string issue so I removed all the .htaccess CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS code in both websites but I’m still not able to access both sites with a single login.

    Is there anything else in BPS Pro that could be blocking this cross-site access? The plugin firewall is deactivated on both sites.

    Many thanks in advance for your help

    #37682

    AITpro Admin
    Keymaster

    Do BPS Pro Troubleshooting steps: 1, 2, 6 and 7.  Those are the most logical things that could be causing the problem.  During testing deactivate one security feature at a time and test.  Let me know what happens.

    https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
    2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.  See Custom Code Note if doing this step works.
    3. On the Security Modes page, click the Plugin Firewall BulletProof Mode Deactivate button.  See Plugin Firewall Test Mode Note.
    4. On the Security Modes page, click the UAEG BulletProof Mode Deactivate button.
    5. If an issue/problem is related to files being locked with F-Lock then unlock files on the F-Lock page.
    6. If an issue/problem is related to Login Security turn Off Login Security on the Login Security & Monitoring page.
    7. If an issue/problem is related to JTC Anti-Spam|Anti-Hacker turn Off JTC Anti-Spam|Anti-Hacker on all Forms by unchecking the Form checkboxes under the Enable|Disable JTC For These Forms option on the JTC Anti-Spam|Anti-Hacker page.

    #37683

    DBR
    Participant

    Thanks for getting back to me so quickly.

    I had already tried replacing both .htaccess files with the appropriate default files for each installation. Probably should have mentioned that! Login security and JTC are always disabled anyway.

    Deactivating the wp-admin .htaccess didn’t make a difference.

    #37684

    AITpro Admin
    Keymaster

    Hmm maybe BPS is not actually blocking the cross-site login.  The BPS Security Log logs all 403 errors whether or not BPS is causing the 403 error.  I’d like to make absolutely sure that BPS is not causing this 403 error before mentioning other things that could be causing the 403 error.  So just to make sure everything is completely eliminated in BPS – deactivate root and wp-admin BulletProof Modes on both sites.  Then test the cross-site login again.

    #37685

    DBR
    Participant

    Yeah, I think you’re right. Sorry about that.

    I’ve deactivated the 2 BulletProof Modes on each site…..and also deactivated the plugin. Still not working. So something else must be the cause. Which is odd because it was working before I installed BPS.

    It’s 2am here. That’s my excuse.

    Thanks for your help. I always appreciate how speedy you are at replying to support requests!

    #37686

    AITpro Admin
    Keymaster

    Well it is still possible that BPS is causing the block, but at this point it seems unlikely.  The next things to do are to turn Off Security Logging on the site where you are seeing 403 errors.  What this will hopefully do is display either a default generic host server 403 error page or maybe a Mod Security error page or if you have any other security plugins installed then a 403 error page for whichever security plugin that is.  Another possibility is that you have an htaccess file somewhere else that is causing this block.  htaccess files are hierarchical.  So if you had an htaccess file in a lower folder (parent folder) then those htaccess file security rules would be applied to all higher folders (child folders).

    #37687

    DBR
    Participant

    Thanks very much for the advice. I think the plugin uses the REST API so it’s possible that something else is blocking access. There are no other relevant errors in my logs though. Checked mySQL, PHP-fpm, apache, site error & access logs, etc. I’ll set log reporting to ‘trace’ and see if I can get more detailed info. Cheers

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.