Topic: something legitimate is blocked : 403 Request

something legitimate is blocked : 403 Request

This topic has 13 replies, 2 voices, and was last updated 1 week, 4 days ago by AITpro Admin.

Viewing 14 posts - 1 through 14 (of 14 total)

Author

Posts
April 15, 2024 at 8:05 am #43751
pdlc
Participant
Hi,

i need help for a woocommerce website, BPS Pro: 17.4, WP: 6.4.3.
Today in the security_log file, i see a lot of 403 error for .css file like this sample :
```
[403 GET Request: 15 avril 2024 - 10 h 19 min]
BPS Pro: 17.4
WP: 6.4.3
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 94.xxx.xxx.xx
Host Name: 94.xxx.xxx.xx.---.-------.---------.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://monsite.fr/
REQUEST_URI: /wp-content/plugins/monplugin/css/slick-theme.css?ver=1.0
QUERY_STRING: ver=1.0
HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
```
I don’t understand why this 403 errors concern only some visitors (IP adress) and not all the visitors, and why today and not last week : i didn’t change any file on the website.

I read the forum and the help, you advise to use the Whitelist Tools to add all the file blocked, but there is only .js file inside the Whitelist no .css file…
Some of this blocked visitors are already client and last week the could buy the meal without problem.
I’m lost, Any advice ?

Best regards,

Monica
April 15, 2024 at 2:59 pm #43752
AITpro Admin
Keymaster

There is nothing in the Security Log entry that should be blocked. The Plugin Firewall does not protect .css files so it is very odd that a 403 error would be occurring for that file. Maybe the Plugin Firewall htaccess file has an invalid whitelist rule somewhere? Are you seeing any error messages then you go to the Plugin Firewall feature? I need to see what is going on myself. Send a WordPress admin login for this site to: info@ait-pro.com.
April 16, 2024 at 12:09 am #43754
pdlc
Participant
hi,

i check the Firewall htaccess file and i see that :
```
# BULLETPROOF PRO .HTACCESS PLUGIN FIREWALL
#
# BPS Pro 11 mod_rewrite
#
# BEGIN WHITELIST: Frontend Loading Website Plugin scripts/files
(...)

# END WHITELIST

#

# FORBID REMOTE ACCESS TO THESE PLUGIN FILE TYPES FROM ANYONE EXCEPT YOU

RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|html5|htx|ico|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|txt|vb|vbe|vbs|war|ws|wsf|xhtml|z|zip)$ [NC]

# BEGIN PUBLIC IP

(..)
# END PUBLIC IP
RewriteRule ^(.*)$ - [F]IP
# BEGIN ADDITIONAL ROLES IP
RewriteCond %{REMOTE_ADDR} !^xx.xx.xx.44$
# END ADDITIONAL ROLES IP
(...)
RewriteRule ^(.*)$ - [F]
```
I deleted the weird content. As requested I send you a WordPress admin login for this site.

Best regards,

monique
April 16, 2024 at 3:03 am #43755
pdlc
Participant

to complete my previous post: when I open the Firewall htaccess file via FTP then the invalid rule doesn’t appear?
April 16, 2024 at 4:30 am #43756
AITpro Admin
Keymaster

I logged into your site and the problem is that the Plugin Firewall is not automatically creating new Plugin Firewall whitelist rules. I believe the reason for that is WordPress Crons are either disabled or not working correctly. I see that you have the WP Control plugin installed. So that could be causing the problem. Or maybe WP Crons have been disabled in your wp-config.php file. I have deactivated the Plugin Firewall feature. I recommend that you leave it deactivated and do not use it on your site due to whatever cron issues are going on with your site.
April 16, 2024 at 5:31 am #43758
pdlc
Participant

You deactivated the Plugin Firewall feature : so my website is less secure ?
April 16, 2024 at 5:48 am #43759
AITpro Admin
Keymaster

The Plugin Firewall feature is an extra layer of protection. So not that critical. I can try to figure out the problems going on with your site at a later time, but right now I have too much on my plate. Next weekend I’ll have some spare time to fix whatever problems are going on with your website.
April 16, 2024 at 5:58 am #43760
pdlc
Participant

I check the wp-config.php file : WP-cron are not desabled.
For info, all wordpress auto updates are disabled in the wp-config.php file (core and plugins).

Thanks for your help 🙂

Monique
April 17, 2024 at 7:26 am #43761
AITpro Admin
Keymaster

The problem is fixed. Something that is really strange that I have never seen before is that plugin files have this additional query string on urls > ?ver=6.4.3. Normally you would only see that on files loading on the frontend of your site and not files loading from the /plugins folder. Not really sure why that is. In any case I created custom Plugin Firewall whitelist rules for any plugin url’s that have the ?ver=6.4.3 Query string.
April 17, 2024 at 11:24 pm #43762
pdlc
Participant
Hi,

this morning same problem in the the Firewall htaccess file : wired rule like that
```
# END PUBLIC IP

RewriteRule ^(.*)$ - [F]��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� IP

# BEGIN ADDITIONAL ROLES IP
```
I deactivated the Plugin Firewall feature and i empty the Firewall htaccess file.

What should I do now?
April 17, 2024 at 11:35 pm #43763
pdlc
Participant

Oops sorry it looks like everything’s fine on the site now: no more weird rule and no more security log with error 403 on the .css files and the Plugin Firewall feature is reactivated, but it wasn’t me who reactivated it?
April 18, 2024 at 5:44 am #43766
AITpro Admin
Keymaster

I just rechecked everything on your site and everything looks good. I think this other strange problem you are seeing is coming from corrupt browser cache. Clear/delete your browser cache.
April 18, 2024 at 6:53 am #43767
pdlc
Participant

Yes, all is ok now :). Thank you very much for your help !

Best regards,
Monique
April 18, 2024 at 7:56 am #43768
AITpro Admin
Keymaster

Very welcome. Have to say that I’ve never seen this type of tricky problem before. Sometimes that means something has changed in the WordPress ecosphere and I would most likely be seeing more of this. Since no one else is reporting this particular problem then I think the weird Query strings could be caused by server-side caching on your web host server. The strange formatting characters in the Plugins htaccess file definitely looks like a corrupt browser cache issue.

If the problem returns then yeah go ahead and deactivate the Plugin Firewall feature. It’s not that critical in overall BPS Pro website protection.
Author

Posts

Viewing 14 posts - 1 through 14 (of 14 total)

You must be logged in to reply to this topic.

BulletProof Security Forum

something legitimate is blocked : 403 Request

Search Forums

Topic Tags