something legitimate is blocked : 403 Request

Home Forums BulletProof Security Pro something legitimate is blocked : 403 Request

Viewing 15 posts - 1 through 15 (of 15 total)
  • Author
    Posts
  • #43751
    pdlc
    Participant

    Hi,

    i need help for a woocommerce website, BPS Pro: 17.4, WP: 6.4.3.
    Today in the security_log file, i see a lot of 403 error for .css file like this sample :

    [403 GET Request: 15 avril 2024 - 10 h 19 min]
    BPS Pro: 17.4
    WP: 6.4.3
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 94.xxx.xxx.xx
    Host Name: 94.xxx.xxx.xx.---.-------.---------.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://monsite.fr/
    REQUEST_URI: /wp-content/plugins/monplugin/css/slick-theme.css?ver=1.0
    QUERY_STRING: ver=1.0
    HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0

    I don’t understand why this 403 errors concern only some visitors (IP adress) and not all the visitors, and why today and not last week : i didn’t change any file on the website.

    I read the forum and the help, you advise to use the Whitelist Tools to add all the file blocked, but there is only .js file inside the Whitelist no .css file…
    Some of this blocked visitors are already client and last week the could buy the meal without problem.
    I’m lost, Any advice ?

    Best regards,

    Monica

    #43752
    AITpro Admin
    Keymaster

    There is nothing in the Security Log entry that should be blocked.  The Plugin Firewall does not protect .css files so it is very odd that a 403 error would be occurring for that file.  Maybe the Plugin Firewall htaccess file has an invalid whitelist rule somewhere?  Are you seeing any error messages then you go to the Plugin Firewall feature? I need to see what is going on myself.  Send a WordPress admin login for this site to: info@ait-pro.com.

     

    #43754
    pdlc
    Participant

    hi,

    i check the Firewall htaccess file and i see that :

    # BULLETPROOF PRO .HTACCESS PLUGIN FIREWALL
    #
    # BPS Pro 11 mod_rewrite
    #
    # BEGIN WHITELIST: Frontend Loading Website Plugin scripts/files
    (...)
    
    # END WHITELIST
    
    #
    
    # FORBID REMOTE ACCESS TO THESE PLUGIN FILE TYPES FROM ANYONE EXCEPT YOU
    
    RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|html5|htx|ico|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|txt|vb|vbe|vbs|war|ws|wsf|xhtml|z|zip)$ [NC]
    
    # BEGIN PUBLIC IP
    
    (..)
    # END PUBLIC IP
    RewriteRule ^(.*)$ - [F]IP
    # BEGIN ADDITIONAL ROLES IP
    RewriteCond %{REMOTE_ADDR} !^xx.xx.xx.44$
    # END ADDITIONAL ROLES IP
    (...)
    RewriteRule ^(.*)$ - [F]

    I deleted the weird content. As requested I send you a WordPress admin login for this site.

    Best regards,

    monique

    #43755
    pdlc
    Participant

    to complete my previous post: when I open the Firewall htaccess file via FTP then the invalid rule doesn’t appear?

    #43756
    AITpro Admin
    Keymaster

    I logged into your site and the problem is that the Plugin Firewall is not automatically creating new Plugin Firewall whitelist rules.  I believe the reason for that is WordPress Crons are either disabled or not working correctly.  I see that you have the WP Control plugin installed.  So that  could be causing the problem.  Or maybe WP Crons have been disabled in your wp-config.php file.  I have deactivated the Plugin Firewall feature.  I recommend that you leave it deactivated and do not use it on your site due to whatever cron issues are going on with your site.

    #43758
    pdlc
    Participant

    You deactivated the Plugin Firewall feature  : so my website is less secure ?

    #43759
    AITpro Admin
    Keymaster

    The Plugin Firewall feature is an extra layer of protection.  So not that critical.  I can try to figure out the problems going on with your site at a later time, but right now I have too much on my plate.  Next weekend I’ll have some spare time to fix whatever problems are going on with your website.

    #43760
    pdlc
    Participant

    I check the wp-config.php file  : WP-cron are not desabled.
    For info, all wordpress auto updates are disabled in the wp-config.php file (core and plugins).

    Thanks for your help 🙂

    Monique

     

    #43761
    AITpro Admin
    Keymaster

    The problem is fixed.  Something that is really strange that I have never seen before is that plugin files have this additional query string on urls > ?ver=6.4.3.  Normally you would only see that on files loading on the frontend of your site and not files loading from the /plugins folder.  Not really sure why that is.  In any case I created custom Plugin Firewall whitelist rules for any plugin url’s that have the ?ver=6.4.3 Query string.

    #43762
    pdlc
    Participant

    Hi,

    this morning same problem in the the Firewall htaccess file : wired rule like that

    # END PUBLIC IP
    
    RewriteRule ^(.*)$ - [F]��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� IP
    
    # BEGIN ADDITIONAL ROLES IP

    I deactivated the Plugin Firewall feature and i empty the Firewall htaccess file.

    What should I do now?

    #43763
    pdlc
    Participant

    Oops sorry it looks like everything’s fine on the site now: no more weird rule and no more security log with error 403 on the .css files and the Plugin Firewall feature is reactivated, but it wasn’t me who reactivated it?

    #43766
    AITpro Admin
    Keymaster

    I just rechecked everything on your site and everything looks good.  I think this other strange problem you are seeing is coming from corrupt browser cache.  Clear/delete your browser cache.

    #43767
    pdlc
    Participant

    Yes, all is ok now :). Thank you very much for your help !

    Best regards,
    Monique

    #43768
    AITpro Admin
    Keymaster

    Very welcome.  Have to say that I’ve never seen this type of tricky problem before. Sometimes that means something has changed in the WordPress ecosphere and I would most likely be seeing more of this.  Since no one else is reporting this particular problem then I think the weird Query strings could be caused by server-side caching on your web host server.  The strange formatting characters in the Plugins htaccess file definitely looks like a corrupt browser cache issue.

    If the problem returns then yeah go ahead and deactivate the Plugin Firewall feature.  It’s not that critical in overall BPS Pro website protection.

    #43957
    AITpro Admin
    Keymaster

    Came across another person with Query Strings added to plugin urls. Why in gods name would anyone be that stupid to do something like this?  It’s not WordPress itself so some plugin or theme author is screwing up majorly.

Viewing 15 posts - 1 through 15 (of 15 total)
  • You must be logged in to reply to this topic.