Ninja Forms – 403 error unable to delete forms

[WayneM]

Have not been able to delete no-longer-needed forms in Ninja Forms (free).

Checked my server logs and found this 403 error:

... "DELETE /wp-admin/admin-ajax.php?action=nf_forms&form_id=2 HTTP/1.1" 403 609 "http://mywebsite.com/wp-admin/admin.php?page=ninja-forms" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.109 Safari/537.36"

Tried turning off ModSecurity. That did not help. Then…

Did the BPS trouble shooting steps of deactivating BPS Security modes:

First individually deactivated RBM – attempted to delete form failed. Reactivated RBM

Then individually deactivated WBM – attempted to delete form failed.

Then deactivated both RBM and WBM – attempted to delete form = successful 🙂

I thought I would be clever and add the following skip rule to the secure wp-admin .htaccess:

# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]

That did not help, so removed it.

Nothing is showing up in the BPS security log related to this issue.

I’m pretty sure my trouble shooting steps indicate that BPS is doing something to block the delete forms in Ninja Forms.

Any ideas on what my next steps to find a fix would be?

[AITpro Admin]

I have installed and tested the Ninja Forms plugin and the BPS Root Request Methods Filtered code does not cause the problem.  So you just need to remove/delete the wp-admin Request Methods Filtered code and replace it with the new wp-admin htaccess code in BPS Pro 13+ and BP 2.0+ versions.

1. Go to the B-Core > htaccess File Editor tab page, click the wp-admin-secure.htaccess tab, scroll down in the contents of your Master wp-admin htaccess file and delete the entire block of htaccess code that is shown below and replace it with the new BPS Pro 13+ and BPS 2.0+ version code. Note: This code has already been removed and replaced in the BPS Pro 13+ and BPS 2.0+ Master wp-admin htaccess files.
2. Click the Update File button to save your wp-admin Master htaccess file edit.
3. Go to the Security Modes page and click the wp-admin Folder BulletProof Mode Activate button.

Delete/remove this old htaccess code block…

# REQUEST METHODS FILTERED
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]

…and add this new BPS Pro 13+ and BPS 2.0+ htaccess code in the same exact place in the wp-admin Master htaccess file…

# BPS REWRITE ENGINE
RewriteEngine On

Security Log entry for Ninja Forms blocked form delete option:

[403 GET Request: June 21, 2017 - 7:56 am]
BPS Pro: 13
WP: 4.8
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 127.0.0.1
Host Name: Z666P-HP
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://demo5.local/wp-admin/admin.php?page=ninja-forms
REQUEST_URI: /wp-admin/admin-ajax.php?action=nf_forms&form_id=3
QUERY_STRING: action=nf_forms&form_id=3
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

[WayneM]

The BPS security log on my site never logged any events for this issue.

I’ll implement the method you showed in your follow up post, and give that a try.

I’m currently running BPS 1.1  I do not see 2.0 available in the WP repository. Will BPS 2.0 fix this issue? Or, would I still need to modify the wp-admin Master htaccess file? (wouldn’t that file get over written on any future BPS updates? Thought that’s what the custom code editor is for.)

[AITpro Admin]

Mod Security can break BPS Security Logging if certain Mod Security SecRules/SecFilters are used.  Some web hosts allow you to add/remove individual Mod Security SecRules/SecFilters, but most web hosts only offer the option to enable or disable Mod Security.  If you would like to find out if Mod Security is breaking BPS Security Logging on your website then do these steps.

1. Disable Mod Security.
2. Use this test URL to see if BPS Security Logging is now working:  http://www.example.com/?sp_executesql.  Change the website domain name to your actual website domain name/URL.
3. You should see a Security Log entry that shows that the sp_executesql Query String was blocked.

BPS Pro 13 and BPS 2.0 are scheduled for release sometime in the next 3-6 days.  The wp-admin Request Methods Filtered htaccess code does not have a wp-admin Custom Code text box.  Since we already decided to phase that old htaccess code out then the new wp-admin Master file will contain the new htaccess code.  Yes, your old wp-admin Master file will be overwritten and will contain the new wp-admin htaccess code that does not have the Request Methods Filtered htaccess code in it any longer for BPS Pro 13+ and BPS 2.0+ versions.

[WayneM]

Made the changes you indicated to the Master wp-admin htaccess file. That did it. Can now delete forms. 🙂

Just wanted to note that when I tried to change the Master wp-admin htaccess file by using the BPS .htaccess file editor, I got a 501 Error. So, I had to change it using cPanel file manager.

My server is currently running with Mod Security on. I did the test you indicated with MS both on and off – got a BPS 403 error, and the event was logged in the BPS Security Log file in both instances 🙂

Thanks once again for your awesome plugin, and your stellar support! 🙂

[AITpro Admin]

Great!  Thanks for confirming the fix worked.

[Author]

Posts