WordPress Theme Customizer – 403 error


  • #31715
    Akhil K A
    Participant

    Hi,

    From admin panel, I’m unable to access certain pages of theme. For example, editing CSS page, customizing theme page etc.
    Example of URL: /wp-admin/admin.php?page=customizeme
    Redirects to: /wp-admin/customize.php?url=https://www.example.com/?s=
    and ends with a 403 Forbidden page of BPS.
    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
    IP Address: 83.110.xxx.xxx
    Please help.

    #31716
    AITpro Admin
    Keymaster

    The Redirect is simulating an RFI hacking attempt against your website.  The WP Customizer customize.php file is being blocked by the BPS wp-admin htaccess file.  Do the steps below to whitelist the customize.php file:

    1. Add the customize.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

    # WP Theme Customizer customize.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (customize\.php) [NC]
    RewriteRule . - [S=2]

    #31720
    Akhil K A
    Participant

    Hi!

    That worked. Kindly remove my domain name from the above code that I posted in the question, for privacy.

    Thanks.

    #31724
    AITpro Admin
    Keymaster

    Your domain name has been changed to:  example.com for privacy.

    #32649
    Vintagepornbay.com
    Participant

    [Topic has been merged into this relevant Topic]
    Hi, we get

     vintagepornbay.com 403 Forbidden Error Page If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you. IP Address: xxx.xxx.xxx.xxx

    Errors when I click edit CSS from Appearance and use the search very often. It is caused by BPS, I am sure, because when I disable BulletProof Mode it shows a Not Found page rather than a 403 error.

    I need to be sure what I did on our custom codes:

    1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE:
    [BPS Speed Boost cache code – no problems – checked and deleted]

    4. CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION:
    [BPS BRUTE FORCE LOGIN PAGE PROTECTION may be a problem]

    8. CUSTOM CODE WP REWRITE LOOP START: www/non-www http/https Rewrite code here
    [Rewrite Loop code looks fine – no problems – checked and deleted]

    14. CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here
    [WP AUTHOR ENUMERATION BOT PROBE PROTECTION – no problems – checked and deleted]

    [Block/Forbid Referer Spammers/Referer Phishing – no problems – checked and deleted]

    [XML-RPC DDoS PROTECTION – possible problem if you are using Jetpack – checked and deleted]

    [BLOCK/FORBID Turkish Spammers by CIDR Blocks – appears to be ok – checked and deleted]

    [BPS POST Request Attack Protection – possible problem – checked and deleted]

    [s2Member GZIP exclusions – appears to be ok – checked and deleted]

    #32652
    AITpro Admin
    Keymaster

    https://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    BPS Custom Code Troubleshooting help information:
    Custom Code Note: If you have isolated a problem to the root or wp-admin .htaccess file and you have added additional custom .htaccess code or additional .htaccess code from another plugin to BPS Custom Code then you can either use the Custom Code Export|Import|Delete Tools or manually cut (not Copy) all of your additional custom .htaccess code out of all BPS Custom Code text boxes and save that custom .htaccess code to a Notepad or Notepad++ text file, click the Save Root Custom Code button (or the wp-admin Custom Code button), go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button (and/or the wp-admin Folder BulletProof Mode Activate button). You can then further isolate which custom .htaccess code is the problem by adding only 1 block of additional custom code back to a BPS Custom Code text box at a time.

    Your BPS BRUTE FORCE LOGIN PAGE PROTECTION Custom Code may be a problem:
    Cut (not Copy) the BPS BRUTE FORCE LOGIN PAGE PROTECTION Custom Code out of the Custom Code text box, save the custom code to a Notepad or Notepad++ text file, click the Save Root Custom Code button, click the Root Folder BulletProof Mode Activate button.  Test whatever was blocked/not working.

    Your BPS POST Request Attack Protection Custom Code may be a problem:
    Cut (not Copy) the BPS POST Request Attack Protection Custom Code out of the Custom Code text box, save the custom code to a Notepad or Notepad++ text file, click the Save Root Custom Code button, click the Root Folder BulletProof Mode Activate button.  Test whatever was blocked/not working.

    Your BPS XML-RPC DDoS PROTECTION Custom Code for Jetpack is older custom code:
    Get the newer Jetpack XML-RPC DDoS PROTECTION Custom Code from this forum link and replace your older Jetpack custom code: https://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/ , click the Save Root Custom Code button and click the Root Folder BulletProof Mode Activate button.

    If BPS is blocking something it will be logged in your BPS Security Log.  Go to your BPS Security Log and post the Security Log entry that is related to the WordPress Customizer – you would see this file name in the Security Log entry – customize.php – if BPS is blocking the WordPress Customizer.

    #32653
    Vintagepornbay.com
    Participant

    Tried all of the above solutions but none of them worked out. Maybe another way for the fix? It is fixed if I disable the Root Folder BulletProof Mode. But I do want to use this plugin. So what causes these kinds of errors?

    Note: By the way, could you please remove the “…… (region) spammers” text from the above post of mine?

    Here is the log file for that error:

    [403 GET Request: March 12, 2017 4:58 pm]
    BPS: .54.5
    WP: 4.7.3
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: xxx.xxx.xxx.xxx
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.vintagepornbay.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php
    REQUEST_URI: /wp-admin/customize.php?autofocus%5Bsection%5D=custom_css&return=http://www.vintagepornbay.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

    #32654
    AITpro Admin
    Keymaster

    The IP address has been replaced with X’s for your server 403 error message.  I thought the Customizer problem might have been the same problem that is in this forum topic.  So that is why I merged your topic into this existing topic.  The problem is there is something else that you have installed on your website (plugin or theme) that is redirecting the Customizer URL in a way that simulates an RFI hacking attempt against your website. The WP Customizer customize.php file is being blocked by the BPS wp-admin htaccess file.  I don’t know why the BPS plugin page URL is being included in the redirects:  page=bulletproof-security.  BPS does not do anything like that.  So something else that you have installed is doing that (plugin or theme).  The solution is in this Reply in this forum topic:   https://forum.ait-pro.com/forums/topic/unable-to-access-some-pages/#post-31716

    #32655
    Vintagepornbay.com
    Participant

    This code worked. But one of our users also reported to us that if he tries to search too often he gets the same error as well.

    Note: Could you also please remove the Hostname IP

    (REMOTE_ADDR: xxxxx Host Name: xxxxx)

    from the above code I gave.

    #32656
    AITpro Admin
    Keymaster

    BPS will either block something every time or not block something any time.  So if someone is performing a search that contains something that BPS will block then it will be blocked every time and not sometimes.  I would need to see a Security Log entry for what is being blocked.  If you do not see a Security Log entry for this then BPS is not blocking that.  It could possibly be one of these known issues below with searches using single or double quotes, but without the exact information about what the person is doing that is blocked or a Security Log entry to look at then I don’t really know what the problem is.  A logical guess would be that single or double quotes are being used by the person in your search form.

    Solution for allowing apostrophes/single quote code characters in search forms on the frontend of your website:  http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    Solution for allowing apostrophes/single quote code characters in search forms on the backend of your website:  http://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372

    #33138
    AITpro Admin
    Keymaster

    What is required to fix the problem would be 2 whitelist rules. Follow the steps below; if you have any problems, let us know.
    1. Add the customize.php skip/bypass rule below to this wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

    # WP Theme Customizer customize.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (customize\.php) [NC]
    RewriteRule . - [S=2]

    3. Add the customize.php skip/bypass rule below to this Root Custom Code text box: 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
    4. Click the Save Root Custom Code button.
    5. Go to the Security Modes page and click the Root and wp-admin BulletProof Mode Activate buttons.

    # WP Theme Customizer customize.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (customize\.php) [NC]
    RewriteRule . - [S=13]
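
    The two-rule fix above depends on rule order: a matching [S=n] rule skips exactly the next n rules, so the count has to cover every rule between it and the filter that would otherwise answer 403. The following Python model is an added example, not code from this thread or from BPS. It simulates that top-to-bottom walk over a constructed stand-in for the wp-admin .htaccess: an existing skip rule (assumed here to match admin-ajax.php) and a simplified Query String filter that refuses any URL scheme; the real BPS patterns are not shown on this page. It also generalises the renumbering note above: with existing skip rules [S=3], [S=2] and [S=1] below it, the new rule needs [S=4].

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """A RewriteCond/RewriteRule pair reduced to what matters for ordering."""
    name: str
    var: str               # request variable the RewriteCond tests
    pattern: str           # the RewriteCond regex, applied case-insensitively like [NC]
    skip: int = 0          # [S=n]: skip the next n rules when the condition matches
    forbid: bool = False   # [F]: answer 403 when the condition matches


def evaluate(rules, request):
    """Walk the rule list top to bottom as mod_rewrite does.

    A matching skip rule jumps over the next `skip` rules; a matching forbid
    rule ends processing with 403. Returns (status, name of the deciding rule).
    """
    i = 0
    while i < len(rules):
        rule = rules[i]
        if re.search(rule.pattern, request.get(rule.var, ""), re.IGNORECASE):
            if rule.forbid:
                return "403", rule.name
            i += rule.skip + 1   # the rule itself plus the n rules it skips
            continue
        i += 1
    return "200", None


def build_wp_admin_rules(customize_skip, existing_skips=(1,)):
    """Constructed stand-in for the wp-admin .htaccess (not the real BPS file).

    The customize.php skip rule is written above the existing skip rules, which
    sit above the Query String filter, so its [S=n] must jump past all of them.
    """
    rules = [Rule("customize-skip", "REQUEST_URI", r"customize\.php", skip=customize_skip)]
    for n in sorted(existing_skips, reverse=True):
        # Assumed content of the pre-existing skip rules: they whitelist admin-ajax.php.
        rules.append(Rule(f"existing-skip-{n}", "REQUEST_URI", r"admin-ajax\.php", skip=n))
    # Simplified stand-in for the RFI filter: any URL scheme in the Query String.
    rules.append(Rule("rfi-filter", "QUERY_STRING", r"(https?|ftp):/", forbid=True))
    return rules


def required_skip(existing_skips=(1,)):
    """Rules the new skip rule must jump over: every existing skip rule plus the filter."""
    return len(existing_skips) + 1


# Constructed requests: the Customizer link from the Security Log above (domain
# replaced with example.com) and a request that really carries a remote URL.
CUSTOMIZER_REQUEST = {
    "REQUEST_URI": "/wp-admin/customize.php",
    "QUERY_STRING": "autofocus%5Bsection%5D=custom_css&return=http://www.example.com/wp-admin/admin.php",
}
REMOTE_URL_REQUEST = {
    "REQUEST_URI": "/wp-admin/admin.php",
    "QUERY_STRING": "page=http://attacker.invalid/remote.txt",
}

if __name__ == "__main__":
    for skip in (1, 2):
        print(f"[S={skip}] Customizer link ->", evaluate(build_wp_admin_rules(skip), CUSTOMIZER_REQUEST))
    print("[S=2] remote URL in query ->", evaluate(build_wp_admin_rules(2), REMOTE_URL_REQUEST))
    stack = (3, 2, 1)
    print(f"existing skips {stack}: new rule needs [S={required_skip(stack)}]")
```

    Running the file prints the outcome for each stack. The point to take away is that the whitelist keys on REQUEST_URI, so a request to any other path that carries a URL in its query string is still refused by the filter; the skip rule narrows the exception to customize.php rather than weakening the filter itself.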

    #33223
    Valeria Mariya
    Participant

    403 is a permission error. Can you try deactivating Wordfence and any other security plugins temporarily? Sometimes, in an attempt to heighten security, things go a little too far.

    403 Forbidden errors are most definitely not caused by your theme. These usually have to do with how permalinks work on your site, and if HostGator is not set up to support WordPress mod_rewrite, or your WordPress install is inside a subfolder, you either need to implement workarounds in your .htaccess file, or move the content of your install into the site root and ensure the .htaccess file is writable by the server.

    First check the setting under Settings > Permalinks. If it is currently on Default, choose Post Name and save. This may be all you need to fix it, as long as your .htaccess file is writable by the server. If that does not help, or you know you have a subfolder install or see index.php in all your URLs, you or your host will need to manually fix the .htaccess.

    #33224
    AITpro Admin
    Keymaster

    @ Valeria Mariya – Sounds like you got your info about a 403 error being a “permission error” from this Wiki page:  https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_errors

    403 Forbidden
    The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource.

    The description from that Wiki page for an HTTP Status Code 403 error is pretty vague and can easily be misinterpreted. The World Wide Web Consortium (W3C) description below explains a 403 error in much better detail.

    https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.3

    10.4.4 403 Forbidden

    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

    In this specific case, what is occurring is the following:
    https://wordpress.stackexchange.com/questions/214473/link-to-specific-customizer-section
    The autofocus Query String that is being used in the WP Toolbar link to the Customizer page is a legitimate method to link directly to a particular section of the WP Customizer.

    This additional part of the Query String: return=http://www.vintagepornbay.com/wp-admin/admin.php is also legitimate, but it matches a very common hacking method called: Remote File Injection (RFI), which BPS blocks by default in the BPS Root htaccess file using a Query String matching rule to match RFI attack Strings/patterns.

    This additional part of the Query String: ?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php appears to be some kind of mistake since it should not be in that Query String at all. The first ? in a Query String is interpreted as the start of a/the Query String and is processed as such. All following ? code characters in a Query String are interpreted as the literal question mark code character (?). So for some odd reason the BPS plugin page URI is being pulled into that particular Query String when that should not be occurring. That has no impact on the real issue though, which is that the WP Toolbar Customizer link Query String happens to match a common RFI Attack method/string.

    So in summary, the cause and effect is straightforward for this particular issue. A BPS root htaccess security rule is blocking this particular Query String because it matches an RFI hacking attack, which the BPS root htaccess security rule blocks. So all that is required to fix this particular issue is to create a whitelist rule to allow the WP Toolbar Query String/Request to be allowed and not blocked.
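
    To make the Query String points in the reply above concrete, here is an added Python example (not part of the original thread and not BPS code). It splits the logged REQUEST_URI at its first "?", decodes the parameters, and reports which values begin with a URL scheme, which is the property a Query String based RFI filter reacts to whether the URL is a legitimate return address or not. The URI is the one from the Security Log entry above with the domain replaced by www.example.com; the second "?" inside the return value is shown to be nested data, not a second query string.

```python
import re
from urllib.parse import parse_qs

# Constructed from the Security Log entry in this thread, domain replaced with example.com.
LOGGED_REQUEST_URI = (
    "/wp-admin/customize.php?autofocus%5Bsection%5D=custom_css"
    "&return=http://www.example.com/wp-admin/admin.php"
    "?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php"
)

# A value starting with a URL scheme is what an RFI-style Query String filter keys on.
URL_VALUE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def split_query(uri):
    """Split at the first '?' only: that is where the query string starts.

    Every later '?' is an ordinary character inside a parameter value.
    """
    path, _, query = uri.partition("?")
    return path, query


def decode_params(query):
    """Percent-decode and split the query string into name -> [values]."""
    return parse_qs(query, keep_blank_values=True)


def url_valued_params(query):
    """Names of parameters whose decoded value begins with a URL scheme."""
    return sorted(
        name for name, values in decode_params(query).items()
        if any(URL_VALUE.match(v) for v in values)
    )


def explain(uri):
    """Break a request URI down the way the reply above describes."""
    path, query = split_query(uri)
    params = decode_params(query)
    return_value = params.get("return", [""])[0]
    # The 'return' value carries its own '?': it is nested inside the outer
    # query string, so the 'page=' part never reaches the outer request as a parameter.
    inner_path, inner_query = split_query(return_value)
    return {
        "path": path,
        "params": sorted(params),
        "url_valued": url_valued_params(query),
        "return_path": inner_path,
        "return_query": inner_query,
    }


if __name__ == "__main__":
    for key, value in explain(LOGGED_REQUEST_URI).items():
        print(f"{key}: {value}")
```

    The output shows that the outer request has exactly two parameters, that only "return" carries a URL, and that the Customizer path is what the whitelist rule should key on: a plain search such as s=hello+world has no URL-valued parameter and is not what the filter is refusing.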
