Whitelist fix for LiteSpeed Cache plugin – 403 Forbidden Error

    #43943
    Frank
    Participant

    Hello

    I need help with formulating a Skip/Bypass rule or some whitelist fix for the LiteSpeed Cache plugin to add to BPS Custom Code for the wp-admin .htaccess file.

    This is because I cannot save changes to the LiteSpeed settings without getting a BPS 403 Forbidden Error message.

    The entry in the Security Log is:

    Event Code: WPADMIN-SBR
    HTTP_REFERER: https://mysite/wp-admin/admin.php?page=litespeed-page_optm
    REQUEST_URI: /wp-admin/admin.php?page=litespeed-page_optm
    QUERY_STRING: page=litespeed-page_optm

    I have tried searching the BPS Forums but not found anything specific for this situation.

    When convenient, I would greatly appreciate it if you could advise what rule I need to whitelist the LiteSpeed Cache plugin, and which box I should put it in, being a non-coder.

    Thank you in advance for your time.

    #43945
    AITpro Admin
    Keymaster

    Try this wp-admin Query String skip/bypass rule.

    Copy the LiteSpeed Cache Query String bypass rule below into this wp-admin Custom Code text box:  3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    Click the save wp-admin Custom Code button.
    Go to the Setup Wizard page, run the Pre-Installation Wizard and Setup Wizard.

    # LiteSpeed Cache wp-admin plugin skip/bypass rule
    RewriteCond %{QUERY_STRING} page=litespeed-page_optm(.*) [NC]
    RewriteRule . - [S=2]

    #43946
    Frank
    Participant

    Thank you for the fast reply.  Unfortunately that didn’t work.  The BPS 403 Forbidden Error was triggered when trying to save changes in Page Optimizations.

    The same entry as before in the Security Log but now with lines and lines of code (not all posted) following “REQUEST BODY”.

    HTTP_REFERER: https://mysite.com.au/wp-admin/admin.php?page=litespeed-page_optm
    REQUEST_URI: /wp-admin/admin.php?page=litespeed-page_optm
    QUERY_STRING: page=litespeed-page_optm
    HTTP_USER_AGENT: deleted
    REQUEST BODY: LSCWP_CTRL=save-settings&LSCWP_NONCE=a6fe8db92d&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dlitespeed-page_optm&_settings-enroll%5B%5D=optm-css_min&optm-css_min=1&_settings-enroll%5B%5D=optm-css_comb&optm-css_comb=0&_settings-enroll%5B%5D=optm-ucss&optm-ucss=0&_settings-enroll%5B%5D=optm-ucss_inline&optm-ucss_inline=0&_settings-enroll%5B%5D=optm-css_comb_ext_inl&optm-css_comb_ext_inl=0&_settings-enroll%5B%5D=optm-css_async&optm-css_async=0&_settings-enroll%5B%5D=optm-ccss_per_url&optm-ccss_per_url=0&_settings-enroll%5B%5D=optm-css_async_inline&optm-css_async_inline=0&_settings-enroll%5B%5D=optm-css_font_display&optm-..........

    I deactivated the UAEG and the Plugin Firewall in turn but each time I tried to save changes in LiteSpeed still got the 403 error.

    I then renamed the HT Access file to HT Access-old and tried again to save changes in LiteSpeed Page Optimization.  Below appeared on a white screen:

    XXX.XXX.XXX.XXX/wp-admin/admin.php?page=litespeed-page_optmmysite.com.au …..deleted user agent

    I noticed the below entry in the PHP Error Log:

    PHP Notice:  unserialize(): Error at offset 0 of 15 bytes in /home/mysite/public_html/wp-content/plugins/bulletproof-security/bulletproof-security.php on line 237

    Is this related?  Or is it something I can ignore?

    I look forward to your reply and thank you for your time.

    #43947
    AITpro Admin
    Keymaster

    You can deactivate Root folder BulletProof Mode and wp-admin BulletProof Mode instead of renaming the root htaccess file and wp-admin htaccess file.  If you are still seeing a 403 error after deactivating both the root and wp-admin files then most likely ModSecurity CRS installed on your web host is blocking the POST Request.

    #43949
    Frank
    Participant

    Thanks for your response.

    When I deactivated Root folder BulletProof Mode and wp-admin BulletProof Mode I did not see a 403 error but saw below on a white page, same as before after renaming htaccess:

    My IP/wp-admin/admin.php?page=litespeed-page_optmXXXXXX.comXXXuser agentdetails

    Also there was a BPS message in red that “LiteSpeed Cache Plugin htaccess code was not found in your Root htaccess file”.

    Weirdly it is only the LiteSpeed Cache Page Optimization page, url: /wp-admin/admin.php?page=litespeed-page_optm where I can’t save changes, I see the 403.  I can save changes in the other pages/tabs without issues.

    What else can I try, another whitelist rule?   Skip, bypass?

    Thanks again for your time.

    #43950
    AITpro Admin
    Keymaster

    I’ll test the LiteSpeed Cache plugin later today and figure out what is going on.  Try deactivating just wp-admin BulletProof Mode and see if that works.

    #43956
    Frank
    Participant

    Thank you so much.  I deactivated just wp-admin BulletProof Mode but still the 403.  In desperation I put /litespeed-cache/ into the Whitelist Text Area, saved, activated but still the 403.

    I look forward to your reply, and thanks again.

    #43958
    AITpro Admin
    Keymaster

    Try adding a Query String skip/bypass rule in Root Custom Code as well as wp-admin Custom code.  Maybe the page is doing both a POST and a GET Request by posting back to itself, which of course is awful amateur design if that is what is going on. I will be testing LiteSpeed Cache tomorrow if you want to wait until I figure out what is going on.

    Copy the code below into this Root htaccess file Custom Code text box:  10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
    Click the Save Root Custom Code button.
    Run the Pre-Installation Wizard and Setup Wizard.

    # LiteSpeed Cache plugin Root htaccess skip/bypass rule
    RewriteCond %{QUERY_STRING} page=litespeed-page_optm(.*) [NC]
    RewriteRule . - [S=13]

    #43960
    Frank
    Participant

    Many thanks, I will wait until tomorrow or when you get a chance to test. Very grateful for your time.

    #43961
    AITpro Admin
    Keymaster

    The LiteSpeed Cache plugin is using professional and well coded methods to process option settings on the LiteSpeed Cache Page Optimization page.

    I have tested the LiteSpeed Cache plugin and specifically saving option settings on the LiteSpeed Cache Page Optimization page and no 403 errors are occurring.  Logically this would mean that your server or CloudFlare or something else is doing something silly like caching the wp-admin backend area or something similarly ridiculous, which would of course break things.  If you would like for me to assess what ridiculousness is occurring with your host server or site setup then send a WordPress Administrator login to:  info@ait-pro.com.

    #43962
    Frank
    Participant

    Thank you so much for testing!  You mentioned caching of wp-admin so I unchecked caching of both wp-admin and logged-in users  in the litespeed settings.  Still saw the 403.

    I use Cloudflare turnstile on my contact form.  I don’t know what the correct file name is for https://challenges.cloudflare.com/turnstile/v0/api.js so I put /turnstile/v0/api.js.  Still the 403.

    I don’t know if this sheds any light for troubleshooting:

    Recently I upgraded my site to have four times as much memory and CPU. Same host, different (shared) server.  Before that I could not run the BPS Pre-Install/Setup Wizard (saw 503 error) but was able to save all changes in Litespeed including page=litespeed-page_optm.  It makes no sense now that I can run the Wizard but not save changes on that one page.

    I would greatly appreciate it if you could look at my site setup as suggested and have emailed you a login as advised.

    Please let me know any problems with that as I have not done that before.

    I have left out the above code you provided in both places for the purposes of investigation.

    Thank you again for your time.

    #43963
    AITpro Admin
    Keymaster

    I hope my statements don’t come across as negative towards caching plugins, but with that said I spent months trying to get the most popular caching plugins to work around 10 years ago. I eventually gave up and went a different route > I created a stripped down custom theme that eliminates all the standard WP bloat. This site loads in under 1 second without any caching plugins installed because the WP custom theme itself is fast.  My point > sometimes a quick solution like a caching plugin is pretty much a band-aid solution.

    A 503 error when running the setup wizard is one of 2 things > a ModSecurity CRS problem or a web host resource limitation problem.

    #43966
    AITpro Admin
    Keymaster

    BPS is not blocking the POST Request on the LiteSpeed Cache Page Optimization page.  It is definitely ModSecurity CRS.  Contact your web host support folks and ask them to whitelist the POST Request for this LiteSpeed Cache plugin page > /wp-admin/admin.php?page=litespeed-page_optm

    Note: In order to save Custom Code I had to use the Encrypt Custom Code buttons to bypass/evade ModSecurity CRS installed on your host server.

    #43968
    Frank
    Participant

    Thank you so much for looking into it, greatly appreciate your time.  ModSecurity seems to cause some issues, I have contacted my host.

    Re caching plugins if you have the knowledge to do something different why not? Your setup sounds ideal.   Novices like me need something of sorts to meet the rigours of Google’s web vitals or get punished.  I spent many weeks, months last year trying to improve my scores on Google Page Speed etc with all manner of tweaks.  Such a waste of time though.

    Thanks again.

    #43969
    Frank
    Participant

    A follow up, you were correct.  My Host said my account had hit a couple of ModSecurity rules.  They have now excluded one and I can save changes.

    Thanks again!
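
What a narrowly scoped host-side exclusion for the request discussed in this thread could look like in ModSecurity v2 syntax, as an added example that is not from the thread or from the host's configuration. The local rule id 1000001 and the excluded rule id 999999 are placeholders, since the thread does not say which rule the host excluded.

```apache
# Added example: scoped ModSecurity exclusion (assumed host-side config,
# not taken from the thread).
#
# Goal: stop one CRS rule from blocking the LiteSpeed Cache
# "Page Optimization" settings save, without disabling ModSecurity
# for wp-admin or for the whole site.
#
# 1000001 = arbitrary id for this local rule (placeholder).
# 999999  = PLACEHOLDER for the id of the rule that fired; the real
#           value is the [id "..."] field of the ModSecurity log entry
#           written for the blocked POST request.
#
# The chain only matches when all three conditions hold:
#   1. the request method is POST
#   2. the script is /wp-admin/admin.php
#   3. the query string parameter page is exactly litespeed-page_optm
# ctl:ruleRemoveById sits on the last link of the chain, so the rule is
# removed for that single transaction only.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1000001,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" \
        "t:none,chain"
        SecRule ARGS_GET:page "@streq litespeed-page_optm" \
            "t:none,ctl:ruleRemoveById=999999"
```

Matching on the exact page value rather than a prefix keeps the exclusion from applying to other admin pages, and every other rule continues to inspect the request.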
