Whitelist fix for LiteSpeed Cache plugin – 403 Forbidden Error

Home Forums BulletProof Security Pro Whitelist fix for LiteSpeed Cache plugin – 403 Forbidden Error

Tagged: 

Viewing 15 posts - 1 through 15 (of 16 total)
  • Author
    Posts
  • #43943
    Iris
    Participant

    Hello

    I need help with formulating a Skip/Bypass rule or some whitelist fix for the LiteSpeed Cache plugin to add to BPS Custom Code for the wp-admin .htaccess file.

    This is because I cannot save changes to the LiteSpeed settings without getting a BPS 403 Forbidden Error message.

    The entry in the Security Log is:

    Event Code: WPADMIN-SBR
    
    HTTP_REFERER: https://mysite/wp-admin/admin.php?page=litespeed-page_optm
    
    REQUEST_URI: /wp-admin/admin.php?page=litespeed-page_optm
    
    QUERY_STRING: page=litespeed-page_optm

    I have tried searching the BPS Forums but not found anything specific for this situation.

    When convenient I would greatly appreciate if you could advise what rule I need to whitelist the LiteSpeed Cache please and which box I should put it, being a non-coder.

    Thank you in advance for your time.

    #43945
    AITpro Admin
    Keymaster

    Try this wp-admin Query String skip/bypass rule.

    Copy the LiteSpeed Cache Query String bypass rule below into this wp-admin Custom Code text box:  3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    Click the save wp-admin Custom Code button.
    Go to the Setup Wizard page, run the Pre-Installation Wizard and Setup Wizard.

    # LiteSpeed Cache wp-admin plugin skip/bypass rule
    RewriteCond %{QUERY_STRING} page=litespeed-page_optm(.*) [NC]
    RewriteRule . - [S=2]
    #43946
    Iris
    Participant

    Thank you for the fast reply.  Unfortunately that didn’t work.  The BPS 403 Forbidden Error was triggered when trying to save changes in Page Optimizations.

    The same entry as before in the Security Log but now with lines and lines of code (not all posted) following “REQUEST BODY”.

    HTTP_REFERER: https://mysite.com.au/wp-admin/admin.php?page=litespeed-page_optm
    REQUEST_URI: /wp-admin/admin.php?page=litespeed-page_optm
    QUERY_STRING: page=litespeed-page_optm
    HTTP_USER_AGENT: deleted
    REQUEST BODY: LSCWP_CTRL=save-settings&LSCWP_NONCE=a6fe8db92d&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dlitespeed-page_optm&_settings-enroll%5B%5D=optm-css_min&optm-css_min=1&_settings-enroll%5B%5D=optm-css_comb&optm-css_comb=0&_settings-enroll%5B%5D=optm-ucss&optm-ucss=0&_settings-enroll%5B%5D=optm-ucss_inline&optm-ucss_inline=0&_settings-enroll%5B%5D=optm-css_comb_ext_inl&optm-css_comb_ext_inl=0&_settings-enroll%5B%5D=optm-css_async&optm-css_async=0&_settings-enroll%5B%5D=optm-ccss_per_url&optm-ccss_per_url=0&_settings-enroll%5B%5D=optm-css_async_inline&optm-css_async_inline=0&_settings-enroll%5B%5D=optm-css_font_display&optm-..........

    I deactivated the UAEG and the Plugin Firewall in turn but each time I tried to save changes in LiteSpeed still got the 403 error.

    I then renamed the HT Access file to HT Access-old and tried again to save changes in LiteSpeed Page Optimization in.  Below appeared on a white screen:

    XXX.XXX.XXX.XXX/wp-admin/admin.php?page=litespeed-page_optmmysite.com.au …..deleted user agent

    I noticed the below entry in the PHP Error Log:

    PHP Notice:  unserialize(): Error at offset 0 of 15 bytes in /home/mysite/public_html/wp-content/plugins/bulletproof-security/bulletproof-security.php on line 237

    Is this related?  Or is it something I can ignore?

    I look forward to your reply and thank you for your time.

    #43947
    AITpro Admin
    Keymaster

    You can deactivate Root folder BulletProof Mode and wp-admin BulletProof Mode instead of renaming the root htaccess file and wp-admin htaccess file.  If you are still seeing a 403 error after deactivating both the root and wp-admin files then most likely ModSecurity CRS installed on your web host is blocking the POST Request.

    #43949
    Iris
    Participant

    Thanks for your response.

    When I deactivated Root folder BulletProof Mode and wp-admin BulletProof Mode I did not see a 403 error but saw below on a white page, same as before after renaming htaccess:

    My IP/wp-admin/admin.php?page=litespeed-page_optmXXXXXX.comXXXuser agentdetails

    Also there was a BPS message in red that “LiteSpeed Cache Plugin htaccess code was not found in your Root htaccess file”.

    Weirdly it is only the LiteSpeed Cache Page Optimization page, url: /wp-admin/admin.php?page=litespeed-page_optm where I can’t save changes, I see the 403.  I can save changes in the other pages/tabs without issues.

    What else can I try, another whitelist rule?   Skip, bypass?

    Thanks again for your time.

     

    #43950
    AITpro Admin
    Keymaster

    I’ll test the LiteSpeed Cache plugin later today and figure out what is going on.  Try deactivating just wp-admin BulletProof Mode and see if that works.

    #43956
    Iris
    Participant

    Thank you so much.  I deactivated just wp-admin BulletProof Mode but still the 403.  In desperation I put /litespeed-cache/ into the Whitelist Text Area, saved, activated but still the 403.

    I look forward to your reply, and thanks again.

    #43958
    AITpro Admin
    Keymaster

    Try adding a Query String skip/bypass rule in Root Custom Code as well as wp-admin Custom code.  Maybe the page is doing both a POST and a GET Request by posting back to itself, which of course is awful amateur design if that is what is going on. I will be testing LiteSpeed Cache tomorrow if you want to wait until I figure out what is going on.

    Copy the code below into this Root htaccess file Custom Code text box:  10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
    Click the Save Root Custom Code button.
    Run the Pre-Installation Wizard and Setup Wizard.

    # LiteSpeed Cache plugin Root htaccess skip/bypass rule
    RewriteCond %{QUERY_STRING} page=litespeed-page_optm(.*) [NC]
    RewriteRule . - [S=13]
    #43960
    Iris
    Participant

    Many thanks, I will wait until tomorrow or when you get a chance to test. Very grateful for your time.

     

    #43961
    AITpro Admin
    Keymaster

    The LiteSpeed Cache plugin is using professional and well coded methods to process option settings on the LiteSpeed Cache Page Optimization page.

    I have tested the LiteSpeed Cache plugin and specifically saving option settings on the LiteSpeed Cache Page Optimization page and no 403 errors are occurring.  Logically this would mean that your server or CloudFlare or something else is doing something silly like caching the wp-admin backend area or something similarly ridiculous, which would of course break things.  If you would like for me to assess what ridiculousness is occurring with your host server or site setup then send a WordPress Administrator login to:  info@ait-pro.com.

    #43962
    Iris
    Participant

    Thank you so much for testing!  You mentioned caching of wp-admin so I unchecked caching of both wp-admin and logged-in users  in the litespeed settings.  Still saw the 403.

    I use Cloudflare turnstile on my contact form.  I don’t know what the correct file name is for https://challenges.cloudflare.com/turnstile/v0/api.js so I put /turnstile/v0/api.js.  Still the 403.

    I don’t know if this sheds any light for troubleshooting:

    Recently I upgraded my site to have four times as much memory and CPU. Same host, different (shared) server.  Before that I could not run the BPS Pre-Install/Setup Wizard (saw 503 error) but was able to save all changes in Litespeed including page=litespeed-page_optm.  It makes no sense now that I can run the Wizard but not save changes on that one page.

    I would greatly appreciate it if you could look at my site setup as suggested and have emailed you a login as advised.

    Please let me know any problems with that as I have not done that before.

    I have left out the above code you provided in both places for the purposes of investigation.

    Thank you again for your time.

     

    #43963
    AITpro Admin
    Keymaster

    I hope my statements don’t come across as negative towards caching plugins, but with that said I spent months trying to get the most popular caching plugins to work around 10 years ago. I eventually gave up and went a different route > I created a stripped down custom theme that eliminates all the standard WP bloat. This site loads in under 1 second without any caching plugins installed because the WP custom theme itself is fast.  My point > sometimes a quick solution like a caching plugin is pretty much a band-aid solution.

    A 503 error when running the setup wizard is one of 2 things > a ModSecurity CRS problem or a web host resource limitation problem.

    #43966
    AITpro Admin
    Keymaster

    BPS is not blocking the POST Request on the LiteSpeed Cache Page Optimization page.  It is definitely ModSecurity CRS.  Contact your web host support folks and ask them to whitelist the POST Request for this LiteSpeed Cache plugin page > /wp-admin/admin.php?page=litespeed-page_optm

    Note: In order to save Custom Code I had to use the Encrypt Custom Code buttons to bypass/evade ModSecurity CRS installed on your host server.

    #43968
    Iris
    Participant

    Thank you so much for looking into it, greatly appreciate your time.  ModSecurity seems to cause some issues, I have contacted my host.

    Re caching plugins if you have the knowledge to do something different why not? Your setup sounds ideal.   Novices like me need something of sorts to meet the rigours of Google’s web vitals or get punished.  I spent many weeks, months last year trying to improve my scores on Google Page Speed etc with all manner of tweaks.  Such a waste of time though.

    Thanks again.

     

    #43969
    Iris
    Participant

    A follow up, you were correct.  My Host said my account had hit a couple of ModSecurity rules.  They have now excluded one and I can save changes.

    Thanks again!

Viewing 15 posts - 1 through 15 (of 16 total)
  • You must be logged in to reply to this topic.