Wishlist Member blocked – 403 error



    I am seeing the following log entry when using Wishlist Member plugin and it is not allowing new members to be added that purchase. It is also apparently blocking Wishlist Member to add new members to my Aweber autoresponder.

    [403 GET Request: November 14, 2018 - 12:31 am]
    BPS Pro: 13.7
    WP: 4.9.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    Host Name:
    HTTP_REFERER: https://theonlinemarketingnewsletter.com
    REQUEST_URI: /cgi-bin/webscr?cmd=_xclick-subscriptions&subscription_fallback=true&force_sa=true&xo_node_fallback=true&cmd=_xclick-subscriptions&business=sales%40theonlinemarketingnewsletter.com&item_name=Newsletter%20Product&item_number=1528327010&no_note=1&no_shipping=1&rm=2&bn=WishListProducts_SP&cancel_return=https%3A%2F%2Ftheonlinemarketingnewsletter.com&notify_url=https%3A%2F%2Ftheonlinemarketingnewsletter.com%2Findex.php%2Fregister%2FMVlmtz&return=https%3A%2F%2Ftheonlinemarketingnewsletter.com%2Findex.php%2Fregister%2FMVlmtz&currency_code=USD&charset=utf-8&a3=4.95&p3=1&t3=M&src=1&merchant_country=US&merchant_id=8XQNHQUWACG2U&merchant_email=sales%40theonlinemarketingnewsletter.com&wa_type=Subscription&fallback=1&force_sa=true&xo_node_fallback=true&shopping_cart_node_fallback=true
    QUERY_STRING: cmd=_xclick-subscriptions&subscription_fallback=true&force_sa=true&xo_node_fallback=true&cmd=_xclick-subscriptions&business=sales%40theonlinemarketingnewsletter.com&item_name=Newsletter%20Product&item_number=1528327010&no_note=1&no_shipping=1&rm=2&bn=WishListProducts_SP&cancel_return=https%3A%2F%2Ftheonlinemarketingnewsletter.com&notify_url=https%3A%2F%2Ftheonlinemarketingnewsletter.com%2Findex.php%2Fregister%2FMVlmtz&return=https%3A%2F%2Ftheonlinemarketingnewsletter.com%2Findex.php%2Fregister%2FMVlmtz&currency_code=USD&charset=utf-8&a3=4.95&p3=1&t3=M&src=1&merchant_country=US&merchant_id=8XQNHQUWACG2U&merchant_email=sales%40theonlinemarketingnewsletter.com&wa_type=Subscription&fallback=1&force_sa=true&xo_node_fallback=true&shopping_cart_node_fallback=true
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50
    AITpro Admin

    What is being blocked is: cgi-bin in this BPS root htaccess file security rule: RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]. To fix this issue do the steps below.

    1. Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS. Note: If you already see existing BPSQSE code in this Custom Code text box then overwrite it. Rerunning the Wizards will run Setup Wizard AutoFix, which will add/combine any previous whitelisted rules back into the BPSQSE code in this Custom Code text box.
    2. Click the Save Root Custom Code button.
    3. Go to the Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard.

    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    #RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
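    To check why the logged request trips the chain above and that commenting out the cgi-bin condition is enough to let it through, the following added example (not code from the thread, BPS or Wishlist Member) replays the logged request against a representative subset of the BPSQSE conditions. It assumes that Python's re module behaves like Apache's PCRE for these patterns, that mod_rewrite tests QUERY_STRING in its raw percent-encoded form, and that THE_REQUEST is the request line reassembled from the logged REQUEST_URI; the traversal probe at the end is constructed to confirm the rest of the chain still blocks.

```python
import re

# The request from the first post, reassembled into the server variables that
# mod_rewrite evaluates. QUERY_STRING is kept exactly as logged (percent-encoded),
# because Apache matches it before any decoding.
LOGGED_URI = ("/cgi-bin/webscr?cmd=_xclick-subscriptions&subscription_fallback=true"
              "&force_sa=true&xo_node_fallback=true&cmd=_xclick-subscriptions"
              "&business=sales%40theonlinemarketingnewsletter.com&item_name=Newsletter%20Product"
              "&item_number=1528327010&no_note=1&no_shipping=1&rm=2&bn=WishListProducts_SP"
              "&cancel_return=https%3A%2F%2Ftheonlinemarketingnewsletter.com"
              "&notify_url=https%3A%2F%2Ftheonlinemarketingnewsletter.com%2Findex.php%2Fregister%2FMVlmtz"
              "&return=https%3A%2F%2Ftheonlinemarketingnewsletter.com%2Findex.php%2Fregister%2FMVlmtz"
              "&currency_code=USD&charset=utf-8&a3=4.95&p3=1&t3=M&src=1&merchant_country=US"
              "&merchant_id=8XQNHQUWACG2U&merchant_email=sales%40theonlinemarketingnewsletter.com"
              "&wa_type=Subscription&fallback=1&force_sa=true&xo_node_fallback=true"
              "&shopping_cart_node_fallback=true")

WISHLIST_REQUEST = {
    "THE_REQUEST": "GET " + LOGGED_URI + " HTTP/1.1",  # assumed request line
    "QUERY_STRING": LOGGED_URI.split("?", 1)[1],
    "HTTP_REFERER": "https://theonlinemarketingnewsletter.com",
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
}

# Constructed probe that the chain must still reject after the cgi-bin edit.
TRAVERSAL_REQUEST = {
    "THE_REQUEST": "GET /index.php?file=../../etc/passwd HTTP/1.1",
    "QUERY_STRING": "file=../../etc/passwd",
    "HTTP_REFERER": "",
    "HTTP_USER_AGENT": "Mozilla/5.0",
}

# Representative subset of the BPSQSE chain: (server variable, pattern, [NC] flag).
# Every RewriteCond carries [OR], so the first condition that matches forbids the
# request via "RewriteRule ^(.*)$ - [F]".
RULES_WITH_CGI_BIN = [
    ("HTTP_USER_AGENT", r"(havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)", True),
    ("THE_REQUEST", r"etc/passwd", True),
    ("THE_REQUEST", r"cgi-bin", True),
    ("HTTP_REFERER", r"(%0A|%0D|%27|%3C|%3E|%00)", True),
    ("QUERY_STRING", r"[a-zA-Z0-9_]=(http|https)://", True),
    ("QUERY_STRING", r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", True),
    ("QUERY_STRING", r"(http|https)\:", True),
    ("QUERY_STRING", r"(\<|%3C).*script.*(\>|%3E)", True),
    ("QUERY_STRING", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    ("QUERY_STRING", r"(localhost|loopback|127\.0\.0\.1)", True),
    ("QUERY_STRING", r"union([^s]*s)+elect", True),
]

# The fix from the post: the cgi-bin condition is commented out, nothing else changes.
RULES_WITHOUT_CGI_BIN = [rule for rule in RULES_WITH_CGI_BIN if rule[1] != "cgi-bin"]


def first_matching_rule(request, rules):
    """Return (variable, pattern) of the first condition that fires, or None when
    the request passes the whole OR chain."""
    for var, pattern, nocase in rules:
        flags = re.IGNORECASE if nocase else 0
        if re.search(pattern, request.get(var, ""), flags):
            return (var, pattern)
    return None


def decision(request, rules):
    """'403' when any condition fires, otherwise 'pass'."""
    return "403" if first_matching_rule(request, rules) else "pass"


if __name__ == "__main__":
    for label, rules in (("original chain", RULES_WITH_CGI_BIN),
                         ("cgi-bin commented out", RULES_WITHOUT_CGI_BIN)):
        print(f"{label:22s} Wishlist/PayPal request: {decision(WISHLIST_REQUEST, rules)}, "
              f"matched: {first_matching_rule(WISHLIST_REQUEST, rules)}")
        print(f"{'':22s} traversal probe: {decision(TRAVERSAL_REQUEST, rules)}")
```

    Only the cgi-bin condition fires on the logged request; the referer, user agent and the percent-encoded return URLs in the query string match nothing else, which is why commenting out that one line is a targeted change rather than a loosening of the whole chain. The same replay is a quick way to check any future whitelisting edit before rerunning the Setup Wizard.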

    I entered the code as you instructed but now I get this error after a person purchases:

    [14-Nov-2018 22:37:18 UTC] WordPress database error Illegal mix of collations (utf8mb4_unicode_ci,IMPLICIT) and (utf8mb4_unicode_520_ci,IMPLICIT) for operation '=' for query DELETE omn_wlm_contentlevels FROM omn_wlm_contentlevels LEFT JOIN omn_posts ON omn_wlm_contentlevels.content_id=omn_posts.ID AND omn_wlm_contentlevels.type=omn_posts.post_type WHERE omn_wlm_contentlevels.type NOT LIKE '~%%' AND omn_posts.ID IS NULL made by require('wp-blog-header.php'), require_once('wp-load.php'), require_once('wp-config.php'), require_once('wp-settings.php'), do_action('init'), WP_Hook->do_action, WP_Hook->apply_filters, call_user_func_array, WishListMember->Init, call_user_func, WishListMember->Paypal, WishListMemberCore->__call, call_user_func_array, WLM_INTEGRATION_PAYPAL->Paypal, WishListMemberPluginMethods->ShoppingCartRegistration, WishListMemberPluginMethods->WPMRegister, WishListMemberPluginMethods->SyncContent
    AITpro Admin

    That PHP error means exactly what it says, which is that 1 of the database tables is using utf8mb4_unicode_ci collation and the other 1 is using utf8mb4_unicode_520_ci collation.  I recommend that you send or post this PHP error to the Wishlist member plugin folks in case they need to change some of their plugin code that creates database tables/collation. The PHP error is not related to BPS in any way.  If you are familiar with phpMyAdmin then you can change the collation for 1 of the tables so the collation matches, but I can’t tell you which 1 to use. So I recommend that you ask the Wishlist member plugin folks about that.

    This SO forum post explains this PHP error in more detail > https://stackoverflow.com/questions/3029321/troubleshooting-illegal-mix-of-collations-error-in-mysql


    Hi Edward,

    I’m in contact with the lead dev of WishList Member to try to fix that WLM PHP error, which is at least 2 years old now.

    He kindly asked for my FTP credentials to see what’s wrong, but I don’t know him, and so I am reluctant to do so.

    I’d like to suggest that he download BPS Free so that he can try to replicate the error on a test site himself?

    But does BPS Free log that type of error or would he need the BPS Pro?


    AITpro Admin

    @ Laurent – The php error has nothing to do with BPS or BPS Pro.  If the php error is the same as the php error that Terry posted then you would need to send these things to the WLM plugin author:  The php error and a screenshot of your database tables using phpMyAdmin or a list of all of your database table collations.


    That’s what I did Edward. But it looks like it is not enough.

    I’m afraid he is not able to replicate the problem and wants to see it on my site.

    That’s why I came up with the idea of suggesting that he download BPS Free and test it himself, to see if his version of BPS also flags some PHP errors.

    AITpro Admin

    @ Laurent – BPS free does not come with a built-in PHP Error Log feature. I can tell you how to fix this php error.  Send me the php error and a screenshot of your DB or a list of database table collations. Send to: info at ait-pro dot com.


    You’re awesome, I’ll do it right away. 🙂

    AITpro Admin

    I’m going to document this issue in this forum topic to help any other people who run into this issue in the future.

    The problem is that your xx_posts database table is using this collation: utf8mb4_unicode_520_ci, and the WLM plugin is using this collation: utf8mb4_unicode_ci. WLM is trying to get relevant data (LEFT JOIN) from the xx_posts db table to delete something relevant in the xx_wlm_contentlevels db table.

    utf8mb4_unicode_ci vs utf8mb4_unicode_520_ci database table collations basically comes down to particular needs, but in your particular case I don’t think “particular needs” is relevant here.


    When in doubt use: utf8mb4_unicode_520_ci

    After knowing all this, it may still be difficult to choose a charset and a collation. My suggestion is that you should always use utf8mb4 charsets over utf8 charsets, and when in doubt, use utf8mb4_unicode_520_ci as it offers the greatest number of characters that you can store, and it sorts characters in the most correct way possible.

    Do these steps to see if this fixes the problem. Since your WordPress DB tables are using utf8mb4_unicode_520_ci collation and this particular DB collation is recommended over other collations then the logical choice is to change the WLM DB tables from: utf8mb4_unicode_ci to: utf8mb4_unicode_520_ci.

    1. Create a DB Backup of your entire Database in case a problem occurs so that you can restore your DB backup if needed.
    2. Use the phpMyAdmin general steps in this link to change your database collation > https://mediatemple.net/community/products/dv/204403914/default-mysql-character-set-and-collation
    3. Test WLM, other plugins and things in general on your website to see if any errors or problems occur.
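    The collation mismatch described in the two AITpro Admin posts above (the "Illegal mix of collations" error on the DELETE ... LEFT JOIN, and the fix of moving the WLM tables to utf8mb4_unicode_520_ci) can be planned and verified from a plain table/collation listing before anything is changed. The following is an added example, not code from the thread, BPS or Wishlist Member. It assumes a listing in the shape returned by the information_schema query in the usage note; the omn_ prefix and the omn_posts / omn_wlm_contentlevels tables are taken from the error in this thread, while the other table names and their collations are constructed for the example.

```python
from collections import Counter

# Constructed sample listing: table name -> table collation. Only omn_posts and
# omn_wlm_contentlevels are from the thread; the rest are made-up sample rows.
SAMPLE_TABLES = {
    "omn_posts": "utf8mb4_unicode_520_ci",
    "omn_users": "utf8mb4_unicode_520_ci",
    "omn_options": "utf8mb4_unicode_520_ci",
    "omn_wlm_contentlevels": "utf8mb4_unicode_ci",
    "omn_wlm_options": "utf8mb4_unicode_ci",  # hypothetical plugin table
}


def dominant_collation(tables):
    """The collation most of the tables already use; the outliers get aligned to it."""
    return Counter(tables.values()).most_common(1)[0][0]


def find_mismatches(tables, target):
    """Tables whose collation differs from the target, in a stable order."""
    return sorted(name for name, coll in tables.items() if coll != target)


def join_is_safe(tables, left, right):
    """A string '=' across two tables (as in the WLM DELETE ... LEFT JOIN) needs the
    same collation on both sides, otherwise MySQL raises 'Illegal mix of collations'."""
    return tables[left] == tables[right]


def alter_statements(tables, target):
    """CONVERT TO CHARACTER SET re-collates the existing text columns as well as the
    table default. Changing only the table default (ALTER TABLE ... COLLATE ...) would
    leave the columns, and therefore the comparison in the JOIN, on the old collation."""
    charset = target.split("_", 1)[0]  # utf8mb4_unicode_520_ci -> utf8mb4
    return [f"ALTER TABLE `{name}` CONVERT TO CHARACTER SET {charset} COLLATE {target};"
            for name in find_mismatches(tables, target)]


def apply_plan(tables, target):
    """Simulate the listing after the ALTERs have run, so the result can be verified
    offline; the real check is to rerun the information_schema query afterwards."""
    outliers = set(find_mismatches(tables, target))
    return {name: (target if name in outliers else coll) for name, coll in tables.items()}


def all_aligned(tables, target):
    """True when no table is left on a different collation."""
    return not find_mismatches(tables, target)


if __name__ == "__main__":
    target = dominant_collation(SAMPLE_TABLES)
    print("target collation:", target)
    print("JOIN omn_wlm_contentlevels = omn_posts safe before:",
          join_is_safe(SAMPLE_TABLES, "omn_wlm_contentlevels", "omn_posts"))
    for stmt in alter_statements(SAMPLE_TABLES, target):
        print(stmt)
    after = apply_plan(SAMPLE_TABLES, target)
    print("JOIN safe after:", join_is_safe(after, "omn_wlm_contentlevels", "omn_posts"))
    print("all tables aligned:", all_aligned(after, target))
```

    To get the real listing, run SELECT TABLE_NAME, TABLE_COLLATION FROM information_schema.TABLES WHERE TABLE_SCHEMA = DATABASE(); in the phpMyAdmin SQL tab and paste the rows into SAMPLE_TABLES. Take the full database backup from step 1 before running any of the generated ALTER statements, and rerun the same SELECT afterwards to confirm that every table reports the target collation.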
