WooCommerce Product Feed Pro 403 WPADMIN-SBR error

[Nicki]

Hi,

I have a problem with the plugin Woocommerce Product Feed Pro by Webappick. It was working fine until the recent 4.7.5 wordpress update. Now I cannot save and regenerate a feed in the wp-admin as I am getting a 403 error. Below is the error message that is being logged:

[403 GET Request: 17th May 2017 - 1:45 pm]
BPS: 1.1
WP: 4.7.5
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 89.40.87.192
Host Name: 89.40.87.192
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: http://www.mydomain.com/wp-admin/admin.php?page=woo_feed_manage_feed
REQUEST_URI: /wp-admin/admin.php?page=woo_feed_manage_feed&link=http://www.mydomain.com/wp-content/uploads/woo-feed/google/xml/google-uk.xml
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:53.0) Gecko/20100101 Firefox/53.0

I have tried adding code to the skip bypass rules in both the root and wp-admin htaccess files, but I am not sure what I am doing and it hasn’t worked.

Also, and I’m not sure if this is related, but the google merchant center is now also having trouble accessing the feed, when it was working fine before. I am not seeing any block errors in the log for this, but when I activate the default htaccess file google can reach the file ok. So I wonder if the two problems are related. Google is producing a “Get file entry failed – Failed to obtain the file information. Please make sure the file exists AND that your feed has permission to access it.”

I have taken out all custom htaccess code from both the root and wp-admin htaccess files in an attempt to see if anything was conflicting, but the problems persist. So even with the base bulletproof secure htaccess files the plugin is being blocked.

Can you see what the problem might be?

Thanks for your help.

(As an aside, the domain name does have the word ‘vitamins’ in it in case that is seen as a dangerous word.)

[AITpro Admin]

UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

For the Woocommerce Product Feed Pro problem it sounds like maybe WordPress added some additional security measure in version 4.7.5 itself that is causing that problem.  The problem could also be caused by something like a new mod_security SecRule/SecFilter was created on your web host server right around the same time that you upgraded to WP 4.7.5.  So it may have appeared that WP 4.7.5 is the cause of the problem, but actually it is a change that your web host made on your web host server.  So what I would do first is ask your web host if they use mod_security or some other server security protection on your server and then ask them if anything was changed recently on your particular host server.

The google feed problem is definitely being caused by something in the BPS Root htaccess file since when you activated Default Mode that problem went away.  Are you seeing a Security Log entry for the google feed problem?  If not, then my first logical guess would be that google is making a HEAD Request to your Feed and that is what BPS is blocking.  Try doing this below and let me know if this fixes that google Feed problem.

1. Copy the REQUEST METHODS FILTERED .htaccess code below to the BPS Root Custom Code text box:  CUSTOM CODE REQUEST METHODS FILTERED
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

[AITpro Admin]

Looking at the list of changes that were done in WP 4.7.5:  https://codex.wordpress.org/Version_4.7.5 I don’t see anything that would be directly related to “feeds”, but maybe the XML-RPC changes that were made would affect your feed depending on how the Woocommerce Product Feed Pro plugin does whatever it does.  I still believe it is much more likely that something changed on your host server and not in WP itself.  Also you should check the Woocommerce Product Feed Pro plugin’s support area to see if other people are also experiencing this problem.

[Nicki]

Edit: Sorry I missed your first post, only the second came through to my email.
The code above solves the problem for the google feed, google can now access the feed again without a problem. Thank you!!

I did check the support for Woocommerce Product Feed Pro plugin but there is no mention of the 403 admin problem. I will contact their support and report back with any suggestions they have. My client has a dedicated server but I think there is a firewall provided by the hosting company, I am not sure if this would cause a problem.

[AITpro Admin]

UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

Jeez.  I missed that fact that the Woocommerce Product Feed Pro problem has to do with the BPS wp-admin htaccess file and not the BPS Root htaccess file.  Sorry about that.  To confirm that the BPS wp-admin file is causing the problem – deactivate wp-admin BulletProof Mode.  If the problem is no longer occurring then the solution is this one below. Also additional whitelisting may be required since the Request String is also simulating an RFI hacking/attack method against your site.  So let me know if the Query String skip/bypass rule works or not.

1. Copy the wp-admin htaccess code below into this BPS wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
2. Click the save wp-admin Custom Code button.
3. Go to the Security Modes page and click the wp-admin folder BulletProof Mode Activate button.

# Woocommerce Product Feed Pro Query String skip/bypass rule
RewriteCond %{QUERY_STRING} page=woo_feed_manage_feed(.*) [NC]
RewriteRule . - [S=2]

[Nicki]

So I deactivated the wp-admin bulletproof mode, but the problem remained. Deactivating the root bulletproof mode however and the problem is gone. I added your code above to the wp-admin custom code and reactivated wp-admin bulletproof mode and the problem has gone. Also reactivating root bulletproof mode and the problem is now gone. I had tried some code similar to yours above, but I obviously hadn’t got it quite right as it was causing a ‘too many redirects’ error for the site. But thank you so much for your help, and also manually sending your reply by email, everything is now working correctly again.:-)

[Author]

Posts