Wordfence admin-ajax.php Authentication Required
- This topic has 8 replies, 2 voices, and was last updated 11 years, 11 months ago by
AITpro Admin.
AITpro Admin
Keymaster
Email Question:
What I really wanted to say was in response to this post: http://forum.ait-pro.com/forums/topic/bps-pro-compatibility-with-other-wordpress-security-plugins/ I had BPS Free and WordFence installed on multiple blogs – all working well. I upgraded WP, BPS and WF to the latest 1 day ago, and now all have the same problem: going to the blog home page I get an “Authentication Required” box. View Source shows: And indeed, when I Temporarily disabled “Enable Live Traffic View” in WF, it fixes the problem. So Wordfence has a script on the home page that calls wp-admin/admin-ajax.php which triggers “Authentication Required”. I tried tips in http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Full-Screen-Background-Images-Pro
On /wp-admin/.htaccess: "# BEGIN CUSTOM CODE WPADMIN PLUGIN FIXES" (but they did nothing):
# Wordfence has a script on the home page that calls wp-admin/admin-ajax.php which triggers "Authentication Required".
RewriteCond %{REQUEST_URI} (admin-ajax.php) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} action=wordfence_logHuman&hid=(.*) [NC]
RewriteRule ^(.*)$ - [F,L]
AITpro Admin
Keymaster
Are you saying that you have already tried to use the BPS admin-ajax.php skip/bypass rule in the wp-admin .htaccess file? Nothing changed regarding BPS and admin-ajax.php in a long while and many BPS versions, so if it was working before then it should still be working now without having to create this skip/bypass rule, unless of course if Wordfence is now doing something differently than before. Have you checked the BPS Security Log file for an error related to Wordfence or admin-ajax.php?
# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]
AITpro Admin
Keymaster
Oh, too funny: Wordfence is forbidding access to the admin-ajax.php file, so forget that route. If Wordfence is forbidding this file then Wordfence obviously does not need to use it for anything. This Wordfence rule below says Forbid access to the admin-ajax.php file. 😉
# Wordfence has a script on the home page that calls wp-admin/admin-ajax.php which triggers “Authentication Required”.
RewriteCond %{REQUEST_URI} (admin-ajax.php) [NC]
RewriteRule ^(.*)$ - [F,L]
To check if BPS is causing an issue/problem use these troubleshooting steps: http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting
AITpro Admin
Keymaster
Actually I did some more checking and Wordfence definitely needs to be able to call admin-ajax.php.
1. Add the admin-ajax.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
2. Click the Save wp-admin Custom Code button.
3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.
Note: The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1]. If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #. Example: If you already have skip #’s 2 and 3 then this rule would be skip rule #4.
# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]
No Signal
Member
Hi. Thanks for the tips. I tried adding:
# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]
to wp-admin/.htaccess using the exact technique you outlined above, including activating, etc. I confirmed that it was in the actual .htaccess file – it was. However, when I turned on “Enable Live Traffic View” in WF, I get “Authentication Required” again. When I comment out the new lines, it makes no difference. I even tried manually changing “AuthName Restricted” to “AuthName Restricted2” – this change was shown in the “Authentication Required” window, so I know it is using the updated .htaccess file.
Thanks for the tips – now I know how to do it via the BPS control panel, and my own attempt was missing a \ before the . but unfortunately your solution made no change either. It seems sensible, so I am mystified.
For completeness, this is what is in my CUSTOM CODE WPADMIN TOP:
# Make any web access to this folder require another password.
AuthUserFile /deliberately obscured/blog/wp-admin/.htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
No Signal
Member
Oh, and in order to view the blog as an end user, I need to use Chrome incognito mode, otherwise Chrome remembers my auth password.
AITpro Admin
Keymaster
Hmm, maybe this is actually a different issue or multiple issues since you have Basic Authentication on your wp-admin .htaccess file.
Try doing this and let me know what happens. Look for this htaccess code in your Root .htaccess file…
ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
ErrorDocument 404 /404.php
…and add ErrorDocument 401 default as shown below and let me know what happens…
ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
ErrorDocument 401 default
ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
ErrorDocument 404 /404.php
No Signal
Member
Hi. I tried the “ErrorDocument 401 default” and unfortunately it had no effect on the original problem listed above. In the last week, I also upgraded to Wordfence Security Version 3.6.1 – it made no difference. To be clear, I tried “ErrorDocument 401 default” by itself – without any of the other suggestions above.
Many thanks for your help.
AITpro Admin
Keymaster
OK, well, I really do not know how Wordfence works and have not looked at the code in that plugin for several versions (6 months or so), so you should ask the author of the plugin about his plugin/the issue/problem in relation to using Basic Authentication .htaccess code and the Wordfence authentication error. I have taken some logical guesses, but like I said I have no idea what that plugin does or does not do. 😉
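
Added example, not part of the thread and not BPS or Wordfence code: the [S=2] rule only skips later mod_rewrite rules, while the "Authentication Required" prompt comes from the Basic Authentication block in CUSTOM CODE WPADMIN TOP, which is enforced separately from mod_rewrite. A common way to keep the password on wp-admin while letting front-end scripts reach admin-ajax.php is a `<Files>` exemption; the sketch assumes the Apache 2.2-style access directives used in the posted block, and the .htpasswd path is a placeholder.

```apache
# wp-admin/.htaccess

# Block as posted in the thread: "Deny from all" fails the host check for
# every client, so "Satisfy any" can only be met by a valid login.
AuthUserFile /path/to/blog/wp-admin/.htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any

# Added exemption: for this one file the host check passes for everyone,
# so "Satisfy any" is met without a login and no 401 prompt is sent.
# Everything else in wp-admin still requires the password.
<Files "admin-ajax.php">
    Order Allow,Deny
    Allow from all
    Satisfy any
</Files>
```

With the exemption in place, an unauthenticated request to wp-admin/admin-ajax.php should no longer return 401, while wp-admin/index.php still should.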