WordPress Logout – 403 error

  • #35688
    Paul Mersel
    Participant

    Hi,

    Activating the RBM security causes users to be unable to logout. They will get a 403 error page.
    When I deactivate RBM all is well.
    What can I do to fix this? I have not been able to find a whitelist rule myself.

    Regards,

    Paul Mersel

    Log:

    [403 GET Request: 25/04/2018 - 12:42 PM]
    BPS: 2.9
    WP: 4.9.5
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 83.86.xxx.xxx
    Host Name: 5356EEBE.cm-6-7d.dynamic.ziggo.nl
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 83.86.xxx.xxx
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.xxxxxx.nl/my-account/
    REQUEST_URI: /wp-login.php?action=logout&redirect_to=https%3A%2F%2Fwww.xxxxxx.nl%2Fmy-account%2F&_wpnonce=60876719b7
    QUERY_STRING: action=logout&redirect_to=https%3A%2F%2Fwww.xxxxxx.nl%2Fmy-account%2F&_wpnonce=60876719b7
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36
    #35693
    AITpro Admin
    Keymaster

    Go to the BPS htaccess File Editor tab page > Your Current Root htaccess File tab > copy your entire Root htaccess file contents and paste it in your forum reply. Or if you currently have RBM deactivated then click the secure.htaccess tab and copy your entire secure.htaccess file contents and paste it in your forum reply.

    #35700
    Paul Mersel
    Participant

    htaccess file:
    [Edited by AITpro Admin – additional non-relevant htaccess code removed]

    # BULLETPROOF 2.9 SECURE .HTACCESS
    
    # CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION
    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots, HackerBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]
    #35701
    AITpro Admin
    Keymaster

    The problem is being caused by this Server Protocol HTTP/1.0 Custom Code below. If you look at the Security Log entry you will see that your Proxy server is using an outdated Server Protocol > HTTP/1.0. The newer Server Protocols are: HTTP/1.1 and now HTTP/2. You cannot use the Server Protocol HTTP/1.0 Brute Force Login Protection on your server/website. You will need to delete this custom code from this BPS Root Custom Code text box: 4. CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION, click the Save Root Custom Code button and then click the Root Folder BulletProof Mode Activate button on the Security Modes tab page.

    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots, HackerBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]
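To see why the proxy's HTTP/1.0 request tripped this rule while the same logout over HTTP/2 would pass, here is an added Python simulation of how mod_rewrite evaluates these four RewriteCond lines (example code written for this thread, not part of BPS or the original posts; the request dictionaries are constructed from the log entry above, and the function names are my own).

```python
import re

# The RewriteCond lines from the custom code, in order, with their [OR] flags.
# Apache evaluates them in sequence: [OR] joins a condition with the next one,
# and a condition without [OR] closes the group and ANDs it with what follows.
LOGIN_PAGE_CONDS = [
    ("REQUEST_URI", r"^(/wp-login\.php|.*wp-login\.php.*)$", False),
    ("HTTP_USER_AGENT", r"^$", True),
    ("THE_REQUEST", r"HTTP/1\.0$", True),
    ("SERVER_PROTOCOL", r"HTTP/1\.0$", False),
]

def matching_conditions(conds, env):
    """Return the variables whose RewriteCond pattern matches this request.
    mod_rewrite patterns are PCRE and unanchored, so re.search is the analogue;
    an unset variable behaves like the empty string."""
    return [var for var, pattern, _ in conds if re.search(pattern, env.get(var, ""))]

def rule_fires(conds, env):
    """True when the RewriteRule applies: every AND group has a matching condition."""
    groups, current = [], []
    for var, pattern, is_or in conds:
        current.append(re.search(pattern, env.get(var, "")) is not None)
        if not is_or:            # a condition without [OR] ends the current OR group
            groups.append(any(current))
            current = []
    if current:                  # a trailing [OR] with nothing after it still forms a group
        groups.append(any(current))
    return all(groups)

def is_blocked(env):
    return rule_fires(LOGIN_PAGE_CONDS, env)

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/66.0"

# Constructed from the thread's log entry: a logged-in user's logout that reached Apache
# through a proxy speaking HTTP/1.0. (mod_rewrite's REQUEST_URI carries no query string,
# unlike the PHP value BPS writes to its log.)
PROXIED_LOGOUT = {"REQUEST_URI": "/wp-login.php", "SERVER_PROTOCOL": "HTTP/1.0",
                  "THE_REQUEST": "GET /wp-login.php?action=logout&_wpnonce=60876719b7 HTTP/1.0",
                  "HTTP_USER_AGENT": BROWSER_UA}
# The same logout after the move to a server that talks HTTP/2 (post #35727).
DIRECT_LOGOUT = dict(PROXIED_LOGOUT, SERVER_PROTOCOL="HTTP/2.0",
                     THE_REQUEST="GET /wp-login.php?action=logout HTTP/2.0")
# The case the rule is written for: a login attempt with a blank User-Agent.
BLANK_UA_LOGIN = {"REQUEST_URI": "/wp-login.php", "SERVER_PROTOCOL": "HTTP/1.1",
                  "THE_REQUEST": "POST /wp-login.php HTTP/1.1", "HTTP_USER_AGENT": ""}
# HTTP/1.0 against a non-login page is untouched: the first condition fails.
OLD_CLIENT_HOME = {"REQUEST_URI": "/", "SERVER_PROTOCOL": "HTTP/1.0",
                   "THE_REQUEST": "GET / HTTP/1.0", "HTTP_USER_AGENT": BROWSER_UA}

if __name__ == "__main__":
    for name, env in [("proxied logout", PROXIED_LOGOUT), ("HTTP/2 logout", DIRECT_LOGOUT),
                      ("blank-UA login", BLANK_UA_LOGIN), ("HTTP/1.0 home", OLD_CLIENT_HOME)]:
        print(f"{name}: blocked={is_blocked(env)} matched={matching_conditions(LOGIN_PAGE_CONDS, env)}")
```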
    #35727
    Paul Mersel
    Participant

    Hi,

    Thank you for your quick reply. I had my website moved to a newer (Server Protocol HTTP/2.0) server. Should I still remove the above mentioned custom code?

    Thanks for your help.

    Kind regards,

    Paul Mersel

    #35728
    AITpro Admin
    Keymaster

    You can keep/use the code now since your Server Protocol is HTTP/2. This code will only block Server Protocol HTTP/1.0: RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$, which is commonly used by spammers and hackers.
