WordPress Logout – 403 error
- This topic has 5 replies, 2 voices, and was last updated 5 years, 1 month ago by
AITpro Admin.
Paul Mersel
Participant
Hi,
Activating the RBM security causes users to be unable to log out. They will get a 403 error page.
When I deactivate RBM all is well.
What can I do to fix this? I have not been able to find a whitelist rule myself.
Regards,
Paul Mersel
Log:
[403 GET Request: 25/04/2018 - 12:42 PM]
BPS: 2.9
WP: 4.9.5
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 83.86.xxx.xxx
Host Name: 5356EEBE.cm-6-7d.dynamic.ziggo.nl
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 83.86.xxx.xxx
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.xxxxxx.nl/my-account/
REQUEST_URI: /wp-login.php?action=logout&redirect_to=https%3A%2F%2Fwww.xxxxxx.nl%2Fmy-account%2F&_wpnonce=60876719b7
QUERY_STRING: action=logout&redirect_to=https%3A%2F%2Fwww.xxxxxx.nl%2Fmy-account%2F&_wpnonce=60876719b7
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36
AITpro Admin
Keymaster
Go to the BPS htaccess File Editor tab page > Your Current Root htaccess File tab > copy your entire Root htaccess file contents and paste it in your forum reply. Or if you currently have RBM deactivated then click the secure.htaccess tab and copy your entire secure.htaccess file contents and paste it in your forum reply.
Paul Mersel
Participant
htaccess file:
[Edited by AITpro Admin – additional non-relevant htaccess code removed]
# BULLETPROOF 2.9 SECURE .HTACCESS
# CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION
# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots, HackerBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
AITpro Admin
Keymaster
The problem is being caused by this Server Protocol HTTP/1.0 Custom Code below. If you look at the Security Log entry you will see that your Proxy server is using an outdated Server Protocol > HTTP/1.0. The newer Server Protocols are: HTTP/1.1 and now HTTP/2. You cannot use the Server Protocol HTTP/1.0 Brute Force Login Protection on your server/website. You will need to delete this custom code from this BPS Root Custom Code text box: 4. CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION, click the Save Root Custom Code button and then click the Root Folder BulletProof Mode Activate button on the Security Modes tab page.
# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots, HackerBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
Paul Mersel
Participant
Hi,
Thank you for your quick reply. I had my website moved to a newer (Server Protocol HTTP/2.0) server. Should I still remove the above mentioned custom code?
Thanks for your help.
Kind regards,
Paul Mersel
AITpro Admin
Keymaster
You can keep/use the code now since your Server Protocol is HTTP/2. This code will only block Server Protocol HTTP/1.0:
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
, which is commonly used by spammers and hackers.
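Added example, not part of the original posts and not BPS code: a Python emulation of the Custom Code rule's RewriteCond chain, run over fields taken from the Security Log entry in the first post, to show which conditions match the logged HTTP/1.0 logout request and that the same request over HTTP/2.0 passes. Assumptions: the `LOGGED` dictionary is constructed from that log entry, THE_REQUEST is rebuilt because the log does not record it, and `apache_vars` and `evaluate` are hypothetical helper names.

```python
import re

# Constructed from the Security Log entry in the first post, reduced to the
# fields the rule reads. The User-Agent is shortened.
LOGGED = {
    "REQUEST_METHOD": "GET",
    "REQUEST_URI": "/wp-login.php?action=logout&redirect_to=https%3A%2F%2Fwww.xxxxxx.nl%2Fmy-account%2F&_wpnonce=60876719b7",
    "SERVER_PROTOCOL": "HTTP/1.0",
    "HTTP_USER_AGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
}

# The four RewriteCond lines from the thread: (variable, pattern, has [OR] flag)
CONDS = [
    ("REQUEST_URI", r"^(/wp-login\.php|.*wp-login\.php.*)$", False),
    ("HTTP_USER_AGENT", r"^$", True),
    ("THE_REQUEST", r"HTTP/1\.0$", True),
    ("SERVER_PROTOCOL", r"HTTP/1\.0$", False),
]


def apache_vars(entry):
    """Map the logged (PHP-side) fields to the values mod_rewrite tests."""
    v = dict(entry)
    # Assumption: request line rebuilt as "METHOD URI PROTOCOL".
    v["THE_REQUEST"] = f'{entry["REQUEST_METHOD"]} {entry["REQUEST_URI"]} {entry["SERVER_PROTOCOL"]}'
    # mod_rewrite's REQUEST_URI is the path only; the log's includes the query.
    v["REQUEST_URI"] = entry["REQUEST_URI"].split("?", 1)[0]
    return v


def evaluate(entry):
    """Return (blocked, matching variables). [OR] groups are ANDed together."""
    v = apache_vars(entry)
    matched, group_ok = [], False
    for var, pattern, or_next in CONDS:
        hit = re.search(pattern, v.get(var, "")) is not None
        if hit:
            matched.append(var)
        group_ok = group_ok or hit
        if not or_next:              # last condition of the current OR-group
            if not group_ok:
                return False, matched
            group_ok = False
    return True, matched


if __name__ == "__main__":
    for proto in ("HTTP/1.0", "HTTP/1.1", "HTTP/2.0"):
        print(proto, evaluate(dict(LOGGED, SERVER_PROTOCOL=proto)))
```

Unlike Apache, which stops testing an [OR] group at its first match, this reports every matching condition so the cause of a 403 is visible at a glance.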