/wp-json/ Blocked by .htaccess


  • #36770
    Living Miracles
    Participant

    Hello,

    Since updating to WordPress 5.0.x, I’ve encountered issues with not being able to update pages and posts. I’m getting the following errors in the Chrome Inspector Console:

    POST https://website.com/wp-json/wp/v2/pages/xxx?_locale=user 403

    I’ve done some troubleshooting and it seems that this block of code in the .htaccess file is somehow causing the issues:

    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist ManageWP/Orion IP Addresses
    RewriteCond %{REMOTE_ADDR} !^(192\.155\.230\.147|174\.37\.199\.34|89\.216\.23\.220|77\.105\.2\.4[234567]|52\.24\.62\.11|52\.24\.187\.29|52\.25\.116\.116|52\.26\.122\.21|52\.27\.171\.126|52\.27\.181\.126|52\.88\.96\.110|52\.88\.119\.122|52\.88\.197\.180|52\.88\.215\.225|52\.89\.85\.107|52\.89\.94\.121|52\.89\.155\.51|54\.148\.73\.118|54\.186\.37\.105|54\.186\.128\.167|54\.186\.143\.184|54\.187\.92\.57|54\.191\.32\.65|54\.191\.40\.136|54\.191\.67\.23|54\.191\.80\.119|54\.191\.135\.209|54\.191\.136\.176|54\.191\.137\.17|54\.191\.148\.85|54\.191\.148\.225|54\.191\.149\.8|54\.191\.151\.18)$
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    RewriteRule ^(.*)$ - [F]

    I can’t figure out exactly how it’s causing the issue. Any idea?

    Thank you so much!

    #36771
    AITpro Admin
    Keymaster

    Try adding this additional whitelist rule below and let me know if it works or not.

    # Whitelist JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]

    #36772
    Living Miracles
    Participant

    Thanks! My code looks like this now, but it doesn’t seem to make a difference. Still have issues updating; same error as before.

    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist ManageWP/Orion IP Addresses
    RewriteCond %{REMOTE_ADDR} !^(192\.155\.230\.147|174\.37\.199\.34|89\.216\.23\.220|77\.105\.2\.4[234567]|52\.24\.62\.11|52\.24\.187\.29|52\.25\.116\.116|52\.26\.122\.21|52\.27\.171\.126|52\.27\.181\.126|52\.88\.96\.110|52\.88\.119\.122|52\.88\.197\.180|52\.88\.215\.225|52\.89\.85\.107|52\.89\.94\.121|52\.89\.155\.51|54\.148\.73\.118|54\.186\.37\.105|54\.186\.128\.167|54\.186\.143\.184|54\.187\.92\.57|54\.191\.32\.65|54\.191\.40\.136|54\.191\.67\.23|54\.191\.80\.119|54\.191\.135\.209|54\.191\.136\.176|54\.191\.137\.17|54\.191\.148\.85|54\.191\.148\.225|54\.191\.149\.8|54\.191\.151\.18)$
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Whitelist JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
    RewriteRule ^(.*)$ - [F]

    Did I add your code correctly (towards the bottom)?

    #36773
    AITpro Admin
    Keymaster

    Yep, the spot where you added the whitelist rule is fine.  Did you do all of the Custom Code steps? i.e. after adding the new whitelist rule in Custom Code, did you click the Save Root Custom Code button and Activate Root folder BulletProof Mode again?  Also, how are you using WP JSON?  WP JSON is not included in the standard method of updating Pages and Posts.

    #36776
    AITpro Admin
    Keymaster

    Disregard my last response about WP JSON.  Rats, we thought we had tested everything with WP 5.0, but obviously missed the POST Attack Protection Bonus Custom Code.  I just tested posting with Gutenberg and see the error.  I’m going to have to look at this in more depth on our testing server tomorrow.  For now you will need to remove/delete the POST Protection code.

    #36777
    AITpro Admin
    Keymaster

    Ok, got it figured out.  It is a very simple solution, but I was still in Holiday Mode yesterday.  🙂

    # Whitelist WP JSON POST Requests by Query String
    RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]

    Note: The POST Attack Protection Bonus Custom Code forum topic now has this new default/standard whitelist rule added: https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/
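    As an added illustration (not code from this thread or from BPS), the following Python model evaluates the quoted POST Attack Protection chain against sample requests: each RewriteCond is a negated regex that Apache ANDs together, so the [F] rule fires only when no whitelist condition matches. It models the REQUEST_URI, QUERY_STRING and HTTP_REFERER conditions and omits the REMOTE_ADDR (ManageWP) whitelist; the URLs are constructed from the ones posted above.

```python
import re
from urllib.parse import urlsplit

# Negated REQUEST_URI conditions from the block quoted in this thread.
# In Apache these carry [NC], i.e. case-insensitive matching.
URI_WHITELIST = [
    r"^.*/wp-admin/",
    r"^.*/wp-cron.php",
    r"^.*/wp-login.php",
    r"^.*/wp-signup.php",
    r"^.*/wp-activate.php",
    r"^.*/wp-comments-post.php",
]
# The rule AITpro Admin added for Gutenberg's REST calls in WP 5.0.
# Note the anchor: _locale must be the FIRST query parameter to match.
QUERY_WHITELIST = [r"^_locale=(.*)"]
# The Customizer referer condition has no [NC] in the original block.
REFERER_WHITELIST = [r"^.*/wp-admin/customize.php"]


def post_blocked(method, url, referer="", query_whitelist=QUERY_WHITELIST):
    """Return True if the modelled rule chain would answer 403 Forbidden.

    query_whitelist lets a caller reproduce the thread's 'before' state
    (no _locale rule) by passing an empty list.
    """
    if method.upper() != "POST":
        return False                      # first RewriteCond: POST only
    parts = urlsplit(url)
    for pat in URI_WHITELIST:
        if re.search(pat, parts.path, re.IGNORECASE):
            return False                  # a whitelist condition matched
    for pat in query_whitelist:
        if re.search(pat, parts.query, re.IGNORECASE):
            return False
    for pat in REFERER_WHITELIST:
        if re.search(pat, referer):
            return False
    return True                           # every negated condition held -> [F]


if __name__ == "__main__":
    # Constructed sample: the Gutenberg save request from the first post.
    gutenberg = "https://website.com/wp-json/wp/v2/pages/123?_locale=user"
    print("without _locale rule:", post_blocked("POST", gutenberg, query_whitelist=[]))
    print("with _locale rule:   ", post_blocked("POST", gutenberg))
```

    The model also shows that a GET to /wp-json/ is never touched by this chain, so the 500 errors reported later in the thread cannot come from this block.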

    #36778
    Living Miracles
    Participant

    Thank you so much!!! That works perfectly 🙂 Appreciate the super fast help!

    #36779
    AITpro Admin
    Keymaster

    Great!  Thanks for confirming that works.

    #36780
    Living Miracles
    Participant

    One more thing I noticed is that page updating still does not work for one of my sites, which has the BPS Pro Maintenance Mode enabled. I see the following Console errors for that one:

    GET https://lisa.i-am-one.net/wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user 500
    GET https://lisa.i-am-one.net/wp-json/wp/v2/taxonomies?context=edit&_locale=user 500

    Page updating on this site works if I take it out of Maintenance Mode, so it seems to be related to that for some reason. Any idea how to fix that issue?

    Thank you so much!

    #36781
    AITpro Admin
    Keymaster

    Try this code below instead and let me know if it works or not.
    [testing code deleted since it did not work – the problem has to do with the particular site setup]

    #36782
    Living Miracles
    Participant

    Thank you! Just tried it; same errors. I get those errors on initial page load (backend for editing). Then upon pressing the “Update” button, I get these errors:

    POST https://lisa.i-am-one.net/wp-json/wp/v2/pages/64?_locale=user 500
    POST https://lisa.i-am-one.net/wp-json/wp/v2/pages/64/autosaves?_locale=user 500

    #36783
    AITpro Admin
    Keymaster

    Oops, just noticed they are 500 errors and not 403 errors.  What type of WordPress site is this?  Standard/Single site or Network/Multisite?  I’ll do some testing on one of our test servers with a Standard/Single site to check this.

    #36784
    Living Miracles
    Participant

    Thanks! It’s a network/multisite… 🙃


    #36785
    AITpro Admin
    Keymaster

    Everything worked fine on a Single/Standard testing site.  I seem to remember you have a very complex Network site setup.  So I don’t think we have a similar testing site to check with.  Is it a subdomain or subdirectory site, and did you do some sort of additional DNS stuff?  I may have you confused with someone else, but I seem to remember that your Network setup was pretty complex.

    #36786
    Living Miracles
    Participant

    LOL, you’re probably right that our setup is pretty complex. Let’s see:

    This multisite (https://i-am-one.net) installation is configured to use subdomains, but there are corresponding subdirectories/subfolders with their own URLs (which just redirect to the subdomains). For example, i-am-one.net/lisa redirects to lisa.i-am-one.net.

    Is that enough information?
