/wp-json/ Blocked by .htaccess
Living Miracles (Participant)
Hello,
Since updating to WordPress 5.0.x, I’ve encountered issues with not being able to update pages and posts. I’m getting the following errors in the Chrome Inspector Console:
POST https://website.com/wp-json/wp/v2/pages/xxx?_locale=user 403
I’ve done some troubleshooting and it seems that this block of code in the .htaccess file is somehow causing the issues:
    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist ManageWP/Orion IP Addresses
    RewriteCond %{REMOTE_ADDR} !^(192\.155\.230\.147|174\.37\.199\.34|89\.216\.23\.220|77\.105\.2\.4[234567]|52\.24\.62\.11|52\.24\.187\.29|52\.25\.116\.116|52\.26\.122\.21|52\.27\.171\.126|52\.27\.181\.126|52\.88\.96\.110|52\.88\.119\.122|52\.88\.197\.180|52\.88\.215\.225|52\.89\.85\.107|52\.89\.94\.121|52\.89\.155\.51|54\.148\.73\.118|54\.186\.37\.105|54\.186\.128\.167|54\.186\.143\.184|54\.187\.92\.57|54\.191\.32\.65|54\.191\.40\.136|54\.191\.67\.23|54\.191\.80\.119|54\.191\.135\.209|54\.191\.136\.176|54\.191\.137\.17|54\.191\.148\.85|54\.191\.148\.225|54\.191\.149\.8|54\.191\.151\.18)$
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    RewriteRule ^(.*)$ - [F]
I can’t figure out exactly how it’s causing the issue. Any idea?
Thank you so much!
AITpro Admin (Keymaster)
Try adding this additional whitelist rule below and let me know if it works or not.
    # Whitelist JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
Living Miracles (Participant)
Thanks! My code looks like this now, but it doesn’t seem to make a difference. Still have issues updating; same error as before.
    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist ManageWP/Orion IP Addresses
    RewriteCond %{REMOTE_ADDR} !^(192\.155\.230\.147|174\.37\.199\.34|89\.216\.23\.220|77\.105\.2\.4[234567]|52\.24\.62\.11|52\.24\.187\.29|52\.25\.116\.116|52\.26\.122\.21|52\.27\.171\.126|52\.27\.181\.126|52\.88\.96\.110|52\.88\.119\.122|52\.88\.197\.180|52\.88\.215\.225|52\.89\.85\.107|52\.89\.94\.121|52\.89\.155\.51|54\.148\.73\.118|54\.186\.37\.105|54\.186\.128\.167|54\.186\.143\.184|54\.187\.92\.57|54\.191\.32\.65|54\.191\.40\.136|54\.191\.67\.23|54\.191\.80\.119|54\.191\.135\.209|54\.191\.136\.176|54\.191\.137\.17|54\.191\.148\.85|54\.191\.148\.225|54\.191\.149\.8|54\.191\.151\.18)$
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    # RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Whitelist JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
    RewriteRule ^(.*)$ - [F]
Did I add your code correctly (towards the bottom)?
AITpro Admin (Keymaster)
Yep, the spot where you added the whitelist rule is fine. Did you do all of the Custom Code steps? I.e., after adding the new whitelist rule in Custom Code, did you click the Save Root Custom Code button and Activate Root folder BulletProof Mode again? Also, how are you using WP JSON? WP JSON is not included in the standard method of updating Pages and Posts.
AITpro Admin (Keymaster)
Disregard my last response about WP JSON. Rats, we thought we had tested everything with WP 5.0, but obviously missed the POST Attack Protection Bonus Custom Code. I just tested posting with Gutenberg and see the error. I’m going to have to look at this in more depth on our testing server tomorrow. For now you will need to remove/delete the POST Protection code.
AITpro Admin (Keymaster)
Ok got it figured out. It is a very simple solution, but was still in Holiday Mode yesterday. 🙂
    # Whitelist WP JSON POST Requests by Query String
    RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
Note: The POST Attack Protection Bonus Custom Code forum topic now has this new default/standard whitelist rule added: https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/
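An added example, not part of the original posts and not BPS code: a Python model of the POST-blocking condition chain quoted in this thread, run against constructed requests shaped like the console errors above. It is a single-pass simplification that leaves out the REMOTE_ADDR whitelist; the function and variable names are hypothetical.

```python
import re

# Negated RewriteCond patterns copied from the thread. Every condition is
# "!pattern" and they are ANDed, so matching any one exempts the request.
URI_WHITELIST = [
    r"^.*/wp-admin/", r"^.*/wp-cron.php", r"^.*/wp-login.php",
    r"^.*/wp-signup.php", r"^.*/wp-activate.php", r"^.*/wp-comments-post.php",
]
REFERER_WHITELIST = r"^.*/wp-admin/customize.php"  # this line has no [NC]
QUERY_WHITELIST = r"^_locale=(.*)"                 # rule added by the fix


def post_rule_verdict(method, uri, query="", referer="", with_fix=False):
    """One pass over the condition chain: returns (verdict, reason).

    Simplified model (assumption): the REMOTE_ADDR whitelist is left out and
    mod_rewrite's per-directory re-processing is not simulated.
    """
    if not re.search(r"POST", method, re.I):
        return "pass", "REQUEST_METHOD is not POST"
    for pattern in URI_WHITELIST:
        if re.search(pattern, uri, re.I):
            return "pass", "REQUEST_URI matches " + pattern
    if re.search(REFERER_WHITELIST, referer):
        return "pass", "HTTP_REFERER matches " + REFERER_WHITELIST
    if with_fix and re.search(QUERY_WHITELIST, query, re.I):
        return "pass", "QUERY_STRING matches " + QUERY_WHITELIST
    return "forbidden", "RewriteRule ^(.*)$ - [F]"


# Constructed sample requests, modelled on the console errors in the thread.
EDITOR = "https://website.com/wp-admin/post.php?post=64&action=edit"
SAMPLES = [
    ("POST", "/wp-json/wp/v2/pages/64", "_locale=user", EDITOR),
    ("POST", "/wp-json/wp/v2/pages/64", "context=edit&_locale=user", EDITOR),
    ("POST", "/wp-comments-post.php", "", ""),
    ("GET", "/wp-json/wp/v2/taxonomies", "context=edit&_locale=user", EDITOR),
]

if __name__ == "__main__":
    for method, uri, query, referer in SAMPLES:
        before = post_rule_verdict(method, uri, query, referer)[0]
        after = post_rule_verdict(method, uri, query, referer, with_fix=True)[0]
        print(f"{method:4} {uri}?{query}: {before} -> {after}")
```

Because the new pattern is anchored with `^`, a POST is exempted only when `_locale` is the first query parameter. GET requests are never matched by this block, since its first condition requires the POST method.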
Living Miracles (Participant)
Thank you so much!!! That works perfectly 🙂 Appreciate the super fast help!
AITpro Admin (Keymaster)
Great! Thanks for confirming that works.
Living Miracles (Participant)
One more thing I noticed is that page updating still does not work for one of my sites which has the BPS Pro Maintenance Mode enabled. I see the following Console error for that one:
GET https://lisa.i-am-one.net/wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user 500
GET https://lisa.i-am-one.net/wp-json/wp/v2/taxonomies?context=edit&_locale=user 500
Page updating on this site works, if I take it out of Maintenance Mode, so it seems to be related to that for some reason. Any idea how to fix that issue?
Thank you so much!
AITpro Admin (Keymaster)
Try this code below instead and let me know if it works or not.
[testing code deleted since it did not work – the problem has to do with the particular site setup]
Living Miracles (Participant)
Thank you! Just tried it; same errors. I get those errors on initial page load (backend for editing). Then upon pressing the “Update” button, I get these errors:
POST https://lisa.i-am-one.net/wp-json/wp/v2/pages/64?_locale=user 500
POST https://lisa.i-am-one.net/wp-json/wp/v2/pages/64/autosaves?_locale=user 500
AITpro Admin (Keymaster)
Oops, just noticed they are 500 errors and not 403 errors. What type of WordPress site is this? Standard/Single site or Network/Multisite? I’ll do some testing on one of our test servers with a Standard/Single site to check this.
Living Miracles (Participant)
Thanks! It’s a network/multisite… 🙃
AITpro Admin (Keymaster)
Everything worked fine on a Single/Standard testing site. I seem to remember you have a very complex Network site setup. So I don’t think we have a similar testing site to check with. Is it a subdomain or subdirectory site and did you do some sort of additional DNS stuff? I may have you confused with someone else, but I seem to remember that your Network setup was pretty complex.
Living Miracles (Participant)
LOL, you’re probably right that our setup is pretty complex. Let’s see:
This multisite (https://i-am-one.net) installation is configured to use subdomains, but there are corresponding subdirectories/subfolders with their own URLs (which just redirect to the subdomains). For example, i-am-one.net/lisa redirects to lisa.i-am-one.net.
Is that enough information?