/wp-json/ Blocked by .htaccess


Viewing 4 posts - 16 through 19 (of 19 total)
  • #36787
    AITpro Admin
    Keymaster

    Uh yeah and LOL.  I definitely do not have a Network subdomain test site with anywhere near that setup.  😉  Our test servers are in-house and there are some limitations with Network/Multisite subdomain site types.  We used to have a Live Hosted Network site, but that was nuked a year or two ago.  Hate to say it, but I don’t think MMode is going to work with the POST Attack Protection Bonus Custom Code on that particular site setup.  You could try another WordPress Maintenance Mode plugin or maybe just not use the POST Attack Protection Bonus Custom Code on that particular site.  Or just turn off MMode when updating Posts or Pages.

    #36799
    Living Miracles
    Participant

    Thank you! Since the issue is only on the subsite that has Maintenance Mode enabled, perhaps we’ll just remove the POST Attack Protection code once that site is developed (it’s currently dormant).

    Thanks for looking into this!

    #38813
    Andres
    Participant

    Hi Edward!

    Hope all is well with you in the midst of this craziness…

    This one has me stumped on a new client’s website (running regular BPS, and Yoast Pro – WP and all plugins up to date). Posting it here since it’s related to wp-json.

    [403 GET Request: March 27, 2020 - 9:39 pm]
    BPS: 3.9
    WP: 5.3.2
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: XXXXXXX
    Host Name: XXXXXXXX.hsd1.fl.comcast.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: XXXXXXXX
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: XXXXX/wp-admin/post.php?post=5901&action=edit
    REQUEST_URI: /wp-json/yoast/v1/prominent_words?word=governor%27s+executive+order
    QUERY_STRING: word=governor%27s+executive+order
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:74.0) Gecko/20100101 Firefox/74.0

    It happens every time I update a specific post. The post saves fine (not even with a delay), but it generates a similar entry in the security log with every post update.

    I tried adding this whitelist rule to the wp-admin htaccess file but to no avail:

    # Whitelist Yoast JSON Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/yoast/(.*) [NC]
    RewriteRule . - [S=3]

    Any ideas?

    Thanks in advance and stay safe!!

    Andres

    #38819
    AITpro Admin
    Keymaster

    Hey Andres – I’m assuming that you typed in that Query String somewhere?  It’s kind of risky in itself to use that Query String. I can provide a solution to this problem, but honestly you really don’t want to use %27 + exec + order together in a Query String. What I recommend that you do is to literally change the words in that Query String, i.e. word=governor-governors-words (no apostrophe).
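For triaging entries like the one posted in this thread, the following is an added example (not code from BPS or from either poster) that parses a security log entry into fields and reports which of the substrings named in the reply above occur in the query string. The token list is an assumption taken from that reply, not BPS's actual .htaccess rules; the sample entry is constructed from the one in the thread.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the entry from this thread, shortened.
SAMPLE_ENTRY = """\
[403 GET Request: March 27, 2020 - 9:39 pm]
BPS: 3.9
WP: 5.3.2
Event Code: WPADMIN-SBR
REMOTE_ADDR: XXXXXXX
HTTP_CLIENT_IP:
REQUEST_METHOD: GET
REQUEST_URI: /wp-json/yoast/v1/prominent_words?word=governor%27s+executive+order
QUERY_STRING: word=governor%27s+executive+order
"""

# Assumption: substrings named in the reply above, NOT BPS's real rule set.
SUSPECT_TOKENS = ("%27", "exec", "order")

HEADER_RE = re.compile(r"^\[(\d{3}) (\w+) Request: (.+)\]$")

def parse_entry(text):
    """Parse one security log entry into a dict of field -> value."""
    fields = {}
    for line in text.strip().splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            fields["status"], fields["method"], fields["logged_at"] = m.groups()
            continue
        # Split on the first colon only: values (URLs, dates) contain colons.
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def tokens_in_query(fields):
    """Return the suspect tokens present in the raw QUERY_STRING."""
    raw = fields.get("QUERY_STRING", "").lower()
    return [t for t in SUSPECT_TOKENS if t in raw]

if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    print(entry["Event Code"], entry["REQUEST_URI"])
    print("tokens present:", tokens_in_query(entry))
    print("decoded value:", unquote_plus(entry["QUERY_STRING"]))
```

Note that "exec" matches only as a substring of "executive", which is how an ordinary phrase typed into a post can look like an injection attempt to a substring-based filter.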
