• Resolved Jason

    (@epicfail5000)


    Hi,

    When I make changes to the WordPress theme or adjustments in other plugins sometimes I am locked out of my site. I am given the “403 Forbidden openresty” error page. It takes a few minutes to allow me back into the site.

    The latest error occurred when I changed text and links in the footer of the WordPress theme. I clicked Publish to the changes. Then I clicked the button inside the WordPress admin to go back to the main page to work on other tasks. Then the error occurred and locked me out of the site.

    I think I need to turn off some AIOS plugin settings to make adjustments to my site.

    What settings in AIOS would prevent admins from making basic changes to the site?

    Thanks. Jason

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @epicfail5000

    It is strange that you are getting a 403 error while making changes in the admin section when you are already logged in.

    Please add the below constant in wp-config.php to cross-check if it is due to the firewall.

    If it is the firewall, please try disabling the firewall rules: WP REST API, 5G, 6G rules, and cross-check which firewall option is causing the issue.

    define( 'AIOS_NO_FIREWALL', true );

    And if it is still an issue, please try the below also.

    define( 'AIOS_DISABLE_LOGIN_WHITELIST', true );

    Thread Starter Jason

    (@epicfail5000)

    Hi,

    Thank you for the prompt and specific details. I will save the notes in my error spreadsheet.

    I decided to do a one click deactivate of all my plugins. Then I reactivated them with one click. Strangely, that seems to have resolved the problem. (knock on wood)

    Side question: When I clicked the Enable debug button I was expecting that to turn off the firewall temporarily. I did not notice any difference. What is the purpose of that debug feature?

    Thanks. Jason

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @epicfail5000,

    Glad to know the issue is resolved.

    WP Security > Settings > General settings has Enable debug: it will enable debug mode and will save debug logs of the AIOS plugin to check further.

    https://snipboard.io/lcYeOJ.jpg

    WP Security > Dashboard > Debug logs will have that list of logs.

    Regards

    Thread Starter Jason

    (@epicfail5000)

    Thanks for the information.

    Jason

    Thread Starter Jason

    (@epicfail5000)

    Hi again,

    After days without a problem the 403 error popped up again. This time it appeared on the second browser. I make changes in my WordPress site in Chrome. I have Safari open to look at how my changes appear. I am “NOT” logged in to my site on Safari. I want to look at the site as other users.

    Does the AIOS plugin work with Mod Security in cPanel?

    I have Mod Security on in cPanel. It is on by default from the hosting company. I have not made changes in there.

    Thanks. Jason

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @epicfail5000,

    If a 403 error is showing and you have ModSecurity or any firewall in cPanel, please contact your server hosting provider.

    Generally the cPanel firewall works on Apache server requests prior to the AIOS plugin, which is at the PHP scripting language level.

    So the AIOS plugin does not work with the ModSecurity of cPanel.

    Regards

    Thread Starter Jason

    (@epicfail5000)

    Hi again,

    I wonder if the cPanel security settings are a conflict with AIOS?

    And I wonder if they are duplicating the same functions for WordPress security?

    Here are the settings that can be turned on in cPanel:

    • Restrict access to files and directories
    • Configure security keys
    • Block access to xmlrpc.php
    • Block directory browsing
    • Forbid execution of PHP scripts in the wp-includes directory
    • Forbid execution of PHP scripts in the wp-content/uploads directory
    • Block access to wp-config.php
    • Disable scripts concatenation for WordPress admin panel
    • Turn off pingbacks
    • Disable PHP execution in cache directories
    • Disable file editing in WordPress Dashboard
    • Change default database table prefix
    • Enable bot protection
    • Block access to sensitive files
    • Block access to potentially sensitive files
    • Block access to .htaccess and .htpasswd
    • Block author scans
    • Change default administrator’s username

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @epicfail5000,

    The below list of features is also supported in AIOS.

    If ModSecurity in cPanel works as a WordPress plugin, it will conflict.

    If it runs at the Apache / nginx server level, then it will be applied prior to the AIOS plugin.

    If it is in .htaccess rules, then WP Security > Firewall > .htaccess rules will conflict. Other rules in .htaccess will run first, then those by AIOS.

    • Block access to xmlrpc.php
    • Disable directory and file listing
    • Block access to wp-config.php
    • Turn off pingbacks
    • Disable file editing in WordPress
    • Change default database table prefix
    • Enable fake googlebot protection
    • Block access to debuglog
    • Prevent access to WP default install files
    • Enable basic firewall protection:
      1) Protect your htaccess file by denying access to it.
      4) Protect your wp-config.php file by denying access to it.
    • Block author scans
    • Suggest to change admin username if it is admin etc.

    Regards

    Thread Starter Jason

    (@epicfail5000)

    Thanks for your thorough response.

    I will contact my hosting company and ask about the process you laid out.

    Cheers. Jason

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @epicfail5000

    Ok, keep me posted.

    Regards

    Thread Starter Jason

    (@epicfail5000)

    Hi again,

    My hosting company says ModSecurity runs on the server.

    ***The list of security settings I provided earlier are in the WP Toolkit within cPanel. I did not include that note.

    Theory: I should turn off any security features in AIOS that are duplicates to WP Toolkit. The reason is the WP Toolkit is on the server.

    I am not a developer. I’m learning as I go.

    Thoughts?

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @epicfail5000,

    Yes, it is advisable to enable a security feature in one place only.

    Here the WP Toolkit runs (at server level) before AIOS, so it is better that any security features are enabled in the WP Toolkit.

    Regards

  • The topic ‘403 Forbidden openresty’ is closed to new replies.