500 error since BulletProof Security .53.1

Thanks for getting back to me. After trying your troubleshooting steps, I found that the problem wasn’t with bulletproof. I contacted HostGator and they resolved the problem on their end (although I’m not sure what they did, so I can’t help you with that). Thank you again for your help.

@clavans – The error message is a mod_rewrite error message that is being caused by mod_security. I was unable to find any information on whether or not this is a mod_security bug or mod_security is intentionally blocking the valid Apache R=405 HTTP status response code. We will continue to research this issue/problem and may decide to create alternative htaccess code for this mod_security bug/intentional block or may eventually find mod_security information about this to see how to proceed/fix the mod_security bug/etc.

https://www.askapache.com/htaccess/mod_rewrite-variables-cheatsheet.html#Mod_Rewrite_Errors

RewriteRule: invalid HTTP response code %s for flag R

Stackoverflow topic from 2011:
https://stackoverflow.com/questions/5544919/redirect-all-files-with-php-extension

Mod_rewrite only accepts the values 301, and 302 (the default if not specified) for the R flag. If you wish to send to a 404, I’d recommend sending the request to a custom 404 page:
RewriteRule \.php$ /404.php [L],
where 404.php sets the Response Status to 404.

mod_security search for verification and/or mod-security help information/documentation:
Unable to find any information about this mod_security error on the mod_security website or the Owasp Wiki. Unable to find any mod_security information on how to allow/whitelist this in mod_security, if it can be allowed/whitelisted or any other information regarding this mod_security error message.

Apache Server Help Documentation:
Apache 2.2 was released in 2005 – 10 years ago.
https://en.wikipedia.org/wiki/Apache_HTTP_Server

Apache 2.2 R Flag HTTP response status code help info:
https://httpd.apache.org/docs/2.2/rewrite/flags.html#flag_r

Any valid HTTP response status code may be specified, using the syntax [R=305], with a 302 status code being used by default if none is specified. The status code specified need not necessarily be a redirect (3xx) status code. However, if a status code is outside the redirect range (300-399) then the substitution string is dropped entirely, and rewriting is stopped as if the L were used.

Apache 2.4 R Flag HTTP response status code help info:
https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_r

Any valid HTTP response status code may be specified, using the syntax [R=305], with a 302 status code being used by default if none is specified. The status code specified need not necessarily be a redirect (3xx) status code. However, if a status code is outside the redirect range (300-399) then the substitution string is dropped entirely, and rewriting is stopped as if the L were used.

Summary|Conclusion:
I am unable to find any information about this mod_security issue besides the fact that the 500 error is being caused by mod_security not allowing R=405. I do not know if that is a mod_security bug or if that is intentional. R=405 has been available since Apache 2.2 – 10 years ago.

@clavans – Oops forgot to thank you for posting that information. ?? Very much appreciated! Thank you.

@lolpics – Great! Glad you got it all sorted out.

I read this Stackoverflow response/answer wrong. The answer/response posted by this person on Stackoverflow is incorrect/invalid/wrong. For some odd reason I saw mod_security and not mod_rewrite when I read the response. ?? It may be that this has nothing at all to do with mod_security and is some other server configuration issue.

Stackoverflow topic from 2011:
https://stackoverflow.com/questions/5544919/redirect-all-files-with-php-extension

Mod_rewrite only accepts the values 301, and 302 (the default if not specified) for the R flag. If you wish to send to a 404, I’d recommend sending the request to a custom 404 page:
RewriteRule \.php$ /404.php [L],
where 404.php sets the Response Status to 404.

Hey guys,
Bad news. While the Hostgator fix worked initially, it’s reverted back to the 500 error. Is the above stackoverflow issue an answer I should implement, or are you still working out the problem?
Thanks

And also, the “visual” window that allows the creation of a new page on wordpress isn’t working either. When I inspect the elements, it’s giving me the same 500 error for a number of the elements.

And a number of the icons for random elements of wordpress are being visually portrayed as broken links. This includes things like facebook and tumbler link icons and the icons for the “insert flash video” button (not that I need those things, but I thought it might offer some insight).

Thanks for getting back to me. After trying your troubleshooting steps, I found that the problem wasn’t with bulletproof. I contacted HostGator and they resolved the problem on their end (although I’m not sure what they did, so I can’t help you with that). Thank you again for your help.

Intermittent problems are typically going to be related to things like: cache/caching plugins/CDN’s/VPN’s/Proxy’s/Load Balancers/Host server problems/Browser problems (corrupt cache, add-on, extension)/ISP (connectivity)/CloudFlare, etc.

Find out what your host did to fix the problem before and let me know what that is. I still believe your problem is a completely different problem caused by something else and not BPS.

I’ll look into it with my what our host and let you know. For the time being, I was able to get them to roll back the site to the day before I installed the update and it’s now working perfectly (at least for now). While I don’t know if BPS is the cause of the issue, it seems to have been what set it off.

hmm very odd. Since you previously did the BPS troubleshooting steps and the problem was still occurring then it seems like BPS does not have anything to do with whatever is going on. Keep me posted on whatever is causing this problem.

@chumtarou – resolving this thread since your problem is resolved and you were the original thread creator. If/when you do hear back from your host, please post any additional info that they provide to you. Thanks.

Hi AITpro,

The host is currently looking into this and hope to have further response this week. I can either add more to this or email you privately once I learn more.