Resolved: thomashubbard (@thomashubbard)

    Hi – I tried searching the KnowledgeBase but didn’t find a post that matched my scenario. To begin, I have a file in my custom theme directory that receives (and parses) POST requests whenever a button is clicked from the UI. PRIOR to installing the BPS Security Plugin, a single line in my htaccess made this functionality possible:

    <code>
    RewriteCond %{QUERY_STRING} !^request=true$
    </code>

    AFTER installing the BPS Security Plugin, adding this line of code to the Custom Code section for the Root htaccess file no longer works. No matter which block I include this line of code in, I continuously receive the following 403 Error in the browser console:

    <code>
    [403 POST Request: October 6, 2024 2:39 pm]
    BPS: 6.9
    WP: 6.6.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 174.163.111.56
    Host Name: c-174-163-111-56.hsd1.ga.comcast.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://domainname.com/
    REQUEST_URI: /wp-content/themes/custom-wordpress-theme/api/randomizer/random-text/random-text.php?request=true
    QUERY_STRING: request=true
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
    </code>

    I’ve tried piecing together responses from related posts in this forum to come up with a solution, but haven’t been successful. Any help you can provide would be greatly appreciated.

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author AITpro

    (@aitpro)

    Copy the code below into this Root htaccess file Custom Code text box: 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
    Click the Save Root Custom Code button.
    Run the Pre-Installation Wizard and Setup Wizard.

    Note: if there are already existing whitelist rules in the 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES text box then paste this code above the existing code.

    <code>
    # Theme POST request Query String Root htaccess skip/bypass rule
    RewriteCond %{QUERY_STRING} !^request=true$ [NC]
    RewriteRule . - [S=13]
    </code>

    Thread Starter thomashubbard

    (@thomashubbard)

    Hi – Thank you for your reply! I tried this but the button is still not functional. I also still get the 403 error in the console.

    For what it's worth, I tried clearing the browser and server/hosting cache and it still doesn't work.

    Plugin Author AITpro

    (@aitpro)

    Did you run the Setup Wizard again after saving your custom code?

    Plugin Author AITpro

    (@aitpro)

    To me it looks like you have the rule backwards. Try this rule instead.

    <code>
    # Theme POST request Query String Root htaccess skip/bypass rule
    RewriteCond %{QUERY_STRING} request=true(.*) [NC]
    RewriteRule . - [S=13]
    </code>
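The two replies above turn on how a skip/bypass rule interacts with the query-string exploit rules that follow it. The model below is an added example, not code from the thread or from the BPS plugin: it walks a rule list the way mod_rewrite does (a RewriteRule fires when its RewriteCond passes; [S=n] skips the next n rules; [F] answers 403) and runs three versions of the skip rule against three constructed query strings. The "negated" version is the line thomashubbard originally posted, the "unanchored" version is the corrected rule above, and the "anchored" version is a tightening suggested here, not in the thread. The real BPSQSE block is assumed to hold thirteen rules (hence S=13 in the thread); the stand-in list here has two, one of them the sp_executesql pattern quoted later in the thread and one invented, so the skip count is S=2.

```python
# Added example (not from the thread or the BPS plugin): a small model of how
# mod_rewrite evaluates a skip/bypass rule placed in front of query-string
# exploit rules. Only the RewriteCond on QUERY_STRING decides whether a rule
# fires, because every RewriteRule involved uses a catch-all pattern
# ('.' or '^(.*)$') that matches any URL path.
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    cond: Optional[str]  # RewriteCond regex tested against QUERY_STRING (None = no condition)
    negate: bool         # a leading "!" on the RewriteCond
    skip: int            # [S=n]: skip the next n rules when this rule fires
    forbid: bool         # [F]: answer 403 when this rule fires


def evaluate(rules, query_string):
    """Walk the rules in order; return 403 if an [F] rule fires, else 200.

    All conditions in the thread carry [NC], hence re.IGNORECASE.
    """
    i = 0
    while i < len(rules):
        r = rules[i]
        fired = True
        if r.cond is not None:
            matched = re.search(r.cond, query_string, re.IGNORECASE) is not None
            fired = matched != r.negate   # "!" inverts the match
        if fired and r.forbid:
            return 403
        i += 1 + (r.skip if fired else 0)  # [S=n] jumps over the next n rules
    return 200


# Constructed stand-in for the BPSQSE block: sp_executesql is quoted in the
# thread, the script-tag pattern is invented. Two rules, so the skip below is S=2.
SECURITY_RULES = [
    Rule(cond=r"(sp_executesql)", negate=False, skip=0, forbid=True),
    Rule(cond=r"(<|%3C).*script.*(>|%3E)", negate=False, skip=0, forbid=True),
]

SKIP_VARIANTS = {
    # thomashubbard's original line: negated, so it fires for every request EXCEPT the legitimate one
    "negated": Rule(cond=r"^request=true$", negate=True, skip=2, forbid=False),
    # AITpro's corrected rule: fires whenever request=true appears anywhere in the query string
    "unanchored": Rule(cond=r"request=true(.*)", negate=False, skip=2, forbid=False),
    # Suggested tightening (not from the thread): fire only on the exact query string
    "anchored": Rule(cond=r"^request=true$", negate=False, skip=2, forbid=False),
}

# Constructed query strings: the theme's legitimate request, a query-string
# attack, and an attack that puts the legitimate token in front of the payload.
REQUESTS = {
    "legit": "request=true",
    "attack": "id=1;exec sp_executesql",
    "smuggle": "request=true&id=1;exec sp_executesql",
}


def outcomes():
    """Return {variant: {request label: HTTP status}} for every skip-rule variant."""
    return {
        name: {label: evaluate([skip] + SECURITY_RULES, qs) for label, qs in REQUESTS.items()}
        for name, skip in SKIP_VARIANTS.items()
    }


if __name__ == "__main__":
    for variant, results in outcomes().items():
        print(f"{variant:10s} {results}")
```

Two things fall out of the run. With the negated rule, the skip fires for every query string other than the exact `request=true`, so the attack string sails past both security rules; the rule did not merely fail to whitelist the theme request, it switched the query-string protection off for everyone else. The corrected rule fixes that, but because it is unanchored, any request that contains `request=true` somewhere is also skipped, which is why the anchored exact-match form is the narrower whitelist.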

    Thread Starter thomashubbard

    (@thomashubbard)

    Hello, I really appreciate your help!

    I tried the updated rule you suggested above and ran the Setup Wizard after saving the custom code. I’m still getting the same behavior. Perhaps I’m doing something wrong?

    For the record, I’m not an “expert” in HTACCESS, so it could be that the original rule I was using was, in fact, the wrong approach. But it did work (or at least I thought it worked) prior to installing the BPS plugin. I definitely wasn’t receiving the 403 errors and the button was functional. Each time you clicked it, it would update the text on the page with random text.

    The closest issue I could find in the forum was this one: https://forum.ait-pro.com/forums/topic/something-legitimate-is-blocked-403-request/. Here, the query string was appended to the end of the ‘wp-content’ path. This is similar to the approach I’m taking, but am obviously hitting a PHP file (and not a CSS file).

    Any help or insight would be greatly appreciated. I’d like to get this functional again but if all else fails, I will go with the security that the BPS plugin provides over the query string request. Security is obviously more important.

    Plugin Author AITpro

    (@aitpro)

    Do this test > Deactivate Root Folder BulletProof Mode on the Security Modes page. Test your POST form. If you are seeing a 403 error then add your custom RewriteRule code in the top Custom Code text box. Are you using any additional custom htaccess code in any of the BPS Custom Code text boxes? Are you using the BPS POST Attack protection Bonus Custom Code?

    Thread Starter thomashubbard

    (@thomashubbard)

    Hi –

    So I deactivated Root Folder BulletProof Mode on the Security Modes Page. I then tested the POST request, which was still raising a 403 error in the browser console. This was to be expected since deactivating Root Folder BulletProof Mode also deactivated the root folder .htaccess file.

    Unless I am misunderstanding your instructions, adding the custom rewrite rule to the top Custom Code box would require Root Folder BulletProof Mode to be reactivated. Long story short, I tried two things:

    1) Manually creating a new htaccess file and adding my custom rewrite rule here. This worked, which put me back at square one, or, the state of my website PRIOR to installing the BPS plugin.

    2) Adding my custom rewrite rule in the top Custom Code text box for the Root htaccess file. The only way to test this was to reactivate Root Folder BulletProof Mode. I did this and got the same behavior: a 403 error in the browser console.

    You asked…

    Are you using any additional custom htaccess code in any of the BPS Custom Code text boxes?

    No, I’m not.

    Are you using the BPS POST Attack protection Bonus Custom Code?

    I searched for this and do not see it anywhere in the plugin. The closest thing I could find was box 4. CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION. The description for this box is “This Custom Code text box is for optional/Bonus code.” If this is what you are referring to, then no, there is no custom code in this box.

    Plugin Author AITpro

    (@aitpro)

    Oops yeah I meant for you to retest your RewriteRule in the default htaccess file, which you figured out. Even though the top of the security log entry says this is a POST request, I see this > REQUEST_METHOD: GET. My guess is both POST and GET are being used in the form, i.e. the form does a GET to do something and also a POST. Typically when a form does both POST and GET the Security Log entry will only capture one of the 403 events because the request is seen as one event. Or in other words, something else (2 things) is being blocked and it is not being logged in the security log.

    Figuring out which htaccess security rule is causing the 403 error is time consuming without seeing a security log entry for clues. Logically it is going to be one of the lines of code (or maybe more) in the BPSQSE BPS QUERY STRING EXPLOITS section of code. To confirm that, copy this code into the 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS text box, overwriting any code in that text box, save your changes and activate Root folder BulletProof mode. You should add the other RewriteRule in the 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES text box.

    Note: this is all code below, but unfortunately I am unable to format it as code. Known Gutenberg issue.

    <code>
    ## BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some
    # good bots use it too. Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.

    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    ## END BPSQSE BPS QUERY STRING EXPLOITS
    </code>

    Thread Starter thomashubbard

    (@thomashubbard)

    Sorry for the delay in my response, but I did a series of tests and wanted to be sure I addressed everything we’ve discussed in this thread in hopes it might help someone in the future.

    I retested each of the suggestions you gave me above. Here is a recap / summarization:

    1. Copy the below code into Box 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES in the Root htaccess file Custom Code

    <code>
    # Theme POST request Query String Root htaccess skip/bypass rule
    RewriteCond %{QUERY_STRING} request=true(.*) [NC]
    RewriteRule . - [S=13]
    </code>

    2. Keep the above code in Box 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES in the Root htaccess file Custom Code and replace the code in Box 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS with the below code:

    <code>
    ## BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden – Many bad bots use libwww-perl modules, but some
    # good bots use it too. Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.

    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    ## END BPSQSE BPS QUERY STRING EXPLOITS
    </code>

    Both solutions actually resolved my issue. That is, whether we keep the original code in Box 12 OR replace it with the code above, I am able to click the button in my web application to make POST requests successfully. No more 403 errors.

    Now, here is where it gets tricky. What appears to have been preventing the solutions above from working was an htaccess file in the ‘wp-content’ folder. I don’t even see an option for creating an htaccess file for the ‘wp-content’ folder, so I’m assuming this is created upon activating the plugin??? Or perhaps it was created by another plugin even though it references “bulletproof-security?” Could SGS possibly stand for “SiteGround Security” which is a plugin I’m using? Perhaps you could provide clarification on this.

    Anyway, here were the contents of the htaccess file in the ‘wp-content’ folder:

    <code>
    # SGS Directory Hardening
    <FilesMatch "\.(?i:php)$">
    <IfModule !mod_authz_core.c>
    <IfModule mod_setenvif.c>
    SetEnvIf Request_URI "bulletproof-security/.*$" whitelist
    Order Deny,Allow
    Deny from all
    Allow from env=whitelist
    </IfModule>
    </IfModule>
    <IfModule mod_authz_core.c>
    <IfModule mod_setenvif.c>
    SetEnvIf Request_URI "bulletproof-security/.*$" whitelist
    Require env whitelist
    Require all denied
    </IfModule>
    </IfModule>
    </FilesMatch>
    # SGS Directory Hardening END
    </code>

    When I deleted that htaccess file in the ‘wp-content’ folder, everything began working correctly.

    Please let me know if the htaccess file in the ‘wp-content’ folder is needed. Again, there doesn’t appear to be an option in the BPS Security plugin to create a htaccess file for the “wp-content” folder (unless I’m overlooking it). And, running the BPS Security Wizard does not seem to recreate this file.

    Please let me know your thoughts, and THANK YOU for all your help!

    Plugin Author AITpro

    (@aitpro)

    Yep, you are correct, SGS stands for SiteGround Security. The wp-content htaccess file is created by the SiteGround Security plugin. BPS automatically checks for wp-content htaccess files since several security plugins create them. If BPS finds an htaccess file in the wp-content folder and it contains htaccess code that blocks all .php files, then BPS will automatically create additional bulletproof-security whitelisting htaccess rules in that wp-content htaccess file, since those htaccess files will break BPS and other plugins (and apparently themes too) as well.

    Check the SGS plugin and look for an option called "wp-content hardening" and turn it off.

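The "SGS Directory Hardening" block thomashubbard found in wp-content/.htaccess, and AITpro's explanation of it, describe an access-control decision that no RewriteRule skip flag can influence: `Require` directives are evaluated by mod_authz_core separately from mod_rewrite, so the root-htaccess bypass rules above were never in a position to lift this denial. The model below is an added example, not code from the thread, from SiteGround Security or from BPS. It reproduces the decision the quoted block makes for a .php file: `SetEnvIf Request_URI "bulletproof-security/.*$" whitelist` sets a variable when the pattern matches the request path (the Apache documentation defines `Request_URI` here as the request-line path without the query string, which is what the model assumes); sibling `Require` lines are implicitly combined as RequireAny, `Require all denied` never succeeds, so access is granted exactly when `Require env whitelist` succeeds. The `Order Deny,Allow` branch for servers without mod_authz_core encodes the same decision. The anchored whitelist pattern is a hypothetical tightening suggested here, and the sample request paths are constructed.

```python
# Added example (not from the thread, SiteGround Security or BPS): a model of the
# "SGS Directory Hardening" block quoted in the thread,
#   <FilesMatch "\.(?i:php)$">
#     SetEnvIf Request_URI "bulletproof-security/.*$" whitelist
#     Require env whitelist
#     Require all denied
#   </FilesMatch>
# Sibling Require lines act as RequireAny; "Require all denied" never succeeds,
# so a .php file is served only when the SetEnvIf pattern matched the path.
import re
from urllib.parse import urlsplit

PHP_FILE = re.compile(r"\.(?i:php)$")                    # the FilesMatch pattern, verbatim
SGS_WHITELIST = re.compile(r"bulletproof-security/.*$")  # the SetEnvIf pattern, verbatim
# Hypothetical tightening (not from the thread): anchor the whitelist to the plugin directory.
ANCHORED_WHITELIST = re.compile(r"^/wp-content/plugins/bulletproof-security/")


def decide(request_uri, whitelist=SGS_WHITELIST):
    """Return 'not-governed', 'allowed' or 'denied' for one request.

    FilesMatch tests the final file name only, so the query string is split off
    first. SetEnvIf Request_URI is assumed to see the request-line path without
    the query string, as the Apache documentation describes.
    """
    path = urlsplit(request_uri).path
    filename = path.rsplit("/", 1)[-1]
    if not PHP_FILE.search(filename):
        return "not-governed"                 # the <FilesMatch> block does not apply
    env_whitelist = whitelist.search(path) is not None   # SetEnvIf sets the variable
    # Require env whitelist -> succeeds iff env_whitelist is set
    # Require all denied    -> always fails
    # implicit RequireAny   -> any success grants access
    return "allowed" if env_whitelist else "denied"


# Constructed requests: the thread's theme endpoint, a file under the BPS plugin
# directory, a stylesheet, and a PHP file under a directory merely named
# bulletproof-security somewhere else in wp-content.
SAMPLES = {
    "theme_api": "/wp-content/themes/custom-wordpress-theme/api/randomizer/random-text/random-text.php?request=true",
    "bps_plugin": "/wp-content/plugins/bulletproof-security/example.php",
    "stylesheet": "/wp-content/themes/custom-wordpress-theme/style.css?ver=1",
    "lookalike": "/wp-content/uploads/bulletproof-security/dropped.php",
}


def compare():
    """Return {label: (verdict with the SGS pattern, verdict with the anchored pattern)}."""
    return {label: (decide(uri), decide(uri, ANCHORED_WHITELIST)) for label, uri in SAMPLES.items()}


if __name__ == "__main__":
    for label, (sgs, anchored) in compare().items():
        print(f"{label:11s} SGS={sgs:13s} anchored={anchored}")
```

The theme endpoint is denied because nothing in its path contains `bulletproof-security/`, which is the 403 the thread chased for several rounds. Two caveats a practitioner would want: the SetEnvIf pattern has no leading anchor, so the string only has to appear somewhere in the path, and the hardening then exempts any PHP file under any directory with that name (the constructed "lookalike" case); and turning the hardening off, as suggested above, removes the denial for every PHP file under wp-content, whereas adding a second `SetEnvIf Request_URI` line for the theme's own endpoint path would keep the rest of the directory locked down. That narrower option is a suggestion here, not something the thread tested.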
    Plugin Author AITpro

    (@aitpro)

    Oh and well done! That was a great catch.

    Thread Starter thomashubbard

    (@thomashubbard)

    Thank you! I couldn’t have caught it without your help. The support at BPS / AITpro is awesome! Have a great day!

    Plugin Author AITpro

    (@aitpro)

    Nah that was all you my friend, but thanks for saying that.

    Plugin Author AITpro

    (@aitpro)

    Resolving this topic.
