Can't log out, 403 forbidden

Should I take out that entire brute force protection code just as I did?

And should I turn brute force protection bad on in options, even if that code is not there?

Thanks, I am glad I can help.

You can either remove the code or make this modification.

Change this code…

RewriteCond %{HTTP_USER_AGENT} ^(|-?)$ [NC,OR]

…to this…

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]

# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]

I just wanted to toss my own 2 cents worth here. I had the same issue as Jose. I noticed it after adding in another plugin, but removing it didn’t seem to help.

I followed some of his methods above, removing the Brute-Force block and changing the permissions to 404 and the problem has gone away. I had previously turned off the Login Security but the code was still present.

Hopefully, you’ll figure out why it is affecting only a few of us. Until then, we seem to have a solution of sorts.

Thanks AIT for all the work you’ve put into this, and thanks Jose for your fix.

We have conclusively found that some Servers just cannot use this code so if you are seeing a 403 error then just delete the code.

https://forum.ait-pro.com/forums/topic/403-error-after-upgrading-to-version-49-3/#post-10534

I’ll have to keep doing this it appears. The latest update (.49.4) replaced that bit of code on me.

At least it’s easy enough to fix once you know what’s going on. I’ll just have to ensure that I’m in the position to modify the .htaccess file immediately after updating until the problem goes away.

I’ll just have to ensure that I’m in the position to modify the .htaccess file immediately after updating until the problem goes away.

I do not think you will have to do that if you first put what you want to keep in the Custom Code editor since BPS always defers to whatever you have there.

Actually what we will do is automate this in .49.5. Create a check for the previous version of BPS installed and then check for the code in the root .htaccess file. If the previous version is .49.3 or .49.4 and the code does not exist then do NOT create the code again. Also adding a single pound sign # in this BPS Custom Code text box: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION: will prevent the code from being automatically created again when clicking the AutoMagic button.

There is one issue that just cannot be fixed, which is some Servers just do not allow checking for the Server Protocol condition. So unfortunately, those folks just cannot use the code. The majority of folks can use the code without any issues/problems.

Awesome! That will eliminate some worry on my part.

@eric_the_grey, you’re welcome, glad I could help.

I also updated and the change in code still results in the same problem, so I am going to add the “#” into the custom code as suggested and see if that works the next time I have to use automagic buttons and create a new .htaccess.

Thanks for everything, AIT.