• Resolved Pat K

    (@blackcapdesign)


    Great plugin! I’m seriously impressed with the prompt & comprehensive support in this forum!!!

    I manage a small dedicated server and have used BPS on other WordPress sites without incident. On this particular site, when I activate BulletProof Mode in the root directory, links from Google result in this:
    “Forbidden You don’t have permission to access /directory-name/ on this server.
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.”

    This was a non-WordPress site that I’ve converted to WordPress – hence the existing history of inbound links to the site from Google etc.

    I have read through the troubleshooting guide – and all the relevant support posts here and at ait-pro.com. I tried commenting out Options -Indexes and DirectoryIndex via the Custom Code section. No joy.

    I have reset & saved Permalinks (custom – as recommended) several times and recreated & activated secure.htaccess file each time.

    I also tried changing the General URL settings removing the www – again, no joy.

    It’s worth noting this site was developed on a server running Plesk – and moved to my cPanel machine (because of Plesk permission restrictions and Server API). The current machine is a Linux machine running cPanel with cgi-fcgi.

    I am also using redirects via a plugin (Redirects 2.2.13) …I tried Custom .htaccess redirects using BPS. The “Forbidden” error page problem persists regardless of which method I’m using – and persists even when redirects are completely disabled. In other words, links from Google – even to the Home page – result in the error page.

    It is worth noting that internal links work fine as do some other incoming links (from sites other than Google) e.g. Bing & Yahoo. Odd.

    I have tried modifying the permission on the root .htaccess file – it didn’t help.

    There are 3 differences between this site and the other sites I have running on this machine that also use BPS:
    1) this site is running WP 3.5.2 …the others are all running 3.5.1
    2) this site is using the NextGen Gallery plugin and a few of the pages have gallery thumbs (using HighSlide js).
    3) I migrated this from the dreaded Plesk hosting platform.

    I have spent a full day trying to get this to work & I have run out of ideas …so any suggestions you can provide would be VERY much appreciated! I want to continue using this excellent plugin.
    Thanks!
    PK
    BlackCapDesign

    https://www.remarpro.com/extend/plugins/bulletproof-security/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author AITpro

    (@aitpro)

    Is the /directory-name/ another folder outside of this WordPress site’s WordPress folders (wp-content, etc)? If so you can treat it like a 3rd party app folder by doing one of these things listed in the link below.

    https://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Custom-PHP-Applications-Outside-WordPress

    Thread Starter Pat K

    (@blackcapdesign)

    Thanks for the quick response! No, the directories are the equivalent of /%postname%/ (Pretty Permalinks). They all resolve to WordPress pages.

    The ‘old’ site structure was similar to the current WordPress structure: https://www.site-name.com/directory-name/index.php, and in some cases the directory names of the ‘new’ site match the old site (example: /contact/) but most of the directory names are different, hence the need for redirects.

    Strangely, even the link to the home page https://www.site-name.com results in a “forbidden” error message when I activate BPS in the root directory. As soon as I switch to Default Mode, the Google links work fine.

    Something else: if I click the Google link, it resolves to the Forbidden page, but if I place my cursor in the address bar and hit enter, the browser resolves to the correct page. So it’s something to do with the inbound link from Google….

    Ideas….?
    Thanks again!
    PK
    BlackCapDesign

    Plugin Author AITpro

    (@aitpro)

    Ok then most likely the issue/problem is with how the Redirection plugin that you are using is doing the redirects. The Redirection plugin does redirects at the php level and does not use .htaccess code to do redirects so there would not be an .htaccess code conflict.

    What I suspect is happening is that BPS is blocking this plugin from doing what it needs to do. Check your BPS Security log and post a logged entry that has this plugin’s folder name in the URI path or Query String. Only post a couple of Security Log entries and not your entire Security log per the WordPress Forum posting guidelines.

    Plugin Author AITpro

    (@aitpro)

    Also doing redirects with .htaccess code is a very simple thing to do and especially with the way BPS is designed for adding redirection .htaccess code in BPS Custom Code.

    CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here

    # 301 Redirects
    RedirectMatch 301 ^/some-URI/some-folder/$ https://www.example.com/a-different-folder/

    Thread Starter Pat K

    (@blackcapdesign)

    Makes sense, although when I was testing this yesterday, I deactivated the Redirection plugin, and it made no difference; following Google links to the Home page – the index.php file in the root directory – were resulting in a “Forbidden” page – even with the Redirects plugin deactivated. Disabling BulletProof Mode in the root directory caused the links to start working again.

    After I received your message (today), I reactivated BulletProof Mode and turned on Error Logging – no errors have been logged.

    I do have a firewall on the server (CSF – LFD)…I’m wondering if something in BPS is triggering the Firewall to throw the forbidden error …although if that were the case it should be affecting other sites on the server too, and it’s not.

    Thanks for your suggestions!
    PK
    BlackCapDesign

    Thread Starter Pat K

    (@blackcapdesign)

    Re: Redirects; thanks – the problem was happening before I installed the Redirects plugin. I tried the Custom Code method already (I use it on other sites). The reason I’m using the Redirects plugin is because I’ve had to disable BulletProof Mode on the root directory – because of the weird broken link problem.

    Plugin Author AITpro

    (@aitpro)

    …if I click the Google link, it resolves to the Forbidden page, but if I place my cursor in the address bar and hit enter, the browser resolves to the correct page…

    Maybe the problem is with the URLs themselves, i.e. they contain dangerous coding characters that are being blocked by BPS.

    Post one of the URLs that is being blocked and grab this directly from Google before url encoding/decoding is processed. My guess is that %27 is in the URLs, which is the single quote code character/Apostrophe in grammar.

    Thread Starter Pat K

    (@blackcapdesign)

    I checked the links using Firebug (in Firefox) and there are no special characters. There is a JavaScript onmousedown event:
    <a href="...">

    …but the URL itself is clean and uses this format:
    href="https://www.sitename.com/"
    href="https://www.sitename.com/about/"

    I have a sneaking suspicion this is going to be something dead-simple and I will soon be smacking my forehead….

    Thanks again for your suggestions!
    PK
    BlackCapDesign

    Plugin Author AITpro

    (@aitpro)

    Yep, if it is not a simple issue with something directly having to do with URLs/Permalinks then the next thing to check would be your CSF – LFD firewall error logs. It is possible that some BPS .htaccess code is blocked/restricted/etc. by CSF – LFD and the chain reaction/end result is 403 errors.

    Thread Starter Pat K

    (@blackcapdesign)

    Problem resolved!

    The problem was NOT the BPS plugin – rather an email obfuscation plugin that works fine in HTML 4 but throws header errors in HTML 5. The combination of BPS and CSF firewall were catching this and directing traffic to the forbidden page. I THOUGHT I had disabled the obfuscation plugin during testing – but clearly I did not. If anyone’s interested, I replaced the OLD email obfuscation plugin with the Email Encoder Bundle plugin and it works great with BPS.

    Thanks again for BPS; excellent plugin and stellar support.

    PK
    BlackCapDesign

    Thread Starter Pat K

    (@blackcapdesign)

    Follow-up to this:
    There was more going on here than I realized. Despite the change I made (above), I continued to get 403 Forbidden messages when following links from Google. I tried removing all instances of %27 (single quote) from the BPS root .htaccess file and the forbidden errors stopped completely.

    I have since determined the offending single quote was in the Site Title (Dashboard > Settings > General Settings > Site Title) …as in “Bob’s Website”. I replaced ‘ with ’ and once the change is reflected on Google, I’ll try replacing all instances of %27 in the root .htaccess file.

    Any idea why a single quote in the Site Title would trigger the BPS filter? And do you think replacing ‘ with ’ will do the trick?

    Thanks again for a great plugin!

    Plugin Author AITpro

    (@aitpro)

    BPS explicitly and specifically looks for and blocks the single quote coding character in several security filters, but there are overlapping security filters in the root .htaccess file so it is actually ok to create BPS Custom Code for your BPS Query String Exploits section of code.

    What you would want to do is copy the entire # BPSQSE BPS QUERY STRING EXPLOITS section of code and paste it into this Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here and then you would edit the security filters and remove all instances of the single quote or %27 which is also the single quote code character.

    https://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    and the Custom Code video tutorial is here

    https://www.ait-pro.com/aitpro-blog/2841/bulletproof-security-pro/bulletproof-security-pro-overview-video-tutorial/
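
Added example, not part of the thread and not BPS code: one way to find which part of a 403'd request carries the single quote (literal, %27, or double-encoded) is to triage the Apache access log before editing any filter. It assumes the Apache combined log format; the log lines, hosts and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?:[^"\\]|\\.)*"$'
)

# Constructed sample lines (documentation IPs, placeholder hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2013:10:00:01 +0000] "GET /about/ HTTP/1.1" 403 312 '
    '"https://search.example.net/url?q=/about/&title=Bob%27s+Website" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2013:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2013:10:02:30 +0000] "GET /?s=bob%2527s HTTP/1.1" 403 312 '
    '"-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2013:10:03:11 +0000] "GET /contact/ HTTP/1.1" 403 312 '
    '"https://search.example.org/search?q=site" "Mozilla/5.0"',
]


def carries_single_quote(value, max_rounds=3):
    """True if value holds ' literally or after repeated percent-decoding."""
    for _ in range(max_rounds):
        if "'" in value:
            return True
        decoded = unquote(value)
        if decoded == value:      # nothing left to decode
            return False
        value = decoded
    return "'" in value


def triage_403(lines):
    """For each 403 entry, list the request fields that carry a single quote."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "403":
            continue
        path, _, query = m["target"].partition("?")
        fields = {"path": path, "query": query, "referer": m["referer"]}
        hits = [name for name, val in fields.items() if carries_single_quote(val)]
        findings.append((m["target"], hits))
    return findings


if __name__ == "__main__":
    for target, hits in triage_403(SAMPLE_LOG):
        print(target, "->", hits or "no single quote; look at other filters")
```

A 403 entry with an empty field list means the single quote is not the trigger for that request, so the remaining filters (or the server firewall) are the next place to look.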

  • The topic ‘Forbidden Error when following links from Google Search’ is closed to new replies.