danpreston

Marko,
Beautiful! I’ll give it a try tomorrow and report back.
Looking forward to checking that “resolved” box!

Hey Marko and Adam,
It would be great if 1&1 and the Jetpack team could resolve this. I totally understand the need for security, but it sounds like you had this figured out in the past. Thanks for looking into this.
Best,
Dan

Here’s the word back from my web host tech support:

We have received an escalated case support regarding the Jetpack plugin not working correctly in the WordPress website “www.telequestinc.com”. Accessing the xmlrpc.php file directly (https://www.telequestinc.com/xmlrpc.php) will display the term “XML-RPC server accepts POST requests only”, which is part of ./wp-includes/class-IXR.php handled by WordPress itself. Instead the 403 error from (https://www.telequestinc.com/xmlrpc.php?for=jetpack) is indeed handled by 1&1 Apache mod_sec rule. The URL “xmlrpc.php\?for=jetpack” is strict protected by Apache mod_security to defend against malicious requests, and prevent brute Force Attacks. There have been many vulnerabilities and attacks in the past directed to the xmlrpc.php file with requests from sources not related to WordPress.com. The xmlrpc.php file can get updates and requests from WordPress IP addresses only, other external request are blocked by the rules set in Apache mod_sec. Based on the global rules set in our Linux shared hosting platform xmlrpc.php will run without any error in most case scenarios. Also Jetpack should run with most of the modules, however we cannot guarantee that some Jetpack modules will fully work since we cannot disable Apache mod_sec in our Shared Hosting Platform.

Any suggestions beyond getting a new web host?

Hi again.
I’ve continued to hunt for solutions to no avail.
– some forum posts suggested changing line 29 in xmlrpc from ./wp-load to wp-load (no effect)
– tried XML-RPC De Whitespacer plugin, no effect

Here’s something curious:
https://www.telequestinc.com/xmlrpc.php gives the expected response of “XML-RPC server accepts POST requests only.”
But so does https://www.telequestinc.com/xmlrpc.php?for=whatever
And so does https://www.telequestinc.com/xmlrpc.php?for=jetpac … or pretty much any string replacing “whatever” EXCEPT for https://www.telequestinc.com/xmlrpc.php?for=jetpack (or any string beginning with “jetpack”
So there’s something very specific that’s blocking Jetpack, it would seem.

Does that in any way narrow down the issue?
BTW, still waiting for meaningful response from 1and1. Will keep on them. Thanks!
FYI theme is a child theme of twentytwelve

Thanks Adam. In answer to your steps above:
1) xmlrpc.php is there at the root of the installation
2) The only security plugin is Akismet which I assume would not be a problem. I tried disabling it anyway and no change in behavior (and have since re-enabled it).
3) I have contacted 1and1 support to see if they block the file. I suspect that may be the case because last summer they blogged about xmlrpc.php security issues. Do you know if there is any current reason they might insist on disabling the file?

I’ve used the Jetpack debugger tool and it gives a green light, everything’s fine message.
Also checked the XMLRPC file and that behaves correctly.
Please let me know if there are any additional diagnostics I can do on this end. Looking forward to your help, it’ll be much appreciated.

I had the same issue: Mobile menu button of child theme of twentytwelve suddenly stopped working … And adding my thanks to junior466 for identifying the problem and finding the solution!

And I agree that theme developers, especially the official WordPress gang, should alert users via a changelog or some kind of notification system. Especially when the recommendation is to update right away. Need to be on the alert for what might break when doing that.