WordPress.org

Ready to get started?Download WordPress

Forums

BulletProof Security
[resolved] Forbidden Error when following links from Google Search (13 posts)

  1. Pat K
    Member
    Posted 1 year ago #

    Great plugin! I'm seriously impressed with the prompt & comprehensive support in this forum!!!

    I manage a small dedicated server and have used BPS on other WordPress sites without incident. On this particular site, when I activate BulletProof Mode in the root directory, links from Google result in this:
    "Forbidden You don't have permission to access /directory-name/ on this server.
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request."

    This was a non-WordPress site that I've converted to WordPress - hence the existing history of inbound links to the site from Google etc.

    I have read through the troubleshooting guide - and all the relevant support posts here and at ait-pro.com. I tried commenting out Options -Indexes and DirectoryIndex via the Custom Code section. No joy.

    I have reset & saved Permalinks (custom - as recommended) several times and recreated & activated secure.htaccess file each time.

    I also tried changing the General URL settings removing the www - again, no joy.

    It's worth noting this site was developed on a server running Plesk - and moved to my cPanel machine (because of Plesk permission restrictions and Server API). The current machine is a linux machine running cPanel with cgi-fcgi.

    I am also using redirects via a plugin (Redirects 2.2.13) ...I tried Custom .htaccess redirects using BPS. The "Forbidden" error page problem persists regardless of which method I'm using - and persists even when redirects are completely disabled. In other words, links from Google - even to the Home page - result in the error page.

    It is worth noting that internal links work fine as do some other incoming links (from sites other than Google) e.g Bing & Yahoo. Odd.

    I have tried modifying the permission on the root .htaccess file - it didn't help.

    There are 3 differences between this site and the other sites I have running on this machine that also use BPS:
    1) this site is running WP 3.5.2 ...the others are all running 3.5.1
    2) this site is using the NextGen Gallery plugin and a few of the pages have gallery thumbs (using HighSlide js).
    3) I migrated this from the dreaded Plesk hosting platform.

    I have spent a full day trying to get this to work & I have run out of ideas ...so any suggestions you can provide would be VERY much appreciated! I want to continue using this excellent plugin.
    Thanks!
    PK
    BlackCapDesign

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Is the /directory-name/ another folder outside of this WordPress site's WordPress folders (wp-content, etc)? If so you can treat it like a 3rd party app folder by doing one of these things listed in the link below.

    http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Custom-PHP-Applications-Outside-WordPress

  3. Pat K
    Member
    Posted 1 year ago #

    Thanks for the quick response! No, the directories are the equivalent of /%postname%/ (Pretty Permalinks). They all resolve to WordPress pages.

    The 'old' site structure was similar to the current WordPress structure: http://www.site-name.com/directory-name/index.php, and in some cases the directory name of the 'new' site match the old site ( example: /contact/ ) but most of the directory names are different, hence the need for redirects.

    Strangely, even the link to the home page http://www.site-name.com results in a "forbidden" error message when I activate BPS in the root directory. As soon as I switch to Default Mode, the Google links work fine.

    Something else: if I click the Google link, it resolves to the Forbidden page, but if I place my cursor in the address bar and hit enter, the browser resolves to the correct page. So it's something to do with the inbound link from Google....

    Ideas....?
    Thanks again!
    PK
    BlackCapDesign

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok then most likely the issue/problem is with how the Redirection plugin that you are using is doing the redirects. The Redirection plugin does redirects at the php level and does not use .htaccess code to do redirects so there would not be an .htaccess code conflict.

    What I suspect is happening is that BPS is blocking this plugin from doing what it needs to do. Check your BPS Security log and post a logged entry that has this plugins folder name in the URI path or Query String. Only post a couple of Security Log entries and not your entire Security log per the WordPress Forum posting guidelines.

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also doing redirects with .htaccess code is a very simple thing to do and especially with the way BPS is designed for adding redirection .htaccess code in BPS Custom Code.

    CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here

    # 301 Redirects
    RedirectMatch 301 ^/some-URI/some-folder/$ http://www.example.com/a-different-folder/
  6. Pat K
    Member
    Posted 1 year ago #

    Makes sense, although when I was testing this yesterday, I deactivated the Redirection plugin, and it made no difference; following Google links to the Home page - the index.php file in the root directory - were resulting a "Forbidden" page - even with the Redirects plugin deactivated. Disabling BulletProof Mode in the root directory caused the links to start working again.

    After I received your message(today), I reactivated BulletProof Mode and turned on Error Logging - no errors have been logged.

    I do have a firewall on the server (CSF - LFD)...I'm wondering if something in BPS is triggering the Firewall to throw the forbidden error ...although if that were the case it should be affecting other sites on the server too, and it's not.

    Thanks for your suggestions!
    PK
    BlackCapDesign

  7. Pat K
    Member
    Posted 1 year ago #

    Re: Redirects; thanks - the problem was happening before I installed the Redirects plugin. I tried the Custom Code method already (I use it on other sites). The reason I'm using the Redirects plugin is because I've had to disable BulletProof Mode on the root directory - because of the weird broken link problem.

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    ...if I click the Google link, it resolves to the Forbidden page, but if I place my cursor in the address bar and hit enter, the browser resolves to the correct page...

    Maybe the problem is with the URL's themselves. ie they contain dangerous coding characters that are being blocked by BPS.

    Post one of the URL's that is being blocked and grab this directly from Google before url encoding/decoding is processed. My guess is that %27 is in the URL's, which is the single quote code character/Apostrophe in grammar.

  9. Pat K
    Member
    Posted 1 year ago #

    I checked the links using Firebug (in Firefox) and there are no special characters. There is a JavaScript onmousedown event:
    <a href="...">

    ...but the URL itself if clean and uses this format:
    href="http://www.sitename.com/"
    href="http://www.sitename.com/about/"

    I have a sneaking suspicion this is going to be something dead-simple and I will soon be smacking my forehead....

    Thanks again for your suggestions!
    PK
    BlackCapDesign

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, if it is not a simple issue with something directly having to do URLs/Permalinks then the next thing to check would be your CSF - LFD firewall error logs. It is possible that some BPS .htaccess code is blocked/restricted/etc. by CSF - LFD and the chain reaction/end result is 403 errors.

  11. Pat K
    Member
    Posted 1 year ago #

    Problem resolved!

    The problem was NOT the BPS plugin - rather an email obfuscation plugin that works fine in HTML 4 but throws header errors in HTML 5. The combination of BPS and CSF firewall were catching this and directing traffic to the forbidden page. I THOUGHT I had disabled the obfuscation plugin during testing - but clearly I did not. If anyone's interested, I replaced the OLD email obfuscation plugin with the Email Encoder Bundle plugin and it works great with BPS.

    Thanks again for BPS; excellent plugin and stellar support.

    PK
    BlackCapDesign

  12. Pat K
    Member
    Posted 1 year ago #

    Follow-up to this:
    There was more going on here than I realized. Despite the change I made (above), I continued to get 403 Forbidden messages when following links from Google. I tried removing all instances of %27 (single quote) from the BPS root .htaccess file and the forbidden errors stopped completely.

    I have since determined the offending single quote was in the Site Title (Dashboard > Settings > General Settings > Site Title) ...as in "Bob's Website". I replaced ' with ’ and once the change is reflected on Google, I'll try replacing all instance of %27 in the root .htaccess file.

    Any idea why a single quote in the Site Title would trigger the BPS filter? And do you think replacing ' with ’ will do the trick?

    Thanks again for a great plugin!

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    BPS explicitly and specifically looks for and blocks the single quote coding character in several security filters, but there are overlapping security filters in the root .htaccess file so it is actually ok to create BPS Custom Code for your BPS Query String Exploits section of code.

    What you would want to do is copy the entire # BPSQSE BPS QUERY STRING EXPLOITS section of code and paste it into this Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here and then you would edit the security filters and remove all instances of of the single quote or %27 which is also the single quote code character.

    http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939

    and a the Custom Code video tutorial is here

    http://www.ait-pro.com/aitpro-blog/2841/bulletproof-security-pro/bulletproof-security-pro-overview-video-tutorial/

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.