
BulletProof Security
[resolved] 403 after updating (29 posts)

  1. Baraka777
    Member
    Posted 1 year ago #

    Hello, after updating to the latest BP version my website http://fanart.game-art-hq.com is completely unavailable for me, and probably everyone to reach now, I can access anything and get the Forbidden

    You don't have permission to access / on this server. message

    What do I have to do to get access again?

    Greets, ray

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. Baraka777
    Member
    Posted 1 year ago #

    Removed (after saving it) the .htaccess file so I can access the website again, but what might have been the cause? How can I prevent it after updating?

  3. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I see that this is a subdomain site. Is this site in a folder named /fanart or are you creating the subdomain by some sort of rewriting or from your host control panel?

    I would like to see what .htaccess code is being created by BPS for your site.
    1. click the secure.htaccess AutoMagic button.
    2. go to the Edit/Upload/Download page
    click on secure.htaccess editor tab and copy ONLY this little bit of code shown below into your reply. I only need to know what your RewriteBase is and do not need to see the rest of your htaccess file coding.

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # REQUEST METHODS FILTERED

  4. plasticgoat
    Member
    Posted 1 year ago #

    Hi,

    I've got the same error after the last 2 updates, for the 2 blogs I'm hosting (1 main domain and 1 sub-domain).
    I'm using Virtualmin as panel management.
    The .htaccess permissions become "-r-----r-- Aug 13 12:14 .htaccess" after each update.

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ahh ok it looks like then that when the .htaccess file is automatically CHMOD to 404 during the automatic upgrade then this is causing the 403 error.

    The CHMOD 404 is done based on your Server API type, but I have found a few Hosts that strictly disallow using 404 permissions for .htaccess files. Which web host do you have?

    Please post these BPS System Info fields below for your website:

    Server Type:
    Operating System:
    Server API:
    Multisite:

    If you change the permissions of your root .htaccess file to 644 does the 403 error still occur?

  6. plasticgoat
    Member
    Posted 1 year ago #

    Yes, once I change the permissions back to 644, everything is fine.

    Server Type : VPS at MyHosting.com
    OS : Debian 5
    Server API : no idea ... what is that used for?
    Multisite: Yes (2 domains, and some subdomain)

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    You would find all of your System Information on the BPS System Info page in BPS. Your Host is Strato and I think they have a strict policy on .htaccess files having 644 permissions. Please check with them and post back here thanks.

  8. plasticgoat
    Member
    Posted 1 year ago #

    Ahhh! Ok :)

    Here are the right answers:

    Server Type: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2008-08-11) mod_ssl/2.2.9 OpenSSL/0.9.8g
    Operating System: Linux
    Server API: cgi-fcgi - Your Host Server is using CGI.
    Multisite: Multisite is Not enabled

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep all this system info looks fine and 404 permissions should be correct/allowed, but I am pretty sure that Strato does not allow 404 permissions for .htaccess files so check with them so that we can add them to this new list we are starting here >>> http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/

    If there are enough Hosts that are doing this then we will add additional coding to BPS that will not CHMOD 404 based on checking which Host you have. There are 6 that I know of so far out of 100s.

    Thanks.

  10. plasticgoat
    Member
    Posted 1 year ago #

    I have asked MyHosting support about permission restrictions on .htaccess, and here is their response:

    Thank you for contacting us back.
    We would like to inform you that we do not place any restriction with respect to .htaccess file, you have root privileges to your server hence you can edit permissions accordingly.
    Please check your .htaccess settings accordingly so that the website resolves properly.

    But regarding my configuration if I set permissions to 404, my blog is not working ... this is probably due to my Virtualmin/Webmin configuration.

  11. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Hmm, OK, if your host is not explicitly doing this then yeah Virtualmin/Webmin would be the next logical place to check. So give those folks a holler. I have never heard of this app before so I have no idea if it could do this or not. ;)
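
Added example, not part of any post in this thread and not BPS code: under standard Unix permission rules the only read-relevant difference between 0404 and 0644 is the group read bit, and only the first matching class (owner, then group, then other) is consulted. The sketch below evaluates that rule for the `-r-----r--` listing quoted earlier; the uid/gid numbers are constructed, and the idea that the web server user belongs to the file's group on the affected servers is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example. All uid/gid numbers are constructed sample values.

# sym_to_octal '-r-----r--' -> 404   (ls -l style string, rwx bits only)
sym_to_octal() {
    s=${1#?}                       # drop the file-type character
    out=
    for i in 1 2 3; do
        rest=${s#???}
        trio=${s%"$rest"}          # first three characters of what is left
        d=0
        case $trio in r??) d=$((d + 4)) ;; esac
        case $trio in ?w?) d=$((d + 2)) ;; esac
        case $trio in ??x) d=$((d + 1)) ;; esac
        out=$out$d
        s=$rest
    done
    echo "$out"
}

# class_for FILE_UID FILE_GID PROC_UID [PROC_GID...] -> owner | group | other
# Only the first matching class is used; later classes are never consulted.
class_for() {
    f_uid=$1; f_gid=$2; p_uid=$3
    shift 3
    if [ "$p_uid" = "$f_uid" ]; then echo owner; return 0; fi
    for g in "$@"; do
        if [ "$g" = "$f_gid" ]; then echo group; return 0; fi
    done
    echo other
}

# can_read MODE FILE_UID FILE_GID PROC_UID [PROC_GID...] -> yes | no
# MODE is octal (404 or 0404). The root bypass is deliberately ignored.
can_read() {
    bits=$(printf '%03o' "0$1")
    shift
    case $(class_for "$@") in
        owner) d=${bits%??} ;;
        group) d=${bits#?}; d=${d%?} ;;
        *)     d=${bits#??} ;;
    esac
    if [ $((d & 4)) -ne 0 ]; then echo yes; else echo no; fi
}

# Constructed scenario: .htaccess owned by uid 1001 / gid 1001, server uid 33.
for mode in "$(sym_to_octal -r-----r--)" 644; do
    echo "mode $mode: server in file's group -> $(can_read "$mode" 1001 1001 33 33 1001)," \
         "server not in group -> $(can_read "$mode" 1001 1001 33 33)"
done
```

On a real server, compare the owner and group of `.htaccess` with the output of `id` for the account the web server runs as to see which class applies.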

  12. angslycke
    Member
    Posted 1 year ago #

    Hi!

    Also got the exact same 403 error for my entire site after upgrading to BPS latest version today. Same fix, changing the .htaccess to 644 from 404. Here is my server info:

    Server Type: Apache
    Operating System: Linux
    Server API: cgi-fcgi - Your Host Server is using CGI.
    Multisite: Multisite is Not enabled

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    @angslycke - I am adding new coding to BPS (will be added in .47.5) to check by Name Server to not automatically CHMOD to 404 (lock the root .htaccess file) on BPS upgrades. What is the Name Server you have when you look at the BPS System Info page? Thanks.

    DNS Name Server: xxx.yourNameServer.com

  14. angslycke
    Member
    Posted 1 year ago #

    @AITpro - thanks for getting back to me. Unfortunately I'm not using BPS any longer, moved to Wordfence. Good luck in your continued development of the plugin!

  15. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep Wordfence is a good scanning plugin, but you should also still have website security measures in place such as .htaccess files, php.ini files, etc. Don't rely on a scanner alone because scanners will ONLY detect the malicious files and not detect the hidden backdoor files >>> http://wordpress.org/support/topic/plugin-bulletproof-security-redirected-to-browser-homepage?replies=10#post-3186931

    So create your own .htaccess files and other security measures if you are not going to use BPS. ;)

  16. angslycke
    Member
    Posted 1 year ago #

    @AITpro: thanks for the heads up about that. Guess I'll have to check out BPS once again. ;)

  17. plasticgoat
    Member
    Posted 1 year ago #

    Hi,

    I confirm that I don't have the problem anymore with latest BPS version :)

    Thx for the fix.

  18. huubnl
    Member
    Posted 1 year ago #

    Just did an update to .47.5 and I had the same problem. I got a 403. I changed the CHMOD from 404 to 644 and I could access the site again.
    I thought you would fix the problem, what could be a solution for this?

    I have:
    Server Type: Apache
    Operating System: Linux
    Server API: cgi-fcgi - Your Host Server is using CGI.
    Zend Engine Version: 2.3.0

    In general should the .htaccess file be CHMOD 664?

  19. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    We need to know this information about your Server/Host: DNS Name Server: xxx.YourNameServer.com in order to add your DNS Name Server to the new coding check that will NOT automatically lock your root .htaccess file on BPS upgrades. Please go to the sticky post below and post your DNS Name Server in that sticky post. Thank you.

    http://wordpress.org/support/topic/plugin-bulletproof-security-403-error-after-upgrade-htaccess-file-permission-issue?replies=1

  20. huubnl
    Member
    Posted 1 year ago #

    Hi AITpro,

    In the system Information the field "DNS Name Server:" is not filled in.
    Server / Website IP Address, Host by Address and Public IP / Your Computer IP Address have an IP address. Do you need these instead?
    Can I send you those in a private mail?

  21. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    The coding check is only done by DNS Name Server and does not look at IP Addresses or any other information about your Server/Host/Website to perform the .htaccess file auto-lock check so if your DNS Name Server name is not being populated for some reason (blocked, hidden, http://stackoverflow.com/questions/5404811/php-get-domain-name , etc) then there is nothing that we can add to the check for your particular website. The DNS Record check is done by processing $_SERVER['SERVER_NAME'] and extracting DNS Records using dns_get_record so the DNS check would also not work by using your IP Address since it is not working by processing your domain name - they are the same thing.

  22. Ian Dunn
    Member
    Posted 1 year ago #

    One of my sites just had this issue. The permissions on .htaccess were set to 404 and the entire site went down without notice. It's a standard Media Temple VPS.

    Server Type: Apache
    Operating System: Linux
    Server API: cgi-fcgi - Your Host Server is using CGI.
    Network/Multisite: Multisite: Multisite is Not enabled

    I can't send in the DNS name because the client has strict security/privacy policies for this site, but I can't continue using the plugin if it's going to regularly crash the site.

    Can you please add a filter around the code that does the chmod? e.g.,

    $chmod404 = apply_filters( 'bps_chmod_404', true );
    if ( $chmod404 && ( substr($sapi_type, 0, 3) == 'cgi' || substr($sapi_type, 0, 9) == 'litespeed' || substr($sapi_type, 0, 7) == 'caudium' || substr($sapi_type, 0, 8) == 'webjames' || substr($sapi_type, 0, 3) == 'tux' || substr($sapi_type, 0, 5) == 'roxen' || substr($sapi_type, 0, 6) == 'thttpd' || substr($sapi_type, 0, 6) == 'phttpd' || substr($sapi_type, 0, 10) == 'continuity' || substr($sapi_type, 0, 6) == 'pi3web' || substr($sapi_type, 0, 6) == 'milter') ) {
    	chmod($filename, 0404);
    }

    That way I can write a small functionality plugin to disable the chmod.

    Otherwise, I'll have to switch to a different plugin, but I'd prefer to continue using BPS.

  23. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Well if it is a Private Name Server then we would not add that anyway as that would become a monster of a task that we obviously do not want to attempt to do. The general idea behind this was to get DNS Name Servers for known Hosts that do not allow 404 file permissions. In general I think the ratio is 99.99% of all hosts do allow 404 permissions and then .01% do not.

    Hmm, interesting idea about adding a filter. I think an even better approach is to add a new DB Option setting within BPS - auto-lock or do not auto-lock .htaccess files. This would allow folks to control whether or not they want their root .htaccess file automatically locked or not during a BPS upgrade or for any other BPS form functions. The DB Option setting would be permanent so this would eliminate the possibility that the filter would not fire in time to stop the auto-lock during a BPS upgrade.

    Don't know why I didn't think of something as simple as this already. This new DB Option will be added in the BPS .47.6 upgrade so unfortunately you will have to deal with the 404 permission thing one last time. ;) Thanks.

  24. Ian Dunn
    Member
    Posted 1 year ago #

    That's awesome, thanks :)

    I can just disable the chmod directly in the code until then.

  25. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Your filter idea kicked my brain out of stupid gear. I was going down the stupid road and trying to get too fancy with something that is actually really simple to handle. I was also doing the exact same dumb thing (going too deep) with some other new Beta code and I completely scrapped that code and quickly came up with a simpler and much more effective solution. Funny how that stuff happens. ;) Thank you for getting me out of the stupid thinking zone and back to simplicity. ;) Funny how "keeping it simple" is usually the much better route to take. ;)

  26. Ian Dunn
    Member
    Posted 1 year ago #

    hehe, yeah, I think we all do that sometimes. I'm glad that the idea helped :)

  27. huubnl
    Member
    Posted 1 year ago #

    Hi, just did an update to 47.6, but still the same problem; after updating I had to change the CHMOD from 404 to 644 again.
    Didn't you fix this?

  28. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yes, I added AutoLock On and AutoLock Off buttons on the Edit/Upload/Download page so that folks who need the root .htaccess file not to be locked automatically on upgrade can turn this off permanently. So you just need to click the AutoLock Off button and this will save the option to your DB so that AutoLock is permanently turned Off.

  29. huubnl
    Member
    Posted 1 year ago #

    Great, thanks, I will try that!

Topic Closed

This topic has been closed to new replies.