• Resolved wpdesignuser

    (@wpdesignuser)


    Hi, in several sites, I get a 403 error when I try to edit widgets.

    This is the error log:

    ———————————————————-
    [403 GET Request: 23 julio, 2021 – 8:27 am]
    BPS: 5.0
    WP: 5.8
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: myip
    Host Name: r190-135-60-153.dialup.adsl.anteldata.net.uy
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://mysiteurl/wp-admin/widgets.php
    REQUEST_URI: /wp-admin/widgets.php?legacy-widget-preview%5BidBase%5D=text&legacy-widget-preview%5Binstance%5D%5Bencoded%5D=YTo0OntzOjU6InRpdGxlIjtzOjA6IiI7czo0OiJ0ZXh0IjtzOjEwMToiPGltZyBzdHlsZT0id2lkdGg6MTAwJTsiIHNyYz0iaHR0cHM6Ly9hZWIuY29tLmFyL3dwLWNvbnRlbnQvdXBsb2Fkcy8yMDIxLzA2L0xvZ28tZm9vdGVyLXdoaXRlLnBuZyIgLz4iO3M6NjoiZmlsdGVyIjtiOjE7czo2OiJ2aXN1YWwiO2I6MTt9&legacy-widget-preview%5Binstance%5D%5Bhash%5D=1fff5c9c6bfdf0f8c0250eaa2d043ef9&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle%5D=&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btext%5D=%3Cimg%20style%3D%22width%3A100%25%3B%22%20src%3D%22https%3A%2F%2Fmysiteurl%2Fwp-content%2Fuploads%2F2021%2F06%2FLogo-footer-white.png%22%20%2F%3E&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Bfilter%5D=true&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Bvisual%5D=true
    QUERY_STRING: legacy-widget-preview%5BidBase%5D=text&legacy-widget-preview%5Binstance%5D%5Bencoded%5D=YTo0OntzOjU6InRpdGxlIjtzOjA6IiI7czo0OiJ0ZXh0IjtzOjEwMToiPGltZyBzdHlsZT0id2lkdGg6MTAwJTsiIHNyYz0iaHR0cHM6Ly9hZWIuY29tLmFyL3dwLWNvbnRlbnQvdXBsb2Fkcy8yMDIxLzA2L0xvZ28tZm9vdGVyLXdoaXRlLnBuZyIgLz4iO3M6NjoiZmlsdGVyIjtiOjE7czo2OiJ2aXN1YWwiO2I6MTt9&legacy-widget-preview%5Binstance%5D%5Bhash%5D=1fff5c9c6bfdf0f8c0250eaa2d043ef9&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btitle%5D=&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btext%5D=%3Cimg%20style%3D%22width%3A100%25%3B%22%20src%3D%22https%3A%2F%2Fmysiteurl%2Fwp-content%2Fuploads%2F2021%2F06%2FLogo-footer-white.png%22%20%2F%3E&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Bfilter%5D=true&legacy-widget-preview%5Binstance%5D%5Braw%5D%5Bvisual%5D=true
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
    ———————————————————-

    Can you help me solve it?
    Thank you!

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Author AITpro

    (@aitpro)

    There are a few things in the Request Query String that are being blocked by the BPS wp-admin .htaccess file. Do the steps below to create a skip/bypass rule for the /wp-admin/widgets.php file. Note: If you are still seeing a 403 error after doing the steps below then something else like ModSecurity (installed in your web host control panel) is also blocking that Query String.

    1. Copy this widgets.php file skip/bypass rule code below into this BPS wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES.
    2. Click the Save wp-admin Custom Code button.
    3. Go to the BPS Setup Wizard page and click the Setup Wizard button.

    # Skip/bypass rule for the widgets.php file
    RewriteCond %{REQUEST_URI} (widgets\.php) [NC]
    RewriteRule . - [S=2]
    Thread Starter wpdesignuser

    (@wpdesignuser)

    Thanks for the prompt response!

    A query, is this a general error, or does it only affect me? I consult because it happens to me on sites on different servers.

    If it is a general issue that will be resolved in an update, I prefer to wait (the widgets I do not touch much).
    Thanks!

    Plugin Author AITpro

    (@aitpro)

    Well I’m not really sure what is causing/generating that Query String, which contains several dangerous code characters that should be blocked. Are you using the new Block Widgets or Classic Widgets? Which specific Widget are you using? Is it a standard WP Widget or is a Widget that is provided by a Plugin or Theme? Also post the exact string/code that you are adding in the Widget. Once I get this info from you I can test things.
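An added example, not part of the thread and not BPS code: one way to triage a 403 log entry like the one above is to decode each query-string parameter layer by layer and see which characters it actually carries. The sample request is constructed (example.com, shaped like the logged `legacy-widget-preview` request), and the flagged character set is an assumption for illustration, not the plugin's filter rules.

```python
import base64
import re
from urllib.parse import parse_qsl, quote

# Assumption: an illustrative character set, NOT the plugin's actual filter rules.
SUSPECT = re.compile(r"[<>\"']")

# Constructed sample (not the log from the thread): a widget preview request
# shaped like the logged one, carrying a Text widget that holds raw HTML.
HTML = '<img style="width:100%;" src="https://example.com/logo.png" />'
SERIALIZED = 'a:1:{s:4:"text";s:%d:"%s";}' % (len(HTML), HTML)
SAMPLE_QUERY = "&".join([
    "legacy-widget-preview%5BidBase%5D=text",
    "legacy-widget-preview%5Binstance%5D%5Bencoded%5D="
    + quote(base64.b64encode(SERIALIZED.encode()).decode(), safe=""),
    "legacy-widget-preview%5Binstance%5D%5Braw%5D%5Btext%5D=" + quote(HTML, safe=""),
])


def decode_layers(name, value):
    """Yield (layer, text) for a parameter: URL-decoded, then base64 if marked."""
    yield "url-decoded", value
    if name.endswith("[encoded]"):
        padded = value + "=" * (-len(value) % 4)  # tolerate missing padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return
        yield "base64-decoded", raw.decode("utf-8", "replace")


def triage_query(query):
    """Return (param, layer, flagged_chars, text) for every layer with a hit."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for layer, text in decode_layers(name, value):
            chars = sorted(set(SUSPECT.findall(text)))
            if chars:
                findings.append((name, layer, chars, text))
    return findings


if __name__ == "__main__":
    for name, layer, chars, text in triage_query(SAMPLE_QUERY):
        print(f"{name} ({layer}) flagged {chars}: {text}")
```

On the constructed request this reports the same HTML twice: once inside the base64-wrapped serialized instance and once in the raw `text` field, which is the pattern to look for when deciding whether a blocked widget request was the editor's own traffic.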

    Thread Starter wpdesignuser

    (@wpdesignuser)

    Hi, thank you for your answer.

    Let me know if this is enough for testing or something else is needed:

    Are you using the new Block Widgets or Classic Widgets?
    New Block Widgets. The new version of WP activated it by default in the sites that I manage

    Which specific Widget are you using?
    Text Widget

    Is it a standard WP Widget or is a Widget that is provided by a Plugin or Theme?
    Standard WP Widget

    Also post the exact string/code that you are adding in the Widget.
    img src="https://mysite/wp-content/uploads/2021/06/Logo-footer-white.png" /

    Between <>

    Thank you!

    Plugin Author AITpro

    (@aitpro)

    Hmm ok yeah I thought that might be the issue. I used the new Image Block Widget since you are adding an image and that worked fine without any errors or problems. Most likely the Text Widget or your manual HTML code is causing the issue. Try using the new Image Block Widget instead of the Text Widget to add your image file. Let me know what happens.

    Plugin Author AITpro

    (@aitpro)

    I also attempted to use the new Text > Code Block Widget, but I could not get it to work. I’m not very familiar with using Blocks and use the Classic Widgets Plugin and Classic Editor instead of using Gutenberg Blocks.

    Thread Starter wpdesignuser

    (@wpdesignuser)

    Thank you, I’m not very familiar with the new widget either, but it was activated by default.

    Perhaps the best thing is to go back to the previous one with the plugin that you mention.

    The image went well, but I also have problems with the Custom HTML Widget

    For example with this code:

    a href="https://mysite.com/terms-and-conditions/"><font style="font-size:16px; font-weight:bold; border:1px #000 solid; padding:5px;">VER TERMINOS Y CONDICIONES</font></a

    between <>

    Plugin Author AITpro

    (@aitpro)

    I tested the Custom HTML Block Widget and your HTML code worked fine for me without any issues or errors, but the formatting of the link is broken into 2 lines and looks terrible. Note: I did see an error message that said something about the “Property not being defined” on first save, but on the second save it saved fine. I know very little about Gutenberg. So if this is a procedural question then you would probably get a better answer somewhere else. Where that might be I have no idea.

    Plugin Author AITpro

    (@aitpro)

    With the old Classic Widgets there used to be a Links widget that you could just add any links in the Widget. I can’t find it under the new Blocks Widgets. Maybe try installing the Classic Widgets plugin > https://wordpress.org/plugins/classic-widgets/.

    Plugin Author AITpro

    (@aitpro)

    Hmm the old Links Widget is gone or maybe it was added by a plugin that I used to use. Yeah I think it was a plugin, but can’t remember the name of the plugin since it has been many years since I used it.

    Thread Starter wpdesignuser

    (@wpdesignuser)

    Thank you very much for the help! I think I’ll move on to the Classic Widget for now
    Greetings!

    If anyone wants to go back and use the “Classic Widgets”, just place this code in your theme's functions.php, better if you have a child theme (same in functions.php).

    Thanks @dphi, this worked for us:

    // Deactivate the new block-based widgets editor
    function phi_theme_support() {
        remove_theme_support( 'widgets-block-editor' );
    }
    add_action( 'after_setup_theme', 'phi_theme_support' );

    And thanks to @aitpro too: we faced the same problem before including that code in functions.php, where all widgets gave an error, and this solved it:

    1. Copy this widgets.php file skip/bypass rule code below into this BPS wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES.
    2. Click the Save wp-admin Custom Code button.
    3. Go to the BPS Setup Wizard page and click the Setup Wizard button.

    # Skip/bypass rule for the widgets.php file
    RewriteCond %{REQUEST_URI} (widgets\.php) [NC]
    RewriteRule . - [S=2]

    Thanks @aitpro and @ibiza69 for the detailed fix!

    To clarify for my client – is it accurate to say that this rule will make BPS Pro stop giving the error, but the actual problem is some type of conflict between the new widgets block editor and widgets that may not yet be compatible with it?

    Peace,
    Terri Z

    Plugin Author AITpro

    (@aitpro)

    It’s not a compatibility issue or a conflict. What it looks like to me is that the WP folks changed the way widget Form Requests are made (maybe just for legacy (old) widgets?). So technically this falls under a “coding procedural change” in newer versions of WP. I’m going to whitelist the widgets.php file in the BPS wp-admin htaccess file by default in the next BPS version release. This is completely safe to do and will prevent this type of issue from occurring.

    Thanks @aitpro!

  • The topic ‘403 Forbidden Error on widgets’ is closed to new replies.