Title: 403 Forbidden error when using EDD – software licensing plugin
Last modified: August 22, 2016

---

# 403 Forbidden error when using EDD – software licensing plugin

 *  Resolved [nuggetsol](https://wordpress.org/support/users/nuggetsol/)
 * (@nuggetsol)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/)
 *     ```
       [403 GET / HEAD Request: November 19, 2014 3:06 pm]
       Event Code: BFHS – Blocked/Forbidden Hacker or Spammer
       Solution: N/A – Hacker/Spammer Blocked/Forbidden
       REMOTE_ADDR: 38.100.7.2
       Host Name: 38.100.7.2
       SERVER_PROTOCOL: HTTP/1.1
       HTTP_CLIENT_IP:
       HTTP_FORWARDED:
       HTTP_X_FORWARDED_FOR:
       HTTP_X_CLUSTER_CLIENT_IP:
       REQUEST_METHOD: GET
       HTTP_REFERER: https://<site-name>/my-account?action=manage_licenses….
       REQUEST_URI: /my-account?action=manage_licenses&edd_action=deactivate_site&site_url=<another-site-url>
       QUERY_STRING:
       HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
       ```
 * I want to allow the above action. What changes do I need to do to allow the above
   action?
 * [https://wordpress.org/plugins/bulletproof-security/](https://wordpress.org/plugins/bulletproof-security/)

Viewing 15 replies - 1 through 15 (of 29 total)


 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499097)
 * What is /my-account/? Is it a physical folder? If so, is the physical folder 
   outside of your WordPress installation folder? Or is /my-account/ a WordPress
   Page or Post?
 *  Thread Starter [nuggetsol](https://wordpress.org/support/users/nuggetsol/)
 * (@nuggetsol)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499100)
 * /my-account is just a Page in WordPress. It embeds a short code from EDD
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499102)
 * Yep disregard. I looked at the Easy Digital Downloads new Software Licensing
   API and see how it is supposed to work and what was intended by this above:
   <another-site-url>. This is literally a URL to another website domain name.
 * The URL simulates an RFI hacking attempt so you will need to use this modified
   BPS Query String Exploits code below and add it to BPS Custom Code. Be sure to
   do ALL 3 Custom Code steps below.
 * 1. Copy the modified BPS Query String Exploits below to this BPS Root Custom 
   Code text box: **CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS**
 *     ```
       # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
       # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
       # Good sites such as W3C use it for their W3C-LinkChecker.
       # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
       # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
       RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
       RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)HTTP(:/|/) [NC,OR]
       RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
       RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
       RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
       RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
       RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
       RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
       #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
       #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
       #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
       RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
       RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
       RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
       #RewriteCond %{QUERY_STRING} http\: [NC,OR]
       #RewriteCond %{QUERY_STRING} https\: [NC,OR]
       RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
       RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
       RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
       RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
       RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
       RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
       RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
       RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
       RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
       RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
       RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
       RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
       RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
       RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
       RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
       RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
       RewriteRule ^(.*)$ - [F]
       # END BPSQSE BPS QUERY STRING EXPLOITS
       ```
   
 * 2. Click the Save Root Custom Code button.
 * 3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic
   button and activate Root folder BulletProof Mode.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499106)
 * Using this modified BPS Query String code above is safe to do since these are
   general/secondary RFI security filters. The Primary security filter for RFI attacks
   is the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE security filter in 
   your root htaccess file.
 *  Thread Starter [nuggetsol](https://wordpress.org/support/users/nuggetsol/)
 * (@nuggetsol)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499111)
 * Thanks for the code snippet.
 * I tried it, but it didn’t work 🙁
 * To be doubly sure, I checked the .htaccess file and it does have the above code.
 * Your analysis is correct. Essentially, the user is trying to deactivate the license
   on “another site” from his account.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499115)
 * Hmm worked fine on my testing site, but I did not install EDD and just tested
   the URL structure itself so there could be something additional going on with
   EDD. Or of course this URL structure could be blocked by something else on your
   server. Let’s start troubleshooting by eliminating/confirming that BPS is blocking
   this.
 * 1. Click the Create default.htaccess File AutoMagic button and activate Default
   Mode. Test the URLs. Are the URLs still being blocked? If so, do step 2. If
   not, stop here.
 * 2. Delete the wp-admin htaccess file.
 *  Thread Starter [nuggetsol](https://wordpress.org/support/users/nuggetsol/)
 * (@nuggetsol)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499116)
 * I stopped at step 1; after going back to the default .htaccess, I was able to
   deactivate (in other words, I’m not getting the 403 error)
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499117)
 * Ok so something in the root htaccess file is blocking the Software Licensing 
   API. Since the Addon is a premium feature then I cannot test it and will have
   to take some logical guesses.
 * The most logical thing to do first would be to create a skip/bypass rule for 
   the EDD plugin.
 * 1. Copy this skip/bypass rule below to this Root Custom Code text box: **CUSTOM
   CODE PLUGIN/THEME SKIP/BYPASS RULES**
 * NOTE: this skip/bypass rule is in addition to the modified BPS Query String
   Custom Code. You will probably need both of these whitelisting methods.
 *     ```
       # EDD plugin skip/bypass rule
       RewriteCond %{REQUEST_URI} ^/wp-content/plugins/easy-digital-downloads/ [NC]
       RewriteRule . - [S=13]
       ```
   
 * 2. Click the Save Root Custom Code button.
 * 3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic
   button and activate Root folder BulletProof Mode.
 *  Thread Starter [nuggetsol](https://wordpress.org/support/users/nuggetsol/)
 * (@nuggetsol)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499119)
 * I added that, and still that didn’t help.
 * Just so that I include the premium feature (edd-software-licensing) to that bypass
   rule, I added the following
 *     ```
       # EDD software licensing plugin skip/bypass rule
       RewriteCond %{REQUEST_URI} ^/wp-content/plugins/edd-software-licensing/ [NC]
       RewriteRule . - [S=14]
       # EDD plugin skip/bypass rule
       RewriteCond %{REQUEST_URI} ^/wp-content/plugins/easy-digital-downloads/ [NC]
       RewriteRule . - [S=13]
       ```
 * Even the above didn’t help. 🙁
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499120)
 * Hmm ok. Repost these 2 lines below in the Security Log entry, but do not add
   any additional coding characters. You can use x’s to hide the domain name, but
   do not alter the actual structure of the URL.
 * HTTP_REFERER:
 * REQUEST_URI:
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499123)
 * And also check for any new different Security Log entries, i.e. you might see a
   new different log entry for whatever else is being blocked.
 *  Thread Starter [nuggetsol](https://wordpress.org/support/users/nuggetsol/)
 * (@nuggetsol)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499124)
 * HTTP_REFERER: [https://<mysite>/my-account?action=manage_licenses&payment_id=XXX&license_id=XXX](https://<mysite>/my-account?action=manage_licenses&payment_id=XXX&license_id=XXX)
 * REQUEST_URI: /my-account?action=manage_licenses&payment_id=XXX&license_id=XXX&edd_action=deactivate_site&site_url=<anothersite>&license=XXX
 * XXX – represents some number.
 *  Thread Starter [nuggetsol](https://wordpress.org/support/users/nuggetsol/)
 * (@nuggetsol)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499125)
 * >  HTTP_REFERER: [https://<mysite>/my-account?action=manage_licenses&payment_id=XXX&license_id=XXX](https://<mysite>/my-account?action=manage_licenses&payment_id=XXX&license_id=XXX)
   > REQUEST_URI: /my-account?action=manage_licenses&payment_id=XXX&license_id=XXX&edd_action=deactivate_site&site_url=<anothersite>&license=XXX
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499126)
 * I assume you are adding the angle bracket code characters < and > correct? Those
   coding characters are not actually in the URL structure are they?
 *  Thread Starter [nuggetsol](https://wordpress.org/support/users/nuggetsol/)
 * (@nuggetsol)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/#post-5499131)
 * That’s correct. Those are not part of the URL structure.
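
A way to check which QUERY_STRING conditions reject the EDD deactivation URL discussed in this thread, as an added example (not part of the original posts and not BulletProof Security's own code). It assumes the unmodified rule set is the posted block with its commented-out `RewriteCond` lines active, uses Python's `re` as an approximation of mod_rewrite's regex matching, and runs on constructed query strings with a placeholder `site_url`.

```python
import re

# Excerpt of the QUERY_STRING conditions from the modified block posted above.
MODIFIED = r"""
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
#RewriteCond %{QUERY_STRING} http\: [NC,OR]
#RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
"""

# Constructed query strings shaped like the REQUEST_URI in the Security Log entry.
BASE = "action=manage_licenses&payment_id=1&license_id=2&edd_action=deactivate_site"
QS_HTTP = BASE + "&site_url=http://other-site.example&license=3"
QS_HTTPS = BASE + "&site_url=https://other-site.example&license=3"

COND = re.compile(r"^RewriteCond\s+%\{QUERY_STRING\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")

def active_conditions(htaccess, uncomment=False):
    """Return (pattern, compiled regex) for each active QUERY_STRING RewriteCond."""
    found = []
    for line in htaccess.splitlines():
        line = line.strip()
        if uncomment and line.startswith("#RewriteCond"):
            line = line[1:]  # assumption: stock rule = commented line re-enabled
        m = COND.match(line)
        if not m:
            continue  # blank line, comment, or a non-QUERY_STRING directive
        flags = (m.group(2) or "").upper().split(",")
        found.append((m.group(1), re.compile(m.group(1), re.I if "NC" in flags else 0)))
    return found

def blocking_patterns(query_string, htaccess, uncomment=False):
    """List the patterns that match, in file order. mod_rewrite tests the raw
    (not URL-decoded) query string, unanchored, which re.search mirrors."""
    return [p for p, rx in active_conditions(htaccess, uncomment) if rx.search(query_string)]

if __name__ == "__main__":
    for name, qs in (("http", QS_HTTP), ("https", QS_HTTPS)):
        print(name, "unmodified:", blocking_patterns(qs, MODIFIED, uncomment=True))
        print(name, "modified:  ", blocking_patterns(qs, MODIFIED))
```

An empty result for the modified rules means none of these excerpted conditions explains a remaining 403, so the block has to come from a rule outside this excerpt.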


The topic ‘403 Forbidden error when using EDD – software licensing plugin’ is closed
to new replies.


 * 29 replies
 * 2 participants
 * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/)
 * Last activity: [11 years, 5 months ago](https://wordpress.org/support/topic/403-forbidden-error-when-using-edd-software-licensing-plugin/page/2/#post-5499295)
 * Status: resolved