Title: Argo Links 403 Error
Last modified: August 20, 2016

---

# Argo Links 403 Error

 *  Resolved [justmattb](https://wordpress.org/support/users/mwbarker/)
 * (@mwbarker)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/)
 * Trying out a new plugin, called Argo Links:
    [http://argoproject.org/argo-links.php](http://argoproject.org/argo-links.php)
 * Included with it is a bookmarklet that allows you to capture the URL from the
   website and add it to a list of links in your WordPress site. BulletProof Security
   is blocking the requests, resulting in a 403 on the pop-up. This is what the 
   bookmarklet looks like:
 * `javascript:var d=document,w=window,e=w.getSelection,k=d.getSelection,x=d.selection,
   s=(e?e():(k)?k():(x?x.createRange().text:0)),f='http://www.mysite.com/wp-content/
   plugins/argoproject-argo-links-ec58e2a/argo-this.php',l=d.location,e=encodeURIComponent,
   u=f+'?post_type=argolinks&u='+e(l.href)+'&t='+e(d.title)+'&s='+e(s)+'&v=4';a=
   function(){if(!w.open(u,'t','toolbar=0,resizable=1,scrollbars=1,status=1,width
   =720,height=570'))l.href=u;};if (/Firefox/.test(navigator.userAgent)) setTimeout(
   a, 0); else a();void(0)`
 * This is what the BPS error log shows:
 *     ```
       >>>>>>>>>>> 403 GET or Other Request Error Logged - March 20, 2013 - 3:36 am <<<<<<<<<<<
       REMOTE_ADDR: editedout
       Host Name: editedout
       HTTP_CLIENT_IP:
       HTTP_FORWARDED:
       HTTP_X_FORWARDED_FOR: editedout
       HTTP_X_CLUSTER_CLIENT_IP:
       REQUEST_METHOD: GET
       HTTP_REFERER: http://www.fromaway.com/features/how-to-start-a-food-blog
       REQUEST_URI: /wp-content/plugins/argoproject-argo-links-ec58e2a/argo-this.php?post_type=argolinks&u=http%3A%2F%2Fwww.fromaway.com%2Ffeatures%2Fhow-to-start-a-food-blog&t=How%20to%20Start%20a%20Food%20Blog&s=&v=4
       QUERY_STRING:
       HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
       ```
   
 * I have tried to update the .htaccess file with this line, but it does not help:
 *     ```
       # Argo Links
       RewriteCond %{REQUEST_URI} ^/wp-content/plugins/argoproject-argo-links-ec58e2a/ [NC]
       RewriteRule . - [S=13]
       ```
   
 * Any other way around this?
 * [http://wordpress.org/extend/plugins/bulletproof-security/](http://wordpress.org/extend/plugins/bulletproof-security/)

Viewing 15 replies - 1 through 15 (of 47 total)

1 [2](https://wordpress.org/support/topic/argo-links-403-error/page/2/?output_format=md)
[3](https://wordpress.org/support/topic/argo-links-403-error/page/3/?output_format=md)
[4](https://wordpress.org/support/topic/argo-links-403-error/page/4/?output_format=md)
[→](https://wordpress.org/support/topic/argo-links-403-error/page/2/?output_format=md)

 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579054)
 * Since this plugin is simulating an RFI hacking method you will need to whitelist
   the argo-this.php file in the TimThumb / MISC File skip/bypass security filter.
   Add the argo-this.php file name to this security filter as shown below in your
   Root .htaccess file using the BPS built-in htaccess file editor. I need to add
   this Note below for anyone else who sees this Forum Thread. 😉
 * **NOTE:** The ait-pro.com domain is shown below in this security filter because
   this code example was taken from the ait-pro.com website. You will see your domain
   instead in this security filter.
 *     ```
       # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
       # Only Allow Internal File Requests From Your Website
       # To Allow Additional Websites Access to a File Use [OR] as shown below.
       # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
       # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
       RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
       RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
       RewriteRule .* index.php [F,L]
       RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
       RewriteCond %{HTTP_REFERER} ^.*ait-pro.com.*
       RewriteRule . - [S=1]
       ```
   
 *  Thread Starter [justmattb](https://wordpress.org/support/users/mwbarker/)
 * (@mwbarker)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579068)
 * That didn’t seem to help. With or without that entry, I can click the bookmarklet
   when browsing my own site and it works fine. Even with that entry, when I am 
   browsing another site, clicking the bookmarklet (to capture the URL and title
   of page I am on), still brings up the 403 error.
 * I also tried this to see if it was a problem with the referrer, but this didn’t
   seem to fix it (when browsing from songsterr.com).
 *     ```
       # TimThumb Forbid RFI By Host Name But Allow Internal Requests
       RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
       RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
       RewriteRule .* index.php [F,L]
       RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
       RewriteCond %{HTTP_REFERER} ^.*mysite.com.* [OR]
       RewriteCond %{HTTP_REFERER} ^.*songsterr.com.*
       RewriteRule . - [S=1]
       ```
   
 * If that did fix it, it wouldn’t really help, since the bookmarklet is there to
   be used when browsing any URL I want to capture (which would then be the value
   of HTTP_REFERER:)
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579069)
 * I do not fully understand the issue/problem. I have a general understanding of
   what is occurring. It is a similar issue that had once occurred in the past with
   the WordPress Press This feature.
 * That issue/problem was resolved by adding a skip/bypass rule in the wp-admin .
   htaccess file and NOT the Root .htaccess file. I am assuming that this plugin
   is doing something similar and calling from the wp-admin folder to grab other
   websites content.
 * Edit your wp-admin .htaccess file and whitelist the argo-this.php file by doing
   this below and also try whitelisting admin-ajax.php.
 *     ```
       # Allow wp-admin files that are called by plugins
       # Fix for WP Press This
       RewriteCond %{REQUEST_URI} (argo-this\.php|press-this\.php|admin-ajax\.php) [NC]
       RewriteRule . - [S=1]
       ```
   
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579070)
 * I am grasping at straws obviously by having you try adding the argo-this.php 
   file to the wp-admin bypass since I do not really know what this plugin is trying
   to do. The error does show that this plugin is simulating an RFI hacking attempt
   against your website and the origin of the simulated hacking attempt is wp-content
   and not wp-admin. I will post the security filters that you can comment out to
   allow RFI hacking attempts against your website in a second.
 *  Thread Starter [justmattb](https://wordpress.org/support/users/mwbarker/)
 * (@mwbarker)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579071)
 * Thanks; tried the admin piece, but that doesn’t work. I imagine that is because
   it is not actually calling it from wp-admin, but from within the plugin folder
   itself.
 *  Thread Starter [justmattb](https://wordpress.org/support/users/mwbarker/)
 * (@mwbarker)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579074)
 * If you want to look at the code for the argo-this.php file, you can see it here:
 * [https://github.com/argoproject/argo-links/blob/master/argo-this.php](https://github.com/argoproject/argo-links/blob/master/argo-this.php)
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579076)
 * To allow RFI hacking attempts against your website comment out these are the 
   security filters in the Root .htaccess file that block RFI hacking attempts. 
   Try commenting out each of these individual security filters 1 by 1. It may be
   that more than 1 security filter will need to be commented out.
 *     ```
       RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
       RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
       RewriteCond %{QUERY_STRING} http\: [NC,OR]
       RewriteCond %{QUERY_STRING} https\: [NC,OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
       ```
   
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579078)
 * I will look at the code for this plugin when I have some spare time. Currently
   I do not have any spare time available. Thanks.
 *  Thread Starter [justmattb](https://wordpress.org/support/users/mwbarker/)
 * (@mwbarker)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579079)
 * Thanks for looking; I commented out all of those and still have the issue. I 
   even removed the whole **# BPSQSE BPS QUERY STRING EXPLOITS** section and still
   got the same 403 error from BPS.
 *  Thread Starter [justmattb](https://wordpress.org/support/users/mwbarker/)
 * (@mwbarker)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579080)
 * Hmmm… I know I tried this before, but got different results. Could have been 
   mistaken… Anyways, if I take out the argo-this\.php| from the REQUEST_URI section,
   I am NOT able to use the bookmarklet from within my own site. When I add it back
   in, I am. So I guess now my question would be, how would I block everything else
   already being blocked, but allow access to this specific REQUEST_URI from any
   URL? Is there a way to do that?
 * In other words, have a separate section for:
 *     ```
       RewriteCond %{REQUEST_URI} (argo-this\.php) [NC]
       RewriteCond %{HTTP_REFERER} ^.*.*.* (not sure how to allow all)
       RewriteRule . - [S=2]
       ```
   
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579081)
 * Ok then the issue probably has something to do with the wp-admin .htaccess file
   then or some other section of code in the Root .htaccess file. Take BPS completely
   out of the equation first and test. Then activate only the Root .htaccess file
   and vice versa and test to isolate which htaccess file is blocking this plugin.
 * Source: [http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting](http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting)
 * If you think that BulletProof Security is causing a plugin conflict or any other
   issue on your website that is causing something not to work, then please use 
   these steps below to take BulletProof Security out of the equation completely
   for testing. There is no need to deactivate BulletProof Security because it has
   a built-in Default Mode that allows you to put WordPress in a default state without
   deactivating BulletProof Security. If you find that BulletProof Security does
   have a conflict with another plugin then please check the BulletProof Security
   Plugin Compatibility Issues – Testing and Fixes Page to see if a fix (bypass/
   skip rule) is already listed. If your plugin is not listed and you have confirmed
   that BulletProof Security is definitely causing a conflict then please post a
   comment in this Forum.
 * 1. Make a backup of your .htaccess files using BulletProof Security built-in 
   Backup.
    2. Activate Default Mode on the Security Modes page. 3. Use the Delete
   wp-admin .htaccess feature on the Security Modes page. 4. Test your plugin or
   theme. 5. Restore your .htaccess files using BulletProof Security built-in Restore.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579082)
 * Allowing any site to exploit files is the same as removing the security filter
   entirely. So to isolate that this is the security filter that is blocking this
   plugin comment out the entire security filter.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579083)
 * CORRECTION: never mind what i said above that was dumb. What i assume is going
   to be solution is that you will need to whitelist a combination of things that
   are seen as threats/attacks against your website by this plugin.
 * In other words, if this plugin is violating several security filters/rules then
   exceptions/whitelisting will need to be done in several places.
 *  Thread Starter [justmattb](https://wordpress.org/support/users/mwbarker/)
 * (@mwbarker)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579087)
 * I disabled the wp-admin .htaccess file and that didn’t help, so I imagine there
   is something in the main .htaccess file that is preventing access. Without BPS
   enabled, it works, but I certainly don’t want to use that as mu solution! 😉
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/#post-3579088)
 * Ok I took a look at this plugins code at github. It has very similar functionality
   that Timthumb uses. Comment out all the security filters that prevent RFI attacks,
   but leave the bottom section of code uncommented as shown below. Also make sure
   you have whitelisted this plugins file – argo-this.php
 *     ```
       # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
       # Only Allow Internal File Requests From Your Website
       # To Allow Additional Websites Access to a File Use [OR] as shown below.
       # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
       # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
       #RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
       #RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
       #RewriteRule .* index.php [F,L]
       RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
       RewriteCond %{HTTP_REFERER} ^.*ait-pro.com.*
       RewriteRule . - [S=1]
       ```
   

Viewing 15 replies - 1 through 15 (of 47 total)

1 [2](https://wordpress.org/support/topic/argo-links-403-error/page/2/?output_format=md)
[3](https://wordpress.org/support/topic/argo-links-403-error/page/3/?output_format=md)
[4](https://wordpress.org/support/topic/argo-links-403-error/page/4/?output_format=md)
[→](https://wordpress.org/support/topic/argo-links-403-error/page/2/?output_format=md)

The topic ‘Argo Links 403 Error’ is closed to new replies.

 * ![](https://ps.w.org/bulletproof-security/assets/icon-128x128.png?rev=1731938)
 * [BulletProof Security](https://wordpress.org/plugins/bulletproof-security/)
 * [Support Threads](https://wordpress.org/support/plugin/bulletproof-security/)
 * [Active Topics](https://wordpress.org/support/plugin/bulletproof-security/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/bulletproof-security/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/bulletproof-security/reviews/)

 * 47 replies
 * 2 participants
 * Last reply from: [justmattb](https://wordpress.org/support/users/mwbarker/)
 * Last activity: [13 years, 1 month ago](https://wordpress.org/support/topic/argo-links-403-error/page/4/#post-3579129)
 * Status: resolved