BulletProof Security
[resolved] Can't log out, 403 forbidden (40 posts)

  1. jcervantes28
    Member
    Posted 1 year ago #

    Hello!

    Since the new BPS update, I can't log out of my site when BPS security mode is active.

    My WP is installed in a subfolder root/example/

    I tried to log out while in default mode and still get 403 code telling me to go back and try again.

    I delete .htaccess and poof, I log out np.

    With BPS active, it adds a nonceXXXXXX to the end of logout=true link.

    Not sure how all this connects, but I want BPS active. I tried going into the code to see what new things were added with the update, removed some buddypress logout code in there, deleted it, that didn't work.

    I also tried saving permalinks again after activating.

    The BPS .htaccess does have the correct rewrite rule for my subfolder /root/example.

    Please let me know your thoughts.

    thank you,
    Jose

    http://wordpress.org/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    To get the correct RewriteBase in your root .htaccess file click the AutoMagic buttons before activating Root folder BulletProof Mode. Let me know if doing this solves the issue.

  3. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also are you using any other Login protection or CAPTCHA plugins? If so, then they are probably competing with each other since they are calling the same WordPress hooks - actions/filters. Are you using any additional custom .htaccess code? If so, post that custom .htaccess code.

  4. martmiguel
    Member
    Posted 1 year ago #

    Same here, I can't log in or out unless I delete the .htaccess file, what can I do?

    I have used the buttons, it worked yesterday but today it is not working,

    Thanks

  5. jcervantes28
    Member
    Posted 1 year ago #

    AIT:

    I created the secure access through automagic and enabled it in root of install and in wp-admin, and I get the same issue.

    I do have other plugins: Wordfence security plugin which I believe also monitors logging attempts...but this was the case before and it was all working just fine?

    I also have a plugin that makes you input a pin in the beginning, but it's not a complicated plugin--that's all it does. And this was also there before so not sure what changed?

    One thing I feel could be an issue is just the fact that I have the blog installed on a subfolder. This just seems to complicate things.

    One big question I have is:

    if I have the install in root/example, then what should the rewrite base be on the root folder? Should it be:

    RewriteBase /example

    or

    RewriteBase /

    And similar question for the htaccess in the example folder (which BPS creates). Should the rewrite be:

    RewriteBase /blog/

    or

    RewriteBase /

    Should they be the same, or does the example folder have /blog and the root folder not?

    I feel this creates an issue.

    Thank you for your help,

    Jose

  6. jcervantes28
    Member
    Posted 1 year ago #

    I just turned off BPS login protection so that only Wordfence could stay active, did automagic buttons again for secure access, and same problem. Can't log out.

    The issue is not logging in for me, it is logging out. I get:

    403 Forbidden Error Page

    If you arrived here due to a search or clicking on a link click your Browser's back button to return to the previous page. Thank you.

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    If this is a WordPress subfolder/subdirectory site named example-root-site.com/example/:
    RewriteBase /example/
    /example-root-site.com/example

    If this is a subdomain site named example.examplesite.com:
    RewriteBase /
    subdomain folder: /example
    DNS A or CNAME record pointing to the example folder/WP installation

    I am not clear about all the other things you stated?

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    For your second Post/Question do this:

    FTP to your site and rename the /bulletproof-security plugin folder to /bulletproof-security-hold.

    log in and out of your site - does the same problem occur or not?

  9. martmiguel
    Member
    Posted 1 year ago #

    It didn't work, "page not found" when I tried to login... Also the plugin was deactivated and caused a fatal error to the site when I tried to activate it...

    It was working fine before the update...

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    We have over 10,000 confirmed successful upgrades to BPS .49.3 so it is not an issue with anything in BPS .49.3.

    Do the standard WordPress troubleshooting steps:

    deactivate all plugins. Activate only BPS and test.
    switch your Theme to the WordPress 2013 Theme and test.

  11. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also do the standard BPS setup steps again.

    Click the AutoMagic buttons and activate Root and wp-admin BulletProof Modes. Lock your root .htaccess file on the htaccess File Editor tab page to ensure these common problems are not occurring:
    Broken cPanel HotLink Protection tool problem.
    http://wordpress.org/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=9
    flush_rewrite_rules problem.
    http://forum.ait-pro.com/forums/topic/read-me-first-free/#flush-rewrite-rules

  12. martmiguel
    Member
    Posted 1 year ago #

    Thanks, will see what I can do...

  13. jcervantes28
    Member
    Posted 1 year ago #

    AIT,

    So if I have my site installed in examplerootsite.com/example

    then the htaccess rewrite rule for both the htaccess in examplerootsite.com/ and examplerootsite.com/example should be:

    RewriteBase /example/

    ?

  14. jcervantes28
    Member
    Posted 1 year ago #

    Well, this is what I did:

    I went into the brute login options in BPS and turned it OFF. Then I did automagic buttons again for secure htaccess and activated in root and wpadmin.

    I then opened the root htaccess file created and it still had the information about the brute login attempts, so I deleted that code.

    I also deleted the code about a redirect for BuddyPress plugin which I don't have installed anyway.

    I also deleted the "Head" from request before "trace"

    Then I saved it and changed permissions to 404 to keep it that way.

    And boom! I can log out now and BPS is activated along with the other plugins I mentioned.

    It had to do something with that code. My guess is the BuddyPress code which specifically has a redirect for logging out, which is what was happening.

    I hope that I am still protected well by taking those things out.

    Also, currently, both rewritebase rules (in root and in install subfolder) point to:

    RewriteBase /example/

  15. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    First question: Nope, because a root site will have a RewriteBase of just /.

    A subdirectory/subfolder site will have a RewriteBase of /whatever-that subfolder-name-is/

    The RewriteBase directive means do rewriting from this "base". What this directive is designed to do is to keep .htaccess rules compartmentalized to each site so that each site's .htaccess files do not interfere with each other.

    Let's say your Hosting account has this website setup as the primary website domain for your hosting account...

    WebsiteA is the primary domain for this hosting account.

    You then create additional websites/domains and put them in folders.
    /WebsiteB.com
    /WebsiteC.com

    These domains are considered aliased or add-on domains. They would also be considered as root website installations and would have a RewriteBase of /.

    Now if you install a WordPress site in a subfolder and there is NOT a separate website/domain involved then this is a WordPress subdirectory/subfolder installation.

    /subfolderA
    /subfolderB

    These subfolder sites would have a RewriteBase of...

    RewriteBase /subfolderA/

    RewriteBase /subfolderB/

    BPS already creates the correct RewriteBase when you click the AutoMagic buttons so you really do not need to know this, but this is the basic hosting account structure.

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Second Post/Question: please isolate the exact code that is causing the problem so that we can make a determination on what needs to happen next. Thanks.

  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Actually I believe this is what worked.

    Then I saved it and changed permissions to 404 to keep it that way.

    The broken cPanel HotLink Protection Tool problem surfaces over and over on each BPS version release. The broken cPanel HotLink Protection tool problem also breaks WordPress in general. This problem has been going on for well over 10 years now. ;)

  18. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    To prevent this problem from occurring over and over we created this additional option - Turn AutoLock On.

  19. lzevon
    Member
    Posted 1 year ago #

    Same issue as all the others (403) will try the AutoLock On. Seems like the upgrade should be more seamless than this, but such a great plugin I can't complain (too much ;).

  20. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yeah, we tried to figure out a way to hook into cPanel, but it is outside the capabilities of client to server interaction/relationship. Basically any check from a client site happens too late to prevent a server-side condition/tool/etc. ;)

  21. lzevon
    Member
    Posted 1 year ago #

    I tried the autolock - nothing. I deleted the plugin and now I get a 404 error when trying to load /wp-admin/ in Firefox or Safari. In Chrome, where I still had the admin open I reinstalled WordPress. I still have the 404 error. What happened exactly?

    Am I going to be able to use this plugin anymore? It seems I can't use AutoLock On and I need to keep plugin updates going (including BPS).

    Please advise

  22. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Delete your root .htaccess file and wp-admin .htaccess file. Go to WordPress Settings >>> Permalinks and resave your permalinks. There is another issue that appears to be occurring on Hosts with mod_security installed - the new Brute Force Login protection code could be the cause of your particular site's issue/problem.

    http://wordpress.org/support/topic/wp-is-dead-after-upgrade-bps-to-493?replies=8

  23. lzevon
    Member
    Posted 1 year ago #

    Got it - working again. Thanks. Will there be an easier (more foolproof... me being the fool) way to update this plugin so I can use it again? I liked it, but this is a difficult thing to manage in terms of updating and there might even be a restriction on my host which prevents me from using it seamlessly.

  24. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, we have designed BPS to work on the 1,000's of Hosts worldwide, but there are at least 3 known Hosts worldwide where BPS just will not work. I imagine there must be at least a few more. ;) .htaccess files are distributed configuration files (basically Server config files that have less juice/limited juice) and yes there will always be other factors in any environment to take into consideration. We have done our best to make BPS compatible right out of the box, but would never kid ourselves into believing we could make BPS work perfectly in every possible scenario right out of the box. Most folks just have to click and shoot and others are not so lucky. ;)

    If BPS does not work right out of the box for you then you can either bail or mess around with BPS. Up to you of course. ;)

  25. jcervantes28
    Member
    Posted 1 year ago #

    I would have normally been more specific as to what code I deleted, but because it is working and locked, I don't want to go in there again and do it. :( I guess I will though, you've been much help. I'll do it tonight.

    The autolock has always been on because after it creates the files and I enable them, the permissions are automatically set to 404, which I often have to change because I often have to go in there and change some things and then I relock it manually through ftp permissions.

  26. jcervantes28
    Member
    Posted 1 year ago #

    Regarding the rewrite base:

    Okay, that makes sense.

    My website structure is:

    example.com/exampleblog

    and example.com/exampleforum

    Within example.com I have an htaccess at the moment that has rewrite base:

    /exampleblog

    and in exampleblog htaccess folder I currently have:

    /exampleblog

    (which you correctly said that BPS does for you).

    Based on what you said, my htaccess in my example.com root should be

    /

    I will change it. My question is, then why does it still work with my current configuration?

    Also, when I update permalinks in my WordPress install (which is in /exampleblog) what htaccess does it modify? The one in example.com/exampleblog or in example.com/?

    This will clear a lot for me...

    Thank you
    Jose

  27. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    WordPress does internal rewriting for permalinks and also creates an .htaccess file to create the correct "base" for the site and creates some basic/standard mod_rewrite code/rules to ensure that everything works correctly. So to answer your question about permalinks specifically what happens when you save your custom permalinks is these are DB options that are stored in your database and WordPress uses these DB options to rewrite your URL's based on the custom permalink options/tags that you have saved. Nothing changes regarding the .htaccess code when you change your custom permalinks - this rewriting is done internally by WordPress using PHP code.

    Not really sure about your first question so I'm going to go with - "if it ain't broken then don't fix it" ha ha ha. ;)

  28. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    And just to put you at ease - as long as you click the BPS AutoMagic buttons before activating BulletProof Modes you are guaranteed to have the correct .htaccess code created for each of your websites.

  29. jcervantes28
    Member
    Posted 1 year ago #

    Thanks for some extra info regarding the process.

    I take it back, it appears you were right. My root .htaccess has a rewrite base of:

    /

    and my WP install subfolder has a rewrite base of:

    /exampleblog

    It is good to know that BPS will use the right rewrite base.

    Also, everything is currently working with an edited .htaccess. I will enter the code I deleted next as I promised.

  30. jcervantes28
    Member
    Posted 1 year ago #

    Okay, so even though things were working just fine, I went ahead and FTP'ed in there and downloaded the edited htaccess I had, which was working, and went to WP and did the automagic buttons again for secure htaccess file. Then I activated both /exampleblog root folder and wp-admin folder.

    As expected, upon logging out I got the 403 error.

    Then I removed:

    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^(|-?)$ [NC,OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]

    and "Head" from:

    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]

    And removed this:

    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]

    Once I removed those items again, I changed permissions back to writeable in FTP, uploaded the edited htaccess again, refreshed WP and logged out--no problem.

    I don't think "Head" has anything to do with it.

    It is one of the other two things, and I don't think it is conflict with other plugins because this was working well with other plugins before the update.

    And since this began to happen, I went into BPS>login security>Turn off/on>turn off login security (which I thought would remove that login related code that gets generated in the htaccess, but it didn't).

    Which is why I went in there and took that code off manually and that's how I got the logout to function again.

    PS--after you analyze the information I've provided, can you also let me know if my site is safe in spite of the code I've removed?

    Thank you,
    Jose
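
How the BRUTE FORCE LOGIN PAGE PROTECTION block quoted in the post above decides, as an added example that is not part of the thread or of BPS: the Python below re-implements mod_rewrite's RewriteCond chaining (conditions are ANDed, runs joined by [OR] are ORed) and applies the quoted conditions to sample requests. The requests are constructed; a logout request arriving as HTTP/1.0 is an assumption used to show a case the rule forbids, and the thread does not confirm that this is what happened on the poster's site.

```python
import re

# Conditions copied from the BRUTE FORCE LOGIN PAGE PROTECTION block quoted in the thread:
# (server variable, pattern, flags). The rule's action is "- [F,L]" (403 Forbidden).
CONDS = [
    ("REQUEST_URI", r"^(/wp-login\.php|.*wp-login\.php.*)$", ""),
    ("HTTP_USER_AGENT", r"^(|-?)$", "NC,OR"),
    ("THE_REQUEST", r"HTTP/1\.0$", "OR"),
    ("SERVER_PROTOCOL", r"HTTP/1\.0$", ""),
]

def server_vars(method, path, query, protocol, user_agent):
    """Build the variables the conditions test; REQUEST_URI excludes the query string."""
    target = path + ("?" + query if query else "")
    return {
        "REQUEST_URI": path,
        "HTTP_USER_AGENT": user_agent,
        "THE_REQUEST": f"{method} {target} {protocol}",
        "SERVER_PROTOCOL": protocol,
    }

def rule_forbids(env, conds=CONDS):
    """Apply mod_rewrite chaining: conditions are ANDed, runs joined by [OR] are ORed."""
    skipping = False  # True while passing over the rest of an already satisfied OR run
    for var, pattern, flags in conds:
        flagset = set(flags.split(",")) if flags else set()
        has_or = "OR" in flagset
        if skipping:
            skipping = has_or  # the run ends at the first condition without [OR]
            continue
        matched = re.search(pattern, env[var], re.I if "NC" in flagset else 0)
        if matched and has_or:
            skipping = True
        elif not matched and not has_or:
            return False
    return True

# Constructed sample requests (paths, nonce and user agents are placeholders).
LOGOUT = ("GET", "/exampleblog/wp-login.php", "action=logout&_wpnonce=PLACEHOLDER")
SAMPLES = {
    "logout, HTTP/1.1, browser UA": server_vars(*LOGOUT, "HTTP/1.1", "Mozilla/5.0"),
    "logout, HTTP/1.0, browser UA": server_vars(*LOGOUT, "HTTP/1.0", "Mozilla/5.0"),
    "logout, HTTP/1.1, blank UA": server_vars(*LOGOUT, "HTTP/1.1", ""),
    "admin page, HTTP/1.0": server_vars("GET", "/exampleblog/wp-admin/", "", "HTTP/1.0", "Mozilla/5.0"),
}

if __name__ == "__main__":
    for label, env in SAMPLES.items():
        print(f"{label:32} -> {'403 Forbidden' if rule_forbids(env) else 'passes this rule'}")
```

WordPress serves logout from wp-login.php, so this rule treats a logout request exactly like a login attempt. The protocol and User-Agent fields of the failing request in the Apache access log show whether this rule is the one returning the 403.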

Topic Closed

This topic has been closed to new replies.
