Support » Plugin: iThemes Security » Disqus Auto Syncing Fail

  • Resolved swamparoo

    (@swamparoo)


    I’m posting this issue in the iThemes Security support because the problem is caused by iThemes. Reading through the Disqus troubleshooting information, it lists iThemes Security as one of two plugins that can cause conflicts. It seems that the auto syncing feature of the Disqus plugin uses the REST API. The troubleshooting article also mentions the use of XML-RPC.

    I’ve disabled the iThemes Security features that block XML-RPC as well as those associated with the REST API. Under Request Method, I unchecked “Filter Request Methods” as that deals with the REST API. Under WordPress Tweaks I’ve done the following:

    – Unchecked the EditURI Header as that’s potential REST API. Selected the option to Enable XML-RPC. Allowed Multiple Authentication Attempts per XML-RPC Request. Set REST API to Default Access.

    Even with all of this, auto syncing fails. Now, if I deactivate iThemes Security and then try to enable auto syncing, it works just fine. I really dislike having to enable all of the REST API and XML-RPC options. If I knew exactly what iThemes Security was blocking then I could possibly find a happy medium between allowing Disqus commenting and decent website security. I like Disqus as it easily creates a unified platform for comments and I don’t have to allow others to register for an account on my website.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Does the Disqus REST API endpoint work on your site?
    (http://YOURSITE.com/wp-json/disqus/v1/sync/webhook)

    If the endpoint works, try to disable the System Tweaks module (if enabled) in the iTSec plugin (disabled is the default).

    If that doesn’t help try and disable the Banned Users module in the iTSec plugin (Not recommended but just to see whether it makes any difference).

    To prevent any confusion, I’m not iThemes.

    • This reply was modified 3 years, 5 months ago by nlpro.
    Thread Starter swamparoo

    (@swamparoo)

    I used your suggestions to troubleshoot the problem. First, I disabled the System Tweaks. Still syncing would fail. Then I disabled Banned Users and that seemed to have worked. However, I thought it odd as there really isn’t much in that setting. So, I enabled the System Tweaks and it still synced. That told me it was within the Banned Users feature.

    Considering Banned Users only has blacklist and whitelist, I knew it wasn’t any of those. Only thing left was the Default Blacklist. I unchecked that box and it synced. So I have all of the System Tweaks and all of the WordPress Tweaks enabled with no issues. I’m guessing whatever IP (or IPs) that are used as part of Disqus’ system is on the HackRepair.com blacklist.

    Much thanks for your help. I’m glad I can keep everything else enabled. To me the HackRepair.com blacklist is nice but not ultimately necessary.

    I’m guessing whatever IP (or IPs) that are used as part of Disqus’ system is on the HackRepair.com blacklist.

    The Default Blacklist setting adds a bunch of RewriteCond entries to your site .htaccess file. If any of those conditions are met the HTTP request is rewritten (RewriteRule) to be forbidden (403). This happens on the web server layer, so the HTTP request never reaches the WordPress application layer.

    The conditions check for certain HTTP_USER_AGENT values that are known to be bad bots. However any request with an EMPTY user agent string is also blocked:

    RewriteCond %{HTTP_USER_AGENT} "^$" [NC,OR]

    So when Disqus auto sync is enabled, the Disqus server is probably sending requests to your site web server with no user agent value in the HTTP request header.
    It then receives a 403 forbidden status code and auto sync fails to enable.

    Thread Starter swamparoo

    (@swamparoo)

    That’s even better. Thanks. I enabled Banned Users and tried to sync. Failed (of course). I then searched through the .htaccess file for the line you specified. I commented it out. I then tried to sync with Disqus and it worked perfectly fine. I’d rather remove one part of a feature than the entire feature. I will be contacting Disqus about this. Even though I’m on the free account, which doesn’t come with support, I consider this reporting of a bug. To me, a service, especially one like Disqus, should properly format their communications. In this case, put a User Agent.
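An added example, not part of the original thread and not iThemes or Disqus code: a small Python diagnostic that reads the `RewriteCond %{HTTP_USER_AGENT}` lines from an `.htaccess` file and reports which ones a given User-Agent would satisfy, including the empty string discussed above. The excerpt and bot names are constructed (only the `"^$"` condition comes from the thread), and Python's `re` is assumed to be a close enough stand-in for Apache's PCRE for these simple patterns.

```python
import re

# Constructed .htaccess excerpt. Only the "^$" condition is quoted in the
# thread; the bot names are placeholders, not entries from the real list.
SAMPLE_HTACCESS = r'''
<IfModule mod_rewrite.c>
    RewriteEngine On
    # RewriteCond %{HTTP_USER_AGENT} "^CommentedOutBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ExampleBadBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^AnotherExampleBot" [NC]
    RewriteRule ^.* - [F]
</IfModule>
'''

# Active (uncommented) User-Agent conditions: optional "!" negation,
# quoted or bare pattern, optional [flags].
COND_RE = re.compile(
    r'\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(!?)'
    r'(?:"((?:[^"\\]|\\.)*)"|(\S+))(?:\s+\[([^\]]*)\])?',
    re.IGNORECASE,
)

def user_agent_conditions(htaccess_text):
    """Yield (line_no, pattern, negated, nocase) for each active condition."""
    for line_no, line in enumerate(htaccess_text.splitlines(), start=1):
        m = COND_RE.match(line)  # lines starting with "#" never match
        if not m:
            continue
        pattern = m.group(2) if m.group(2) is not None else m.group(3)
        negated = bool(m.group(1)) or pattern.startswith("!")
        flags = {f.strip().upper() for f in (m.group(4) or "").split(",")}
        yield line_no, pattern.lstrip("!"), negated, bool(flags & {"NC", "NOCASE"})

def blocking_conditions(htaccess_text, user_agent):
    """Return [(line_no, pattern)] for conditions this User-Agent satisfies."""
    hits = []
    for line_no, pattern, negated, nocase in user_agent_conditions(htaccess_text):
        matched = re.search(pattern, user_agent, re.I if nocase else 0) is not None
        if matched != negated:  # a negated condition is met when it does NOT match
            hits.append((line_no, pattern))
    return hits

if __name__ == "__main__":
    for ua in ("", "examplebadbot/1.0", "Mozilla/5.0 (X11; Linux x86_64)"):
        print(repr(ua), "->", blocking_conditions(SAMPLE_HTACCESS, ua))
```

Pointing `blocking_conditions` at the text of your own `.htaccess` shows which single condition a client trips, so one line can be reviewed instead of disabling the whole Default Blacklist.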
