how to avoid admin-ajax.php call as forbidden (403)
I use a WP blog on a MultiSite installation with iThemes Security. I’m not allowed to deactivate iS or change settings.
I have an Error 403 Problem when the WP Plugin Zotpress calls
.../wp-admin/admin-ajax.php?action=zpRetrieveViaShortcode&instance_id=zp-InTextBib-zotpress-89c9…C&update=false&request_start=0&request_last=0&zpShortcode_nonce=be33c57b68
JS error message:
Failed to load resource: the server responded with a status of 403 (Forbidden)
See also the closed topic on the same problem and the Zotpress post about the problem.
With the help of Wolfi (thanks) I tried this on a WP test installation with iThemes Security, and when the iS “Filter Suspicious Query Strings in the URL” option was deactivated the error 403 did not happen.
Relevant part of the iS code in the .htaccess file:

# Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=jetpack-sso
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
RewriteRule ^.* - [F]
My question would be: how much safety is lost by deactivating these filters?
And would it be useful to manually add those that do not block the Zotpress request (have yet to find out)?
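To see which of the listed conditions actually fires on the Zotpress request, here is the rule set transcribed into Python. This is an added example, not code from the post or from iThemes Security; the instance_id value is a constructed placeholder, and the query string otherwise mirrors the blocked request from the question.

```python
import re

# The iThemes Security "Suspicious Query Strings" conditions, transcribed from
# the .htaccess snippet in the post. Apache's [NC] flag maps to re.IGNORECASE.
SUSPICIOUS = [
    r"\.\./",
    r"^.*\.(bash|git|hg|log|svn|swp|cvs)",
    r"etc/passwd",
    r"boot\.ini",
    r"ftp:",
    r"http:",
    r"https:",
    r"(<|%3C).*script.*(>|%3E)",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_encode.*\(.*\)",
    r"^.*(%24&x).*",
    r"^.*(127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|concat|insert|union|declare).*",
]
# Negated conditions (no [NC], so case-sensitive): any hit here cancels the block.
EXEMPT_QUERY = [r"^loggedout=true", r"^action=jetpack-sso", r"^action=rp"]
EXEMPT_COOKIE = r"^.*wordpress_logged_in_.*$"
EXEMPT_REFERER = r"^http://maps\.googleapis\.com(.*)$"

# Constructed sample: the Zotpress admin-ajax request from the post, with the
# instance_id replaced by a placeholder.
ZOTPRESS_QUERY = (
    "action=zpRetrieveViaShortcode&instance_id=zp-InTextBib-zotpress-PLACEHOLDER"
    "&update=false&request_start=0&request_last=0&zpShortcode_nonce=be33c57b68"
)


def matching_rules(query):
    """Return the suspicious patterns (in .htaccess order) that the query string triggers."""
    return [p for p in SUSPICIOUS if re.search(p, query, re.IGNORECASE)]


def is_blocked(query, cookie="", referer=""):
    """Emulate the RewriteRule: 403 only if a suspicious pattern matches AND no exemption applies."""
    if not matching_rules(query):
        return False
    if any(re.search(p, query) for p in EXEMPT_QUERY):
        return False
    if re.search(EXEMPT_COOKIE, cookie) or re.search(EXEMPT_REFERER, referer):
        return False
    return True


if __name__ == "__main__":
    print(matching_rules(ZOTPRESS_QUERY))   # the (request|concat|...) rule, via request_start
    print(is_blocked(ZOTPRESS_QUERY))       # True for an anonymous visitor
    print(is_blocked(ZOTPRESS_QUERY, cookie="wordpress_logged_in_x=1"))  # False
```

Only the `(request|concat|insert|union|declare)` condition fires, on the `request_start` and `request_last` parameters, and the `wordpress_logged_in_` cookie condition exempts logged-in visitors, so the 403 only affects anonymous requests.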
The topic ‘how to avoid admin-ajax.php call as forbidden (403)’ is closed to new replies.