Title: POST Request Attack Protection issues
Last modified: September 1, 2016

---

# POST Request Attack Protection issues

 *  Resolved [7thcircle](https://wordpress.org/support/users/7thcircle/)
 * (@7thcircle)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/post-request-attack-protection-issues/)
 * I have the code in my file, and it had been working until the last few days.
   Now I am getting a lot of POST requests generating a 404.
 *     ```
       # BPS POST Request Attack Protection
       # Add any additional lines of code to allow/whitelist files/POST Forms that you want to allow/whitelist on
       # your website. See the IMPORTANT Whitelisting steps for additional POST Forms on your website help section
       # above for how to add additional code/whitelist rules.
       <IfModule mod_rewrite.c>
       RewriteCond %{REQUEST_METHOD} POST [NC]
       # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
       RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
       # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
       RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
       # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
       RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
       # Whitelist the WordPress Theme Customizer
       RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php
       # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
       # RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
       # Whitelist Network|Multisite Signup POST Form Requests
       #RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
       # Whitelist Network|Multisite Activate POST Form Requests
       #RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
       # Whitelist Trackback POST Requests
       # RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
       # Whitelist Comments POST Form Requests
       RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
       # Whitelist Contact Form POST Requests
       RewriteCond %{REQUEST_URI} !^.*/hostgator/ [NC]
       # Whitelist Mailinglist POST Requests
       #RewriteCond %{REQUEST_URI} !^.*/subscribe/ [NC]
       # Whitelist PayPal IPN API Script POST Requests
       #RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
       # Whitelist MainWP Management Console
       RewriteCond %{HTTP_USER_AGENT} !MainWP [NC]
       RewriteRule ^(.*)$ - [F]
       </IfModule>
       ```
 * [https://wordpress.org/plugins/bulletproof-security/](https://wordpress.org/plugins/bulletproof-security/)

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/post-request-attack-protection-issues/#post-7556307)
 * Paste one of the POST 404 errors from your BPS Security Log so I can take a look
   at it. Most likely the POST 404 errors are just hacker/spammer probes looking
   for exploitable files on your website that do not actually exist on your website.
 *  Thread Starter [7thcircle](https://wordpress.org/support/users/7thcircle/)
 * (@7thcircle)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/post-request-attack-protection-issues/#post-7556320)
 * Yes, they are nonexistent files, but as I read the code (and correct me if I
   am misreading it) it is supposed to take ALL post requests and only allow the
   whitelisted ones.
 *     ```
       TIME: July 7th 2016, 07:03pm
       *404: https://www.example.com/cron.php
       SITE: https://www.example.com/
       THEME: Modularity
       REFERRER: undefined
       QUERY STRING:
       REMOTE ADDRESS: 202.150.209.178
       REMOTE IDENTITY: undefined
       REQUEST METHOD: POST
       SERVER PROTOCOL: HTTP/1.1
       USER AGENT: Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0
       ```
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/post-request-attack-protection-issues/#post-7556336)
 * Correct, the code uses an explicit whitelisting method, but this BPS htaccess
   code in the root htaccess file: ErrorDocument 404 /404.php will send 404 Requests
   to your 404.php template file. You could change that and have 404 errors be sent
   to the BPS 403.php template file. You would not really want to do that because
   legitimate 404 errors made by legitimate visitors would be logged as 403 errors
   instead of what they are, which is 404 errors.
 * So since a 404 error means that the URI used does not point to a valid file
   or URI then BPS just logs that. There is no point in blocking that 404 Request
   because an actual file or URI does not really exist so there is nothing to block.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/post-request-attack-protection-issues/#post-7556338)
 * So if a file or URI does exist and a hacker or spammer sends a POST Request to
   that URI then it will be handled as a 403 Request error, sent to the 403.php 
   logging template and blocked.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/post-request-attack-protection-issues/#post-7556401)
 * Additional explanation with examples:
 * The test file post-form.php has a POST Form and since it is not whitelisted then
   the POST Request is blocked when submitting the form back to itself. Note the
   Request Body form values: REQUEST BODY: foo=bar&Submit-test=Submit
 * The test file post-form.php has another POST Form that sends a POST Request to
   a non-existent file post-bogus.php. Note: There are no Request Body form values
   captured when submitting the form to post-bogus.php because a form does not actually
   exist in the post-bogus.php file. If a form did exist in the post-bogus.php file
   then it would be logged as a 403 error and blocked and the Request Body form values
   would be captured.
 *     ```
       [403 POST Request: July 10, 2016 - 10:45 am]
       Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
       Solution: N/A - Hacker/Spammer Blocked/Forbidden
       REMOTE_ADDR: 127.0.0.1
       Host Name: Z666P-HP
       SERVER_PROTOCOL: HTTP/1.1
       HTTP_CLIENT_IP:
       HTTP_FORWARDED:
       HTTP_X_FORWARDED_FOR:
       HTTP_X_CLUSTER_CLIENT_IP:
       REQUEST_METHOD: POST
       HTTP_REFERER: http://aitpro-blog.local/post-form.php
       REQUEST_URI: /post-form.php
       QUERY_STRING:
       HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
       REQUEST BODY: foo=bar&Submit-test=Submit
   
       [404 POST Not Found Request: July 10, 2016 - 10:49 am]
       Event Code: The server has not found anything matching the Request-URI.
       Solution: N/A - 404 Not Found
       REMOTE_ADDR: 127.0.0.1
       Host Name: Z666P-HP
       SERVER_PROTOCOL: HTTP/1.1
       HTTP_CLIENT_IP:
       HTTP_FORWARDED:
       HTTP_X_FORWARDED_FOR:
       HTTP_X_CLUSTER_CLIENT_IP:
       REQUEST_METHOD: POST
       HTTP_REFERER: http://aitpro-blog.local/post-form.php
       REQUEST_URI: /post-bogus.php
       QUERY_STRING:
       HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
       ```
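
A triage pass over log entries in the layout quoted above, as an added example that is not part of the original thread or of BPS: it separates POSTs logged as 403 from POSTs logged as 404 and lists sources that POSTed to several distinct missing URIs. The sample log is constructed, and the function names and `probe_threshold` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the entries quoted in the thread (documentation-range
# addresses). Function names and probe_threshold are this example's own, not part of BPS.
SAMPLE_LOG = """\
[403 POST Request: July 10, 2016 - 10:45 am]
REMOTE_ADDR: 192.0.2.10
REQUEST_METHOD: POST
REQUEST_URI: /post-form.php
REQUEST BODY: foo=bar&Submit-test=Submit

[404 POST Not Found Request: July 10, 2016 - 10:49 am]
REMOTE_ADDR: 198.51.100.7
REQUEST_METHOD: POST
REQUEST_URI: /post-bogus.php

[404 POST Not Found Request: July 10, 2016 - 10:50 am]
REMOTE_ADDR: 198.51.100.7
REQUEST_METHOD: POST
REQUEST_URI: /cron.php
"""

HEADER = re.compile(r"^\[(\d{3}) (.+?): (.+)\]$")   # [403 POST Request: <time>]
FIELD = re.compile(r"^([A-Za-z_ ]+):[ \t]*(.*)$")   # KEY: value (value may be empty)

def parse_entries(text):
    """Return one dict per bracketed header, holding its KEY: value lines."""
    entries, current = [], None
    for line in map(str.strip, text.splitlines()):
        head = HEADER.match(line)
        if head:
            current = {"status": int(head.group(1)), "time": head.group(3)}
            entries.append(current)
        elif current is not None and (field := FIELD.match(line)):
            current[field.group(1).strip()] = field.group(2).strip()
    return entries

def summarize_posts(entries, probe_threshold=2):
    """Split POST entries into 403 blocks and per-source 404 probe URIs."""
    blocked, probes = [], defaultdict(set)
    for e in (e for e in entries if e.get("REQUEST_METHOD") == "POST"):
        if e["status"] == 403:    # logged as blocked/forbidden
            blocked.append((e.get("REMOTE_ADDR"), e.get("REQUEST_URI")))
        elif e["status"] == 404:  # logged as not found
            probes[e.get("REMOTE_ADDR")].add(e.get("REQUEST_URI"))
    # Sources that POSTed to several distinct missing URIs look like scanners.
    repeat = {ip: sorted(u) for ip, u in probes.items() if len(u) >= probe_threshold}
    return blocked, repeat
```
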
   
 *  Thread Starter [7thcircle](https://wordpress.org/support/users/7thcircle/)
 * (@7thcircle)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/post-request-attack-protection-issues/#post-7556404)
 * Makes sense. Looks like I just needed to read the code a little better and see
   that. I just assumed it took all POST requests and filtered them.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/post-request-attack-protection-issues/#post-7556407)
 * Yeah it's confusing and I had to double check everything to make sure I was not
   posting bad info here. 😉 The primary concern with 404 errors was to NOT interfere
   with any 404 Requests because that could cause major headaches and folks to get
   pretty pissed off since it is important to know about “legit” 404 errors, i.e.
   a broken link or similar scenario (error checking basically).
