iThemes Security (formerly Better WP Security)
[resolved] Suspicious Query Strings Bug (2 posts)

  1. MikeNGarrett
    Posted 1 year ago #

    I'm running iThemes Security Version 4.2.2 and WordPress 3.9.1 with nginx.

    I noticed some issues with scripts loading on edit pages in the WP admin. It seems that some of the security features I've enabled through the plugin are incompatible with something on the edit page. The only thing out of the ordinary is Yoast SEO's metabox.

    The following was returning a 403 when editing a post:

    I disabled the following lines in my nginx config:
    # location ^wp-includes/(.*).php { deny all; }
    # location ^/wp-admin/includes(.*)$ { deny all; }
    # if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
    # if ($args ~* "(request|select(?!ed)|insert|concat|union|declare)") { set $susquery 1; }
    # if ($args ~* "(%0|%A|%B|%C|%D|%E|%F)") { return 403; }

    This seems to have fixed the issue, but I'm not entirely sure what it may have been as none of these args or locations was in the request.


  2. iThemes Support
    Posted 1 year ago #


    Try updating your rules (resave your settings) as those rules were modified in an update a few weeks ago to address the issue.

Topic Closed

This topic has been closed to new replies.
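
Added example, not part of the original thread or the plugin's code: a Python check that runs the three `$args` patterns quoted in the first post over constructed query strings, to show which benign requests they flag. It assumes Python's `re` with `IGNORECASE` behaves like nginx's case-insensitive `~*` match for these patterns; the rule names and sample strings are made up for illustration.

```python
import re

# The three query-string patterns quoted in the post. nginx's "~*" is a
# case-insensitive, unanchored regex match against the raw (still
# percent-encoded) $args, so any substring hit counts.
# Rule names are hypothetical labels, not identifiers from the plugin.
RULES = {
    "keywords_1": r"(globals|encode|localhost|loopback)",
    "keywords_2": r"(request|select(?!ed)|insert|concat|union|declare)",
    "pct_bytes": r"(%0|%A|%B|%C|%D|%E|%F)",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in RULES.items()}


def matching_rules(args):
    """Return {rule_name: matched_text} for every rule that fires on args."""
    hits = {}
    for name, rx in COMPILED.items():
        m = rx.search(args)
        if m:
            hits[name] = m.group(0)
    return hits


# Constructed query strings (not taken from the thread).
SAMPLES = [
    "post=42&action=edit",          # plain ASCII, nothing fires
    "s=caf%C3%A9",                  # UTF-8 "é": %C trips pct_bytes
    "s=caf%c3%a9",                  # lowercase hex still matches under ~*
    "title=line1%0Aline2",          # encoded newline: %0 trips pct_bytes
    "redirect_to=%2Fwp-admin%2F",   # %2F is outside the listed prefixes
    "tab=selected",                 # spared by the (?!ed) lookahead
    "tab=selection",                # "select" substring still fires
    "load=urlencode",               # "encode" substring fires
    "q=reunion",                    # "union" substring fires
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} -> {matching_rules(sample) or 'no match'}")
```

In the quoted config only the third pattern returns 403 directly; the first two set `$susquery`, and the line that acts on that variable is not shown in the post.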