I receive 403 messages inconsistently with several plug-ins

I receive 403 messages inconsistently with several of your plug-ins with Jetpack security enabled or broken functionality.

Host: MDD Host with Litespeed on SSD
Theme: Headway on Multisite

Used your plug-ins in past no issue, good stuff.

Upgraded WP to current, and plug-ins, with no issue.
Ran backups with your solution, all good.

Ultimate Branding: in the login CSS option I was working away fine then began to receive 403's on save. Several changes had been made successfully then it just began. An hour later no problem.... until 10 or fifteen minutes later then again.

Member2: through dashboard, on install it showed successful but wasn't able to assign content to membership levels, was missing screens like Settings and Add-ons, not even in menu.

When creating membership, I could create but no secondary screens or assignments.

On assignments to memberships, 403.

Uninstalled Branding and Member2.

New site, few plugins used, disabled Jetpack.

Reinstalled Branding through dash and Member2, fixed and new menus and screens in Member2!?

Permissions/security?

I see the Jetpack white-list but concerned about functionality for future members, a little limiting too because I travel and on cable so random.

If it is Jetpack, as I assume, any code, whether function or htaccess, to resolve this so I can turn on Jetpack security? Any file permissions need changing?

Thanks,
Louis

  • Vaughan

    Hi Louis,

    I have never used jetpack security, but a 403 is a forbidden error. So I'd say it's definitely something to do with jetpack security or an issue on the server.

    The only info I can find on this is if xmlrpc is being blocked by the server somehow or by another security plugin.

    I have just installed jetpack on my site, but I haven't experienced any 403 errors.

    The following plugin might help with xmlrpc but if your server is blocking xmlrpc, then you will need to contact your webhost.

    https://wordpress.org/plugins/disable-xml-rpc-pingback/

    Hope this helps

  • Michael

    Hi Vaughan,

    I'll give it a try but I'm thinking it's not that, here's why. Soon after reporting this issue today, Jetpack wanted an update so I did. I had it activated but everything off. The update turned the security back on site wide and I didn't realize it. At that time I was trying to install CustomPress and like Membership2, I was missing menus after install.

    Puzzled I rechecked the network plugin level to find the Jetpack update had reinitialized the security setting as I mentioned before so I turned it off. Do note I've used your plugins on this host before with no issue.

    With Jetpack security off I deleted CustomPress, all through the Dashboard... so I tried again via FTP with CustomPress but with no improvement, basically it shows it's installed but my CustomPress menu only has Settings & Export/Import... this is how CoursePress behaved when it failed.

    https://www.mddhosting.com/premium.php is pretty decent and never had install issues with your or any plugins except a time out that I found a fix for a year ago.

    I run light as possible so no other security, strong strong password, custom salt, htaccess and good plug-ins. So unless it's a plug-in conflict, I think the 403 and my install issues are the same.

    This sure feels like something simple like permissions or security so I'm going to completely remove Jetpack and see what happens, if it works, re-install Jetpack and white list myself... but basically the plugins that use custom post types seem to sometimes fail but show to be successful though they are missing menus and the menu's pages.

    I'm guessing this is a write file permission issue since it installs but missing parts and in some saves, Branding, I get a 403 if anything at all!?

    Note, no other security plugins or cache... none at all actually. Other non-WPMU plug-ins are not having this issue such as Types which is similar to CustomPress.

    Plug-ins activated on network but not running cache and it is flushed:
    Chrome Admin Menu Fix, Google Analytics +, Jetpack, Login Redirect, Logout Redirect, Messaging, Multisite Enhancements, Remember Me Checked, Snapshot, Ultimate Branding, WP Super Cache, WPMU DEV Dashboard.

    Any other plugins are site level and running well. I do use https://wp-types.com/home/types-manage-post-types-taxonomy-and-custom-fields/ ... but not on the same sub-site as CustomPress.

    It's something at the save/file permission level that affects your plug-ins? I don't get it.

    If you can, see anything wrong here? My host set me up with a basic server password access for brute force attacks, see "# BEGIN CUSTOM - User in CPanel":

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ $1 [L]
    RewriteRule . index.php [L]

    # END WordPress

    # BEGIN CUSTOM - prevents lightspeed from killer slow processes
    RewriteRule .* - [E=noabort:1]

    ### SECURITY ###
    # BEGIN CUSTOM - Brute Force Protect wp-login
    # BEGIN CUSTOM - User in CPanel
    AuthUserFile /home/mypathXXX/.htpasswds/passwd
    AuthType Basic
    AuthName "Restricted Access"

    <Files "wp-login.php">
    Require valid-user
    </Files>

    # BEGIN CUSTOM - protect wp-config.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    # block directory browsing
    Options All -Indexes

    # protect htaccess
    <Files ~ "^.*.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

    Mull that over if you will and send me any other suggestion and I'll remove Jetpack, see about a debug, and do some more testing and report back if I haven't heard from you.

    Thanks,
    Louis

  • Michael

    Hi Vaughan,

    I've been checking around and my host recently initiated ModSecurity which I've never used and I hear is pretty sensitive. My host allows to disable for updates so I'm going to see, but updates have been fine...

    Do you know if ModSecurity creates problems for end users for your apps such as CoursePress?

    Most of ModSecurity seems a good idea but wonder if any known issues and if I should leave disabled.

    Thanks,
    Louis

  • Vaughan

    Hi,

    I'm not a sysadmin so I'm not really up on mod_security, however, I do know it can certainly affect some plugins, especially plugins that use gateways and others, so the rules in mod security may need to be relaxed. But I can't really say what because I am not experienced enough with that side of things unfortunately. But if everything works ok with mod security disabled, then it has to be some strict rule in there somewhere.

    Cheers
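
Added example, not part of the thread above: one way to find which ModSecurity rule is behind intermittent 403s on dashboard saves is to group the "Access denied" entries in the web server error log by rule id and URI. The log lines are constructed samples in the Apache error_log style that ModSecurity 2.x writes; the rule ids, hostnames, addresses and function names are assumptions, and a LiteSpeed host may log in a different layout.

```python
import re
from collections import Counter

# Constructed sample in the Apache error_log style used by ModSecurity 2.x.
# Rule ids, hostnames and addresses below are invented for illustration.
SAMPLE_LOG = """\
[Mon Mar 02 10:15:01 2015] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:css. [id "1000001"] [msg "Constructed: markup in POST body"] [hostname "example.test"] [uri "/wp-admin/admin.php"]
[Mon Mar 02 10:31:44 2015] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:css. [id "1000001"] [msg "Constructed: markup in POST body"] [hostname "example.test"] [uri "/wp-admin/admin.php"]
[Mon Mar 02 10:40:02 2015] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "1000002"] [msg "Constructed: serialized data in argument"] [hostname "example.test"] [uri "/wp-admin/admin-ajax.php"]
[Mon Mar 02 10:41:10 2015] [:error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 1). [id "1000003"] [msg "Constructed: request rate"] [hostname "example.test"] [uri "/xmlrpc.php"]
[Mon Mar 02 10:42:00 2015] [:error] [client 203.0.113.7] ModSecurity: Warning. [id "1000004"] [msg "Constructed: logged only"] [uri "/wp-admin/admin.php"]
[Mon Mar 02 10:43:00 2015] [:error] [client 203.0.113.7] File does not exist: /home/example/public_html/favicon.ico
"""

# ModSecurity appends metadata as [key "value"] tags; values may hold escaped quotes.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENY = re.compile(r'ModSecurity: Access denied with code (\d{3})')


def parse_denials(log_text):
    """Return one dict per denial line: the HTTP code plus its [key "value"] tags."""
    denials = []
    for line in log_text.splitlines():
        match = DENY.search(line)
        if not match:
            continue  # warnings and unrelated errors did not block the request
        tags = dict(TAG.findall(line))
        tags["code"] = int(match.group(1))
        denials.append(tags)
    return denials


def rules_blocking_admin(denials, prefix="/wp-admin/"):
    """Count 403 denials per (rule id, uri) for requests under the dashboard path."""
    hits = Counter()
    for d in denials:
        if d["code"] == 403 and d.get("uri", "").startswith(prefix):
            hits[(d.get("id", "?"), d["uri"])] += 1
    return hits


if __name__ == "__main__":
    for (rule_id, uri), count in rules_blocking_admin(parse_denials(SAMPLE_LOG)).most_common():
        print(f"rule {rule_id} blocked {uri} {count} time(s)")
```

The rule id and URI from the top entries are the details a host needs in order to review or tune a single rule instead of switching ModSecurity off for the whole account.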