• Resolved gameslopedy

    (@yiggory)


    When I put my email into Jetpack’s email subscription form widget and press Signup, it shows a 403 Forbidden error page.

    I also tried Mailchimp’s widget, but the same 403 error appeared again. I think it’s caused by BPS.
    How can I fix it?

    Here is the log for it, which I believe is the relevant entry:

    [403 POST Request: July 24, 2017 9:18 am]
    BPS: 2.2
    WP: 4.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 188.166.82.41
    Host Name: 188.166.82.41
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.mysite.com/
    REQUEST_URI: /
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 OPR/46.0.2597.57
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
    
Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author AITpro

    (@aitpro)

    If the POST Request is being blocked then you are using the BPS POST Attack Protection bonus custom code and would need to create a whitelist rule or rules in your BPS POST Attack Protection code to allow/whitelist these POST Requests. Do these steps below.

    1. Go to the BPS Security Log page > POST Request Body Data option > add a checkmark in this checkbox > [X] Log Minimum POST Request Body Data (5KB) > uncheck any other checkboxes that are checked > click the Save POST Request Body Data Option button.
    2. Make another POST Request to your widget form.
    3. Post the Security Log entry for that blocked POST Request.

    Note: Since the POST Request is being made to your root site URI / and not to a specific page or post URI (for example /some-page/ or /another-page/), the only way to whitelist the POST Request would be by adding a Query String whitelist rule in the POST Attack Protection bonus custom code. If a Query String is not available in the POST Request Body data then you will not be able to use the BPS POST Attack Protection bonus custom code on this website.

    Plugin Author AITpro

    (@aitpro)

    Clarification: “3. Post the Security Log entry for that blocked POST Request.” Copy and paste the Security Log entry for the blocked Widget form request in your forum reply.

    Thread Starter gameslopedy

    (@yiggory)

    Here is the post request log:

    [403 POST Request: July 26, 2017 9:44 am]
    BPS: 2.3
    WP: 4.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 188.166.83.39
    Host Name: 188.166.83.39
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.ourwebsite.com/
    REQUEST_URI: /
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 OPR/46.0.2597.57
    REQUEST BODY: email=vpbaymedia%40gmail.com&action=subscribe&source=http%3A%2F%2Fwww.oursite.com%2F&sub-type=widget&redirect_fragment=blog_subscription-3&_wpnonce=c80a9c8ef8&jetpack_subscriptions_widget=Subscribe
    

    I have censored our website URL with “oursite.com” in the log above.

    Plugin Author AITpro

    (@aitpro)

    At this point I do not see a way to whitelist the Widget Form in the POST Attack Protection code, but I will continue to research this and see if there is a way to whitelist this Request (highly doubtful) that I am not aware of. So you will not be able to use the BPS POST Attack Protection bonus custom code for now and will have to delete/remove it.

    This is a very typical POST Request Remote File Upload attack below.
    The HTTP Referer is your domain.
    The Request URI is your site root URI|URL: /

    Problem: There are not any htaccess directives that match POST Request body data that I am aware of so you cannot match or whitelist anything in the Request Body data sent by the Widget Form.
    If the Widget Form Request had a Query String then it would be very simple to allow/whitelist the Widget Form POST Requests.
    Example Query String: ?jetpack_subscriptions_widget could easily be whitelisted with this rule: RewriteCond %{QUERY_STRING} !^jetpack_subscriptions_widget [NC]

    [403 POST Request: July 25, 2017 - 9:16 pm]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 162.209.168.23
    Host Name: 162-209-168-23.rdns.cloudradium.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: POST
    HTTP_REFERER: https://forum.ait-pro.com/
    REQUEST_URI: /
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
    REQUEST BODY: --(UploadBoundary)
    Content-Disposition: form-data; name="yiw_contact[]"; filename="0274508.php"
    Content-Type: text/php
    
    <?php
    if(isset($_POST['Submit'])){
        $filedir = ""; 
        $maxfile = '2000000';
    
        $userfile_name = $_FILES['image']['name'];
        $userfile_tmp = $_FILES['image']['tmp_name'];
        if (isset($_FILES['image']['name'])) {
            $abod = $filedir.$userfile_name;
            @move_uploaded_file($userfile_tmp, $abod);
      
    echo"<center><b>Done ==> $userfile_name</b></cen
    Plugin Author AITpro

    (@aitpro)

    Just as a thought, an htaccess directive does not exist that can be used to check the Request Body data.

    So your options are:
    1. do not use the BPS POST Attack Protection bonus custom code.
    2. do not use Widget forms.
    3. post a feature request to have a Query String added for the Widget forms.
    4. create your own code that adds a Query String for the Widget forms: esc_url( add_query_arg( 'foo', 'bar' ) ); Result: /?foo=bar

    Thread Starter gameslopedy

    (@yiggory)

    Wouldn’t it be a security problem if I don’t use the BPS POST Attack Protection bonus custom code?

    Plugin Author AITpro

    (@aitpro)

    Yep, not using the POST Attack protection bonus custom code would significantly decrease your overall website security. If it were me I would choose not to use the Widget Forms and figure out an alternative thing that works for my purposes. Or create the necessary code that adds a Query String to the Widget forms and then submit a feature request to the plugin author to add that code in the next plugin version. Adding a Query String is a very simple thing to do and it follows good security practices by “defining” a Request. Query Strings in essence can be used simply as a marker to “define” a request and do not necessarily need to be used for processing data/requests.

    Plugin Author AITpro

    (@aitpro)

    I created a Query String for the MailChimp Widget Form using this code below in a theme functions.php file which you can use to whitelist the MailChimp Widget Form Query String in the BPS POST Attack Protection bonus custom code.
    Note: by default MailChimp creates a null value for form Actions, which means the form “action” element is not displayed. This code below creates the action form element and populates the action with a Query String.

    MailChimp Widget Form with Action element populated with a Query String:
    <form id="mc4wp-form-1" class="mc4wp-form" action="/?foo=bar" method="post" data-id="414" data-name="MailChimp">

    MailChimp filter created in a theme functions.php file to add the Action element and Query String

    // Define the mc4wp_form_action callback: add a Query String to the form action
    // so that the Query String can be whitelisted in the POST Attack Protection code.
    function filter_mc4wp_form_action( $form_action_attribute, $form ) {
        // add_query_arg() with no URL argument builds on the current request URI,
        // so the action becomes /?foo=bar on the site root.
        $form_action_attribute = esc_url( add_query_arg( 'foo', 'bar' ) );
        return $form_action_attribute;
    }

    // Priority 10, two arguments ($form_action_attribute and $form).
    add_filter( 'mc4wp_form_action', 'filter_mc4wp_form_action', 10, 2 );

    BPS POST Attack Protection Bonus Custom Code whitelist rule:

    # MailChimp Widget Form Query String whitelist rule
    RewriteCond %{QUERY_STRING} !^foo=bar [NC]
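    The following is an added example, not code from this thread, from BPS or from MailChimp: a Python simulation of the whitelist logic the replies above describe (a POST to the site root is refused unless its Query String matches a whitelist pattern such as `^foo=bar`, matched case-insensitively like the `[NC]` flag), run over three constructed BPS-style Security Log entries. The rule model is a simplified assumption about how the POST Attack Protection code behaves, the domain names and the `.php` filename are made up, and the log format is copied from the entries posted in this thread. It shows why the Jetpack widget POST (no Query String) is blocked, why the MailChimp form with the `?foo=bar` action passes, and flags the multipart file-upload pattern from the attack entry so that a blocked POST can be triaged as form traffic or as an upload attempt.

```python
import re

# Constructed BPS-style Security Log entries (format from the thread, values made up).
SAMPLE_LOG = """[403 POST Request: July 26, 2017 9:44 am]
REQUEST_METHOD: POST
HTTP_REFERER: https://www.oursite.example/
REQUEST_URI: /
QUERY_STRING: 
REQUEST BODY: email=someone%40example.com&action=subscribe&jetpack_subscriptions_widget=Subscribe

[POST Request: July 27, 2017 10:02 am]
REQUEST_METHOD: POST
HTTP_REFERER: https://www.oursite.example/
REQUEST_URI: /?foo=bar
QUERY_STRING: foo=bar
REQUEST BODY: EMAIL=someone%40example.com&_mc4wp_form_id=414

[403 POST Request: July 25, 2017 - 9:16 pm]
REQUEST_METHOD: POST
HTTP_REFERER: https://forum.example/
REQUEST_URI: /
QUERY_STRING: 
REQUEST BODY: --(UploadBoundary)
Content-Disposition: form-data; name="yiw_contact[]"; filename="upload.php"
"""

# Mirrors: RewriteCond %{QUERY_STRING} !^foo=bar [NC]  (assumed whitelist pattern)
WHITELISTED_QUERY_STRINGS = [re.compile(r"^foo=bar", re.IGNORECASE)]

# Multipart body carrying a PHP file name: the "Remote File Upload" pattern from the thread.
UPLOAD_MARKER = re.compile(
    r'Content-Disposition:\s*form-data;.*filename="[^"]*\.php\d?"', re.IGNORECASE
)

FIELD = re.compile(r"^([A-Z_ ]+): ?(.*)$")


def parse_bps_log(text):
    """Split a BPS Security Log dump into entries; 'REQUEST BODY' keeps its
    continuation lines (multipart bodies span several lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        entry = {"header": lines[0].strip("[]")}
        key = None
        for line in lines[1:]:
            m = FIELD.match(line)
            if m and key != "REQUEST BODY":
                key, value = m.group(1), m.group(2)
                entry[key] = value
            elif key:
                entry[key] += "\n" + line
        entries.append(entry)
    return entries


def post_attack_decision(entry, whitelist=WHITELISTED_QUERY_STRINGS):
    """Simplified model of the rule chain: a POST to the root URI whose Query String
    matches no whitelist pattern gets 403; everything else is allowed."""
    if entry.get("REQUEST_METHOD") != "POST":
        return "allow"
    if entry.get("REQUEST_URI", "").split("?")[0] != "/":
        return "allow"  # this simulation only models POSTs to the site root
    query_string = entry.get("QUERY_STRING", "")
    if any(p.match(query_string) for p in whitelist):
        return "allow"
    return "403"


def looks_like_upload_attempt(entry):
    """Triage hint: True when the logged body is a multipart upload of a .php file."""
    return bool(UPLOAD_MARKER.search(entry.get("REQUEST BODY", "")))


def triage(text):
    """Return (header, decision, upload_attempt) for every entry in the log text."""
    return [
        (e["header"], post_attack_decision(e), looks_like_upload_attempt(e))
        for e in parse_bps_log(text)
    ]


if __name__ == "__main__":
    for header, decision, upload in triage(SAMPLE_LOG):
        print(f"{header}: {decision}{'  (upload attempt)' if upload else ''}")
```

    The Jetpack entry and the upload entry are indistinguishable to the Query String rule (both are POSTs to `/` with an empty `QUERY_STRING`), which is exactly why the thread concludes that the widget needs a marker Query String before it can be whitelisted; the body-based `looks_like_upload_attempt` check is only a log-review aid, since, as the replies note, htaccess directives cannot match Request Body data.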
    Plugin Author AITpro

    (@aitpro)

    Unfortunately, I cannot tell you how to do the same thing with Jetpack since Jetpack does not work on Local Development testing servers. So I cannot install and test Jetpack on our Local Development servers.

    Plugin Author AITpro

    (@aitpro)

    Assuming all questions have been answered – the thread has been resolved. If the issue/problem is not resolved or you have additional questions about this specific thread topic then you can post them at any time. We still receive email notifications when threads have been resolved.

  • The topic ‘403 Forbidden Error When Pressing to the Email Sub. Widget’ is closed to new replies.