• Resolved justmattb

    (@mwbarker)


    Trying out a new plugin, called Argo Links:
    https://argoproject.org/argo-links.php

    Included with it is a bookmarklet that allows you to capture the URL from the website and add it to a list of links in your WordPress site. BulletProof Security is blocking the requests, resulting in a 403 on the pop-up. This is what the bookmarklet looks like:

    javascript:var d=document,w=window,e=w.getSelection,k=d.getSelection,x=d.selection,s=(e?e():(k)?k():(x?x.createRange().text:0)),f='https://www.mysite.com/wp-content/plugins/argoproject-argo-links-ec58e2a/argo-this.php',l=d.location,e=encodeURIComponent,u=f+'?post_type=argolinks&u='+e(l.href)+'&t='+e(d.title)+'&s='+e(s)+'&v=4';a=function(){if(!w.open(u,'t','toolbar=0,resizable=1,scrollbars=1,status=1,width=720,height=570'))l.href=u;};if (/Firefox/.test(navigator.userAgent)) setTimeout(a, 0); else a();void(0)

    This is what the BPS error log shows:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - March 20, 2013 - 3:36 am <<<<<<<<<<<
    REMOTE_ADDR: editedout
    Host Name: editedout
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: editedout
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.fromaway.com/features/how-to-start-a-food-blog
    REQUEST_URI: /wp-content/plugins/argoproject-argo-links-ec58e2a/argo-this.php?post_type=argolinks&u=http%3A%2F%2Fwww.fromaway.com%2Ffeatures%2Fhow-to-start-a-food-blog&t=How%20to%20Start%20a%20Food%20Blog&s=&v=4
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22

    I have tried to update the .htaccess file with this line, but it does not help:

    # Argo Links
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/argoproject-argo-links-ec58e2a/ [NC]
    RewriteRule . - [S=13]

    Any other way around this?

    https://www.ads-software.com/extend/plugins/bulletproof-security/

Viewing 15 replies - 16 through 30 (of 47 total)
  • Plugin Author AITpro

    (@aitpro)

    This plugin also uses admin-ajax.php so make sure that you have whitelisted admin-ajax.php in your wp-admin .htaccess file.

    This plugin also uses press-this.php. press-this.php should already be whitelisted in your wp-admin .htaccess file.

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php|admin-ajax\.php) [NC]
    RewriteRule . - [S=1]

    Thread Starter justmattb

    (@mwbarker)

    Still not working; this is what it looks like:

    root .htaccess:

    # TimThumb Forbid RFI By Host Name But Allow Internal Requests
    #RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    #RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    #RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (argo-this\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*mysite.com.*
    RewriteRule . - [S=1]

    wp-admin .htaccess:

    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (admin-ajax\.php|press-this\.php) [NC]
    RewriteRule . - [S=1]

    Thread Starter justmattb

    (@mwbarker)

    Really, really, REALLY appreciate you looking at this. I have tried removing huge sections of the .htaccess file trying to identify what is causing this and am still scratching my head. Will keep plugging away at it.

    Plugin Author AITpro

    (@aitpro)

Ok that leaves you with isolating these RFI security filters.
Comment them out 1 by 1 and test. Once you isolate the filter or filters, then it may be possible to whitelist something without leaving your website wide open to RFI hacking attempts, but I need to know which filter is blocking this plugin before I can see whether I can create a whitelisting rule that will still leave your site protected, but also allow this plugin to do what it is doing.

    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
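An added example, not part of this thread or of the BPS plugin: a Python script that replays the REQUEST_URI from the log entry above (plus a constructed variant in which the bookmarklet had not percent-encoded the captured URL) against the RFI filters listed here and the sp_executesql filter from the query-string section, so the blocking rule can be isolated offline before editing a live .htaccess. Mapping Apache's NC flag to re.IGNORECASE and using Python's re in place of Apache's PCRE are assumptions that hold for these particular patterns.

```python
import re
from urllib.parse import urlsplit

# The RewriteCond filters quoted in this thread, as (server variable, pattern, flags).
# They are chained with [OR], so a single matching condition is enough to trigger the 403.
FILTERS = [
    ("THE_REQUEST",  r"\?\ HTTP/",                      "NC"),
    ("THE_REQUEST",  r"\/\*\ HTTP/",                    "NC"),
    ("QUERY_STRING", r"http\:",                         "NC"),
    ("QUERY_STRING", r"https\:",                        "NC"),
    ("QUERY_STRING", r"[a-zA-Z0-9_]=https://",          ""),
    ("QUERY_STRING", r"[a-zA-Z0-9_]=(\.\.//?)+",        ""),
    ("QUERY_STRING", r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", "NC"),
    ("QUERY_STRING", r"(sp_executesql)",                "NC"),   # from the BPSQSE section
]

def server_vars(method, request_uri, protocol="HTTP/1.1"):
    """Rebuild the mod_rewrite variables from a logged REQUEST_URI.
    THE_REQUEST is the raw request line; QUERY_STRING is left percent-encoded,
    which is the form RewriteCond sees (Apache does not decode it first)."""
    parts = urlsplit(request_uri)
    return {
        "THE_REQUEST": f"{method} {request_uri} {protocol}",
        "QUERY_STRING": parts.query,
    }

def matching_filters(method, request_uri):
    """Return (index, variable, pattern) for every filter that would fire."""
    env = server_vars(method, request_uri)
    hits = []
    for i, (var, pattern, flags) in enumerate(FILTERS, 1):
        re_flags = re.IGNORECASE if "NC" in flags else 0   # NC -> case-insensitive
        if re.search(pattern, env[var], re_flags):
            hits.append((i, var, pattern))
    return hits

# REQUEST_URI copied from the BPS log entry posted in this thread.
LOGGED_URI = ("/wp-content/plugins/argoproject-argo-links-ec58e2a/argo-this.php"
              "?post_type=argolinks&u=http%3A%2F%2Fwww.fromaway.com%2Ffeatures%2F"
              "how-to-start-a-food-blog&t=How%20to%20Start%20a%20Food%20Blog&s=&v=4")

# Constructed variant: the same request without encodeURIComponent on the captured URL.
UNENCODED_URI = ("/wp-content/plugins/argo-links/argo-this.php"
                 "?post_type=argolinks&u=http://www.fromaway.com/features/how-to-start-a-food-blog&v=4")

if __name__ == "__main__":
    for label, uri in (("logged", LOGGED_URI), ("unencoded", UNENCODED_URI)):
        print(label, matching_filters("GET", uri) or "no listed filter matches")
```

For the logged request none of these filters match, which agrees with the thread's conclusion that the block comes from other code in the root .htaccess; the unencoded variant trips the `http\:` filter, showing why the bookmarklet's encodeURIComponent matters when whitelisting.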

    Plugin Author AITpro

    (@aitpro)

    I just noticed something. Is this the true/actual plugin folder name?

    # Argo Links
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/argoproject-argo-links-ec58e2a/ [NC]
RewriteRule . - [S=13]

Plugin Author AITpro

    (@aitpro)

    Are you sure this plugin actually works with WP 3.5?

    * NOTE: The plugin has been verified to work in WordPress 3.3.1. It is no longer under active development.

    Thread Starter justmattb

    (@mwbarker)

    Yeah, that was because I just uploaded the zip file that I downloaded directly from Git. I went ahead and renamed it to argo-links and reactivated it to clean it up. It appears to work in the latest version of WordPress. I am able to do everything with it, with the exception of using the bookmarklet with BPS. I have even gone so far as to remove most of the code from the .htaccess file:

    # BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    But still get the same result.

    Plugin Author AITpro

    (@aitpro)

    Have you put BPS in Default Mode to make absolutely sure BPS is causing this issue?

    1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
    2. Activate Default Mode on the Security Modes page.
    3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
    4. Test your plugin or theme.

    After testing is completed
    5. Restore your .htaccess files using BulletProof Security built-in Restore.

    Thread Starter justmattb

    (@mwbarker)

    Yes, and when I do, the bookmarklet works.

    Plugin Author AITpro

    (@aitpro)

    Let me know what happens after you put BPS into Default Mode.

    Plugin Author AITpro

    (@aitpro)

    Is the plugin folder name correct that you posted?

    argoproject-argo-links-ec58e2a

    Thread Starter justmattb

    (@mwbarker)

Yes it was, but to make sure that wasn’t causing any issues, I simplified it down to just argo-links and reactivated the plugin (and updated that portion of the .htaccess file). The name was just how it came down from GitHub.

    Plugin Author AITpro

    (@aitpro)

    Wow ok so you have eliminated all of the root .htaccess code and the error still occurs? Something does not add up there???

    Thread Starter justmattb

    (@mwbarker)

    This was just the piece that was leftover from the whole BPSQSE section; I did leave everything else intact. Just wanted to make sure I was clear that what you see below is not ALL that was in the .htaccess file.

    # BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Plugin Author AITpro

    (@aitpro)

    Oh wait you were only showing the Query string section.
    This means that the problem is with some other .htaccess code in the root .htaccess file then.

  • The topic ‘Argo Links 403 Error’ is closed to new replies.