BPS Blocking Zapier
-
So I wanted to connect Zapier to WordPress so that I can send a message to Discord when there’s a new blog post, but I am receiving the following error codes in BPS:
[403 POST Request: 20/02/2019 – 06:28]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS – Blocked/Forbidden Hacker or Spammer
Solution: N/A – Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: GDPR Compliance On
Host Name: ec2-35-168-226-6.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /xmlrpc.php
QUERY_STRING:
HTTP_USER_AGENT: Zapier
REQUEST BODY: <?xml version='1.0'?>
<methodCall>
<methodName>wp.getPostStatusList</methodName>
<params>
<param>
<value><string></string></value>
</param>
<param>
<value><string>zapier</string></value>
</param>
<param>
<value><string>Nendo-Addicts-Zapier</string></value>
</param>
</params>
</methodCall>

[403 POST Request: 20/02/2019 – 06:28]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS – Blocked/Forbidden Hacker or Spammer
Solution: N/A – Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: GDPR Compliance On
Host Name: ec2-35-168-226-6.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /xmlrpc.php
QUERY_STRING:
HTTP_USER_AGENT: Zapier
REQUEST BODY: <?xml version='1.0'?>
<methodCall>
<methodName>wp.getPostStatusList</methodName>
<params>
<param>
<value><string></string></value>
</param>
<param>
<value><string>zapier</string></value>
</param>
<param>
<value><string>Nendo-Addicts-Zapier</string></value>
</param>
</params>
</methodCall>

I guess BPS is certainly blocking this request, so I was wondering how I would be able to whitelist it.
Thanks in advance.
-
Looks like you are using the BPS POST Attack Protection Bonus Custom Code and you need to whitelist the > REQUEST_URI: /xmlrpc.php. Since the xmlrpc.php file is located in your website root folder you will also need to move the BPS POST Attack Protection Bonus Custom Code saved in BPS Root Custom Code using the steps below.
1. Copy the BPS POST Request Attack Protection Bonus Custom Code from this BPS Root Custom Code text box: 14. CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE and paste it in this BPS Root Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START.
VERY IMPORTANT Steps!!!
2. Next go to the BPS htaccess File Editor tab page > click the Your Current Root htaccess File tab.
3. Scroll down until you see this section of htaccess code: # WP REWRITE LOOP START.
4. Copy the entire block/section of your WP REWRITE LOOP START htaccess code.
5. Paste your WP REWRITE LOOP START htaccess code ABOVE the BPS POST Request Attack Protection Bonus Custom Code in the BPS Root Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START text box.
6. Check your BPS POST Request Attack Protection Bonus Custom Code and make sure this line of htaccess code below is not commented out with a pound sign (#). If you see a pound sign in front of the RewriteCond htaccess code directive then delete it.
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
7. Scroll down and click the Save Root Custom Code button
8. Go to the Security Modes tab page and click the Root folder BulletProof Mode Activate button.
Note: If the xmlrpc.php file is still being blocked by the BPS POST Attack Protection Bonus Custom Code then you are going to have to delete it from BPS Custom Code.
BPS POST Attack Protection Bonus Custom Code Reference link: https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/
- This reply was modified 5 years, 9 months ago by AITpro.
Thanks for the response, but I am not using the BPS POST Attack Protection Bonus Custom Code and section 8 is completely empty for me.
So I don’t directly have a specific part that would block the XMLRPC that I’ve set personally that isn’t added by the wizard itself?
Do the steps still provide me the right information to solve this, or am I just misunderstanding your explanation?
Either way thanks!
The only other BPS htaccess code that would block the xmlrpc.php file is this BPS Bonus Custom Code > https://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/. Do BPS troubleshooting step #1 > https://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting and let me know if the problem is still occurring or not.
Thanks for the follow-up. I have also not used that Bonus code; in fact I’ve not used any bonus codes other than the extra added snippets by the wizard, but those are not related to blocking xmlrpc either.
I first tried the custom loop change you suggested and tried accessing from another source, and received the same error:
[403 POST Request: 25/02/2019 - 03:19]
BPS: 3.3
WP: 5.1
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: GDPR Compliance On
Host Name: ec2-52-0-79-228.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /xmlrpc.php
QUERY_STRING:
HTTP_USER_AGENT: Zapier
REQUEST BODY: <?xml version='1.0'?>
<methodCall>
<methodName>wp.getPosts</methodName>
<params>
<param>
<value><string></string></value>
</param>
<param>
<value><string>zapier</string></value>
</param>
<param>
<value><string>Nendo-Addicts-Zapier</string></value>
</param>
<param>
<value><struct>
<member>
<name>post_status</name>
<value><string>publish</string></value>
</member>
<member>
<name>post_type</name>
<value><string>post</string></value>
</member>
</struct></value>
</param>
</params>
</methodCall>
Yet nothing in the htaccess that I directly see/can find related to blocking xmlrpc, here is the full htaccess code:
# BULLETPROOF 3.3 SECURE .HTACCESS

# CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
### Begin Caching Performance ###
# Use UTF-8 encoding for anything served text/plain or text/html
AddDefaultCharset UTF-8
# Force UTF-8 for a number of file formats
<IfModule mod_mime.c>
AddCharset UTF-8 .atom .css .js .json .rss .vtt .xml
</IfModule>
# FileETag None is not enough for every server.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
# Since we're sending far-future expires, we don't need ETags for static content.
FileETag None
<IfModule mod_alias.c>
<FilesMatch "\.(html|htm|rtf|rtx|txt|xsd|xsl|xml)$">
<IfModule mod_headers.c>
Header unset Pragma
Header append Cache-Control "public"
Header unset Last-Modified
</IfModule>
</FilesMatch>
<FilesMatch "\.(css|htc|js|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$">
<IfModule mod_headers.c>
Header unset Pragma
Header append Cache-Control "public"
</IfModule>
</FilesMatch>
</IfModule>
# Gzip Compression
<IfModule mod_deflate.c>
# Force compression for mangled headers.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
# Don't compress images and other uncompressible content
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|rar|zip|exe|flv|mov|wma|mp3|avi|swf|mp?g|mp4|webm|webp|pdf)$ no-gzip dont-vary
</IfModule>
</IfModule>
# Compress all output labeled with one of the following MIME-types
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
<IfModule mod_headers.c>
Header append Vary: Accept-Encoding
</IfModule>
</IfModule>
<IfModule mod_mime.c>
AddType text/html .html_gzip
AddEncoding gzip .html_gzip
</IfModule>
<IfModule mod_setenvif.c>
SetEnvIfNoCase Request_URI \.html_gzip$ no-gzip
</IfModule>
# Expires headers
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
# cache.appcache needs re-requests in FF 3.6
ExpiresByType text/cache-manifest "access plus 0 seconds"
# CSS
ExpiresByType text/css "access plus 1 year"
# Data interchange
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
# Favicon (cannot be renamed!)
ExpiresByType image/x-icon "access plus 1 week"
# HTML components (HTCs)
ExpiresByType text/x-component "access plus 1 month"
# HTML
ExpiresByType text/html "access plus 0 seconds"
# JavaScript
ExpiresByType application/javascript "access plus 1 year"
# Manifest files
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
# Media
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
# Web feeds
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
# Web fonts
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{QUERY_STRING} ^$
RewriteCond %{HTTP:Cookie} !^.*(wordpress_logged_in).*$
RewriteCond %{REQUEST_URI} !^/wp-content/cache/swift-performance/([^/]*)/assetproxy
RewriteCond %{HTTP_USER_AGENT} (Mobile|Android|Silk|Kindle|BlackBerry|Opera+Mini|Opera+Mobi) [NC]
RewriteCond /home/nendoa1q/public_html/wp-content/cache/swift-performance/%{HTTP_HOST}%{REQUEST_URI}/mobile/unauthenticated/index.html -f
RewriteRule (.*) wp-content/cache/swift-performance/%{HTTP_HOST}%{REQUEST_URI}/mobile/unauthenticated/index.html [L]
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{QUERY_STRING} ^$
RewriteCond %{HTTP:Cookie} !^.*(wordpress_logged_in).*$
RewriteCond %{REQUEST_URI} !^/wp-content/cache/swift-performance/([^/]*)/assetproxy
RewriteCond %{HTTP_USER_AGENT} !(Mobile|Android|Silk|Kindle|BlackBerry|Opera+Mini|Opera+Mobi) [NC]
RewriteCond /home/nendoa1q/public_html/wp-content/cache/swift-performance/%{HTTP_HOST}%{REQUEST_URI}/desktop/unauthenticated/index.html -f
RewriteRule (.*) wp-content/cache/swift-performance/%{HTTP_HOST}%{REQUEST_URI}/desktop/unauthenticated/index.html [L]
</IfModule>
# Send CORS headers if browsers request them; enabled by default for images.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
# mod_headers
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
# Webfont access
<IfModule mod_headers.c>
<FilesMatch "\.(tt[cf]|otf|eot|woff|woff2|font.css|css|js)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
### End Caching Performance ###

# CUSTOM CODE TURN OFF YOUR SERVER SIGNATURE
# Security Headers
<IfModule mod_headers.c>
Header set Developed-By "Rafael De Jongh"
Header set Content-Security-Policy "img-src 'self' https: data: blob:; font-src 'self' https: data:; base-uri 'self';"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Expect-CT "max-age=86400,enforce"
Header set Feature-Policy "fullscreen *;camera 'none';microphone 'none'"
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
Header always unset "X-Powered-By"
</IfModule>

# DO NOT SHOW DIRECTORY LISTING
# Disallow mod_autoindex from displaying a directory listing
# If a 500 Internal Server Error occurs when activating Root BulletProof Mode
# copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
# and paste it into BPS Custom Code and comment out Options -Indexes
# by adding a # sign in front of it.
# Example: #Options -Indexes
Options -Indexes

# DIRECTORY INDEX FORCE INDEX.PHP
# Use index.php as default directory index file. index.html will be ignored.
# If a 500 Internal Server Error occurs when activating Root BulletProof Mode
# copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
# and paste it into BPS Custom Code and comment out DirectoryIndex
# by adding a # sign in front of it.
# Example: #DirectoryIndex index.php index.html /index.php
DirectoryIndex index.php index.html /index.php

# BRUTE FORCE LOGIN PAGE PROTECTION
# PLACEHOLDER ONLY
# Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
# See this link: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
# for more information.

# BPS ERROR LOGGING AND TRACKING
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# BPS has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and
# 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors
# that occur on your website. When a hacker attempts to hack your website the hackers IP address,
# Host name, Request Method, Referering link, the file name or requested resource, the user agent
# of the hacker and the query string used in the hack attempt are logged.
# All BPS log files are htaccess protected so that only you can view them.
# The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/
# The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors
# after you install BPS and have activated BulletProof Mode for your Root folder.
# If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file
# to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.
# You can open the BPS 404.php file using the WP Plugins Editor or manually editing the file.
# NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.
ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
ErrorDocument 401 default
ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
ErrorDocument 404 /404.php
ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php

# DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$

# WP-ADMIN/INCLUDES
# Use BPS Custom Code to remove this code permanently.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]

# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

# PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES
# To add plugin/theme skip/bypass rules use BPS Custom Code.
# The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules.
# The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9...
# If you delete a skip rule, change the other skip rule numbers accordingly.
# Examples: If RewriteRule [S=5] is deleted than change [S=6] to [S=5], [S=7] to [S=6], etc.
# If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13]

# CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
# Nextend Facebook Connect Query String skip/bypass rule
RewriteCond %{QUERY_STRING} loginFacebook=(.*) [NC]
RewriteRule . - [S=15]
# WooCommerce order & wc-ajax= Query String skip/bypass rule
RewriteCond %{QUERY_STRING} .*(order|wc-ajax=).* [NC]
RewriteRule . - [S=14]
# WooCommerce shop, cart, checkout & wishlist URI skip/bypass rule
RewriteCond %{REQUEST_URI} ^.*/(shop|cart|checkout|wishlist).* [NC]
RewriteRule . - [S=13]
# Adminer MySQL management tool data populate
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=12]
# Comment Spam Pack MU Plugin - CAPTCHA images not displaying
RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
RewriteRule . - [S=11]
# Peters Custom Anti-Spam display CAPTCHA Image
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
RewriteRule . - [S=10]
# Status Updater plugin fb connect
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
RewriteRule . - [S=9]
# Stream Video Player - Adding FLV Videos Blocked
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
RewriteRule . - [S=8]
# XCloner 404 or 403 error when updating settings
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
RewriteRule . - [S=7]
# BuddyPress Logout Redirect
RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
RewriteRule . - [S=6]
# redirect_to=
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
RewriteRule . - [S=5]
# Login Plugins Password Reset And Redirect 1
RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
RewriteRule . - [S=4]
# Login Plugins Password Reset And Redirect 2
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=3]

# CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
#
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*nendoaddicts.be.*
RewriteRule . - [S=1]

# CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# WP REWRITE LOOP END

# DENY BROWSER ACCESS TO THESE FILES
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
# To be able to view these files from a Browser, replace 127.0.0.1 with your actual
# current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
# Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
# Note: The BPS System Info page displays which modules are loaded on your server.
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
<IfModule mod_authz_core.c>
Require all denied
#Require ip 127.0.0.1
</IfModule>
<IfModule !mod_authz_core.c>
<IfModule mod_access_compat.c>
Order Allow,Deny
Deny from all
#Allow from 127.0.0.1
</IfModule>
</IfModule>
</FilesMatch>

# HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
# PLACEHOLDER ONLY
# Use BPS Custom Code to add custom code and save it permanently here.
So as mentioned, I am not using any bonus code that I am aware of or have added myself to block it, yet BPS is actively blocking the connection to it: if I disable BPS I can access it without a problem, and as can be seen in the log, requests to the file are indeed getting blocked.
I will troubleshoot this some more, if I find anything I’ll post it here!
- This reply was modified 5 years, 9 months ago by RafaelDeJongh.
What does this mean exactly – “if I disable BPS I can access it without a problem”? Are you deactivating the BPS plugin or are you deactivating (turning off) the BPS Root htaccess file? I don’t see anything in the standard BPS Root htaccess code that would cause the xmlrpc.php file to be blocked. I do see some other possible code that you have added that might be doing that, but I first need to know if deactivating Root folder BulletProof Mode stops the 403 error from occurring.
The actual plugin, to be honest, via the dashboard, and I do think the htaccess files are kept even when disabling the plugin. So I can connect to XMLRPC.php when the BPS plugin is disabled with both the root and admin htaccess files still intact, but not when I have the plugin activated.
Currently I’ve been troubleshooting and came up with the following htaccess code:
<FilesMatch "xmlrpc\.php$">
SetEnvIfNoCase User-Agent Zapier xmlrpc_access
Order Deny,Allow
Deny from All
Allow from env=xmlrpc_access
</FilesMatch>
As Zapier uses a specific User Agent this seems to actually work pretty well, I have placed this under block 13 (13. CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES:) and that does make it work.
However that doesn’t explain why BPS itself (as the plugin) is blocking the access to it right?
You are correct. I have never seen that before and never heard of Zapier. The only things in BPS that do anything with blocking the xmlrpc.php file are in the root htaccess file and deactivating the root htaccess file typically indicates that there is some code in the root htaccess file that is blocking the xmlrpc.php file.
So yeah I have no idea why this problem is occurring. So there must be a direct code conflict with the BPS plugin and whatever you are using for Zapier (plugin or some other thing) somewhere I guess? Or I am misunderstanding whatever you are doing to get things to work.
I’ll continue to work with you on this tomorrow, but yeah something very weird is going on.
Zapier pretty much just gets posts via XML-RPC and then uses them to distribute to other platforms like Facebook, Twitter, Instagram, Linkedin, Discord, etc. It doesn’t require plugins or any other kind of integration, just an account that you set up on their site and yours, and that XML-RPC is accessible, so there’s not really a conflict directly with BPS as far as I know.
Even when I try to access the file via my browser instead of getting the normal message: XML-RPC server accepts POST requests only. I also get:
nendoaddicts.be
403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser's back button to return to the previous page. Thank you.
IP Address: X.X.X.X
I’ve checked all settings and I’ve not changed anything other than using the Wizard and adding the security headers/swift caching code via the custom code. I also couldn’t find anything related to this and when I actually white list either my direct IP or via useragent on that specific file in the htaccess then it seems to work without any problem.
If you’d like to have a look on the site I can always provide you a temp login if that helps you find out the problem? As now that I am checking this on all my other sites where I am using BPS I am also receiving this access 403 error page when trying to access xmlrpc.php directly.
So it doesn’t seem to be an isolated problem for this particular website?
I checked your site and you are doing minification/compression with Swift cache. A lot of very strange/bizarre things occur pretty commonly with minification/compression especially if you are statically pre-caching website pages. At this point, let’s get your site to a place where Swift is eliminated/turned off/all cache cleared and then try to move forward. This could be some sort of multi-combo problem, which I have seen in the past when minification/compression is used. I try to stay away from saying anything negative about other plugins, features, etc., but in my opinion minification/compression is a horrible thing to use.
…when I actually white list either my direct IP or via useragent on that specific file in the htaccess then it seems to work without any problem.
I believe this is all it will take to get Zapier working/connecting – you would just need to add/save the Zapier htaccess code in BPS Custom Code in the 1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE above your Swift Cache code, click the Save Root Custom Code button and then activate Root folder BulletProof Mode. I’m not sure how deactivating the BPS plugin would come into play at all. That is throwing me off. So try adding the Zapier htaccess code to BPS Root Custom Code and see if that is all it takes to get this problem solved.
- This reply was modified 5 years, 9 months ago by AITpro.
The htaccess code is something I’ve written myself while I was troubleshooting. I’ve actually never experienced this before, and when testing on all the websites that I’ve got this installed on (which are on various different servers) I get the same problem with them as well, and they’re not even using Zapier, but that’s pretty much just the connection/access to XML-RPC, for example:
https://www.rafaeldejongh.com/xmlrpc.php
https://www.sandhillsstudio.com/xmlrpc.php
https://www.boaztimmermans.com/xmlrpc.php
https://mrj.agency/xmlrpc.php
These are all on different servers and with all different kinds of themes/plugins; the only thing they have in common is BPS. The first link for example doesn’t use Swift but rather uses WP Rocket.
I’ve tried without caching plugin but that didn’t change anything either, it is only when activating BPS that the blocking starts.
The only thing I can imagine is that it has something to do with server configuration, as while they are all on different shared webhosts, they are with the same webhost seller, NeoStrada.
I just checked a site from one of my clients with BPS installed on another webhost and for some reason there it doesn’t seem to have any conflict.
So I am really not entirely sure as to why it would behave this way on this particular server. I also tried this on a completely clean WP install on NeoStrada and it indeed had the same problem.
Would any of the security modules or so affect BPS to block it when the plugin is activated? If you need any testing account I am happy to provide you with one.
That said, however, with the htaccess code I’ve mocked up I could possibly just Allow All if needed, but on the other hand it’s not a bad thing to restrict XMLRPC either, to prevent brute force attacks I assume.
So yea, really not sure what’s going on here, but it does seem localized to the web host as a whole, even if all the sites linked above are on different shared hosting accounts.
Well if it’s a server/control panel problem then it’s going to be Mod Security SecRules/SecFilters that are causing the problem, but what is throwing me off that does not factor into the problem is that deactivating the BPS plugin makes things work – simply put I cannot figure out how that would factor into the equation or affect anything at all.
The only feature in the BPS plugin that does anything regarding the WP xmlrpc.php file is the Root htaccess file/Root folder BulletProof Mode.
So just move forward and do the steps I mentioned in my previous replies to even get started on figuring out what is going on. If you can get 1 site working then you will know what is causing the problem. It may just be a host server problem or Mod Security. I’m very confused at this point since nothing is really making any logical sense that I can work with.
Maybe the problem is just with Zapier itself and Mod Security and this has nothing to do with BPS???
- This reply was modified 5 years, 9 months ago by AITpro.
Yea exactly that’s also why that didn’t really make sense to me as the htaccess doesn’t change even if the plugin is deactivated, yet it does work when the plugin itself is deactivated.
And as you can see there’s really nothing in the htaccess file referring to restricting xmlrpc.
And yea, with the code I’ve written it works without problems, as if I add my own IP to the allow list I can access it without any problems either. So it seems to be restricting it to some degree, but when whitelisted it does work.
As mentioned, the other sites that are also getting those 403 pages on the xmlrpc page don’t even utilise Zapier, so it really doesn’t have anything to do with Zapier. It might have something to do with Mod Security, but then again I should still receive a 403 error page when the plugin is disabled as well, right? But it only appears when it is activated.
If you want I can set up a custom cPanel/WP on one of the servers and provide you with all the login details if you want to spend the time to look into it for future problems like this?
In general I pretty much fixed it for myself by writing that htaccess code, so I can proceed with what I need it for, but perhaps other users who aren’t that familiar with htaccess or server settings in general might not get to that same realisation.
Feel free to pass me an e-mail address I can send you the info to if you’re interested. Otherwise I’ll just put this on “resolved”, even though I am also still very confused as to why this is happening only on this host and only with the BPS plugin active.
Thanks either way for your assistance in this!
Well this is a first and I cannot make heads or tails of this problem at all. So this would not be any sort of overall thing that would apply to anyone else in the past, present or future since this type of problem has never occurred with anyone else over the last 8+ years. We don’t log in to BPS free plugin sites because that is considered kind of taboo in general with WP’s general policies and we don’t do that for isolated issues/problems.
I just had a thought that maybe your php server build/compile/installation is fubar. I have seen really strange/bizarre things occur with that over the years. So try switching your php server version to another version, which will load another php server build/compile/installation.
Overall the key thing to do is start eliminating and isolating the problem. You have to get to a good starting point by eliminating all other things that could be a factor in the equation. So once again do all of the troubleshooting things that I have mentioned just to keep eliminating things until you can isolate the root problem. On the surface it appears that just deactivating the BPS plugin fixes the problem, but there are many other possible factors involved and of course it does not make any logical sense for why deactivating the BPS plugin would affect/change anything else at all.
Alright, not a problem. I am using the latest PHP 7.3 on my server, but other sites that are also on it are running between 7.0 (which is the server’s default) and 7.1/7.2.
As these are still shared web servers I can’t directly go into editing any apache mods myself or enable/disable any.
I’ve made a complete fresh install with only BPS installed and I directly get the error when I activate the plugin.
So I am pretty sure it has something to do with my host’s server security mod configuration, as they also have some additional reCAPTCHA verification when logging into the back-end which is completely done by the web host rather than something you can configure (or even disable).
So yea, this is certainly a very specific, unique and isolated hosting environment problem rather than BPS; I still do not know why disabling BPS would make it work though.
But I can confirm this is not the plugin itself, as I tested this on a different web host and it didn’t have this problem at all.
So the htaccess code fixes it for me, but this is really something isolated and not an actual problem of the plugin itself.
Thanks a bunch @aitpro for the continuous assistance, and perhaps if anyone ever has a similar issue then I guess they also just need to whitelist it like I’ve done.
Either way thanks and I’ll mark this as resolved.
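As an added example (not the poster’s own htaccess code and not the BPS POST Attack Protection Bonus Custom Code), this is an Apache 2.4 .htaccess block that does the kind of per-file allow-listing discussed in this thread: xmlrpc.php is denied to everyone except an allow-listed source IP or a request carrying the Zapier User-Agent seen in the BPS log. The IP address is a placeholder.

```apache
# Added example for Apache 2.4 (mod_authz_core + mod_setenvif); not BPS code.
# Scope the rule to the single file so the rest of the site is unaffected.
<Files "xmlrpc.php">
    # Flag requests whose User-Agent header starts with "Zapier", as in the
    # BPS log entry above. Any client can send this header, so this only keeps
    # casual scanners away; it is not authentication.
    SetEnvIf User-Agent "^Zapier" allow_xmlrpc=1

    # Default in 2.4 is deny when no Require matches, so everything not listed
    # here gets a 403 (which is what the poster saw before whitelisting).
    <RequireAny>
        # Placeholder for the administrator's own static IP (for testing).
        Require ip 203.0.113.10
        # Requests flagged by the SetEnvIf line above.
        Require env allow_xmlrpc
    </RequireAny>
</Files>
```

The Require ip line is the stronger of the two controls; Zapier’s requests came from a changing EC2 hostname in the log, so in practice the User-Agent match is what lets that integration through, and the xmlrpc credentials plus a rate limit on failed logins are what actually protect the endpoint from brute force.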