Viewing 15 replies - 16 through 30 (of 41 total)
  • Thread Starter webblogsforyou

    (@webblogsforyou)

    @jan Dembowski,

    Hi,

    Thanks for the suggestion and releasing the post about code above.

    Plugin Author AITpro

    (@aitpro)

    Odd stuff. Check your BPS Security Log file and post the 403 error. It will probably just show exactly what is already known, but it is worth looking at for clues. Check your server log file and find the 403 error and post it here.

    Thread Starter webblogsforyou

    (@webblogsforyou)

    There is no security log since July 26, 2014 – 4:57 PM. Here is the status:

    Security Log Status: Logging is Turned On
    Security Log Last Modified Time: July 26, 2014 - 4:57 PM

    And for the server log file, I’ve checked the IIS Raw Logs from my hosting account and there is no 403 error in that file. I’m not sure if this is what you are talking about!

    Plugin Author AITpro

    (@aitpro)

    IIS? This is a Windows IIS server? If so, then the only way htaccess files and code would be working correctly on an IIS server is if your IIS server is using the URL Rewrite Module or ISAPI_Rewrite (see Source below). Go to the BPS System Info page and post this information below about your server.

    Server Type:
    Operating System:
    WP Filesystem API Method:
    Server API:

    Source: https://www.ads-software.com/plugins/bulletproof-security/faq/

    Compatible with Windows IIS Servers – Windows Hosting – See IMPORTANT NOTES below.
    If your IIS Server has ISAPI_Rewrite installed then you CAN use .htaccess files/BulletProof Modes.
    IMPORTANT NOTES: If you have an IIS Server you may or may not be able to use .htaccess files and can only use Login Security & Monitoring. If your IIS Server is using the URL Rewrite Module then you can probably use .htaccess files/BulletProof Modes. If you activate BulletProof Modes and your website crashes then FTP to your website and delete the root .htaccess file and the wp-admin .htaccess file. You will not be able to use .htaccess files on your Server/website and can only use Login Security and the other features in BPS.

    Plugin Author AITpro

    (@aitpro)

    Is this site a Hosted site on a web host or is it a Local Development site? ie installed on WAMP, IIS, XAMPP, etc. on your computer? Is the site publicly accessible on the Internet if it is a Local site? Are you hosting the site Locally?

    Thread Starter webblogsforyou

    (@webblogsforyou)

    It’s a live site. If you want to check, you can check this link: webblogsforyou. My site is publicly accessible on the Internet and hosted on a shared Windows server.

    Plugin Author AITpro

    (@aitpro)

    Ok then what I assume is happening is that either none of the BPS htaccess code and files are actually being recognized by your Windows server or some of the BPS htaccess code is being recognized and other code is not. If you are not seeing BPS Security Log entries then that would mean that this htaccess code: ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php is being ignored/not being recognized by your IIS server. This code is the code that logs Security Log errors in your Security Log file.

    What you need to do at this point is contact your web host and send them the BPS htaccess files and ask them what htaccess code does and does not work on your/their Windows IIS server. Also ask them if they have the URL Rewrite Module or ISAPI_Rewrite installed.

    Plugin Author AITpro

    (@aitpro)

    Is there any particular reason you chose Windows IIS hosting instead of Linux hosting? Do you have ASP applications/software installed that require Windows IIS hosting? Most folks use Linux hosting instead of Windows hosting. Windows IIS servers are typically used for internal computer networks/companies since IIS integrates with Active Directory (AD).

    Thread Starter webblogsforyou

    (@webblogsforyou)

    Here is the needed info from BPS System Info page:

    Server Type: Microsoft-IIS/8.5
    Operating System: WINNT
    WP Filesystem API Method: direct
    Server API: cgi-fcgi CGI Host Server Type

    Thread Starter webblogsforyou

    (@webblogsforyou)

    Yeah, I’d hosted multiple sites on the same server including ASP.NET (allowed max 6 sites), so that’s the reason I’m using a Windows server.

    Plugin Author AITpro

    (@aitpro)

    Ok then check with your host to find out what they do and do not allow/what htaccess code does and does not work on their/your server.

    Plugin Author AITpro

    (@aitpro)

    Or just do this for the Dismiss Notice link issue. Do not activate wp-admin BulletProof Mode. It is optional and not required. That does not solve the ErrorDocument Security Logging issue though. So BPS Security Logging would not work on your particular server, but that makes me wonder which other BPS htaccess code is not doing anything/being ignored. So probably the best thing to do would still be to ask your host what does and does not work/is allowed and is not allowed on your/their particular server.

    Thread Starter webblogsforyou

    (@webblogsforyou)

    OK, I’ll check and let you know if I get any updates from them. Currently I’m assuming my BPS code is not working on my Windows hosting, right?

    If so, is there any other way to run this .htaccess code on my Windows server?

    Plugin Author AITpro

    (@aitpro)

    Well something appears to be working because deleting/deactivating wp-admin BulletProof Mode did something. I’ll use this LiteSpeed server case as an example. LiteSpeed has added support for most of the Apache directives, but not the SetEnv directive (fully anyway – some things are supported). So what that means in the case of LiteSpeed servers is that if you try to use htaccess code like this for example: SetEnvIf Request_URI "/bulletproof-security/403.php$" whitelist the LiteSpeed server ignores the SetEnvIf Apache directive and the result is the code has no effect whatsoever since it is not supported by LiteSpeed servers/is ignored. Or in other words, there is no equivalent LiteSpeed handling/processing done for that Apache directive.

    So my best guess is that some Apache directives are supported on your Windows IIS server and some are not or it is also possible to instruct the server to intentionally ignore Apache directives. ie if the ErrorDocument directive is found in htaccess code/files then ignore it and do not handle/process that directive.

    Since this is a server issue and your website relies on what the server does and does not allow then there is only one approach to take – find out what the server does and does not allow. htaccess files are distributed server configuration files that instruct your server to do something, BUT if your server says “I am not going to do that” or “I cannot do that” then the only approach is – find out what the server does and does not allow.

    Thread Starter webblogsforyou

    (@webblogsforyou)

    Hi AITpro,

    The web hosting company told me to convert all .htaccess code to web.config (the supported configuration file for Windows servers). For that they provided me an automated tool which will do the job for me.

    Reply from Company:

    Our servers are based on Windows, so you need to convert .htaccess to web.config.

    I’m also confused about how to merge two .htaccess files (that is, root & wp-admin) in web.config. I’m wondering if it’ll work or not.

    Should I have to do this?
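
One way to prepare the question for the host that the replies above recommend (an added example, not part of the thread and not BPS code): list which directives each .htaccess file uses, kept per directory because each file applies only to its own directory, and separate mod_rewrite rules from everything else such as ErrorDocument and SetEnvIf. The file contents are constructed samples; only the ErrorDocument and SetEnvIf lines are taken from the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Directives that belong to Apache mod_rewrite; anything else is listed separately.
MOD_REWRITE = {"rewriteengine", "rewritebase", "rewritecond", "rewriterule", "rewriteoptions"}

# Constructed samples, NOT the real BPS files. Only the ErrorDocument and
# SetEnvIf lines are quoted from the thread; the rewrite rules are made up.
ROOT = r"""ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
RewriteRule ^(.*)$ - [F]
</IfModule>
SetEnvIf Request_URI "/bulletproof-security/403.php$" whitelist
"""
WP_ADMIN = ROOT.replace("RewriteBase /", "RewriteBase /wp-admin").replace(
    'SetEnvIf Request_URI "/bulletproof-security/403.php$" whitelist\n', "")

def inventory(text):
    """Count the directives in one .htaccess file, split into three groups."""
    groups = {"rewrite": Counter(), "other": Counter(), "sections": Counter()}
    # Apache joins a line ending in a backslash with the following line.
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("</"):
            continue  # blank line, comment, or closing tag of a section
        section = re.match(r"<\s*([A-Za-z]+)", line)
        if section:  # container such as <IfModule mod_rewrite.c>
            groups["sections"][section.group(1)] += 1
            continue
        name = line.split(None, 1)[0]
        # Directive names are case-insensitive in Apache configuration.
        key = "rewrite" if name.lower() in MOD_REWRITE else "other"
        groups[key][name] += 1
    return groups

def questions_for_host(files):
    """files maps a directory scope to its .htaccess text. Returns sorted
    (scope, directive, count) rows for every non-mod_rewrite directive."""
    rows = []
    for scope, text in files.items():
        rows += [(scope, name, n) for name, n in inventory(text)["other"].items()]
    return sorted(rows)

if __name__ == "__main__":
    for scope, name, n in questions_for_host({"/": ROOT, "/wp-admin": WP_ADMIN}):
        print(f"{scope:10} {name:15} x{n}")
```
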

  • The topic ‘Forbidden Error’ is closed to new replies.