GTmetrix gives 403 forbidden error when Falcon Engine enabled
-
When I test a page on GTmetrix when Falcon Engine is enabled I get a 403 forbidden error. If I change the caching to “2-3 times speed increase” GTmetrix works. Is there another setting I need to change? I left pretty much everything at the default settings.
-
Not sure why that would happen but the big problem is why are you running a plugin that stopped development in 2013? The support tickets are unanswered as of a year ago. You might be on the pro version, available at their site, but I don’t see that from your question.
Something you can try is seeing if there are any javascript errors on the page that can’t load. If you are unsure how to do this, follow the instructions HERE
tim
I’m not using a plugin for GTmetrix. I’m testing pages on gtmetrix.com. If I enable Falcon Engine I get a 403 error, if I disable it, it tests fine.
There are no javascript errors when Falcon Engine is enabled. It’s not just on one page – it’s on any page for this site that I test at gtmetrix.com
Aha! I also discovered that while I can view pages in Chrome and Firefox (maybe previously cached pages?), IE (which I seldom use) is giving me 403 errors when Falcon Engine is enabled – and the pages load fine as soon as I disable Falcon Engine and refresh.
What can I check next? I’m using AIOWPSecurity, but no other cache program.
Ah. Now I understand more. What other plugins are you using?
tim
Active plugins:
——————————
Akismet
All In One WP Security
BackWPup
Broken Link Checker
Complete Central Backup
DirtySuds – Embed PDF
Easy Testimonials
Gravity Forms
Insert Pages
jQuery Archive List Widget
Photo Gallery
Print Friendly and PDF
Redirection
Spider FAQ
U-Design Shortcode Insert Button
WordPress SEO
WP-PageNavi
Inactive plugins:
——————————
flickrRSS
Get The Image
Hello Dolly
Revolution Slider
SmartFilter Security
U-Design WooCommerce Integration
WP125
Can you try the JavaScript console and see what shows?
It might be helpful as well to see what errors were being thrown in the error logs.
Thanks
Thanks for your responses and help troubleshooting.
I tried the Javascript console both in FF and Chrome with Falcon Engine enabled – no errors. But, I am not so sure I was viewing a Falcon Engine cached page – more about that below.
Nothing in the error logs either.
Here’s another strange thing. After enabling Falcon Engine again I clicked on several of the site pages and refreshed, then I checked the cache stats and it said nothing was in the cache. This was all in Chrome. I looked at the wfcache folder using FTP and sure enough, nothing was there. Then I opened IE and checked a few pages there. I was able to view three different pages and the FTP window showed three new entries in wfcache. But, the next page I clicked on I got the 403 error message again. Again, this was in IE. The first time I clicked on each of these pages I viewed the page source – but no debug comment. When I tried to go back to those pages I got the 403 error.
In Firefox and in Chrome, I was seeing all of the pages fine with no errors, but I did not see the debug comment when viewing the page source. So, I doubt I was viewing Falcon Engine cached pages.
Hopefully some of this info was helpful. What should I do next?
Thanks!
Can you post the htaccess file here? (make sure nothing sensitive is there). I’m just curious as to what it has.
Thanks!
tim
It is basic with AIOWPSecurity stuff and Falcon Engine.
I’ve replaced the actual domain name with “mydomain”.
AIOWPS does have a lot of 403 redirects to give 403 errors to potential hackers. You would probably know better than I if you see anything that would cause a problem.
I’ll try disabling AIOWPS to see if it makes a difference.
#WFIPBLOCKS - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
Order Deny,Allow
#Do not remove this line. Disable Web Caching in Wordfence to remove this data - WFIPBLOCKS
#WFCACHECODE - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
<IfModule mod_mime.c>
AddOutputFilter DEFLATE js css htm html xml
</IfModule>
</IfModule>
<IfModule mod_mime.c>
AddType text/html .html_gzip
AddEncoding gzip .html_gzip
AddType text/xml .xml_gzip
AddEncoding gzip .xml_gzip
</IfModule>
<IfModule mod_setenvif.c>
SetEnvIfNoCase Request_URI \.html_gzip$ no-gzip
SetEnvIfNoCase Request_URI \.xml_gzip$ no-gzip
</IfModule>
<IfModule mod_headers.c>
Header set Vary "Accept-Encoding, Cookie"
</IfModule>
<IfModule mod_rewrite.c>
#Prevents garbled chars in cached files if there is no default charset.
AddDefaultCharset utf-8
#Cache rules:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} on
RewriteRule .* - [E=WRDFNC_HTTPS:_https]
RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteRule .* - [E=WRDFNC_ENC:_gzip]
RewriteCond %{REQUEST_METHOD} !=POST
RewriteCond %{HTTPS} off
RewriteCond %{QUERY_STRING} ^(?:\d+=\d+)?$
RewriteCond %{REQUEST_URI} (?:\/|\.html)$ [NC]
RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|wf_logout|wordpress_logged_in|wptouch_switch_toggle|wpmp_switcher) [NC]
RewriteCond %{REQUEST_URI} \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$
RewriteCond "%{DOCUMENT_ROOT}/wp-content/wfcache/%{HTTP_HOST}_%1/%2~%3~%4~%5~%6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" -f
RewriteRule \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$ "/wp-content/wfcache/%{HTTP_HOST}_$1/$2~$3~$4~$5~$6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" [L]
</IfModule>
#Do not remove this line. Disable Web caching in Wordfence to remove this data - WFCACHECODE
# BEGIN All In One WP Security
#AIOWPS_BLOCK_WP_FILE_ACCESS_START
<Files license.txt>
order allow,deny
deny from all
</files>
<Files wp-config-sample.php>
order allow,deny
deny from all
</Files>
<Files readme.html>
order allow,deny
deny from all
</Files>
#AIOWPS_BLOCK_WP_FILE_ACCESS_END
#AIOWPS_BASIC_HTACCESS_RULES_START
<Files .htaccess>
order allow,deny
deny from all
</Files>
ServerSignature Off
LimitRequestBody 10240000
<Files wp-config.php>
order allow,deny
deny from all
</Files>
#AIOWPS_BASIC_HTACCESS_RULES_END
#AIOWPS_PINGBACK_HTACCESS_RULES_START
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
#AIOWPS_PINGBACK_HTACCESS_RULES_END
#AIOWPS_DISABLE_INDEX_VIEWS_START
Options -Indexes
#AIOWPS_DISABLE_INDEX_VIEWS_END
#AIOWPS_IP_BLACKLIST_START
Order allow,deny
Allow from all
Deny from 178.93.40.0/24
Deny from 188.162.37.0/24
Deny from 193.105.154.0/24
Deny from 201.209.193.0/24
#AIOWPS_IP_BLACKLIST_END
#AIOWPS_DISABLE_TRACE_TRACK_START
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
#AIOWPS_DISABLE_TRACE_TRACK_END
#AIOWPS_FORBID_PROXY_COMMENTS_START
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]
#AIOWPS_FORBID_PROXY_COMMENTS_END
#AIOWPS_DENY_BAD_QUERY_STRINGS_START
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(request|insert|union|declare|drop) [NC]
RewriteRule ^(.*)$ - [F,L]
#AIOWPS_DENY_BAD_QUERY_STRINGS_END
#AIOWPS_ADVANCED_CHAR_STRING_FILTER_START
<IfModule mod_alias.c>
RedirectMatch 403 \,
RedirectMatch 403 \:
RedirectMatch 403 \;
RedirectMatch 403 \=
RedirectMatch 403 \@
RedirectMatch 403 \[
RedirectMatch 403 \]
RedirectMatch 403 \^
RedirectMatch 403 \
RedirectMatch 403 \{
RedirectMatch 403 \}
RedirectMatch 403 \~
RedirectMatch 403 \"
RedirectMatch 403 \$
RedirectMatch 403 \<
RedirectMatch 403 \>
RedirectMatch 403 \|
RedirectMatch 403 \.\.
RedirectMatch 403 \%0
RedirectMatch 403 \%A
RedirectMatch 403 \%B
RedirectMatch 403 \%C
RedirectMatch 403 \%D
RedirectMatch 403 \%E
RedirectMatch 403 \%F
RedirectMatch 403 \%22
RedirectMatch 403 \%27
RedirectMatch 403 \%28
RedirectMatch 403 \%29
RedirectMatch 403 \%3C
RedirectMatch 403 \%3E
RedirectMatch 403 \%3F
RedirectMatch 403 \%5B
RedirectMatch 403 \%5C
RedirectMatch 403 \%5D
RedirectMatch 403 \%7B
RedirectMatch 403 \%7C
RedirectMatch 403 \%7D
# COMMON PATTERNS
Redirectmatch 403 \_vpi
RedirectMatch 403 \.inc
Redirectmatch 403 xAou6
Redirectmatch 403 db\_name
Redirectmatch 403 select\(
Redirectmatch 403 convert\(
Redirectmatch 403 \/query\/
RedirectMatch 403 ImpEvData
Redirectmatch 403 \.XMLHTTP
Redirectmatch 403 proxydeny
RedirectMatch 403 function\.
Redirectmatch 403 remoteFile
Redirectmatch 403 servername
Redirectmatch 403 \&rptmode\=
Redirectmatch 403 sys\_cpanel
RedirectMatch 403 db\_connect
RedirectMatch 403 doeditconfig
RedirectMatch 403 check\_proxy
Redirectmatch 403 system\_user
Redirectmatch 403 \/\(null\)\/
Redirectmatch 403 clientrequest
Redirectmatch 403 option\_value
RedirectMatch 403 ref\.outcontrol
# SPECIFIC EXPLOITS
RedirectMatch 403 errors\.
RedirectMatch 403 config\.
RedirectMatch 403 include\.
RedirectMatch 403 display\.
RedirectMatch 403 register\.
Redirectmatch 403 password\.
RedirectMatch 403 maincore\.
RedirectMatch 403 authorize\.
Redirectmatch 403 macromates\.
RedirectMatch 403 head\_auth\.
RedirectMatch 403 submit\_links\.
RedirectMatch 403 change\_action\.
Redirectmatch 403 com\_facileforms\/
RedirectMatch 403 admin\_db\_utilities\.
RedirectMatch 403 admin\.webring\.docs\.
Redirectmatch 403 Table\/Latest\/index\.
</IfModule>
#AIOWPS_ADVANCED_CHAR_STRING_FILTER_END
#AIOWPS_FIVE_G_BLACKLIST_START
# 5G BLACKLIST/FIREWALL (2013)
# @ https://perishablepress.com/5g-blacklist-2013/
# 5G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\./|`|='$|=%27$) [NC,OR]
RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
RewriteRule .* - [F]
</IfModule>
# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
# SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
<limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</limit>
</IfModule>
# 5G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (https?|ftp|php)\://
RedirectMatch 403 /(https?|ima|ucp)/
RedirectMatch 403 /(Permanent|Better)$
RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
RedirectMatch 403 \.well\-known/host\-meta
RedirectMatch 403 /function\.array\-rand
RedirectMatch 403 \)\;\$\(this\)\.html\(
RedirectMatch 403 proc/self/environ
RedirectMatch 403 msnbot\.htm\)\.\_
RedirectMatch 403 /ref\.outcontrol
RedirectMatch 403 com\_cropimage
RedirectMatch 403 indonesia\.htm
RedirectMatch 403 \{\$itemURL\}
RedirectMatch 403 function\(\)
RedirectMatch 403 labels\.rdf
RedirectMatch 403 /playing.php
RedirectMatch 403 muieblackcat
</IfModule>
# 5G:[REQUEST METHOD]
<ifModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
#AIOWPS_FIVE_G_BLACKLIST_END
#AIOWPS_BLOCK_SPAMBOTS_START
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?\.inspectprescott\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* https://127.0.0.1 [L]
</IfModule>
#AIOWPS_BLOCK_SPAMBOTS_END
#AIOWPS_PREVENT_IMAGE_HOTLINKS_START
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?\.mydomain\.com [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</IfModule>
#AIOWPS_PREVENT_IMAGE_HOTLINKS_END
# END All In One WP Security
RewriteEngine on
RewriteCond %{HTTP_HOST} ^mydomain\.mydomain\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydomain\.mydomain\.net$
RewriteRule ^/?$ "http\:\/\/www\.mydomain\.com\/" [R=301,L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Sorry, the closing backtick did not work. There must have been a backtick in the code.
Wow. That is one serious htaccess file.
Did disabling the other security plugin help at all?
tim
I figured out the problem. There is one feature in AIOWPS that says:
Advanced Character String Filter
This is an advanced character string filter to prevent malicious string attacks on your site coming from Cross Site Scripting (XSS).
This setting matches for common malicious string patterns and exploits and will produce a 403 error for the hacker attempting the query.
NOTE: Some strings for this setting might break some functionality.
So, one of the lines below is the culprit. Do you know which one of these would cause the problem with Falcon Engine?
#AIOWPS_ADVANCED_CHAR_STRING_FILTER_START
<IfModule mod_alias.c>
RedirectMatch 403 \,
RedirectMatch 403 \:
RedirectMatch 403 \;
RedirectMatch 403 \=
RedirectMatch 403 \@
RedirectMatch 403 \[
RedirectMatch 403 \]
RedirectMatch 403 \^
RedirectMatch 403 \
RedirectMatch 403 \{
RedirectMatch 403 \}
RedirectMatch 403 \~
RedirectMatch 403 \"
RedirectMatch 403 \$
RedirectMatch 403 \<
RedirectMatch 403 \>
RedirectMatch 403 \|
RedirectMatch 403 \.\.
RedirectMatch 403 \%0
RedirectMatch 403 \%A
RedirectMatch 403 \%B
RedirectMatch 403 \%C
RedirectMatch 403 \%D
RedirectMatch 403 \%E
RedirectMatch 403 \%F
RedirectMatch 403 \%22
RedirectMatch 403 \%27
RedirectMatch 403 \%28
RedirectMatch 403 \%29
RedirectMatch 403 \%3C
RedirectMatch 403 \%3E
RedirectMatch 403 \%3F
RedirectMatch 403 \%5B
RedirectMatch 403 \%5C
RedirectMatch 403 \%5D
RedirectMatch 403 \%7B
RedirectMatch 403 \%7C
RedirectMatch 403 \%7D
I inserted an extra backtick this time.
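
One way to narrow down which filter line collides with Falcon Engine, as an added example (not code from the thread or from either plugin): rebuild the cache path that the posted WFCACHECODE RewriteRule produces and test it against the character filter's RedirectMatch patterns. It assumes Apache evaluates RedirectMatch against the rewritten path after the .htaccess internal redirect; the host name and URIs are constructed samples.

```python
import re

# Character patterns copied from the AIOWPS_ADVANCED_CHAR_STRING_FILTER block
# posted in the thread (the one line that lost its character is left out).
FILTER_PATTERNS = (
    r'\, \: \; \= \@ \[ \] \^ \{ \} \~ \" \$ \< \> \| \.\. '
    r'\%0 \%A \%B \%C \%D \%E \%F \%22 \%27 \%28 \%29 \%3C \%3E \%3F '
    r'\%5B \%5C \%5D \%7B \%7C \%7D'
).split()

# Pattern of the Falcon Engine RewriteRule from the posted WFCACHECODE block.
URI_SPLIT = re.compile(
    r"\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$"
)


def falcon_cache_path(host, uri, https=False, gzip=True):
    """Rebuild the rewrite target:
    /wp-content/wfcache/HOST_$1/$2~$3~$4~$5~$6_wfcache<https>.html<enc>
    """
    groups = URI_SPLIT.match(uri).groups()
    return "/wp-content/wfcache/{}_{}/{}_wfcache{}.html{}".format(
        host,
        groups[0],
        "~".join(groups[1:]),
        "_https" if https else "",  # value of WRDFNC_HTTPS
        "_gzip" if gzip else "",    # value of WRDFNC_ENC
    )


def blocking_patterns(url_path):
    """Return every filter pattern that matches the path.
    RedirectMatch regexes are unanchored, so a match anywhere counts."""
    return [p for p in FILTER_PATTERNS if re.search(p, url_path)]


if __name__ == "__main__":
    host = "www.mydomain.com"  # constructed sample host
    for uri in ("/", "/about/", "/services/inspections/"):  # constructed URIs
        cached = falcon_cache_path(host, uri)
        print(uri, "->", blocking_patterns(uri))
        print(cached, "->", blocking_patterns(cached))
```

A pattern that matches the cache path but not the requested URI fits the symptom described in the thread, where a page returns 403 only once a cached copy of it exists in wfcache.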