Hotlinking forbidden from CDN

  • Hello

    I am using MaxCDN on my website but the image media is unable to load because the Better WP Security plugin is disabling image hotlinking. For example, an image with the security plugin enabled shows access to the image is Forbidden: https://adv-adlps.netdna-ssl.com/wp-content/uploads/2016/12/email-marketing.jpg

    With the security plugin disabled, however, the image at this path can be seen. My question is how to I turn that off hotlink protection so that the CDN can work with the security plugin enabled? The security plugin is currently disabled.

    My WordPress version is 4.7 and the security plugin is v6.1.1, but it does not matter which version I have there is no setting I can see even in the latest version to disable hotlink protection.

    The CDN is set up correctly and as I say, works fine as long as the security plugin is disabled. Therefore it’s the security plugin that is denying the CDN access to the new paths: https://adv-adlps.netdna-ssl.com/*

    Many thanks,

Viewing 3 replies - 1 through 3 (of 3 total)

  • @artdivision

    There is probably something in the .htaccess file that is blocking those images.

    In order to find out which plugin feature writes the rule(s) that causes the issue you could try and disable the plugin features that add rules to the .htaccess file.

    In the 6.1.1 plugin release there are 4 modules that write to the .htaccess file.

    Start by disabling (if not already) the Default Blacklist (HackRepair.com’s blacklist) setting in the Banned Users module.

    Next if the Ban Lists setting is enabled temporarily save any banned IP addresses listed in the Ban Hosts box. This will allow you to add the IPs back later on in case removing them makes no difference.
    Do the same for any User Agents listed in the Ban User Agents box.

    If that doesn’t help move on to the next module: Hide Backend
    Disable this module.

    If that doesn’t help move on to the next module: System Tweaks
    Disable all the settings one by one. You could disable the module but if the culprit is in this module you still don’t know which setting is causing havoc.

    Still no luck, move on to the next module: WordPress Tweaks
    Only the Comment Spam and XML-RPC settings write to the .htaccess file. So disable those 2.

    If done properly, by this time the plugin will not write any rules into the .htaccess file. You can doublecheck by navigating to the Advanced page and then clickin on the Show Details button of the Server Config Rules module. There should be no rules visible there.

    • This reply was modified 7 years, 4 months ago by pronl.
    Thread Starter artdivision

    (@artdivision)

    Hello

    Many thanks for your help with this. It was the Enable Banned Lists that caused it. Would not have thought to have looked there, I spent all my time going through each option in WordPress and System Tweaks. Is it possible to whitelist the IP of the CDN so I can re-enable the feature?

    Thanks again,

    @artdivision

    Ok, I see. Probably the 404 Detection module that triggered 2 temporary lockouts on the CDN IP and on third banned the IP permanently.

    Simply add the CDN IP(s) to the Lockout White List setting in the Global Settings module.

    Please ignore the following part of the descriptive text underneath the Lockout White List box:

    … and will only prevent a temporary ban. Should a permanent ban be triggered you will still be added to the “Ban Users” list unless the IP address is also white listed in that section.

    It’s bulls*t ??

    The whitelist prevents temporary lockouts for the whitelisted IPs. No (temporary) lockouts means no (permanent) ban.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Hotlinking forbidden from CDN’ is closed to new replies.