AITpro
Forum Replies Created
Resolving this topic.
Nah that was all you my friend, but thanks for saying that.
Oh and well done! That was a great catch.
Yep, you are correct SGS stands for SiteGround Security. The wp-content htaccess file is created by the SiteGround Security plugin. BPS automatically checks for wp-content htaccess files since several security plugins create them. If BPS finds an htaccess file in the wp-content folder and it contains htaccess code that blocks all .php files then BPS will automatically create additional bulletproof-security whitelisting htaccess rules in that wp-content htaccess file since those htaccess files will break BPS and other plugins (and apparently themes too) as well.
Check the SGS plugin and look for an option called “wp-content hardening” and turn it off.
Oops yeah I meant for you to retest your rewriterule in the default htaccess file which you figured out. Even though the top of the security log entry says this is a POST request I see this > REQUEST_METHOD: GET. My guess is both POST and GET are being used in the Form. I.e., the form does a GET to do something and also a POST. Typically when a form does both POST and GET the Security Log entry will only capture one of the 403 events because the request is seen as one event. Or in other words, something else (2 things) is being blocked and it is not being logged in the security log.
Figuring out which htaccess security rule is causing the 403 error is time-consuming without seeing a security log entry for clues. Logically it is going to be one of the lines of code (or maybe more) in the BPSQSE BPS QUERY STRING EXPLOITS section of code. To confirm that, copy this code into the 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS text box, overwriting any code in that text box, save your changes and activate Root folder BulletProof mode. You should add the other rewriterule in the 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES text box.
Note: this is all code below, but unfortunately I am unable to format it as code. Known Gutenberg issue.
# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden – Many bad bots use libwww-perl modules, but some
# good bots use it too. Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
Do this test > Deactivate Root Folder BulletProof Mode on the Security Modes page. Test your POST form. If you are seeing a 403 error then add your custom rewriterule code in the top Custom Code text box. Are you using any additional custom htaccess code in any of the BPS Custom Code text boxes? Are you using the BPS POST Attack protection Bonus Custom Code?
To me it looks like you have the rule backwards. Try this rule instead.
# Theme POST request Query String Root htaccess skip/bypass rule
RewriteCond %{QUERY_STRING} request=true(.*) [NC]
RewriteRule . - [S=13]
Did you run the Setup Wizard again after saving your custom code?
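Added example, not part of the original replies and not BPS's own code: a Python model of when the RewriteRule . - [S=13] skip fires for the two RewriteCond forms quoted in these replies, plus a hypothetical anchored variant for comparison. It assumes Python's re behaves like mod_rewrite's PCRE for these simple patterns and that the request path is non-empty so the rule pattern . matches; the sample query strings are constructed.

```python
import re

# (pattern, negated) for each RewriteCond %{QUERY_STRING} form. [NC] -> re.IGNORECASE.
# mod_rewrite conditions are unanchored unless the pattern itself uses ^ or $.
CONDITIONS = {
    # RewriteCond %{QUERY_STRING} request=true(.*) [NC]   (quoted on this page)
    "substring": (r"request=true(.*)", False),
    # RewriteCond %{QUERY_STRING} !^request=true$ [NC]    (quoted on this page)
    "negated": (r"^request=true$", True),
    # Hypothetical tighter form, an assumption added for comparison only
    "anchored": (r"^request=true$", False),
}

# Constructed sample query strings, not taken from any log
SAMPLES = [
    "request=true",
    "REQUEST=True",
    "page=2&request=true&id=7",
    "page=2",
    "",
    "request=false",
]


def skip_fires(name, query_string):
    """True when the condition holds, so RewriteRule . - [S=13] matches
    and the next 13 RewriteRules are skipped for this request."""
    pattern, negated = CONDITIONS[name]
    matched = re.search(pattern, query_string, re.IGNORECASE) is not None
    return matched != negated


def audit(samples=SAMPLES):
    """Map each condition form to the sample query strings that trigger the skip."""
    return {name: [qs for qs in samples if skip_fires(name, qs)]
            for name in CONDITIONS}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name:9} skips the next 13 rules for {len(hits)}/{len(SAMPLES)}: {hits}")
```

The negated form triggers the skip for every sample except an exact request=true query string, while the substring form triggers it for any query string that contains request=true.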
Copy the code below into this Root htaccess file Custom Code text box: 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
Click the Save Root Custom Code button.
Run the Pre-Installation Wizard and Setup Wizard.
Note: if there are already existing whitelist rules in the 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES text box then paste this code above the existing code.
# Theme POST request Query String Root htaccess skip/bypass rule
RewriteCond %{QUERY_STRING} !^request=true$ [NC]
RewriteRule . - [S=13]
Forum: Plugins
In reply to: [BulletProof Security] UnInstalling the Plugin
Assuming all questions have been answered – the thread has been resolved. If the issue/problem is not resolved or you have additional questions about this specific thread topic then you can post them at any time. I still receive email notifications when threads have been resolved.
Forum: Plugins
In reply to: [BulletProof Security] UnInstalling the Plugin
Not sure if this method still works or not but try this.
Uninstall Options
1. An Uninstall Options link is located on the WordPress Plugins page under the BulletProof Security plugin.
2. Clicking the Uninstall Options link loads a jQuery UI Dialog Form with 2 uninstall options.
3. If you are upgrading to BPS Pro, select the BPS Pro Upgrade Uninstall option and click the Save Option button or just click the Close button and do a normal plugin uninstall.
4. If you want to completely delete the BPS plugin, all files, Custom Code and BPS database settings, select the Complete BPS Plugin Uninstall option, click the Save Option button, click the Close button and do a normal plugin uninstall.
Forum: Plugins
In reply to: [BulletProof Security] UnInstalling the Plugin
Yep. You may also want to delete this folder > /wp-content/bps-backup/ if you manually deleted BPS or used the partial uninstall method instead of using the full BPS uninstall method on the WordPress Plugins page.
- This reply was modified 1 month, 3 weeks ago by AITpro.
Forum: Reviews
In reply to: [BulletProof Security] Everything you need in security.
Thanks Syxguns for taking the time to leave a review. Very much appreciated!
Forum: Reviews
In reply to: [BulletProof Security] Bullet Proof your WordPress site!
Thanks Jordan C for taking the time to leave a review. Very much appreciated!
Forum: Reviews
In reply to: [BulletProof Security] Complemento funcional
Thanks rgarciav33 for taking the time to leave a review. Very much appreciated!