403 Forbidden error workaround

Status
Not open for further replies.

letapk

Member
Messages
39
Reaction score
0
Points
6
A number of users are experiencing "403 Forbidden" related issues on x10hosting. An Internet search will show that this is not exclusive to x10, but seems to be a common problem in the servers of other hosting providers as well.

For what it is worth, the following procedure is a workaround for those users who are able to create new content but unable to modify existing pages in their Wordpress installation.

Basically you need to copy the old page into a new one, and then delete the old one. On my installation, once the new page is created, the 403 message is no longer seen when I modify the new page in the normal way.

However, this is a stop gap measure, and is useful for small sites (like mine) with mostly static content.

1. Log into your Wordpress site with your admin name and password.
2. Select "Pages" on the left sidebar. This will display all the pages on your site.
3. Click the page you want to modify. Wordpress will display it in the editor.
4. On the top of this page is a "Add new" button. Right-click this button and select "Open link in New Tab". This will open a new empty page in the editor in a new tab.
5. Select all content and copy it to the new empty page. Give a title to the page (I used the old title with "2" appended).
6. Publish the new page and delete the old one, which gets moved to Trash, and is still available if required.
7. You will need to ensure that all links pointing to the old page point to the new one. Edit the menus, if required, to reflect the new page.

The new page does not suffer from the "403" issue.

This should help until the good people at x10 are able to resolve the issue on their servers. I hope you guys are working on this, right? Right, of course you are.

With regards,
KP
 

Skizzerz

Contributors
Staff member
Contributors
Messages
2,929
Reaction score
118
Points
63
From the accounts I've seen who have encountered 403 errors in Wordpress, the majority of the time the 403 is occurring is because you are trying to post a <form>, <script>, or <object> tag, which is what is being blocked by our filters. We can disable these filters on a per-account basis, but I'm hesitant to disable them server-wide. A lot of Wordpress hijacks make use of those types of fields; the main attack point would be if you gave someone limited access to post they could post a form and trick you into clicking on it or include some javascript that automates that behind-the-scenes, which could then cause you to inadvertently carry out some admin action such as elevating their access. If you are the only one with the ability to post to your site, that is far less of an issue however.
 

letapk

Member
Messages
39
Reaction score
0
Points
6
You are absolutely right. This is a security related issue, and there can be no compromise on that.

But consider this:
Why should the original content of a page trigger the security rule when a copy of the content in a new page does not?

If the rule is being triggered by content, both the pages should experience from the "403 Forbidden" issue, since their content is identical.

With regards,
KP
 

Skizzerz

Contributors
Staff member
Contributors
Messages
2,929
Reaction score
118
Points
63
That is usually correct, however it is possible that creating a new post differs somehow from editing an existing one such that it doesn't trip the filters (which depends on what the filter is actually looking for). In your case, the issue looks like it stems from your inclusion of the Google Analytics script tag in your post. I disabled the offending rule for your account (it was actually triggering two separate ones which is why the first fix from a different post didn't fully work), but for other people looking at this thread, that is another thing you can check for -- there may be other options for including such content on your blog via plugins as opposed to embedding it in posts. If not, post a new thread and I'll be more than happy to add an exception so you can post your content :)
 

letapk

Member
Messages
39
Reaction score
0
Points
6
Many, many thanks for the fix! I able to modify the pages, at least for now!

I am going to remove the Google Analytics script from all the pages. I could never understand most of the results it displayed anyway.

However, I have a question to ask:
The .htaccess files contained the following lines:
"SecFilterEngine Off
SecFilterScanPOST Off"
which should have prevented the server from tripping on the posts.

Were these rules being ignored? If so, why?

With regards,
KP
 

Skizzerz

Contributors
Staff member
Contributors
Messages
2,929
Reaction score
118
Points
63
Yes, we run ModSecurity 2, which ignores any and all attempts to modify/disable rules in .htaccess
 

letapk

Member
Messages
39
Reaction score
0
Points
6
Ahh..., now I understand

Thank you for your help and time.

With regards,
KP
 
Status
Not open for further replies.
Top