Title: 403 Error with BPS Version .51.2 Last modified: August 22, 2016 --- # 403 Error with BPS Version .51.2 * Resolved [Gillian](https://wordpress.org/support/users/ridgididgi/) * (@ridgididgi) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/) * After installing version .51.2, whitelisted IPs are being denied access to login( I have to delete .htaccess through ftp, login, then recreate the secure .htaccess). * This is the security log entry. I am using CloudFlare but have whitelisted the IPs using the technique described in [this thread](https://wordpress.org/support/topic/whitelisting-ips-leads-to-403-errors-on-logout?replies=31#post-4677157). My actual IP is being detected but is still being blocked. Everything has worked fine for the last year, and still works fine in BPS version .51.1. * ``` [403 GET / HEAD Request: 18 November 2014 - 1:27 am] Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A - Hacker/Spammer Blocked/Forbidden REMOTE_ADDR: my whitelisted IP Host Name: my whitelisted IP/host SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: my whitelisted IP HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wp-login.php QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; rv:33.0) Gecko/20100101 Firefox/33.0 ``` * [https://wordpress.org/plugins/bulletproof-security/](https://wordpress.org/plugins/bulletproof-security/) Viewing 10 replies - 1 through 10 (of 10 total) * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5490903) * Nothing changed as far as htaccess rules or functionality goes in BPS .51.2. What did change is file structure and the order of code in the root .htaccess file. In other words, there were no changes made in BPS .51.2 that could cause this problem. * So what is probably happening is this: When you did the one-time manual steps in BPS .51.2 your custom code was recreated in your root htaccess file by doing those steps and either your custom code is not correct or it is missing some IP addresses or of course the most obvious thing: your ip address or addresses have changed or are different. * Check your IP based code in Custom Code and make sure it is correct and then do the Custom Code steps again. 1. Edit/correct your custom code. 2. Click the Save Root Custom Code button. 3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode. * Thread Starter [Gillian](https://wordpress.org/support/users/ridgididgi/) * (@ridgididgi) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5490923) * Thanks for your reply. * All IPs are fixed and have definitely not changed. * This is my custom code (actual IPs obscured): * SetEnvIf X-FORWARDED-FOR “^x\.x\.x\.x$” allowedip SetEnvIf X-FORWARDED-FOR “^x\.x\.x\.x$” allowedip SetEnvIf X-FORWARDED-FOR “^ x\.x\.x\.x$” allowedip SetEnvIf X-FORWARDED-FOR “^x\.x\.x\.x$” allowedip * order allow,deny deny from all allow from env=allowedip * I have already re-created and re-activated the secure .htaccess file without success. * I have just cleared the browser (Firefox) cache and cookies (and locked myself out again as a result). * Something else is at play here. * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5490924) * I believe the problem is that you have the SetEnvIf conditions inside of the FilesMatch condition. Also reverse the “Order” directive from Allow,Deny to Deny, Allow since you are only matching the IP conditions and not other things like Server IP, Host, domains, etc. * ``` SetEnvIf X-FORWARDED-FOR "^x\.x\.x\.x$" allowedip SetEnvIf X-FORWARDED-FOR "^x\.x\.x\.x$" allowedip SetEnvIf X-FORWARDED-FOR "^x\.x\.x\.x$" allowedip SetEnvIf X-FORWARDED-FOR "^x\.x\.x\.x$" allowedip Order Deny,Allow Allow from env=allowedip Deny from all ``` * Thread Starter [Gillian](https://wordpress.org/support/users/ridgididgi/) * (@ridgididgi) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5490988) * Thanks, those changes did the trick. * Any idea why the original code I used, which was described by you in [this post](https://wordpress.org/support/topic/whitelisting-ips-leads-to-403-errors-on-logout?replies=31#post-4677871), stopped working when BPS .51.2 was installed? For example, in your original post, you said the correct order was allow,deny and also that _“You can use SetEnvIf X-FORWARDED-FOR inside or outside of the FilesMatch section of code”_. * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5490989) * Looks like most of the example code in that post is good, but yeah there is one bad example in that thread/post. It happens. 😉 * And nope this is not correct: “You can use SetEnvIf X-FORWARDED-FOR inside or outside of the FilesMatch section of code.” I have only used SetEnvIf outside of the FilesMatch condition because it would not work inside the FilesMatch condition for that particular check obviously. * Thread Starter [Gillian](https://wordpress.org/support/users/ridgididgi/) * (@ridgididgi) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5490991) * My point was that with the SetEnvIf X-FORWARDED-FOR _inside_ the FilesMatch section of code, the code worked perfectly for 12 months – it worked, in fact, until I installed BPS .51.2 🙂 * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5490992) * The only logical thing I can think of is that the code was saved to Custom Code, but it did not actually exist in your root htaccess file. * Thread Starter [Gillian](https://wordpress.org/support/users/ridgididgi/) * (@ridgididgi) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5490993) * Nice try, but not correct 🙂 In addition, the custom code as I originally posted it in this thread exists exactly as written in the root .htaccess file on 3 other of my websites which I did not update BPS on once I discovered the issue with 51.2 – those sites are still all using 51.1 at the moment, and I have no problem logging in and out of them. * I suspect there’s some code interaction going on which only became apparent with the changes introduced in 51.2. In any event, I’ve got the code working on 51.2 now thanks to your help 🙂 * Thread Starter [Gillian](https://wordpress.org/support/users/ridgididgi/) * (@ridgididgi) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5491003) * I’ve now updated all my sites to .51.3, so I’m adding to this thread with a bit more info … * After updating the first site (which I had the difficulty with discussed in this thread) I did some experiments. First, I reverted the custom code to the version that was working with .51.1 and logged out. There was a 403 error which locked me out – I removed the .htaccess file and logged back in. Next I tried just changing the “Order” directive from Allow,Deny to Deny,Allow while leaving the SetEnvIf X-FORWARDED-FOR inside the FilesMatch section of code. I logged out again – no 403 error, no lock out, and I was able to log back in. I decided to quit while I was ahead and left the custom code like that. * I then updated all the other sites, one by one, from .51.1 to .51.3, and tested each site in turn. What I found was that _without changing the existing custom code in any of them_ I had no problem logging in and out – no 403 errors appeared. The only difference between the custom code in all these sites and the first site is the order directive: these sites have Allow,Deny whereas, as noted above, the first site now has Deny,Allow. * So, from my experiments it appears: * 1) there is some interaction going on in the first site, be it a plugin or custom code or something else – the problem is fixed by making one change: using Deny, Allow instead of Allow,Deny * 2) having the SetEnvIf X-FORWARDED-FOR inside the FilesMatch section of code works fine * I thought it was worth documenting this because other people using CloudFlare( or another CDN) in conjunction with BPS will need to use SetEnvIf X-FORWARDED- FOR in their custom code – for my sites it doesn’t matter whether this is inside or outside the FilesMatch section of code. * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5491010) * Ok great! Thanks for the helpful info. 🙂 Viewing 10 replies - 1 through 10 (of 10 total) The topic ‘403 Error with BPS Version .51.2’ is closed to new replies. * ![](https://ps.w.org/bulletproof-security/assets/icon-128x128.png?rev=1731938) * [BulletProof Security](https://wordpress.org/plugins/bulletproof-security/) * [Support Threads](https://wordpress.org/support/plugin/bulletproof-security/) * [Active Topics](https://wordpress.org/support/plugin/bulletproof-security/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/bulletproof-security/unresolved/) * [Reviews](https://wordpress.org/support/plugin/bulletproof-security/reviews/) * 10 replies * 2 participants * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/) * Last activity: [11 years, 6 months ago](https://wordpress.org/support/topic/403-error-with-bps-version-512/#post-5491010) * Status: resolved