Ok, thanks.
Reply To: Is there any use to add the Speed Boost Cache if I use Cloudflare?
Reply To: BPS is blocking referrer with 403 Error
Hi, I checked my custom code sections and I didn’t have anything relating to POST attack / BPS POST Attack Protection Bonus Custom Code.
I hadn’t set up any custom code myself, and as far as I’m aware, the configuration was pretty much default. Section 14 of custom code tab was empty.
I’ve since created a custom entry to try and whitelist these blocked POSTs:
# Custom Code - Referrer Post Whitelist
RewriteCond %{REQUEST_URI} !^.*/creator.php [NC]
RewriteCond %{REQUEST_URI} !^.*/gpx* [NC]
RewriteCond %{REQUEST_URI} !^.*/GPX* [NC]
RewriteCond %{HTTP_REFERER} !^.*referrer* [NC]
And again, this is blocking with a 403 when RBM is activated.
Reply To: BPS is blocking referrer with 403 Error
Ok let me do some testing on a test site. I’ll post a solution once I figure out the issue.
I have a question about this – “This referrer transfers physical files to my server (the server keeps them in the root directory temporarily before doing stuff with them).” When you say root directory do you literally mean your hosting account root folder (/public_html/ or /htdocs/, etc.) or a folder in your hosting account root folder (/public_html/example-folder/, or /htdocs/example-folder/, etc.). The reason I am asking that is because BPS Pro AutoRestore|Quarantine will probably see the files as hacker files and quarantine them, unless temporarily means only seconds before the files are moved somewhere else or whatever else is done with them. If the files are being transferred to a folder such as /public_html/example-folder/, or /htdocs/example-folder/, etc. then the /example-folder/ can be excluded from being checked by AutoRestore|Quarantine.
Reply To: BPS is blocking referrer with 403 Error
The referrer posts a file to a folder under docroot (or at least I have a PHP function which handles this). Docroot would be for example /var/www/html and the folder would be /var/www/html/gpx
It’s strange as I’ve been using with no problems for nearly 2 years! I don’t know if a recent update (whether that’s WP itself or BPS) has tightened up security.
Reply To: BPS is blocking referrer with 403 Error
Since deactivating Root BulletProof Mode allowed the file transfer to work then something in the root htaccess file is causing the block. I assume something changed about how the file transfer is being done and that is what changed that is now being blocked. So give me about 15 minutes to test this and post a solution for you. The POST Request must also be seen as a GET Request by your server or the POST Request does additional things that include a GET Request after/during the POST Request.
Great on the files being transferred to a folder instead of just the literal hosting account root folder. If you run into a problem with AutoRestore|Quarantine quarantining files that are transferred to your /gpx folder then you can create an AutoRestore|Quarantine exclude rule to not check the /gpx folder. You don’t need to do anything now if files are not being quarantined by AutoRestore|Quarantine.
Reply To: BPS is blocking referrer with 403 Error
Test Results:
On my test site the BPS POST Attack Protection Bonus Custom Code blocks the POST Request. When I removed the POST Attack Protection code from the test site and forced a GET Request instead of a POST Request there are 2 BPS Query String Exploits security rules that block the GET Request. So what I think will work is the modified BPS Query String Exploits code below.
1. Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
Note: You may see a Setup Wizard message that says the Setup Wizard needs to be run again. If so, then run the Setup Wizard again.
# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
#RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
#RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
[403 POST Request: July 18, 2019 - 8:59 am]
BPS Pro: 14
WP: 5.2.2
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 127.0.0.1
Host Name: DESKTOP-8TQEKNH
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://demo5.local/post-form.php
REQUEST_URI: /buddypress-code-mods/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
REQUEST BODY: blah4=gpx%3D%253C%253Fxml%2Bversion%253D%25221.0%2522%2Bencoding%253D%2522UTF-8%2522%253F%253E%253Cgpx%2Bversion%253D%25221.1%2522%2B%253D%2522%2Bwith%2B%2522%2Bxsi%253AschemaLocation%253D%2522http%253A%252F%252Fwww..com%252FGPX%252F1%252F1%2Bhttp%253A%252F%252Fwww..com%252FGPX%252F1%252F1%252Fgpx.xsd%2522%2Bxmlns%253D%2522http%253A%252F&Submit-test4=Submit4

[403 GET Request: July 18, 2019 - 9:03 am]
BPS Pro: 14
WP: 5.2.2
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 127.0.0.1
Host Name: DESKTOP-8TQEKNH
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /?gpx=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cgpx+version%3D%221.1%22+%3D%22+with+%22+xsi%3AschemaLocation%3D%22http%3A%2F%2Fwww..com%2FGPX%2F1%2F1+http%3A%2F%2Fwww..com%2FGPX%2F1%2F1%2Fgpx.xsd%22+xmlns%3D%22http%3A%2F
QUERY_STRING: gpx=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cgpx+version%3D%221.1%22+%3D%22+with+%22+xsi%3AschemaLocation%3D%22http%3A%2F%2Fwww..com%2FGPX%2F1%2F1+http%3A%2F%2Fwww..com%2FGPX%2F1%2F1%2Fgpx.xsd%22+xmlns%3D%22http%3A%2F
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Reply To: unable to activate or deactivate BPS Pro
Resolved. Thanks for all the help.
Reply To: BPS is blocking referrer with 403 Error
Thank you, this seems to have worked!
The only thing is now that I’ve added that custom code, executed the preinstallation and setup wizards, I keep getting the BPM setup autofix wizard notification:
BPS Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Notice
One or more of your plugins or your theme requires a BPS Custom Code whitelist rule to be automatically created by the Setup Wizard.
Click this Setup Wizard link and click the Pre-Installation Wizard and Setup Wizard buttons to automatically create BPS Custom Code whitelist rules.
This BPS AutoFix check can be turned Off on the Setup Wizard Options page if you do not want BPS to check for any plugin or theme whitelist rules.
Here’s an extract from my security log – a customer was making a purchase at the time – it all appeared to have been processed successfully and I’ve not been contacted by them to say there was anything wrong with the transaction. However, a lot of 403 errors appear to be getting generated.
[403 GET Request: July 19, 2019 - 09:20]
BPS Pro: 14
WP: 5.2.2
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 103.21.23.106
Host Name: mail.lewis.com.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://printmyroute.xyz/my-account/lost-password/?show-reset-form=true
REQUEST_URI: /wp-content/plugins/mailchimp-for-woocommerce/public/js/mailchimp-woocommerce-public.min.js?ver=2.1.17
QUERY_STRING: ver=2.1.17
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

[403 GET Request: July 19, 2019 - 09:20]
BPS Pro: 14
WP: 5.2.2
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 103.21.23.106
Host Name: mail.lewis.com.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://printmyroute.xyz/my-account/lost-password/?show-reset-form=true
REQUEST_URI: /wp-content/plugins/woocommerce/assets/js/jquery-tiptip/jquery.tipTip.min.js?ver=3.6.5
QUERY_STRING: ver=3.6.5
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

[403 GET Request: July 19, 2019 - 09:20]
BPS Pro: 14
WP: 5.2.2
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 103.21.23.106
Host Name: mail.lewis.com.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://printmyroute.xyz/my-account/lost-password/?show-reset-form=true
REQUEST_URI: /wp-content/plugins/woocommerce/assets/js/selectWoo/selectWoo.full.min.js?ver=1.0.6
QUERY_STRING: ver=1.0.6
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

[403 GET Request: July 19, 2019 - 09:20]
BPS Pro: 14
WP: 5.2.2
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 103.21.23.106
Host Name: mail.lewis.com.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://printmyroute.xyz/my-account/lost-password/?show-reset-form=true
REQUEST_URI: /wp-content/plugins/wp-gdpr-compliance/assets/js/front.js?ver=1559644983
QUERY_STRING: ver=1559644983
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

[403 GET Request: July 19, 2019 - 09:20]
BPS Pro: 14
WP: 5.2.2
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 103.21.23.106
Host Name: mail.lewis.com.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://printmyroute.xyz/my-account/lost-password/?show-reset-form=true
REQUEST_URI: /wp-content/plugins/woocommerce/assets/js/frontend/password-strength-meter.min.js?ver=3.6.5
QUERY_STRING: ver=3.6.5
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Reply To: BPS is blocking referrer with 403 Error
While checking your site to test these Security Log errors I came across what I am pretty sure is a security vulnerability in your GPX Creator. At bare minimum what I found allows me to bypass the Protected: GPX Creator password protected page and upload .gpx and .xml files to your website. The GPX upload form did not allow me to upload a test hacker file (not an actual real hacker file and just a simulated non-dangerous test hacker file for testing). So the security vulnerability is a technicality vulnerability and not a serious threat to your website security. I don’t want to post any information publicly regarding this issue. Contact me directly via email: info at ait-pro dot com so that I can fill you in on exactly what I found.
Regarding the BPS Setup Wizard AutoFix issue and the original problem: What must be happening is the modified BPS Query String Exploits code that I posted above is probably confusing the BPS Setup Wizard AutoFix feature. Do these steps below.
1. Go to BPS Custom Code and delete the BPS Query String Exploits code from the 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS text box.
2. Click the Save Root Custom Code button.
3. Run the BPS Pro Pre-Installation Wizard and Setup Wizard again.
4. Go to BPS Custom Code and copy the new BPS Query String Exploits code that you should see in Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS (see steps #5 and #6 below).
5. If you do NOT see any new BPS Query String Exploits code in the Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS then stop here and let me know that.
6. If you DO see new BPS Query String Exploits code in the Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS then copy the new BPS Query String Exploits code and post that code in your forum reply so that I can see what the issue is and modify the code you post to include the new fix for the original gpx file transfer problem.
BPS Pro is blocking my search
Hi,
I noticed this error in my security log:
[403 GET Request: July 20, 2019 7:22 pm]
BPS Pro: 14
WP: 5.2.2
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: <deleted>
Host Name:
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED: <deleted>
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP: <deleted>
REQUEST_METHOD: GET
HTTP_REFERER: <deleted>
REQUEST_URI: /?select=Women%27s&lp_s_loc=861&lp_s_tag=&lp_s_cat=842&s=home&post_type=listing
QUERY_STRING: select=Women%27s&lp_s_loc=861&lp_s_tag=&lp_s_cat=842&s=home&post_type=listing
HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
This is me, though, making the search.
And I get this error:
“403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.”
How can I fix this?
Thanks.
Reply To: BPS Pro is blocking my search
The apostrophe/single quote code character is being blocked.
Solution for allowing apostrophes/single quote code characters in search forms on the frontend of your website: http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939
Solution for allowing apostrophes/single quote code characters in search forms on the backend of your website: http://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372
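Added example (not part of the original posts and not BPS code): the QUERY_STRING conditions from the modified BPSQSE block posted earlier in this thread, run against the two query strings from the Security Log entries above, to show which condition produces each 403. Python's `re` stands in for Apache's regex engine, only the QUERY_STRING conditions are evaluated, and the names `load_conditions` and `matching` are made up for this sketch.

```python
import re

# QUERY_STRING conditions copied from the modified BPSQSE block posted in this thread.
# The two lines starting with "#" are the ones that block comments out.
BPSQSE = r"""
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
#RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
#RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
"""

COND = re.compile(r"^(#?)RewriteCond %\{QUERY_STRING\} (\S+) \[([A-Z,]+)\]$")

def load_conditions(text=BPSQSE):
    """Parse each line into (pattern, compiled regex, commented_out)."""
    conds = []
    for line in text.strip().splitlines():
        m = COND.match(line.strip())
        if not m:
            raise ValueError("unparsed line: " + line)
        hashed, pattern, flags = m.groups()
        nocase = re.IGNORECASE if "NC" in flags.split(",") else 0  # [NC] = no case
        conds.append((pattern, re.compile(pattern, nocase), bool(hashed)))
    return conds

def matching(query_string, include_commented=True):
    """Patterns that hit the raw query string (mod_rewrite does not URL-decode it)."""
    return [p for p, rx, off in load_conditions()
            if (include_commented or not off) and rx.search(query_string)]

# Query strings taken from the Security Log entries quoted in this thread.
GPX_QS = ("gpx=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cgpx+version%3D%221.1%22"
          "+%3D%22+with+%22+xsi%3AschemaLocation%3D%22http%3A%2F%2Fwww..com%2FGPX%2F1%2F1"
          "+http%3A%2F%2Fwww..com%2FGPX%2F1%2F1%2Fgpx.xsd%22+xmlns%3D%22http%3A%2F")
SEARCH_QS = "select=Women%27s&lp_s_loc=861&lp_s_tag=&lp_s_cat=842&s=home&post_type=listing"

if __name__ == "__main__":
    for name, qs in (("gpx upload", GPX_QS), ("listing search", SEARCH_QS)):
        print(name)
        print("  every condition active   :", matching(qs))
        print("  two lines commented out  :", matching(qs, include_commented=False))
```

For both logged requests the only hits are the conditions that the modified block comments out. Those conditions apply to every URL the htaccess file covers, so commenting them out removes that filter site-wide, not only for the GPX form or the search page.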
Reply To: BPS Pro is blocking my search
Thanks. But, I already copied that into my Custom Code.
Reply To: BPS Pro is blocking my search
Did you do the rest of the Custom Code steps? i.e. Save your custom code and activate Root folder BulletProof Mode again?
Reply To: BPS Pro is blocking my search
Sorry, I copied the wrong code. It works now.
Thanks!
Reply To: Plugin Firewall Whitelist Rules not being added
Ok your website is currently under a massive brute force attack. That would explain the delay in Plugin Firewall AutoPilot Mode not creating the whitelist rules right away. When a website is under a massive brute force attack and you have the BPS Pro plugin installed you and your visitors will not notice any difference in website performance, but things like AutoPilot Mode are going to be adversely affected temporarily. Brute force attacks can last minutes to days. You do not need to do anything since BPS Pro is already handling the brute force attack. Your website is safe and there is nothing further that needs to be done and you don’t need to worry about this at all.
Reply To: Plugin Firewall Whitelist Rules not being added
I put the Plugin Firewall in Test Mode to speed up Plugin Firewall AutoPilot Mode whitelist rule creation and it is working fine even though your site is being attacked right now.
Reply To: Plugin Firewall Whitelist Rules not being added
So, how do you know it’s under attack? Is it just based on the attempts of logins to wp-login.php? Because, yes, I see a ton of log entries for that.
Reply To: Plugin Firewall Whitelist Rules not being added
Well the brute force attack is not as big as I thought. Yep, you can tell your site is under a brute force attack by checking the BPS Security Log. When you see several Security Log entries being logged every second continuously then yep a brute force bot attack is occurring on your website. The bots are hitting your Login page and your xml-rpc.php file continuously.
Ok the 3 problems are fixed and I found 1 other issue, which is your wp-config.php file was quarantined, but I checked the wp-config.php file in Quarantine and did not see any differences in the code in the file. I assume you were manually editing your wp-config.php file or maybe another plugin or your theme was adding or removing code or just doing a flush. If you were manually editing your wp-config.php file then you can use the AutoRestore|Quarantine Standard Procedural Steps when manually modifying files method > http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#procedural-steps or just Restore files in Quarantine after you edit them manually.
I will post the forum links to the fixes I did with additional help info in a minute.
Reply To: Plugin Firewall Whitelist Rules not being added
1. The Plugin Firewall is blocking plugin .js scripts and AutoPilot Mode is not automatically whitelisting those .js scripts.
Solution: No solution needed. Most likely since the site is currently undergoing a significant brute force attack then Plugin Firewall AutoPilot Mode may have been temporarily impacted. Plugin Firewall AutoPilot Mode is automatically creating new whitelist rules successfully. Note: I turned On Plugin Firewall Test Mode to speed up the process of adding any new additional Plugin Firewall whitelist rules.
2. It appears that you are using the BPS POST Attack Bonus Custom Code and need to add an additional whitelist rule for this Query String: wc-ajax=get_refreshed_fragments
Solution: Added the 2 new Query String whitelist rules (in bold font below) in your existing BPS POST Attack Protection Bonus Custom Code and moved the POST Attack Protection code into this Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START.
Forum Solution Reference Link: https://forum.ait-pro.com/forums/topic/whitelist-monarch-plugin/#post-37359
# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist WP JSON POST Requests by Query String
RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Jetpack JSON POST Request
RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Example 1: Whitelist Star Rating Calculator POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
# Whitelist WooCommerce POST Request to Root URI by Query String
RewriteCond %{QUERY_STRING} !^wc-ajax=(.*) [NC]
# Whitelist WooCommerce POST Request to Root URI by Query String
RewriteCond %{QUERY_STRING} !^wc-api=(.*) [NC]
RewriteRule ^(.*)$ - [F]
3. You need to add a wp-admin htaccess file whitelist rule for the WP admin-ajax.php file and/or this Query String: action=quick_preivew
Solution: Added an admin-ajax.php file skip rule in BPS wp-admin Custom Code.
Forum Solution Reference Link: https://forum.ait-pro.com/forums/topic/nextgen-gallery-pro-post-request-blocked/#post-35621
Reply To: Plugin Firewall Whitelist Rules not being added
So, I noticed the quarantine as well, after the theme developer logged in a day or two ago. I forgot to tell him about BPS Pro.
I just restored the file because I figured he didn’t know about it and made a change to the file.
As for the brute force attack, it does seem big. The security log file has over 900 requests for the wp-login.php file from late this morning and it’s increased another 120k just from reading your last message!
I had copied the log and then deleted it because I noticed it was increasing in size so fast.
Feature Request? Maybe you could add a limit size to the log, that the user can set, so that in cases like this the file size doesn’t get too big.