
Custom code 403 Forbidden error

On trying to save the deflate code in box 1 of the Custom Code for the root htaccess file I get a 403 error. This happens on several sites with different plugins and themes. The code is below; please advise on what may be preventing this code from being added to the htaccess file through Custom Code in BPS. I can add it manually and it works, but of course that would be overwritten in an update.

<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>

Reply To: Custom code 403 Forbidden error

That is a very common ModSecurity problem.  The ModSecurity OWASP CRS Ruleset breaks the BPS Custom Code Forms and many other Forms in BPS.  We are currently redesigning BPS to be “ModSecurity Proof”.  We will be releasing a new BPS and BPS Pro version in 5-10 days.  For now you will need to manually edit your Root htaccess file via your web host control panel file manager or FTP.  Note: For the last year we have been advising folks to contact their web host support folks to create ModSecurity whitelist rules.  That has been a complete failure and waste of time since 90% of the time web host support techs think they have fixed the ModSecurity problem, but it is not fixed or they do not have any idea how to fix the ModSecurity problems.  So don’t even bother contacting your web host support folks.

Ongoing ModSecurity Problems Related Topics:
https://forum.ait-pro.com/forums/topic/mod-security-common-known-problems/
https://forum.ait-pro.com/forums/topic/xampp-mod-security-setup-owasp-modsecurity-core-rule-set-setup/
https://wordpress.org/support/topic/custom-code-security-logging-setup-wizard-htaccess-file-editor-not-working/

Dev Server: BPS broken after repeated deactivations

Hello!

I need guidance on how to best reinstate BPS Pro after another dev deactivated it multiple times.

I can’t enable without the Firewall / Plugin Firewall blocking core functions.

Should I just erase everything and start again?

Reply To: Dev Server: BPS broken after repeated deactivations

Yep, the most logical thing to try first would be to manually delete the /plugins/bulletproof-security/ plugin folder and the Plugin Firewall htaccess file /plugins/.htaccess.  Then re-install BPS Pro using the WordPress Plugin Upload Zip installer.  Then run the BPS Pro Setup Wizard.  If the same problem still exists then you will have to uninstall BPS Pro and re-install BPS Pro.

Reply To: Dev Server: BPS broken after repeated deactivations

After trying to delete the BPS plugin folder and also the plugin htaccess, and also the plugin from the WP dashboard, I’m still not able to activate the plugin. I get the error below, which indicates that the system is counting the unique plugin folder names and iterating (I’ve tried a few times, as you can see).

Do I need to delete tables from the DB?

Warning: require_once(/public_html/wp-content/plugins/bulletproof-security/includes/class.php): failed to open stream: No such file or directory in /public_html/wp-content/plugins/bulletproof-security2-1/bulletproof-security.php on line 95

Fatal error: require_once(): Failed opening required '/public_html/wp-content/plugins/bulletproof-security/includes/class.php' (include_path='.:/usr/local/lsws/lsphp71/share/pear:/usr/local/lsws/lsphp71/share/php:/usr/share/pear:/usr/share/php') in /public_html/wp-content/plugins/bulletproof-security2-1/bulletproof-security.php on line 95

Reply To: Dev Server: BPS broken after repeated deactivations

That is a caching issue with PclZip (The WordPress Plugin Upload Zip installer).  Use FTP or your web host control panel file manager and rename the /bulletproof-security2-1/ folder name to /bulletproof-security/.  Then go to the WordPress Plugins page and activate the BPS Pro plugin.

Reply To: Dev Server: BPS broken after repeated deactivations

I did try that step, and the plugin activation failed, reporting that the folder did not exist, as if it were looking for the numbered BPS folder… then I started getting a fatal PHP error.

Reply To: Dev Server: BPS broken after repeated deactivations

Ok well that usually works.  Double check that you are renaming the correct BPS Plugin folder and double check that all caches have been cleared.  You should also try logging out of your website and closing and reopening your Browser (all Windows and all Tabs).  Then relaunch your Browser, login to your website, go to the WordPress Plugins page and activate BPS Pro.

Also I just thought of another possible problem.  The name of the BPS Pro zip file MUST be bulletproof-security.zip (the BPS Pro zip file saved on your computer) when you install the BPS Pro zip file using the WordPress Plugins Upload Zip installer.


Reply To: Dev Server: BPS broken after repeated deactivations

Wow, that was it, having downloaded multiple Pro Zips over the month of dev.  Thanks for helping find this easy one!

Reply To: Dev Server: BPS broken after repeated deactivations

No problem and yeah I’ve done that boo boo before myself. 😉

How To Protect Upload Images in BPS

Greetings BPS,

I encounter a security issue.

My website handles registration for guests (I run an accommodation business).

Eventually, all guests’ images are scanned and uploaded via our website.

All the images are saved in the WordPress uploads folder as usual.

Other users will not be able to view any files at the link beside >>>>>    https://xxxxxxx.com/wp-content/uploads/2019/08/

However, a user can view a file IF the user specifies the link like below:

https://xxxx.com/wp-content/uploads/2019/08/image.jpg

Is it possible to add code to block the images from being viewable?

Please advise.

Best regards,

Alex

Reply To: How To Protect Upload Images in BPS

You can protect images so that no one including yourself or your website can display them.  You can protect images by allowing them to only be viewed by logged in users.  You can protect images by using a membership plugin or theme.

If you want to display images anywhere on your website then the only protection you can use is something like adding a watermark to images.  What exactly do you want to do with images?  i.e. do you want to display them on your website or not display them on your website?  Are the image files only used for something like a person submitting an image to be used as an example to do some sort of job or service?  i.e. Vehicle Wrap or Sign work examples.

Reply To: How To Protect Upload Images in BPS

Greeting BPS,

To be specific, all the newly uploaded images are guests’ ID documents, which the hotel keeps as a copy during check-in.

The ID is only for personal reference. It is risky if users know how to access it, for example via the whole link.

Reply To: How To Protect Upload Images in BPS

Ok so what you need to do is this.  Whatever upload form (plugin or theme) you are using you need to change the folder path option setting for where these images are stored under the hosting account.  Good examples:  /wp-content/ID/ or /wp-content/uploads/ID/.  Then you need to manually copy the /wp-content/bps-backup/.htaccess file to your new ID folder.  The BPS Backup folder htaccess file denies Browser access to all files in the directory/folder that you put the htaccess file in and where you are now storing uploaded ID images.

Reply To: XAMPP Mod Security Setup – OWASP ModSecurity Core Rule Set setup

OWASP ModSecurity CRS testing, troubleshooting, solutions and pending redesign work for the BPS and BPS Pro Plugins:

Major Redesign|ModSecurity CRS Proofing:  The OWASP ModSecurity Core Rule Set installed on cPanel breaks numerous Forms/Features/Pages and other things in the BPS and BPS Pro plugins:  A list of broken/fixed/pending Forms/Features/Pages is below.  In order to speed up the process of getting new BPS and BPS Pro versions released as quickly as possible we are fixing the most critical broken Forms/Features/Pages first and will be releasing several BPS and BPS Pro version releases in stages until all BPS and BPS Pro Forms/Features/Pages are no longer being broken by the OWASP Mod Security CRS Ruleset installed on cPanel.

Solution Methods used:

New:  ModSecurity CRS falsely sees legitimate htaccess code Form data as a threat.  JavaScript Encryption|Decryption and PHP openssl_encrypt|openssl_decrypt to encrypt and decrypt htaccess code submitted in various BPS Forms that save and submit htaccess code. Form data is encrypted in POST Form submission to evade/bypass ModSecurity CRS detection and decrypted in the Form processing code.

New:  ModSecurity CRS falsely sees some log file data as a threat. View Log buttons added to BPS Plugin pages with log files to allow BPS Plugin Page loading instead of loading Log files in an open state when loading BPS Plugin pages that contain log files.  Pending additional log file data encryption|decryption redesign work for some BPS Plugin log file pages.

Pending:  ModSecurity CRS falsely sees BPS Plugin page Body Response/Source Code as a threat. BPS Plugin page Body Response design for various BPS Plugin pages due to ModSecurity CRS detecting help text and BPS Plugin option setting names in the page Body/Source Code as malicious and blocking BPS Plugin pages from loading.  Limiting the amount of false positives that ModSecurity CRS Anomaly Scoring sees in the Body Response/Source Code by breaking up BPS Plugin pages so that limited Response Body data/Source Code is outputted should allow the broken BPS Plugin pages to load by falling under the ModSecurity CRS Anomaly Scoring threshold number that blocks BPS Plugin pages from loading.

Security Modes Page:
Root Folder BulletProof Mode (RBM) Activate Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Root Folder BulletProof Mode (RBM) Deactivate Form: ModSecurity CRS Proofed – Encryption|Decryption completed
wp-admin Folder BulletProof Mode (WBM) Activate Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Plugin Firewall BulletProof Mode (PFW) Activate Form (BPS Pro): ModSecurity CRS Proofed – Encryption|Decryption completed
Uploads Anti-Exploit Guard BulletProof Mode (UAEG) Form (BPS Pro): ModSecurity CRS Proofed – Encryption|Decryption completed

Details: These Forms now decrypt encrypted htaccess code in the WP Database before processing file writing.

Custom Code Page:
Root Custom Code Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Wp-admin Custom Code Form: ModSecurity CRS Proofed – Encryption|Decryption completed
UAEG Custom Code Form (BPS Pro): ModSecurity CRS Proofed – Encryption|Decryption completed
Custom Code Export Form: ModSecurity CRS Proofed – Encryption|Decryption completed

Details: ModSecurity CRS falsely sees legitimate htaccess code as malicious. BPS now uses encryption and decryption in these Forms to evade/bypass ModSecurity CRS detection.

htaccess File Editor Page:
secure.htaccess Form: ModSecurity CRS Proofed – Encryption|Decryption completed
default.htaccess Form: ModSecurity CRS Proofed – Encryption|Decryption completed
wpadmin-secure.htaccess Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Your Current Plugins htaccess File Form (BPS Pro): ModSecurity CRS Proofed – Encryption|Decryption completed
Your Current Uploads htaccess File Form (BPS Pro): ModSecurity CRS Proofed – Encryption|Decryption completed
Your Current Root htaccess File Form: ModSecurity CRS Proofed – Encryption|Decryption completed
Your Current wp-admin htaccess File Form: ModSecurity CRS Proofed – Encryption|Decryption completed

Details: ModSecurity CRS falsely sees legitimate htaccess code as malicious. BPS now uses encryption and decryption in these Forms to evade/bypass ModSecurity CRS detection.

My Notes Page:
My Notes Form: ModSecurity CRS Proofed – Encryption|Decryption completed

Details: ModSecurity CRS falsely sees legitimate htaccess code as malicious. BPS now uses encryption and decryption in these Forms to evade/bypass ModSecurity CRS detection.

Security Log Page:
Security Log Form: Partially ModSecurity CRS Proofed – View Log button added to allow the Security Log page to load. Pending further Log file data encryption|decryption redesign work.

Details: ModSecurity CRS sees legitimate Security Log errors logged in the Security Log as malicious. The Security Log now has a View Log button to allow the Security Log page to load. Pending additional redesign work to encrypt and decrypt log file data to allow viewing the Security Log file data. Pending further Log file data encryption|decryption redesign work.

Quarantine Page (BPS Pro):
View File Form: Pending additional redesign work
Restore File Form: Pending additional redesign work
Delete File Form: Pending additional redesign work

Details: ModSecurity CRS falsely sees legitimate file names and legitimate code in files in Quarantine as malicious when trying to view, restore or delete particular files in Quarantine. Pending additional redesign work.

System Info Page:
System Info Page Data Output: Pending additional redesign work

Details: The BPS System page is inaccessible due to ModSecurity CRS falsely seeing legitimate data output as malicious. Pending additional redesign work.

PHP Error Log Page (BPS Pro):
PHP Error Log Form: Partially ModSecurity CRS Proofed – View Log button added to allow the PHP Error Log page to load. Pending further Log file data encryption|decryption redesign work.
PHP Error Log Page: Pending additional redesign work

Details: ModSecurity CRS sees legitimate PHP errors logged in the PHP Error Log as malicious. The PHP Error Log now has a View Log button to allow the PHP Error Log page to load. Pending additional redesign work to encrypt and decrypt log file data to allow viewing PHP Error log file data. ModSecurity CRS also looks at the Response Body output/Source Code of the PHP Error Log page itself and is falsely seeing BPS option setting names and help text as malicious. Pending further Log file data encryption|decryption redesign work. Pending additional Response Body/Page redesign work.


Royal Mail Click and Drop – 403 error

I’m trying to integrate a postal service (Royal Mail, Click and Drop) with Woocommerce. Clicking the link RM provide to do this I get an error page:

xxxxxxx.com 403 Forbidden Error Page

If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.

IP Address: xx.xx.xxx.xx

Checking the BPS logs, the integration is being blocked by BPS (see below). What should I do about this? Is there a way to allow it through? I’ve tried disabling BPS temporarily, but that doesn’t solve it, I suspect because it doesn’t remove the .htaccess and its rules.

[403 GET Request: August 27, 2019 - 11:59 am]
BPS: 3.6
WP: 5.2.2
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: GDPR Compliance On
Host Name: xxxxxxxxxxxxxxxx.cable.virginm.net
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER: https://business.parcel.royalmail.com/settings/channels/
REQUEST_URI: /wc-auth/v1/authorize?app_name=Click-and-Drop&user_id=xxxxxxxxxxxxxxxxxxxx&return_url=https://business.parcel.royalmail.com/woocommerce/complete&callback_url=https://business.parcel.royalmail.com/woocommerce/callback/&scope=read_write
QUERY_STRING: app_name=Click-and-Drop&user_id=xxxxxxxxxxxxxxxxxxxxxxx&return_url=https://business.parcel.royalmail.com/woocommerce/complete&callback_url=https://business.parcel.royalmail.com/woocommerce/callback/&scope=read_write
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36

Reply To: Royal Mail Click and Drop – 403 error

The Query String is simulating an RFI hacking attempt, which is being blocked.

1. Copy the modified BPS Query String Exploits code below into this BPS Root Custom Code text box:  12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
2. Click the Encrypt Custom Code button – You only need to do this step if your web host has ModSecurity CRS installed and you are unable to save your custom code.
3. Click the Save Root Custom Code button to save your Root custom code.
4. Go to the BPS Setup Wizard page and run the Setup Wizard.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker. 
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
#RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
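As an added worked check (written for this page; it is not BPS code and not part of the reply above), the Python script below replays the QUERY_STRING conditions from the ruleset above using Python's `re` module, which is close enough to Apache's PCRE for these patterns. Only a subset of the active conditions is included, plus the three the reply comments out. It runs three inputs against the original chain and the modified one: the query string from the Royal Mail log entry in this thread, a constructed RFI probe (not taken from any log on this page), and a shortened copy of the query string from the Motopress Hotel Booking post further down this page. It shows why the Click and Drop handshake was blocked (`return_url=https://...` trips the two `http` conditions), that commenting those out is what lets it through, and the cost of doing so: a plain `page=http://...` remote-file-include probe now passes the query-string filter too, so any code that loads URLs from request parameters has to validate them itself. The Motopress `Next+%3E` value, run against these root rules, is caught by the two conditions that look for an encoded `>`; the wp-admin ruleset that produced its WPADMIN-SBR event is not on this page.

```python
"""Replay BPSQSE QUERY_STRING conditions against sample query strings.

Added example for this page, not BPS plugin code. Apache RewriteCond patterns are
re-run with Python's `re` module; [NC] maps to re.IGNORECASE.
"""
import re

# Subset of the conditions that stay active in the modified ruleset above.
# The GLOBALS/_REQUEST conditions carry no [NC] and stay case-sensitive.
ACTIVE = [
    (r"[a-zA-Z0-9_]=(\.\.//?)+", re.I),
    (r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", re.I),
    (r"ftp\:", re.I),
    (r"^(.*)cPath=(http|https)://(.*)$", re.I),
    (r"(\<|%3C).*script.*(\>|%3E)", re.I),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"^.*(\(|\)|<|>|%3c|%3e).*", re.I),
    (r"(localhost|loopback|127\.0\.0\.1)", re.I),
    (r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", re.I),
    (r"union([^s]*s)+elect", re.I),
    (r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
     r"(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode)", re.I),
]

# The three conditions the reply disables with a leading '#'.
COMMENTED_OUT = [
    (r"[a-zA-Z0-9_]=(http|https)://", re.I),
    (r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", re.I),
    (r"(http|https)\:", re.I),
]
ORIGINAL = ACTIVE + COMMENTED_OUT  # the unmodified chain


def matching_conditions(query_string, rules):
    """Patterns in `rules` that fire on `query_string` (RewriteCond does an unanchored search)."""
    return [pattern for pattern, flags in rules if re.search(pattern, query_string, flags)]


def blocked(query_string, rules):
    """The chain is [OR]-joined, so one hit reaches `RewriteRule ^(.*)$ - [F]` and gives a 403."""
    return bool(matching_conditions(query_string, rules))


# Query string from the Royal Mail Click and Drop log entry above (IDs already masked in the post).
ROYAL_MAIL = ("app_name=Click-and-Drop&user_id=xxxxxxxxxxxxxxxxxxxxxxx"
              "&return_url=https://business.parcel.royalmail.com/woocommerce/complete"
              "&callback_url=https://business.parcel.royalmail.com/woocommerce/callback/&scope=read_write")

# Constructed remote-file-include probe; not from any log on this page.
RFI_PROBE = "page=http://attacker.invalid/shell.txt"

# Shortened copy of the query string from the Motopress Hotel Booking post further down this page.
MOTOPRESS = ("page=mphb_calendar&mphb_bookings_calendar%5Broom_type_id%5D=0"
             "&mphb_bookings_calendar%5Bperiod%5D=month"
             "&mphb_bookings_calendar%5Baction_period_next%5D=Next+%3E")


if __name__ == "__main__":
    for name, qs in [("Royal Mail", ROYAL_MAIL), ("RFI probe", RFI_PROBE), ("Motopress", MOTOPRESS)]:
        print(name)
        for label, rules in (("original", ORIGINAL), ("modified", ACTIVE)):
            verdict = "403" if blocked(qs, rules) else "allowed"
            print(f"  {label} ruleset: {verdict} {matching_conditions(qs, rules)}")
```

Run it as a script to see the verdict and the firing patterns per input; to test another URL, paste its QUERY_STRING value from the BPS Security Log into the list at the bottom.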


Popup Maker plugin being flagged with 403

Hi guys,
I’ve just upgraded to pro and have an issue with the popup maker plugin triggering a 403 pretty much every time someone opens a page on my site:

[403 GET Request: 28th August 2019 - 3:37 pm]
BPS Pro: 14
WP: 5.2.2
Event Code: UAEGWR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
REMOTE_ADDR: GDPR Compliance On
Host Name: 45.63.19.241.vultr.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER: https://unplugrentals.com/vehicles/avan-aspire-555-db-ap-2019/
REQUEST_URI: /wp-content/uploads/pum/pum-site-scripts.js?defer&generated=1566958975&ver=1.8.11
QUERY_STRING: defer&generated=1566958975&ver=1.8.11
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

I’ve tried to whitelist the file and the folder in the UAEG section (LiteSpeed server), see below, but it is still being flagged.

# Matched against the path relative to /wp-content/uploads/ (assumed location of the UAEG htaccess file), so no leading
# "/uploads/", and "\.js" escaped; the folder rule is scoped to .js files instead of the single-character "." as posted.
RewriteRule ^pum/pum-site-scripts\.js$ - [L]
RewriteRule ^pum/.*\.js$ - [L]

I contacted the plugin maker and asked if it might be better to put the script into the actual plugin folder. His reply:

So there are a couple issues:

1. Putting it in our plugin folder means it needs to be regenerated every time you update our plugin, if that fails it will end up throwing 404s until it is regenerated.

2. Some popup blockers block loading of assets from any site if the path contains /wp-content/popup-maker/assets/js/, so this is a way around that.

3. Page builders do the same thing we do, something I’ve been curious about how they get around as I’ve never seen people complain about their page builders assets 403.

We are looking for a proper long term solution, but loading them from our plugin folder isn’t the right one for the situation.

Here is the link to the plugin-page: https://wppopupmaker.com/

Can you guys advise what I should do here?

Many thanks!
Sascha

Motopress Hotel Booking – 403 error – Whitelist Rule required

I’ve searched for a solution in the forum, but couldn’t find any Skip/Bypass rule for this plugin.
This is the security log:

[403 GET Request: 28th August 2019 - 5:32 pm]
BPS Pro: 14.1
WP: 5.2.2
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: 203-59-94-52.perm.iinet.net.au
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER: https://unplugrentals.com/wp-admin/admin.php?page=mphb_calendar
REQUEST_URI: /wp-admin/admin.php?page=mphb_calendar&mphb_bookings_calendar%5Broom_type_id%5D=0&mphb_bookings_calendar%5Bperiod_page_month%5D=0&mphb_bookings_calendar%5Bperiod_page_quarter%5D=0&mphb_bookings_calendar%5Bperiod_page_year%5D=0&mphb_bookings_calendar%5Bperiod%5D=month&mphb_bookings_calendar%5Baction_period_next%5D=Next+%3E&mphb_bookings_calendar%5Bcustom_period%5D%5Bdate_from%5D=&mphb_bookings_calendar%5Bcustom_period%5D%5Bdate_to%5D=&mphb_bookings_calendar%5Bsearch_room_availability_status%5D=&mphb_bookings_calendar%5Bsearch_date_from%5D=&mphb_bookings_calendar%5Bsearch_date_to%5D=
QUERY_STRING: page=mphb_calendar&mphb_bookings_calendar%5Broom_type_id%5D=0&mphb_bookings_calendar%5Bperiod_page_month%5D=0&mphb_bookings_calendar%5Bperiod_page_quarter%5D=0&mphb_bookings_calendar%5Bperiod_page_year%5D=0&mphb_bookings_calendar%5Bperiod%5D=month&mphb_bookings_calendar%5Baction_period_next%5D=Next+%3E&mphb_bookings_calendar%5Bcustom_period%5D%5Bdate_from%5D=&mphb_bookings_calendar%5Bcustom_period%5D%5Bdate_to%5D=&mphb_bookings_calendar%5Bsearch_room_availability_status%5D=&mphb_bookings_calendar%5Bsearch_date_from%5D=&mphb_bookings_calendar%5Bsearch_date_to%5D=
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Firefox/68.0

It is triggered by clicking on the ‘Next’ button in a calendar overview in the back-end.

Could you help with a whitelist rule for this please (and advise where to put it)?

Cheers,
Sascha
