WordPress looks easy to use at the outset. But when an error occurs, it is difficult for ordinary users to understand and troubleshoot. Most of us use complicated security and caching plugins without knowing exactly how they work. This makes troubleshooting harder, because the plugins can cause more problems than the features they are meant to provide.
Crawl Errors in Google Search Console
Recently we found many server errors reported in the “Crawl Errors” section of Google Search Console. Strangely, all the listed URLs were shown with a 500 internal server error although there was no issue on the server side.
We noticed that all the listed URLs had the word “users” in them. Clicking a URL showed the WordPress error “Accessing author info via REST API is forbidden”.
Troubleshooting the Error
We started looking into the error, and the difficult part of troubleshooting began. As a first step in troubleshooting any WordPress error, we scanned through the installed plugins. We then scanned through the .htaccess entries and understood that the error could be coming from the security plugin.
After a bit of Google searching, we found a GitHub bug report pointing out that the error was coming from the All In One WordPress Security and Firewall plugin.
Finding the Root Cause
Basically, the security plugin offers an option to stop URLs from being viewed by querying with user names. This is intended to block bots trying to get author and other user information from the site. The option is implemented through a PHP function in the plugin file “/wp-content/plugins/all-in-one-wp-security-and-firewall/other-includes/wp-security-stop-users-enumeration.php”.
<?php
/* Here is the comment section */
if (!is_admin()) {
    if (preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI']) === 0) {
        if (!empty($_POST['author'])) {
            wp_die('Accessing author info via link is forbidden');
        }
    }
    if (preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING']) === 1)
        wp_die('Accessing author info via link is forbidden');
    add_filter('redirect_canonical', 'll_detect_enumeration', 10, 2);
}
add_filter('redirect_canonical', 'll_detect_enumeration', 10, 2);
function ll_detect_enumeration($redirect_url, $requested_url) {
    if (preg_match('/\?author(%00[0%]*)?=([0-9]*)(\/*)/', $requested_url) === 1 | isset($_POST['author'])) {
        wp_die('Accessing author info via link is forbidden');
    } else {
        return $redirect_url;
    }
}
Unfortunately, this blocks real URLs that contain certain words like “users”. The function that blocks user enumeration through the WordPress REST API was added to the plugin in version 4.2.9.
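The false positive described above can be reproduced outside WordPress. The following is an added example, not the plugin's code (the plugin's REST check is not shown on this page): `naive_blocks()` is an assumed check that matches the word “users” anywhere in the URL, and `strict_blocks()` matches only the core REST users route. The function names and sample URLs are constructed, and the default `wp-json` REST prefix is assumed.

```php
<?php
// Added illustration; function names and sample URLs are constructed, not the plugin's code.

// Assumed over-broad check: block any request whose URI contains "users".
function naive_blocks(string $uri): bool
{
    return stripos($uri, 'users') !== false;
}

// Narrower check: block only the core REST users route, reached either through
// pretty permalinks (/wp-json/wp/v2/users) or the ?rest_route= fallback.
// Assumes the default "wp-json" REST prefix.
function strict_blocks(string $uri): bool
{
    $path = (string) parse_url($uri, PHP_URL_PATH);
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $args);

    $route = '';
    if (preg_match('#/wp-json(/.*)$#i', $path, $m)) {
        $route = $m[1];
    } elseif (isset($args['rest_route']) && is_string($args['rest_route'])) {
        $route = $args['rest_route'];
    }
    // Decode and collapse repeated slashes before matching the route.
    $route = (string) preg_replace('#/+#', '/', rawurldecode($route));

    return preg_match('#^/wp/v2/users(/|$)#i', $route) === 1;
}

// Constructed sample requests: ordinary content URLs and REST user lookups.
$samples = [
    '/how-to-manage-users-in-wordpress/',
    '/tag/users/',
    '/wp-json/wp/v2/posts?search=users',
    '/wp-json/wp/v2/users',
    '/wp-json/wp/v2/users/1',
    '/?rest_route=/wp/v2/users&per_page=100',
];

foreach ($samples as $uri) {
    printf("%-42s naive=%-6s strict=%s\n", $uri,
        naive_blocks($uri) ? 'block' : 'allow',
        strict_blocks($uri) ? 'block' : 'allow');
}
```

Run with the PHP CLI, the first three URLs are blocked only by the naive check, which is the pattern to look for when a crawl report shows errors on ordinary posts that merely contain “users”.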
Fixing the Error
So any other plugin or function that blocks user enumeration through the REST API will also result in blocking the real URLs. You should check with the plugin author or disable the user enumeration function until the bug is resolved.
Here we explain the fix using the same All In One WordPress Security and Firewall plugin that caused the issue. Navigate to the menu “WP Security > Miscellaneous > User Enumeration” and uncheck the “Disable Users Enumeration” checkbox.
Conclusion
After removing the user enumeration option, the URLs that returned the 500 error are working fine. So when you see the “Accessing author info via REST API is forbidden” error, first check the changelog of any recently updated plugin. In particular, look at whether the security plugin installed on your site has an option to block user enumeration through the REST API. This will help you narrow down the issue and find the plugin that is causing the error.