Background:
A week ago, our website was hijacked by a zero-day vulnerability in a WordPress plugin. It would redirect traffic to a malicious site right away (even from within WordPress).
We cleaned it up within a day, disabled the plugin, changed the passwords, and did multiple scans of the website to make sure it’s clean.
We also have the Cloudflare WordPress caching plugin.
Problem:
Ever since then, we’ve been encountering “403 Forbidden / You don’t have permission to access the site”. This only happens on some IPs (if using VPN on the same computer, some IPs will get this, others will not). Country doesn’t seem to be a consistent source of 403s either.
We tried to disable the Cloudflare plugin, which seems to have reduced the 403s, but did not entirely eliminate them.
Hosting company doesn’t see any problems, says nothing’s being blocked.
Pinging works just fine.
Seems like Cloudflare is currently disabled? If it was related to Cloudflare, I can only think it could be because at one point in time, while restoring/fixing your website, you had forbidden URLs. Chances are that these URLs may then have gotten cached by the Cloudflare CDN (for 4 hours or more, depending). Then, depending on geolocation of the visitor and what Cloudflare server they hit, they may have been served a stale outdated “403” page. If the issue is corrected on server, it’s likely these pages have been purged from cache by now anyway.
Having said that, the above would only happen if you have “cache everything” page rule, and you are actively caching pages (with the Cloudflare WP plugin).
Even if you temporarily disabled Cloudflare plugin, it could take time for some IPs to resolve DNS to not go through Cloudflare, and pages might still be cached.
If it’s not Cloudflare, then I can only imagine it’s some WP security plugin you are using, which is blocking requests?
Was your site proxied when you got the 403s? Right now it is not proxied, so any such errors would come straight from your server.
Can you post a screenshot of that error?
Your site does seem to return for certain locations a 503 (not 403) sitemeer.com/#https://www.eyeseverywhere.ca
However, that is not Cloudflare related but appears to come from your Wordfence setup.
Yes, we do have Wordfence, which I used to block countries where I seem to get a lot of hacking attempts from (manually). It does block some stuff automatically as well, but none of the IPs that seem to be affected (that we tested) show up on its block list.
As I understand it, it will only do 503 errors, not 403.
Screenshot above, but here is one with the header. It just says our website address when the 403 error comes up (normally it should say “IT Support and consulting…”).
It’s looking more and more like we’ll have to change hosts, then, to get rid of the error, as the current host claims they checked the logs for 403 multiple times, and for blocking, and see nothing on their end.
Well, the block seems to be selective and if they don’t get it, it might be hard to debug, however it should show up in the logs.
The question is also whether it is their responsibility to check that. Do you have a managed service with them? If not, it will be best to involve your web developer.
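The replies above turn on one question: did a given 403 come from Cloudflare's cache, from the origin through Cloudflare, or straight from the server? The following is an added example, not code from any poster in this thread, that classifies a response by its `CF-RAY`, `Server` and `CF-Cache-Status` headers and tallies results across vantage points. The probe data and vantage names are constructed.

```python
from collections import Counter

# CF-Cache-Status values meaning the body was served from Cloudflare's cache
FROM_CACHE = {"HIT", "STALE", "UPDATING", "REVALIDATED"}
# Values meaning Cloudflare fetched the response from the origin for this request
FROM_ORIGIN = {"MISS", "EXPIRED", "BYPASS", "DYNAMIC"}


def classify(headers):
    """Return which layer produced a response, judged from its headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    proxied = "cf-ray" in h or h.get("server", "").lower() == "cloudflare"
    if not proxied:
        return "origin-direct"          # DNS resolved straight to the server
    cache = h.get("cf-cache-status", "").upper()
    if cache in FROM_CACHE:
        return "cloudflare-cache"       # possibly a stale cached error page
    if cache in FROM_ORIGIN:
        return "origin-via-cloudflare"  # origin produced it on this request
    return "proxied-undetermined"       # proxied, but no usable cache status


def summarize(probes):
    """Count (status, source) pairs across probes from different vantage points."""
    return Counter((p["status"], classify(p["headers"])) for p in probes)


# Constructed sample probes (not taken from the thread); header values are placeholders.
SAMPLE_PROBES = [
    {"vantage": "vpn-1", "status": 403,
     "headers": {"Server": "cloudflare", "CF-RAY": "0000000000000000-AAA",
                 "CF-Cache-Status": "HIT", "Age": "5400"}},
    {"vantage": "vpn-2", "status": 200,
     "headers": {"Server": "cloudflare", "CF-RAY": "0000000000000001-BBB",
                 "CF-Cache-Status": "MISS"}},
    {"vantage": "vpn-3", "status": 403,
     "headers": {"Server": "Apache"}},
    {"vantage": "vpn-4", "status": 403,
     "headers": {"server": "cloudflare", "cf-ray": "0000000000000002-CCC"}},
]

if __name__ == "__main__":
    for (status, source), count in sorted(summarize(SAMPLE_PROBES).items()):
        print(status, source, count)
```

A 403 classified as `cloudflare-cache` points at purging the cached page, while `origin-direct` or `origin-via-cloudflare` points at the server or a security plugin on it.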