
Smart Filtering gives a 403 error on some environments #1187

Closed
DGStefan opened this issue Jan 4, 2019 · 11 comments
@DGStefan
Member

DGStefan commented Jan 4, 2019

It seems to be related to the JSON in the URL.
Although I can't reproduce the issue locally, I was able to log in on a client's website and test something with the URL params.
By altering the ac-rules params I was able to reproduce the issue.
So it seems to be related to JSON in the URL that is recognized as malicious by the server (not verified).

@DGStefan
Member Author

DGStefan commented Jan 7, 2019

Update:
In my case, I had to deactivate the ModSecurity option in cPanel.

@DGStefan
Member Author

Update:
My hosting service has a WAF active (ModSecurity, I guess). They offer whitelisting of my IP. After doing this, the issue was solved.

@DGStefan DGStefan added this to the 4.5.4 milestone Feb 13, 2019
@jasonb4u

I'm a bit cheesed off that this has not been fixed. It all started with version 4.5.x.

I have 7 different themes, 3 of them on different servers, and all have the same issue.

Cannot bulk delete; it then gives the 403 error.

Image link 1: http://prntscr.com/mnw2nm

Image link 2: http://prntscr.com/mnw3dk

@tobiasschutter
Member

tobiasschutter commented Feb 21, 2019

We are encoding the query string parameters for filtering in JSON for easy handling. This type of encoding is what some servers do not allow. We are looking into other forms of encoding at the moment.

In the meanwhile, you can disable (smart) filtering and that will prevent the 403 error from triggering.

Add this to your theme's functions.php:

add_filter( 'acp/search/is_active', '__return_false' );

@jasonb4u

Whether it's on or off, the error still occurs.

Thanks for the code, hope this all gets dealt with soon, and knowing when I'm to remove that code is a pain.

@DGStefan
Member Author

My host uses cPanel, and cPanel has "Hotlink Protection" (Linux).
Hotlink Protection is off by default in cPanel.
I enabled it and added my domain selahattinuzun.com.

@DGStefan DGStefan modified the milestones: 4.5.5, 4.5.6 Feb 27, 2019
@DGStefan
Member Author

Update:
iThemes Security has a setting to optimize the system. There is an option "Non-English characters filter"; this must not be checked.

@jasonb4u

WOW, that seems to work for those who are using iThemes, but is it still happening for those who are not using iThemes?

@DGStefan
Member Author

DGStefan commented Mar 8, 2019

@jasonb4u
Thanks for the clarification on the iThemes solution.
In every use case we have had so far, this issue could be solved by tweaking the security settings, either at the ModSecurity level or at the plugin level. Besides that, we have some ways to prevent this error from happening by disabling Smart Filtering. And we changed our code so that the Smart Filtering params are not set in the URL when there is no actual smart filtering active. We do have another last-resort solution that would fix the issue for most environments, but since this feels a bit like a hack and unnecessary, we don't know if we're going for that option. Personally, I feel that we can close this issue, but I'd like to discuss this within the team.

We will at least create a 'How To' tutorial on how to solve this issue based on all the solutions provided so far.

@DGStefan DGStefan modified the milestones: 4.5.6, 4.6 Mar 13, 2019
@DGStefan DGStefan closed this as completed Jun 4, 2019
@DGStefan DGStefan modified the milestones: 4.7, 4.6.3 Jun 18, 2019
@meninomiel

Any news about this issue?

@DGStefan
Member Author

@meninomiel
This issue was already closed since there are no plans to address this on our side.
We are bound to the way WordPress builds its form on the table pages, which is with a GET form.
This forces us to expose the data (which is JSON) in the URL. Some security plugins find that insecure and will block the call.
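An added illustration of the mechanism discussed in this thread (not code from the Admin Columns project): why raw JSON in a GET parameter such as `ac-rules` trips a generic request-inspection rule, what an opaque alternative encoding looks like, and the strict server-side validation that has to accompany it once the WAF can no longer see the content. The rule field names, the regex standing in for a WAF signature and the sample filter state are all constructed assumptions, not the plugin's schema or an actual ModSecurity rule.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample filter state; field names are assumptions, not the plugin's schema.
SAMPLE_RULES = {"rules": [{"column": "title", "operator": "contains", "value": "foo"}]}

# Simplified stand-in for a generic WAF signature: structured-data characters
# inside a query-string value. This is NOT a real ModSecurity rule.
SIGNATURE = re.compile(r'[{}"\[\]]|:\s*"')


def build_json_query(rules: dict) -> str:
    """Mimic the thread's situation: raw JSON in ac-rules, percent-encoded."""
    return urlencode({"ac-rules": json.dumps(rules, separators=(",", ":"))})


def build_b64_query(rules: dict) -> str:
    """Alternative encoding: base64url of the JSON, so no JSON syntax is visible."""
    raw = json.dumps(rules, separators=(",", ":")).encode()
    return urlencode({"ac-rules": base64.urlsafe_b64encode(raw).decode().rstrip("=")})


def waf_would_block(query: str) -> bool:
    """URL-decode the query as a WAF does, then apply the signature to each value."""
    for values in parse_qs(query).values():
        if any(SIGNATURE.search(v) for v in values):
            return True
    return False


def decode_b64_rules(query: str) -> dict:
    """Server-side decode with strict validation: an opaque encoding means the
    WAF no longer inspects the content, so the application must do it itself."""
    value = parse_qs(query)["ac-rules"][0]
    padded = value + "=" * (-len(value) % 4)  # restore stripped base64 padding
    data = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(data, dict) or not isinstance(data.get("rules"), list):
        raise ValueError("ac-rules: unexpected structure")
    for rule in data["rules"]:
        if not isinstance(rule, dict) or set(rule) != {"column", "operator", "value"}:
            raise ValueError("ac-rules: malformed rule")
        if not all(isinstance(rule[k], str) for k in rule):
            raise ValueError("ac-rules: rule fields must be strings")
    return data


if __name__ == "__main__":
    print("JSON form blocked:", waf_would_block(build_json_query(SAMPLE_RULES)))
    print("base64 form blocked:", waf_would_block(build_b64_query(SAMPLE_RULES)))
```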
