Is cPanel to Blame for WordPress REST API 403 Errors?

Operating System & Version: Linux
cPanel & WHM Version: Don't Know

PostAlmostAnything

Well-Known Member; Portland, Oregon; cPanel Access Level: Website Owner
Are there any default settings in cPanel that might explain why a WordPress plugin returns a cookie check failure error after making calls to the WordPress REST API for over 12 hours straight?

The plugin scans posts and media files to figure out which images are used by a site so that unused ones can be deleted. It never has problems on small sites, but when a site gets so big that you'll need well over 12 hours to complete the scan, the scan almost always fails because calls to the API are rejected by the website. The two most likely culprits are WordPress security plugins and server settings. I base this on feedback from the plugin developer and this thread describing an identical problem with a different plugin (Cookie check failed error – Status Code 403).

I suspect either Jetpack security or cPanel/WHM being the culprit here. Jetpack has brute force protection and other security features which I suspect might tweak things just enough for something to fail after scanning for that long. I also suspect cPanel because of all the default settings which come with it. It wouldn't surprise me if someone at cPanel put some default setting in place thinking that it would be best for most users if stuff couldn't keep running scans like that for that long. Kind of like back in the 90s when someone limited the number of files you can see in a folder to just 10,000 and still hasn't changed it.

If cPanel is the culprit please tell me which setting to change and how.

quietFinn

Well-Known Member; Finland; cPanel Access Level: Root Administrator
You should check the Apache error log, that might give you a hint of what is happening.
A 403 error is often caused by ModSecurity.

PostAlmostAnything

Interesting, is there any setting in ModSecurity which would explain it? A specific setting please.

I tried downloading the Apache error log for the domain via WHM raw log download but it says the log is empty.

cPRex

Jurassic Moderator; Staff member; cPanel Access Level: Root Administrator
There wouldn't be a specific setting, but you'd see the 403 errors logged in the Apache log by ModSecurity if it was blocking a request. Then, once you have that log, you can decide if you want to disable that particular ModSecurity rule.
 

PostAlmostAnything

If not ModSecurity then what other default cPanel setting might explain this? The developer of the plugin, Media Cleaner, insists that this is either my fault or yours due to me being the only person to send him repeated complaints of this nature.

I think the plugin is more to blame for not having a resume feature. Eventually your site will get too big to run the plugin in your browser for days unless your PC doesn't restart. He tried getting me to use WP-CLI but every attempt resulted in a timeout error of 999 seconds. That makes me think something in cPanel must be limiting the amount of time his script can run.
 

kdean

Well-Known Member; Orlando, FL; cPanel Access Level: Root Administrator
Do you have caching that may be affecting things? WordPress REST API that uses Nonces can expire after 12 or 24 hours and can result in a 403 error. Basically depending on when the Nonce was created, it will generally expire in as little as 12 hours and no more than 24 with the default setting of 86,400 seconds for WordPress. So since you mentioned working for 12 hours and then a 403 error I thought a nonce could be involved. If you look up WordPress nonces and how they count, you'll see just how weird they are to figure out.

I find Nonces also affect cached pages if content on the page uses a nonce and the cached page exists longer than the nonce expiration, the content on the page no longer works. So I use the Nonce Extender plugin to resolve that and let me have longer lived cache pages.

So I suggest a test can be done for this. Download and install the Nonce Extender plugin.


In WordPress go to the bottom of the Settings --> General page and change the default Nonce Lifetime of 86400 to 172800 and then any new nonces should last up to twice as long as before in regard to their expiration.

So I figure give that a shot to see if it makes any difference for you in lasting past 12 hours.
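
The tick arithmetic behind the "12 to 24 hours" behaviour described above, as an added Python model (not code from this thread or from WordPress itself). It assumes core's scheme of half-lifetime ticks where the current and the previous tick are accepted; the key, user id, session token and start time are constructed values.

```python
import hashlib
import hmac
import math

DAY = 86400  # WordPress default nonce lifetime in seconds


def nonce_tick(now, life=DAY):
    # Time is cut into half-lifetime "ticks"; each nonce is stamped with its tick.
    return math.ceil(now / (life / 2))


def make_nonce(now, action, uid, token, key, life=DAY, tick=None):
    tick = nonce_tick(now, life) if tick is None else tick
    msg = f"{tick}|{action}|{uid}|{token}".encode()
    digest = hmac.new(key, msg, hashlib.md5).hexdigest()
    return digest[-12:-2]  # same slice as PHP substr($hash, -12, 10)


def verify_nonce(nonce, now, action, uid, token, key, life=DAY):
    # Returns 1 for a nonce from the current tick, 2 for the previous tick,
    # False for anything older (the case that surfaces as a 403).
    current = nonce_tick(now, life)
    for age, tick in ((1, current), (2, current - 1)):
        expected = make_nonce(now, action, uid, token, key, life, tick)
        if hmac.compare_digest(expected, nonce):
            return age
    return False


def seconds_valid(created, life=DAY):
    # A nonce stops verifying once the clock is two ticks past its own tick,
    # so its real lifetime depends on where in a tick it was created.
    half = life / 2
    return (nonce_tick(created, life) + 1) * half - created


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; stands in for the site's nonce salt
    start = 1_700_000_000          # constructed time at which the scan page was loaded
    nonce = make_nonce(start, "wp_rest", 1, "session", key)
    for hours in (1, 12, 16, 24):
        result = verify_nonce(nonce, start + hours * 3600, "wp_rest", 1, "session", key)
        print(f"+{hours:>2}h -> {result}")
    print("default lifetime, hours valid:", seconds_valid(start) / 3600)
    print("172800 lifetime, hours valid:", seconds_valid(start, 2 * DAY) / 3600)
```

Raising the lifetime to 172800 moves the window to between 24 and 48 hours, and it also keeps any captured nonce usable for that much longer.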
 

PostAlmostAnything

I've never heard of a "nonce" before so bear with me on this. I am not using caching because if content is removed from a site with cached pages that often results in people complaining that the content is still there. Is there a good way to disable nonces instead of just extending the lifetime?
 

PostAlmostAnything

Why is it that the Nonce Extender is not available in the WordPress.org plugin directory?
 

kdean

Nonces are a core WordPress feature so I'm not sure it's a good idea to try and disable them, if that's even possible. Not everything uses it but I have run across some output that has and then there's the REST API stuff.

It was on the repository up to just very recently. It may have only been removed since it hasn't been updated or the author on the site is gone. If you look at the code, it's pretty basic stuff and clear nothing untoward is going on.

You can actually add it to the functions.php as a filter if you want to hard code a number in there. I just thought the plugin that I've used for years makes it a bit easier to adjust and test. It solved my nonces expiring before page cache issue I was having allowing me to keep cached pages around longer, otherwise they can only really last less than 12 hours to be safe.