Symptom: users can no longer post comments.

WordPress looks easy to use at first. But when an error occurs, it is difficult for normal users to understand and troubleshoot it. Most of us use complicated security and caching plugins without knowing exactly how they work. This makes the troubleshooting process harder, since the plugins themselves tend to cause more problems than the features they were meant to provide.

Crawl Errors in Google Search Console

Recently we found many server errors reported in the “Crawl Errors” section of Google Search Console. Strangely, all the listed URLs were shown with a 500 internal server error, while there was no issue on the server side.

URLs with Users Are Blocked

We noticed that all the listed URLs contain the word “users”. Clicking on such a URL showed the WordPress error “Accessing author info via REST API is forbidden”.

URL Forbidden Due to Security Plugin

Troubleshooting the Error

We started looking into the error, and the difficult troubleshooting part began. As a first step in troubleshooting any WordPress error, we scanned through the installed plugins. We then went through the .htaccess entries and understood that the error could be coming from the security plugin.

After a bit of Google searching, we found a GitHub bug report pointing out that the error was coming from the All In One WordPress Security and Firewall plugin.

Finding the Root Cause

Basically, the security plugin offers an option to stop URLs that look up users by user name or ID. This is intended to block bots that try to harvest author and other user information from the site. The feature is implemented as a PHP function in the plugin file “/wp-content/plugins/all-in-one-wp-security-and-firewall/other-includes/wp-security-stop-users-enumeration.php”:

<?php
/* Here is the comment section */
if (!is_admin()) {
    // The WordPress comment form submits the commenter's name in a field
    // called "author", so the comment handler (wp-comments-post.php) is
    // exempted; any other front-end POST carrying "author" is blocked.
    if (preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI']) === 0) {
        if (!empty($_POST['author'])) {
            wp_die('Accessing author info via link is forbidden');
        }
    }

    // Block the classic ?author=<id> enumeration in the query string.
    if (preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING']) === 1)
        wp_die('Accessing author info via link is forbidden');

    add_filter('redirect_canonical', 'll_detect_enumeration', 10, 2);
}

// Registered a second time outside the is_admin() check; add_filter() is
// idempotent for the same callback and priority, so this is harmless.
add_filter('redirect_canonical', 'll_detect_enumeration', 10, 2);

function ll_detect_enumeration($redirect_url, $requested_url) {
    // Catch ?author=<id> (including variants padded with encoded nulls)
    // before the canonical redirect would reveal the author's slug.
    // Logical || is used here; the original used the bitwise | operator.
    if (preg_match('/\?author(%00[0%]*)?=([0-9]*)(\/*)/', $requested_url) === 1 || isset($_POST['author'])) {
        wp_die('Accessing author info via link is forbidden');
    } else {
        return $redirect_url;
    }
}

Unfortunately, this also blocks legitimate URLs that contain certain words such as “users”. The user enumeration check for the WordPress REST API was added to the plugin in version 4.2.9.
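As an added example (not the plugin's or the article's own code), here is a narrower way to deny anonymous user listing through the REST API: it inspects the parsed REST route instead of searching the raw request URI for the word “users”, so ordinary pages whose slug contains that word are never touched. The callback name is mine; the `rest_pre_dispatch` filter and `WP_REST_Request::get_route()` are WordPress core APIs.

```php
<?php
/*
 * Added example, not part of the All In One WP Security plugin:
 * deny anonymous access to the REST user routes without matching
 * the word "users" anywhere in the page URL.
 */
add_filter('rest_pre_dispatch', 'example_block_anonymous_user_listing', 10, 3);

function example_block_anonymous_user_listing($result, $server, $request) {
    // Authenticated users (editors, admins) still need the users endpoint.
    if (is_user_logged_in()) {
        return $result;
    }

    // Check the parsed REST route, e.g. "/wp/v2/users" or "/wp/v2/users/3".
    // This covers both /wp-json/wp/v2/users and ?rest_route=/wp/v2/users,
    // while a page such as /blog/our-users-love-it/ never reaches this
    // filter at all, because it is not a REST request.
    if (preg_match('#^/wp/v2/users(?:/|$)#', $request->get_route()) === 1) {
        return new WP_Error(
            'rest_user_listing_forbidden',
            'Listing users via the REST API requires authentication.',
            array('status' => 401)
        );
    }

    // Any other route: let the normal REST dispatch continue.
    return $result;
}
```

Place it in a small must-use plugin or the theme's functions.php; the rest of the site's URL space is unaffected.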

User Enumeration Added in Latest Version

Fixing the Error

So any other plugin or function that blocks users through REST API enumeration will also block the real URLs. You should check with the plugin author, or disable the user enumeration function until the bug is resolved. Here we explain the fix with the same All In One WordPress Security and Firewall plugin that caused the issue. Navigate to the menu “WP Security > Miscellaneous > User Enumeration” and uncheck the “Disable Users Enumeration” checkbox.

User Enumeration Option in WordPress All In One Security Plugin

Conclusion

After removing the user enumeration option, the URLs that returned the 500 error work fine. So when you see the “Accessing author info via REST API is forbidden” error, first check the changelog of any recently updated plugins. In particular, look at whether the security plugin installed on your site has an option to block users via the REST API. This will help you narrow down the issue and find the plugin that is causing the error.

Source: https://www.webnots.com/fix-wordpress-error-accessing-author-info-via-rest-api-is-forbidden/