Does OLS cache pages with 403 error code (Forbidden)?

#1
The WP Zero Spam plugin sends a 403 with some text to block clients. I am observing that OLS is caching the blocked page and serving it to other clients. Is that expected? Does OLS cache pages with 403 status or does it not differentiate?
 
#2
Gilles,

Error 403: "The server understood the request, but is refusing to authorise it.", RFC 7231. This doesn't sound like something OLS would cache, but maybe an admin can prove me wrong. You didn't specify what files or directories being requested result in this error, or what your platform/OS is, so I'll speak in generalities. Let's see if it might not be WP Zero Spam first...

1. Check the permissions on wordpress files and directories. They should be owned by user nobody and group nogroup, should probably have the group sticky flag set to keep it this way, and the wordpress best-practice says directories should be 750 and files be 640. These shell commands could do that:
Bash:
chown -R nobody:nogroup <vhost directory>
chmod -R g+s <vhost directory>
find <wordpress directory>/ -type d -exec chmod 750 {} \;
find <wordpress directory>/ -type f -exec chmod 640 {} \;
2. Check if it's being caused by a wayward .htaccess file. Just back it up then delete it, rename it, or otherwise get it out of there and see if it works. If it does, that .htaccess needs some attention. If it still breaks in the same way, you can put it back and look elsewhere.
3. Deactivate all your plugins, and then activate them one by one and retest after each. This may identify the true culprit, and can sometimes surprise you.

If you could provide more details, that would help too.

I hope this helps. If it does, please let us know.
 
Last edited:
#3
Hi Steve,

I'm guessing I was not clear enough with my description. I'm running OLS with CyperPanel on Ubuntu 20.04.

Let's say a malicious host is trying to hammer my home page. WP Zero Spam sends back a 403:
Code:
                                status_header( 403 );
                                die( $this->options['blocked_message'] );
But then I get the same page on my browser. I'm thinking OLS cached the blocked page instead of the real one and is serving it to me too.

Not sure if WP Zero Spam is supposed to set a no-cache header or if I need to configure the cache not to cache pages with 403 errors. But I am surprised OLS would cache a 403 in the first place.
 
#4
Just saw LiteSpeed Cache has a TTL for status codes:

Default HTTP Status Code Page TTL:
403 3600
404 3600
500 3600
I guess I can either:
1) Stop using WP Zero Spam (which I am doing for now).
2) Set the 403 TTL to 0 to disable caching.
3) Wait for the WP Zero Spam developer to fix it.

It's good to have options.
 
Top