BulletProof Security Forum

That’s ok I’ll take care of testing this issue, but thanks for offering.

It used to be very simple to force a new BPS Pro plugin upgrade check, but that has changed in WordPress 5.5.1.  The method I normally use to test BPS Pro plugin upgrade checks from my API server no longer works.  I believe that has to do with the new Plugin Automatic U…[Read more]

I can control what plugins are “managed” by Easy Updates Manager, so I can turn it off for BPS Pro. I’ve already updated to 14.8, but I’ll try that on my own site – I’ll be able to check when the next update comes out.

Unless you can give me access to the 14.7 plugin zip file?

hmm just saw your latest reply.  That could mean that something is interfering with WordPress Transients > https://developer.wordpress.org/apis/handbook/transients/. Deactivating and reactivating any plugin will affect transient stored DB cache. I’ll look into that further.

I’ll test the Easy Updates Manager plugin.  Most likely what is happening is the Easy Updates Manager plugin is forcing a check for the BPS free plugin for the WordPress API server instead of the BPS Pro plugin, which of course will cancel out the BPS Pro plugin update/upgrade response from our ait-pro.com API server.  I doubt that it would be p…[Read more]

Update: The behavior is inconsistent. Sometimes disabling EUM works, other times it does not 🙁

Great! Thanks for confirming that fixed the problem. On a personal note, I have a bad habit of copying similar code blocks to save time instead of retyping new code blocks. Occasionally I miss an edit. The same problem would have shown up for me during testing, but those files had already been deleted by WP when I upgraded WP on my test site.

Thank you for explaining that to us. That all started to feel more understandable and clear for us.

We updated the sites with the new version that were already affected with those files in the quarantine yesterday after you published it to take care of those and updated the rest of the sites today. From what we can see from our end, the issue…[Read more]

Hi,

Those special characters weren’t suppose to be there. My assumptions of being blocked by USER_AGENT rules where not correct. I fixed the bug in my app and the app can now hit the php page no problem. No htaccess changes were required.

Thanks for the prompt replies!!
Andy

There are several code characters in the Query String that are being blocked. You can either create a RewriteRule bypass for your /stats/ folder or you can allow those code characters in Query Strings.

See this forum topic for how to create a RewriteRule bypass for your /stats/ folder >…[Read more]

Thanks for the quick reply. Log entry pertaining to the last rest call made to ./stats/trc.php file is below.

The REQUEST_URI looks funny. The call is suppose to provide a guid, e.g., trc.php?guid=b8fb9664-f52d-11ea-adc1-0242ac120002.

[403 GET Request: September 17, 2020 – 12:27 pm]
BPS: 4.2
WP: 4.9.8
Event Code: BFHS – Blocked/Forbidden…[Read more]

Check your BPS Security Log and post any/all Security Log entries that show what is being blocked in your REST calls so I can take a look at them and provide a fix.

Actually I decided to push back one of the new changes in BPS Pro 14.8. So BPS Pro 14.8 will be released in about 1 hour from now.

The ARQ OBDF cron deletes old WordPress Core files that were backed up in AutoRestore backup.  When WordPress releases a new version of WordPress, that new version of WordPress has a “cleanup” function that deletes any old folders and files in previous versions of WordPress that are no longer used in the current version of WordPress. In a…[Read more]

Thank you for your response. We’re not sure we still understand what this specific Cron does or how it is supposed to work exactly or what issue that typo/bug with the variable name caused exactly here.

However, these are our main questions now:

1. To be clear, you’re confirming that we should delete the four files…

[Read more]

Email Question:
I use some of the features of Clearfy which on a few sites works okay with BPS.
On some other sites though I can’t make changes to the Clearfy settings without first disabling “Root Folder BulletProof Mode (RBM)”, which then seems to jack up the .htaccess file after I re-enable RBM.

Email Response/Answer:
I am in the proce…[Read more]

I updated the AutoRestore Old Backup File Deletion code, which is a Cron job that runs once per day (every 24 hours) that deletes old WordPress Core files that are backed up in the AutoRestore backup folder. I just checked the ARQ OBFD code and yep found a typo/bug in this section of code below. This variable name is wrong: $ie_css_js. It should…[Read more]