BulletProof Security Forum

I take that back.  I will add the .html file extension in the Plugin Firewall AutoPilot Mode whitelist making code in BPS Pro 16.1, which will be released in a few hours.  I just tested the new file extensions and everything works fine.  So this is a pretty straightforward fix and I don’t expect any unforeseen issues/problems.

Actually what happened is that I thought I had already added .html file extensions to the Plugin Firewall AutoPilot Mode whitelist rule making code, but I just rechecked the code and I guess I left that file extension out of the filter.  So that is why the .html file whitelist rule was not automatically created.  I am releasing BPS Pro 16.1 t…[Read more]

Hello,

Thanks so much for the quick response, great support as always. I did get the reply from the forum but it went into spam. (That’s just Google who are spamming all-sorts at the moment).

I added the code, and needed to add a second entry too for .js as below:

/wonderplugin-pdf-embed/pdfjs/web/viewer.html,…[Read more]

@ Grant – I believe you want to use this open_basedir setting:  open_basedir = /usr/www/users/iafridzcgy/:/tmp/ in your php.ini file. I think you are blocking PHP from being able to process custom php.ini files as well with your existing open_basedir path settings. After editing your php.ini file reboot your server if you have root permissions to…[Read more]

Hello,

I am getting a similar error but it seems to be linked to the WP Super Cache plugin:
PHP Warning: file_exists(): open_basedir restriction in effect. File(/wp-cache-xh26030fb48e66db61f46060a402043325.php) is not within the allowed path(s):…[Read more]

Do you have BPS Pro Plugin Firewall AutoPilot Mode turned On?  If not, then turn AutoPilot Mode On.  This new Plugin Firewall whitelist rule should be created automatically:  /wonderplugin-pdf-embed/pdfjs/web/viewer.html.  If you are disabling WP standard crons and are using a Direct Cron instead then Plugin Firewall AutoPilot Mode whitelist rul…[Read more]

I came across another scenario.  The DB Backup folder had folder permissions of: 0.  The normal folder permissions should be 0755.  0 folder permission typically means the folder is corrupt and needs to be deleted.  BPS automatically creates a new DB Backup folder if a DB Backup folder does not exist.

Answer:

The open_basedir allowed paths in the php error are: /serverpath/html/:/tmp/

The actual file path is different: File(/serverpath/wp-content/uploads/oxygen/css/features-14.css)
The actual file path is missing: html in the path

The simplest way to fix this issue would be to change the open_basedir path settings to this:…[Read more]

Answer:

The BPS Pro > P-Security > ini_set Options page > Error Reporting option allows you to choose which php errors are logged. The default option setting is:  E_ERROR|E_WARNING|E_PARSE.  If you want to log all php errors you can change that option setting to:  E_All > https://www.php.net/manual/en/function.error-reporting.php

If you want to…[Read more]

Great.  Thanks again for your help.  Definitely a testament to the quality of BPS!

For the BPS free plugin it is not important to lock the Root htaccess file.  For BPS Pro it is definitely recommended that you lock your Root htaccess file.  The reason for that is BPS Pro AutoRestore|Quarantine will autorestore and quarantine the Root htaccess file if plugins use the WordPress flush_rewrite_rules() function, which is a very c…[Read more]

Awesome!  Worked like a charm.  Thanks so much!

One last question:  I noticed this after I ran the setup wizard

Your current Root .htaccess file is not locked. It is recommended that you lock your Root .htaccess file on the htaccess Core > htaccess File Editor page. Click the Lock htaccess File and Turn On AutoLock buttons on the htaccess Fi…[Read more]

The cause of the block is the Query String is simulating and RFI hacking attempt.  Do the steps below to fix this permanently.  Note: I will add this fix in the Setup Wizard AutoFix feature for the Constant Contact plugin so that this fix will be created automatically by the BPS Setup Wizard in the next BPS/BPS Pro version.

1. Copy the modified B…[Read more]

Hi–thanks so much for getting back to me.

Yes, that is the plugin–and yes, there are a lot of issues, unfortunately.  (My bosses would rather keep the account though, so I’m trying to work with it.(

Anyhow, I looked for the security log and it wasn’t configured.  I’ve set that up and reproduced the error and this appeared in the l…[Read more]

I’ll test the Constant Contact plugin later today on a WooCommerce site.

Go to the BPS Security Log page > copy any 403 log entries that could be related to the Constant Contact plugin and paste them in your forum reply.  Is the plugin the official Constant Contact plugin > Constant Contact + WooCommerce > https://wordpress.org/plugins/constant-contact-woocommerce/

I just checked to see if anyone else is running…[Read more]

Hi,

Just wanted to say thanks for all of the input.

We have been monitoring this for the past few days and have not had the error.

So fingers crossed.