auto_.htaccess quarantine and php errors

Home Forums BulletProof Security Pro auto_.htaccess quarantine and php errors

Viewing 15 posts - 1 through 15 (of 29 total)
  • Author
    Posts
  • #11321
    James Burden
    Participant

    Hi again,

    Everything has been going fine since Friday, but in the last hour the error messages have kicked off again with BPS Pro on the familyimpact.org website. I haven’t even been on the site in the last hour – so it can’t be any changes I’ve made.

    The two problems I’m experiencing (which are presumably related) are:

    1. I have auto_.htaccess being quarantined every three minutes.
    2. I have PHP errors occurring every three minutes.

    These are representative of the entries in the PHP error log:
    I’m guessing that these problems will be solved if I reset file permissions via WPEngine and go through setup wizard again, but I can’t do this every day. How do we get to the bottom of what is causing these types of problems?

    [19-Nov-2013 00:43:10] PHP Warning: copy(/nas/wp/www/xxxx/xxxx/wp-content/bps-backup/quarantine/auto_.htaccess) [function.copy]: failed to open stream: Permission denied in /nas/wp/www/xxxx/xxxx/wp-content/plugins/bulletproof-security/includes/functions.php on line 4255
    [19-Nov-2013 00:43:10] PHP Warning: copy(/nas/wp/www/xxxx/xxxx/.htaccess) [function.copy]: failed to open stream: Permission denied in /nas/wp/www/xxxx/xxxx/wp-content/plugins/bulletproof-security/includes/functions.php on line 4257

    Thanks
    James

    #11324
    AITpro Admin
    Keymaster

    Something tried to change the root .htaccess file or did change the root .htaccess file.  What that is might be WPEngine since it does some very unusual things that I have never seen before with any other plugin or service.  You should only have to activate Root Folder BulletProof Mode again to stop whatever has occurred.  My assumption is that since WPEngine overrides the BPS Pro Setup Wizards then it probably overrides other BPS Code and functionality as well.

    #11328
    AITpro Admin
    Keymaster

    I just thought of something else that could be totally unrelated to WPEngine.  Is your root .htaccess file locked?  If not, then these 2 very common problems will cause this problem repeatedly.  Both of these recurring problems can be prevented by locking your root .htaccess file.

    cPanel Broken HotLink Protection Tool
    http://forum.ait-pro.com/forums/topic/read-me-first-pro/#cpanel-hotlink-protection

    WordPress flush_rewrite_rules function used incorrectly in another plugin or theme
    http://forum.ait-pro.com/forums/topic/read-me-first-pro/#flush-rewrite-rules

    #11329
    James Burden
    Participant

    I went through to F-Lock and looked at the Lock/Unlock Root htaccess File setting which is currently on Turn Off Checking & Alerts. But I have a message above that which says: “Server API: apache2handler – Your Server Configuration is DSO. Files cannot be locked on a DSO Server. Choose/Select – Turn Off Checking & Alerts – for all F-Lock option settings.”  So I presume I should leave the htaccess file unlocked?

    #11330
    AITpro Admin
    Keymaster

    Oh yeah if you have a DSO Server then you cannot lock your files.  Unfortunately, this means that if you have a plugin installed that automatically flushes the root .htaccess file then this problem will continue to reoccur until either you disable that plugin’s inappropriate code or contact the plugin author or theme author to fix their code.  Or you will have to occaisonally activate root folder BulletProof Mode to correct this issue.  This is assuming of course that this problem is the common flush_rewrite_rules problem.

    #11334
    James Burden
    Participant

    I reset file permissions and activated Root Folder BulletProof Mode again. Everything was fine for a few hours.
    I’ve now got an error message in the yellow box at the top of the page that says:

    Failed to Activate Uploads Folder BulletProof Mode
    Unable to automatically Copy and Rename the /bulletproof-security/admin/htaccess/uploads.htaccess file to /wp-content/uploads/.htaccess.
    If your Server API is DSO and not CGI/suPHP then you will have to manually activate the Uploads Folder BulletProof Mode on the Security Modes page.
    Click Here to go to the B-Core Security Modes page.

    I’ve tried manually activating BulletProof Mode on ‘Activate Uploads Anti-Exploit Guard htaccess Security Mode’ but it doesn’t seem to have made any difference. The error message is still there.
    How can I resolve this?

    #11338
    AITpro Admin
    Keymaster

    Has this website or any websites under this hosting account been hacked before prior to installing BPS Pro?  Does WPEngine randomly change files on your website or do some kind of timed/scheduled file restore?  Do you have any other plugins installed that will change files or change settings on a schedule / Cron / Timer?

    #11339
    James Burden
    Participant

    No, none of the sites with WP Engine have been hacked. They’ve got one of the best reputations actually for WP security amongst specialist WP hosts.

    As far as I’m aware WP Engine doesn’t randomly change files on my website, and I don’t have any other plugins installed that change files or settings on schedule / cron / timer.

    WP Engine does take a scheduled back up of all files once every 24 hours, and with the last problem with BPS Pro I had to roll back to the last backup (which was around 12 hours ago). Maybe that has caused this problem then? I was using the site fine for a few hours after the backup restore without any problems…

    Is it an option for me to uninstall BPS Pro, delete files and reinstall? Would that solve this current problem?

    #11340
    AITpro Admin
    Keymaster

    I don’t think the problem has anything to do with BPS Pro so reinstalling would not make any difference.  What you are describing is that things are being changed on your website on some kind of scheduled event like a cron.  When BPS Pro is setup and everything is working then BPS Pro will not all of a sudden stop working.  Or stop working at 3 hour time intervals.

    What is odd is that you now cannot reactivate UAEG.  To me that seems like the permissions or Ownership has been changed on the /uploads folder, which is kind of similar to the other problem with the /master-backups folder not being created (ballpark similar).  I think the best approach at this point is to figure out what has changed about the /uploads folder and fix that.  ie check the permissions and Ownership of the /uploads folder.  Then if things continue to be automatically changed on your website at time intervals you would invesigate further into what is doing that.

    #11342
    AITpro Admin
    Keymaster

    Hmm I just thought of a somewhat logical explanation.  Let’s say that when the WPEngine scheduled backup occurs the /uploads folder permissions or Ownership is automatically changed by WPEngine to protect the /uploads folder.  This is logical since a typical place to store or cache backups is the WordPress /uploads folder.  So check the permissions and Ownership of the /uploads folder and change it to whatever it should be and then check with WPEngine and see if my logical guess is something that they do automatically during a scheduled backup.

    If WPEngine needs full access to the uploads folder and UAEG is blocking them in some way then a permanent solution will need to created.  I would need to know the details of what occurs during a scheduled WPEngine backup in order to create a permanent solution if this is what is occurring.  Continuing with the logic – if WPEngine tries to perform a scheduled backup and cannot because UAEG is blocking this backup then I assume WPEngine will automatically correct that problem to allow the scheduled backup to complete and then in that process UAEG may become disabled / deactivated / inaccessible to BPS Pro.

    #11348
    James Burden
    Participant

    I’ve checked the permissions of the /wp-content/uploads and it’s 775. I’ve just tried manually uploading a small txt file via sftp and it didn’t have any problems with that.

    I couldn’t get the BPS plugin working again with the auto buttons, or with the setup wizard, so I deleted the plugin, reinstalled it, followed the various steps that you’ve helped me out with over the past week and it all looks fine now. I presume that doesn’t answer the question as to what went wrong, but at least it’s up and running again.

    I’ll follow up with WP Engine as to whether they can shed any light on the apparent permission discrepancies and why a plugin would not be able to access that folder.

    Do you have any other users that you know are using WP Engine as a host?

    #15661
    simon
    Participant

    [Topic has been merged into this relevant Topic]

    Hi,

    this file is being quaratined all the time: Jun-18-2014–09-04-45–auto_.htaccess

    Why is that happening and how can i fix this?
    Regards Simon

    #15664
    AITpro Admin
    Keymaster

    The auto_.htaccess file is a copy of your root .htaccess file that is renamed from .htaccess to auto_.htaccess so that it is treated as a plain file and is not executed/processed by your server/website.  If your root .htaccess file is being repeatedly quarantined/autorestored then the most likely cause is that something is repeatedly writing to your root .htaccess file and modifying it.

    These are the 2 most likely/common issues that cause this problem (link below goes to a post within this Topic).

    http://forum.ait-pro.com/forums/topic/auto_-htaccess-quarantine-and-php-errors/#post-11328

    #22325
    Jan Wessels
    Participant

    [Topic has been merged into this relevant Topic]

    Hi,

    Sometimes an auto_.htaccess is quarantined. Although this is happening, the .htaccess is still working.
    No alert that BPS is not working correctly. Any idea if this is an issue or can I just delete the quarantained file?

    Thanks!

    #22331
    AITpro Admin
    Keymaster

    @ Jan Wessels – If you have a CGI Server type lock your root .htaccess file on the BPS Pro htaccess File Editor tab page to prevent other plugins or themes from writing to or changing your root htaccess file which will result in the root htaccess file (auto_.htaccess file) being repeatedly quarantined since the root htaccess file is being modified by something else and not BPS.  If you have a DSO server type then you cannot lock your root .htaccess file on a DSO server and will just have to delete the auto_.htaccess file that is quarantined each time another plugin or theme modifies your root htaccess file.

    You can view files|file contents in Quarantine by using the View File option.

Viewing 15 posts - 1 through 15 (of 29 total)
  • You must be logged in to reply to this topic.