Blocking Plugin JavaScript
This topic has 33 replies, 3 voices, and was last updated 11 years, 8 months ago by AITpro Admin.
Jon (Member)
I’ve been looking through the forums for a solution to this and now my head is spinning even more! My firewall seems to be going crazy and blocking plugin js – even its own! I’ve tried turning off the firewall for the plugins folder, but am still getting these errors every time I try to change a setting.
The security error log is huge now, but the two that keep cropping up are:
>>>>>>>>>>> 403 GET or Other Request Error Logged - 13 March 2013 - 10:22 <<<<<<<<<<<
REQUEST_METHOD: GET
HTTP_REFERER: http: //DOMAIN/wp-admin/admin.php?page=bulletproof-security/admin/php/php-options.php
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/js/bulletproof-security-admin-2.js?ver=3.5.1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22

>>>>>>>>>>> 403 GET or Other Request Error Logged - 13 March 2013 - 10:22 <<<<<<<<<<<
REQUEST_METHOD: GET
HTTP_REFERER: http: //DOMAIN/wp-admin/admin.php?page=bulletproof-security/admin/php/php-options.php
REQUEST_URI: /wp-content/plugins/wordpress-seo/js/wp-seo-admin-global.js?ver=1.4.1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22
I’m also having problems with a couple of PHP errors (one on WordPress-SEO and one for BPS Pro itself)
[BPS Pro htaccess Protected Secure PHP Error Log]
[12-Mar-2013 19:19:50] PHP Warning: copy(/var/sites/l/DOMAIN/public_html/.htaccess) [function.copy]: failed to open stream: Permission denied in /var/sites/l/lazulicreations.com/public_html/wp-content/plugins/bulletproof-security/includes/functions.php on line 3270
[12-Mar-2013 20:24:12] PHP Warning: call_user_func_array() [function.call-user-func-array]: First argument is expected to be a valid callback, 'wpseo_activate' was given in /var/sites/l/DOMAIN/public_html/wp-includes/plugin.php on line 406
[13-Mar-2013 10:16:15] PHP Warning: call_user_func_array() [function.call-user-func-array]: First argument is expected to be a valid callback, 'wpseo_activate' was given in /var/sites/l/DOMAIN/public_html/wp-includes/plugin.php on line 406
AND… the horizontal tab display has gone wonky and is now displaying everything in one vertical list…
Help? *sobs*
Jon (Member)
Right, think I may have solved it, PHP errors aside!
Seems I’d added the js version numbers to the end of the rules in my firewall whitelist! Changed it to this:
/wordpress-seo/js/wp-seo-admin-global.js, /bulletproof-security/admin/js/bulletproof-security-admin-2.js
After updating, this seems to be working again. This returned the tabs and display to their rightful settings and I haven’t had another security error come up yet.
One thing I can’t seem to do, however, and which may have helped me work out the problem, is get my Firewall test mode working. It just comes up with the 403 error screen and doesn’t change on refresh.
So, just that and the PHP errors to work out… *cracks knuckles and goes back to the grindstone*
Jon (Member)
Is there any way to avoid having to whitelist every single js process individually? It seems every single one of my javascript processes is throwing up a security log entry, often many different processes per plugin. Have just installed WooCommerce, for example, and am getting loads up every time I try to change a single settings page.
I’ve tried whitelisting the entire folder /woocommerce/ but this doesn’t seem to be working. I keep getting security notices for all the scripts in subfolders etc.
e.g.
/woocommerce/assets/js/admin/woocommerce_admin.min.js
/woocommerce/assets/js/chosen/chosen.jquery.min.js
/woocommerce/assets/js/jquery-tiptip/jquery.tipTip.min.js
/woocommerce/assets/js/jquery-placeholder/jquery.placeholder.min.js
and so on, just trying to change the main settings page!
Am I missing something here? All items in the whitelist follow the format: /itemname/, (with the comma and space following the forward slash). I thought this would work, from another post in the forum, or do I need to list each subfolder individually?
AITpro Admin (Keymaster)
The Plugin Firewall whitelist rules can use regular expressions (Regex) to simplify whitelisting plugins that have a large number of frontloading js scripts.
This whitelist rule /woocommerce/assets/js/(.*).js will whitelist all of the plugin scripts shown below. (.*) in Regex means “match anything”.
/woocommerce/assets/js/admin/woocommerce_admin.min.js
/woocommerce/assets/js/chosen/chosen.jquery.min.js
/woocommerce/assets/js/jquery-tiptip/jquery.tipTip.min.js
/woocommerce/assets/js/jquery-placeholder/jquery.placeholder.min.js
You do not need to whitelist the /bulletproof-security/admin/js/bulletproof-security-admin-2.js BPS Pro js script because it is not a front loading plugin script and only loads in BPS Pro plugin pages and nowhere else.
If the Plugin Firewall Test Mode is not working on your particular website/Server then these are the things that I have discovered that will prevent it from working correctly: A plugin that blocks iframes in general, VPN protection security software, minifying plugins, copyright protection plugins and a Server setting or configuration that breaks the iframe. You can still grab all of the plugin scripts that need to be added to your Plugin Firewall whitelist from your Security Log. It is of course less convenient to have to use this method, but if you have no choice then it is just a matter of doing the necessary manual copy and pastes (luckily this is a one time deal).
Regarding the php errors they may be related to the process of setting up the Plugin Firewall so after you have the Plugin Firewall setup if you see any php errors this is how you would handle them.
AITpro Admin (Keymaster)
If you want to email me your Security Log file then I will post your plugin scripts whitelist rules for your website. Send your Security log file to info at ait-pro dot com. Thanks.
Jon (Member)
It wasn’t until I whitelisted the /bulletproof-security/admin/js/bulletproof-security-admin-2.js BPS Pro js script that the admin area started displaying properly.
If it doesn’t need to be whitelisted then why is it being blocked/picked up by my security error log? Have I somehow got it setup to block back-end javascript as well?
There’s no real content on the front end of my site yet. All of the changes I’m making are in the wp-admin area, just setting up plugins and trying to save settings etc.
Would the Regex rule apply to the base plugin folder, as well? Such as: /woocommerce/(.*).js ? Is this the reason why my folder whitelist wasn’t working, being just: /woocommerce/ ?
I can try disabling my other plugins and see if I can get into the firewall test mode, but I’m dreading the process because it pops up with so many errors that then require resetting (security/php and ARQ logs, .htaccess, firewall and wp-config resets etc.). It takes forever to get it setup properly again… 🙁
Jon (Member)
I’ve forwarded a copy of my log file, as per the above.
The errors generated are the ones I have come across so far while trying to setup my admin area (installing plugins and changing settings) in the WordPress back end. Will I need to comb through all my plugins and whitelist all js functions for front end as well, or is there a way to whitelist my plugins by default, or even turn off the plugin firewall?
AITpro Admin (Keymaster)
The Plugin Firewall [obsolete-removed] is ONLY designed to test the front end of your website not the backend/Admin area without going into the technical details of why that is so.
You have a very large number of frontloading plugin scripts so yeah you were getting a lot of logged errors.
/google-custom-search/js/gsc.js
/jetpack/modules/after-the-deadline/atd-autoproofread.js
/jetpack/_inc/spin.js
/jetpack/_inc/jetpack.js
/jetpack/_inc/jquery.spin.js
/jetpack/_inc/gallery-settings.js
/jetpack/modules/wpgroho.js
/jetpack/modules/after-the-deadline/jquery.atd.js
/jetpack/modules/after-the-deadline/install_atd_l10n.js
/jetpack/modules/after-the-deadline/jquery.atd.js
/jetpack/modules/after-the-deadline/atd.core.js
/jetpack/modules/after-the-deadline/atd-autoproofread.js
/jetpack/modules/after-the-deadline/atd-nonvis-editor-plugin.js
/jetpack/modules/after-the-deadline/atd-autoproofread.js
/jetpack/modules/sharedaddy/sharing.js
/jetpack/modules/sharedaddy/admin-sharing.js
/jetpack/modules/post-by-email/post-by-email.js
/nextgen-gallery/js/ngg.slideshow.min.js
/nextgen-gallery/shutter/shutter-reloaded.js
/nextgen-gallery/js/jquery.cycle.all.min.js
/woocommerce/assets/js/admin/jquery.flot.min.js
/woocommerce/assets/js/admin/dashboard_sales.min.js
/woocommerce/assets/js/admin/jquery.flot.resize.min.js
/woocommerce/assets/js/admin/woocommerce_admin.min.js
/woocommerce/assets/js/chosen/ajax-chosen.jquery.min.js
/woocommerce/assets/js/chosen/chosen.jquery.min.js
/woocommerce/assets/js/admin/jquery.flot.min.js
/woocommerce/assets/js/admin/jquery.flot.resize.min.js
/woocommerce/assets/js/frontend/add-to-cart.min.js
/woocommerce/assets/js/frontend/woocommerce.min.js
/woocommerce/assets/js/frontend/cart-fragments.min.js
/woocommerce/assets/js/jquery-tiptip/jquery.tipTip.min.js
/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js
/woocommerce/assets/js/jquery-placeholder/jquery.placeholder.min.js
/woocommerce/assets/js/jquery-cookie/jquery.cookie.min.js
/wordpress-seo/js/wp-seo-metabox.js
/wordpress-seo/js/jquery.qtip.min.js
/wordpress-seo/js/wp-seo-admin-global.js
/wsecure/js/basic.js
/w3-total-cache/pub/js/lightbox.js
/w3-total-cache/pub/js/metadata.js
You can simplify both woocommerce and jetpack plugin script whitelisting rules. Here are your Plugin Firewall whitelist rules that you can copy and paste to your Plugin Firewall Whitelist Text box. Then save them and activate the Plugin Firewall.
/google-custom-search/js/gsc.js, /jetpack/(.*).js, /nextgen-gallery/js/(.*).js, /nextgen-gallery/shutter/shutter-reloaded.js, /woocommerce/assets/js/(.*).js, /wordpress-seo/js/(.*).js, /wsecure/js/basic.js, /w3-total-cache/pub/js/(.*).js
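Added example (not part of the original thread and not BPS Pro code): a Python check that the whitelist rules posted above cover every script path pulled from Security Log REQUEST_URI lines once the ?ver= query string is stripped, plus a stricter form of each rule with literal dots and end anchors. It assumes rules are applied as unanchored regex searches against the path below /wp-content/plugins, which the thread does not confirm; the sample log lines, the example-plugin and example-json-endpoint paths, and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Whitelist text as posted in the thread (rules separated by comma + space).
WHITELIST = (
    "/google-custom-search/js/gsc.js, /jetpack/(.*).js, /nextgen-gallery/js/(.*).js, "
    "/nextgen-gallery/shutter/shutter-reloaded.js, /woocommerce/assets/js/(.*).js, "
    "/wordpress-seo/js/(.*).js, /wsecure/js/basic.js, /w3-total-cache/pub/js/(.*).js"
)
PLUGINS_PREFIX = "/wp-content/plugins"
# Constructed sample in the layout of the Security Log entries quoted in the thread.
SAMPLE_LOG = """\
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/plugins/wordpress-seo/js/wp-seo-admin-global.js?ver=1.4.1
REQUEST_URI: /wp-content/plugins/woocommerce/assets/js/chosen/chosen.jquery.min.js?ver=3.5.1
REQUEST_URI: /wp-content/plugins/example-plugin/js/example.js?ver=1.0
"""

def parse_rules(text):
    return [rule.strip() for rule in text.split(",") if rule.strip()]

def logged_script_paths(log_text):
    """Plugin-relative paths from REQUEST_URI lines, query string (?ver=...) removed."""
    paths = []
    for line in log_text.splitlines():
        if not line.startswith("REQUEST_URI:"):
            continue
        path = urlsplit(line.split(":", 1)[1].strip()).path
        rel = path[len(PLUGINS_PREFIX):]
        if path.startswith(PLUGINS_PREFIX + "/") and rel not in paths:
            paths.append(rel)
    return paths

def covering_rule(path, rules):
    """First rule found anywhere in the path (assumed: unanchored regex search)."""
    return next((r for r in rules if re.search(r, path)), None)

def tighten(rule):
    """Stricter form of a rule: literal dots, (.*) kept, anchored at both ends."""
    return "^" + "(.*)".join(re.escape(part) for part in rule.split("(.*)")) + "$"

def uncovered(log_text, rules):
    return [p for p in logged_script_paths(log_text) if covering_rule(p, rules) is None]

if __name__ == "__main__":
    rules = parse_rules(WHITELIST)
    odd = "/jetpack/example-json-endpoint.php"  # constructed path, not a real file
    print("not covered:", uncovered(SAMPLE_LOG, rules))
    print("loose rules match odd path:", covering_rule(odd, rules))
    print("tightened rules match odd path:", covering_rule(odd, [tighten(r) for r in rules]))
```

Under the stated assumption, the loose /jetpack/(.*).js rule also matches the constructed .php path because the unescaped dot matches any character and nothing anchors the end, while the tightened form matches only paths ending in .js.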
Jon (Member)
Wow! That’s fantastic! Thank you so much! That’s a huge help! 😀
*does a little dance for joy*
AITpro Admin (Keymaster)
Yep the Plugin Firewall is the biggest pain right now to deal with and I have tried every possible thing that I can think of to automate this more efficiently, but in cases like yours when the Plugin Firewall Test Mode does not work for whatever reason then good old fashioned manual copy and paste is the only route to take. 😉
Jon (Member)
Hehe! It always comes down to the basics. 😛
All those errors bar one have stopped, for now. Thank you so much.
The only one I’m still getting, and don’t really understand, is this one:
BPS PRO SECURITY / HTTP ERROR LOG
=================================
=================================
>>>>>>>>>>> 403 GET or Other Request Error Logged - 13 March 2013 - 16:04 <<<<<<<<<<<
REMOTE_ADDR: 86.15.61.21
Host Name: cpc14-pmth10-2-0-cust20.6-1.cable.virginmedia.com
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 141.101.98.212
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //domain/wp-admin/admin.php?page=bulletproof-security/admin/options.php
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/js/bulletproof-security-admin-2.js?ver=3.5.1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22
AITpro Admin (Keymaster)
Also this is a very important thing to note. You want to primarily protect/Firewall the php plugin scripts and not the js scripts. PHP plugin scripts are the plugin scripts that are targeted by hackers and not the plugin js scripts. Hackers will look for vulnerabilities/exploits in a plugin’s php scripts and then use that php script to inject code into plugin’s js scripts. So as long as the php scripts are all protected/Firewalled then the js scripts are also protected since the php plugin scripts can no longer be exploited. 😉
AITpro Admin (Keymaster)
Do you still have the Plugin Firewall [obsolete-removed] turned On? If so, then turn it Off. What I assume is happening is that [obsolete-removed] is still turned On. Also for good measure after you turn Off [obsolete-removed] then activate the Plugin Firewall again.
Jon (Member)
Aaaah, good to know! Uber-protection. Love it.
My test mode is off… Made sure off was selected and clicked save on/off options button to make sure, then did another save of the whitelist and reactivated the firewall.
Went into security and deleted the log, just to make sure I wasn’t reading old posts or getting myself confused, hit the reset time button and it came up with the same error.
BPS PRO SECURITY / HTTP ERROR LOG
=================================
=================================
>>>>>>>>>>> 403 GET or Other Request Error Logged - 13 March 2013 - 16:22 <<<<<<<<<<<
REMOTE_ADDR: 86.15.61.21
Host Name: cpc14-pmth10-2-0-cust20.6-1.cable.virginmedia.com
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 141.101.98.212
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //DOMAIN/wp-admin/admin.php?page=bulletproof-security/admin/options.php
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/js/bulletproof-security-admin-2.js?ver=3.5.1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22
AITpro Admin (Keymaster)
Ok, do you have the Plugin Firewall Test Mode window still open in another Browser tab/Browser window? Log out of your website, close your Browser application, relaunch your Browser application, clear your Browser cache, log back into your website and clear the W3TC plugin cache.