BPS 6.5 default secure htaccess blocking cURL requests
Aimee
Participant
Hi there,
I noticed something new about the 6.5 secure htaccess file: out of the gate it’s not blocking UptimeRobot and also returns a 405 if I send a cURL request. I managed to solve the fact that UptimeRobot is blocked by using this, which I found on the forum (placed in “9. CUSTOM CODE REQUEST METHODS FILTERED”):
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(UptimeRobot|uptimerobot.com).* [NC]
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
But a single, personal cURL request from my machine still seems to be returning a 405 error.
Do I need to whitelist myself in this instance?
Aimee
Participant
I take that back. Adding that code did not allow Uptime to hit the site. I’m just getting notification it’s returning a 405 still.
AITpro Admin
Keymaster
Use the steps here to allow/whitelist all curl Requests > https://forum.ait-pro.com/forums/topic/mailchimp-embed-code-verification-gets-403/#post-40237. Note: HEAD Requests and curl Requests are typically just nuisance Bot Requests. So it is fine/safe to allow them.
To allow all HEAD Requests use this code:
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
Aimee
Participant
Hi thanks. This appears to be near identical (with the exception of two commented lines) to the code I posted in the OP which does not work. A cURL request from my machine is returning a 403 now instead of 405.
Other ideas?
AITpro Admin
Keymaster
Did you also do this additional fix?
Use the steps here to allow/whitelist all curl Requests > https://forum.ait-pro.com/forums/topic/mailchimp-embed-code-verification-gets-403/#post-40237. Note: HEAD Requests and curl Requests are typically just nuisance Bot Requests. So it is fine/safe to allow them.
Aimee
Participant
Hi thanks, sorry it’s taking so long for me to reply. The forum doesn’t seem to be sending me notification emails unfortunately. 😛 No, seems I missed that. I implemented that section of code and am receiving a 200 from my machine. Waiting to see what Uptime robot thinks but I’m hopeful!
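Added example, not part of the thread and not BPS code: a small Python model of the two REQUEST METHODS FILTERED variants posted above, showing which status that section alone gives for a given method and user agent. It assumes the plugin's 405.php answers with a 405 (the status the thread reports); the user-agent strings are constructed samples, and no other part of the htaccess file is modelled.

```python
import re

# A rule is (conditions, status). Conditions are (variable, pattern, negated)
# and are ANDed, like consecutive RewriteCond lines; [NC] -> re.IGNORECASE.
# 403 models the [F] flag. 405 models the rewrite to the plugin's 405.php
# (assumption: that script answers 405, as reported in the thread).
BLOCK_LIST = ([("method", r"^(TRACE|DELETE|TRACK|DEBUG)", False)], 403)

# Variant from the first post: HEAD is filtered unless the UA is UptimeRobot.
OP_VARIANT = [
    BLOCK_LIST,
    ([("method", r"^(HEAD)", False),
      ("user_agent", r"^.*(UptimeRobot|uptimerobot.com).*", True)], 405),
]

# Variant from the admin's reply: both HEAD lines are commented out.
ALLOW_HEAD_VARIANT = [BLOCK_LIST]


def evaluate(rules, method, user_agent):
    """Status produced by this section alone, or None if the request passes on."""
    request = {"method": method, "user_agent": user_agent}
    for conditions, status in rules:
        if all(bool(re.search(pattern, request[var], re.IGNORECASE)) != negated
               for var, pattern, negated in conditions):
            return status
    return None


# Constructed sample requests (user-agent strings are illustrative).
UPTIME_UA = "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
CURL_UA = "curl/8.5.0"
SAMPLES = [("HEAD", UPTIME_UA), ("HEAD", CURL_UA), ("GET", CURL_UA), ("TRACE", CURL_UA)]


def report():
    """Rows of (method, status under OP variant, status under allow-HEAD variant)."""
    return [(m, evaluate(OP_VARIANT, m, ua), evaluate(ALLOW_HEAD_VARIANT, m, ua))
            for m, ua in SAMPLES]


if __name__ == "__main__":
    for row in report():
        print(row)
```

In this model a GET is passed on by both variants, so a 403 or 405 on a GET is produced by some other part of the file, not by this section.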