BPS Compatibility and opinions – Defender – Ninja Firewall

Home Forums BulletProof Security Pro BPS Compatibility and opinions – Defender – Ninja Firewall

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
  • #39268
    The Eldest Geek

    I’ve started reusing BPS (had recent HORRIBLE attacks with files being uploaded and executed from my /web (public_html) folder! and linux executables running from the hacked website).

    1) I would surely love (and be willing to pay for) some expert assistance.  Been running linux servers for almost 30 years and almost NEVER a hacking problem till a month ago!

    2) does BPS pay nice with Ninja Firewall and WPMU caching and defender anti-malware?


    AITpro Admin

    BPS Pro AutoRestore|Quarantine will quarantine any uploaded hacker files, but you need to first make sure that all of your websites under your host server are clean of all hacker files and code.  I created a help forum topic here with steps to cleanup a hacked hosting account/WordPress sites > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/. Important Note: Most likely your WordPress database does not contain any hacker code and does not need to be backed up or restored in the steps in the forum link above. You should skip any manual database steps in the forum link above and only do them if the manual file cleanup/repair steps do not completely remove all hacker files and code.

    I can assist you with the frontend stuff, but don’t really have the spare time to do any server-side stuff these days.

    Regarding compatibility with Ninja Firewall, I searched the forum and only found this 1 Topic > https://forum.ait-pro.com/forums/topic/are-these-plugins-working-with-bps-pro/, which explains some general help stuff.

    Regarding WPMU Caching, which is Hummingbird I assume, used to have 1 issue with BPS Pro, but that was fixed years ago. So BPS Pro and Hummingbird do play nice with each other.

    Regarding Defender Security by WPMU, I did not find any search results in this forum, which typically indicates there are not any compatibility issues, but any time you are using more than 1 WordPress security plugin there is a chance that some security features may overlap or conflict with each other. The typical solution for that is to use the overlapping security feature in 1 of the security plugins and turn off that security feature in the other security plugin.

    Check your BPS Pro Security Log for any Log entries that show any legitimate things being blocked in these plugins or any other plugins and post those Security Log entries in this forum and I’ll reply with a solution/fix.

    The Eldest Geek

    ok couple more questions.
    I get a notice about .htaccess in wp-content that breaks BPS – I put them in to prevent php execution.
    just remove them?
    also when I get an error like that is it safe to just rerun the setup wizard after situation has been fixed?
    can bps block based on geolocation? thats one think I have ninja doing. non-usa access is blocked…

    I’ve ‘cleaned’ the site by removing the obvious hacked files and installed bps on the site.
    i’m hoping it will prevent whatever allowed the hack in the first place!
    the file blog.php (obvious malwre) along with linux executables were present in the root (web/public_html) folder.
    got any expertise to make it worthwhile uploading them?

    ps cant reply to email because I’ve been blocked by several of the BL.

    Reporter seller_service
    06 Sep 2020
    php WP PHPmyadamin ABUSE blocked for 12h
    Attempts to probe for or exploit installed web applications such as a CMS like WordPress/Drupal, e-commerce solutions, forum software, phpMyAdmin and various other software plugins/solutions.Web App Attack

    Reporter Findus LeChat
    Attempt to hack WordPress Login, XMLRPC or other login

    02 Sep 2020
    chaangnoifulda.de [02/Sep/2020:13:16:17 +0200] “POST /wp-login.php HTTP/1.1″ 200 6667 ” … show more
    Attempts to probe for or exploit installed web applications such as a CMS like WordPress/Drupal, e-commerce solutions, forum software, phpMyAdmin and various other software plugins/solutions. Web App Attack

    Reporter computerdoc
    02 Sep 2020
    xmlrpc attack
    Attempts to probe for or exploit installed web applications such as a CMS like WordPress/Drupal, e-commerce solutions, forum software, phpMyAdmin and various other software plugins/solutions. Web App Attack

    The Eldest Geek

    Another issue  – trying to run mscan but cant seem to get it to run box keeps saying ‘refresh to get estimate time’ and I cant tell mscan ever actually runs.

    would LOVE to scan my cleaned website see if any of the folders have any nasties hiding!

    also – a couple of files from the hummingbird cache (part of WPMUDEV) have been quarantined.

    safe to exclude the /wphb-cache from the scan?

    AITpro Admin

    Yep, delete the .htaccess file in the wp-content folder or create bypass/skip rules for the /bulletproof-security/ plugin folder. Blocking PHP execution in the wp-content folder is known to break a lot of plugins and themes.

    You can rerun the Wizards at any time and over and over…

    BPS does not do any geolocation or IP blocking. BPS blocks by “bad actions” vs static IP address blocking. Note: The US has more hackers than any other country in the world. 😉

    If MScan is looping and not starting then choose and scan less folders at a time. Note: MScan is very, very sensitive and does detect a lot of false positives. I never got around to making MScan user-friendly. Currently you have to be a coder or at least know the difference between legit/harmless code and malicious code for MScan to be useful to you.

    Yep, to exclude any plugin’s cache folder under the wp-content folder use the > AutoRestore|Quarantine steps for creating wp-content folder and single file exclude rules here > http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#autorestore-exclude-rules

    The Eldest Geek

    ok yes its been quarantining hummingbird (wpmudev cache).

    but also now worried – wpmudev also auto-updates all the sites checking for updated versions of plugins.

    also I manage with infinitewp and it too may do lots of updates for me!

    dont want bps replacing all the updated plugins with the original older versions! unlike hummingbird it could update ANY wp-content folders!

    AITpro Admin

    AutoRestore Automation uses AJAX trigger functions and hooks into the WP upgrader_pre_install and upgrader_post_install filters. So as long as InfiniteWP is also hooking into the WP upgrader_pre_install and upgrader_post_install filters then everything will work seamlessly.  I know for a fact that ManageWP does hook into the WP upgrader_pre_install and upgrader_post_install filters.  So I assume InfiniteWP is doing that as well. To test this do a remote upgrade/install of WordPress, a Plugin or your Theme and see if there is a problem or not.

    To put ARQ Automation in laymans terms – AutoRestore “listens” for when the WP Upgrader filters are being applied and then performs relevant automated tasks depending on whether the Upgrader is in pre-installation or post-installation. ie ARQ Automation automatically turns itself Off, backs up any new files and then turns itself back On. Whether the WordPress API server or the ManageWP API server or any other API server triggers the WP Upgrader function/filters, AutoRestore will also do what it does automatically based on whichever WP Upgrader filters are currently being applied.

    The Eldest Geek

    starting to get the hang of things – but I have 2 mildly annoying issues:

    I get LOTS of php error log entries. and here are some examples:

    [10-Nov-2020 00:16:10 UTC] PHP Warning: mkdir(): File exists in /var/www/clients/client0/web8/web/wp-content/plugins/wp-hummingbird/core/class-logger.php on line 184
    [10-Nov-2020 00:27:43 UTC]
    [10-Nov-2020 00:34:14 UTC]
    [10-Nov-2020 00:40:31 UTC]
    [10-Nov-2020 00:59:11 UTC]
    [10-Nov-2020 01:06:23 UTC]
    [10-Nov-2020 01:15:12 UTC]
    [10-Nov-2020 01:25:23 UTC]
    [10-Nov-2020 01:32:08 UTC]
    [10-Nov-2020 01:37:33 UTC]
    [10-Nov-2020 01:45:29 UTC]
    [10-Nov-2020 02:04:13 UTC]
    [10-Nov-2020 02:11:00 UTC]
    [10-Nov-2020 02:17:53 UTC]
    [10-Nov-2020 02:30:08 UTC]
    [10-Nov-2020 02:41:51 UTC]
    [10-Nov-2020 02:59:25 UTC]
    [10-Nov-2020 03:08:39 UTC]
    [10-Nov-2020 03:14:07 UTC]
    [10-Nov-2020 03:21:16 UTC]
    [10-Nov-2020 03:36:08 UTC]
    [10-Nov-2020 03:38:49 UTC]
    [10-Nov-2020 03:46:05 UTC]
    [10-Nov-2020 03:49:57 UTC]
    [10-Nov-2020 04:08:48 UTC]
    [10-Nov-2020 04:15:12 UTC]
    [10-Nov-2020 04:21:07 UTC]
    [10-Nov-2020 04:39:46 UTC]
    [10-Nov-2020 04:45:02 UTC]
    [10-Nov-2020 05:09:44 UTC]
    [10-Nov-2020 05:16:20 UTC]
    [10-Nov-2020 05:40:23 UTC]
    [10-Nov-2020 05:46:39 UTC]
    [10-Nov-2020 05:48:07 UTC]
    [10-Nov-2020 06:14:14 UTC]
    [10-Nov-2020 06:54:30 UTC]
    [10-Nov-2020 07:09:50 UTC]
    [10-Nov-2020 08:50:11 UTC]
    [10-Nov-2020 09:03:41 UTC] PHP Warning: filetype(): open_basedir restriction in effect. File(/var/www/clients/client0/web8/web/web82) is not within the allowed path(s): (/var/www/clients/client0/web8/web:/var/www/clients/client0/web8/private:/var/www/clients/client0/web8/tmp:/var/www/theeldestgeek.com/web:/srv/www/theeldestgeek.com/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom) in /var/www/clients/client0/web8/web/wp-content/plugins/wp-defender/vendor/hammer/base/file.php on line 205
    [10-Nov-2020 09:08:18 UTC] PHP Warning: filetype(): open_basedir restriction in effect. File(/var/www/clients/client0/web8/web/web82) is not within the allowed path(s): (/var/www/clients/client0/web8/web:/var/www/clients/client0/web8/private:/var/www/clients/client0/web8/tmp:/var/www/theeldestgeek.com/web:/srv/www/theeldestgeek.com/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom) in /var/www/clients/client0/web8/web/wp-content/plugins/wp-defender/vendor/hammer/base/file.php on line 205
    [10-Nov-2020 09:08:54 UTC]
    [10-Nov-2020 10:33:26 UTC]
    [10-Nov-2020 11:24:57 UTC]
    [10-Nov-2020 12:39:06 UTC]
    [10-Nov-2020 13:55:08 UTC]
    [10-Nov-2020 15:02:50 UTC]
    [10-Nov-2020 15:47:26 UTC]
    [10-Nov-2020 17:20:10 UTC]
    [10-Nov-2020 17:45:55 UTC]
    [10-Nov-2020 18:08:39 UTC]
    [10-Nov-2020 18:13:39 UTC]
    [10-Nov-2020 18:18:48 UTC]
    [10-Nov-2020 18:19:29 UTC]
    [10-Nov-2020 18:26:36 UTC]
    [10-Nov-2020 18:32:40 UTC]
    [10-Nov-2020 18:37:09 UTC]
    [10-Nov-2020 18:43:10 UTC]
    [10-Nov-2020 18:48:55 UTC]
    [10-Nov-2020 18:55:56 UTC]
    [10-Nov-2020 19:19:43 UTC]
    [10-Nov-2020 19:25:12 UTC]
    [10-Nov-2020 19:29:20 UTC]
    [10-Nov-2020 19:44:35 UTC]
    [10-Nov-2020 19:48:44 UTC]
    [10-Nov-2020 19:54:19 UTC]
    [10-Nov-2020 20:08:09 UTC]
    [10-Nov-2020 20:17:24 UTC]
    [10-Nov-2020 20:31:05 UTC]
    [10-Nov-2020 20:41:09 UTC]
    [10-Nov-2020 21:00:01 UTC]
    [10-Nov-2020 21:07:40 UTC]
    [10-Nov-2020 21:25:08 UTC]
    [10-Nov-2020 21:28:26 UTC]
    [10-Nov-2020 21:34:35 UTC]
    [10-Nov-2020 21:36:24 UTC]
    [10-Nov-2020 21:52:52 UTC]
    [10-Nov-2020 22:07:32 UTC]
    [10-Nov-2020 22:11:49 UTC]
    [10-Nov-2020 22:31:15 UTC]
    [10-Nov-2020 22:35:14 UTC]
    [10-Nov-2020 22:45:34 UTC]
    [10-Nov-2020 22:55:16 UTC]
    [10-Nov-2020 23:00:34 UTC]
    [10-Nov-2020 23:05:38 UTC]
    [10-Nov-2020 23:21:41 UTC]
    [10-Nov-2020 23:26:18 UTC]
    [10-Nov-2020 23:31:59 UTC]
    [10-Nov-2020 23:47:17 UTC]
    [10-Nov-2020 23:48:18 UTC]
    [10-Nov-2020 23:52:43 UTC]
    [10-Nov-2020 23:56:44 UTC]
    [11-Nov-2020 00:18:40 UTC]
    [11-Nov-2020 00:40:18 UTC]
    [11-Nov-2020 00:45:28 UTC]
    [11-Nov-2020 00:46:35 UTC]
    [11-Nov-2020 01:11:23 UTC]
    [11-Nov-2020 01:13:10 UTC]
    [11-Nov-2020 01:34:41 UTC]
    [11-Nov-2020 01:40:16 UTC]
    [11-Nov-2020 01:45:08 UTC]
    [11-Nov-2020 01:50:10 UTC]
    [11-Nov-2020 02:02:08 UTC]
    [11-Nov-2020 02:06:26 UTC]
    [11-Nov-2020 02:13:32 UTC]
    [11-Nov-2020 02:28:07 UTC]
    [11-Nov-2020 02:33:58 UTC]
    [11-Nov-2020 02:39:28 UTC]
    [11-Nov-2020 02:54:47 UTC]
    [11-Nov-2020 03:01:14 UTC]
    [11-Nov-2020 03:06:10 UTC]
    [11-Nov-2020 03:11:38 UTC]
    [11-Nov-2020 03:23:25 UTC]
    [11-Nov-2020 03:28:24 UTC]
    [11-Nov-2020 03:34:18 UTC]
    [11-Nov-2020 03:50:46 UTC]
    [11-Nov-2020 03:56:21 UTC]
    [11-Nov-2020 04:01:37 UTC]
    [11-Nov-2020 04:02:04 UTC]
    [11-Nov-2020 04:13:27 UTC]
    [11-Nov-2020 04:17:52 UTC]
    [11-Nov-2020 04:22:44 UTC]
    [11-Nov-2020 04:29:22 UTC]
    [11-Nov-2020 04:46:43 UTC]
    [11-Nov-2020 04:58:04 UTC]
    [11-Nov-2020 05:13:47 UTC]
    [11-Nov-2020 05:20:07 UTC]
    [11-Nov-2020 05:25:32 UTC]
    [11-Nov-2020 05:41:44 UTC]
    [11-Nov-2020 05:47:30 UTC]
    [11-Nov-2020 05:52:35 UTC]
    [11-Nov-2020 06:11:21 UTC]
    [11-Nov-2020 06:23:46 UTC]
    [11-Nov-2020 06:24:17 UTC]
    [11-Nov-2020 06:31:49 UTC]
    [11-Nov-2020 06:41:00 UTC]
    [11-Nov-2020 06:49:23 UTC]
    [11-Nov-2020 06:52:12 UTC]
    [11-Nov-2020 06:56:34 UTC]
    [11-Nov-2020 07:06:32 UTC]
    [11-Nov-2020 07:13:07 UTC]
    [11-Nov-2020 07:22:49 UTC]
    [11-Nov-2020 07:26:59 UTC]
    [11-Nov-2020 07:30:39 UTC]
    [11-Nov-2020 07:32:07 UTC]
    [11-Nov-2020 07:42:01 UTC]
    [11-Nov-2020 07:44:19 UTC]
    [11-Nov-2020 08:06:32 UTC]
    [11-Nov-2020 08:52:33 UTC]
    [11-Nov-2020 09:01:24 UTC] PHP Warning: filetype(): open_basedir restriction in effect. File(/var/www/clients/client0/web8/web/web82) is not within the allowed path(s): (/var/www/clients/client0/web8/web:/var/www/clients/client0/web8/private:/var/www/clients/client0/web8/tmp:/var/www/theeldestgeek.com/web:/srv/www/theeldestgeek.com/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom) in /var/www/clients/client0/web8/web/wp-content/plugins/wp-defender/vendor/hammer/base/file.php on line 205
    [11-Nov-2020 09:25:13 UTC]
    [11-Nov-2020 09:53:28 UTC]
    [11-Nov-2020 10:03:26 UTC]
    [11-Nov-2020 12:26:36 UTC]
    [11-Nov-2020 13:07:22 UTC]
    [11-Nov-2020 14:54:17 UTC]
    [11-Nov-2020 15:57:25 UTC]
    [11-Nov-2020 16:05:10 UTC]
    [11-Nov-2020 18:04:55 UTC]
    [11-Nov-2020 19:55:54 UTC]
    [11-Nov-2020 20:35:26 UTC]
    [11-Nov-2020 20:44:02 UTC]
    [11-Nov-2020 21:28:08 UTC]
    [11-Nov-2020 22:10:22 UTC]

    so I can suss many out but why all the time stamps with no error? and warnings being logged. (many of the errors are from bps itself).  can I restrict it to errors not just warnings and info? if so where?

    also – different thing – .htaccess keeps being quarantined.  dont see any obvious changes being made, but it happens frequently and I tried locking it – and immediately was not able to access the site!  had to delete bps- folder to get back in!

    yes its obviously something else (I have infinitewp, wpmudev etc running) – so can I tell bps to NOT care about .htaccess???


    AITpro Admin

    A php error log is only supposed to used to log php errors and not used as a personal log file by a plugin or anything else. So something else that you have installed is incorrectly logging log entries to the your php error log file. Looks like it is probably the wp hummingbird plugin.

    The simplest solution for the root htaccess file issue is to simply exclude the root htaccess file from being checked by ARQ IDPS. Use the AutoRestore > Add|Exclude Other Folders & Files > Exclude Folders & Files tool > choose the Exclude an Individual file option > enter the path to your root htaccess file > click the Exclude button.

    open_basedir comes with its own set of headaches. So you may want to rethink using that PHP config option. 😉

Viewing 9 posts - 1 through 9 (of 9 total)
  • You must be logged in to reply to this topic.