BPS Pro and Vaultpress

Viewing 15 posts - 1 through 15 (of 16 total)
  • #36427
    Tina Dubinsky
    Participant

    Hi,

    Back in August, I chose to purchase a subscription of Jetpack which comes with Vaultpress for backups.  I purchased it for other reasons but decided to make use of Vaultpress for peace of mind.  I had some initial issues with getting Vaultpress to start doing backups and while I found some older posts in relation to it their solutions did not help. This one post was most relevant to what I was seeing in my logs.

    https://forum.ait-pro.com/forums/topic/vaultpress-blockedforbidden-hacker-or-spammer/

    I too was using the BPS POST Attack Protection Bonus Custom Code, but the solution didn’t help. What did help was removing the bonus code completely.

    Just over two weeks later, the backups stopped again. I did a number of plugin updates on the 31st August when they stopped. I did begin using Gutenberg at the time as my theme and pro plugins were now compatible. Not sure if I did an update for BPS at the time either. I didn’t notice the backups for Vaultpress had stopped until 6 days later (Sept 6).

    Vaultpress have informed me that BPS is causing the backups to fail (because it’s protecting folders) and have asked me to remove the plugin, but I’m not happy with this solution.

    Is there anything I can do to give Vaultpress access without removing BPS Pro?

    Cheers

    -Tina

    #36428
    AITpro Admin
    Keymaster

    What exactly is happening?  Can you explain the problem in more detail?  Are you seeing error messages?  Are there Security Log entries?  Any information would be helpful to start troubleshooting the problem.

    #36429
    Tina Dubinsky
    Participant

    I’ve been seeing this in the log:

    [403 POST Request: August 21, 2018 - 10:03 am]
    BPS Pro: 13.7
    WP: 4.9.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 192.0.101.172
    Host Name: jobs13.misc.dca.vaultpress.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: https://vaultpress.com
    REQUEST_URI: /wp-load.php?action=plugins%3Als&doing_wp_cron=&vaultpress=true&vector=1534809793.5217&wp-admin=
    QUERY_STRING: action=plugins%3Als&doing_wp_cron=&vaultpress=true&vector=1534809793.5217&wp-admin=
    HTTP_USER_AGENT: Automattic/VaultPress/0.1
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

    And this is my recent truncated dialog with Vaultpress relevant to this issue:

    First email response

    When I review the backup logs for your site I’m seeing the following failure notice:

    Currently we are examining the plugins at /bulletproof-security/admin/images
    Curl Error #28, 'Connection timed out after 10001 milliseconds'
    

    Would it be possible for you to try removing the Bulletproof Security plugin as a test, then let us know, and we’ll start another backup to see if it completes (and to confirm if Bulletproof security is conflicting with VaultPress’ backup)? This is just a diagnostic step, so the plugin can be re-added afterwards, although please note that removing it will reset its options when you reinstall. The plugin appears to be protecting folders from even Jetpack, which is causing backups to fail, and that’s what we’re looking to confirm.

    Second email response after deactivating:

    I see the backup failed again due to the BulletProof Security plugin.
    Although you have deactivated the plugin, the files remain in your server.
    Can you please delete this plugin so we can try another backup?

    #36430
    AITpro Admin
    Keymaster

    The Security Log entry is pretty old so I assume those Security Log entries were from the POST Attack Protection Bonus Custom Code.

    BPS will block both the cURL request with standard root htaccess security rules and the BPS Pro Plugin Firewall blocks remote access to all plugin folders.  So yeah that type of request from Vaultpress is going to be blocked and would not work as a test to confirm or eliminate anything.  I have a hunch that Vaultpress now needs remote HTTP access to plugin files instead of access to plugin files locally.  I could be wrong since I am taking a wild guess based on the cURL test that Vaultpress used.  Try deactivating the BPS Pro Plugin Firewall and have Vaultpress test again.  Then try deactivating Root folder BulletProof Mode and have Vaultpress test again.  BPS Pro is a very advanced plugin that has On|Off capability for all BPS Pro security features.  See the standard BPS Pro troubleshooting steps here > https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    #36431
    AITpro Admin
    Keymaster

    Maybe you can just test Vaultpress backups without contacting Vaultpress support?  Not really sure how Vaultpress works these days.  The last time we looked at and tested Vaultpress was a few years ago and a lot could have changed since then.  If you can manually test Vaultpress backups then deactivate the BPS Pro Plugin Firewall and do a manual Vaultpress backup (test).  If that does not work then deactivate Root folder BulletProof Mode and do a manual Vaultpress backup (test).

    The only other 2 BPS Pro features that might be causing an issue would be wp-admin BulletProof Mode and AutoRestore.  You would try BPS Pro troubleshooting step #2 > 2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button. and BPS Pro troubleshooting step #9 > 9. If an issue/problem is related to files being autorestored and/or quarantined turn Off AutoRestore|Quarantine on the AutoRestore page.

    #36436
    Tina Dubinsky
    Participant

    Hi,

    Thanks for the ideas.  I’ll give them a go. I am still getting the same security logs even without the bonus code.  Here’s a more recent log entry:

    [403 POST Request: September 10, 2018 - 10:03 am]
    BPS Pro: 13.7
    WP: 4.9.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 192.0.100.139
    Host Name: jobs7.misc.dca.vaultpress.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: https://vaultpress.com
    REQUEST_URI: /wp-load.php?action=plugins%3Als&doing_wp_cron=&vaultpress=true&vector=1536537785.5156&wp-admin=
    QUERY_STRING: action=plugins%3Als&doing_wp_cron=&vaultpress=true&vector=1536537785.5156&wp-admin=
    HTTP_USER_AGENT: Automattic/VaultPress/0.1
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data
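
Added example (not part of the original thread, and not BPS or VaultPress code): a triage of Security Log entries in the format quoted above, separating blocks whose logged Host Name falls under the backup service's domain from blocks that only carry its User-Agent. It assumes the Host Name field is a reverse-DNS result; the function names, labels and the second sample entry are constructed for illustration.

```python
import re

# Constructed sample: the first entry is abridged from the Security Log format
# quoted in this thread; the second is invented for contrast (documentation IP).
SAMPLE_LOG = """\
[403 POST Request: September 10, 2018 - 10:03 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 192.0.100.139
Host Name: jobs7.misc.dca.vaultpress.com
HTTP_X_FORWARDED_FOR:
REQUEST_URI: /wp-load.php?action=plugins%3Als&doing_wp_cron=&vaultpress=true&vector=1536537785.5156&wp-admin=
HTTP_USER_AGENT: Automattic/VaultPress/0.1

[403 POST Request: September 11, 2018 - 2:15 am]
REMOTE_ADDR: 203.0.113.45
Host Name: host.example.net
REQUEST_URI: /wp-load.php?vaultpress=true
HTTP_USER_AGENT: Automattic/VaultPress/0.1
"""

HEADER = re.compile(r"^\[(\d{3}) (\w+) Request: (.+)\]$")

def parse_entries(text):
    """Split a log into one dict per entry; fields split on the first colon."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"status": m.group(1), "method": m.group(2), "time": m.group(3)})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def triage(entries, service_suffix=".vaultpress.com", service_ua="VaultPress"):
    """Label each blocked request by whether its logged host matches the service."""
    results = []
    for e in entries:
        host = e.get("Host Name", "").lower()
        # The leading dot in the suffix rejects look-alikes such as "notvaultpress.com".
        if host.endswith(service_suffix):
            label = "service-host"   # allow-rule candidate, pending a forward DNS check
        elif service_ua in e.get("HTTP_USER_AGENT", ""):
            label = "ua-only"        # names the service in the User-Agent only
        else:
            label = "other"
        results.append((e["time"], e.get("REMOTE_ADDR", ""), label))
    return results
```

A `service-host` result is only a candidate: the PTR record belongs to whoever controls the address, so resolve the logged name forward and confirm it returns the same REMOTE_ADDR before writing any allow rule.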

    #36440
    AITpro Admin
    Keymaster

    Go to the B-Core > htaccess File Editor tab page > click on the “Your Current Root htaccess File” tab > look through your currently active Root htaccess file code and look for the POST Attack Protection Bonus Custom Code in your Root htaccess file.  If you see the POST Attack Protection Bonus Custom Code in your Root htaccess file then go to the Custom Code tab page > click the Root htaccess File Custom Code accordion button > locate the POST Attack Protection Bonus Custom Code and delete it.  If you do not see the POST Attack Protection Bonus Custom Code then go to the Security Modes tab page and click the Root Folder BulletProof Mode Activate button to update your Root htaccess file, which will remove/delete the POST Attack Protection Bonus Custom Code in your Root htaccess file.

    #36488
    Tina Dubinsky
    Participant

    Hi again, sorry for dragging this out but I only have limited time to do web admin related work each week.

    So, with regards to your last post, I checked all the files but there is no POST Attack Protection Bonus Custom Code anywhere. I even FTP’d into the site and looked at the .htaccess file there.

    As this is an add-on domain, I also went and checked the main domain’s htaccess code and I’ve been through every other add-on domain in this account as well (another 5 sites), updated all . So, I don’t know why it’s being triggered in the log.

    Cheers

    -Tina

    #36489
    AITpro Admin
    Keymaster

    Does Vaultpress have a way to test Vaultpress backups?  So that you can do BPS standard troubleshooting steps to check to see what is causing the block.  Example:  You would deactivate root BulletProof Mode and run a Vaultpress backup test.  I have no idea what Vaultpress does or does not provide as far as option settings, testing, debugging, etc.

    #36490
    Tina Dubinsky
    Participant

    So, I don’t know if this could be causing problems (related or not). I found the master backups for the root htaccess files and decided to compare them since I had the backups working before the 31 August.  The difference between the files appears to be a swap in the following (there are three root htaccess files for the 31 August and all three have changes to the order of [s13] and [s14] when I compare them):

    This is a file comparison with Textpad.

    Compare: (<)C:\Users\Tiinsky_2\Desktop\bps\root.htaccess-2018-08-31-3-07-49-pm (13452 bytes)
    with: (>)C:\Users\Tiinsky_2\Desktop\bps\root.htaccess-2018-08-31-2-34-32-pm (13456 bytes)
    
    105,110c105,110
    < # WooCommerce order & wc-ajax= Query String skip/bypass rule
    < RewriteCond %{QUERY_STRING} .*(order|wc-ajax=).* [NC]
    < RewriteRule . - [S=14]
    <
    < # WooCommerce shop, cart, checkout & wishlist URI skip/bypass rule
    < RewriteCond %{REQUEST_URI} ^.*/(shop|cart|checkout|wishlist).* [NC]
    ---
    > # WooCommerce shop, cart, checkout & wishlist URI skip/bypass rule
    > RewriteCond %{REQUEST_URI} ^.*/(shop|cart|checkout|wishlist).* [NC]
    > RewriteRule . - [S=14]
    >
    > # WooCommerce order & wc-ajax= Query String skip/bypass rule
    > RewriteCond %{QUERY_STRING} .*(order|wc-ajax=).* [NC]
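
    Review bot: the comparison ends at line 110, one line before the RewriteRule that belongs to the second RewriteCond, so it cannot show whether the skip counts are still consistent. `RewriteRule . - [S=14]` stays at line 107 in both files and only the conditions in front of it swap; since the S flag skips the next N rules and is therefore positional, extend the comparison to line 111 and check that the rule there carries the count that fits its position and is not a second [S=14].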

    I did see this thread: https://forum.ait-pro.com/forums/topic/bps-setup-wizard-autofix-persistent-alert/page/2/  when looking into the same persistent alert message a few weeks ago. I ended up following the solution BPS offered in the above thread to remove the persistent alert.  This was the issue I raised a couple of weeks ago, but didn’t email you as I thought it had been solved with this thread. (My issue was slightly different in that one of these skip rules for woocommerce appeared twice and doubled on using [s14].)

    Something else I have noticed and I’m not sure if it’s normal or an issue is that my root htaccess does not have [s2] rule. It goes from [s1] to [s3]. Again, I don’t know if this is normal. Or, if I’m missing a rule. It appears to be consistent across all my sites.

    I’m currently experimenting with the solutions you suggested above relating to turning off certain areas of BPS Pro to see if that allows Vaultpress to work. Will let you know how I go with this.

    #36491
    AITpro Admin
    Keymaster

    To correct the htaccess code issue/problem go to BPS Root Custom Code > delete all the htaccess code in this Custom Code text box > 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES > click the Save Root Custom Code button > run the Pre-Installation Wizard and Setup Wizard again.  BPS Backup would not be related to Vaultpress in any way.

    #36494
    Tina Dubinsky
    Participant

    There are no options for testing. Unfortunately, I have to contact their support each time to run it.  I seem to get mixed messages about what’s causing the issue. Their latest email referenced the plugin folder as the problem. So, I’m just waiting on them now to try again with the plugin firewall turned off.

    #36495
    Tina Dubinsky
    Participant

    Back again.

    I deactivated BPS Plugin Firewall and we had the same result with the backup stopping when it reaches the BPS plugin folder.

    I deactivated the Root folder BulletProof Mode and the same thing happened again. This time I was given a little further information, in that it stops when it reaches (BPS)  “BFS htaccess directory, and then timing out altogether after examining /bulletproof-security/admin/lock.”

    Not sure if there is anything I can do about this.

    Cheers

    -Tina

    #36496
    AITpro Admin
    Keymaster

    Oh this is an easy problem to solve.  I misunderstood what Vaultpress was trying to do.  There is not any logical reason that I can think of for Vaultpress backing up the BPS plugin folder.  So all you need to do is add/create an exclude rule in Vaultpress to tell it NOT to backup the BPS plugin folder.  All backup plugins that I know of have the capability to exclude folders or files.  I assume Vaultpress has this same capability.

    #36497
    Tina Dubinsky
    Participant

    I already suggested this to them in my last email but unfortunately they can’t do it. It’s not how VaultPress is set up. They’ve told me their backup can’t be modified.

    Oh well, it was worth looking into. I like BPS’ backup but I only run it once a month and my host doesn’t like having backups stored on the server so it requires me to be more diligent with the backup emails that I am sent. And I haven’t been that diligent in the past.

    Thanks for working through this with me.

    -Tina
