BPS Speed Boost Cache Custom Code Notice

  • #33461
    AITpro Admin
    Keymaster

    @ FireMyst – Are you by any chance using the BPS POST Attack Protection Bonus Custom Code in your wp-admin htaccess file? Or have you modified that Bonus Custom Code in a way that it would block /wp-admin/ POST Requests?  The BPS POST Attack Protection Bonus Custom Code should only be used in the BPS Root htaccess file.  Also make sure you are not blocking POST Requests in your /wp-admin/ WordPress backend.

    #33462
    FireMyst
    Participant

    Hello:

    I’ve resolved the issue. However, your code is triggering two MOD security rules.
    Here they are for your information. Hopefully you can program a “work around” or alternative way.

    The first rule violated is: 210580 was triggered as it’s apparently doing something with the /etc/passwd file? Or sending that phrase back that was matched.

    Second rule violated is: 210410 with an "invalid character request". Looks like you’re using something with live perl user agent?

    Thank you.

    #33463
    AITpro Admin
    Keymaster

    @ FireMyst – Unfortunately, the only solution is to whitelist what is being blocked by Mod Security in Mod Security.  It’s the same exact thing as when BPS blocks something legitimate in another plugin – we have to create a whitelist rule for whatever BPS is blocking in BPS htaccess code. 😉  Ironically what Mod Security is seeing as a “threat” is actually a BPS Security rule to protect against that same “threat”.  ie Mod Security is seeing the literal BPS htaccess security rule as an attack instead of what it is – a security defense rule.

    #33464
    FireMyst
    Participant

    At least you know what’s happening.

    Thank you for the quick responses and suggestions that led to a speedy resolution. 🙂

    #33465
    AITpro Admin
    Keymaster

    @ FireMyst – Thanks for posting the exact Mod Security SecRule/SecFilter rule numbers.  These are the BPS htaccess security rules below that Mod Security is seeing as a “threat”.

    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]

    #33561
    Michael Slusher
    Participant

    I have W3TC installed and I would like to disable the BPS Speed Boost Cache. Your instructions state to delete the BPS code from CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE but I cannot differentiate what is BPS code and what might be from W3TC (other than the block marked already as W3TC).

    It might be easiest for all involved for you to have a simple clickable option box in the next update so we can enable/disable BPS cache without jumping through so many hoops. 😉

    Here are the current contents of my custom code box 1 and I’ve BOLD-texted those BPS lines I think should be removed – did I get it right?:

    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>
    
    # BEGIN WEBSITE SPEED BOOST
    # Time cheat sheet in seconds
    # A86400 = 1 day
    # A172800 = 2 days
    # A2419200 = 1 month
    # A4838400 = 2 months
    # A29030400 = 1 year
    
    # Test which ETag setting works best on your Host/Server/Website
    # with Firefox Firebug, Firephp and Yslow benchmark tests.
    
    # Create the ETag (entity tag) response header field
    # This is probably not the optimum choice to use.
    #FileETag MTime Size
    
    # Remove the ETag (entity tag) response header field
    # This is most likely the optimum choice to use.
    Header unset ETag
    FileETag none
    
    <IfModule mod_expires.c>
    ExpiresActive on
    # ExpiresByType overrides the ExpiresDefault...
    # cache expiration time of 2 days|A172800.
    ExpiresDefault A172800
    ExpiresByType image/jpg A4838400
    ExpiresByType image/jpeg A4838400
    ExpiresByType image/gif A4838400
    ExpiresByType image/png A4838400
    ExpiresByType image/bmp A4838400
    ExpiresByType image/x-icon A4838400
    ExpiresByType image/svg+xml A4838400
    ExpiresByType text/javascript A4838400
    ExpiresByType text/x-javascript A4838400 
    ExpiresByType text/css A4838400
    ExpiresByType text/html A4838400
    ExpiresByType application/x-font-ttf A4838400
    ExpiresByType application/x-font-woff A4838400
    ExpiresByType font/opentype A4838400
    ExpiresByType application/x-shockwave-flash A4838400
    ExpiresByType application/x-javascript A4838400
    ExpiresByType application/javascript A4838400
    ExpiresByType video/mp4 A4838400
    ExpiresByType video/ogg A4838400
    ExpiresByType video/webm A4838400
    </IfModule>
    
    <IfModule mod_headers.c>
    <FilesMatch "\.(js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|gif|jpg|jpeg|png|swf|webm)$">
    Header append Cache-Control "public"
    </FilesMatch>
    <FilesMatch "\.(txt|html)$">
    Header append Cache-Control "proxy-revalidate"
    </FilesMatch>
    <FilesMatch "\.(php|cgi|pl|htm|xml)$">
    Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
    Header set Pragma "no-cache"
    </FilesMatch>
    </IfModule>
    
    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/xml-dtd
    AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
    AddOutputFilterByType DEFLATE font/otf font/opentype application/font-otf application/x-font-otf
    AddOutputFilterByType DEFLATE font/ttf font/truetype application/font-ttf application/x-font-ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    
    # Drop problematic browsers
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
    
    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
    </IfModule>
    # END WEBSITE SPEED BOOST
    # BEGIN W3TC Browser Cache
    <IfModule mod_deflate.c>
     AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/bmp application/java application/msword application/vnd.ms-fontobject application/x-msdownload image/x-icon image/webp application/json application/vnd.ms-access application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.presentation application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text audio/ogg application/pdf application/vnd.ms-powerpoint image/svg+xml application/x-shockwave-flash image/tiff application/x-font-ttf application/vnd.ms-opentype audio/wav application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel
     <IfModule mod_mime.c>
     # DEFLATE by extension
     AddOutputFilter DEFLATE js css htm html xml
     </IfModule>
    </IfModule>
    <FilesMatch "\.(html|htm|rtf|rtx|svg|txt|xsd|xsl|xml|HTML|HTM|RTF|RTX|SVG|TXT|XSD|XSL|XML)$">
     <IfModule mod_headers.c>
     Header append Vary User-Agent env=!dont-vary
     </IfModule>
    </FilesMatch>
    <FilesMatch "\.(bmp|class|doc|docx|eot|exe|ico|webp|json|mdb|mpp|otf|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|pot|pps|ppt|pptx|svg|svgz|swf|tif|tiff|ttf|ttc|_ttf|wav|wri|woff|woff2|xla|xls|xlsx|xlt|xlw|BMP|CLASS|DOC|DOCX|EOT|EXE|ICO|WEBP|JSON|MDB|MPP|OTF|_OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|PDF|POT|PPS|PPT|PPTX|SVG|SVGZ|SWF|TIF|TIFF|TTF|TTC|_TTF|WAV|WRI|WOFF|WOFF2|XLA|XLS|XLSX|XLT|XLW)$">
     <IfModule mod_headers.c>
     Header unset Last-Modified
     </IfModule>
    </FilesMatch>
    # END W3TC Browser Cache
    # BEGIN W3TC Page Cache core
    <IfModule mod_rewrite.c>
     RewriteEngine On
     RewriteBase /3000
     RewriteCond %{HTTPS} =on
     RewriteRule .* - [E=W3TC_SSL:_ssl]
     RewriteCond %{SERVER_PORT} =443
     RewriteRule .* - [E=W3TC_SSL:_ssl]
     RewriteCond %{HTTP:Accept-Encoding} gzip
     RewriteRule .* - [E=W3TC_ENC:_gzip]
     RewriteCond %{HTTP_COOKIE} w3tc_preview [NC]
     RewriteRule .* - [E=W3TC_PREVIEW:_preview]
     RewriteCond %{REQUEST_METHOD} !=POST
     RewriteCond %{QUERY_STRING} =""
     RewriteCond %{REQUEST_URI} \/$
     RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|w3tc_logged_out|wordpress_logged_in|wptouch_switch_toggle) [NC]
     RewriteCond "%{DOCUMENT_ROOT}/3000/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index%{ENV:W3TC_SSL}%{ENV:W3TC_PREVIEW}.html%{ENV:W3TC_ENC}" -f
     RewriteRule .* "/3000/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index%{ENV:W3TC_SSL}%{ENV:W3TC_PREVIEW}.html%{ENV:W3TC_ENC}" [L]
    </IfModule>
    # END W3TC Page Cache core

    #33562
    AITpro Admin
    Keymaster

    Yep, you guessed correctly.  BPS Speed Boost Cache code is also called WEBSITE SPEED BOOST.
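
Added example, not BPS or W3TC code: a Python sketch that splits a Custom Code box on the `# BEGIN …` / `# END …` marker comments shown in the post above and removes only the WEBSITE SPEED BOOST block, leaving the unmarked security headers and the W3TC blocks untouched. The sample text is a constructed, shortened version of the posted contents, and the function names are hypothetical.

```python
import re

# Marker comments as they appear in the posted Custom Code box.
BEGIN = re.compile(r"^\s*#\s*BEGIN\s+(.+?)\s*$")
END = re.compile(r"^\s*#\s*END\s+(.+?)\s*$")

# Constructed, shortened sample of the posted contents.
SAMPLE = """\
<IfModule mod_headers.c>
Header always append X-Frame-Options SAMEORIGIN
</IfModule>
# BEGIN WEBSITE SPEED BOOST
Header unset ETag
<IfModule mod_expires.c>
ExpiresDefault A172800
</IfModule>
# END WEBSITE SPEED BOOST
# BEGIN W3TC Browser Cache
<IfModule mod_headers.c>
Header unset Last-Modified
</IfModule>
# END W3TC Browser Cache
"""

def split_blocks(text):
    """Return [(name or None, lines)] in file order; None = unmarked lines."""
    blocks, name, current = [], None, []
    for line in text.splitlines():
        begin = BEGIN.match(line)
        if begin and name is None:
            if current:
                blocks.append((None, current))
            name, current = begin.group(1), [line]
            continue
        current.append(line)
        end = END.match(line)
        if end and end.group(1) == name:
            blocks.append((name, current))
            name, current = None, []
    if name is not None:
        # Refuse to guess where a block ends; cutting to EOF could drop other rules.
        raise ValueError(f"no '# END {name}' marker found")
    if current:
        blocks.append((None, current))
    return blocks

def remove_block(text, name):
    """Drop one marked block; all other lines are kept unchanged."""
    kept = [l for n, lines in split_blocks(text) if n != name for l in lines]
    return "\n".join(kept) + "\n"
```

Calling `remove_block(SAMPLE, "WEBSITE SPEED BOOST")` returns the text with the X-Frame-Options header block and the W3TC block still present.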
