BPS Speed Boost Cache Custom Code Notice
- This topic has 21 replies, 4 voices, and was last updated 7 years, 5 months ago by AITpro Admin.
AITpro Admin (Keymaster)
@ FireMyst – Are you by any chance using the BPS POST Attack Protection Bonus Custom Code in your wp-admin htaccess file? Or have you modified that Bonus Custom Code in a way that it would block /wp-admin/ POST Requests? The BPS POST Attack Protection Bonus Custom Code should only be used in the BPS Root htaccess file. Also make sure you are not blocking POST Requests in your /wp-admin/ WordPress backend.
FireMyst (Participant)
Hello:
I’ve resolved the issue. However, your code is triggering two MOD security rules.
Here they are for your information. Hopefully you can program a “work around” or alternative way.
The first rule violated is: 210580 was triggered as it’s apparently doing something with the /etc/passwd file? Or sending that phrase back that was matched.
Second rule violated is: 210410 with an "invalid character request". Looks like you’re using something with live perl user agent?
Thank you.
AITpro Admin (Keymaster)
@ FireMyst – Unfortunately, the only solution is to whitelist what is being blocked by Mod Security in Mod Security. It’s the same exact thing as when BPS blocks something legitimate in another plugin – we have to create a whitelist rule for whatever BPS is blocking in BPS htaccess code. 😉 Ironically what Mod Security is seeing as a “threat” is actually a BPS Security rule to protect against that same “threat”. ie Mod Security is seeing the literal BPS htaccess security rule as an attack instead of what it is – a security defense rule.
FireMyst (Participant)
At least you know what’s happening.
Thank you for the quick responses and suggestions that led to a speedy resolution. 🙂
AITpro Admin (Keymaster)
@ FireMyst – Thanks for posting the exact Mod Security SecRule/SecFilter rule numbers. These are the BPS htaccess security rules below that Mod Security is seeing as a “threat”.
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
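The whitelisting described above, as an added example that is not part of the original thread and is not BPS or hosting-provider configuration: a ModSecurity 2.x exclusion that switches off the two reported rule IDs only for POST requests under /wp-admin/, shown beside the site-wide form it replaces. The local rule id 1000001 and the /wp-admin/ scope are assumptions; take the exact URL to scope on from the ModSecurity audit log entry for the blocked request.

```apache
# Added example (ModSecurity 2.x, Apache server or vhost configuration).
# Rule id 1000001 is a hypothetical local id; pick one unused on your server.

# Too broad: removes both rules for every request to the site, so the
# protection they give is lost on the public front end as well.
# SecRuleRemoveById 210580 210410

# Scoped: skip rules 210580 and 210410 only for POST requests under
# /wp-admin/, where the htaccess rule text is submitted as form data.
# Load this before the vendor rule set so it runs ahead of those rules.
# The ctl actions sit on the last rule of the chain so they fire only
# when both conditions have matched.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1000001,phase:1,t:none,pass,nolog,chain"
    SecRule REQUEST_URI "@beginsWith /wp-admin/" \
        "t:none,ctl:ruleRemoveById=210580,ctl:ruleRemoveById=210410"
```

On shared hosting this file is usually controlled by the host, so the exclusion has to be requested from them.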
Michael Slusher (Participant)
I have W3TC installed and I would like to disable the BPS Speed Boost Cache. Your instructions state to delete the BPS code from CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE but I cannot differentiate what is BPS code and what might be from W3TC (other than the block marked already as W3TC).
It might be easiest for all involved for you to have a simple clickable option box in the next update so we can enable/disable BPS cache without jumping through so many hoops. 😉
Here are the current contents of my custom code box 1 and I’ve BOLD-texted those BPS lines I think should be removed – did I get it right?:
<IfModule mod_headers.c>
# Using DENY will block all iFrames including iFrames on your own website
# Header set X-Frame-Options DENY
# Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
# Block other sites from displaying your website in iFrames
# Protects against Clickjacking
Header always append X-Frame-Options SAMEORIGIN
# Protects against Drive-by Download attacks
# Protects against MIME/Content/Data sniffing
Header set X-Content-Type-Options nosniff
</IfModule>

# BEGIN WEBSITE SPEED BOOST
# Time cheat sheet in seconds
# A86400 = 1 day
# A172800 = 2 days
# A2419200 = 1 month
# A4838400 = 2 months
# A29030400 = 1 year

# Test which ETag setting works best on your Host/Server/Website
# with Firefox Firebug, Firephp and Yslow benchmark tests.

# Create the ETag (entity tag) response header field
# This is probably not the optimum choice to use.
#FileETag MTime Size

# Remove the ETag (entity tag) response header field
# This is most likely the optimum choice to use.
Header unset ETag
FileETag none

<IfModule mod_expires.c>
ExpiresActive on
# ExpiresByType overrides the ExpiresDefault...
# cache expiration time of 2 days|A172800.
ExpiresDefault A172800
ExpiresByType image/jpg A4838400
ExpiresByType image/jpeg A4838400
ExpiresByType image/gif A4838400
ExpiresByType image/png A4838400
ExpiresByType image/bmp A4838400
ExpiresByType image/x-icon A4838400
ExpiresByType image/svg+xml A4838400
ExpiresByType text/javascript A4838400
ExpiresByType text/x-javascript A4838400
ExpiresByType text/css A4838400
ExpiresByType text/html A4838400
ExpiresByType application/x-font-ttf A4838400
ExpiresByType application/x-font-woff A4838400
ExpiresByType font/opentype A4838400
ExpiresByType application/x-shockwave-flash A4838400
ExpiresByType application/x-javascript A4838400
ExpiresByType application/javascript A4838400
ExpiresByType video/mp4 A4838400
ExpiresByType video/ogg A4838400
ExpiresByType video/webm A4838400
</IfModule>

<IfModule mod_headers.c>
<FilesMatch "\.(js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|gif|jpg|jpeg|png|swf|webm)$">
Header append Cache-Control "public"
</FilesMatch>
<FilesMatch "\.(txt|html)$">
Header append Cache-Control "proxy-revalidate"
</FilesMatch>
<FilesMatch "\.(php|cgi|pl|htm|xml)$">
Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
Header set Pragma "no-cache"
</FilesMatch>
</IfModule>

<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
AddOutputFilterByType DEFLATE application/javascript application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/xml-dtd
AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
AddOutputFilterByType DEFLATE font/otf font/opentype application/font-otf application/x-font-otf
AddOutputFilterByType DEFLATE font/ttf font/truetype application/font-ttf application/x-font-ttf
AddOutputFilterByType DEFLATE image/svg+xml

# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
# END WEBSITE SPEED BOOST

# BEGIN W3TC Browser Cache
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/bmp application/java application/msword application/vnd.ms-fontobject application/x-msdownload image/x-icon image/webp application/json application/vnd.ms-access application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.presentation application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text audio/ogg application/pdf application/vnd.ms-powerpoint image/svg+xml application/x-shockwave-flash image/tiff application/x-font-ttf application/vnd.ms-opentype audio/wav application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel
    <IfModule mod_mime.c>
        # DEFLATE by extension
        AddOutputFilter DEFLATE js css htm html xml
    </IfModule>
</IfModule>
<FilesMatch "\.(html|htm|rtf|rtx|svg|txt|xsd|xsl|xml|HTML|HTM|RTF|RTX|SVG|TXT|XSD|XSL|XML)$">
    <IfModule mod_headers.c>
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
</FilesMatch>
<FilesMatch "\.(bmp|class|doc|docx|eot|exe|ico|webp|json|mdb|mpp|otf|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|pot|pps|ppt|pptx|svg|svgz|swf|tif|tiff|ttf|ttc|_ttf|wav|wri|woff|woff2|xla|xls|xlsx|xlt|xlw|BMP|CLASS|DOC|DOCX|EOT|EXE|ICO|WEBP|JSON|MDB|MPP|OTF|_OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|PDF|POT|PPS|PPT|PPTX|SVG|SVGZ|SWF|TIF|TIFF|TTF|TTC|_TTF|WAV|WRI|WOFF|WOFF2|XLA|XLS|XLSX|XLT|XLW)$">
    <IfModule mod_headers.c>
        Header unset Last-Modified
    </IfModule>
</FilesMatch>
# END W3TC Browser Cache

# BEGIN W3TC Page Cache core
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /3000
    RewriteCond %{HTTPS} =on
    RewriteRule .* - [E=W3TC_SSL:_ssl]
    RewriteCond %{SERVER_PORT} =443
    RewriteRule .* - [E=W3TC_SSL:_ssl]
    RewriteCond %{HTTP:Accept-Encoding} gzip
    RewriteRule .* - [E=W3TC_ENC:_gzip]
    RewriteCond %{HTTP_COOKIE} w3tc_preview [NC]
    RewriteRule .* - [E=W3TC_PREVIEW:_preview]
    RewriteCond %{REQUEST_METHOD} !=POST
    RewriteCond %{QUERY_STRING} =""
    RewriteCond %{REQUEST_URI} \/$
    RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|w3tc_logged_out|wordpress_logged_in|wptouch_switch_toggle) [NC]
    RewriteCond "%{DOCUMENT_ROOT}/3000/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index%{ENV:W3TC_SSL}%{ENV:W3TC_PREVIEW}.html%{ENV:W3TC_ENC}" -f
    RewriteRule .* "/3000/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index%{ENV:W3TC_SSL}%{ENV:W3TC_PREVIEW}.html%{ENV:W3TC_ENC}" [L]
</IfModule>
# END W3TC Page Cache core
AITpro Admin (Keymaster)
Yep, you guessed correctly. BPS Speed Boost Cache code is also called WEBSITE SPEED BOOST.