BPS Speed Boost Cache Custom Code Notice

[AITpro Admin]

@ FireMyst – Are you by any chance using the BPS POST Attack Protection Bonus Custom Code in your wp-admin htaccess file? Or have you modified that Bonus Custom Code in a way that it would block /wp-admin/ POST Requests?  The BPS POST Attack Protection Bonus Custom Code should only be used in the BPS Root htaccess file.  Also make sure you are not blocking POST Requests in your /wp-admin/ WordPress backend.

[FireMyst]

Hello:

I’ve resolved the issue. However, your code is triggering two MOD security rules.
Here they are for your information. Hopefully you can program a “work around” or alternative way.

The first rule violated is:

210580

was triggered as it’s apparently doing something with the

/etc/passwd

file? Or sending that phrase back that was matched.

Second rule violated is:

210410

with an

"invalid character request"

. Looks like you’re using something with live perl user agent?

THank you.

[AITpro Admin]

@ FireMyst – Unfortunately, the only solution is to whitelist what is being blocked by Mod Security in Mod Security.  It’s the same exact thing as when BPS blocks something legitimate in another plugin – we have to create a whitelist rule for whatever BPS is blocking in BPS htaccess code. 😉  Ironically what Mod Security is seeing as a “threat” is actually a BPS Security rule to protect against that same “threat”.  ie Mod Security is seeing the literal BPS htaccess security rule as an attack instead of what it is – a security defense rule.

[FireMyst]

At least you know what’s happening.

Thank you for the quick responses and suggestions that lead to a speedy resolution. 🙂

[AITpro Admin]

@ FireMyst – Thanks for posting the exact Mod Security SecRule/SecFilter rule numbers.  These are the BPS htaccess security rules below that Mod Security is seeing as a “threat”.

RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]

[Michael Slusher]

I have WT3C installed and I would like to disable the BPS Speed Boost Cache. Your instructions state to delete the BPS code from CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE but I cannot differentiate what is BPS code and what might be from WT3C (other than the block marked already as WT3C).

It might be easiest for all involved for you to have a simple clickable option box in the next update so we can enable/disable BPS cache without jumping through so many hoops. 😉

Here are the current contents of my custom code box 1 and I’ve BOLD-texted those BPS lines I think should be removed – did I get it right?:

<IfModule mod_headers.c>
# Using DENY will block all iFrames including iFrames on your own website
# Header set X-Frame-Options DENY
# Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
# Block other sites from displaying your website in iFrames
# Protects against Clickjacking
Header always append X-Frame-Options SAMEORIGIN
# Protects against Drive-by Download attacks
# Protects against MIME/Content/Data sniffing
Header set X-Content-Type-Options nosniff
</IfModule>

# BEGIN WEBSITE SPEED BOOST
# Time cheat sheet in seconds
# A86400 = 1 day
# A172800 = 2 days
# A2419200 = 1 month
# A4838400 = 2 months
# A29030400 = 1 year

# Test which ETag setting works best on your Host/Server/Website
# with Firefox Firebug, Firephp and Yslow benchmark tests.

# Create the ETag (entity tag) response header field
# This is probably not the optimum choice to use.
#FileETag MTime Size

# Remove the ETag (entity tag) response header field
# This is most likely the optimum choice to use.
Header unset ETag
FileETag none

<IfModule mod_expires.c>
ExpiresActive on
# ExpiresByType overrides the ExpiresDefault...
# cache expiration time of 2 days|A172800.
ExpiresDefault A172800
ExpiresByType image/jpg A4838400
ExpiresByType image/jpeg A4838400
ExpiresByType image/gif A4838400
ExpiresByType image/png A4838400
ExpiresByType image/bmp A4838400
ExpiresByType image/x-icon A4838400
ExpiresByType image/svg+xml A4838400
ExpiresByType text/javascript A4838400
ExpiresByType text/x-javascript A4838400 
ExpiresByType text/css A4838400
ExpiresByType text/html A4838400
ExpiresByType application/x-font-ttf A4838400
ExpiresByType application/x-font-woff A4838400
ExpiresByType font/opentype A4838400
ExpiresByType application/x-shockwave-flash A4838400
ExpiresByType application/x-javascript A4838400
ExpiresByType application/javascript A4838400
ExpiresByType video/mp4 A4838400
ExpiresByType video/ogg A4838400
ExpiresByType video/webm A4838400
</IfModule>

<IfModule mod_headers.c>
<FilesMatch "\.(js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|gif|jpg|jpeg|png|swf|webm)$">
Header append Cache-Control "public"
</FilesMatch>
<FilesMatch "\.(txt|html)$">
Header append Cache-Control "proxy-revalidate"
</FilesMatch>
<FilesMatch "\.(php|cgi|pl|htm|xml)$">
Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
Header set Pragma "no-cache"
</FilesMatch>
</IfModule>

<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
AddOutputFilterByType DEFLATE application/javascript application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/xml-dtd
AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
AddOutputFilterByType DEFLATE font/otf font/opentype application/font-otf application/x-font-otf
AddOutputFilterByType DEFLATE font/ttf font/truetype application/font-ttf application/x-font-ttf
AddOutputFilterByType DEFLATE image/svg+xml

# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
# END WEBSITE SPEED BOOST
# BEGIN W3TC Browser Cache
<IfModule mod_deflate.c>
 AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/bmp application/java application/msword application/vnd.ms-fontobject application/x-msdownload image/x-icon image/webp application/json application/vnd.ms-access application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.presentation application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text audio/ogg application/pdf application/vnd.ms-powerpoint image/svg+xml application/x-shockwave-flash image/tiff application/x-font-ttf application/vnd.ms-opentype audio/wav application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel
 <IfModule mod_mime.c>
 # DEFLATE by extension
 AddOutputFilter DEFLATE js css htm html xml
 </IfModule>
</IfModule>
<FilesMatch "\.(html|htm|rtf|rtx|svg|txt|xsd|xsl|xml|HTML|HTM|RTF|RTX|SVG|TXT|XSD|XSL|XML)$">
 <IfModule mod_headers.c>
 Header append Vary User-Agent env=!dont-vary
 </IfModule>
</FilesMatch>
<FilesMatch "\.(bmp|class|doc|docx|eot|exe|ico|webp|json|mdb|mpp|otf|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|pot|pps|ppt|pptx|svg|svgz|swf|tif|tiff|ttf|ttc|_ttf|wav|wri|woff|woff2|xla|xls|xlsx|xlt|xlw|BMP|CLASS|DOC|DOCX|EOT|EXE|ICO|WEBP|JSON|MDB|MPP|OTF|_OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|PDF|POT|PPS|PPT|PPTX|SVG|SVGZ|SWF|TIF|TIFF|TTF|TTC|_TTF|WAV|WRI|WOFF|WOFF2|XLA|XLS|XLSX|XLT|XLW)$">
 <IfModule mod_headers.c>
 Header unset Last-Modified
 </IfModule>
</FilesMatch>
# END W3TC Browser Cache
# BEGIN W3TC Page Cache core
<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /3000
 RewriteCond %{HTTPS} =on
 RewriteRule .* - [E=W3TC_SSL:_ssl]
 RewriteCond %{SERVER_PORT} =443
 RewriteRule .* - [E=W3TC_SSL:_ssl]
 RewriteCond %{HTTP:Accept-Encoding} gzip
 RewriteRule .* - [E=W3TC_ENC:_gzip]
 RewriteCond %{HTTP_COOKIE} w3tc_preview [NC]
 RewriteRule .* - [E=W3TC_PREVIEW:_preview]
 RewriteCond %{REQUEST_METHOD} !=POST
 RewriteCond %{QUERY_STRING} =""
 RewriteCond %{REQUEST_URI} \/$
 RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|w3tc_logged_out|wordpress_logged_in|wptouch_switch_toggle) [NC]
 RewriteCond "%{DOCUMENT_ROOT}/3000/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index%{ENV:W3TC_SSL}%{ENV:W3TC_PREVIEW}.html%{ENV:W3TC_ENC}" -f
 RewriteRule .* "/3000/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index%{ENV:W3TC_SSL}%{ENV:W3TC_PREVIEW}.html%{ENV:W3TC_ENC}" [L]
</IfModule>
# END W3TC Page Cache core

[AITpro Admin]

Yep, you guessed correctly.  BPS Speed Boost Cache code is also called WEBSITE SPEED BOOST.

[Author]

Posts