This topic has 20 replies, 13 voices, and was last updated 2 weeks, 6 days ago by Desmond.
OPTI PCSG (Participant):
Hello–recently started working at a new job which has BPS free installed on a WordPress website. I’m by no means an expert in security, but I’m trying to install a Woocommerce addon (constant-contact-woocommerce) that won’t allow me to ‘connect’ (authorize) the main Constant Contact website via the account. It gives a BPS 403 page.
I have solved the problem by disabling Root Folder BulletProof Mode (RBM), authorizing the plugin to link to the website and then re-enabling it. Then it works fine… for a few days. Then it is disconnected and I have to do the same thing again: disable the plugin, reactivate, turn off RBM, re-link and then I get another few days of usage. I’m not even sure this is BPS blocking it.
I’ve tried whitelisting it, but I’m probably doing it wrong. Is there any idea on how I can run both BPS and the Constant Contact plugin together on the site? I imagine there are some .htaccess rules involved, but again, I’m really out of my depth. Sorry if I am being vague or confusing.
I’d like to leave BPS installed if I could, though.
Thanks,
Jeff
AITpro Admin (Keymaster):
Go to the BPS Security Log page > copy any 403 log entries that could be related to the Constant Contact plugin and paste them in your forum reply. Is the plugin the official Constant Contact plugin > Constant Contact + WooCommerce > https://wordpress.org/plugins/constant-contact-woocommerce/
I just checked to see if anyone else is running into connection problems and several people are stating that the connection works then doesn’t work randomly > https://wordpress.org/support/plugin/constant-contact-woocommerce/reviews/
AITpro Admin (Keymaster):
I'll test the Constant Contact plugin later today on a WooCommerce site.
OPTI PCSG (Participant):
Hi, thanks so much for getting back to me.
Yes, that is the plugin, and yes, there are a lot of issues, unfortunately. (My bosses would rather keep the account though, so I'm trying to work with it.)
Anyhow, I looked for the security log and it wasn’t configured. I’ve set that up and reproduced the error and this appeared in the log:
[403 GET Request: 24th November 2021 - 10:06 am] BPS: 5.4 WP: 5.8.2 Event Code: WPADMIN-SBR Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: [ip removed] Host Name: [ip removed] SERVER_PROTOCOL: HTTP/1.0 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wc-auth/v1/authorize?app_name=Constant%20Contact&scope=read_write&user_id=[number removed]&return_url=https://www.[address removed].com/wp-admin/admin.php?page%3Dwc-settings%26tab%3Dcc_woo&callback_url=https://shoppingcart.constantcontact.com/auth/provider/woocommerce/callback?storeDomain%3Dhttps://www.[address removed].com%26nonce%3D[number removed] QUERY_STRING: app_name=Constant%20Contact&scope=read_write&user_id=[number removed]&return_url=https://www.[address removed].com/wp-admin/admin.php?page%3Dwc-settings%26tab%3Dcc_woo&callback_url=https://shoppingcart.constantcontact.com/auth/provider/woocommerce/callback?storeDomain%3Dhttps://www.[address removed].com%26nonce%3D[number removed] HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Thanks!
AITpro Admin (Keymaster):
The cause of the block is that the Query String is simulating an RFI hacking attempt. Do the steps below to fix this permanently. Note: I will add this fix in the Setup Wizard AutoFix feature for the Constant Contact plugin so that this fix will be created automatically by the BPS Setup Wizard in the next BPS/BPS Pro version.
1. Copy the modified BPS Query String Exploits below to this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
2. Click the Save Root Custom Code button.
3. Go to the BPS Setup Wizard page and run the Setup Wizard again.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
#RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
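As an added example (not BPS code and not from the thread), the Python below replays a constructed stand-in for the logged WooCommerce auth query string against a subset of the BPSQSE QUERY_STRING conditions, first with the original rules and then with the two URL-scheme conditions commented out as in the fix above. The user id, store domain and nonce in the sample are placeholders.

```python
import re

# Constructed stand-in for the logged REQUEST_URI query string; the user id,
# store domain and nonce are placeholders, not values from the thread.
AUTH_QS = (
    "app_name=Constant%20Contact&scope=read_write&user_id=123"
    "&return_url=https://www.example.com/wp-admin/admin.php?page%3Dwc-settings%26tab%3Dcc_woo"
    "&callback_url=https://shoppingcart.constantcontact.com/auth/provider/woocommerce/callback"
    "?storeDomain%3Dhttps://www.example.com%26nonce%3Dabc123"
)

# A subset of the BPSQSE "RewriteCond %{QUERY_STRING}" patterns as
# (name, pattern, case_insensitive); the Apache [NC] flag becomes re.IGNORECASE.
ORIGINAL_RULES = [
    ("param-equals-url", r"[a-zA-Z0-9_]=(http|https)://", True),
    ("dot-dot-traversal", r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", True),
    ("ftp-scheme", r"ftp\:", True),
    ("http-scheme", r"(http|https)\:", True),
    ("brackets", r"^.*(\(|\)|<|>|%3c|%3e).*", True),
    ("raw-bad-chars", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", True),
    ("system-paths", r"(\.{1,}/)+(motd|etc|bin)", True),
    ("loopback", r"(localhost|loopback|127\.0\.0\.1)", True),
    ("sql-file-keywords", r"(NULL|OUTFILE|LOAD_FILE)", False),
]

# The fix from the reply above: the two URL-scheme conditions are commented out,
# because the WooCommerce auth flow legitimately carries http(s) URLs as parameters.
FIXED_RULES = [r for r in ORIGINAL_RULES if r[0] not in ("param-equals-url", "http-scheme")]


def matching_rules(query_string, rules):
    """Names of the conditions that fire; any hit means 'RewriteRule ^(.*)$ - [F]' returns 403."""
    hits = []
    for name, pattern, nocase in rules:
        if re.search(pattern, query_string, re.IGNORECASE if nocase else 0):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("original:", matching_rules(AUTH_QS, ORIGINAL_RULES))  # only the two URL-scheme rules
    print("fixed:   ", matching_rules(AUTH_QS, FIXED_RULES))     # nothing fires, auth is allowed
    # The remaining conditions still catch the etc/passwd traversal pattern the rule set targets.
    print("traversal:", matching_rules("file=../../etc/passwd", FIXED_RULES))
```

The point the run makes is that the 403 came from a filter that treats any `param=http://` as remote file inclusion, and that dropping only those two conditions leaves the traversal, injection and loopback checks in force.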
OPTI PCSG (Participant):
Awesome! Worked like a charm. Thanks so much!
One last question: I noticed this after I ran the setup wizard
Your current Root .htaccess file is not locked. It is recommended that you lock your Root .htaccess file on the htaccess Core > htaccess File Editor page. Click the Lock htaccess File and Turn On AutoLock buttons on the htaccess File Editor page.
Again, sorry for the noob question but I’m assuming it’s okay to follow this instruction?
AITpro Admin (Keymaster):
For the BPS free plugin it is not important to lock the Root htaccess file. For BPS Pro it is definitely recommended that you lock your Root htaccess file. The reason for that is BPS Pro AutoRestore|Quarantine will autorestore and quarantine the Root htaccess file if plugins use the WordPress flush_rewrite_rules() function, which is a very common issue (problem).
OPTI PCSG (Participant):
Great. Thanks again for your help. Definitely a testament to the quality of BPS!
JAck (Participant):
[Edit by AITpro Admin – Use extreme caution when installing something on your phone that is not in the Apple Store or Google Play Store]
To ensure your email marketing campaigns are as effective as possible, consider incorporating tools like Constant Contact, but for those seeking enhanced photo editing capabilities for their marketing materials, exploring options like spam link can provide advanced solutions.
Otium (Participant):
If you're looking for an easy-to-use email marketing tool, Constant Contact is a great choice. It helps you create beautiful emails quickly, even if you're not a tech expert. Plus, it integrates smoothly with other tools you might be using. For a hassle-free experience on your PC, check out this handy tool: spam link. It makes everything even simpler!
Ellon Henry (Participant):
This app is a blast! spam link makes it so easy to send multiple messages at once. Perfect for harmless fun. I love using spam link TeraBox Mod APK! The premium features unlocked for free are a game-changer. It's super easy to back up my photos and videos. Need to spam link to JPG? Our tool delivers high-quality results in seconds. Try it now.
Rehana John (Participant):
Constant Contact is a great tool for managing email campaigns, but it's crucial to ensure you're not overwhelming your audience. Some users have reported issues with deliverability, often due to overuse or improper use of links. For instance, a spam link in your emails can significantly harm your sender reputation, leading to your messages landing in the junk folder. Always monitor your campaigns closely to maintain high engagement rates.
Remini (Participant):
Helpful post on managing email marketing! Alongside Constant Contact, using resources like these can enhance content quality, even when using apps like Remini Mod APK.
Remini (Participant):
Great insights on maintaining customer relationships through Constant Contact. If you're also into improving your visual content, you might find this helpful while working with Remini Mod APK.
Alight Motion (Participant):
Helpful discussion here! While exploring solutions for my email problems, I've also come across some great tools like Alight Motion Mod APK and this app for productivity.