Constant Contact


Viewing 9 posts - 1 through 9 (of 9 total)
    #40934
    OPTI PCSG
    Participant

    Hello–recently started working at a new job which has BPS free installed on a WordPress website.  I’m by no means an expert in security, but I’m trying to install a Woocommerce addon (constant-contact-woocommerce) that won’t allow me to ‘connect’ (authorize) the main Constant Contact website via the account.  It gives a BPS 403 page.

    I have solved the problem by disabling Root Folder BulletProof Mode (RBM), authorizing the plugin to link to the website and then re-enabling it. Then it works fine… for a few days.   Then it is disconnected and I have to do the same thing again: disable the plugin, reactivate, turn off RBM, re-link and then I get another few days of usage.  I’m not even sure this is BPS blocking it.

    I’ve tried whitelisting it, but I’m probably doing it wrong.  Is there any idea on how I can run both BPS and the Constant Contact plugin together on the site?   I imagine there are some .htaccess rules involved, but again, I’m really out of my depth.  Sorry if I am being vague or confusing.

    I’d like to leave BPS installed if I could, though.

    Thanks,

    Jeff

    #40935
    AITpro Admin
    Keymaster

    Go to the BPS Security Log page > copy any 403 log entries that could be related to the Constant Contact plugin and paste them in your forum reply.  Is the plugin the official Constant Contact plugin > Constant Contact + WooCommerce > https://wordpress.org/plugins/constant-contact-woocommerce/

    I just checked to see if anyone else is running into connection problems and several people are stating that the connection works then doesn’t work randomly > https://wordpress.org/support/plugin/constant-contact-woocommerce/reviews/

    #40938
    AITpro Admin
    Keymaster

    I’ll test the Constant Contact plugin later today on a WooCommerce site.

    #40939
    OPTI PCSG
    Participant

    Hi–thanks so much for getting back to me.

    Yes, that is the plugin–and yes, there are a lot of issues, unfortunately.  (My bosses would rather keep the account though, so I’m trying to work with it.)

    Anyhow, I looked for the security log and it wasn’t configured.  I’ve set that up and reproduced the error and this appeared in the log:

    [403 GET Request: 24th November 2021 - 10:06 am]
    BPS: 5.4
    WP: 5.8.2
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: [ip removed]
    Host Name: [ip removed]
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wc-auth/v1/authorize?app_name=Constant%20Contact&scope=read_write&user_id=[number removed]&return_url=https://www.[address removed].com/wp-admin/admin.php?page%3Dwc-settings%26tab%3Dcc_woo&callback_url=https://shoppingcart.constantcontact.com/auth/provider/woocommerce/callback?storeDomain%3Dhttps://www.[address removed].com%26nonce%3D[number removed]
    QUERY_STRING: app_name=Constant%20Contact&scope=read_write&user_id=[number removed]&return_url=https://www.[address removed].com/wp-admin/admin.php?page%3Dwc-settings%26tab%3Dcc_woo&callback_url=https://shoppingcart.constantcontact.com/auth/provider/woocommerce/callback?storeDomain%3Dhttps://www.[address removed].com%26nonce%3D[number removed]
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

    Thanks!

    #40940
    AITpro Admin
    Keymaster

    The cause of the block is that the Query String is simulating an RFI hacking attempt.  Do the steps below to fix this permanently.  Note: I will add this fix in the Setup Wizard AutoFix feature for the Constant Contact plugin so that this fix will be created automatically by the BPS Setup Wizard in the next BPS/BPS Pro version.

    1. Copy the modified BPS Query String Exploits below to this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Setup Wizard page and run the Setup Wizard again.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
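To see why the logged request tripped the filter and to confirm the relaxed rule set still catches other query-string patterns, here is an added example (not code from the thread or from the BPS plugin) that re-applies a subset of the RewriteCond patterns above to a constructed copy of the WooCommerce auth query string; the store domain, user id and nonce are placeholders, and the only rules treated as disabled are the two URL-scheme patterns that appear commented out in the block above.

```python
import re

# Subset of the BPS "QUERY STRING EXPLOITS" RewriteCond patterns quoted in
# this thread, as (name, pattern, case_insensitive). Apache's [NC] flag maps
# to re.IGNORECASE. %{QUERY_STRING} is matched raw (not URL-decoded), so the
# patterns are applied to the encoded string exactly as the BPS log shows it.
BPS_QS_RULES = [
    ("rfi_param_url", r"[a-zA-Z0-9_]=(http|https)://", True),
    ("url_scheme", r"(http|https)\:", True),
    ("traversal", r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", True),
    ("script_tag", r"(\<|%3C).*script.*(\>|%3E)", True),
    ("sqli_union_select", r"union([^s]*s)+elect", True),
    ("meta_chars", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", True),
]

# The two rules that appear commented out ('#') in the admin's posted block.
DISABLED_BY_FIX = {"rfi_param_url", "url_scheme"}

def matching_rules(query_string, rules=BPS_QS_RULES, disabled=frozenset()):
    """Return the names of the active rules that fire on this query string."""
    hits = []
    for name, pattern, nocase in rules:
        if name in disabled:
            continue
        flags = re.IGNORECASE if nocase else 0
        if re.search(pattern, query_string, flags):
            hits.append(name)
    return hits

def is_blocked(query_string, disabled=frozenset()):
    """The chained RewriteRule ... [F] answers 403 if any active condition matches."""
    return bool(matching_rules(query_string, disabled=disabled))

# Constructed stand-in for the logged WooCommerce auth request (placeholder
# store domain, user id and nonce; the structure follows the BPS log entry).
CC_AUTH_QS = (
    "app_name=Constant%20Contact&scope=read_write&user_id=12345"
    "&return_url=https://www.example.com/wp-admin/admin.php?page%3Dwc-settings%26tab%3Dcc_woo"
    "&callback_url=https://shoppingcart.constantcontact.com/auth/provider/woocommerce/callback"
    "?storeDomain%3Dhttps://www.example.com%26nonce%3Dabc123"
)

if __name__ == "__main__":
    print("default rules :", matching_rules(CC_AUTH_QS))  # the two URL rules fire -> 403
    print("after the fix :", matching_rules(CC_AUTH_QS, disabled=DISABLED_BY_FIX))  # []
    # A path-traversal style query string is still caught with those two rules off.
    print("traversal     :", matching_rules("file=../../etc/passwd", disabled=DISABLED_BY_FIX))
```

The `return_url=https://` and `callback_url=https://` parameters are exactly the shape the RFI pattern `[a-zA-Z0-9_]=(http|https)://` targets, which is why an entirely legitimate OAuth-style redirect looked like an attack to the filter.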

    #40941
    OPTI PCSG
    Participant

    Awesome!  Worked like a charm.  Thanks so much!

    One last question:  I noticed this after I ran the setup wizard

    Your current Root .htaccess file is not locked. It is recommended that you lock your Root .htaccess file on the htaccess Core > htaccess File Editor page. Click the Lock htaccess File and Turn On AutoLock buttons on the htaccess File Editor page.

    Again, sorry for the noob question but I’m assuming it’s okay to follow this instruction?

    #40942
    AITpro Admin
    Keymaster

    For the BPS free plugin it is not important to lock the Root htaccess file.  For BPS Pro it is definitely recommended that you lock your Root htaccess file.  The reason for that is BPS Pro AutoRestore|Quarantine will autorestore and quarantine the Root htaccess file if plugins use the WordPress flush_rewrite_rules() function, which is a very common issue (problem).

    #40943
    OPTI PCSG
    Participant

    Great.  Thanks again for your help.  Definitely a testament to the quality of BPS!

    #43556
    JAck
    Participant

    [Edit by AITpro Admin – Use extreme caution when installing something on your phone that is not in the Apple Store or Google Play Store]
    To ensure your email marketing campaigns are as effective as possible, consider incorporating tools like Constant Contact, but for those seeking enhanced photo editing capabilities for their marketing materials, exploring options like Remini Mod APK can provide advanced solutions.
