Custom Applications outside of WordPress – 3rd Party Apps


This topic contains 12 replies, has 3 voices, and was last updated by  AITpro Admin 6 months, 4 weeks ago.

  • #13664

    AITpro Admin
    Keymaster

    For Custom Applications that are outside of WordPress – 3rd Party Applications (Apps) that are not WordPress plugins and are instead stand-alone PHP applications (3rd Party Apps) – you can either create a custom RewriteRule for the Custom Application’s folder or you can create a RewriteEngine Off .htaccess file in the Custom Application’s folder.

    Note:  This RewriteRule method can also be used for hosting accounts with multiple websites installed where a root htaccess file exists in the Document Root / Hosting account root folder (/public_html/)  and you do NOT want that root htaccess file to apply any of its rules to any of the child websites / child folders.  See this Forum Topic link for more information:  http://forum.ait-pro.com/forums/topic/htaccess-files-for-multiple-website-domains/

    Creating a custom RewriteRule for the Custom Application (3rd Party App):

    Note:  This example RewriteRule method shows Rewrite rules for the vTigerCRM and Piwik 3rd Party Applications.  You would replace the example folder name or names (piwik and/or crm) with your actual 3rd Party Application’s folder name.

    1. Go to the BPS htaccess File Editor page, click on the Your Current Root htaccess File tab, scroll down in your Root .htaccess file code until you see this .htaccess code below.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    2. Copy your # WP REWRITE LOOP START code to this BPS Root Custom Code text box:  CUSTOM CODE WP REWRITE LOOP START
    3. After you have copied your WP Rewrite Loop Start .htaccess code, add your Custom Application RewriteRule code.  Your code should look like this example below.  Remember to add the actual folder name for your 3rd Party Application.  The “piwik” and “crm” folder names are specifically for the vTigerCRM and Piwik 3rd Party Applications in this example.
    4. Click the Save Root Custom Code button.
    5. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # RewriteRule for Custom Apps outside of WP
    RewriteRule ^piwik/ - [L]
    RewriteRule ^crm/ - [L]

    Alternative Method

    Creating a RewriteEngine Off .htaccess file for the Custom Application (3rd Party App):

    1.  Create a text file in Notepad or Notepad++ (NOT WORD or WordPad) called securityoff.htaccess.  In that text file add this one line of .htaccess code below and nothing else in that file.

    RewriteEngine Off

    2.  Upload the securityoff.htaccess file to your 3rd Party app folder.  Once you have uploaded the file, rename it to just .htaccess – removing “securityoff” from the file name.

    #17321

    Gary M. Gordon
    Participant

    Thanks.
    I used the method “Creating a custom RewriteRule for the Custom Application (3rd Party App):” and it worked perfectly.
    Gary

    #34598

    Deb
    Participant

    I tried the above for my “amember” install, but no help. I am whitelisted everywhere in the system from all four VPS server areas down to all places throughout the installs that have anything to do with security. BPSP did not show me an IPv6, just the 4 normal octet type.

    I have an “amember” install in a folder outside the root wordpress.

    Whenever I attempt to delete a pending invoice in a user’s account, BPSP intercepts with a Forbidden 403 and my IP address.

    Here’s a Security log entry – they are always the same. It happened before and after I updated BPSP to 13.4 tonight.

    [403 GET Request: November 21, 2017 - 9:22 pm]
    BPS Pro: 13.4
    WP: 4.9
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: MY IP ADDRESS
    Host Name: MY CABLE HOSTNAME STUFF
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: MY IP ADDRESS
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://MYSITE.COM/amember/admin-user-payments/index/user_id/4
    REQUEST_URI: /amember/default/admin-payments/p/invoices/index?_invoice_a=delete&_invoice_b=https%3A%2F%2FMYSITE.COM%2Famember%2Fadmin-user-payments%2Findex%2Fuser_id%2F4%3F__cfduid%3Dd6025eb9f3cf19ad4781a5f2001e5557b1511053169%26wf_loginalerted_22ac0611da9079112889c19b5a3bb89e7a4a7f54ec63e327325116b231359f07%3Dbe453ead253dd2f1cb97b2812b22b0d17fe016623feed34ffe2d1cb822ad2d4d%26wf_loginalerted_97ceda04fd18d734299b39dfc7fc19586fd4ccd5a1b40a0a81ec22f1a0c30084%3D4b93e6662bb9516756ab0cfc5f9a8a8fe46cf7fd9f1e94168849c329cf29af4f%26am-menu%3Dusers%253Bconfiguration%26am-adv-fieldset%3Daddress_info%26wordpress_test_cookie%3DWP%2BCookie%2Bcheck%26PHPSESSID%3Dcb765200327c76c1ff8704c105676da1%26wordpress_logged_in_bd85fb53133be256f5c22bf3113367a8%3DMYWPADMINUSERNAME%257C1512539943%257C2o9cALWn15ndDUhI6GrgJsMuwTvZa6Cdr4kERCm02A7%257C539a589cbeeae0970f05363d8e421a9ae3a1c0ef0d9dff62086a2d3370038b2b%26wfwaf-authcookie-00220b2f1b8b24cf3c3867b2297dd90c%3D2%257Cadministrator%257C19f1ff2a7bbd5ca6ca4a439b63ba5699273ad4f452b0dbba1bfdddea05074a58%26wp-settings-2%3Deditor%253Dhtml%2526wplink%253D1%2526hidetb%253D1%2526libraryContent%253Dbrowse%2526imgsize%253Dmedium%2526align%253Dcenter%2526posts_list_mode%253Dlist%2526cats%253Dpop%26wp-settings-time-2%3D1511330346%26wfvt_2046501926%3D5a1541c0281ba%26sc_is_visitor_unique%3Drx3764096.1511336563.CC7F0278E57F4FEA3729736BB854D259.7.4.4.4.3.3.3.1.1-3763043.1511336563.7.4.4.4.3.3.3.1.1%26user_id%3D4&_invoice_id=5
    QUERY_STRING: _invoice_a=delete&_invoice_b=https%3A%2F%2FMYSITE.COM%2Famember%2Fadmin-user-payments%2Findex%2Fuser_id%2F4%3F__cfduid%3Dd6025eb9f3cf19ad4781a5f2001e5557b1511053169%26wf_loginalerted_22ac0611da9079112889c19b5a3bb89e7a4a7f54ec63e327325116b231359f07%3Dbe453ead253dd2f1cb97b2812b22b0d17fe016623feed34ffe2d1cb822ad2d4d%26wf_loginalerted_97ceda04fd18d734299b39dfc7fc19586fd4ccd5a1b40a0a81ec22f1a0c30084%3D4b93e6662bb9516756ab0cfc5f9a8a8fe46cf7fd9f1e94168849c329cf29af4f%26am-menu%3Dusers%253Bconfiguration%26am-adv-fieldset%3Daddress_info%26wordpress_test_cookie%3DWP%2BCookie%2Bcheck%26PHPSESSID%3Dcb765200327c76c1ff8704c105676da1%26wordpress_logged_in_bd85fb53133be256f5c22bf3113367a8%3DMYWPADMINUSERNAME%257C1512539943%257C2o9cALWn15ndDUhI6GrgJsMuwTvZa6Cdr4kERCm02A7%257C539a589cbeeae0970f05363d8e421a9ae3a1c0ef0d9dff62086a2d3370038b2b%26wfwaf-authcookie-00220b2f1b8b24cf3c3867b2297dd90c%3D2%257Cadministrator%257C19f1ff2a7bbd5ca6ca4a439b63ba5699273ad4f452b0dbba1bfdddea05074a58%26wp-settings-2%3Deditor%253Dhtml%2526wplink%253D1%2526hidetb%253D1%2526libraryContent%253Dbrowse%2526imgsize%253Dmedium%2526align%253Dcenter%2526posts_list_mode%253Dlist%2526cats%253Dpop%26wp-settings-time-2%3D1511330346%26wfvt_2046501926%3D5a1541c0281ba%26sc_is_visitor_unique%3Drx3764096.1511336563.CC7F0278E57F4FEA3729736BB854D259.7.4.4.4.3.3.3.1.1-3763043.1511336563.7.4.4.4.3.3.3.1.1%26user_id%3D4&_invoice_id=5
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

    #34608

    AITpro Admin
    Keymaster

    @ Deb – Go to the BPS Pro B-Core page > htaccess File Editor tab page > Your Current Root htaccess File tab > copy and paste your entire root htaccess file code so I can take a look at it.

    #34609

    Deb
    Participant

    # BULLETPROOF PRO 13.4 SECURE .HTACCESS
    
    # CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    # PHP/php.ini handler htaccess code
    suPHP_ConfigPath '/home/USERNAME/public_html'
    
    # BONUS CODE
    <IfModule mod_headers.c>
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>
    # END Protects against Drive-by Download attacks
    
    # TURN OFF YOUR SERVER SIGNATURE
    # Suppresses the footer line server version number and ServerName of the serving virtual host
    ServerSignature Off
    
    # DO NOT SHOW DIRECTORY LISTING
    # Disallow mod_autoindex from displaying a directory listing
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
    # and paste it into BPS Custom Code and comment out Options -Indexes
    # by adding a # sign in front of it.
    # Example: #Options -Indexes
    Options -Indexes
    
    # DIRECTORY INDEX FORCE INDEX.PHP
    # Use index.php as default directory index file. index.html will be ignored.
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
    # and paste it into BPS Custom Code and comment out DirectoryIndex
    # by adding a # sign in front of it.
    # Example: #DirectoryIndex index.php index.html /index.php
    DirectoryIndex index.php index.html /index.php
    
    # CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION
    # BONUS CODE ONLY ONE LOGIN ALLOWED
    # Protect wp-login.php from Brute Force Login Attacks based on IP Address
    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    # Add your website domain name
    Allow from MYSITE.COM
    # Add your website/Server IP Address
    Allow from SERVERNAME.COM
    Allow from vps.SERVERNAME.COM
    Allow from THE.SERVER.IP.ADDRESS
    Allow from THE.DEDICATED.IP.ADDRESS
    
    # Add your Public IP Address using 2 or 3 octets so that if/when
    # your IP address changes it will still be in your subnet range. If you
    # have a static IP address then use all 4 octets.
    # Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
    # Allow from 65.100.50.
    Allow from 50.80.0.235
    Allow from 99.45.177.197
    Allow from 75.36.111.148
    Allow from 173.10.19.86
    Allow from 162.40.247.73
    </FilesMatch>
    # END BONUS CODE SINGLE LOGIN
    
    # BPS PRO ERROR LOGGING AND TRACKING
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # BPS Pro has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and
    # 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors
    # that occur on your website. When a hacker attempts to hack your website the hackers IP address,
    # Host name, Request Method, Referering link, the file name or requested resource, the user agent
    # of the hacker and the query string used in the hack attempt are logged.
    # All BPS Pro log files are htaccess protected so that only you can view them.
    # The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/
    # The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors
    # after you install BPS Pro and have activated BulletProof Mode for your Root folder.
    # If you would like to log 404 errors you will need to copy the logging code in the BPS Pro 404.php file
    # to your Theme's 404.php template file. Simple instructions are included in the BPS Pro 404.php file.
    # You can open the BPS Pro 404.php file using the WP Plugins Editor or by using the BPS Pro File Manager.
    # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.
    
    ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    ErrorDocument 401 default
    ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php
    ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
    ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php
    
    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    
    # WP-ADMIN/INCLUDES
    # Use BPS Custom Code to remove this code permanently.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]
    
    # CUSTOM CODE WP REWRITE LOOP START
    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # RewriteRule for Custom Apps outside of WP
    RewriteRule ^amember/ - [L]
    
    # CUSTOM CODE REQUEST METHODS FILTERED
    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
    
    # PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES
    # To add plugin/theme skip/bypass rules use BPS Custom Code.
    # The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules.
    # The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9...
    # If you delete a skip rule, change the other skip rule numbers accordingly.
    # Examples: If RewriteRule [S=5] is deleted than change [S=6] to [S=5], [S=7] to [S=6], etc.
    # If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13]
    
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    
    # CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    #
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*MYSITE.COM.*
    RewriteRule . - [S=1]
    
    # CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # WP REWRITE LOOP END
    
    # CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES
    # DENY BROWSER ACCESS TO THESE FILES
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # To be able to view these files from a Browser, replace 127.0.0.1 with your actual
    # current IP address. Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
    # Note: The BPS System Info page displays which modules are loaded on your server.
    
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|\.user\.ini|readme\.html|bb-config\.php)">
    Order Allow,Deny
    Deny from all
    # Allow from 127.0.0.1
    Allow from 50.80.0.235
    Allow from 99.45.177.197
    Allow from 73.177.67.
    </FilesMatch>
    
    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # BONUS CODE
    # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
    # Block automated comment spambots using Server Protocol HTTP/1.0
    # All legitimate humans and bots should be using Server Protocol HTTP/1.1
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|/wp-comments-post\.php)$
    RewriteCond %{THE_REQUEST} HTTP/1\.0
    RewriteRule ^(.*)$ - [F,L]
    # END Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
    
    # BONUS CODE
    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Rewrites to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    # END WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    
    # BONUS CODE
    # XML-RPC DDoS PROTECTION
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    # Whitelist Jetpack/ Automattic CIDR IP Address Blocks
    Allow from 192.0.64.0/18
    Allow from 209.15.0.0/16
    Allow from 66.155.0.0/17
    Allow from 173.201.
    Allow from 73.177.67.78
    Allow from 50.80.0.235
    Allow from 99.45.177.
    Allow from 104.168.144.169
    Allow from 104.168.133.53
    Deny from all
    </FilesMatch>
    # END XML-RPC DDoS PROTECTION
    
    # BONUS CODE
    # Block/Forbid Referer Spammers/Referer Phishing
    RewriteCond %{HTTP_REFERER} ^.*(ranksonic\.|semalt\.|kambasoft\.|buttons-for-website\.).*$ [NC]
    RewriteRule ^(.*)$ - [F]
    # END Block/Forbid Referer Spammers/Referer Phishing

    #34610

    AITpro Admin
    Keymaster

    @ Deb – Your skip/bypass rule for amember looks fine and should be working > RewriteRule ^amember/ - [L]. Deactivate root BulletProof Mode, test deleting a pending invoice and let me know if the same problem occurs or not.  Are you using any caching plugins or CDN’s or Proxies or minification/compression plugins? For good measure clear your Browser and any caching plugins cache.

    Do you have any .htaccess files higher up in your hosting account directory structure?

    Example:
    /.htaccess – root hosting account folder
    /wordpress-site-folder/.htaccess

    #34614

    Deb
    Participant

    No — no .htaccess higher in the home directory. This wp is the root.

    Deactivated

    It now bounces me to a wordpress 404

    Not found, error 404

    The page you are looking for no longer exists. Perhaps you can return back to the site’s homepage and see if you can find what you are looking for. Or, you can try finding it with the information below.


    There is an .htaccess in the amember folder which comes with the package.

    #34616

    AITpro Admin
    Keymaster

    @ Deb – Ok then there is an underlying problem that exists and it appears that BPS is causing the problem or maybe 2 problems are occurring.  Do you have cPanel hosting?

    #34617

    Deb
    Participant

    Yes, normal linux, cPanel, WHM, etc. I’ll check again for whitelisting all on the server….

    Okay – I can’t even get to the VPS – I have a ticket in to Hosting. The new Security all the vps servers had added in the last month or so may have banned me. They will whitelist me and I’ll report back.

    It would go into the new Mod Security New Rules

    SecRule REMOTE_ADDR "@contains xyz.xyz.xyz.xyz" "id:?,phase:1,nolog,allow,ctl:ruleEngine=Off"
    Matching my IP and whatever id:?? is next in line.

    A ticket I had in to amember believes THAT is the problem. The system is using the BPSP 404 and 403 error pages by default.

    I’ll be back.

    #34618

    AITpro Admin
    Keymaster

    @ Deb – I have a hunch that this may be a Mod Security issue/problem that we are seeing a lot recently.  Log into your web host control panel and look for Mod Security and disable it temporarily for testing.

    #34619

    AITpro Admin
    Keymaster

    @ Deb – I see you added additional info to your last Reply.  So can you get into cPanel at all at this point?  And yep, BPS logs all errors whether or not BPS is causing an issue/problem – BPS Security logging is basically the same thing as web host server logging.

    #34620

    Deb
    Participant

    ModSecurity was it.

    Hosting wasn’t getting to me, so I found another IP to log into WHM and added the new Rule. All good, deleted the invoice.
    I had to add amember support’s Rule as well as they couldn’t even get into the system at all.

    Thank you very much as usual and I apologize for bothering you when it wasn’t BPSP! But now we all know.

    #34621

    AITpro Admin
    Keymaster

    @ Deb – all good and glad to help.  Glad you got it figured out.  I thought it was going to be Mod Security from the get go, but wanted to make sure BPS was not causing the root problem.  cPanel introduced a new Mod Security feature back in December/January of last year and for the last 11 months or so it has been causing a wide variety of problems.  😉
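Added example, not code from this thread or from BulletProof Security: a small Python check that does by script the two things this thread ended up doing by hand. It reads a root .htaccess and confirms that a custom-app passthrough rule such as `RewriteRule ^amember/ - [L]` sits before the `# BEGIN BPSQSE` filter block (mod_rewrite evaluates rules top to bottom and `[L]` ends the pass, so a passthrough placed after the `[F]` filters protects nothing), and it parses a BPS Security Log 403 entry and reports, when the requested folder is covered by a correctly placed passthrough rule, that the root .htaccess was not the blocker. That second part is the point made earlier in the thread: BPS logs every 403 the server returns, because its 403.php is the ErrorDocument, even when another layer such as ModSecurity produced it. The .htaccess fragment, the log entry, the hostname and the IP address 203.0.113.10 are constructed samples; only the section markers are taken from the htaccess listing posted above.

```python
import re

# Constructed sample: a trimmed root .htaccess in the layout BPS uses (section
# markers taken from the thread's listing; the rule bodies are shortened).
SAMPLE_HTACCESS = """\
# WP-ADMIN/INCLUDES
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F]

# CUSTOM CODE WP REWRITE LOOP START
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]

# RewriteRule for Custom Apps outside of WP
RewriteRule ^amember/ - [L]

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
RewriteCond %{QUERY_STRING} (http|https)\\: [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# WP REWRITE LOOP END
"""

# Constructed sample BPS Security Log entry (same field layout as the one in the
# thread; IP from the 203.0.113.0/24 documentation range, hostname made up).
SAMPLE_LOG_ENTRY = """\
[403 GET Request: November 21, 2017 - 9:22 pm]
BPS Pro: 13.4
WP: 4.9
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 203.0.113.10
Host Name: host.example.net
REQUEST_METHOD: GET
HTTP_REFERER: https://example.com/amember/admin-user-payments/index/user_id/4
REQUEST_URI: /amember/default/admin-payments/p/invoices/index?_invoice_a=delete&_invoice_id=5
QUERY_STRING: _invoice_a=delete&_invoice_id=5
"""

# Matches a passthrough rule of the form `RewriteRule ^folder/ - [L]`
PASSTHROUGH_RULE = re.compile(r"^RewriteRule\s+\^([A-Za-z0-9_.-]+)/\s+-\s+\[L\]\s*$")
FILTER_BLOCK_MARKER = "# BEGIN BPSQSE"


def find_passthrough_rules(htaccess_text):
    """Return {folder: line_number} for each `RewriteRule ^folder/ - [L]` in the file."""
    rules = {}
    for number, line in enumerate(htaccess_text.splitlines(), start=1):
        match = PASSTHROUGH_RULE.match(line.strip())
        if match:
            rules[match.group(1)] = number
    return rules


def passthrough_precedes_filters(htaccess_text, folder):
    """True when the passthrough rule for `folder` is placed before the BPSQSE block.

    mod_rewrite evaluates rules top to bottom and [L] ends the pass, so a
    passthrough rule only protects the folder if it comes before the [F] filters.
    """
    rules = find_passthrough_rules(htaccess_text)
    if folder not in rules:
        return False
    for number, line in enumerate(htaccess_text.splitlines(), start=1):
        if line.strip().startswith(FILTER_BLOCK_MARKER):
            return rules[folder] < number
    return True  # no filter block present, so ordering cannot be wrong


def parse_bps_log_entry(entry_text):
    """Turn one BPS Security Log entry into a dict of its `KEY: value` fields."""
    fields = {}
    for line in entry_text.splitlines():
        if line.startswith("[") or ":" not in line:
            continue  # the bracketed header line carries no field
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify_403(fields, htaccess_text):
    """Say whether the root .htaccess could have produced this 403.

    Returns "passthrough" when the request's top-level folder has a correctly
    placed passthrough rule (so the 403 came from another layer, e.g. ModSecurity,
    and BPS merely logged it because its 403.php is the ErrorDocument), otherwise
    "filtered" (the root .htaccess rules did apply to this request).
    """
    path = fields["REQUEST_URI"].split("?", 1)[0].lstrip("/")
    top_folder = path.split("/", 1)[0]
    if passthrough_precedes_filters(htaccess_text, top_folder):
        return "passthrough"
    return "filtered"


if __name__ == "__main__":
    entry = parse_bps_log_entry(SAMPLE_LOG_ENTRY)
    print("passthrough rules:", find_passthrough_rules(SAMPLE_HTACCESS))
    print("403 on", entry["REQUEST_URI"].split("?")[0], "->", classify_403(entry, SAMPLE_HTACCESS))
```

Run against a real root .htaccess and a pasted log entry, a "passthrough" result means the next place to look is the folder's own .htaccess, the web host's ModSecurity rules or any proxy in front of the server, which is the order of elimination the thread followed. The check only recognises the one-folder form `RewriteRule ^folder/ - [L]`; rules with other patterns or flags are ignored rather than guessed at.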
