Plugin Firewall Error: One or more of your Whitelist rules are not valid

[J Garner]

Hi,

I’m getting this message: Error: One or more of your Whitelist rules are not valid.

Is there not a way to see where the error is. I have about 30 entries on one site that has this error message, it would be really useful to have an idea of which one is not written correctly or where there is an issue, maybe highlighting the area that isn’t passing the check?

Thanks,

 

John

[AITpro Admin]

Interesting idea, but no that would not work.  That text area needs to be ONLY pure whitelist rules and CANNOT contain any additional formatting code.

Post your Whitelist rules and I will tell you what is invalid.

There are many different Whitelist rule errors that are checked.  Some error messages tell you exactly/specifically what is invalid and other error checking can only tell you that there is an error due to the wide range of possible errors that fall under that check.

[J Garner]

Here is an example set that is giving me an error:

/akismet/akismet.js, /foobox/js/(.*).js, /wooslider/assets/js/(.*).js, /jetpack/_inc/(.*).js, /contact-form-7/includes/js/(.*).js, /jetpack/modules/(.*).js, /white-label-branding/js/(.*).js, /login-ninja/wf-ln-captcha.php, /bulletproof-security/admin/js/(.*).js, /oa-social-login/assets/js/(.*).js, /js_composer/assets/(.*).js, /pinterest-rss-widget/(.*).js, /backupbuddy/js/js/(.*).js, /nextgen-gallery/js/(.*).js, /backupbuddy/js/(.*).js, /backupbuddy/pluginbuddy/js/(.*).js, /nivo-slider/scripts/nivo-slider/(.*).js, /nivo-slider/scripts/(.*).js, /nivo-slider/scripts/mce-nivoslider/(.*).js, /nivo-slider/scripts/plupload/(.*).js, /ubermenu-sticky/(.*).js, /ubermenu/core/js/(.*).js, /ubermenu/core/sparkoptions/js/colorpicker/js/(.*).js, /ubermenu/core/sparkoptions/(.*).js, /nrelate-related-content/admin/(.*).js, /special-recent-posts-pro/assets/js/(.*).js, /nrelate-related-content/related_settings/(.*).js, /paginator/js/(.*).js, /google-analytics-for-wordpress/js/(.*).js, /wordpress-seo/js/(.*).js, /wordpress-seo/css/xml-sitemap-xsl.php, /wysija-newsletters/mce/wysija_register/(.*).js, /wysija-newsletters/js/(.*).js, /mp6/components/responsive/js/(.*).js, /mp6/components/sticky-menu/(.*).js, /wysija-newsletters/js/tinymce/themes/advanced/link.htm(.*), /wysija-newsletters/js/tinymce/themes/advanced/source_editor.htm(.*), /simply-instagram/js/(.*).js, /simply-instagram/simply-instagram-media.php(.*), /instagram-image-gallery/js/(.*).js, /easy-wordpress-timeline/assets/js/(.*).js, /dpSocialTimeline/js/(.*).js(.*), /dpSocialTimeline/lib/user_timeline.php(.*), /smart-archives-reloaded/admin/(.*).js, /flare/js/(.*).js, /flare/js/jquery-minicolors/(.*).js, /flare/js/(.*).js(.*)

Is there a way in the case of Nivo slider to cover all these with just one?

/nivo-slider/scripts/nivo-slider/(.*).js, /nivo-slider/scripts/(.*).js, /nivo-slider/scripts/mce-nivoslider/(.*).js, /nivo-slider/scripts/plupload/(.*).js

Thanks

[AITpro Admin]

I see several js scripts that should not be in your Plugin Firewall Whitelist.  How did you get these plugin scripts?  Did you use the Plugin Firewall Test Mode or the Pro-Tools cURL Scanner tool or did you just manually enter any/all plugin js script names?

[AITpro Admin]

And yes I see several invalid rules.  Send me your website URL if you do not want to post it here and I will scan your site with the Pro-Tools cURL Multi page scanner and post your valid Plugin Firewall Whitelist rules here.

[J Garner]

This is actually a dev server so hidden behind a coming soon page but I’ll send you the live server site URL. I added some manually after they were flagged in the security log.

[AITpro Admin]

There is a known issue that causes backend js scripts to be seen as having a problem or needing to be whitelisted.  What causes this is putting the site in Plugin Firewall Test Mode and clicking back on any of your main pages while your site is in Test Mode instead of only doing testing in the Plugin Firewall Test Mode window.

Ok then just run the Pro-Tools cURL scanner on this Dev site to get ONLY valid plugin scripts.  Then post the results here.

[AITpro Admin]

Ok got the link to the site you emailed me and scanned the site with the Pro-Tools cURL Multi page scanner.  Here are your Plugin Firewall whitelist rules for that site.

/easy-pagination/js/eap.js, /wysija-newsletters/js/(.*).js, /ubermenu/core/js/(.*).js, /ubermenu-sticky/(.*).js, /fitvids-for-wordpress/(.*).js, /rigl-responsive-images/js/(.*).js, /foobox/js/(.*).js

[AITpro Admin]

When using Regex (.*) which means match anything you cannot end the condition with this because this means match anything to infinity that comes after this and that means you would not have a boundary / ending point.

Invalid

/flare/js/(.*).js(.*)

Valid

/flare/js/(.*).js

[J Garner]

What effect does having an error / incorrect rules actually have?

[AITpro Admin]

The problems can range from a particular/individual frontloading plugin not functioning correctly to all of your frontloading plugins not functioning. That would depend on where the invalid rule is.  Everything after an invalid rule negates/cancels out all following rules.  Another issue/problem that occurred in previous versions was that BPS Pro menus and all other jQuery features displayed broken.  We spent a lot of time adding tons of error checking code in BPS Pro 5.9 to eliminate somewhere around 99% of all known common issues/problems caused by invalid entries/invalid code and anything invalid in general.  All areas of BPS Pro had massive new error checking coding added.

BPS Pro 6.0 will have some really neat visual enhancements and super cool features, but we no longer announce coming features.  😉

[J Garner]

You’re such a tease 😉 Can’t wait now!

I did just get this error:

>>>>>>>>>>> 403 GET or Other Request Error Logged - juin 4, 2013 - 1:00 <<<<<<<<<<<
REMOTE_ADDR: [IP removed]
Host Name: [IP removed]
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: [IP removed]
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: [domain name removed]/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Foptions.php&settings-updated=true
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/js/bulletproof-security-admin-4.js?ver=3.5.1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36

Which is why I had added it to the firewall rules above. Is it OK to add it back?

[J Garner]

Just out of curiosity, when you said you saw plugins that shouldn’t be in the rules list. Could you give an example and explain why not just for my personal education 🙂

[J Garner]

I just added these as well since I was getting the same type of errors as above and putting them in the rules list stopped the above errors in the security log:

/nivo-slider/scripts/nivo-slider/(.*).js, /bulletproof-security/admin/js/(.*).js, /wordpress-seo/js/(.*).js

[AITpro Admin]

Akismet and BulletProof Security Pro do NOT have any frontloading js scripts.  You can add /bulletproof-security/admin/js/(.*).js to your Plugin Firewall Whitelist, but the new error checking code automatically strips this out of your actual Plugin Firewall .htaccess file because this is a mistake.  There are several other new error checking conditions that will prevent pretty much every mistake that is known.  Some cannot be automatically fixed and you will see errors instead that something is invalid.

[Author]

Posts