Plugin Firewall Error: One or more of your Whitelist rules are not valid


This topic contains 14 replies, has 2 voices, and was last updated by  AITpro Admin 6 years, 6 months ago.

  • #6588

    J Garner
    Participant

    Hi,

    I’m getting this message: Error: One or more of your Whitelist rules are not valid.

    Is there not a way to see where the error is? I have about 30 entries on one site that has this error message; it would be really useful to have an idea of which one is not written correctly or where there is an issue, maybe highlighting the area that isn’t passing the check?

    Thanks,

     

    John

    #6594

    AITpro Admin
    Keymaster

    Interesting idea, but no, that would not work.  That text area needs to be ONLY pure whitelist rules and CANNOT contain any additional formatting code.

    Post your Whitelist rules and I will tell you what is invalid.

    There are many different Whitelist rule errors that are checked.  Some error messages tell you exactly/specifically what is invalid and other error checking can only tell you that there is an error due to the wide range of possible errors that fall under that check.

    #6629

    J Garner
    Participant

    Here is an example set that is giving me an error:

    /akismet/akismet.js, /foobox/js/(.*).js, /wooslider/assets/js/(.*).js, /jetpack/_inc/(.*).js, /contact-form-7/includes/js/(.*).js, /jetpack/modules/(.*).js, /white-label-branding/js/(.*).js, /login-ninja/wf-ln-captcha.php, /bulletproof-security/admin/js/(.*).js, /oa-social-login/assets/js/(.*).js, /js_composer/assets/(.*).js, /pinterest-rss-widget/(.*).js, /backupbuddy/js/js/(.*).js, /nextgen-gallery/js/(.*).js, /backupbuddy/js/(.*).js, /backupbuddy/pluginbuddy/js/(.*).js, /nivo-slider/scripts/nivo-slider/(.*).js, /nivo-slider/scripts/(.*).js, /nivo-slider/scripts/mce-nivoslider/(.*).js, /nivo-slider/scripts/plupload/(.*).js, /ubermenu-sticky/(.*).js, /ubermenu/core/js/(.*).js, /ubermenu/core/sparkoptions/js/colorpicker/js/(.*).js, /ubermenu/core/sparkoptions/(.*).js, /nrelate-related-content/admin/(.*).js, /special-recent-posts-pro/assets/js/(.*).js, /nrelate-related-content/related_settings/(.*).js, /paginator/js/(.*).js, /google-analytics-for-wordpress/js/(.*).js, /wordpress-seo/js/(.*).js, /wordpress-seo/css/xml-sitemap-xsl.php, /wysija-newsletters/mce/wysija_register/(.*).js, /wysija-newsletters/js/(.*).js, /mp6/components/responsive/js/(.*).js, /mp6/components/sticky-menu/(.*).js, /wysija-newsletters/js/tinymce/themes/advanced/link.htm(.*), /wysija-newsletters/js/tinymce/themes/advanced/source_editor.htm(.*), /simply-instagram/js/(.*).js, /simply-instagram/simply-instagram-media.php(.*), /instagram-image-gallery/js/(.*).js, /easy-wordpress-timeline/assets/js/(.*).js, /dpSocialTimeline/js/(.*).js(.*), /dpSocialTimeline/lib/user_timeline.php(.*), /smart-archives-reloaded/admin/(.*).js, /flare/js/(.*).js, /flare/js/jquery-minicolors/(.*).js, /flare/js/(.*).js(.*)

    Is there a way in the case of Nivo slider to cover all these with just one?

    /nivo-slider/scripts/nivo-slider/(.*).js, /nivo-slider/scripts/(.*).js, /nivo-slider/scripts/mce-nivoslider/(.*).js, /nivo-slider/scripts/plupload/(.*).js

    Thanks

    #6631

    AITpro Admin
    Keymaster

    I see several js scripts that should not be in your Plugin Firewall Whitelist.  How did you get these plugin scripts?  Did you use the Plugin Firewall Test Mode or the Pro-Tools cURL Scanner tool or did you just manually enter any/all plugin js script names?

    #6633

    AITpro Admin
    Keymaster

    And yes I see several invalid rules.  Send me your website URL if you do not want to post it here and I will scan your site with the Pro-Tools cURL Multi page scanner and post your valid Plugin Firewall Whitelist rules here.

    #6634

    J Garner
    Participant

    This is actually a dev server so hidden behind a coming soon page but I’ll send you the live server site URL. I added some manually after they were flagged in the security log.

    #6636

    AITpro Admin
    Keymaster

    There is a known issue that causes backend js scripts to be seen as having a problem or needing to be whitelisted.  What causes this is putting the site in Plugin Firewall Test Mode and clicking back on any of your main pages while your site is in Test Mode instead of only doing testing in the Plugin Firewall Test Mode window.

    Ok then just run the Pro-Tools cURL scanner on this Dev site to get ONLY valid plugin scripts.  Then post the results here.

    #6638

    AITpro Admin
    Keymaster

    Ok got the link to the site you emailed me and scanned the site with the Pro-Tools cURL Multi page scanner.  Here are your Plugin Firewall whitelist rules for that site.

    /easy-pagination/js/eap.js, /wysija-newsletters/js/(.*).js, /ubermenu/core/js/(.*).js, /ubermenu-sticky/(.*).js, /fitvids-for-wordpress/(.*).js, /rigl-responsive-images/js/(.*).js, /foobox/js/(.*).js
    #6640

    AITpro Admin
    Keymaster

    When using Regex (.*), which means match anything, you cannot end the condition with this, because this means match anything to infinity that comes after this, and that means you would not have a boundary / ending point.

    Invalid

    /flare/js/(.*).js(.*)

    Valid

    /flare/js/(.*).js
    #6642

    J Garner
    Participant

    What effect does having an error / incorrect rules actually have?

    #6643

    AITpro Admin
    Keymaster

    The problems can range from a particular/individual frontloading plugin not functioning correctly to all of your frontloading plugins not functioning. That would depend on where the invalid rule is.  Everything after an invalid rule negates/cancels out all following rules.  Another issue/problem that occurred in previous versions was that BPS Pro menus and all other jQuery features displayed broken.  We spent a lot of time adding tons of error checking code in BPS Pro 5.9 to eliminate somewhere around 99% of all known common issues/problems caused by invalid entries/invalid code and anything invalid in general.  All areas of BPS Pro had massive new error checking coding added.

    BPS Pro 6.0 will have some really neat visual enhancements and super cool features, but we no longer announce coming features.  😉

    #6645

    J Garner
    Participant

    You’re such a tease 😉 Can’t wait now!

    I did just get this error:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - juin 4, 2013 - 1:00 <<<<<<<<<<<
    REMOTE_ADDR: [IP removed]
    Host Name: [IP removed]
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: [IP removed]
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: [domain name removed]/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Foptions.php&settings-updated=true
    REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/js/bulletproof-security-admin-4.js?ver=3.5.1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36

    Which is why I had added it to the firewall rules above. Is it OK to add it back?

    #6647

    J Garner
    Participant

    Just out of curiosity, when you said you saw plugins that shouldn’t be in the rules list, could you give an example and explain why not, just for my personal education? 🙂

    #6648

    J Garner
    Participant

    I just added these as well since I was getting the same type of errors as above and putting them in the rules list stopped the above errors in the security log:

    /nivo-slider/scripts/nivo-slider/(.*).js, /bulletproof-security/admin/js/(.*).js, /wordpress-seo/js/(.*).js
    #6649

    AITpro Admin
    Keymaster

    Akismet and BulletProof Security Pro do NOT have any frontloading js scripts.  You can add /bulletproof-security/admin/js/(.*).js to your Plugin Firewall Whitelist, but the new error checking code automatically strips this out of your actual Plugin Firewall .htaccess file because this is a mistake.  There are several other new error checking conditions that will prevent pretty much every mistake that is known.  Some cannot be automatically fixed and you will see errors instead that something is invalid.
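
An added example (not part of the thread and not BPS Pro's own error checking): a small Python linter that reports which entries of a comma-separated whitelist hit the two mistakes named in the replies above, a rule ending in `(.*)` and a rule for Akismet or BulletProof Security, which have no frontloading js scripts. The sample rules are copied from the list posted earlier; `full_match`, the sample paths and the anchored-match behaviour are assumptions for illustration, since the thread does not show how the rules are applied in the Plugin Firewall .htaccess file.

```python
import re

# Constructed sample: a few rules copied from the list posted in this thread.
SAMPLE = ("/akismet/akismet.js, /foobox/js/(.*).js, "
          "/bulletproof-security/admin/js/(.*).js, "
          "/dpSocialTimeline/js/(.*).js(.*), /flare/js/(.*).js, "
          "/flare/js/(.*).js(.*)")

# Plugins the thread says have no frontloading js scripts.
NO_FRONTEND_JS = ("akismet", "bulletproof-security")


def lint_whitelist(text):
    """Return (position, rule, reason) for each rule the thread calls a mistake."""
    findings = []
    rules = [r.strip() for r in text.split(",") if r.strip()]
    for pos, rule in enumerate(rules, start=1):
        # "/flare/js/(.*).js(.*)" is invalid: no boundary / ending point.
        if rule.endswith("(.*)"):
            findings.append((pos, rule, "ends with (.*): no ending boundary"))
        # First path segment is the plugin folder name.
        plugin = rule.lstrip("/").split("/", 1)[0]
        if plugin in NO_FRONTEND_JS:
            findings.append((pos, rule, f"{plugin} has no frontloading js"))
    return findings


def full_match(rule, path):
    """Assumption: evaluate the rule as a regex anchored over the whole path."""
    return re.fullmatch(rule, path) is not None


if __name__ == "__main__":
    for pos, rule, reason in lint_whitelist(SAMPLE):
        print(f"rule {pos}: {rule} -> {reason}")
    # Constructed paths: the trailing (.*) widens the rule past ".js".
    for rule in ("/flare/js/(.*).js", "/flare/js/(.*).js(.*)"):
        print(rule, full_match(rule, "/flare/js/app.js.bak"))
```

Running it over the full list posted earlier in the thread also flags the `.htm(.*)` and `.php(.*)` entries, which end in `(.*)` in the same way.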
