How Do I Whitelist a whole plugin folder
Tagged: whitelist plugins folder
- This topic has 25 replies, 3 voices, and was last updated 11 years ago by AITpro Admin.
AITpro Admin (Keymaster):
“I noticed you got the UAEG status to display on. On my other sites i have activated the UAEG, but the display never showed it was on.” Do you have the S-Monitor option set to display the UAEG Status in your WP Dashboard? Display Status in WP Dashboard
Joshua Wilson (Participant):
cPanel keeps adding the rules. It's the redirect button, in the domain section of cPanel. When I changed the Display Status in WP Dashboard with S-Monitor, I saw it display on :) Have you had a chance to look on my site, and get the plugin whitelist working? How often is js hacked? Can I remove the string that blocks it from the plugin folder .htaccess? I have this code below in my server's main root. It may be blocking something. (You can delete this message later, if it's too long.)
# 5G BLACKLIST/FIREWALL (2013)
# @ http://perishablepress.com/5g-blacklist-2013/

# 5G:[QUERY STRINGS]
RewriteEngine On
RewriteBase /
# RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\./|`|=\'$|=%27$) [NC,OR]
RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|if) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
RewriteRule .* - [F]

# 5G:[USER AGENTS]
# SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
Order Allow,Deny
Allow from all
Deny from env=keep_out
Deny from 180.76.5.191

# 5G:[REQUEST STRINGS]
RedirectMatch 403 (https?|ftp|php)\://
RedirectMatch 403 /(https?|ima|ucp)/
RedirectMatch 403 /(Permanent|Better)$
# RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
# RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
# RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
# RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
#RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
RedirectMatch 403 \.well\-known/host\-meta
RedirectMatch 403 /function\.array\-rand
RedirectMatch 403 \)\;\$\(this\)\.html\(
RedirectMatch 403 proc/self/environ
RedirectMatch 403 msnbot\.htm\)\.\_
RedirectMatch 403 /ref\.outcontrol
# RedirectMatch 403 com\_cropimage
RedirectMatch 403 indonesia\.htm
# RedirectMatch 403 \{\$itemURL\}
RedirectMatch 403 function\(\)
RedirectMatch 403 labels\.rdf
RedirectMatch 403 /playing.php
RedirectMatch 403 muieblackcat
Joshua Wilson (Participant):
I also have this at the bottom of the server root .htaccess file.
# 5G:[WordPress]
RedirectMatch 403 /\$\&
RedirectMatch 403 (?i)/\&(t|title)=
RedirectMatch 403 (?i)/\.(bash|git|hg|log|svn|swp|tar)
RedirectMatch 403 (?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|tz|visit|webshell|wp-signup).php
RedirectMatch 403 (?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$
RedirectMatch 403 (?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)

# mini firewall 2012-11-13
#
# RedirectMatch 403 /(\{\$itemURL\}|administrator|#blogs/load/recent|default|register|signup|tools/quicklogin\.one|#undefined|WHMCS|YaBB\.cgi|YaBB\.pl)/?$
# RedirectMatch 403 /(curltest|join|join_form|member/join|mobiquo|#register|signup|tiki-register|ucp)\.php$
# SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot) keep_out
SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid) keep_out
SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder) keep_out
Order Allow,Deny
Allow from all
Deny from env=keep_out
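As an added example (not part of this thread, BPS Pro or the 5G blacklist itself), here is a small Python tester for a subset of the uncommented rules posted above: it reports which directive would answer 403 for a given path, query string and User-Agent, so a legitimate plugin script or site search that one of these rules happens to block can be found before the Plugin Firewall is blamed. The sample requests, the plugin folder name and the default User-Agent are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Subset of the uncommented RedirectMatch 403 rules posted above.
# mod_alias matches these (case-sensitive unless (?i)) against the decoded URL path.
REDIRECT_403 = [
    r"(https?|ftp|php)\://", r"/(https?|ima|ucp)/", r"/(Permanent|Better)$",
    r"/(contac|fpw|install|pingserver|register)\.php$",
    r"\.well\-known/host\-meta", r"/function\.array\-rand", r"proc/self/environ",
    r"labels\.rdf", r"/playing.php", r"muieblackcat",
    r"(?i)/\.(bash|git|hg|log|svn|swp|tar)",
    r"(?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|tz|visit|webshell|wp-signup).php",
    r"(?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)",
]
# Uncommented RewriteCond %{QUERY_STRING} patterns ([NC] = case-insensitive);
# any hit triggers "RewriteRule .* - [F]".
QUERY_403 = [
    r"(javascript:).*(\;)", r"(<|%3C).*script.*(>|%3)",
    r"(\\|\.\./|`|=\'$|=%27$)",
    r"(\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|if)",
    r"(base64_encode|localhost|mosconfig)", r"(boot\.ini|echo.*kae|etc/passwd)",
    r"(GLOBALS|REQUEST)(=|\[|%)",
]
# SetEnvIfNoCase User-Agent (...) keep_out, then "Deny from env=keep_out".
UA_KEEP_OUT = (r"(binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|"
               r"ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|"
               r"sucker|turnit|vikspider|zmeu)")


def blocking_rules(url, user_agent="Mozilla/5.0"):
    """Return the directives that would answer 403 for this request (empty = allowed)."""
    parts = urlsplit(url)
    path = unquote(parts.path)   # RedirectMatch sees the decoded path
    query = parts.query          # %{QUERY_STRING} is the raw, still-encoded query
    hits = ["RedirectMatch 403 " + p for p in REDIRECT_403 if re.search(p, path)]
    if any(re.search(p, query, re.IGNORECASE) for p in QUERY_403):
        hits.append("RewriteRule .* - [F]  (5G:[QUERY STRINGS])")
    if re.search(UA_KEEP_OUT, user_agent, re.IGNORECASE):
        hits.append("Deny from env=keep_out  (5G:[USER AGENTS])")
    return hits


if __name__ == "__main__":
    # Constructed requests: a WooCommerce front-end script (should pass), a script
    # from a plugin folder named shadowbox-js, and a site search for the word "editor".
    for u in ["/wp-content/plugins/woocommerce/assets/js/frontend/cart.min.js?ver=2.0",
              "/wp-content/plugins/shadowbox-js/src/shadowbox.js",
              "/?s=%22editor%22"]:
        print(u, "->", blocking_rules(u) or "allowed")
```

The second and third requests are blocked by the `/(...|shadow|...)` path rule and by the `or|if` alternation in the query-string rule, which is the kind of collateral the thread is asking about.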
Joshua Wilson (Participant):
I have 3 levels of .htaccess files.
I have a .htaccess file in the main server root, before the /www folder (mainly performance code). Then a .htaccess file after the /www & /html folder (performance and blocking rules).
Then I have one in my main domain root folder: WordPress installations (AutoMagic BP Pro).
Does this structure make sense to you? Is it too much on my server?
AITpro Admin (Keymaster):
The cPanel tool probably cannot be disabled either if it is designed like the broken cPanel HotLink Protection Tool, which cannot be disabled either because enable/disable is also broken in that Tool. You will need to contact your Host and ask them to disable this tool.
Your site is done and everything is working perfectly. You do have some WooCommerce php STRICT errors that are occurring and these are not related to BPS Pro in any way. They are very minor php errors, but they are a nuisance so contact WooCommerce and send them the php errors in your php error log file so they can take care of/fix this in WooCommerce.
js files are not targeted or attacked directly and are safe to whitelist. php files are targeted directly and the end result is that js files have code injected into them.
ARQ failsafe shutdown on wp-content folder issue/problem:
Your site did not have an index.php file in your wp-content folder. Either your index.php file has been removed/deleted from your wp-content folder or renamed by W3TC to index.html. Solution: I used the P-Security File Manager and Editor to create an index.php file in /bps-backup/autorestore/wp-content/index.php so that the ARQ failsafe check will not kick in.
I think the 5G code is fine and really do not have anything else to say about it. I do not like to be asked if something is good or bad and let people decide for themselves whether or not to use additional or custom .htaccess code. So no opinion on this. 😉
AITpro Admin (Keymaster):
Ideally you want to compartmentalize your security so yes your site structure and the method of where you are adding .htaccess file is correct and perfectly fine.
Each website root folder or other root folder (not individual subfolders, just the root folder) should have its own .htaccess file so that you can control .htaccess security for that specific folder. By doing this you can change security rules per directory as opposed to having to try and create rules in a master .htaccess file for child folders of the parent folder with 1 .htaccess file.
Visually this is what that best .htaccess site structure looks like.
/ root site has its own .htaccess file
/SiteA has its own .htaccess file
/SiteA/subfolderSiteA/ has its own .htaccess file.
And no, it is not too much for your Server. There is a minor performance hit per .htaccess file, but you are talking milliseconds. And to even see any sort of performance loss you would have to be using 100's of .htaccess files.
AITpro Admin (Keymaster):
Also I changed your Plugin Firewall plugin scripts rules for these plugins to only look at and whitelist js scripts in these folders instead of whitelisting from a top level plugin folder. This means that only essential frontloading js plugin scripts are being whitelisted and not all of the js scripts for these plugins.
/background-manager/resources/js/(.*).js, /woocommerce/assets/js/(.*).js
Joshua Wilson (Participant):
Thank you for your expertise, 🙂 I just started web development 2 years ago. I'm primarily on the business side.
When I do a speed test I still see that it's blocking the js.
http://tools.pingdom.com/fpt/#!/MyPlaaLw5/http://officesilk.com
AITpro Admin (Keymaster):
I am not sure what you are looking at on the speed test site, but doing a speed test is not the way to test for issues/problems. I do not see any problems when checking your site with Firefox with Firebug and FirePHP. Try using Firefox with Firebug and FirePHP installed to test for issues/problems, or use Google Chrome Tools >>> Developer Tools or JavaScript Console.
Joshua Wilson (Participant):
OK, thank you greatly. I've been looking at the error codes when I do speed tests.
AITpro Admin (Keymaster):
Yep, understandable, but what if BPS is blocking something that pingdom is doing to run the speed test? Then that would negate the result, because the issue is that whatever pingdom is doing is being blocked, and you would see that error and not necessarily an error that is occurring on your site. 😉 The Firefox and Google Chrome tools look at your site itself and are not testing for other things like pingdom is doing to run tests on your site. I am not really sure what pingdom does to perform its tests, so this is just a logical guess.