How Do I Whitelist a whole plugin folder

  • #4945
    AITpro Admin
    Keymaster

    “I noticed you got the UAEG status to display on. On my other sites I have activated the UAEG, but the display never showed it was on.” Do you have the S-Monitor option “Display Status in WP Dashboard” set to display the UAEG Status in your WP Dashboard?

    #4955
    Joshua Wilson
    Participant

    cPanel keeps adding the rules. It's the redirect button in the domain section of cPanel. When I changed the Display Status in WP Dashboard with S-Monitor, I saw it display on. :) Have you had a chance to look at my site and get the plugin whitelist working? How often is js hacked? Can I remove the string that blocks it from the plugin folder .htaccess? I have this code below in my server's main root. It may be blocking something. (You can delete this message later if it's too long.)

    # 5G BLACKLIST/FIREWALL (2013)
    # @ http://perishablepress.com/5g-blacklist-2013/
    # 5G:[QUERY STRINGS]
    RewriteEngine On
    RewriteBase /
    # RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\\|\.\./|`|=\'$|=%27$) [NC,OR]
    RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|if) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
    RewriteRule .* - [F]
    # 5G:[USER AGENTS]
    # SetEnvIfNoCase User-Agent ^$ keep_out
    SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
    Order Allow,Deny
    Allow from all
    Deny from env=keep_out
    Deny from 180.76.5.191
    # 5G:[REQUEST STRINGS]
    RedirectMatch 403 (https?|ftp|php)\://
    RedirectMatch 403 /(https?|ima|ucp)/
    RedirectMatch 403 /(Permanent|Better)$
    # RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
    # RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
    # RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
    RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
    # RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
    #RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
    RedirectMatch 403 \.well\-known/host\-meta
    RedirectMatch 403 /function\.array\-rand
    RedirectMatch 403 \)\;\$\(this\)\.html\(
    RedirectMatch 403 proc/self/environ
    RedirectMatch 403 msnbot\.htm\)\.\_
    RedirectMatch 403 /ref\.outcontrol
    # RedirectMatch 403 com\_cropimage
    RedirectMatch 403 indonesia\.htm
    # RedirectMatch 403 \{\$itemURL\}
    RedirectMatch 403 function\(\)
    RedirectMatch 403 labels\.rdf
    RedirectMatch 403 /playing.php
    RedirectMatch 403 muieblackcat

    #4956
    Joshua Wilson
    Participant

    I also have this at the bottom of the server root .htaccess file.

    # 5G:[WordPress]
    RedirectMatch 403 /\$\&
    RedirectMatch 403 (?i)/\&(t|title)=
    RedirectMatch 403 (?i)/\.(bash|git|hg|log|svn|swp|tar)
    RedirectMatch 403 (?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|tz|visit|webshell|wp-signup).php
    RedirectMatch 403 (?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$
    RedirectMatch 403 (?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)
    # mini firewall 2012-11-13
    #
    # RedirectMatch 403 /(\{\$itemURL\}|administrator|#blogs/load/recent|default|register|signup|tools/quicklogin\.one|#undefined|WHMCS|YaBB\.cgi|YaBB\.pl)/?$
    # RedirectMatch 403 /(curltest|join|join_form|member/join|mobiquo|#register|signup|tiki-register|ucp)\.php$
    #
    SetEnvIfNoCase User-Agent ^$ keep_out
    SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot) keep_out
    SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
    SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid) keep_out
    SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder) keep_out
    
    Order Allow,Deny
    Allow from all
    Deny from env=keep_out
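The 5G query-string conditions posted above are unanchored regexes that Apache ORs together, so the practical question for an admin is which of the site's own requests they match. The check below is an added example, not code from this thread or from BPS Pro: it loads the active 5G:[QUERY STRINGS] lines verbatim (the RedirectMatch and User-Agent rules are not modelled) and reports which line would return 403 for a set of constructed sample query strings.

```python
import re
from typing import Optional

# The active 5G:[QUERY STRINGS] conditions from the posted .htaccess, copied
# verbatim. Apache chains them with [OR], [NC] makes each one case-insensitive,
# and "RewriteRule .* - [F]" returns 403 as soon as any of them matches.
FIVE_G_QUERY_RULES = [
    r"(javascript:).*(\;)",
    r"(<|%3C).*script.*(>|%3)",
    r"(\\|\.\./|`|=\'$|=%27$)",
    r"(\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|if)",
    r"(base64_encode|localhost|mosconfig)",
    r"(boot\.ini|echo.*kae|etc/passwd)",
    r"(GLOBALS|REQUEST)(=|\[|%)",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in FIVE_G_QUERY_RULES]


def blocking_rule(query_string: str) -> Optional[str]:
    """Return the first 5G pattern that would 403 this query string, or None.

    Apache tests RewriteCond against the raw %{QUERY_STRING}, before any URL
    decoding, so pass the encoded form exactly as it appears on the wire.
    RewriteCond regexes are unanchored, hence re.search rather than re.match.
    """
    for pattern, regex in zip(FIVE_G_QUERY_RULES, COMPILED):
        if regex.search(query_string):
            return pattern
    return None


# Constructed sample query strings (not taken from the thread): the ?ver=
# cache-buster WordPress appends to plugin js, a WooCommerce add-to-cart
# request, a site search containing an apostrophe, and a traversal attempt.
SAMPLES = [
    "ver=3.5.1",                   # plugin js request: passes
    "add-to-cart=42&quantity=1",   # normal WooCommerce request: passes
    "s=it's+for+sale",             # apostrophe + "or" inside "for": false positive
    "s=it%27s+for+sale",           # same search, apostrophe encoded: not covered
    "file=../../etc/passwd",       # caught by the "../" rule first
]


def audit(samples=SAMPLES) -> dict:
    """Map each sample query string to the rule that blocks it (or None)."""
    return {q: blocking_rule(q) for q in samples}


if __name__ == "__main__":
    for q, rule in audit().items():
        print(f"{q!r:32} -> {('403 by ' + rule) if rule else 'allowed'}")
```

The plugin js request with its ?ver= cache-buster is not touched by any 5G query-string line, so whatever blocks js on the site is coming from somewhere else; the search example shows the kind of legitimate request the quote-plus-keyword line does reject.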

    #4959
    Joshua Wilson
    Participant

    I have 3 levels of .htaccess files.
    I have a .htaccess file in the main server root, before the /www folder (mainly performance code).

    Then .htaccess files after the /www & /html folders (performance and blocking rules).
    Then I have one in my main domain root folder, the WordPress installation (AutoMagic BP Pro).
    Does this structure make sense to you? Is it too much on my server?

    #4960
    AITpro Admin
    Keymaster

    The cPanel tool probably cannot be disabled if it is designed like the broken cPanel HotLink Protection Tool, which cannot be disabled because enable/disable is also broken in that tool. You will need to contact your Host and ask them to disable this tool.

    Your site is done and everything is working perfectly. You do have some WooCommerce php STRICT errors that are occurring, and these are not related to BPS Pro in any way. They are very minor php errors, but they are a nuisance, so contact WooCommerce and send them the php errors in your php error log file so they can take care of/fix this in WooCommerce.

    js files are not targeted or attacked directly and are safe to whitelist. php files are targeted directly, and the end result is that js files have code injected into them.

    ARQ failsafe shutdown on wp-content folder issue/problem:
    Your site did not have an index.php file in your wp-content folder. Either your index.php file has been removed/deleted from your wp-content folder or renamed by W3TC to index.html.

    Solution: I used the P-Security File Manager and Editor to create an index.php file in /bps-backup/autorestore/wp-content/index.php so that the ARQ failsafe check will not kick in.

    I think the 5G code is fine and really do not have anything else to say about it. I do not like to be asked if something is good or bad, and I let people decide for themselves whether or not to use additional or custom .htaccess code. So no opinion on this. 😉

    #4961
    AITpro Admin
    Keymaster

    Ideally you want to compartmentalize your security, so yes, your site structure and the method of where you are adding .htaccess files is correct and perfectly fine.

    Each website root folder or other root folder (not individual subfolders, just the root folder) should have its own .htaccess file so that you can control .htaccess security for that specific folder. By doing this you can change security rules per directory, as opposed to having to try and create rules in a master .htaccess file for child folders of the parent folder with 1 .htaccess file.

    Visually this is what that best .htaccess site structure looks like.

    / root site has its own .htaccess file
    /SiteA has its own .htaccess file
    /SiteA/subfolderSiteA/ has its own .htaccess file.

    And no, it is not too much for your Server. There is a minor performance hit per .htaccess file, but you are talking milliseconds. And to even see any sort of performance loss you would have to be using 100's of .htaccess files.

    #4969
    AITpro Admin
    Keymaster

    Also, I changed your Plugin Firewall plugin script rules for these plugins to only look at and whitelist js scripts in these folders instead of whitelisting from a top level plugin folder. This means that only essential frontloading js plugin scripts are being whitelisted and not all of the js scripts for these plugins.

    /background-manager/resources/js/(.*).js, /woocommerce/assets/js/(.*).js

    #4970
    Joshua Wilson
    Participant

    Thank you for your expertise. 🙂 I just started web development 2 years ago. I'm primarily on the business side.

    When I do a speed test, I still see that it's blocking the js.
    http://tools.pingdom.com/fpt/#!/MyPlaaLw5/http://officesilk.com

    #4974
    AITpro Admin
    Keymaster

    I am not sure what you are looking at on the speed test site, but doing a speed test is not the way to test for issues/problems. I do not see any problems when checking your site with Firefox with Firebug and Firephp. Try using Firefox with Firebug and Firephp installed to test for issues/problems, or use Google Chrome Tools >>> Developer Tools or JavaScript Console.

    #4978
    Joshua Wilson
    Participant

    OK, thank you greatly. I've been looking at the error codes when I do speed tests.

    #4979
    AITpro Admin
    Keymaster

    Yep, understandable, but what if BPS is blocking something that Pingdom is doing to run the speed test? Then that would negate the result, because the issue is that whatever Pingdom is doing is being blocked, and you would see that error and not necessarily an error that is occurring on your site. 😉 The Firefox and Google Chrome tools look at your site itself and are not testing for other things like Pingdom is doing to run tests on your site. I am not really sure what Pingdom does to perform its tests, so this is just a logical guess.
