MainWP – WordPress Management System

Home Forums BulletProof Security Pro MainWP – WordPress Management System

Viewing 15 posts - 1 through 15 (of 17 total)
  • Author
  • #11984
    Chris Moon


    I have a lot of sites and am using the “MainWP” which is a self-hosted WP management system to update plugins, themes and WP.

    This is giving me problems with BPS Pro’s AutoRestore module which is quarantining updated files despite using the exclude filter for plugins and themes.

    Have searched through the forum and couldn’t find anything on this.
    How do I set up BPS Pro to work together with a WP management system?


    AITpro Admin

    Go to the Quarantine Log page, copy the entire contents of your Quarantine Log file and paste it into an email and send it to info [at] ait-pro [dot] com.

    Chris Moon

    Unfortunately I’ve already deleted my quarantine log file and fixed things manually.

    However as this is a reoccurring problem I’d like to send you the quarantine files next time there’s a plugin or theme update for advice on how to set up ARQ to prevent it happening in the future.


    AITpro Admin

    Actually this is not a problem.  Please read the ARQ Guide so that you have a full understanding of what ARQ is and how it works.

    AutoRestore/Quarantine Guide

    You can create an AutoRestore exclude rule for the plugins folder and the themes folder so that ARQ will not check these folders.  For WordPress upgrades themselves you would need to turn Off ARQ and then manually back up files if you are allowing something external/remote to change/add/modify your website files.

    AITpro Admin

    Not sure if you are aware of this, but as of WordPress 3.7, WordPress automatically updates itself.  So using a remote management tool to update WordPress is not necessary.  As of BPS Pro 7.7, BPS Pro automatically turns Off ARQ, backs up all WordPress files and turns ARQ back On during WordPress automatic updates.  You can also setup WordPress to automatically update plugins and themes instead of using a remote management tool or you can of course choose to still use the remote management tool for plugins and themes.  The obvious solution for WordPress updates/upgrades is not to use MainWP for WordPress updates/upgrades.

    Chris Moon

    Thanks Ed, appreciate you advice


    [Topic has been merged into this relevant Topic]

    MainWP makes it possible to maintain WordPress websites from one location. This works fine even when autorestore is activated. Or should this not be possible? Furthermore I cannot update BPS from MainWP.

    AITpro Admin

    Updating plugins|plugin files remotely from the MainWP website should not cause a problem for your website.  I believe we have blocked BPS Pro upgrade installations from being installed remotely by any plugins that do remote installations. The reason for that is this:  The BPS Pro plugin is on our API server here:  WordPress plugins are on the API server.  Trying to install things remotely from 3 different API servers (MainWP, and on the Internet is guaranteed to cause problems for your website.  The order of plugin installation is WordPress does their plugin installations first and then allows other plugin upgrades from other API servers to be installed.  The timing of BPS Pro plugin updates is critical.  BPS Pro should never be installed at the same time as other WordPress plugins.  BPS Pro should never be installed remotely using a remote installation plugin like MainWP.  BPS Pro should ONLY be updated|upgraded using the update now link on the WordPress Plugins page to ensure that there are no problems.


    Thanks for your reply and helpful support!


    I use MainWP.

    Disable automatic install of Bullet Pro. ARQ will quarantine itself and you will get 3,000 files in the quarantine. Ed disabled remote update. So not an issue. But disable automatic update for BPS Pro.

    You could exclude ARQ to stop checking the plugins folder. It will work. The only issue is that some plugins install files in different folders besides the plugin folder.

    For example the backup plugin Updraft Plus requires a exlude of the wp-content/updraft folder.

    So install a plugin the wp regular way and see if its not quarantined before you use MainWP to install it on All your managed sites.

    MainWP will send you emails that a new version of BPS Pro is available. However you have to login to all your sites to update it. It’s actually better since the plugin has updates to the WAF/htaccess and bonus code.

    I did speak with Ed about a MainWP extension but that would be a security hole and potential risk and I agree with him.

    AITpro Admin

    @ rafaelmagic – very good advice.  A remote installation of files exactly simulates your website being hacked and files being added to your website.  So ARQ will do what it is designed to do and Quarantine those files since ARQ cannot tell if the remote file installation is legitimate or a hacker adding files on your website.


    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    MainWp Extensions fix if they are NOT updating in Dashboard. Some of the MainWp Extensions will NOT update till you apply the fix below. It has to do with the query_string  |order| that is blocking the update from MainWp server. Its in the root .htaccess. The query string blocking the MainWp extensions update is below for reference. Look for |order|

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]


    1.  Copy the modified BPS Query String Exploits code below (order has been removed from the code below) to this BPS Root Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here 
    2.  Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    #Removed Query String - order for MainWp Extensions
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]

    [Topic has been split/moved to this relevant Topic]
    Thanks. I read through the link you posted for ARQ but it says that when manually updating plugins/themes, one still needs to click something for ARQ to resume properly.

    My question is: I’m managing my wordpress sites via the dashboard, which also handles updates of all sites. So when a plugin/theme is updated, I never have to manually log into the actual site (so I won’t be there to click a button for ARQ). Will everything still be updated correctly without getting quarantined this way?

    AITpro Admin

    See this forum topic for additional information about MainWP:

    Since MainWP is remotely installing files then this exactly simulates your website being hacked.

    Recommendations:  Create a AutoRestore folder exclude rule for your themes folder (see the AutoRestore|Quarantine Exclude Folders & Files Video Tutorial link below for how to do that).  Setup/allow WordPress automatic updates and do not do WordPress updates from MainWP.  BPS Pro AutoRestore automation automatically handles everything seamlessly for WordPress automatic updates (see the AutoRestore (ARQ) Automation link below for more information).  You can install plugin updates/upgrades from MainWP without having to do anything else/additional.  The /plugins/ folder is excluded by default since it is protected by the Plugin Firewall and not monitored by ARQ.

    AutoRestore|Quarantine Exclude Folders & Files Video Tutorial

    AutoRestore (ARQ) Automation


    Thanks for that! Hm, how do I turn on automatic WP updates? I did a bit of reading and seems like only minor updates are done automatically, but not core releases/big ones. For that I’d have to add this to wp-config.php: define( 'WP_AUTO_UPDATE_CORE', true ); Are there other ways to do this? Because I have like 50 sites or so, and editing the wp-config file for each manually…duh.

Viewing 15 posts - 1 through 15 (of 17 total)
  • You must be logged in to reply to this topic.