MainWP – WordPress Management System


Viewing 15 posts - 1 through 15 (of 17 total)
  • #11984
    Chris Moon
    Participant

    Ed,

    I have a lot of sites and am using the “MainWP” http://mainwp.com/ which is a self-hosted WP management system to update plugins, themes and WP.

    This is giving me problems with BPS Pro’s AutoRestore module which is quarantining updated files despite using the exclude filter for plugins and themes.

    Have searched through the forum and couldn’t find anything on this.
    How do I set up BPS Pro to work together with a WP management system?

    regards,
    Chris

    #11986
    AITpro Admin
    Keymaster

    Go to the Quarantine Log page, copy the entire contents of your Quarantine Log file and paste it into an email and send it to info [at] ait-pro [dot] com.

    #12019
    Chris Moon
    Participant

    Unfortunately I’ve already deleted my quarantine log file and fixed things manually.

    However as this is a reoccurring problem I’d like to send you the quarantine files next time there’s a plugin or theme update for advice on how to set up ARQ to prevent it happening in the future.

     

    #12023
    AITpro Admin
    Keymaster

    Actually this is not a problem.  Please read the ARQ Guide so that you have a full understanding of what ARQ is and how it works.

    AutoRestore/Quarantine Guide
    http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/

    You can create an AutoRestore exclude rule for the plugins folder and the themes folder so that ARQ will not check these folders.  For WordPress upgrades themselves you would need to turn Off ARQ and then manually back up files if you are allowing something external/remote to change/add/modify your website files.

    #12034
    AITpro Admin
    Keymaster

    Not sure if you are aware of this, but as of WordPress 3.7, WordPress automatically updates itself.  So using a remote management tool to update WordPress is not necessary.  As of BPS Pro 7.7, BPS Pro automatically turns Off ARQ, backs up all WordPress files and turns ARQ back On during WordPress automatic updates.  You can also set up WordPress to automatically update plugins and themes instead of using a remote management tool or you can of course choose to still use the remote management tool for plugins and themes.  The obvious solution for WordPress updates/upgrades is not to use MainWP for WordPress updates/upgrades.

    http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#automation

    #12075
    Chris Moon
    Participant

    Thanks Ed, appreciate your advice

    #22334
    Jan
    Participant

    [Topic has been merged into this relevant Topic]

    MainWP makes it possible to maintain WordPress websites from one location. This works fine even when autorestore is activated. Or should this not be possible? Furthermore I cannot update BPS from MainWP.

    #22338
    AITpro Admin
    Keymaster

    Updating plugins|plugin files remotely from the MainWP website should not cause a problem for your website.  I believe we have blocked BPS Pro upgrade installations from being installed remotely by any plugins that do remote installations. The reason for that is this:  The BPS Pro plugin is on our API server here:   api.ait-pro.com.  WordPress plugins are on the wordpress.org API server.  Trying to install things remotely from 3 different API servers (MainWP, wordpress.org and api.ait-pro.com) on the Internet is guaranteed to cause problems for your website.  The order of plugin installation is WordPress does their plugin installations first and then allows other plugin upgrades from other API servers to be installed.  The timing of BPS Pro plugin updates is critical.  BPS Pro should never be installed at the same time as other WordPress plugins.  BPS Pro should never be installed remotely using a remote installation plugin like MainWP.  BPS Pro should ONLY be updated|upgraded using the update now link on the WordPress Plugins page to ensure that there are no problems.

    #22341
    Jan
    Participant

    Thanks for your reply and helpful support!

    #22349
    rafaelmagic
    Participant

    I use MainWP.

    Disable automatic install of Bullet Pro. ARQ will quarantine itself and you will get 3,000 files in the quarantine. Ed disabled remote update. So not an issue. But disable automatic update for BPS Pro.

    You could exclude ARQ to stop checking the plugins folder. It will work. The only issue is that some plugins install files in different folders besides the plugin folder.

    For example the backup plugin Updraft Plus requires an exclude of the wp-content/updraft folder.

    So install a plugin the wp regular way and see if it's not quarantined before you use MainWP to install it on All your managed sites.

    MainWP will send you emails that a new version of BPS Pro is available. However you have to login to all your sites to update it. It’s actually better since the plugin has updates to the WAF/htaccess and bonus code.

    I did speak with Ed about a MainWP extension but that would be a security hole and potential risk and I agree with him.

    #22351
    AITpro Admin
    Keymaster

    @ rafaelmagic – very good advice.  A remote installation of files exactly simulates your website being hacked and files being added to your website.  So ARQ will do what it is designed to do and Quarantine those files since ARQ cannot tell if the remote file installation is legitimate or a hacker adding files on your website.

    #24553
    rafaelmagic
    Participant

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    MainWP Extensions fix if they are NOT updating in Dashboard. Some of the MainWP Extensions will NOT update till you apply the fix below. It has to do with the query_string |order| that is blocking the update from MainWP server. It's in the root .htaccess. The query string blocking the MainWP extensions update is below for reference. Look for |order|

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    

    APPLY THE FIX BELOW:

    1.  Copy the modified BPS Query String Exploits code below (order has been removed from the code below) to this BPS Root Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here 
    2.  Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # CUSTOM BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    #Removed Query String - order for MainWp Extensions
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
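
The effect of removing `order` from that one RewriteCond can be checked offline before the rule is activated. This is an added example, not part of the original post or the BPS code: it models only the single condition quoted above using Python's `re` module, and the query strings are constructed samples, not captured MainWP traffic.

```python
import re

# The page's last QUERY_STRING condition: a "trigger" character or escape,
# then anything, then one keyword. Copied from the rule quoted in the post.
PREFIX = r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"""
KEYWORDS_ORIGINAL = (r"(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|"
                     r"alter|declare|order|script|set|md5|benchmark|encode)")
# The modified rule from the post is identical except that "order" is gone.
KEYWORDS_MODIFIED = KEYWORDS_ORIGINAL.replace("|order", "")

# [NC] maps to IGNORECASE. RewriteCond patterns are unanchored, so search() is used.
# %{QUERY_STRING} is matched raw (not URL-decoded), so samples stay percent-encoded.
ORIGINAL = re.compile(PREFIX + KEYWORDS_ORIGINAL, re.IGNORECASE)
MODIFIED = re.compile(PREFIX + KEYWORDS_MODIFIED, re.IGNORECASE)


def blocked_by(rule, query_string):
    """Return the (trigger, keyword) pair that makes the rule match, or None."""
    m = rule.search(query_string)
    return (m.group(1), m.group(2)) if m else None


def diff_verdicts(queries):
    """Queries that the original rule blocks but the modified rule lets through."""
    return [q for q in queries if ORIGINAL.search(q) and not MODIFIED.search(q)]


# Constructed sample query strings (hypothetical parameter names).
SAMPLES = [
    "filter=%22name%22&order=asc",   # encoded quote followed later by "order"
    "orderby=date&order=desc",       # "order" alone, no trigger character
    "id=1%27+union+select+1",        # still caught after the change
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q!r}: original={blocked_by(ORIGINAL, q)} modified={blocked_by(MODIFIED, q)}")
    print("verdict changed for:", diff_verdicts(SAMPLES))
```

The second sample shows that `order` on its own never tripped this condition; it only matters when one of the trigger characters or escapes appears earlier in the same query string.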
    
    #26176
    alexb
    Participant

    [Topic has been split/moved to this relevant Topic]
    Thanks. I read through the link you posted for ARQ but it says that when manually updating plugins/themes, one still needs to click something for ARQ to resume properly.

    My question is: I’m managing my wordpress sites via the mainwp.com dashboard, which also handles updates of all sites. So when a plugin/theme is updated, I never have to manually log into the actual site (so I won’t be there to click a button for ARQ). Will everything still be updated correctly without getting quarantined this way?

    #26177
    AITpro Admin
    Keymaster

    See this forum topic for additional information about MainWP: http://forum.ait-pro.com/forums/topic/how-to-use-bps-pro-with-a-wp-management-system/

    Since MainWP is remotely installing files then this exactly simulates your website being hacked.

    Recommendations:  Create an AutoRestore folder exclude rule for your themes folder (see the AutoRestore|Quarantine Exclude Folders & Files Video Tutorial link below for how to do that).  Setup/allow WordPress automatic updates and do not do WordPress updates from MainWP.  BPS Pro AutoRestore automation automatically handles everything seamlessly for WordPress automatic updates (see the AutoRestore (ARQ) Automation link below for more information).  You can install plugin updates/upgrades from MainWP without having to do anything else/additional.  The /plugins/ folder is excluded by default since it is protected by the Plugin Firewall and not monitored by ARQ.

    AutoRestore|Quarantine Exclude Folders & Files Video Tutorial
    http://forum.ait-pro.com/video-tutorials/#autorestore-quarantine

    AutoRestore (ARQ) Automation
    http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#automation

    #26178
    alexb
    Participant

    Thanks for that! Hm, how do I turn on automatic WP updates? I did a bit of reading and seems like only minor updates are done automatically, but not core releases/big ones. For that I’d have to add this to wp-config.php: define( 'WP_AUTO_UPDATE_CORE', true ); Are there other ways to do this? Because I have like 50 sites or so, and editing the wp-config file for each manually…duh.
