ManageWP wp-admin 500 error


This topic contains 39 replies, has 2 voices, and was last updated by  AITpro Admin 6 years, 4 months ago.

  • #6559

    Aventura
    Participant

    Hi

    I’m trying to use managewp.com on my WordPress network installation but BPS’s htaccess is creating 500 errors when trying to admin via ManageWP. They suggest whitelisting their IPs but I don’t know where to whitelist them (which htaccess file as it could be the general or wp-admin one) and then where in them I need to allow them access.

    Surely this problem has occurred to someone else, can anyone offer any suggestions?

    Thanks

    Aventura

    #6561

    AITpro Admin
    Keymaster

    First check the link below for Network/Multisite correct setup…

    http://forum.ait-pro.com/forums/topic/read-me-first-free/#network-multisite

    …then check your BPS Security log.  I believe ManageWP uses the UptimeRobot to check your site.  So you would need to whitelist the UptimeRobot in this security filter in your Root .htaccess file and add this HTTP USER AGENT line of code shown below.  Use the BPS built-in .htaccess editor on the htaccess File Editor tab page.

    [code deleted – not relevant to solving the problem]

    #6566

    Aventura
    Participant

    I assume that for (.*uptimerobot.*) you mean for me to replace that with an IP so it looks like: (.*1.2.3.4*.)? If that is the case I can’t get the IP from the logs due to Cloudflare (as you’ve seen on my other post). If that is not what you meant then the changes you suggest have unfortunately not worked.

    #6568

    AITpro Admin
    Keymaster

    Nope, you would add the User Agent / Bot name – “uptimerobot”.  The reason for this is because they may have several different IP addresses and you would have to whitelist all of them.  If you use the uptimerobot User Agent / Bot name then this means that no matter what IP address is used the uptimerobot will always be whitelisted.

    Try removing HEAD| next.  If that does not work then check your BPS Security log file and post the error directly related to ManageWP or the uptimerobot.  Please ONLY post the error directly related to this and NOT your entire Security Log file.

    #6579

    Aventura
    Participant

    OK, thought that might also be the case. I have tried both your suggestions but to no avail. Should I try them in the wp-admin htaccess seeing as the 500 error in ManageWP references it’s forbidden to access “/wp-admin/”?

    P.S. Sorry for delay in response – accidentally closed the tab or something before hitting submit.

    #6583

    AITpro Admin
    Keymaster

    Check your BPS Security log file and post the error directly related to ManageWP or the uptimerobot.  Please ONLY post the error directly related to this and NOT your entire Security Log file.

    #6596

    Aventura
    Participant

    There is nothing in the log for any day that I’ve had ManageWP so cannot post a specific one. If it helps with other potential problems/solutions I’ve attached an image of the exact error (OTT I know but it’s for clarity).
    http://img5.imageshack.us/img5/2774/managewp500error.png

     

    #6599

    AITpro Admin
    Keymaster

    Ok go to the BPS Security Modes page and deactivate wp-admin BulletProof Mode (Delete wp-admin htaccess File) and let me know if the error is still occurring.

    #6602

    Aventura
    Participant

    It still happens so I assume it must be the root .htaccess. Should I try just commenting out the requests method filtered and seeing if it works (I know it allows vulnerabilities but only for a min or two)?

    #6605

    AITpro Admin
    Keymaster

    What is more likely to be occurring is that since a remote website/domain is trying to access protected areas of your website then you would need to whitelist that remote website/domain.

    But yes try removing HEAD next…

    …Then try adding a plugin skip/bypass rule for ManageWP.  I have no idea what the folder name is for this plugin so enter that actual plugin folder name in this skip/bypass rule.

    Copy and paste this .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor.  As of BPS Pro 5.1.5 and BPS free .46.9 you can add personal plugin fixes to Custom Code to save them permanently. Copy this .htaccess code to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.  If your WordPress installation is in another folder then add that folder name.  Example:  /blog/wp-content/plugins/etc

    # ManageWP skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/add-plugin-folder-name-here/ [NC]
    RewriteRule . - [S=13]

    #6606

    Aventura
    Participant

    Well that’s had some effect – it still errors out the same but it takes far longer. HEAD has added itself back due to using [obsolete-removed] so I’ll try removing that and maybe the combination will work.

    #6607

    Aventura
    Participant

    Combination didn’t work – neither did removing that section of the htaccess altogether.

    #6608

    AITpro Admin
    Keymaster

    Yep, BPS .48.6 is scheduled for release today and it has new Custom Code text boxes for every section of both the Root and wp-admin .htaccess files so that you can keep your customizations permanently. Have you already confirmed that this issue/problem is being caused by BPS by doing the standard troubleshooting steps?

    http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    #6611

    Aventura
    Participant

    I’m not sure what .48.6 means for this thread as custom code is in .48.5 and seems to work as expected and as mentioned in your post.

    Yes it is bulletproof htaccess files causing the issue: Default htaccess (from BPS) = fine, Bulletproof on but wp admin off = broken, Both on = broken (obviously).

     

    Side note: Twice I’ve tried to post in this thread and the page just refreshed and I lost my post (happened on this post and #6579)

    #6612

    AITpro Admin
    Keymaster

    Just pointing out that .48.6 will have additional options for creating and saving custom code.  That of course does not pertain to whatever is causing this issue/problem.

    Ok so the most logical thing is that since another website/domain is trying to access protected areas of your website then some sort of whitelist probably needs to happen.  It would be helpful if the ManageWP error actually had a useful error message instead of just a generic error code. Also it is odd that you are not seeing an error in your BPS Security log.  I assume that this is because you have another security plugin installed that is breaking BPS Security / Error logging.

    To completely eliminate security filters comment out the entire section of BPSQSE code by adding a pound sign # in front of each line of code.

    # BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    #RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    ...
    ...
    ...
    #RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    #RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    
    Stop here and do not comment out this code below
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
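
An offline way to see which of the BPSQSE conditions quoted in the post above would reject a given request, instead of commenting the whole section out. This is an added example, not part of the original thread or of BPS: the function names are hypothetical, the sample requests are constructed, and only the four RewriteCond lines visible in the thread are evaluated (the rules elided with "..." are not).

```python
import re

# RewriteCond lines copied from the BPSQSE section quoted in the thread.
BPSQSE = r"""
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
"""

COND = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)\s+\[([A-Z,]+)\]$")

def parse_conditions(text):
    """Return (variable, compiled_pattern) for every active RewriteCond line."""
    conds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # commented-out rules are inactive
            continue
        m = COND.match(line)
        if m:
            flags = re.I if "NC" in m.group(3).split(",") else 0
            conds.append((m.group(1), re.compile(m.group(2), flags)))
    return conds

def blocking_conditions(conds, user_agent, query_string):
    """List (variable, matched_text) for each condition that would trigger [F].

    The quoted conditions are OR-chained, so one match is enough for a 403.
    QUERY_STRING is tested raw (not URL-decoded), as mod_rewrite does.
    """
    values = {"HTTP_USER_AGENT": user_agent, "QUERY_STRING": query_string}
    hits = []
    for var, pattern in conds:
        m = pattern.search(values.get(var, ""))
        if m:
            hits.append((var, m.group(0)))
    return hits

if __name__ == "__main__":
    conds = parse_conditions(BPSQSE)
    # Constructed sample requests: (User-Agent, raw query string)
    samples = [("Mozilla/5.0 (compatible; ExampleMonitor/1.0)", ""),
               ("python-requests/2.31.0", ""),
               ("Mozilla/5.0", "title=it%27s+an+update")]
    for ua, qs in samples:
        print(repr(ua), repr(qs), "->", blocking_conditions(conds, ua, qs) or "allowed")
```

The third sample shows a benign request being rejected: an encoded apostrophe followed later by the word "update" is enough to satisfy the third query-string condition.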