ManageWP wp-admin 500 error

[Aventura]

Hi

I’m trying to use managewp.com on my wordpress network installation but BPS’s htaccess is creating 500 errors when trying to admin via ManageWP. They suggest whitelisting their IPs but I don’t know where to whitelist them (which htaccess file as it could be the general or wp-admin one) and then where in them I need to allow them access.

Surely this problem has occured to someone else, can anyone offer any suggestions?

Thanks

Aventura

[AITpro Admin]

First check the link below for Network/Multisite correct setup…

http://forum.ait-pro.com/forums/topic/read-me-first-free/#network-multisite

…then check your BPS Security log.  I believe ManageWP uses the UptimeRobot to check your site.  So you would need to whitelist the UptimeRobot in this security filter in your Root .htaccess file and add this HTTP USER AGENT line of code shown below.  Use the BPS built-in .htaccess editor on the htaccess File Editor tab page.

[code deleted – not relevant to solving the problem]

[Aventura]

I assume that for (.*uptimerobot.*) you mean for me to replace that with an IP so it looks like: (.*1.2.3.4*.)? If that is the case I can’t get the IP from the logs due to cloudflare (as you’ve seen on my other post). If that is not what you meant than the changes you suggest have unfortunately not worked

[AITpro Admin]

Nope, you would add the User Agent / Bot name – “uptimerobot”.  The reason for this is because they may have several different IP addresses and you would have to whitelist all of them.  If you use the uptimerobot User Agent / Bot name then this means that no matter what IP address is used the uptimerobot will always be whitelisted.

Try removing HEAD| next.  If that does not work then check your BPS Security log file and post the error directly related to ManageWP or the uptimerobot.  Please ONLY post the error directly related to this and NOT your entire Security Log file.

[Aventura]

OK, thought that might also be the case. I have tried both your suggestions but to no avail. Should I try them in the wp admin htaccess seen as the 500 error in managewp references its forbidden to access “/wp-admin/”?

P.S. Sorry for delay in response – accidentally closed the tab or something before hitting submit.

[AITpro Admin]

Check your BPS Security log file and post the error directly related to ManageWP or the uptimerobot.  Please ONLY post the error directly related to this and NOT your entire Security Log file.

[Aventura]

There is nothing in the log for any day that I’ve had managewp so cannot post a specific one. If it helps with other other potential problems/solutions I’ve attached an image of the exact error (OTT I know but its for clarity).
http: //img5.imageshack.us/img5/2774/managewp500error.png

 

[AITpro Admin]

Ok go to the BPS Security Modes page and deactivate wp-admin BulletProof Mode (Delete wp-admin htaccess File) and let me know if the error is still occurring.

[Aventura]

It still happens so I assume it must be the root .htaccess. Should I try just commenting out the requests method filtered and seeing if it works (I know it allows vulnerabilities but only for a min or two)?

[AITpro Admin]

What is more likely to be occurring is that since a remote website/domain is trying to access protected areas of your website then you would need to whitelist that remote website/domain.

But yes try removing HEAD next…

…Then try adding a plugin skip/bypass rule for ManageWP.  I have no idea what the folder name is for this plugin so enter that actual plugin folder name in this skip/bypass rule.

Copy and paste this .htaccess code below to Your Current Root htaccess File file using the built-in BPS File Editor.  As of BPS Pro 5.1.5 and BPS free .46.9 you can add personal plugin fixes to Custom Code to save them permanently. Copy this .htaccess code to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.  If your WordPress installation is in another folder then add that folder name.  Example:  /blog/wp-content/plugins/etc

# ManageWP skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/add-plugin-folder-name-here/ [NC]
RewriteRule . - [S=13]

[Aventura]

Well thats had some effect – it still errors out the same but it takes far longer. HEAD has added itself back due to using [obsolete-removed] so ill try removing that and maybe the combination will work

[Aventura]

Combination didnt work – neither did removing that section of the htaccess altogether

[AITpro Admin]

Yep, BPS .48.6 is scheduled for release today and it has new Custom Code text boxes for every section of both the Root and wp-admin .htaccess files so that you can keep your customizations permanently. Have you already confirmed that this issue/problem is being caused by BPS by doing the standard troubleshooting steps?

http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

[Aventura]

I’m not sure what .48.6 means for this thread as custom code is in .48.5 and seems to work as expected and as mentioed in your post.

Yes it is bulletproof htaccess files causing the issue: Default htacces (from BPS) = fine, Bulletproof on but wp admin off = broken, Both on = broken (obviously).

 

Side note: Twice I’ve tried to post in this thread and the page just refreshed and I lost my post (happened on this post and #6579)

[AITpro Admin]

Just pointing that .48.6 will have additional options for creating and saving custom code.  That of course does not pertain to whatever is causing this issue/problem.

Ok so the most logical thing is that since another website/domain is trying to access protected areas of your website then some sort of whitelist probably needs to happen.  It would be helpful if the ManageWP error actually had a useful error message instead of just a generic error code. Also it is odd that you are not seeing an error in your BPS Security log.  I assume that this is because you have another security plugin installed that is breaking BPS Security / Error logging.

To completely eliminate security filters comment out the entire section of BPSQSE code by adding a pound sign # in front of each line of code.

# BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Add or remove user agents temporarily or permanently from the first User Agent filter below.
# If you want a list of bad bots / User Agents to block then scroll to the end of this file.
#RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
...
...
...
#RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
#RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

Stop here and do not comment out this code below
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]

[Author]

Posts