MemberPress plugin htaccess code

Home Forums BulletProof Security Pro MemberPress plugin htaccess code

Tagged: 

  • This topic has 33 replies, 3 voices, and was last updated 2 weeks ago by bill.
Viewing 15 posts - 16 through 30 (of 34 total)
  • Author
    Posts
  • #4030
    J Garner
    Participant

    BTW: Just came across this, they actually recommend BPS over at MemberPress as it seems that a product called WordPress Firewall is incompatible: http: //www.memberpress.com/user-manual/known-incompatibilities/

    Edit: Well, they recommend BulletProof Security and with the above it seems they can add BPS Pro ūüôā

    #4031
    AITpro Admin
    Keymaster

    The extra “account” skip/bypass rule would not be necessary since you are already skipping/bypassing the entire /memberpress/ folder, which I assume has something to do with the /account/ folder?

    LOL – 2 sets of eyes are always better than 1. ¬†ūüėČ

    Yeah WordPress Firewall seems to be abandoned. ¬†In any case, AutoRestore/Quarantine is that plugin plus lots more all rolled into one BPS Pro feature. ¬†ūüėČ

    #4447
    AITpro Admin
    Keymaster

    Email Reply:

    Wow … that is a super-complex .htaccess file … hahaha.

    I think your problem is here:

    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/memberpress/ [NC]
    RewriteRule . - [S=13]

    I think that whoever added this rule mis-interpreted what MemberPress is trying to do with its rules. This directive tells apache that if a url matches something under the memberpress plugin directory to skip the BPS rules and go to the MemberPress rules. This means that any other urlbase such as “^/module-[\d]*/min-newsletter-support/. *” won’t ever be matched … and that it completely breaks the ability for MemberPress to protect files.

    You have 2 options here:
    1. Put the Actual MemberPress rules here instead of this skip directive … I’m assuming that if this happens then BPS may break though … so I have a less desirable second alternative:
    2. Every-time you add a rule in MemberPress to protect a custom uri … you’ll need to add the same rule in this directive … like so:

    RewriteCond %{REQUEST_URI} ^/module-[\d]*/min-newsletter-support/. * [NC]
    RewriteRule . - [S=13]

    Then if you added an additional custom uri rule … say it was for “^/wp-content/cool_files/*.zip” or something .. you’d just add another line in your .htaccess in addition to the rule:

    RewriteCond %{REQUEST_URI} ^/module-[\d]/min-newsletter-support/. * [NC]
    RewriteCond %{REQUEST_URI} ^/wp-content/cool_files/.zip [NC]
    RewriteRule . - [S=13]

    I haven’t really used the skip directive before … so I’m not sure what it counts as a directive (to determine how many directives to skip) so you may still have issues with this approach … so whoever you got to add the skip rule may need to troubleshoot accordingly.

    #4448
    AITpro Admin
    Keymaster

    Ok now I understand better what MemberPress is doing.  This is pretty much the same thing as what the S2Member plugin does and the solution is very similar.

    http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#S2Member

    The only additional thing you would need to add to the conditions would be the [OR] flag between multiple conditions. The last condition does NOT contain an [OR] flag because there would not be any more “or” conditions since the last condition is the final condition. You would add this code to Custom Code plugin fixes text box. I imagine you will probably have relatively few URI’s to add so this will not be that big of a deal and you would just update your Custom Code and activate a new Root .htaccess file each time you have a new URI to add.

    RewriteCond %{REQUEST_URI} ^/another-example-path/another-example/. * [NC,OR]
    RewriteCond %{REQUEST_URI} ^/module-[\d]/min-newsletter-support/. * [NC,OR]
    RewriteCond %{REQUEST_URI} ^/wp-content/cool_files/.zip [NC]
    RewriteRule . - [S=13]
    #4453
    J Garner
    Participant

    I see. Does that mean that each time there is a new structure to protect, that it needs to be obviously first created in MemberPress and then added manually via the custom code system of BPS Pro in the “CUSTOM CODE PLUGIN FIXES” or can that work with variables / regex, like in MemberPress?

    And with regards to the rules, if I have say

    http://www.domainname.com/courses/first_course_name
    http://www.domainname.com/courses/second_course_name
    
    and
    
    http://www.domainname.com/lessons/a_lesson_name/
    http://www.domainname.com/lessons/another_lesson_name/
    
    then
    
    http://www.domainname.com/quizzes/first_quiz_name/
    http://www.domainname.com/quizzes/second_quiz_name/
    
    I have some zip and (Word) doc files that are accessible via the above pages but are in:
    http://www.domainname.com/wp-content/uploads/2013/04

    Would the rules I need be:

    RewriteCond %{REQUEST_URI} ^/courses/. * [NC,OR]
    RewriteCond %{REQUEST_URI} ^/lessons/. * [NC,OR]
    RewriteCond %{REQUEST_URI} ^/quizzes/. * [NC,OR]
    RewriteCond %{REQUEST_URI} ^/uploads/2013/([0-9]+)/.zip [NC,OR]
    RewriteCond %{REQUEST_URI} ^/uploads/2013/([0-9]+)/.doc [NC]
    RewriteRule . - [S=13]

    I also get the impression that the BPS Pro UAEG system needs to be modified to allow access to these upload folders. Would that be the same if I created a folder in the uploads folder say for example:
    http: //www.domainname.com/wp-content/uploads/drop_files/

    adding:

    RewriteCond %{REQUEST_URI} ^/uploads/drop_files/.zip [NC,OR]
    RewriteCond %{REQUEST_URI} ^/uploads/drop_files/.doc [NC]

    One final question was about the about the rule and the names of the zip or doc files. I would have wanted to put a star for the name of the zip or doc file so for:
    http: //www.domainname.com/wp-content/uploads/drop_files/my_zip_file_name.zip
    I wanted to put

    RewriteCond %{REQUEST_URI} ^/uploads/drop_files/*.zip [NC,OR]

    Why isn’t the star required?

    Thanks

    #4455
    AITpro Admin
    Keymaster

    Yes, you can use Regular Expressions (Regex) to simplify the whole whitelisting/skip/bypass process.  Your code looks good and just needs a little tweaking.  Your uploads folder has the UAEG .htaccess file in it so since .htaccess files are hierachical/recursive then you would need to do whatever pertains to the uploads folder in the uploads folder .htaccess file.  Typically you only need to remove .zip and .doc file extensions from the list of file extensions in the FilesMatch code.  If this is not working then something else is going on that is not obvious at the surface.  For example MemberPress is simulating a hacking attempt against your site when retrieving image files.  This is a fairly common issue/problem.  I would need to see the full URL to an image file to be able to tell if that is the problem that is occurring.

    Corrected code…

    RewriteCond %{REQUEST_URI} ^/courses/(.*).doc$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/lessons/(.*).zip$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/quizzes/(.*).pdf$ [NC]
    RewriteRule . - [S=13]

    The much simpler approach for creating an upload folder that you do not want UAEG to monitor/protect is to add a RewriteEngine Off .htaccess file in that custom folder.

    http://forum.ait-pro.com/forums/topic/rewriteengine-off-htaccess-file/

    Regex (.*) means match anything and can be used anywhere. ¬†dots . should technically always be escaped if you want the literal dot to be looked at instead of Regex special meaning of dot, but I sometimes do not bother with that. ūüėČ

    so technically you are supposed to do this \.zip to be technically code correct to match 1 dot and zip.

    RewriteCond %{REQUEST_URI} ^/uploads/drop_files/(.*).zip$ [NC] means match any filename with a zip file extension in the /uploads/drop_files/ folder.

    Since the best thing to do in this case is to add a RewriteEngine Off .htaccess file in this folder to simplify things then you would not be creating rules for this anyway.

    #4456
    AITpro Admin
    Keymaster

    CORRECTION:   You would have to include the file extension to make these valid conditions ( has also been corrected above in the previous post).

    RewriteCond %{REQUEST_URI} ^/courses/(.*).doc$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/lessons/(.*).zip$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/quizzes/(.*).pdf$ [NC]
    RewriteRule . - [S=13]

    Or you can probably just do this.

    RewriteCond %{REQUEST_URI} ^/courses/ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/lessons/ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/quizzes/ [NC]
    RewriteRule . - [S=13]
    #4460
    AITpro Admin
    Keymaster

    Another approach would be to treat the URI’s as if they were a 3rd party app URI/folder/URL. ¬†You would add RewriteRules that would go directly to these folders without being processed through the root .htaccess security filters.

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # RewriteRule for Custom Apps outside of WP
    RewriteRule ^courses/ - [L]
    RewriteRule ^lessons/ - [L]
    RewriteRule ^quizzes/ - [L]
    
    #4469
    J Garner
    Participant

    I have now got memberpress working from what I can tell.

    With regards to the uploads folder where I have files (zip,doc,pdf), where would I need to look to get allow files to be downloaded. Is that the same for uploading to the uploads folder and clients that download from the uploads folder?

    First I had this:

    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    Order Deny,Allow
    Deny from all
    #Allow from example.com

    I now have this code at the moment in the uploads htaccess file from looking in the “htaccess File Editor” tab at the “Your current Uploads htaccess file” section

    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    Order Deny,Allow
    Deny from all
    #Allow from example.com

    The allow p.jwpcdn.com is for the Flash SWF file for the LongTail Video player, fall back with MP4 for non HTML5 video compliant browsers like FireFox but I think I remember you saying I would need to use an IP address for this?

    However I can’t see in there anything that refers to Zip, doc or PDF files. I can see gz, jar, tar, rar… but not the ones I need. How is it that the zip file I just tested is being blocked?

    What I did to test with this and that I found weird:
    1) I modified the above to not include swf (+ a few other html ones) and as indicated I can’t see zip in there anyway
    2) I then activated in “Security Modes” the Bullet Proof mode for “Activate Uploads Anti-Exploit Guard htaccess Security Mode”
    3) I then tried to download my zip file but I get “403 Forbidden Error Page”
    4) I deleted the htaccess file in the “wp-content/uploads” file having checked that it was the correct one with the modified code as above beforehand.
    5) I then tried to download my zip file again with no htaccess file in place but I still get “403 Forbidden Error Page”

    So is there a file somewhere else higher up in the folder structure, on a par with how CSS works, that is telling the browser that this folder is in 403 status?

    PS: the code I inserted to illustrate the htaccess file code in question just gets deleted when I update the post!

    #4473
    AITpro Admin
    Keymaster

    I had already created a separate Forum post for this question since it is a different question.  See the explanation and solution in this Forum link below.
    http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-whitelist-domain-or-website/

    #7083
    AITpro Admin
    Keymaster

    Edit|Update: 11-18-2020
    MemberPress htaccess code help info: https://docs.memberpress.com/article/179-understanding-rewrite-rules
    MemberPress additional help info about protecting files: https://docs.memberpress.com/article/156-protecting-files
    Note from MemberPress: “Though these instructions are still valid, we have since released the MemberPress Downloads Add-on which is a much easier way of uploading and protecting your files.”

    EDIT|Updated:  8-2016 РMemberPress htaccess code has changed a bit.  The newer htaccess code and steps to add the MemberPress htaccess code to BPS Root Custom Code are below.

    1. Go to the BPS htaccess File Editor page, click on the Your Current Root htaccess File tab, scroll down in your Root .htaccess file code until you see this .htaccess code below.

    Important Note: If you have a WordPress Network|Multisite website type then your WP REWRITE LOOP START code is going to look different. Do not use this example code below for either a standard single WordPress site type of a Network|Multisite site type. Use your actual htaccess code in your BPS Root htaccess file.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    2. Copy your # WP REWRITE LOOP START code to this BPS Root Custom Code text box:  CUSTOM CODE WP REWRITE LOOP START

    3. Copy your actual MemberPress htaccess code (the MemberPress htaccess code below is example code) that you see in your root htaccess file and add it after the WP REWRITE LOOP START htaccess code in the CUSTOM CODE WP REWRITE LOOP START text box.  Your code should look similar to the example code below.
    4. Click the Save Root Custom Code button.
    5. Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # BEGIN MemberPress Rules
    <IfModule mod_rewrite.c>
    
    RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
    RewriteCond /path/for/your/website/wp-content/uploads/mepr/rules/%1 -f
    RewriteRule ^(.*)$ - [L]
    
    RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)
    RewriteCond %{REQUEST_URI} \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8|ZIP|GZ|TAR|RAR|DOC|DOCX|XLS|XLSX|XLSM|PDF|MP4|M4V|MP3|TS|KEY|M3U8)$
    RewriteRule . /wp-content/plugins/memberpress/lock.php [L]
    
    </IfModule>
    # END MemberPress Rules

    __________ Older Info below РDo not use this info below ____________
    This topic went way too deep. ¬†The answer was really simple. ¬†For each member URL that you want protected you would add each URL. ¬†The last URL example-url-3 does NOT contain the “OR” flag because it is the last URL.

    # BEGIN MemberPress Rules
    RewriteRule memberpress\/lock\.php$ - [L]
    RewriteCond %{REQUEST_URI} ^/example-url-1/ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/example-url-2/ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/example1-url-3/ [NC]
    RewriteCond %{REQUEST_URI} !\.(php|phtml|jpg|jpeg|gif|css|png|js|ico|PHP|PHTML|JPG|JPEG|GIF|CSS|PNG|JS|ICO)
    RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-login.php|wp-comments-post.php|xmlrpc.php)
    RewriteRule . /wp-content/plugins/memberpress/lock.php [L]
    # END MemberPress Rules

    Or another way to have an “or” condition is to use the pipe operator |.

    # BEGIN MemberPress Rules
    RewriteRule memberpress\/lock\.php$ - [L]
    RewriteCond %{REQUEST_URI} ^(/example-url-1/|/example-url-2/|/example-url-3/) [NC]
    RewriteCond %{REQUEST_URI} !\.(php|phtml|jpg|jpeg|gif|css|png|js|ico|PHP|PHTML|JPG|JPEG|GIF|CSS|PNG|JS|ICO)
    RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-login.php|wp-comments-post.php|xmlrpc.php)
    RewriteRule . /wp-content/plugins/memberpress/lock.php [L]
    # END MemberPress Rules

    …or you can put the starting and trailing forward slash outside of the group ( ), which means each “or” condition starts and ends with a forward slash. ¬†Also the [NC] flag means not case sensitive so you can simplify/shorten the file extensions/types condition by adding [NC] as shown below. ¬†And some other minor technical corrections were made.

    # BEGIN MemberPress Rules
    RewriteRule memberpress/lock\.php$ - [L]
    RewriteCond %{REQUEST_URI} ^/(example-url-1|example-url-2|example-url-3)/ [NC]
    RewriteCond %{REQUEST_URI} !^\.(php|phtml|jpg|jpeg|gif|css|png|js|ico) [NC]
    RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-login\.php|wp-comments-post\.php|xmlrpc\.php)
    RewriteRule . /wp-content/plugins/memberpress/lock.php [L]
    # END MemberPress Rules
    #40680
    bill
    Participant

    Greetings and thanks AITPro for your years of service and ingenuity. I had two (2) quick questions pertaining to MemberPress. 1) I read the updated approach outline above but when I reach the step (included below), I did not see the MemberPress .htaccess code in my .htacess file. This is the step I’m referencing:

    3. Copy your actual MemberPress htaccess code (the MemberPress htaccess code below is example code) that you see in your root htaccess file and add it after the WP REWRITE LOOP START htaccess code in the CUSTOM CODE WP REWRITE LOOP START text box. 

    Is this still relative now?

    Lastly, when testing the client’s site I was able to subscribe, but when I attempted to log in I received an “ERROR: Incorrect CAPTCHA Entered.” Although, I did activate Google’s reCAPTCHA via DIVI’s Contact Form module to protect the contact form from bots, outside of the little tab in the bottom right corner, there is no CAPTCHA window, image or equation to enter or solve. That said, I couldn’t log in. So, I brought this to MemberPress support and they blamed my security plugin (BPS Pro). I responded with a screenshot of what it looks like when BPS Pro prevents access to something (403 Forbidden Error), but they didn’t respond just yet. So, in the meantime, I thought I’d verify with your offices, in the event that BPS Pro may be blocking something.

    Please advise and thank you.

    -Bill

    #40681
    AITpro Admin
    Keymaster

    See this MemberPress help page regarding MemberPress htaccess code > https://docs.memberpress.com/article/179-understanding-rewrite-rules. Read the help text at the top of that page.  Sounds like you will need to turn Off BPS Pro JTC Anti-Spam|Anti-hacker, which is a CAPTCHA feature.  You may also need to turn Off BPS Pro Login Security & Monitoring if MemberPress is already handling login processing.

    #40682
    bill
    Participant

    Thank you for the insight. So, if I disable these features, will the site be “less secure” or more vulnerable to compromise? I always double-down on everything with BPS Pro (login security, Brute Force log-in code, etc.), so I apologize for the question– just want to make sure that the site will still be protected as people begin entering passwords, etc. into these fields.

    #40684
    AITpro Admin
    Keymaster

    @ bill – Your additional “edit” has been deleted per your request. I will respond directly via email to your additional “edit”.

    It is fairly common that membership Plugins or Themes override BPS JTC and Login Security features because the WordPress Login and Registration pages only have a couple of Hooks (Actions and Filters) for login processing.¬† Only 1 plugin or theme can use the login processing Hooks at a time.¬† Membership Plugins and Themes typically offer their own login processing protection for that reason.¬† MemberPress has a CAPTCHA add-on called MemberPress Match CAPTCHA > https://memberpress.com/add-ons/math-captcha/.¬† CAPTCHA’s block bots from auto-registering and auto-logins.¬† I assume MemberPress has it’s own built-in Login Security features.

Viewing 15 posts - 16 through 30 (of 34 total)
  • You must be logged in to reply to this topic.