Incapsula – Error: Your Whitelist rules have a /bulletproof-security/admin/js/ script whitelisted


Viewing 15 posts - 1 through 15 (of 35 total)
  • #33476
    Living Miracles
    Participant

    Hi,

    On my multisite (i-am-one.net), I just updated BPS Pro to version 13. Since then, I’ve gotten a massive amount of Security Log entries. Here is one (all the others are very similar to this one):

    [405 HEAD Request: June 28, 2017 - 10:10 am]
    BPS Pro: 13
    WP: 4.8
    Event Code: PFWR-PSBR-HPRA-HEAD
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 198.143.33.41
    Host Name: 198.143.33.41.ip.incapdns.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 69.162.124.236
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: http://suzanne.i-am-one.net
    REQUEST_URI: /wp-content/plugins/bulletproof-security/405.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

    I also went to the PFW settings and noticed an error:
    Error: Your Whitelist rules have a /bulletproof-security/admin/js/ script whitelisted
    The bulletproof-security plugin js scripts should NOT be whitelisted. Click on the Plugin Firewall Whitelist Tools accordion tab and correct/fix any invalid plugin whitelist rules in the Plugins Script|File Whitelist Text Area.
    Delete the bulletproof-security js script(s) and click the Save Whitelist Options button and activate the Plugin Firewall again.
    Valid plugin Whitelist rules MUST use ONLY this Format: /plugin-folder-name/plugin-script.js, /plugin-folder-name/(.*).js. Plugin paths/scripts are separated by a comma and a single space.

    Here are the Whitelist Rules currently in that box:

    /akismet/_inc/akismet.js, /akismet/_inc/form.js, /async-javascript/js/admin.js, /autoptimize/classes/external/js/jquery.cookie.min.js, /autoptimize/classes/external/js/unslider-min.js, /autoptimize/classes/static/toolbar.js, /captcha/bws_menu/js/bws_tooltip.js, /captcha/bws_menu/js/c_o_o_k_i_e.js, /captcha/bws_menu/js/general_script.js, /captcha/bws_menu/js/shortcode-button.js, /captcha/js/front_end_script.js, /contact-form-7/includes/js/scripts.js, /facebook-button-plugin/bws_menu/js/general_script.js, /facebook-button-plugin/bws_menu/js/shortcode-button.js, /facebook-button-plugin/js/script.js, /google-calendar-events/assets/js/admin-add-calendar.min.js, /google-calendar-events/assets/js/admin.min.js, /google-calendar-events/assets/js/default-calendar.min.js, /google-calendar-events/assets/js/vendor/imagesloaded.pkgd.min.js, /google-calendar-events/assets/js/vendor/jquery.qtip.min.js, /google-calendar-events/assets/js/vendor/jquery.tipTip.minified.js, /google-calendar-events/assets/js/vendor/moment-timezone-with-data.min.js, /google-calendar-events/assets/js/vendor/moment.min.js, /google-calendar-events/assets/js/vendor/select2.min.js, /google-one/bws_menu/js/general_script.js, /google-one/bws_menu/js/shortcode-button.js, /google-one/js/script.js, /monarch/js/admin.js, /monarch/js/custom.js, /monarch/js/idle-timer.min.js, /monarch/js/monarch-mce-button.js, /monarch/js/monarch-post-meta.js, /tinymce-advanced/mce/advlist/plugin.min.js, /tinymce-advanced/mce/anchor/plugin.min.js, /tinymce-advanced/mce/code/plugin.min.js, /tinymce-advanced/mce/contextmenu/plugin.min.js, /tinymce-advanced/mce/emoticons/plugin.min.js, /tinymce-advanced/mce/insertdatetime/plugin.min.js, /tinymce-advanced/mce/link/plugin.min.js, /tinymce-advanced/mce/nonbreaking/plugin.min.js, /tinymce-advanced/mce/print/plugin.min.js, /tinymce-advanced/mce/searchreplace/plugin.min.js, /tinymce-advanced/mce/table/plugin.min.js, /tinymce-advanced/mce/visualblocks/plugin.min.js, 
/tinymce-advanced/mce/visualchars/plugin.min.js, /tinymce-advanced/mce/wptadv/plugin.min.js, /wordpress-seo/js/(.*).js, /wordpress-seo/js/dist/select2/i18n/en.js, /wordpress-seo/js/dist/select2/select2.min.js, /wp-security-audit-log/js/common.js, /wp-smushit//assets/shared-ui/wdev-ui.js, /wp-smushit/assets/js/wp-smushit-admin.js, /wp-smushit/assets/shared-ui/wdev-ui.js, /wp-security-audit-log/js/auditlog.js, /async-javascript/js/admin.min.js, /wp-security-audit-log/js/settings.js, /bulletproof-security/405.php

    The only BPS Pro-related Whitelist Rule I see is the last one for the /405.php. I tried removing this, and that stopped the Security Log entries from being generated for about 2 minutes, but then the /405.php Whitelist Rule got automatically added back into the PFW.

    Can you tell me how I should proceed here? Thank you!
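
The whitelist format quoted in the error message above can be checked offline before saving. The following is an added example, not part of the original post and not BPS Pro's own validation: the regular expression is an approximation of the stated format, and `audit_whitelist` and `SAMPLE` are hypothetical names.

```python
import re

# Approximation of the format quoted in the PFW error message (an assumption,
# not BPS Pro's own check): /plugin-folder/[subdirs/]script.js or .../(.*).js
RULE_RE = re.compile(r"/[\w.-]+(?:/[\w.-]+)*/(?:\(\.\*\)|[\w.-]+)\.js")
OWN_FOLDER = "/bulletproof-security/"  # the firewall plugin's own folder


def audit_whitelist(raw):
    """Return (rule, problem) pairs for a comma+space separated whitelist."""
    findings, seen = [], set()
    for piece in raw.strip().rstrip(",").split(", "):
        rule = piece.strip()
        if not rule:
            continue
        if piece != rule or "," in rule:
            findings.append((rule, "separator is not a comma and a single space"))
        elif rule.startswith(OWN_FOLDER):
            findings.append((rule, "firewall plugin's own path is whitelisted"))
        elif "//" in rule:
            findings.append((rule, "double slash in path"))
        elif not RULE_RE.fullmatch(rule):
            findings.append((rule, "not in /plugin-folder/script.js format"))
        elif rule in seen:
            findings.append((rule, "duplicate rule"))
        seen.add(rule)
    return findings


# Constructed sample: a shortened copy of the whitelist posted above.
SAMPLE = (
    "/akismet/_inc/akismet.js, /wordpress-seo/js/(.*).js, "
    "/wp-smushit//assets/shared-ui/wdev-ui.js, "
    "/wp-smushit/assets/shared-ui/wdev-ui.js, /bulletproof-security/405.php"
)

if __name__ == "__main__":
    for rule, problem in audit_whitelist(SAMPLE):
        print(f"{problem}: {rule}")
```

On the shortened sample this reports the `/wp-smushit//` rule and the `/bulletproof-security/405.php` rule and accepts the rest.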

    #33478
    AITpro Admin
    Keymaster

    Most likely Incapsula is breaking the Plugin Firewall.  Do these steps in this link:  https://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/page/3/#post-30933

    #33498
    Living Miracles
    Participant

    Thanks! This will also take care of the error I’m seeing in the Plugin Firewall area then, yes? It will fix the Security Log entries and the PFW error?

    #33499
    AITpro Admin
    Keymaster

    You would need to let me know if that does work or not.

    #33500
    Living Miracles
    Participant

    Thanks. I just went through all those steps but it didn’t fix either of the issues. The error in PFW still appears: http://i.imgur.com/YixWhcu.png

    And the Security Log entries still appear as well. Maybe I didn’t enter the “proxy server IP address: xxx.xxx.xxx.xxx in the Whitelist by Hostname (domain name) and IP Address text box” correctly? Here’s what I entered:

    198.143.33.41.ip.incapdns.net, 198.143.33.41, 198.143.33.33, 198.143.33.33.ip.incapdns.net, 198.143.32.145.ip.incapdns.net, 198.143.32.145, 198.143.32.153.ip.incapdns.net, 198.143.32.153

    Those are the IPs/Hostnames I found in the Security Log entries.

    #33501
    AITpro Admin
    Keymaster

    Ok well I guess you cannot use Plugin Firewall AutoPilot Mode with Incapsula.  So just manually edit your Plugin Firewall whitelist rules, remove the invalid whitelist rule for the /bulletproof-security/ plugin, save your changes and activate the Plugin Firewall again. Then turn Off AutoPilot Mode.

    #33504
    Living Miracles
    Participant

    Hm, odd. We’ve been using Incapsula for a good while now (I’m assuming these Incapsula IPs are coming from SiteLock, although I also see Uptime Robot in the Security Log) and we haven’t had an issue until the most recent BPS Pro update. Thoughts?

    #33506
    AITpro Admin
    Keymaster

    Nothing has changed in BPS that could be causing these problems.  These problems appear to be caused by other things that are breaking BPS. Things change constantly.  For example lately we have been seeing a huge increase in Mod Security problems breaking BPS Custom Code forms and other things.  I assume what has happened is that someone globally released and distributed a new ruleset of Mod Security SecRules/SecFilters, which is breaking things in BPS as well as many other things in other plugins.  Just what it is.  😉  So you would want to check into things like what has changed in Incapsula, what has changed in SiteLock, also check into Mod Security if you have Mod Security installed on your host server since it is wreaking havoc across the board lately.

    #33507
    Living Miracles
    Participant

    Ah, thanks for that information. We did indeed install ModSecurity on our server fairly recently. What about it could be causing these issues, and is there something we can do about this if we want ModSecurity installed? Or would we need to compromise and turn off PFW AutoPilot Mode if we want to use ModSecurity?

    #33508
    AITpro Admin
    Keymaster

    This forum topic: https://forum.ait-pro.com/forums/topic/bps-speed-boost-cache-custom-code-notice/page/2/#post-33462 has 2 different people on 2 different web hosts worldwide with the same exact Mod Security problem.  We have also been contacted directly by at least 10 other people with the same exact Mod Security problems on 10 different web hosts worldwide.  i.e. global problem. 😉  If you are lucky your web host allows you to change individual Mod Security rules.  If not then most web hosts only offer either Enable or Disable for Mod Security.  I’m not 100% sure if the new Mod Security problems affect the BPS Pro Plugin Firewall.  Or of course the extra “combo” problem could be occurring.  I.e. A breaks C, which then creates a snowball effect and breaks C, D, E, ………………….

    Mod Security in general is a very nice thing, but the problem that we see every once in a while is individual Mod Security SecRules and SecFilters are created that are totally fubar.  For example:  Mod Security should have an exclusion rule for the WordPress /wp-admin/ backend area (based on the Request origin) because the WP Dashboard is password protected and does not need to be checked by Mod Security.  Only the frontend of the site should have Mod Security security rules applied to it (based on the Request origin).  Request origin means where the Request came from.  If the Request came from the wp-admin area then don’t muck around with it since only an authenticated user could have made that Request.

    #33511
    AITpro Admin
    Keymaster

    I just found this forum topic regarding Incapsula:  https://forum.ait-pro.com/forums/topic/incapsula-cdn-401-error-authorization-required/#post-26856. So it looks like you would need to add the entire range of Incapsula IP addresses. I just updated that Incapsula forum topic. It now has all the most current Incapsula IP addresses.

    #33517
    Living Miracles
    Participant

    Thanks for updating those Incapsula IPs! It seems like the error I was seeing in PFW is now gone and it also looks like the /bulletproof-security/405.php isn’t getting added anymore to the Whitelist Rules. I am still seeing, however, these types of errors in the PHP error log:

    [405 HEAD Request: June 29, 2017 - 11:58 am]
    BPS Pro: 13
    WP: 4.8
    Event Code: PFWR-PSBR-HPRA-HEAD
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 198.143.33.41
    Host Name: 198.143.33.41.ip.incapdns.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 69.162.124.236
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: http://michael.i-am-one.net
    REQUEST_URI: /wp-content/plugins/bulletproof-security/405.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

    Can you tell me more about what’s happening there with the 405.php file? What is that file for? Sorry, if I’m a bit slow with understanding how to troubleshoot this. I appreciate anything you can explain about this further 🙂

    #33518
    AITpro Admin
    Keymaster

    My guess would be that you are using some fubar Incapsula settings.  It has been a few years since we looked at what Incapsula is doing so things might have changed since then.  Incapsula used to have these option settings (3 years ago):  Static+Dynamic Caching or Aggressive Caching.  Aggressive caching did the worst possible thing imaginable – wp-admin backend caching – yeah that is a nightmare/train wreck scenario.  The wp-admin backend Dashboard should never be cached for any reason.  I’m not exactly sure what the Incapsula Static+Dynamic Caching option setting did/does, but apparently it is also a fubar setting, unless you specifically create rules to exclude the wp-admin backend area from being thrashed by Incapsula.

    Additional Information: Using the Incapsula Static + Dynamic Caching or Aggressive Caching content caching options without creating an Advanced Caching rule to NOT cache the WordPress /wp-admin backend area URL will break the BPS Pro Plugin Firewall and most likely lots of other things in all of your other plugins. The WordPress wp-admin backend Dashboard area should NEVER be cached for any reason.

    The BPS 405.php Security Logging template file logs HEAD Requests that are blocked on your site. I’m not sure why you are seeing a direct Request to the 405.php logging file, but whatever is causing the Security Log entry is directly going to the 405.php logging template instead of processing the HEAD Request normally. My assumption is that Incapsula or something else is breaking the normal functionality of the 405 logging template. You can try allowing all HEAD Requests on your site, but that is putting a band-aid on whatever the root cause of the problem is.
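
A triage sketch for Security Log entries like the ones quoted in this thread, showing which client actually sent the blocked HEAD requests when a proxy sits in front of the site. It is an added example, not part of any post and not BPS Pro code: `TRUSTED_PROXIES` holds only the proxy addresses that appear in this thread, and the function names and third log entry are constructed.

```python
import re
from collections import Counter

HEADER_RE = re.compile(r"^\[(\d{3}) (\w+) Request: (.+)\]$")
# Proxy addresses seen in this thread; in practice load the provider's published ranges.
TRUSTED_PROXIES = {"198.143.33.41", "198.143.33.33", "198.143.32.145", "198.143.32.153"}

def parse_entries(log_text):
    """Split a Security Log dump into one dict per entry."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            entries.append({"status": header[1], "method": header[2]})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()  # blank headers become ""
    return entries

def real_client(entry):
    """Honor X-Forwarded-For only when the peer is a trusted proxy."""
    peer = entry.get("REMOTE_ADDR", "")
    forwarded = entry.get("HTTP_X_FORWARDED_FOR", "")
    if peer in TRUSTED_PROXIES and forwarded:
        return forwarded.split(",")[-1].strip()  # rightmost hop was added by the proxy
    return peer

def summarize(log_text):
    """Count entries per (real client, method, request URI)."""
    return Counter((real_client(e), e["method"], e.get("REQUEST_URI", ""))
                   for e in parse_entries(log_text))

# Constructed sample: two entries shaped like those posted above, then a direct
# request carrying a spoofed X-Forwarded-For (documentation addresses).
SAMPLE_LOG = """
[405 HEAD Request: June 28, 2017 - 10:10 am]
REMOTE_ADDR: 198.143.33.41
HTTP_X_FORWARDED_FOR: 69.162.124.236
REQUEST_URI: /wp-content/plugins/bulletproof-security/405.php
[405 HEAD Request: June 29, 2017 - 11:58 am]
REMOTE_ADDR: 198.143.33.41
HTTP_X_FORWARDED_FOR: 69.162.124.236
REQUEST_URI: /wp-content/plugins/bulletproof-security/405.php
[405 HEAD Request: June 29, 2017 - 12:01 pm]
REMOTE_ADDR: 203.0.113.9
HTTP_X_FORWARDED_FOR: 192.0.2.1
REQUEST_URI: /
"""
```

`summarize(SAMPLE_LOG)` attributes both proxied entries to the forwarded address and keeps the direct request under its own `REMOTE_ADDR`, ignoring the header it supplied.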

    #33519
    Living Miracles
    Participant

    Thanks so much for all that information. Like I said, I’m assuming that when I’m seeing “Incapsula” in the Security Log, I’ll just assume that that’s actually SiteLock since we don’t have an account with Incapsula. So, I’ve disabled SiteLock for this site for now and will see if that makes a difference in terms of the entries I’m seeing in the Security Log.

    On another note, I actually just noticed that the “Error: Your Whitelist rules have a /bulletproof-security/admin/js/ script whitelisted” did come back now in the PFW. You were saying that this could be related to ModSecurity, or did I misunderstand that?

    #33520
    AITpro Admin
    Keymaster

    I believe the “Error: Your Whitelist rules have a /bulletproof-security/admin/js/ script whitelisted” error is caused by Incapsula.  Most likely you have fubar Incapsula settings that are wrecking your WordPress backend.  You would need to look into what Incapsula is doing these days.  If another plugin is breaking things then you would need to get in touch with those plugin or service support folks to get a solution for the problem they are causing for other plugins, etc.  It is always possible that you have fubar Mod Security SecRules or SecFilters. You would need to do some Mod Security troubleshooting or contact your web host support folks for help with Mod Security troubleshooting.  We are trying to eliminate or minimize troubleshooting problems caused by other plugins these days since that kind of stuff drags everyone down – BPS Pro developers, coders and users. 😉

    If BPS or BPS Pro is causing a problem for another plugin then we create a solution for that issue/problem.  So the same rules should apply for all other plugins or services, etc. 😉
