Plugin Firewall Blocked Plugin Scripts


    #1185
    Tom
    Participant

    Activating the Plugin Firewall Security Mode broke javascript on my web site and blocked some plugins from working properly (for example BPS Pro – all the tabs were displayed as a single continuous page). Removing .htaccess from the plugins catalog fixed javascript and the plugins.

    To activate the Firewall I just ran the scan, created a Firewall Master and activated BulletProof Mode.

    In my security log I do not see 403s related to plugins. How should I properly activate the Firewall? Should I do some custom scan / plugin override?

    #1186
    AITpro Admin
    Keymaster

    The Plugin Firewall Whitelist scanner is unfortunately not working on sites that use Minifying plugins, copyright protection plugins, Themes that embed code directly into your source code and some other additional scenarios where the Whitelist scanner is blocked from reading your source code or the source code is mangled beyond readability/unable to capture plugin script paths.

    Are you using a Minify Plugin, some other kind of minifying script/Theme or copyright protection plugin?  

    What I am seeing is that when using a Minify Plugin 403 errors are not being generated in the Security Log because the original plugin scripts no longer exist. Minifying basically combines all scripts into another script so the source origin of the true script is lost.

    Example here:  http://forum.ait-pro.com/forums/topic/better-wordpress-minify-plugin-plugin-firewall-plugin-firewall-whitelist/

    I’m not sure that an automated solution can be created in most of these scenarios above since the original plugin scripts/code/file paths are mangled beyond readability or blocked.  Please either post a link to your site here or if you want your site to remain anonymous then send an email to info at ait-pro dot com with a link to your site so that we can look at your website’s source code to manually see what the Whitelist scanner is seeing – or to be more accurate, what the Whitelist scanner is being blocked from seeing or is unable to see because things are mangled beyond readability.


    #1208
    AITpro Admin
    Keymaster

    A new Plugin Firewall Read Me First Troubleshooting post has been created here >>> http://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/

    #1253
    Tom
    Participant

    I have read the new Troubleshooting post and it helped me understand the Firewall better.
    Yes, I was using the WP Minify plugin. As security is more important I deactivated minification, cleared the cache and reloaded the page. But I still do not see any 403 errors related to requests for plugin scripts.
    ***
    The scan did not detect the plugins which get inactivated by the Firewall. I can see paths to several other plugin and theme .js files on the whitelist. There are also warnings:

    Warning: curl_setopt() [function.curl-setopt]: CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set in [...]/public_html/blog/wp-content/plugins/bulletproof-security/admin/options.php on line 1617
    Warning: curl_setopt() [function.curl-setopt]: CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set in [...]/public_html/blog/wp-content/plugins/bulletproof-security/admin/options.php on line 1617

    ***
    The plugins inactivated by the Firewall include at least: Social Slider, WP-PageNavi, WP Single Post Navigation, and I think in part BulletProof Security Pro (the tabs did not render correctly in the Dashboard when the Firewall was enabled). The Firewall scan was not whitelisting these plugins even when all the remaining plugins were deactivated.
    ***
    Overriding the Social Slider plugin created a new .htaccess file in that plugin’s folder but the plugin remained blocked.
    ***
    Thank you for having a look at my web site – I just emailed you the address. Minification is disabled, and the security status is now:
    BULLETPROOF PRO 5.5 SECURE .HTACCESS || Firewall Status: Off || UAEG Status: On

    #1255
    AITpro Admin
    Keymaster

    The Plugin Firewall Whitelist scanner is not being allowed on your Server due to restrictions on your Server.  You only have one option available to you since this scanner is blocked/not allowed.  You will have to manually get your plugin script file paths from your website’s source code and manually add them to the Plugin Firewall Whitelist text area.  See the Manual Whitelist Option If The Whitelist Scanner Is Unable To Get Plugin Scripts Section for the steps to manually get your plugin script paths >>> http://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/

    #1256
    AITpro Admin
    Keymaster

    Actually I just thought of something.  You will not see errors in your Security Log file until a visitor with a different IP Address visits your website because the Plugin Firewall is Whitelisting your IP Address.  What you can do to test your site and force errors to be generated/logged is this:

    1.  Turn off AutoRestore.

    2.  Log out of your WordPress site.

    3.  FTP to your website and go to the /plugins folder and download the /plugins/.htaccess file.

    4.  Edit the .htaccess file and change the Public IP address in the plugins .htaccess file.  You only need to change 1 number and not the whole IP address for testing purposes.

    # BEGIN PUBLIC IP
    Allow from xxx.xxx.xx.xxx
    # END PUBLIC IP

    5.  Upload the .htaccess file back to your /plugins folder and navigate to all your main site pages and check things like your contact form.

    Your site may not be displaying correctly at this point and things might not work correctly.  What you are trying to do at this point is just generate Security Log errors so do not panic.  😉

    6.  After you have checked/tested your website thoroughly, then log back in.

    You should now see errors in your Security Log file and you can follow the manual instructions on adding those plugin scripts from the Security Log file to the Plugin Firewall Whitelist Text area.

    #1274
    Tom
    Participant

    Thank you again for your helpful suggestions!

    1. I eventually managed to get the 403s logged but they showed the same scripts as already generated by the scan. After removing the warnings from the whitelist (and leaving only the scripts found by the scan) I do not see any blocked plugins. So maybe problems were somehow caused by the warnings at the top of the whitelist…
    Previously e.g. Social Slider was blocked (also when logged in to WordPress). After removing the warnings Social Slider and several other plugins are not blocked by the firewall (even though they are not on the whitelist). The web site appears to load correctly also through a public proxy.

    2. Some of the scripts have their versions written in their names, e.g.

    /social-sharing-toolkit/script_no_follow_2.1.1.js, /photoswipe/code.photoswipe.jquery-3.0.4.min.js,

    After an update of these plugins they would likely become blocked… So should I whitelist them like this:

    /social-sharing-toolkit/script_no_follow*

    3. After configuring the Firewall can I activate the minifying plugin? It may only interfere with the Scan and not with the Firewall? I think the web site loads as expected.

    4.  Is my understanding correct that plugins working behind the scene (like Google XML Sitemaps or new post notifications by email) will not be blocked because my server’s IP is automatically allowed by the Firewall?

    5. Is there an easy way to test the firewall?

    #1276
    AITpro Admin
    Keymaster

    All the standard Regex characters will work with SetEnvIf Request_URI so the Whitelisted scripts could be manually added using this syntax/Regex.

    /social-sharing-toolkit/script_no_follow_(.*).js, /photoswipe/code.photoswipe.jquery-(.*).min.js,
    but this is simpler and better
    social-sharing-toolkit/(.*).js, /photoswipe/(.*).js

    I do not know for sure at this point if it is possible to Minify scripts and still have everything work correctly.  I have done some testing with a Minifying plugin and I could not get anything to work correctly, but I will continue to look at the problem from other angles/approaches.  Here is the problem:  A minifying plugin takes the original plugin scripts and combines them into another “master” script.  The true origin of the plugin script no longer really exists so the Plugin Firewall Whitelist cannot accurately whitelist the plugin’s script.  I have also tried to then Whitelist the minified “master” script and this did not work either.  It may just be that this one particular minifying plugin is just not going to work with the Plugin Firewall or it may be that this is going to be the case with all minifying plugins.  I am still researching this, but if you feel like experimenting then let me know what happens.

    Only frontend loading plugin scripts need to be Whitelisted – all other plugin scripts do not need to be Whitelisted.  This is how that works.  Your plugins folder is protected by an IP based Firewall.  So all plugin files/scripts are blocked from being externally accessible by any other IP address that is not your IP Address.  What the Plugin Firewall Whitelist does is create an exception for whichever plugin script needs to load unrestricted/unblocked by the Plugin Firewall for your website visitors.

    The steps I posted in my previous comment are the best method to test the Plugin Firewall at this point.  I will be creating a Plugin Firewall [obsolete-removed] that will force a testing IP address to be written to the .htaccess file and this will allow you to view your site as if you are a visitor.  More on that later – it is in the works.

    #1285
    Tom
    Participant

    OK, I am now happy with the Firewall.
    The WP Minify plugin is set to minify JavaScript and HTML, and the web site appears to be loading fine. If I find any issues with this configuration I will post a note here. The “view as visitor” feature will be very nice. I am looking forward to it!
    The frontend loading plugins on my web site (so far no problems):

    Comment Redirect by Yoast
    Featured Comment Widget
    Google Analyticator
    Google Authenticator
    Peter’s Literal Comments
    Recent Posts Plus
    Social Sharing Toolkit
    Social Slider
    Subscribe2
    Subscribe to Comments Reloaded
    Twitter Avatar Reloaded
    Use Google Libraries
    WordPress SEO
    WP-PageNavi
    WP Single Post Navigation

    My whitelist

    http://(...)/wp-content/themes/(...)/resources/plugins/photoswipe/klass.min.js, http://(...)/wp-content/themes/(...)/resources/plugins/photoswipe/code.photoswipe.jquery-(.*).min.js, /google-analyticator/external-tracking.min.js, /social-sharing-toolkit/script_no_follow_(.*).js, /social-sharing-toolkit/includes/buttons/button.googleplus.js, /social-sharing-toolkit/includes/buttons/button.facebook.js, /google-analyticator/external-tracking.min.js, /social-sharing-toolkit/script_no_follow_(.*).js, /social-sharing-toolkit/includes/buttons/button.googleplus.js, /social-sharing-toolkit/includes/buttons/button.facebook.js,

    #1286
    AITpro Admin
    Keymaster

    Looks good, but you need to make a correction.  And AWESOME that the WP Minify plugin is working fine.  I have not tested that minifying plugin and have only tested another one, but that gives folks a great out / solution – switch from X minifying plugin to this one – WP Minify.  😉

    Plugin Firewall Whitelist rules/paths ONLY need to be added for ONLY plugins and should ONLY be in this path format – /plugin-folder-name/rest-of-path-to-plugin-script.file-extension,  You do not need to Whitelist front loading scripts that are in any other folder than the /plugins folder.  ie your /themes folder.  Also you would not want to have “http” or additional / extra slashes or anything else in each plugin script Whitelist rule/path other than just the basic path format.

    /photoswipe/(.*).js, /google-analyticator/external-tracking.min.js, /social-sharing-toolkit/(.*).js, /social-sharing-toolkit/includes/(.*).js, /social-sharing-toolkit/includes/(.*).js

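    The whitelist clean-up rules from the two admin replies above (drop scanner warnings, drop theme scripts, strip the http prefix, keep only /plugin-folder/... paths, use (.*) for versioned file names) and the resulting allow/deny decision of the /plugins/.htaccess firewall, worked through as an added example. This is not BPS Pro code; the sample scanner output, the IP addresses and example.com are constructed, and request_allowed only approximates how an "Allow from" owner IP plus SetEnvIf Request_URI regex rules behave.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the thread: a PHP warning line, a theme script
# with a full URL, an http-prefixed plugin path and a duplicate entry.
RAW_WHITELIST = """Warning: curl_setopt() [function.curl-setopt]: CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set in [...]/options.php on line 1617
http://example.com/wp-content/themes/mytheme/resources/plugins/photoswipe/klass.min.js, /google-analyticator/external-tracking.min.js, http://example.com/wp-content/plugins/social-sharing-toolkit/script_no_follow_(.*).js, /social-sharing-toolkit/includes/buttons/button.facebook.js, /google-analyticator/external-tracking.min.js,
"""

PLUGINS_MARKER = "/wp-content/plugins"


def normalize_whitelist(raw):
    """Apply the thread's rules: skip warning lines, skip scripts that do not live
    under /wp-content/plugins (e.g. theme scripts, which the firewall never blocks),
    strip scheme and host, keep only /plugin-folder/... entries, and dedupe."""
    entries = []
    for line in raw.splitlines():
        if line.startswith("Warning:"):
            continue
        for item in (part.strip() for part in line.split(",")):
            if not item:
                continue
            if item.startswith("http"):
                path = urlparse(item).path
                if PLUGINS_MARKER not in path:
                    continue
                item = path.split(PLUGINS_MARKER, 1)[1]
            if item not in entries:
                entries.append(item)
    return entries


def request_allowed(client_ip, request_uri, owner_ip, whitelist):
    """Approximate the /plugins/.htaccess decision: the owner's IP from the
    'Allow from' line always passes; any other visitor only reaches a script
    whose Request_URI matches one of the whitelist regexes (SetEnvIf style)."""
    if client_ip == owner_ip:
        return True
    return any(re.search(pattern, request_uri) for pattern in whitelist)
```

    Because the entries are regexes, the (.*) entry keeps matching script_no_follow_2.1.1.js after a plugin update renames it to a newer version, which is the case Tom asked about.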
    #1290
    AITpro Admin
    Keymaster

    I am testing WP Minify and I noticed this nice Advanced Option / Feature in WP Minify – Use “pretty” URL      (i.e. use “wp-minify/cache/1234abcd.js” instead of “wp-minify/min/?f=file1.js,file2.js,…,fileN.js”).

    When I use the Plugin Firewall Whitelist scanner I get these 2 usable whitelist paths below.  Unfortunately, the same type of problem occurs on my testing site with this minifying plugin that is occurring with the other minifying plugin I was testing.  Some of my plugin scripts cannot be Whitelisted if they are minified – PERIOD.  So that leaves only one option, which I am sure all minifying plugins have – exclude certain plugin scripts from being minified.

    /wp-minify/cache/bef8d465682e1f770a38f0b3f096c893.js, /wp-minify/cache/a6cbef0e2c55bd7b7f0ff2855062da20.js, 

    Also minification causes the Whitelist scanner to not be able to see a website’s Source Code accurately and extra HTML code is returned in the scan results so I will also need to add additional capabilities in the Whitelist scanner to strip out any extra HTML code that is returned in the scan results from minification.

    What has me baffled a little bit is logically it would seem that if you Whitelist the newly created/combined/minified script then why is it not being Whitelisted successfully?  Once I understand what that problem is with minifying/minification then I can probably come up with a working solution.

    #1291
    AITpro Admin
    Keymaster

    Oh wow never mind. There are several scripts that just cannot be minified – PERIOD.  Minification itself breaks them and they do not work correctly so the problem is occurring even before the Plugin Firewall is involved.  😉  So basically the idea is if you are going to use minification then you might need to exclude some scripts from being minified.  When I do this then all the scripts that do work with minification are Whitelisted successfully and the scripts that cannot be minified without breaking them are Whitelisted normally.  Ok I’ve got a handle on minification now.  😉

    #1313
    Tom
    Participant

    Plugin Firewall Whitelist rules/paths ONLY need to be added for ONLY plugins and should ONLY be in this path format  
    I see, of course the .htaccess is blocking the plugins folder so it is not logical to include scripts from the themes folder. So I deleted the irrelevant scripts from the whitelist. My web site appears to be loading without any problems.
    Though I must say that those scripts were automatically added, together with the h ttp://www..... by the Plugin Firewall Whitelist scanner. I merely replaced part of the path with “(…)” when posting here. The Whitelist scanner recognized the PhotoSwipe script from my theme (which I generated with the TTG CE2 Theme for WordPress – a web engine for Adobe Lightroom). In addition there were the two warnings on the whitelist, which I had to remove.
    Minification itself breaks them and they do not work correctly
    To be on the safe side I now disabled minification altogether (I am serving HTML gzipped anyway).

    #1319
    AITpro Admin
    Keymaster

    Yes,  there are several things that cause the Whitelist scanner not to be able to extract only the scan results it should be returning.  We will continue to refine and perfect the Whitelist scanner, but in cases where a minify or copyright protection plugin is installed/being used or a Theme or Plugin is embedding code into the website’s source code then it may just be that it is not possible to get the expected scan results since all of these things change a website’s source code significantly.  What we are seeing is the Whitelist scanner returns exact perfect scan results in 90% of websites and then the other 10% of websites fall under one of the problematic issues/categories above.  Since the Plugin Firewall is relatively new we will continue to research other ways of finding/detecting front loading plugins scripts or find a better way to compensate for the problematic issues above.
