Security risks when not using the Plugin Firewall

[YoolsLoganta]

Hi there,

I’m considering to keep the plugin firewall disabled on client websites. I can whitelist the plugin scripts I use when setting up the site, but I can’t ask them to do the same each time they install a plugin on their own : ) Are there any major security risks?

Thanks,
Stefaan

[AITpro Admin]

The Plugin Firewall protects the WordPress /plugins/ folder – all plugins/plugin files.  If you do not have any plugins installed that have security vulnerabilities or exploits in those plugin’s code then the risk is 0.  If you did happen to have a plugin installed that has a security vulnerability or exploit then it is protected by the Plugin Firewall even though that plugin has a security vulnerability/exploit.  If the Plugin Firewall is not turned On then the Plugin Firewall would not protect that plugin from being exploited.

BPS Pro 9.8 will have increased Plugin Firewall automation that will automatically add new Plugin Firewall whitelist rules as needed.  Tentative release date for BPS Pro 9.8 is between October 29 to November 5.  So you could turn the Plugin Firewall off for now and then turn it on after BPS Pro 9.8 is released and installed on the site(s).

[YoolsLoganta]

Thanks for the feedback! Increased plugin firewall automation, I like it : ) So when a client will add a new plugin under BPS Pro 9.8, the whitelist rules will be automatically created? That would be great!

[AITpro Admin]

Yes.  And of course we have to create both a Plugin Firewall auto-pilot mode and a manual mode since some folks will not want to use auto-pilot mode.  I think we are leaning towards making auto-pilot mode the default setting and then creating an option to turn auto-pilot mode off.

[Thea]

Glad i ran into this, i just had to disable the whole plugin firewall, on account of it blocking pretty much every one of my plugins,even though they are listed in the whitelist box… hope the new automated feature will do a better job.

[AITpro Admin]

Then there is a mistake somewhere or something is breaking the BPS Pro Plugin Firewall.  Are you using a minify plugin or minifying your website?  Go to the B-Core >>> htaccess File Editor tab page >>> click Your Current Plugins htaccess File tab.  Copy and paste your Plugin Firewall htaccess code here.

[Thea]

Not using a minify plugin. i am using quick cache pro if that makes any difference. This should be it. i re-created it now because i deleted it when disabling the plugin firewall, as is instructed somewhere on this forum.

[Plugin Firewall htaccess code copied and then deleted for privacy]

[AITpro Admin]

I have checked your site on the frontend and see that the Plugin Firewall is not working correctly on this site.  I don’t think that Quick Cache would be causing this problem, but try clearing Quick Cache cache and deactivating the Quick Cache plugin temporarily.  I see that this is a Giving WordPress Its Own Directory (GWIOD) WordPress installation installed in this folder /wp/.  The Plugin Firewall works on all WordPress installation types.  I am unable to see anything that could be causing the problem by looking at the frontend of your website.  I would like to look at the backend of this website.  Please create a temporary WordPress Admin account and send it to edward at ait-pro dot com.

[AITpro Admin]

UPDATE|EDIT:  As of BPS Pro 11 the Plugin Firewall now works on LiteSpeed Servers.

Actually I figured out what the problem is.  You have a LiteSpeed Server and LiteSpeed does not support this Apache htaccess directive/code:  SetEnv, which means the Plugin Firewall whitelist rules/code is being ignored.  LiteSpeed is planning on adding support for this Apache htaccess directive in the future.  At this time you cannot use the Plugin Firewall on your LiteSpeed server so deactivate it.  We were planning on creating some dumbed down Plugin Firewall htaccess code that LiteSpeed can handle, but have temporarily put that on hold pending further discussion.

[Thea]

Ok. I’m about to switch hosting companies anyhow and will see if the new one will have the same setup or something that works with BPS Pro. Thanks for the help!

[Author]

Posts