Plugin Firewall One or more of your Plugin Firewall Whitelist rules are not valid


Viewing 15 posts - 16 through 30 (of 33 total)
  • #18982
    Alex
    Participant

    Thanks Ed, I adjusted the cron interval to 60 minutes (highest short of “Off”). Glad to see this plugin is so well supported!

    Just signed up for your affiliate program – I was surprised that the page was not SSL secured, considering that it asks for sensitive data (SSN, address, etc.).

    #18996
    AITpro Admin
    Keymaster

    Could you tell I was a bit excited yesterday?  You can test and re-test a million times in a dev environment, but the real world typically tends to throw some curve balls at you.  Anyway Plugin Firewall AutoPilot Mode is working out exactly how I had hoped it would in the real world so I can go back to business as usual and get my focus back on some other things we are working on.

    SSL used generally is a great way to put folks at ease, but unless you are actually performing some sort of transaction that should be secured/encrypted with SSL then it is really not necessary to do just for a general site like the affiliate site.  It is just a standard WP site and is not doing any sort of transaction stuff that needs to be secured.  We prefer to let PayPal handle all SSL transaction stuff since they are trusted worldwide.  😉

    #19015
    Alex
    Participant

    I completely understand using PayPal for transactions, however your affiliate page asks for an SSN number along with name and address. Since that is submitted unencrypted, that information could still be intercepted, no?

    #19019
    AITpro Admin
    Keymaster

    Very good point.  I was not even aware that the WP Affiliate Platform plugin asked for a Tax ID / SSN number.  I will modify the plugin so that only these relevant 2 required fields will be displayed to folks. This is the only information we need to pay sales commissions.

    Email Address:
    PayPal Email Address:

    #19036
    AITpro Admin
    Keymaster

    The WP Affiliate Platform register.php form has been modified.  We decided to leave a couple of optional non-sensitive form fields.  Luckily only a couple of people added their SSN #’s which I have deleted from the database.  Thanks for catching this.

    Also at some point we will be getting rid of WP Affiliate Platform and installing a more professional affiliate plugin.  I’m not saying WP Affiliate Platform is bad, but it is very bare bones and limited. 😉

    #19056
    Alex
    Participant

    Awesome, thanks for addressing that so quickly!

    #26114
    alexb
    Participant

    I’m also getting an error on the pre-install wizard, saying “Error: One or more of your Whitelist rules are not valid”.

    I looked through the proposed format, and as far as I can see I only have /plugin-folder-name/file.js everywhere, though some plugins have multiple folders (like pluginfolder/js/file.js) – is that the problem?

    /adsense-click-fraud-monitoring/js/checkclicks.js, /adsense-click-fraud-monitoring/js/updateclicks.js, /adsense-click-fraud-monitoring/js/check_min.js, /cookie-law-info/js/cookielawinfo.js, /google-analyticator/external-tracking.min.js, /contact-form-7/includes/js/jquery.form.min.js, /contact-form-7/includes/js/scripts.js
    #26121
    AITpro Admin
    Keymaster

    Post the entire error message.  Also the Plugin Firewall tools have self correcting ability so do all the manual Plugin Firewall setup steps again to see if the problem is automatically corrected.

    Plugin Firewall Manual Setup Steps
    1. Copy and paste plugin scripts/whitelist rules to the Plugins Script|File Whitelist Text Area.
    2. Click the Save Whitelist Options button.
    3. Turn AutoPilot Mode On.
    4. Click the Plugin Firewall BulletProof Mode Activate button.

    #26124
    alexb
    Participant

    Error: One or more of your Whitelist rules are not valid
    Edit your Whitelist rules after copying them to the Plugin Firewall Whitelist Text Area and correct whitelist rules that contain any of these invalid things: ver=, page=, src=, www, http, https, href, .com, .net, .org, .biz, .info, .gov, .edu and click the Save Whitelist Options button and activate the Plugin Firewall again.
    Valid plugin Whitelist rules MUST use ONLY this Format: /plugin-folder-name/plugin-script.js, /plugin-folder-name/(.*).js. Plugin paths/scripts are separated by a comma and a single space.

    I followed your manual setup steps but when I run the curl scanner afterwards again, I get the same error message as above.

    cURL Scan Results|Plugin Firewall Whitelist Rules:

    /adsense-click-fraud-monitoring/js/checkclicks.js, /adsense-click-fraud-monitoring/js/updateclicks.js, /adsense-click-fraud-monitoring/js/check_min.js, /cookie-law-info/js/cookielawinfo.js, /google-analyticator/external-tracking.min.js, /contact-form-7/includes/js/jquery.form.min.js, /contact-form-7/includes/js/scripts.js
    #26129
    AITpro Admin
    Keymaster

    The only remotely possible cause for the error is this whitelist rule:  /cookie-law-info/js/cookielawinfo.js.  The matching condition is .info, but if for some reason your server is interpreting the dot as match anything then that would explain the false error.  Edit that whitelist rule and change it to this below and do all of the manual Plugin Firewall setup steps.

    /cookie-law-info/js/(.*).js

    And if that whitelist rule does not work then try this one:

    /cookie-law-(.*)/js/(.*).js
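
The hypothesis in the post above (an invalid-token check where the dot in `.info` acts as a regex wildcard) can be reproduced outside the plugin. This is an added example, not BulletProof Security's code: the function names, the format regex and the matching logic are assumptions, while the token list and whitelist rules are copied from the thread.

```python
import re

# Invalid fragments listed in the error message quoted in this thread.
INVALID_TOKENS = ["ver=", "page=", "src=", "www", "http", "https", "href",
                  ".com", ".net", ".org", ".biz", ".info", ".gov", ".edu"]

# Assumed reading of the documented format: two or more /segments ending in
# .js, where a segment may contain the (.*) wildcard shown in the thread.
RULE_FORMAT = re.compile(r"^(?:/(?:[\w.-]|\(\.\*\))+){2,}$")

# Whitelist rules copied from the thread.
THREAD_RULES = (
    "/adsense-click-fraud-monitoring/js/checkclicks.js, "
    "/adsense-click-fraud-monitoring/js/updateclicks.js, "
    "/adsense-click-fraud-monitoring/js/check_min.js, "
    "/cookie-law-info/js/cookielawinfo.js, "
    "/google-analyticator/external-tracking.min.js, "
    "/contact-form-7/includes/js/jquery.form.min.js, "
    "/contact-form-7/includes/js/scripts.js"
)


def split_rules(text):
    """Rules are separated by a comma and a single space."""
    return [r for r in text.strip().split(", ") if r]


def flagged_wildcard_dot(rule):
    """Hypothesized faulty check: tokens used as regexes, so '.' matches any char."""
    return [t for t in INVALID_TOKENS if re.search(t, rule)]


def flagged_literal(rule):
    """Literal check: tokens are escaped, so '.info' only matches a real dot."""
    return [t for t in INVALID_TOKENS if re.search(re.escape(t), rule)]


def validate(text, matcher):
    """Return {rule: [reasons]} for every rule that fails validation."""
    problems = {}
    for rule in split_rules(text):
        reasons = matcher(rule)
        if not (RULE_FORMAT.match(rule) and rule.endswith(".js")):
            reasons.append("bad format")
        if reasons:
            problems[rule] = reasons
    return problems
```

With the wildcard matcher only `/cookie-law-info/js/cookielawinfo.js` is flagged, because `-info` satisfies `.info`; the first suggested replacement still contains `-info`, which is why only the second one, `/cookie-law-(.*)/js/(.*).js`, clears such a check.
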
    #26162
    alexb
    Participant

    Thanks. I tried that but not sure – how do I know if it works? The curl scanner still gives the same error message, and in the yellow field with whitelist rules under the scan results, it has the old /cookie-law-info/js/cookielawinfo.js again, not the stuff that I put in the whitelist rule text box of the plugin firewall.

    The cookie law info plugin works fine (and it did so even with the old whitelist rule as above), so not sure if I should just ignore the PF warning?

    #26163
    AITpro Admin
    Keymaster

    Disregard the error message that the cURL scanner is displaying to you.  Do these steps and let me know if the Plugin Firewall error message goes away on the Security Modes page in the Plugin Firewall tools section.  Once I know if the .info matching condition is the actual problem then I can explain what is occurring in more detail/depth.

    1. Copy and paste plugin scripts/whitelist rules below to the Plugins Script|File Whitelist Text Area.
    2. Click the Save Whitelist Options button.
    3. Click the Plugin Firewall BulletProof Mode Activate button.

    /adsense-click-fraud-monitoring/js/checkclicks.js, /adsense-click-fraud-monitoring/js/updateclicks.js, /adsense-click-fraud-monitoring/js/check_min.js, /cookie-law-(.*)/js/(.*).js, /google-analyticator/external-tracking.min.js, /contact-form-7/includes/js/jquery.form.min.js, /contact-form-7/includes/js/scripts.js
    #26165
    alexb
    Participant

    “let me know if the Plugin Firewall error message goes away on the Security Modes page in the Plugin Firewall tools section”

    – well, where exactly is that, or where would the error be displayed? I only had this whitelist rule error on either the curl scanner page or the pre-install wizard, nowhere else. Please see the following screenshot: http://i.imgur.com/IHJ7tx8.jpg

    Where do I have to look?

    #26168
    AITpro Admin
    Keymaster

    Oops totally misunderstood what the issue is/was.  Ok I understand what is happening now.  The Pre-Installation Wizard cURL scanner and the Pro-Tools cURL scanner are capturing additional code in the scans that is not cleaned/stripped of all/any additional invalid code in the scan results.  Anything that is not literally in this exact format:  /plugin-folder-name/plugin-script-name.js that is captured by those cURL scanners is obviously not valid whitelist rules/code.  So you can disregard those errors in the Pro-Tools cURL scanner and the Pre-Installation Wizard cURL scanner.  If you actually add invalid code/plugin firewall whitelist rules in the Plugins Script|File Whitelist Text Area tool text box then there is an automated Cron job that will automatically fix/correct/remove that invalid code/whitelist rules.  The Plugin Firewall AutoPilot Mode, if it is turned on, creates only valid whitelist rules.  These days it is no longer necessary to use the old Pro-Tools cURL scanner tool or pay any attention to the Pre-Installation Wizard cURL scanner results.  Plugin Firewall AutoPilot Mode is the successor to those older tools.  Those older cURL tools/features will probably be phased out/removed at some point since they are no longer needed/necessary.

    #26171
    alexb
    Participant

    Oh that’s great to hear. Yeah PF autopilot is turned on. Well I have to say +1 for phasing that out then, because the readme for the pre-install wizard says that one should NOT proceed if there are any errors in the pre-install wizard. I’ve run the setup wizard anyway because I assumed I could just turn off the PF if there are any problems, but it’s still kind of confusing/worrying the first time around.

    So do I have to use the regex rule for the cookie law info plugin whitelist rule you gave me, or the one suggested by PF? Or will both work correctly?

    Unrelated question: If I have ARQ on and add a custom code to the root htaccess – will this then be quarantined unless I first turn off ARQ, delete old backup, make new backup and turn it back on?
