Plugin Firewall problem (BulletProof Security Pro forum)
This topic has 13 replies, 3 voices, and was last updated 9 years, 11 months ago by AITpro Admin.
Thunder (Participant)
I have just installed the Pro version today, but DANG, this Plugin Firewall has got me!
Looking at all of your information here, the ONLY thing you do not mention is when the Firewall Test Mode reports NOTHING.
I have two plugins installed that create an Events application where people sign in and fill out a form to enroll. Two different events, two different versions of the same basic plugin are installed.

Plugin Firewall Test Mode Results:
"There are no Test Mode Results to display. This could simply mean that you do not have any plugin scripts that need to be whitelisted. Please click HERE for blah blah" (BACK TO THE PAGE I JUST READ)...

So, I follow the rest of the steps.
On refresh I get: Success! Plugin Firewall BulletProof Mode Activated. Your /wp-content/plugins folder is now protected with BulletProof Security.
But ABOVE that I get this message indicating NOPE:
The Plugin Firewall Needs To Be Activated
Click Here to go to the Plugin Firewall to create your Plugin Firewall Whitelist and then Activate the Plugin Firewall.
If you do not want to setup or use the Plugin Firewall then click the Firewall Whitelist Tools tab and click the Save Whitelist Options button to remove/clear this message/notification.

The .htaccess file in the plugins folder says:
[code removed]
I want to make sure Plugins are protected.
But every time I take a step in BulletProof I get conflicting indications from the Top Warnings section that contrast with a message on the bottom half.

AITpro Admin (Keymaster)
Check your BPS Pro Security Log and post any errors that you see.
Thunder (Participant)
The File Lock says: Server API: cgi-fcgi – Your Host Server is using CGI. Use the CGI File Lock and Unlock options.

CGI Permissions & Status Table
Filename               | Permissions & Status     | Last Modified        | Path
Root .htaccess         | 404 – Locked – Read Only | Jun 13 2013 13:19:35 | /homepages/36/d236264054/htdocs/mywebsitesfoldername/.htaccess
wp-config.php          | 400 – Locked – Read Only | Jun 13 2013 09:47:33 | /homepages/36/d236264054/htdocs/mywebsitesfoldername/wp-config.php
WP index.php           | 400 – Locked – Read Only | Jun 13 2013 09:46:16 | /homepages/36/d236264054/htdocs/mywebsitesfoldername/index.php
wp-blog-header.php     | 400 – Locked – Read Only | Jun 13 2013 09:46:16 | /homepages/36/d236264054/htdocs/mywebsitesfoldername/wp-blog-header.php
DR – Root .htaccess    | Turned Off               | Jun 13 2013 13:19:35 | /myserversitename/homepages/36/d236264054/htdocs/mywebsitesfoldername/.htaccess
DR – WP index.php      | Turned Off               | Jun 13 2013 09:46:16 | /myserversitename/homepages/36/d236264054/htdocs/mywebsitesfoldername/index.php
GWIOD – Root .htaccess | Turned Off               |                      | /homepages/36/d236264054/htdocs/.htaccess
GWIOD – WP index.php   | Turned Off               |                      | /homepages/36/d236264054/htdocs/index.php

AITpro Admin (Keymaster)
The Security Log page is located in B-Core. Click the Security Log tab page and then post any errors.
Thunder (Participant)
There are no errors. It is reporting from the very first setup of this plugin almost 5 hours ago.
Please give instructions for when the Firewall Test Mode shows NO response when tested.
Even though 2 plugins are activated and are putting output onto pages in WordPress publicly, the Whitelist has nothing to put into it. So, I save it BLANK before exiting, going to Firewall Test Mode OFF and clicking the Save On/Off Option button.
I never get rid of the message below, even when I go back:

B-Core ~ Htaccess Core Security
Success! Plugin Firewall BulletProof Mode Activated. Your /wp-content/plugins folder is now protected with BulletProof Security.
The Plugin Firewall Needs To Be Activated
Click Here to go to the Plugin Firewall to create your Plugin Firewall Whitelist and then Activate the Plugin Firewall.
If you do not want to setup or use the Plugin Firewall then click the Firewall Whitelist Tools tab and click the Save Whitelist Options button to remove/clear this message/notification.

AITpro Admin (Keymaster)
Hmm, not really sure what is going on on your website. This is something I have never seen before. Please create a temporary WordPress Admin login account for this website and send the login info to edward at ait-pro dot com. I will log in and figure out what is going on. Thanks.
AITpro Admin (Keymaster)
Silly one. I should have caught this – “…click the Save Whitelist Options button to remove/clear this message/notification…”. I checked your site and you do not really have any frontloading plugin scripts that need to be whitelisted in the Plugin Firewall. You brought up a very good point though. I need to add additional help information that states something like this: “Even if you do not have any plugin scripts to whitelist you still need to click the Save Whitelist Options button and activate the Plugin Firewall”.
The php error log issue was another silly one. Button 2 was not clicked yet.
These example lines in your Plugin Firewall are left over from a Demo that I was doing and are not supposed to be included. They are not hurting anything, so in the next BPS Pro version I will clean this up automatically. 😉

    SetEnvIf Request_URI "/plugins/example1/js/example.js$" whitelist
    SetEnvIf Request_URI "/plugins/example1/js/example.js$" whitelist
    SetEnvIf Request_URI "/plugins/example2/js/example.js$" whitelist
    SetEnvIf Request_URI "/plugins/example-super-long-string/js/example.js$" whitelist
    SetEnvIf Request_URI "/plugins/example-super-long-string-tuitotituti/js/example.js$" whitelist

Your Theme has a minor coding error that was constantly generating php errors. I have suppressed the errors for now by adding a @ sign in front of the include below in your Theme’s index.php file, but you need to contact the theme author and have him/her fix the coding issue.

    /kunden/homepages/xxxxx/htdocs/xxxxx/wp-content/themes/ApomaxxTemplate/index.php, line 50
    <?php @include (TEMPLATEPATH . '/wp-contentfrontpage.php'); ?>
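Editor's added example (not code from BPS Pro or from anyone on this thread): the whitelist lines Edward quotes above are Apache `SetEnvIf` directives, each a regular expression that sets the `whitelist` environment variable when it matches the request URI. The Python below generates lines in that same `/plugins/...$` shape from a list of front-loading plugin scripts, parses them back, and simulates how Apache's regex search would match incoming URIs. The plugin paths are constructed for the example; the `whitelist` variable name and the `/plugins/...$` shape are taken from the lines above; how BPS then allows or denies a request based on that variable is not shown on this page and is not modelled here.

```python
"""Build and sanity-check Plugin Firewall whitelist lines.

Added example, not BPS Pro code.  Models only the SetEnvIf half of the
mechanism: generating `SetEnvIf Request_URI "<regex>$" whitelist` lines and
checking which URIs they match.
"""
import re

# Constructed sample paths, as Test Mode or the cURL Multi Page Scanner might
# report them for two front-loading plugins.  Not taken from the thread.
FRONTLOADING_SCRIPTS = [
    "/wp-content/plugins/events-enroll/js/enroll.js",
    "/wp-content/plugins/events-enroll-v2/js/enroll.min.js",
    "/wp-content/plugins/events-enroll/ajax/submit.php",
]

# Two of the leftover demo lines quoted in the thread, used below to show the
# difference between an escaped and an unescaped dot.
DEMO_LINES = (
    'SetEnvIf Request_URI "/plugins/example1/js/example.js$" whitelist\n'
    'SetEnvIf Request_URI "/plugins/example2/js/example.js$" whitelist\n'
)

_SETENVIF_LINE = re.compile(
    r'^\s*SetEnvIf\s+Request_URI\s+"([^"]+)"\s+whitelist\s*$'
)


def whitelist_line(script_path):
    """Return one SetEnvIf line for a plugin script path.

    Keeps the '/plugins/...$' shape used on the thread, but regex-escapes the
    path so '.' only matches a literal dot, and anchors with '$' so
    'enroll.js' cannot also match 'enroll.js.php'.
    """
    idx = script_path.find("/plugins/")
    if idx < 0:
        raise ValueError(f"not a plugin script path: {script_path}")
    return f'SetEnvIf Request_URI "{re.escape(script_path[idx:])}$" whitelist'


def build_whitelist(script_paths):
    """Whitelist text for a set of paths.  An empty list yields an empty
    whitelist, which is a valid result (the thread's case: nothing to add,
    but Save Whitelist Options still has to be clicked)."""
    return "\n".join(whitelist_line(p) for p in sorted(set(script_paths)))


def whitelist_patterns(htaccess_text):
    """Parse SetEnvIf whitelist lines back into compiled regexes."""
    patterns = []
    for line in htaccess_text.splitlines():
        m = _SETENVIF_LINE.match(line)
        if m:
            patterns.append(re.compile(m.group(1)))
    return patterns


def is_whitelisted(request_uri, patterns):
    """Mimic SetEnvIf matching: the regex is searched anywhere in the URI,
    so only the pattern's own '$' (or '^') anchors it."""
    return any(p.search(request_uri) for p in patterns)


if __name__ == "__main__":
    text = build_whitelist(FRONTLOADING_SCRIPTS)
    print(text)
    pats = whitelist_patterns(text)
    for uri in ("/wp-content/plugins/events-enroll/js/enroll.js",
                "/wp-content/plugins/events-enroll/js/enroll.js.php",
                "/wp-content/plugins/events-enroll/admin/settings.php"):
        state = "whitelist set" if is_whitelisted(uri, pats) else "whitelist not set"
        print(f"{uri} -> {state}")
```

Two points the simulation makes visible: an empty whitelist is a legitimate output (it simply matches nothing), which is the situation Thunder hit; and because the regex dot matches any character, an unescaped `example.js` pattern also matches `exampleXjs`, so escaping the dot and keeping the `$` anchor is the tidy way to write such lines.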
AITpro Admin (Keymaster)
Ideally the “include” should have a coding check like this:

    $file = TEMPLATEPATH . '/wp-contentfrontpage.php';
    if (file_exists($file)) { include $file; }
Thunder (Participant)
Fantastic!
I will take a look at that template line and see what can be resolved.
Thank you for finding that.

Oh, Edward, if I fix that template file do I turn off the Cron/AutoRestore check first?
AutoRestore/Quarantine ARQ Cron is On
Check files every 10 minutes.
1) Are the ONLY steps I have to take to turn this off, Save, then FTP upload the fixed template index.php file?
2) Then delete the wp-content backup files?
3) Then re-backup the wp-content files?
4) Then restore the Quarantine ARQ to ON?

AITpro Admin (Keymaster)
You can either turn off the AutoRestore Cron while you are editing the file and then back up the wp-content files again before turning the ARQ Cron back on, or you can upload the edited file and it will be sent to Quarantine, so you can just restore it from Quarantine using the Restore File option. Either way is fine.
Jonathan (Participant)
I am having a problem with the Plugin Firewall test. When I first opened the separate window, I got a message that I did not have permission to run the PFW-TestMode.php file. I reset permissions to 664 and the php file ran, but all I got was a grey screen. Moving forward, I reloaded the site and found two plugins that could not run. I then deleted the .htaccess file in the plugins folder to get the site running again. At this point, I do not have an operable Plugin Firewall. I could go ahead and add those two plugins to the Whitelist, but I am reticent to do so with the testing service inoperable. What do you suggest?
Jonathan (Participant)
This probably should be placed in a separate forum category, but it may be related to the problem described above. I am using the folder structure recommended by Mark Jaquith and other WordPress gurus. In this structure, the index.php and the wp-config.php files, as well as the content directory, are located one level above the WordPress directory. This is an amazing innovation which greatly simplifies the docroot file listing, and it probably improves security from amateur hackers. The problem is that BPS evidently does not recognize this kind of file structure, claiming that the index.php and wp-config.php files do not exist.
Here is the pertinent information from the WordPress Codex:
http://codex.wordpress.org/Giving_WordPress_Its_Own_Directory
Here is an article for this kind of setup:
http://www.johngirvin.com/archives/moving-the-wordpress-wp-content-folder.html
What can be done here?
AITpro Admin (Keymaster)
The Plugin Firewall will generate a 403 error on first launch. You just need to relaunch it again or refresh your Browser. There is a slight delay when your testing IP address is added. A lot of folks find the cURL Multi Page Scanner easier/simpler to use to get plugin scripts to add to the Plugin Firewall Whitelist text area. You will find a link to the cURL Multi Page Scanner under the Additional Whitelist Tools accordion tab, or you can go directly to the cURL Multi Page Scanner tool in BPS Pro Pro-Tools.

Additional help links:
Plugin Firewall Read Me First / troubleshooting: http://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/
General BPS Pro troubleshooting: http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
Security / HTTP Error Log: http://forum.ait-pro.com/forums/topic/security-log-http-error-log-read-me-first/
AITpro Admin (Keymaster)
BPS works fine with GWIOD sites. We have a GWIOD testing site set up, as well as every other possible type of WordPress setup/installation, and BPS works perfectly on all of them. If something is not working correctly on the GWIOD site then something is not set up correctly on that site.
Ugh, I just looked at the link you posted. I do not buy into any of the “hiding” gimmicks. Hiding is not and never will be real security. The only people hiding tactics fool are wannabe hackers. Professional hackers blaze right through any hiding tactics because hiding is not security.
Having a GWIOD setup following ONLY the WordPress Codex is an excellent thing to do for a number of reasons. Changing the name or location of the wp-content folder is a terrible idea for a number of reasons – mostly because it will probably just cause problems instead of adding anything beneficial to the site, and security is not a factor because, like I said, this is not a real/valid security measure.
I make it a point to debunk methods like this that have zero value. I feel that it is my duty to inform folks about myths, mistruths and gimmicks that are crap.