BulletProof Security Pro forum topic: Plugin Firewall Whitelist Rules not being added
- This topic has 16 replies, 2 voices, and was last updated 4 years, 8 months ago by webstar.
webstar (Participant):
Hi,
I noticed that my plugin firewall rules are not being added anymore. In fact it’s blank now. It’s on AutoPilot mode and I have 15 plugins installed.
I’m pretty sure it had rules before.
I’ve already run the Pre-Installation and Setup, and it still shows up empty in the rules.
Can you help debug the issue?
Thanks.
AITpro Admin (Keymaster):
Not all websites will require Plugin Firewall whitelist rules depending on how things are set up on a website. Are you seeing Security Log entries that show frontloading plugin .js script 403 errors? Are you using a .js minifying/compressing and/or combining plugin? Post a link/URL to your website so I can take a look at the frontend of the website for issues/problems. If you do not want to post a link/URL to your website in this forum then send the link/URL to your website to email address: info at ait-pro dot com.
webstar (Participant):
I’m going to send you an email. Writing it up right now. Thanks.
webstar (Participant):
I sent you an email just now with all the info and some of the debugging I’ve done.
AITpro Admin (Keymaster):
I found 3 problems: It would be much faster for me to login to this website and fix these problems instead of listing all of the steps in this forum topic for you to fix the problems. I have sent you a direct email requesting WP Admin login credentials to this site.
1. The Plugin Firewall is blocking plugin .js scripts and AutoPilot Mode is not automatically whitelisting those .js scripts.
2. It appears that you are using the BPS POST Attack Bonus Custom Code and need to add an additional whitelist rule for this Query String: wc-ajax=get_refreshed_fragments
3. You need to add a wp-admin htaccess file whitelist rule for the WP admin-ajax.php file and/or this Query String: action=quick_preivew
webstar (Participant):
Sure, I’ll send you the login details. Thanks.
Some plugin whitelist rules have finally appeared, but it didn’t include any of the issues you noted.
AITpro Admin (Keymaster):
Yes, you are correct about the Plugin Firewall working correctly now. I checked your site and am no longer seeing 403 errors for any frontloading plugin scripts. So the Plugin Firewall and Plugin Firewall AutoPilot Mode are working correctly. Not sure why it was not working before unless maybe the AutoPilot Mode Cron had not run yet. The default Cron frequency is to check and automatically create new Plugin Firewall whitelist rules every 15 minutes. You can change that Cron frequency setting to 1, 5, or 10 minutes to shorten the time between AutoPilot Mode Cron checks.
AITpro Admin (Keymaster):
Ok your website is currently under a massive brute force attack. That would explain the delay in Plugin Firewall AutoPilot Mode not creating the whitelist rules right away. When a website is under a massive brute force attack and you have the BPS Pro plugin installed, you and your visitors will not notice any difference in website performance, but things like AutoPilot Mode are going to be adversely affected temporarily. Brute force attacks can last minutes to days. You do not need to do anything since BPS Pro is already handling the brute force attack. Your website is safe and there is nothing further that needs to be done and you don’t need to worry about this at all.
AITpro Admin (Keymaster):
I put the Plugin Firewall in Test Mode to speed up Plugin Firewall AutoPilot Mode whitelist rule creation and it is working fine even though your site is being attacked right now.
webstar (Participant):
So, how do you know it’s under attack? Is it just based on the attempts of logins to wp-login.php? Because, yes, I see a ton of log entries for that.
AITpro Admin (Keymaster):
Well the brute force attack is not as big as I thought. Yep, you can tell your site is under a brute force attack by checking the BPS Security Log. When you see several Security Log entries being logged every second continuously then yep a brute force bot attack is occurring on your website. The bots are hitting your Login page and your xml-rpc.php file continuously.
Ok the 3 problems are fixed and I found 1 other issue, which is your wp-config.php file was quarantined, but I checked the wp-config.php file in Quarantine and did not see any differences in the code in the file. I assume you were manually editing your wp-config.php file or maybe another plugin or your theme was adding or removing code or just doing a flush. If you were manually editing your wp-config.php file then you can use the AutoRestore|Quarantine Standard Procedural Steps when manually modifying files method > http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#procedural-steps or just Restore files in Quarantine after you edit them manually.
I will post the forum links to the fixes I did with additional help info in a minute.
AITpro Admin (Keymaster):
1. The Plugin Firewall is blocking plugin .js scripts and AutoPilot Mode is not automatically whitelisting those .js scripts.
Solution: No solution needed. Most likely since the site is currently undergoing a significant brute force attack then Plugin Firewall AutoPilot Mode may have been temporarily impacted. Plugin Firewall AutoPilot Mode is automatically creating new whitelist rules successfully. Note: I turned On Plugin Firewall Test Mode to speed up the process of adding any new additional Plugin Firewall whitelist rules.
2. It appears that you are using the BPS POST Attack Bonus Custom Code and need to add an additional whitelist rule for this Query String: wc-ajax=get_refreshed_fragments
Solution: Added the 2 new Query String whitelist rules (in bold font below) in your existing BPS POST Attack Protection Bonus Custom Code and moved the POST Attack Protection code into this Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START.
Forum Solution Reference Link: https://forum.ait-pro.com/forums/topic/whitelist-monarch-plugin/#post-37359
    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist WP JSON POST Requests by Query String
    RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Jetpack JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    # Whitelist WooCommerce POST Request to Root URI by Query String
    RewriteCond %{QUERY_STRING} !^wc-ajax=(.*) [NC]
    # Whitelist WooCommerce POST Request to Root URI by Query String
    RewriteCond %{QUERY_STRING} !^wc-api=(.*) [NC]
    RewriteRule ^(.*)$ - [F]
3. You need to add a wp-admin htaccess file whitelist rule for the WP admin-ajax.php file and/or this Query String: action=quick_preivew
Solution: Added an admin-ajax.php file skip rule in BPS wp-admin Custom Code.
Forum Solution Reference Link: https://forum.ait-pro.com/forums/topic/nextgen-gallery-pro-post-request-blocked/#post-35621
webstar (Participant):
So, I noticed the quarantine as well, after the theme developer logged in a day or two ago. I forgot to tell him about BPS Pro.
I just restored the file because I figured he didn’t know about it and made a change to the file.
As for the brute force attack, it does seem big. The security log file has over 900 requests for the wp-login.php file from late this morning and it’s increased another 120k just from reading your last message!
I had copied the log and then deleted it because I noticed it was increasing in size so fast.
Feature Request? Maybe you could add a limit size to the log, that the user can set, so that in cases like this the file size doesn’t get too big.
AITpro Admin (Keymaster):
Yep, the attack on your site is fairly big, but sometimes our forum site gets attacked for days at a rate of 1,000 attacks per second. Luckily the way we have designed BPS Pro, it deflects all attacks instead of creating any significant resource usage for your server/website. In other words, everything functions and performs as if the attack were not occurring at all.
That feature has already been added to the Security Log. 😉 You don’t need to do anything with the Security Log. When the Security Log reaches the size setting that you have chosen or the default size setting then it will be automatically zipped, emailed to you and replaced with a new blank Security Log file.
webstar (Participant):
Thanks for making the changes.
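Added example, not part of the thread and not BPS Pro code: a small Python model of the POST Request Attack Protection rule set posted under solution 2, for checking which POST requests would get a 403 with and without the two WooCommerce Query String conditions at the end of that rule set (assumed here to be the two rules added in solution 2). It assumes these conditions are the only rewrite rules evaluated; the sample requests and the example-plugin path are constructed.

```python
import re
from urllib.parse import urlsplit

# Negated RewriteCond patterns from the thread; matching any one skips [F].
BASE_WHITELIST = [
    ("REQUEST_URI", r"^.*/wp-admin/"),
    ("REQUEST_URI", r"^.*/wp-cron.php"),
    ("REQUEST_URI", r"^.*/wp-login.php"),
    ("QUERY_STRING", r"^_locale=(.*)"),
    ("HTTP_REFERER", r"^.*/wp-admin/customize.php"),
    ("REQUEST_URI", r"^.*/xmlrpc.php"),
    ("REQUEST_URI", r"^.*/wp-json/jetpack/(.*)"),
    ("REQUEST_URI", r"^.*/wp-signup.php"),
    ("REQUEST_URI", r"^.*/wp-activate.php"),
    ("REQUEST_URI", r"^.*/wp-trackback.php"),
    ("REQUEST_URI", r"^.*/wp-comments-post.php"),
    ("REQUEST_URI", r"^.*/star-rating-calculator.php"),
    ("REQUEST_URI", r"^.*/contact/"),
    ("REQUEST_URI", r"^.*/ipn_handler.php"),
]
# The two WooCommerce Query String conditions (assumed added in solution 2).
WOOCOMMERCE_RULES = [
    ("QUERY_STRING", r"^wc-ajax=(.*)"),
    ("QUERY_STRING", r"^wc-api=(.*)"),
]

def is_blocked(method, url, whitelist, referer=""):
    """True if the chain would reach RewriteRule ^(.*)$ - [F] (HTTP 403)."""
    if not re.search("POST", method, re.I):  # REQUEST_METHOD POST [NC]
        return False
    parts = urlsplit(url)
    env = {"REQUEST_URI": parts.path, "QUERY_STRING": parts.query,
           "HTTP_REFERER": referer}
    return not any(re.search(p, env[var], re.I) for var, p in whitelist)

# Constructed sample requests; the example-plugin path is hypothetical.
SAMPLES = [
    ("POST", "/?wc-ajax=get_refreshed_fragments"),
    ("POST", "/wp-login.php"),
    ("POST", "/wp-content/plugins/example-plugin/upload.php"),
    ("GET", "/?wc-ajax=get_refreshed_fragments"),
]

def compare(samples=SAMPLES):
    """Return (method, url, blocked_before, blocked_after) per sample."""
    after = BASE_WHITELIST + WOOCOMMERCE_RULES
    return [(m, u, is_blocked(m, u, BASE_WHITELIST), is_blocked(m, u, after))
            for m, u in samples]

if __name__ == "__main__":
    print(*compare(), sep="\n")
```

Only the first sample changes state: the WooCommerce fragment refresh POST is forbidden without the two conditions and passes with them, while the POST to an unlisted script stays forbidden either way.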