Plugin Firewall Whitelist Rules not being added


This topic contains 16 replies, has 2 voices, and was last updated by  webstar 2 months, 3 weeks ago.

Viewing 15 posts - 1 through 15 (of 17 total)
    #37702

    webstar
    Participant

    Hi,

    I noticed that my plugin firewall rules are not being added anymore. In fact it’s blank now. It’s on AutoPilot mode and I have 15 plugins installed.

    I’m pretty sure it had rules before.

    I’ve already run the Pre-Installation and Setup, and it still shows up empty in the rules.

    Can you help debug the issue?

    Thanks.

    #37703

    AITpro Admin
    Keymaster

    Not all websites will require Plugin Firewall whitelist rules depending on how things are set up on a website.  Are you seeing Security Log entries that show frontloading plugin .js script 403 errors?  Are you using a .js minifying/compressing and/or combining plugin?  Post a link/URL to your website so I can take a look at the frontend of the website for issues/problems.  If you do not want to post a link/URL to your website in this forum then send the link/URL to your website to email address:  info at ait-pro dot com.

    #37704

    webstar
    Participant

    I’m going to send you an email. Writing it up right now. Thanks.

    #37705

    webstar
    Participant

    I sent you an email just now with all the info and some of the debugging I’ve done.

    #37706

    AITpro Admin
    Keymaster

    I found 3 problems:  It would be much faster for me to log in to this website and fix these problems instead of listing all of the steps in this forum topic for you to fix the problems.  I have sent you a direct email requesting WP Admin login credentials to this site.

    1. The Plugin Firewall is blocking plugin .js scripts and AutoPilot Mode is not automatically whitelisting those .js scripts.
    2. It appears that you are using the BPS POST Attack Bonus Custom Code and need to add an additional whitelist rule for this Query String:  wc-ajax=get_refreshed_fragments
    3. You need to add a wp-admin htaccess file whitelist rule for the WP admin-ajax.php file and/or this Query String:  action=quick_preivew

    #37707

    webstar
    Participant

    Sure, I’ll send you the login details. Thanks.

    Some plugin whitelist rules have finally appeared, but it didn’t include any of the issues you noted.

    #37708

    AITpro Admin
    Keymaster

    Yes, you are correct about the Plugin Firewall working correctly now.  I checked your site and am no longer seeing 403 errors for any frontloading plugin scripts.  So the Plugin Firewall and Plugin Firewall AutoPilot Mode are working correctly.  Not sure why it was not working before unless maybe the AutoPilot Mode Cron had not run yet.  The default Cron frequency is to check and automatically create new Plugin Firewall whitelist rules every 15 minutes.  You can change that Cron frequency setting to 1, 5, or 10 minutes to shorten the time between AutoPilot Mode Cron checks.

    #37709

    AITpro Admin
    Keymaster

    Ok your website is currently under a massive brute force attack.  That would explain the delay in Plugin Firewall AutoPilot Mode not creating the whitelist rules right away.  When a website is under a massive brute force attack and you have the BPS Pro plugin installed you and your visitors will not notice any difference in website performance, but things like AutoPilot Mode are going to be adversely affected temporarily.  Brute force attacks can last minutes to days.  You do not need to do anything since BPS Pro is already handling the brute force attack.  Your website is safe and there is nothing further that needs to be done and you don’t need to worry about this at all.

    #37710

    AITpro Admin
    Keymaster

    I put the Plugin Firewall in Test Mode to speed up Plugin Firewall AutoPilot Mode whitelist rule creation and it is working fine even though your site is being attacked right now.

    #37711

    webstar
    Participant

    So, how do you know it’s under attack? Is it just based on the attempts of logins to wp-login.php? Because, yes, I see a ton of log entries for that.

    #37712

    AITpro Admin
    Keymaster

    Well the brute force attack is not as big as I thought.  Yep, you can tell your site is under a brute force attack by checking the BPS Security Log.  When you see several Security Log entries being logged every second continuously then yep a brute force bot attack is occurring on your website.  The bots are hitting your Login page and your xml-rpc.php file continuously.

    Ok the 3 problems are fixed and I found 1 other issue, which is your wp-config.php file was quarantined, but I checked the wp-config.php file in Quarantine and did not see any differences in the code in the file.  I assume you were manually editing your wp-config.php file or maybe another plugin or your theme was adding or removing code or just doing a flush.  If you were manually editing your wp-config.php file then you can use the AutoRestore|Quarantine Standard Procedural Steps when manually modifying files method > http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#procedural-steps or just Restore files in Quarantine after you edit them manually.

    I will post the forum links to the fixes I did with additional help info in a minute.
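
The heuristic described in the post above (several log entries every second, continuously, against the login page and the XML-RPC file), sketched as an added example that is not part of the original post or of BPS Pro. It assumes Apache combined-format access log lines rather than the BPS Security Log format; the thresholds `min_per_sec` and `min_seconds` and all sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Endpoints named in the post: the login page and the XML-RPC file.
TARGETS = ("/wp-login.php", "/xmlrpc.php")
# Apache combined log format is an assumption; not the BPS Security Log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def per_second_hits(lines):
    """Count POSTs to the targeted endpoints per one-second bucket."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _ip, ts, method, uri, _status = m.groups()
        if method == "POST" and uri.split("?", 1)[0].endswith(TARGETS):
            hits[datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")] += 1
    return hits

def sustained_bursts(hits, min_per_sec=3, min_seconds=3):
    """Windows where each consecutive second has >= min_per_sec hits."""
    busy = sorted(t for t, n in hits.items() if n >= min_per_sec)
    windows, run = [], []
    for t in busy:
        if run and t - run[-1] != timedelta(seconds=1):
            if len(run) >= min_seconds:
                windows.append((run[0], run[-1]))
            run = []
        run.append(t)
    if len(run) >= min_seconds:
        windows.append((run[0], run[-1]))
    return windows

def build_sample():
    """Constructed log lines: four busy seconds, then normal traffic."""
    fmt = '{ip} - - [01/Jan/2024:12:00:{s:02d} +0000] "{req} HTTP/1.1" {st} 199 "-" "-"'
    lines = [fmt.format(ip=f"203.0.113.{i + 1}", s=s, st=403,
                        req="POST " + TARGETS[i % 2])
             for s in range(10, 14) for i in range(4)]
    lines.append(fmt.format(ip="198.51.100.7", s=30, st=200, req="POST /wp-login.php"))
    lines.append(fmt.format(ip="198.51.100.7", s=31, st=200, req="GET /shop/"))
    return lines

if __name__ == "__main__":
    for start, end in sustained_bursts(per_second_hits(build_sample())):
        print(f"sustained burst: {start} .. {end}")
```

A single login POST, like the one at 12:00:30 in the sample, never forms a window; only consecutive busy seconds do.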

    #37713

    AITpro Admin
    Keymaster

    1. The Plugin Firewall is blocking plugin .js scripts and AutoPilot Mode is not automatically whitelisting those .js scripts.

    Solution:  No solution needed. Most likely since the site is currently undergoing a significant brute force attack then Plugin Firewall AutoPilot Mode may have been temporarily impacted.  Plugin Firewall AutoPilot Mode is automatically creating new whitelist rules successfully.  Note:  I turned On Plugin Firewall Test Mode to speed up the process of adding any new additional Plugin Firewall whitelist rules.

    2. It appears that you are using the BPS POST Attack Bonus Custom Code and need to add an additional whitelist rule for this Query String:  wc-ajax=get_refreshed_fragments

    Solution:  Added the 2 new Query String whitelist rules (in bold font below) in your existing BPS POST Attack Protection Bonus Custom Code and moved the POST Attack Protection code into this Custom Code text box:  8. CUSTOM CODE WP REWRITE LOOP START.
    Forum Solution Reference Link:  https://forum.ait-pro.com/forums/topic/whitelist-monarch-plugin/#post-37359

    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist WP JSON POST Requests by Query String
    RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Jetpack JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    # Whitelist WooCommerce POST Request to Root URI by Query String
    RewriteCond %{QUERY_STRING} !^wc-ajax=(.*) [NC]
    # Whitelist WooCommerce POST Request to Root URI by Query String
    RewriteCond %{QUERY_STRING} !^wc-api=(.*) [NC]
    RewriteRule ^(.*)$ - [F]

    3. You need to add a wp-admin htaccess file whitelist rule for the WP admin-ajax.php file and/or this Query String:  action=quick_preivew

    Solution:  Added an admin-ajax.php file skip rule in BPS wp-admin Custom Code.
    Forum Solution Reference Link:  https://forum.ait-pro.com/forums/topic/nextgen-gallery-pro-post-request-blocked/#post-35621
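
How the POST Attack Protection conditions in the post above combine, modelled in Python as an added example (not code from the original post or from BPS Pro). The patterns are copied from the RewriteCond lines; `QUERY_ALLOW_BEFORE` assumes the two `wc-*` lines are the newly added rules, since the bold formatting did not survive, and the request cases are constructed.

```python
import re

# Patterns copied from the RewriteCond lines in the post above. Each condition
# is negated ("!") and mod_rewrite ANDs them, so a POST reaches
# "RewriteRule ^(.*)$ - [F]" (403) only when none of these patterns match.
URI_ALLOW = [
    r"^.*/wp-admin/", r"^.*/wp-cron.php", r"^.*/wp-login.php",
    r"^.*/xmlrpc.php", r"^.*/wp-json/jetpack/(.*)", r"^.*/wp-signup.php",
    r"^.*/wp-activate.php", r"^.*/wp-trackback.php",
    r"^.*/wp-comments-post.php", r"^.*/star-rating-calculator.php",
    r"^.*/contact/", r"^.*/ipn_handler.php",
]
REFERER_ALLOW = [r"^.*/wp-admin/customize.php"]
QUERY_ALLOW = [r"^_locale=(.*)", r"^wc-ajax=(.*)", r"^wc-api=(.*)"]
# Assumption: the two wc-* lines are the newly added rules (bold was lost).
QUERY_ALLOW_BEFORE = [r"^_locale=(.*)"]

def matches_any(patterns, value):
    # [NC] on every condition means case-insensitive matching.
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)

def is_forbidden(method, uri, query="", referer="", query_allow=QUERY_ALLOW):
    """True when this rule set would answer the request with 403."""
    if not re.search("POST", method, re.IGNORECASE):
        return False  # first RewriteCond fails, rule is skipped
    return not (matches_any(URI_ALLOW, uri)
                or matches_any(REFERER_ALLOW, referer)
                or matches_any(query_allow, query))

# Constructed requests: (method, URI path, query string).
CASES = [
    ("POST", "/", "wc-ajax=get_refreshed_fragments"),
    ("POST", "/", "lang=en&wc-ajax=get_refreshed_fragments"),
    ("POST", "/some-page/", ""),
    ("POST", "/wp-comments-post.php", ""),
    ("GET", "/some-page/", ""),
]

def verdicts(query_allow=QUERY_ALLOW):
    return [is_forbidden(m, u, q, query_allow=query_allow) for m, u, q in CASES]

if __name__ == "__main__":
    for case, before, after in zip(CASES, verdicts(QUERY_ALLOW_BEFORE), verdicts()):
        print(case, "403 before:", before, "403 after:", after)
```

The second case stays blocked after the fix because `^wc-ajax=` only matches when that parameter comes first in the query string, which is worth checking if 403 entries for WooCommerce requests keep appearing in the log.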

    #37714

    webstar
    Participant

    So, I noticed the quarantine as well, after the theme developer logged in a day or two ago. I forgot to tell him about BPS Pro.

    I just restored the file because I figured he didn’t know about it and made a change to the file.

    As for the brute force attack, it does seem big. The security log file has over 900 requests for the wp-login.php file from late this morning and it’s increased another 120k just from reading your last message!

    I had copied the log and then deleted it because I noticed it was increasing in size so fast.

    Feature Request? Maybe you could add a limit size to the log, that the user can set, so that in cases like this the file size doesn’t get too big.

    #37715

    AITpro Admin
    Keymaster

    Yep, the attack on your site is fairly big, but sometimes our forum site gets attacked for days at a rate of 1,000 attacks per second.  Luckily the way we have designed BPS Pro, it deflects all attacks instead of creating any significant resource usage for your server/website.  In other words, everything functions and performs as if the attack were not occurring at all.

    That feature has already been added to the Security Log. 😉  You don’t need to do anything with the Security Log.  When the Security Log reaches the size setting that you have chosen or the default size setting then it will be automatically zipped, emailed to you and replaced with a new blank Security Log file.

    #37716

    webstar
    Participant

    Thanks for making the changes.
