Plugin Firewall Whitelist Rules not being added

[webstar]

Hi,

I noticed that my plugin firewall rules are not being added anymore. In fact it’s blank now. It’s on AutoPilot mode and I have 15 plugins installed.

I’m pretty sure it had rules before.

I’ve already run the Pre-Installation and Setup, and it still shows up empty in the rules.

Can you help debug the issue?

Thanks.

[AITpro Admin]

Not all websites will require Plugin Firewall whitelist rules depending on how things are setup on a website.  Are you seeing Security Log entries that show frontloading plugin .js script 403 errors?  Are you using a .js minifying/compressing and/or combining plugin?  Post a link/URL to your website so I can take a look at the frontend of the website for issues/problems.  If you do not want to post a link/URL to your website in this forum then send the link/URL to your website to email address:  info at ait-pro dot com.

[webstar]

I’m going to send you an email. Writing it up right now. Thanks.

[webstar]

I sent you an email just now with all the info and some of the debugging I’ve done.

[AITpro Admin]

I found 3 problems:  It would be much faster for me to login to this website and fix these problems instead of listing all of the steps in this forum topic for you to fix the problems.  I have sent you a direct email requesting WP Admin login credentials to this site.

1. The Plugin Firewall is blocking plugin .js scripts and AutoPilot Mode is not automatically whitelisting those .js scripts.
2. It appears that you are using the BPS POST Attack Bonus Custom Code and need to add an additional whitelist rule for this Query String:  wc-ajax=get_refreshed_fragments
3. You need to add a wp-admin htaccess file whitelist rule for the WP admin-ajax.php file and/or this Query String:  action=quick_preivew

[webstar]

Sure, I’ll send you the login details. Thanks.

Some plugin whitelist rules have finally appeared, but, it didn’t include any of the issues you noted.

[AITpro Admin]

Yes, you are correct about the Plugin Firewall working correctly now.  I checked your site and am no longer seeing 403 errors for any frontloading plugin scripts.  So the Plugin Firewall and Plugin Firewall AutoPilot Mode are working correctly.  Not sure why it was not working before unless maybe the AutoPilot Mode Cron had not run yet.  The default Cron frequency is to check and automatically create new Plugin Firewall whitelist rules every 15 minutes.  You can change that Cron frequency setting to 1, 5, or 10 minutes to shorten the time between AutoPilot Mode Cron checks.

[AITpro Admin]

Ok your website is currently under a massive brute force attack.  That would explain the delay in Plugin Firewall AutoPilot Mode not creating the whitelist rules right away.  When a website is under a massive brute force attack and you have the BPS Pro plugin installed you and your visitors will not notice any difference in website performance, but things like AutoPilot Mode are going to be adversely affected temporarily.  Brute force attacks can last minutes to days.  You do not need to do anything since BPS Pro is already handling the brute force attack.  Your website is safe and there is nothing further that needs to be done and you don’t need to worry about this at all.

[AITpro Admin]

I put the Plugin Firewall in Test Mode to speed up Plugin Firewall AutoPilot Mode whitelist rule creation and it is working fine even though your site is being attacked right now.

[webstar]

So, how do you know it’s under attack? Is it just based on the attempts of logins to wp-login.php? Because, yes, I see a ton of log entries for that.

[AITpro Admin]

Well the brute force attack is not as big as I thought.  Yep, you can tell your site is under a brute force attack by checking the BPS Security Log.  When you see several Security Log entries being logged every second continuously then yep a brute force bot attack is occurring on your website.  The bots are hitting your Login page and your xml-rpc.php file continuously.

Ok the 3 problems are fixed and I found 1 other issue, which is your wp-config.php file was quarantined, but I checked the wp-config.php file in Quarantine and did not see any differences in the code in the file.  I assume you were manually editing your wp-config.php file or maybe another plugin or your theme was adding or removing code or just doing a flush.  If you were manually editing your wp-config.php file then you can use the AutoRestore|Quarantine Standard Procedural Steps when manually modifying files method > http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#procedural-steps or just Restore files in Quarantine after you edit them manually.

I will post the forum links to the fixes I did with additional help info in a minute.

[AITpro Admin]

1. The Plugin Firewall is blocking plugin .js scripts and AutoPilot Mode is not automatically whitelisting those .js scripts.

Solution:  No solution needed. Most likely since the site is currently undergoing a significant brute force attack then Plugin Firewall AutoPilot Mode may have temporarily impacted.  Plugin Firewall AutoPilot Mode is automatically creating new whitelist rules successfully.  Note:  I turned On Plugin Firewall Test Mode to speed up the process of adding any new additional Plugin Firewall whitelist rules.

2. It appears that you are using the BPS POST Attack Bonus Custom Code and need to add an additional whitelist rule for this Query String:  wc-ajax=get_refreshed_fragments

Solution:  Added the 2 new Query String whitelist rules (in bold font below) in your existing BPS POST Attack Protection Bonus Custom Code and moved the POST Attack Protection code into this Custom Code text box:  8. CUSTOM CODE WP REWRITE LOOP START.
Forum Solution Reference Link:  https://forum.ait-pro.com/forums/topic/whitelist-monarch-plugin/#post-37359

# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist WP JSON POST Requests by Query String
RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Jetpack JSON POST Request
RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Example 1: Whitelist Star Rating Calculator POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
# Whitelist WooCommerce POST Request to Root URI by Query String
RewriteCond %{QUERY_STRING} !^wc-ajax=(.*) [NC]
# Whitelist WooCommerce POST Request to Root URI by Query String
RewriteCond %{QUERY_STRING} !^wc-api=(.*) [NC]
RewriteRule ^(.*)$ - [F]

3. You need to add a wp-admin htaccess file whitelist rule for the WP admin-ajax.php file and/or this Query String:  action=quick_preivew

Solution:  Added a admin-ajax.php file skip rule in BPS wp-admin Custom Code.
Forum Solution Reference Link:  https://forum.ait-pro.com/forums/topic/nextgen-gallery-pro-post-request-blocked/#post-35621

[webstar]

So, I noticed the quarantine as well, after the theme developer logged in a day or two ago. I forgot to tell him about BPS Pro.

I just restored the file because I figured he didn’t know about it and made a change to the file.

As for the brute force attack, it does seem big. The security log file has over 900 requests for the wp-login.php file from late this morning and it’s increased another 120k just from reading your last message!

I had copied the log and then deleted it because I noticed it was increasing in size so fast.

Feature Request? Maybe you could add a limit size to the log, that the user can set, so that in cases like this the file size doesn’t get too big.

[AITpro Admin]

Yep, the attack on your site is fairly big, but sometimes our forum site gets attacked for days at a rate of 1,000 attacks per second.  Luckily the way we have designed BPS Pro, it deflects all attacks instead of creating any significant resource usage for your server/website.  In other words, everything functions and performs as if the attack were not occurring at all.

That feature has already been added to the Security Log. 😉  You don’t need to do anything with the Security Log.  When the Security Log reaches the size setting that you have chosen or the default size setting then it will be automatically zipped, emailed to you and replaced with a new blank Security Log file.

[webstar]

Thanks for making the changes.

[Author]

Posts