Popup Maker plugin being flagged with 403

Home Forums BulletProof Security Pro Popup Maker plugin being flagged with 403

This topic contains 2 replies, has 2 voices, and was last updated by  UPR 3 weeks ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #37785

    UPR
    Participant

    Hi guys,
    I’ve just upgraded to pro and have an issue with the popup maker plugin triggering a 403 pretty much every time someone opens a page on my site:

    [403 GET Request: 28th August 2019 - 3:37 pm]
    BPS Pro: 14
    WP: 5.2.2
    Event Code: UAEGWR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 45.63.19.241.vultr.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER: https://unplugrentals.com/vehicles/avan-aspire-555-db-ap-2019/
    REQUEST_URI: /wp-content/uploads/pum/pum-site-scripts.js?defer&generated=1566958975&ver=1.8.11
    QUERY_STRING: defer&generated=1566958975&ver=1.8.11
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

    I’ve tried to whitelist the file and the folder in the UAEG section (litespeed server) see below, but still being flagged.

    RewriteRule ^/uploads/pum/pum-site-scripts.js$ - [L]
    RewriteRule ^/uploads/pum/.$ - [L]

    Contacted the plugin maker asked if it may be better to put the script into the actual plugin-folder – his reply:

    So there are a couple issues:

    1. Putting it in our plugin folder means it needs to be regenerated every time you update our plugin, if that fails it will end up throwing 404s until it is regenerated.

    2. Some popup blockers block loading of assets from any site if the path contains /wp-content/popup-maker/assets/js/, so this is a way around that.

    3. Page builders do the same thing we do, something I’ve been curious about how they get around as I’ve never seen people complain about their page builders assets 403.

    We are looking for a proper long term solution, but loading them from our plugin folder isn’t the right one for the situation.

    Here is the link to the plugin-page: https://wppopupmaker.com/

    Can you guys advise what I should do here?

    Many thanks!
    Sascha

    #37788

    AITpro Admin
    Keymaster

    Advice if you want to pass it on to the Plugin Dev:  I think the optimum location for Plugins and Themes to use/create a folder for their additional scripts is directly under the /wp-content/ folder, which is what a lot of them do.  Example:  /wp-content/pum/.

    Your UAEG folder whitelist rule is not correct.  See the correct folder whitelist rule below and the additional steps required to whitelist the /uploads/pum/ folder.

    https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/

    To edit/customize your Uploads Anti-Exploit Guard (UAEG) .htaccess file go to the B-Core > htaccess File Editor tab page > “Your Current Uploads htaccess File” tab and do the steps below.
    1. Copy and paste your entire Uploads .htaccess file code from the “Your Current Uploads htaccess File” tab on the htaccess File Editor page into the CUSTOM CODE UAEG text box.
    2. Edit/modify/customize your UAEG htaccess code in the CUSTOM CODE UAEG text box.
    3. Click the Save UAEG Custom Code button to save your UAEG custom code.
    4. Go to the Security Modes page and click the UAEG BulletProof Mode Activate button.

    If you have a LiteSpeed server:
    To whitelist a folder: Remove/delete the # sign from infront of this line of code in your UAEG htaccess code and change the folder name to your actual folder name that you want to whitelist.

    Your actual pum folder whitelist rule with the # sign already removed.

    RewriteRule ^pum/.*$ - [L]

    If you have an Apache server (this step is not required if you have a LiteSpeed server):
    Delete the # signs in front of #Require env whitelist and #Allow from env=whitelist shown highlighted in yellow below in your UAEG code that you copied to CUSTOM CODE UAEG.

    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    <IfModule mod_authz_core.c>
    #Require env whitelist
    Require all denied
    </IfModule>
    
    <IfModule !mod_authz_core.c>
    <IfModule mod_access_compat.c>
    Order Allow,Deny
    #Allow from env=whitelist
    Deny from all
    </IfModule>
    </IfModule>
    </FilesMatch>
    #37814

    UPR
    Participant

    Thanks guys, this worked great! My apologies for the typo in the ReWrite rule!

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.