Stats plugin – admin @ 2x.php file, @2x images, Retina, Responsive
Tagged: @2x images, admin@2x.php, Responsive, Retina, Stats plugin
- This topic has 43 replies, 6 voices, and was last updated 8 years, 1 month ago by AITpro Admin.
AITpro Admin (Keymaster)
UPDATE: The solution is here: http://forum.ait-pro.com/forums/topic/problem-maybe-with-displaying-stats-in-admin-bar/page/3/#post-26494
Next try this: Put a # sign in this Custom Code text box: CUSTOM CODE WP-ADMIN/INCLUDES and do all of the Custom Code steps and test. If the problem is still occurring put a # sign in this Custom Code text box: CUSTOM CODE REQUEST METHODS FILTERED and do all of the Custom Code steps and test.

impart (Participant)
No. 1 does nothing, no 2 custom code request…. fixes it

AITpro Admin (Keymaster)
Well I’ll be damned. Ok what is probably occurring is that a HEAD Request is being made during the image retrieval process. Do these steps below and remove/delete the testing/troubleshooting # sign in this Custom Code text box: CUSTOM CODE WP-ADMIN/INCLUDES and delete the modified testing/troubleshooting BPS Query String Exploits code in this Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS.
1. Copy this modified REQUEST METHODS FILTERED .htaccess code below to this BPS Custom Code text box CUSTOM CODE REQUEST METHODS FILTERED: Whitelist User Agents or remove HEAD here
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

BPS Pro 11.6+ & BPS free .53.2+
You may see this code or the 11.5+/.53.1+ code in your root htaccess file. The code does the same exact thing and is whitelisted in the same exact way.

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

BPS Pro 11.5+ & BPS free .53.1+

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ - [R=405,L]

BPS Pro 11.4|BPS free .53 and lower versions

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and
# remove/delete HEAD| from the Request Method filter.
# Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
# The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]

impart (Participant)
Yes, it seems that this fixed it.
So now everything is a complete mess here, as I was pretty upset because I am fucked (not about you, your support is great): I didn’t do a backup before starting with you here. From my point of view the following should be possible now. Anything against it? I did save the original .htaccess on a terminal. So I would now. Or do you think it would be better to put the custom codes back, save, then create a new .htaccess and then re-activate W3TC? I don’t want to break this thing now…
- Reactivate W3TC
- Copy back my original htaccess
- Put your REQUEST code directly into it (in the file)
- Then go to custom code and put your REQUEST code, my old BPS QUERY code and the W3TC back and save it for a later use
- I wouldn’t create and activate bulletproof then as I have my old .htaccess

AITpro Admin (Keymaster)
You are thinking too much. 😉 Keep it simple. You only need to do one thing and that is to add W3TC htaccess code back to BPS Custom Code by doing these steps below. The REQUEST METHODS FILTERED modified/customized Custom Code is already saved permanently and you do not need to do anything else with that code.
1. Go to F-Lock and unlock both your Root .htaccess file and your wp-config.php file.
2. Activate W3TC. W3TC will create new htaccess code in your root htaccess file automatically (at the bottom of the file).
3. Copy the W3TC .htaccess code from your root htaccess file to this BPS Pro Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE.
4. Click the Save Root Custom Code button.
5. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
6. Go to F-Lock and lock your Root .htaccess file and turn off checking for the wp-config.php file and instead leave it unlocked.

impart (Participant)
Ok, thank you for fixing that issue with me! Great!

AITpro Admin (Keymaster)
Oh it looks like you did customize your BPS Query String Exploits code so I am sure there is a forum topic somewhere with that customization or you can just copy the standard BPS Query String Exploits code from your root htaccess file and comment out these 5 lines of code after you copy it to BPS Custom Code.

#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
#RewriteCond %{QUERY_STRING} http\: [NC,OR]
#RewriteCond %{QUERY_STRING} https\: [NC,OR]

impart (Participant)
I saved the BPS Query Strings before so that works already, thanks!

Matt Zahy (Participant)
[Topic has been merged into this relevant Topic]
Hi, I am getting a big amount of BFHS-HEAD – HEAD Request Blocked in my security log – mainly pictures from my website (I tried it from a different IP and it does the same).

[405 HEAD Request: February 16, 2016 1:42 pm]
Event Code: BFHS-HEAD - HEAD Request Blocked
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 80.x.x.x
Host Name: xxxx
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: HEAD
HTTP_REFERER: http://xx.xx/
REQUEST_URI: /wp-content/uploads/2016/01/oculus_logo_x1@2x.png
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36

I was trying some solutions from the forum, for example adding Whitelist User Agents and allow HEAD Requests:

RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ - [R=405,L]

but nothing helped. The problem is that opening the site produces a huge amount of these logs since I am using a one-page portfolio theme. I am not sure if it's OK. Lately my provider even locked my IP for too many attempts to log into the site (I am not sure if it's connected or not). Can you give me some advice?
thanks
Matt

AITpro Admin (Keymaster)
@ Matt Zahy – this is a confirmed solution: http://forum.ait-pro.com/forums/topic/problem-maybe-with-displaying-stats-in-admin-bar/page/3/#post-26494 so make sure you are doing all the Custom Code steps correctly. If that still does not solve the problem then maybe this is some sort of new unusual problem. Let me know what happens.

Matt Zahy (Participant)
Hi,
thanks a lot for the quick answer. It worked for me too.
Matt

AITpro Admin (Keymaster)
@ Matt Zahy – Thanks for confirming this fix still works since things change constantly in the “coding world”. 😉

Haiko Nieuwoudt (Participant)
[Topic has been merged into this relevant Topic]
Thanks a lot for the help, this is really an awesome plugin! I will send them the info. Now I am having issues with my Photo Gallery plugin on the same site – it seems that the plugin is making HEAD and POST requests and then BPS is blocking it. I don’t fully understand the steps to whitelist a plugin. I have copied the REQUEST METHODS FILTERED code from this topic: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
But it still isn’t working. This is the security log for whenever I try to load a page with that plugin on it:

[405 HEAD Request: August 23, 2016 6:51 am]
Event Code: BFHS-HEAD - HEAD Request Blocked
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 41.190.105.3
Host Name: 41.190.105.3
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: HEAD
HTTP_REFERER: http://www.xxxxx.com/
REQUEST_URI: /wp-content/uploads/2015/12/Gallery2@2x.jpg
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

The page then also displays empty.
Also, I tried adding custom code to whitelist the plugin to see if that helped, after which I got a 500 server error on the site. So I probably typed something incorrectly. So I deleted the htaccess files to get back in, but now I can’t reactivate the plugin firewall. So I tried running the pre-installation wizard again, and I see this error:
htaccess Files Disabled: Existing BPS htaccess files have been deleted and new BPS htaccess files will not be created. All BPS htaccess features are disabled.
How do I get the htaccess files back?

AITpro Admin (Keymaster)
@ Haiko – Make sure you are doing all of these Custom Code steps correctly: http://forum.ait-pro.com/forums/topic/problem-maybe-with-displaying-stats-in-admin-bar/page/3/#post-26494 Also it is possible that the other problem you have with the Server Document Root variable value being incorrect on your server/website could also be breaking Custom Code as well as other things: http://forum.ait-pro.com/forums/topic/php-error-file_exists-open_basedir-restriction-in-effect-on-htaccess-prevents-setup-wizard/
To enable htaccess files > go to the Setup Wizard Options page > Enable|Disable htaccess Files option > Select htaccess Files Enabled.
Important Note: Since your hosting account and/or server and several of your websites were hacked prior to installing BPS Pro then it is possible that the Server Document Root variable value being incorrect on your server/website and any other problems are being caused by hacker code or scripts in your hosting account somewhere or your hosting server itself could be compromised/hacked.
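
Added example, not part of the original thread and not BPS code: a Python parser for Security Log entries in the layout quoted in the posts above. It tallies BFHS-HEAD events by requested file, so you can confirm that the blocked HEAD requests really are all for @2x image variants before allowing HEAD in REQUEST METHODS FILTERED. The function names, the image extension list and the sample entries (documentation addresses, example.com) are constructed for illustration, and only the `[405 HEAD Request: ...]` entry form shown in this thread is handled.

```python
import re
from collections import Counter

# Field labels, in the order they appear in the entries quoted in this thread.
LABELS = ["Event Code", "Solution", "REMOTE_ADDR", "Host Name", "SERVER_PROTOCOL",
          "HTTP_CLIENT_IP", "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR",
          "HTTP_X_CLUSTER_CLIENT_IP", "REQUEST_METHOD", "HTTP_REFERER",
          "REQUEST_URI", "QUERY_STRING", "HTTP_USER_AGENT"]
HEADER = r"\[(\d{3}) ([^\]:]+): ([^\]]+)\]"
# One ordered pattern: matches whether fields sit one per line or run together.
ENTRY = re.compile(
    HEADER + "".join(rf"\s*{re.escape(lab)}:\s*(.*?)" for lab in LABELS) + r"\s*$", re.S)
RETINA = re.compile(r"@2x\.(png|jpe?g|gif|webp)$", re.I)  # assumed image extensions

def parse_log(text):
    """Return one dict per log entry found in pasted Security Log text."""
    entries = []
    for chunk in re.split(r"(?=\[\d{3} [^\]]+\])", text):
        m = ENTRY.match(chunk.strip())
        if m:  # chunks that do not follow the quoted layout are skipped
            entries.append(dict(zip(["status", "type", "time"] + LABELS, m.groups())))
    return entries

def summarize_head_blocks(entries):
    """Tally BFHS-HEAD events, separating @2x image requests from the rest."""
    head = [e for e in entries if e["Event Code"].startswith("BFHS-HEAD")]
    retina = Counter(e["REQUEST_URI"] for e in head if RETINA.search(e["REQUEST_URI"]))
    other = Counter(e["REQUEST_URI"] for e in head if not RETINA.search(e["REQUEST_URI"]))
    # Header values are client-supplied: use them for triage, not as trusted facts.
    return {"blocked_head": len(head), "retina_probes": retina, "other": other,
            "only_retina": bool(head) and not other}

def _sample_entry(uri, agent, sep):
    """Build a constructed entry; sep=' ' mimics a run-together paste."""
    vals = ["BFHS-HEAD - HEAD Request Blocked",
            "http://forum.ait-pro.com/forums/topic/security-log-event-codes/",
            "203.0.113.7", "host.example", "HTTP/1.1", "", "", "", "", "HEAD",
            "http://example.com/", uri, "", agent]
    body = sep.join(f"{lab}: {val}".rstrip() for lab, val in zip(LABELS, vals))
    return "[405 HEAD Request: February 16, 2016 1:42 pm]" + sep + body

SAMPLE = "\n".join([  # constructed data, not real log lines
    _sample_entry("/wp-content/uploads/2016/01/logo@2x.png", "Mozilla/5.0 (constructed)", " "),
    _sample_entry("/wp-content/uploads/2016/01/logo@2x.png", "Mozilla/5.0 (constructed)", "\n"),
    _sample_entry("/wp-content/uploads/2015/12/Gallery2@2x.jpg", "Mozilla/5.0 (constructed)", "\n"),
    _sample_entry("/", "ExampleMonitor/1.0 (constructed)", " "),
])
if __name__ == "__main__":
    print(summarize_head_blocks(parse_log(SAMPLE)))
```

If `only_retina` is false, review the URIs under `other` before commenting out the HEAD rule, since that change allows HEAD for every path on the site.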