Sucuri – BPS Security Logging no longer works


Viewing 15 posts - 1 through 15 (of 16 total)
  • #32597
    Johnny
    Participant

    Okay, so I’ve had some issues with BulletProof Security Free version. My website runs Wordfence Security (Free), Sucuri Security (Free), and uses W3TC with Cloudflare to enable Flexible SSL and caching. All these were installed before BulletProof Security was added.

    When I initially installed BulletProof Security, everything seemed fine. However, then I went to Sucuri Security and purged all error logs (amongst them also BulletProof’s Security Log):

    • /wp-content/plugins/bulletproof-security/admin/htaccess/http_error_log.txt

    When I went back to BP, it told me that there is no Security Log. So I tried to re-run the Setup Wizard and it gave me the following error:

    • http_error_log.txt cannot be edited or updated

    So then I tried to create the file manually through my host provider. This worked, and eliminated the error, but the file was completely blank. So I deleted BP security, and re-installed it. Now the file has this written in it:

    BPS SECURITY LOG
    =================
    =================

    But again there are no logs in it. When I access from a different browser and with another IP a forbidden area like:
    www.example.com/.htaccess
    or
    www.example.com/index.php?sql

    etc.

    None of these lead to any recordings, even though I do get the “Forbidden 403” error page. I even tried it while disabling both Wordfence and Sucuri (though still using W3TC + Cloudflare), and still no recordings… What’s going on here and how can I test the Security Log? Thank you, much appreciated in advance!

    #32598
    AITpro Admin
    Keymaster

    The problem is caused by the Sucuri Restrict wp-content access Hardening Option, which breaks BPS Security Logging & probably other things in BPS and other plugins as well.  To fix the problem you need to turn off the Sucuri Restrict wp-content access Hardening option setting by clicking the Revert Hardening button.

    #32601
    Johnny
    Participant

    Perfect, it does work now! Thank you very much! 🙂

    #32602
    AITpro Admin
    Keymaster

    Great!  In BPS .54.6 and BPS Pro 12.8 we have added a new Dismiss Notice check for this known problem.  😉  It had been a while since we tested the Sucuri plugin and we already had a check for this known problem, but Sucuri had changed some things in their plugin so that the BPS check for this problem no longer worked.

    Change: Sucuri plugin Restrict wp-content access Hardening Option Dismiss Notice conditional check changed to match newer Sucuri htaccess file changes.

    Note: The Sucuri plugin does have some limited whitelisting capability for their wp-content htaccess code and file, but unfortunately you can only whitelist single files and not folders. So basically the Sucuri whitelisting tools for the Restrict wp-content access Hardening feature will not work for most cases since what is needed is the capability to whitelist entire folders and not single files. Example whitelist rule for folder: /wp-content/plugins/bulletproof-security/

    #32609
    Johnny
    Participant

    Related to this, it seems that when Sucuri does its hardening to remove error logs, it will also remove BP’s security logs, and it removes both of them (both the actual one, and the copy). How can I reinstate them after this happens? The problem is that I cannot press “delete” on the BP Security log page since Sucuri has deleted the blank log that was meant to be placed in its place, located here:

     /wp-content/plugins/bulletproof-security/admin/htaccess/http_error_log.txt 

    So basically both that blank log, and this one here:

     /wp-content/bps-backup/logs/http_error_log.txt 

    are deleted. If I run Setup Wizard again, I’ll get this error:

     Error: Unable to create or update File /wp-content/bps-backup/logs/http_error_log.txt 

    So what’s the best remedy for this? Should I manually insert a text file log entitled http_error_log.txt in the BP plugin folder, then press delete in the BP Security Log interface, and have that one copied over? Also, is there any way to let Sucuri delete the other error logs, but keep BP’s? The reason I’m asking is that some of the other logs are accessible by GET requests like:

     www.example.com/error_log 

    Which is accessible, while I know that BP’s error logs aren’t accessible in the first place. If they weren’t accessible I wouldn’t bother with the Sucuri Error Log hardening in the first place. I guess they could be rendered inaccessible in BPS using .htaccess codes, but I wouldn’t know how to set it up myself, if you could direct me somewhere for this, if this is indeed the best solution.

    #32611
    AITpro Admin
    Keymaster

    Unzip the bulletproof-security.zip file on your computer.  Use FTP or your web host control panel file manager and upload this file: http_error_log.txt to this BPS plugin folder: /wp-content/plugins/bulletproof-security/admin/htaccess/http_error_log.txt.  Once you have done that the http_error_log.txt file should be automatically created by BPS in this folder:  /wp-content/bps-backup/logs/http_error_log.txt.

    We will do some additional testing with the Sucuri plugin to see what other problems it causes.  This statement is really bizarre regarding php error logs:  “PHP uses files named as bps_php_error.log to log errors found in the code, these files may leak sensitive information of your project allowing an attacker to find vulnerabilities in the code. You must use these files to fix any bug while using a development environment, and remove them in production mode.”  The reason it is so bizarre is that Sucuri are top notch security folks.  So the only logical explanation I can think of is the person who actually created the Sucuri plugin does not actually work for Sucuri.  Of course you should always have a php error log at all times whether your site is in Development or it is a Live Production site.  How else are you going to know about any php error issues or problems that are occurring on a website without a php error log?  Yes, you could check a server log, but most folks have no idea that server logs exist and have no idea where to find a server log and the php errors will not be logged in the same way.  Yes, someone could have a duplicate Development site and only have a PHP error log on the duplicate Development site, but how many average users actually have a duplicate Development site – probably less than 1%.  Very strange???

    Note:  The BPS Pro PHP error log is htaccess protected and cannot be accessed by anyone except for the website Administrator.

    In general, it seems like either the Sucuri plugin was never fully completed or the effort put into the plugin was minimal or the person who created the plugin did not factor in all the potential problems the Sucuri plugin can cause for all other plugins without providing sufficient whitelisting tools/options/settings – lack of experience or knowledge – just plain strange in my opinion considering who Sucuri is.

    #32612
    AITpro Admin
    Keymaster

    Additional Sucuri plugin testing was done.  I did not find the setting or feature in Sucuri that deleted the BPS Security Log file.  The only other non-issue/non-problem that I found was this below.

    Non-Problem: Sucuri Protect uploads directory Hardening Option: Adds additional Sucuri htaccess code in the BPS Pro Uploads Anti-Exploit Guard (UAEG) htaccess file.
    Solution: None needed. The Sucuri Protect uploads directory Hardening Option can be used with BPS Pro UAEG, but the Sucuri htaccess code is redundant to the existing BPS Pro UAEG htaccess code, which already does the same thing. BPS Pro UAEG whitelisting capabilities/code will also work for the additional Sucuri Protect uploads directory htaccess code that is added in the existing BPS Pro UAEG htaccess file.

    #32613
    Johnny
    Participant

    Yes. It also works if I just insert a text file straight into there named “http_error_log” (no need for downloading and unzipping on computer).

    Regarding Sucuri – it seems that it also has a login security feature (as you do) and it may interfere with yours, however there’s no way to disable it. Yours and Wordfence’s can be disabled. Although if all three run, it seems that yours over-runs all the others (for ex. if “Don’t let WordPress reveal valid users in login errors” is checked in Wordfence, and set your Error Message as “Standard WP Login Errors” is checked in BPS, then it will not hide valid users), however, it does produce some errors if run in combination. For example, the most obvious one is that sometimes it shows the number of login attempts left until being locked out as 0 when making an error while logging in, even though the max-login number is set to 3. Other times it doesn’t show it at all. To be honest it seems to me yours is the most compact out of the three for Login Security – Wordfence especially has many features of which I don’t see the point (for ex “Prevent users registering ‘admin’ username if it doesn’t exist” seems useless ).

    #32615
    Johnny
    Participant

    “Additional Sucuri plugin testing was done. I did not find the setting or feature in Sucuri that deleted the BPS Security Log file”

    For me, it’s the last one in the “Hardening” Tab, called “Error Logs”. It deletes, amongst others, these following error logs:

    /error_log
    /wp-content/bps-backup/logs/http_error_log.txt
    /wp-content/plugins/bulletproof-security/admin/htaccess/http_error_log.txt

    #32616
    AITpro Admin
    Keymaster

    Yep, you are spot on about BPS Login Security – we don’t do anything that is unnecessary and only focus on what is important.  Why in the heck would you want to check if a username is not valid.  Why?  Because the only way someone can login to a website is if a valid username is used.  So there is no point in wasting your website and server resources on performing a “useless” check like that.  It was probably created because so many people asked for that type of feature.  We call that a “gimmick” feature since it has zero value and actually causes unnecessary resource and memory usage.

    In general, WordPress Login processing should only be handled by 1 plugin or plugin feature.  WordPress Login processing is a completely different type of animal vs all other WordPress functionality.  WordPress provides Hooks > Actions and Filters to hook into WordPress functionality.  Most WP Hooks can be used by many plugins simultaneously without any problems.  That is not the case with WordPress Login page processing.  1 plugin or plugin feature that handles Login processing using the WordPress Login processing Hooks will ALWAYS override any other plugin’s Hooks that are trying to use that same Login Hook.  That is just what is about WP Login processing.  So the solution is to choose which plugin or plugin feature you want to use for Login processing and turn off Login processing in any other plugin that is trying to do the same thing.

    #32617
    AITpro Admin
    Keymaster

    Ah ok yeah I was unable to test that because when I enable:  FS Scanner, Error log files on the Sucuri settings page my site continues to hang and crash.  I am testing on a XAMPP Developer site and looking at the Sucuri file scanning code I see the reason why the site is hanging and crashing > the SPL iterator is trying to iterate beyond files in the site I am testing and is trying to recursively scan 100 other Development sites under the XAMPP installation, which probably contains over 100,000 files.  Not gonna happen.  😉

    And obviously you do not want to enable/use the Sucuri Error Logs Hardening option.  I have no idea what the person was thinking that created that option, but it could not be more incorrect/fubar. 😉

    I have a lot of respect for Sucuri, but whoever created this plugin needs to complete/finish it.  It is great to have so many options in a plugin, but horrible to create options without sufficient whitelisting capability and Turn On and Off option settings. 😉

    #32622
    Johnny
    Participant

    “So the solution is to choose which plugin or plugin feature you want to use for Login processing and turn off Login processing in any other plugin that is trying to do the same thing”

    Yes, this is exactly what I ended up doing. I disabled WF login security, and left BPS (well Sucuri too, although it’s a strange one… the only mention of it is in “Settings” Tab, “Alerts” sub-tab where you have an option to tell it how many failed logins per hour is considered a Brute force attack… although it’s not clear if that’s just to decide alerts, or to ban IPs, and there’s no way to turn it off).

    “And obviously you do not want to enable/use the Sucuri Error Logs Hardening option. I have no idea what the person was thinking that created that option, but it could not be more incorrect/fubar”

    This one isn’t actually “enabled” and then it’s on. It’s basically just a “delete logs” button. Then the logs can just be recreated, and then you need to press it again if you want to get rid of them.

    And by the way, since I’m checking the logs:

     filesize(): stat failed for /wp-content/bps-backup/logs/http_error_log.txt in /wp-content/plugins/bulletproof-security/includes/zip-email-cron-functions.php on line 53 and line 64 

    It seems that the command to check the size of the http_error_log.txt file so that it gets deleted when it reaches over 500KB doesn’t work on mine… any idea why this could be?

    #32623
    AITpro Admin
    Keymaster

    That PHP error is caused by one of these 3 things:
    1. The file or folder does not exist.
    2. The permissions of the folder where the file is or the file permissions of the file are set too restrictive.
    3. The Script Owner User ID (UID) and the File Owner User ID for the: /wp-content/bps-backup/ folder do not match/are not the same.

    The folder permissions for this folder should be either 755 or 705:  /wp-content/bps-backup/logs/
    The file permissions for this file should be 644 or 604:  /wp-content/bps-backup/logs/http_error_log.txt
    All folders under your website should have the same Script Owner User ID (UID) and the File Owner User ID.

    You can check folder permissions and Script Owner User ID (UID) and the File Owner User ID on the BPS Pro System Info page.

    And of course a 4th cause:  If the Sucuri Restrict wp-content access Hardening Option is still enabled or the Sucuri htaccess file here:  /wp-content/.htaccess was not actually really deleted and still exists.  If the Sucuri wp-content folder .htaccess file still actually exists you will need to manually delete it using FTP or your web host control panel file manager.  It is possible that the Sucuri Revert hardening button does not actually really work. 😉
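
The four causes listed in the reply above can be checked from a shell on the host. This is an added example, not part of the original post and not BPS or Sucuri code; it assumes shell access as the same account PHP runs as, and the site root passed to `check_bps_log` is a placeholder.

```shell
#!/bin/sh
# Added example: checks the four causes of the filesize() stat failure.
# Assumption: run as the same account that PHP runs as on the host.

# Print "<octal mode> <owner UID>" (GNU/busybox stat, BSD stat as fallback).
mode_uid() {
  stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# check_path PATH MODE_A MODE_B
# Cause 1 (missing), cause 2 (permissions), cause 3 (owner UID mismatch).
check_path() {
  if [ ! -e "$1" ]; then
    echo "MISSING $1"
    return 0
  fi
  set -- "$1" "$2" "$3" $(mode_uid "$1")   # $4 = mode, $5 = owner UID
  if [ "$4" != "$2" ] && [ "$4" != "$3" ]; then
    echo "PERMS $1 is $4, expected $2 or $3"
  fi
  if [ "$5" != "$(id -u)" ]; then
    echo "OWNER $1 has UID $5, script UID is $(id -u)"
  fi
}

# check_bps_log WP_ROOT: prints one finding per line, returns 1 if any.
check_bps_log() {
  bps_root=$1
  bps_out=$(
    check_path "$bps_root/wp-content/bps-backup/logs" 755 705
    check_path "$bps_root/wp-content/bps-backup/logs/http_error_log.txt" 644 604
    # Cause 4: the wp-content hardening .htaccess was not really removed.
    if [ -f "$bps_root/wp-content/.htaccess" ]; then
      echo "HTACCESS $bps_root/wp-content/.htaccess still exists"
    fi
  )
  [ -z "$bps_out" ] && return 0
  printf '%s\n' "$bps_out"
  return 1
}

# Usage (placeholder path): check_bps_log /path/to/site
```
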

    #32626
    Johnny
    Participant

    Okay so I had a quick check.

    1. Both files exist.

    2. File permissions are fine

    /wp-content/bps-backup/logs/ has 755 chmod
    /wp-content/bps-backup/logs/http_error_log.txt has chmod 644

    3. I don’t know how to check Script Owner User ID and File Owner User ID in cpanel, but I checked on the Systems Info page, and they are the same.

    It seems that the log entry may have been from when there was no file there earlier today. The server has a different time than my computer so hard to say. But I’ll wait to see if anymore additional errors show up.

    Thank you very much, and I’ll let you know if I have any other queries, or I find any other problems! 🙂

    #32627
    Johnny
    Participant

    lol – checked the 4th one too, no .htaccess file present in /wp-content
