Random General Questions


Viewing 15 posts - 76 through 90 (of 350 total)
  • #23198
    AITpro Admin
    Keymaster

    I can take a look at the plugin probably in a day or so.  I’ll let you know what I find.

    #23199
    bill
    Participant

    That would be awesome… Can’t Thank You enough.

    #23200
    AITpro Admin
    Keymaster

    WordPress File Upload plugin testing:
    Tried to upload a php file: hacker-test-file.php and saw these error messages: Upload Failed. File not allowed.
    Renamed the php file with a jpg file extension: hacker-test-file.php.jpg and was able to upload the file. This is not a game changer, but an additional Regex filter should be added to this plugin to catch and prevent this type of exploit from being possible.

    By default the WordPress File Upload plugin uploads files to the WordPress /uploads folder. BPS Pro Uploads Anti-Exploit Guard (UAEG) protects the WordPress /uploads folder against this type of exploit (php files disguised as jpg image files). The hacker-test-file.php.jpg cannot be viewed, accessed or executed from a Browser and a 403 Forbidden error will be displayed.

    Summary: Overall the file upload form is secure, but the plugin author should be notified about adding an additional Regex filter in this plugin to prevent/disallow php files disguised as other file types from being uploaded. If you keep the default upload folder location: /wp-content/uploads/ then BPS Pro UAEG will prevent php files disguised as other file types from being viewed, accessed or exploited from a Browser.
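The "additional Regex filter" recommended in the post above, written out as an added example. This is illustrative code, not the WordPress File Upload plugin's own code and not part of BPS Pro; the function names are made up, the filter hook `wp_handle_upload_prefilter` is the standard WordPress hook for rejecting an upload before it is written to disk, and the sample filenames are constructed. The pattern goes slightly beyond the single `.php.jpg` case in the post: it rejects any PHP-type extension (php, php3-php7, phtml, phar, phps) that appears anywhere in the dot-separated extension chain, not only at the end of the name, because a name such as hacker-test-file.php.jpg can be handed to the PHP handler by Apache's mod_mime when PHP is mapped with AddHandler.

```php
<?php
// Added example: reject PHP files disguised with a second extension.
// Not the WordPress File Upload plugin's code nor BPS Pro's code.

/**
 * True if the basename carries a PHP-executable extension anywhere in its
 * extension chain, e.g. "x.php", "x.php.jpg", "X.PhP5.PNG", "x.phtml".
 */
function example_has_php_extension(string $filename): bool
{
    // Check the basename only, so a directory name cannot confuse the test.
    $base = basename($filename);

    // A dot, then php/php<digit>/phtml/phar/phps, then either another dot
    // (double extension) or the end of the name. Case-insensitive.
    $pattern = '/\.(php\d?|phtml|phar|phps)(?=\.|$)/i';

    return (bool) preg_match($pattern, $base);
}

/**
 * wp_handle_upload_prefilter callback: setting $file['error'] makes
 * WordPress abort the upload and show the message to the user.
 */
function example_reject_disguised_php(array $file): array
{
    if (example_has_php_extension($file['name'])) {
        $file['error'] = 'Upload Failed. PHP files are not allowed, '
                       . 'even with another extension appended.';
    }
    return $file;
}

// Only wire the hook when running inside WordPress; the rest of this file
// still runs stand-alone from the command line.
if (function_exists('add_filter')) {
    add_filter('wp_handle_upload_prefilter', 'example_reject_disguised_php');
}

// Stand-alone check against constructed filenames (expected result on the right).
$samples = [
    'photo.jpg'                => false,
    'hacker-test-file.php'     => true,
    'hacker-test-file.php.jpg' => true,
    'HACKER.PhP5.PNG'          => true,
    'notes.phtml'              => true,
    'report.php.txt.gif'       => true,
    'php-tips.jpg'             => false, // "php" is not an extension here
    'archive.tar.gz'           => false,
];

foreach ($samples as $name => $expected) {
    $got = example_has_php_extension($name);
    printf("%-28s blocked=%-5s %s\n",
        $name,
        $got ? 'true' : 'false',
        $got === $expected ? 'OK' : 'MISMATCH');
}
```

The check is name-based only; it complements, and does not replace, server-side controls such as the UAEG htaccess rules, because a correctly named .jpg can still contain PHP code and the server must be configured never to execute anything from the uploads tree.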

    #23206
    bill
    Participant

    Thank you for allotting the time to look into this for me… I sincerely appreciate it. I will personally inform the plugin’s author of your findings and I will share your directives on how to better secure the plugin. I will be very sure to note who (AITPro/link) he has to thank for this very sound advice/recommendation.

    Re: moving forward: Just to confirm… so, if I create a “catchall” folder of sorts for all uploads received via this plugin, and place this folder inside of the uploads folder via ftp; as long as UAEG is enabled/activated (which everything normally is in my case), this will protect the site from the noted Regex filter oversight and the site would be safe from malicious uploads and hacking attempts?

    #23207
    AITpro Admin
    Keymaster

    The UAEG htaccess file is in the root of the /uploads folder:  /uploads/.htaccess.  htaccess files are hierarchical/recursive so yes any subfolders under the /uploads folder are also protected by the UAEG htaccess file.  If you need to create whitelist rules for any reasons then see this UAEG sticky forum topic:  http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
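A minimal /wp-content/uploads/.htaccess illustrating the point made above, as an added example. These are not BPS Pro's actual UAEG rules; they are a stand-alone, Apache-only reconstruction of the behaviour the post describes (a 403 for any PHP-type file anywhere under /uploads, including subfolders created later). Per-directory .htaccess rules apply to every subdirectory below them unless a deeper .htaccess overrides them, which is the inheritance the post relies on. The file assumes the host permits `AllowOverride FileInfo Limit` for this directory; the whitelisted path at the end is hypothetical.

```apache
# Added example, not BPS Pro's UAEG rules.
# Place as /wp-content/uploads/.htaccess; it also covers every subfolder.

# 1. Stop mod_mime from treating "name.php.jpg" as PHP: drop any PHP
#    handler/type mappings inherited from parent directories.
<IfModule mod_mime.c>
    RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .phar
    RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phps .phar
</IfModule>

# 2. Refuse to serve anything whose basename contains a PHP-type extension
#    anywhere in its extension chain (hacker-test-file.php.jpg -> 403).
#    (?i) makes the match case-insensitive; FilesMatch is unanchored, so
#    the (\.|$) alternative is what catches the double extension.
<FilesMatch "(?i)\.(php\d?|phtml|phar|phps)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 3. Hypothetical whitelist: a later <Files> section for one specific
#    filename overrides the deny above for that file only. Only do this
#    for a file you placed there yourself, never for user uploads.
# <Files "trusted-tool.php">
#     Require all granted
# </Files>
```

To confirm the inheritance, create a subfolder such as /uploads/catchall/, drop a file named test.php.jpg into it, and request it in a browser: the expected response is 403 Forbidden, while an ordinary image in the same folder is still served. On nginx-fronted hosts this .htaccess is ignored entirely and an equivalent `location` block is needed instead.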

    #23208
    bill
    Participant

    Thank you very much…. (Confidence bolstered!) Have a great day, my friend.

    #23209
    Paul
    Participant

    I want to use a plugin once for a site backup. The folder bps-backup under wp-content, can I delete this folder via ftp then create it again when I have downloaded and run the site on my localhost (currently have some issue and the plugin “duplicator” can’t cope for some reason)?
    Or can I just delete from the auto restore screen “Delete Backup Files” then turn ARQ off?

    #23210
    AITpro Admin
    Keymaster

    Recommended:  Use the Delete Backup Files button in AutoRestore.  If the Duplicator plugin is still having a problem after deleting Backup Files then maybe the DB backup files are the issue:  /bps-backup/backups_xxxxxxxxxxxx/ and you can download and delete them.  Or of course you can exclude the /bps-backup/ folder from being backed up/duplicated in the Duplicator plugin settings.

    #23214
    Paul
    Participant

    Thanks, not using the DB checks so it looks like /bps-backup/backups_xxxxxxxxxxxx/ is empty.
    Unfortunately I don’t think I can exclude with “duplicator”.

    #23215
    AITpro Admin
    Keymaster

    It would be very strange and unusual if you could not exclude folders in the Duplicator plugin.  That is a standard basic option setting in all backup plugins.

    #23216
    Paul
    Participant

    Might suggest it to plugin author, it would help

    #23217
    AITpro Admin
    Keymaster

    That option setting already exists in the Duplicator plugin.

    Backup the contents of your files and database, all wrapped up into one package.
    You can use File filter to exclude files and folders from your package.
    You can use Table filter to choose which database tables to include or exclude from your package.
    You can use mysqldump for large databases.
    System scan ensures that the build process runs smoothly without any issues.

    #23218
    Paul
    Participant

    Thank you. I have never thought to look in that part under “archive”. Doh! Learn something new every day. I always looked in settings.

    #23223
    jenni101
    Participant

    Hi there,
    I’m pretty sure I know the answer to this but need to double check with you as my hosting provider reckons my very ‘busy’ htaccess file is delaying the time to First Byte. Basically my site is slow (we’re on shared hosting). I’m looking at everything and have tweaked lots so far. When they reviewed their server performance to First Byte (anything from 4 – 8 secs!) they came back with this:
    Can you just let me know your take on their comment below? Much appreciated.

    I checked the .htaccess file, and it is very ‘busy’ (a lot of content). This means the browser/ server will be doing a fair bit before even getting to the page load.

    #23228
    AITpro Admin
    Keymaster

    Uh yeah.  I am not going to try to respond to whatever that statement is supposed to mean because it does not make any technical or logical sense whatsoever.  The BPS standard htaccess files and code do NOT slow down a website at all and can actually speed up a website significantly if you are using the Speed Boost Bonus Custom Code, which is very similar to the “busy” htaccess code that WPSC and W3TC use – “busy” seriously???

    I believe you are using SSL/HTTPS, which is known to slow down a website.  That is common knowledge.  If you have added additional custom code to BPS Standard htaccess files and code then that additional custom code might cause some slowness.

    Ok now for some rational logical information: Deactivate Root Folder BulletProof Mode and benchmark test website performance.  If there is any difference in speed then some additional code that you have added in your root htaccess file is actually causing some slowness.  My money is on the support person guessing, which happens quite a lot.  They look at the BPS htaccess code and think to themselves “this looks very complex so it must be the cause of the problem”.  Ugh.

    Other things that commonly cause slowness:  Caching plugins and Cloudflare.  Yup seems odd, but these 2 things are the most common things that cause website slowness due to a variety of issues related to server configs or other random factors.  So you need to eliminate these things if you are using these things.
