Security log entries for UptimeRobot HEAD requests

[DaveR56]

I know there’s been other threads about this and I may be getting old but I thought I’d made the changes recommended in them but I’m still getting lots of security log entries for UptimeRobot (which I’ve been using for years though the logs only started appearing a few months ago – I’ve ignore them until now).

Here’s an example of a security log entry (my domain replaced by **’s):

[405 HEAD Request: January 17, 2022 12:54 pm]
BPS: 5.6
WP: 5.8.3
Event Code: BFHS-HEAD - HEAD Request Blocked
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: engine17.uptimerobot.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: HEAD
HTTP_REFERER: https://************.uk/
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)

Here’s what I’ve got in my root htaccess custom code:

# CUSTOM CODE REQUEST METHODS FILTERED
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteCond %{HTTP_USER_AGENT} !^(UptimeRobot|engine17.uptimerobot.com) [NC]
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

(I don’t know if the engine17 bit was necessary, I only added it as this appeared in the security log). I did all the Encrypt, Activate etc things and even checked that the above code appears in the .htaccess file on the server.

So why am I still getting hundreds of security log entries and what should I do to stop them?
Thanks,
Dave

[AITpro Admin]

Try using a Skip rule and let me know if it works or not.

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{HTTP_USER_AGENT} ^(UptimeRobot|uptimerobot.com) [NC]
RewriteRule . - [S=2]
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

[AITpro Admin]

I tested the Skip rule and it did not work.  Probably because I did not add this RegEx: .* to the condition.  This code below works.

Usage:
Copy the htaccess code below to this BPS Root Custom Code text box: 9. CUSTOM CODE REQUEST METHODS FILTERED
Click the Save Root Custom Code button.
Go to the Security Modes tab page, click the Root Folder BulletProof Mode Activate button.

Note: If you are unable to save this custom code to BPS Custom Code (nothing happens, errors or you are redirected to your website home page) click the Encrypt Custom Code button and then click the Save Root Custom Code to bypass/evade ModSecurity installed on your host server.

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(UptimeRobot|uptimerobot.com).* [NC]
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

[DaveR56]

Thank you very much! That seems to work, there haven’t been any uptimerobot logs since I added the code you gave.

Dave

[Author]

Posts