Tagged: HTTP Error Log, Security Log
This topic has 15 replies, 6 voices, and was last updated 1 year, 4 months ago by dianekemper.
AITpro Admin
Keymaster
Security Log|HTTP Error Log
The Security Log is the primary troubleshooting tool in BPS Pro. The Security Log logs blocked hackers, spammers, etc., but more importantly the Security Log logs anything BPS Pro may be blocking in another Plugin or Theme. If BPS Pro is blocking something in a Plugin or Theme, a whitelist rule can be created to allow whatever is being blocked. The 2 most common whitelist rule types are a Plugin Firewall whitelist rule or a plugin/theme skip/bypass rule.
Security Log General Information
Your Security Log file is a plain text static file and not a dynamic file or dynamic display, to keep your website resource usage at a bare minimum and keep your website performance at a maximum. Log entries are logged in descending order by Date and Time. You can copy, edit and delete this plain text file. You can set up S-Monitor Email Alerting & Log File Options to automatically email your Security Log file to you and delete it when it reaches a certain size (256KB, 500KB or 1MB).
Security Wizard AutoFix: https://forum.ait-pro.com/forums/topic/setup-wizard-autofix/
The Setup Wizard AutoFix feature added to BPS and BPS Pro on 6-2017 automatically creates Custom Code whitelist rules for 100+ known issues with plugins and themes.
Security Log & Plugin Firewall Video Tutorial: https://forum.ait-pro.com/video-tutorials/#security-log-firewall
BPS Pro troubleshooting steps: https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting
Other common/general issues/problems: https://forum.ait-pro.com/forums/topic/read-me-first-pro/
Security Log Troubleshooting Help Section: Security Log – HTTP Error Log Troubleshooting.
Question Mark help button help text
Forum Help Links & Bonus Custom Code:
BPS Pro Troubleshooting Steps
POST Request Attack Protection
Security Log General Information
To view your Security Log click the View Log button. Your Security Log file is a plain text static file and not a dynamic file or dynamic display, to keep your website resource usage at a bare minimum and keep your website performance at a maximum. Log entries are logged in descending order by Date and Time. You can copy, edit and delete this plain text file. You can set up Display & Alert Options Email Alerting & Log File Options to automatically email your Security Log file to you and delete it when it reaches a certain size (256KB, 500KB or 1MB).
If a particular User Agent|Bot is generating excessive log entries you can add it to the Add User Agents|Bots to Ignore|Not Log tool and that User Agent|Bot will no longer be logged. See the Ignoring|Not Logging User Agents|Bots help section.
NOTE: JTC Anti-Spam|Anti-Hacker Logging is turned On or Off with the JTC Logging option setting on the JTC Anti-Spam|Anti-Hacker page.
NOTE: The Display & Alert Options Email Alerting & Log File Options will only send log files up to 2MB in size. 500KB is the recommended maximum size setting to use for automatically emailing your Security Log File to you.
NOTE: BPS logs all 403 errors, but a 403 error may not necessarily be caused by BPS. Use the troubleshooting steps in the BPS Pro Troubleshooting Steps link at the top of this Question Mark help window to confirm or eliminate that the 403 error is being caused by BPS.
The Security Log logs 400, 403, 405 and 410 HTTP Response Status Codes by default. You can also log 404 HTTP Response Status Codes by opening this BPS Pro 404 Template file – /bulletproof-security/404.php and copying the logging code into your Theme’s 404 Template file. When you open the BPS Pro 404.php file you will see simple instructions on how to add the 404 logging code to your Theme’s 404 Template file. The Security Log also logs other events. See the Total # of Security Log Entries by Type help section below for a complete list of BPS Pro Security Log Entry Types.
Total # of Security Log Entries by Type
Displays the total number of each type of Security Log Entry in your Security Log file. There are 38 different Security Log entry types that are displayed in the Total # of Security Log Entries by Type list. There are several other types of Security Log Entries that are not displayed in the Total # of Security Log Entries by Type list. The Total # of Security Log Entries by Type is also added to each Security Log file when it is zipped and emailed to you and also added directly in the automated Security Log email. Complete list of BPS Pro Security Log Entry Types: 400 POST Bad Request, 400 GET Bad Request, 403 GET Request, 403 POST Request, 404 GET Not Found Request, 404 POST Not Found Request, 405 HEAD Request, 410 Gone POST Request, 410 Gone GET Request, Idle Session Logout, Maintenance Mode – Visitor Logged, Login Form – POST Request Logged, Login Form – GET, HEAD, OTHER Request Logged, WP Register Form – POST Request Logged, WP Register Form – GET, HEAD, OTHER Request Logged, Lost Password Form – POST Request Logged, Lost Password Form – GET, HEAD, OTHER Request Logged, Comment Form User Is Logged In – POST Request Logged, Comment Form User Is Logged In – GET, HEAD, OTHER Request Logged, Comment Form User NOT Logged In – POST Request Logged, Comment Form User NOT Logged In – GET, HEAD, OTHER Request Logged, BuddyPress Register Form – POST Request Logged, BuddyPress Register Form – GET, HEAD, OTHER Request Logged, Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created, WP Automatic|Remote|Forced Update: ARQ Cron was turned Off, WP Automatic|Remote|Forced Update: Backup performed, WP Automatic|Remote|Forced Update: ARQ Cron was turned On, WP Core Manual Update|Re-install function: Backup performed, WP Core Manual Update|Re-install function: ARQ Cron was turned On, AJAX Shiny Plugin Update|Install: ARQ Cron was turned Off, AJAX Shiny Theme Update|Install: ARQ Cron was turned Off, AJAX Bulk Theme Update|New Install: ARQ Cron was turned Off, AJAX Bulk Plugin Update: ARQ Cron was turned Off, AJAX Manual WP Core Update: ARQ Cron was turned Off, upgrader_pre_install Filter: ARQ Cron was turned Off, upgrader_post_install Filter: Backup performed, AFS Cron: ARQ Cron was turned On, WP <= 4.5.3 bpsPro_wordpress_update_core_manual function: ARQ Cron was turned Off.
HTTP Response Status Codes
400 Bad Request – The request could not be understood by the server due to malformed syntax.
403 Forbidden – The Server understood the request, but is refusing to fulfill it.
404 Not Found – The Server has not found anything matching the Request-URI/URL. No indication is given of whether the condition is temporary or permanent.
405 Method Not Allowed – The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource. BPS blocks HEAD Requests using a 405 ErrorDocument Redirect. The BPS 405 Template has an Allow header field for the GET, POST and PUT HTTP Methods.
410 Gone – The requested resource is no longer available at the Server/site and no forwarding address is known. This condition is expected to be considered permanent.
Security Log File Size
Displays the size of your Security Log file. If your log file is larger than 2MB then you will see a Red warning message displayed: The Display & Alert Options Email Alerting & Log File Options will only send log files up to 2MB in size. Copy and paste the Security Log file contents into a Notepad text file on your computer and save it. Then click the Delete Log button to delete the contents of this Log file.
Security Log Status
Displays either Logging is Turned On or Logging is Turned Off.
Security Log Last Modified Time:
Security Log Alerts are displayed when a new security log entry is made in your Security Log file. When this happens your Last Modified Time in File: time stamp will be different than your Last Modified Time in DB: time stamp. In order to clear the Security Log Alert and synchronize/reset your DB and File time stamps so they are the same, click the Reset Last Modified Time in DB button.
Turn Off Logging
Turns Off HTTP 400, 403, 404, 405 & 410 Security Logging. NOTE: JTC Anti-Spam|Anti-Hacker Logging is turned On or Off with the JTC Logging option setting on the JTC Anti-Spam|Anti-Hacker page.
Turn On Logging
Turns On HTTP 400, 403, 404, 405 & 410 Security Logging. NOTE: JTC Anti-Spam|Anti-Hacker Logging is turned On or Off with the JTC Logging option setting on the JTC Anti-Spam|Anti-Hacker page.
Delete Log Button
Clicking the Delete Log button will delete the entire contents of your Security Log File. If you have set up Display & Alert Options Email Alerting & Log Options then the only time you would probably need to use the Delete Log button is if your Security Log file exceeds 2MB in size.
POST Request Body Data
The POST Request Body Data option settings only affect the REQUEST BODY Security Log field in your Security Log entries when a POST Request is blocked and logged by BPS. To capture/log all POST Request Attacks against your website you will need to add the POST Request Attack Protection Bonus Custom Code. A link to that Bonus Custom Code is at the top of this Question Mark help window. If you do not want to add the Bonus Custom Code then some, but not all, POST Request Attacks will be captured/logged in the Security Log.
The default POST Request Body Data option setting is “Do Not Log POST Request Body Data (0KB)”, which means do not capture/log the POST Request data that was sent in the attack. You will see this text in the REQUEST BODY Security Log entry field: “REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data” instead of the actual POST Request Body data used in the attack on your website. The reason the default setting is set to “Do Not Log POST Request Body Data (0KB)” is because some web hosts falsely interpret the BPS Security Log text file as malicious, since hacker code used to attack your website can be captured/logged in the Security Log text file if you are using the “Log Minimum…” or “Log Maximum…” POST Request Body Data option settings.
The “Log Minimum POST Request Body Data (5KB)” option setting will capture/log the first 500 characters or 5KB of hacker code used to attack your website in a POST Request attack and log that hacker code in the REQUEST BODY Security Log entry field. The “Log Maximum POST Request Body Data (250KB)” option setting will capture/log the first 250000 characters or roughly 250KB of hacker code used to attack your website in a POST Request attack and log that hacker code in the REQUEST BODY Security Log entry field. Hacker scripts typically range in size from 20KB to 100KB on average.
Important Notes: If you are using email security protection on your computer then your automatically zipped and emailed BPS Security Log files may be seen as containing a virus (hacker script/code) and they could be automatically deleted by your email protection application on your computer. Your computer security protection software may also see the Security Log file as malicious and block it. If your web host falsely sees the BPS Security Log file as a malicious hacker file then you will need to change your POST Request Body Data option setting and use the “Do Not Log POST Request Body Data (0KB)” option setting instead.
Ignoring|Not Logging User Agents|Bots – Allowing|Logging User Agents|Bots
Adding or Removing User Agents|Bots adds or removes User Agents|Bots to your Database and also writes new code to the 403.php Security Logging template. The 403.php Security Logging file is where the check occurs whether or not to log or not log a User Agent/Bot. It would be foolish and costly to website performance to have your WordPress database handle the task/function/burden of checking which User Agents/Bots to log or not log. WordPress database queries are the most resource draining function of a WordPress website. The more database queries that are happening at the same time on your website the slower your website will perform and load. For this reason the Security Logging check is done from code in the 403.php Security Logging file.
If a particular User Agent/Bot is being logged excessively in your Security Log file you can Ignore/Not Log that particular User Agent/Bot based on the HTTP_USER_AGENT string in your Security Log. Example User Agent strings: Mozilla/5.0 (compatible; 008/0.85; http://www.80legs.com/webcrawler.html) Gecko/2008032620 and facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php). You could enter 008 or 80legs or webcrawler to Ignore/Not Log the 80legs User Agent/Bot. You could enter facebookexternalhit or facebook or externalhit_uatext to Ignore/Not Log the facebook User Agent/Bot.
Add User Agents|Bots to Ignore|Not Log
Add the User Agent|Bot names you would like to Ignore|Not Log in your Security Log. These code characters are not allowed to be used: / | < > ‘ ”
Removing User Agents|Bots to Allow|Log
To search for ALL User Agents/Bots to remove/delete from your database leave the text box blank and click the Remove|Allow button. You will see a dynamically generated Radio Button Form that will display the User Agents/Bots in the BPS User Agent/Bot database Table, Remove or Do Not Remove Radio buttons and the Timestamp when the User Agent/Bot was added to your DB. Select the Remove Radio buttons for the User Agents/Bots you want to remove/delete from your database and click the Remove button. Removing/deleting User Agents/Bots from your database means that you want to have these User Agents/Bots logged again in your Security Log.
View Log
In previous versions of BPS the Security Log was displayed open by default. The Security Log is now closed by default due to problems with ModSecurity CRS seeing the Security Log entries as malicious and blocking access to the Security Log page. If you are unable to open/view your Security Log file you can view your Security Log file by using FTP or your web host control panel file manager and opening the Security Log file located here: /wp-content/bps-backup/logs/http_error_log.txt. The new View Log feature also resolves another problem: if the Security Log file automation is not working due to WP Cron jobs being disabled on a website, then the Security Log file will not be automatically zipped, emailed to you and replaced with a new blank log file at regular cron intervals by the Security Log file Cron job automation. If your Security Log file is extremely large and you are unable to open/view it then you can manually download a copy of the Security Log file using FTP or your web host control panel file manager and then delete it using the Delete Log button.
Troubleshooting Security Log|HTTP Error Log Entries
The Security Log / HTTP Error Log is primarily designed to aid you in troubleshooting problems with the Plugin Firewall or the Uploads Anti-Exploit Guard. If a plugin script is being blocked by either the Plugin Firewall or the Uploads Anti-Exploit Guard then you will see errors logged in your Security Log / HTTP Error Log. By logging these errors you will see the exact problem or issue that is occurring and can then take the necessary action to resolve the issue or problem.
The Security Log can also be used to monitor hacking attempts, hacking probes, hacking recon, spambot sniffing, blocked bots, etc etc etc. You should not spend a whole lot of time analyzing what Security Log entries mean. Why? The AITpro websites log over 1,500 hacking attempts, etc per day. If I actually spent the time to analyze every single security log entry I would never get anything done. I do skim through the security logs looking for new forms of hacking attempts, but typically the hacking attempts are the same methods just used by different sources and are duplicate hacking methods/scans/recons etc etc etc.
If you have a question about a plugin script being blocked in either your plugins folder or your uploads folder then post a new Forum Topic. Please do not post any other types of security log entries, such as random hacking attempts/recons/blocked bots sniffing around, etc etc etc.
Below are 2 example Security Log / HTTP Error Log entries. The first example shows that a plugin script is being blocked by the Plugin Firewall. The second example shows that the Uploads Anti-Exploit Guard is blocking a js script (a plugin or theme script file) in the uploads folder. How you can identify that these are plugin scripts or uploads scripts that are being blocked is by looking at the REQUEST_URI: portion of the logged event. If REQUEST_URI is showing a path to your plugins folder then this is a plugin script that is being blocked by your Plugin Firewall and you will need to add this plugin script to the Plugin Firewall Whitelist Text Area. If the REQUEST_URI path is showing the uploads folder then UAEG is blocking something – see the second example for ways to fix/whitelist this.
Plugin Firewall Forum Link
https://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/
To add this plugin script to your Plugin Firewall Whitelist you would copy this plugin script path – /bbpress/bbp-theme-compat/js/topic.js – to the Plugins Script/File Whitelist Text Area, click the Save Whitelist Options button and click the Plugin Firewall BulletProof Mode Activate button to activate the Plugin Firewall again.
Plugin script being blocked by the Plugin Firewall
>>>>>>>>>>> 403 Error Logged - January 19, 2013 - 12:10 pm <<<<<<<<<<<
REMOTE_ADDR: 94.44.197.195
Host Name: apn-94-44-197-195.vodafone.hu
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://forum.ait-pro.com/forums/topic/read-me-first-free/
REQUEST_URI: /wp-content/plugins/bbpress/bbp-theme-compat/js/topic.js?ver=2.1.2
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Plugin or Theme script stored in your uploads folder being blocked by Uploads Anti-Exploit Guard
A Sticky Forum Topic has been created for the Uploads Anti-Exploit Guard (UAEG): https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
For this example a js file named avada.js in the uploads folder is being blocked by UAEG. The Security Log entry below shows that the avada.js file is being blocked by UAEG. Click the link above for the whitelist solution.
>>>>>>>>>>> 403 Error Logged - January 16, 2013 - 8:35 pm <<<<<<<<<<<
REMOTE_ADDR: 68.39.81.155
Host Name: c-68-39-81-155.hsd1.nj.comcast.net
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: [domain name removed for security/privacy]
REQUEST_URI: /wp-content/uploads/avada.js
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
This topic was modified 3 years, 2 months ago by AITpro Admin.
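The two log entries quoted in the post above, together with the Ignore|Not Log tool and the Total # of Security Log Entries by Type feature, lend themselves to a small triage script. The following Python is an added example written for this page; it is not code from the BPS Pro plugin or from AITpro. The entry layout (a ">>> NNN Error Logged - date <<<" header followed by one "FIELD: value" line per field) is taken from the two entries above; the first two sample entries are abridged copies of them and the third (192.0.2.10, crawler.example, an 80legs user agent) is constructed. Assumptions of my own: fields split at the first colon, the ignore list is a plain substring match on HTTP_USER_AGENT, and the "<status> <method> Request" labels are a simplified stand-in for the plugin's own entry-type names.

```python
"""Parse and triage BulletProof Security (BPS) Security Log entries.

Added example, not code from the BPS plugin.  The entry layout copies the two
sample entries quoted in the post above (a '>>> NNN Error Logged - date <<<'
header, then one 'FIELD: value' line per field); the triage rules follow the
post's advice on reading REQUEST_URI.  Assumptions: fields split at the first
colon, the ignore list is a plain substring match on HTTP_USER_AGENT, and the
type labels are a simplified stand-in for BPS's own 'Entries by Type' names.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Header, e.g. ">>>>>>>>>>> 403 Error Logged - January 19, 2013 - 12:10 pm <<<<<<<<<<<".
# Forum rendering shows both "-" and an en dash as the separator, so accept either.
HEADER_RE = re.compile(
    r"^>{3,}\s*(?P<status>\d{3})\s+Error Logged\s*[-\u2013]\s*(?P<when>.+?)\s*<{3,}$")
PLUGINS_PREFIX = "/wp-content/plugins/"
UPLOADS_PREFIX = "/wp-content/uploads/"


def parse_security_log(text):
    """One dict per entry: 'status' (int), 'when' (datetime) and one key per
    field line (REQUEST_URI, HTTP_USER_AGENT, ...); empty fields are ''."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            when = m.group("when").replace("\u2013", "-")
            current = {"status": int(m.group("status")),
                       "when": datetime.strptime(when, "%B %d, %Y - %I:%M %p")}
            entries.append(current)
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return entries


def triage(entry):
    """Classify by REQUEST_URI as the post describes.  Returns (category, hint):
    'plugin_firewall' -> hint is the path to paste into the Plugins Script|File
    Whitelist (part after /wp-content/plugins, query string dropped);
    'uaeg' -> the blocked uploads path; 'other' -> None (bot/probe noise)."""
    path = urlsplit(entry.get("REQUEST_URI", "")).path
    if path.startswith(PLUGINS_PREFIX):
        return "plugin_firewall", path[len(PLUGINS_PREFIX) - 1:]
    if path.startswith(UPLOADS_PREFIX):
        return "uaeg", path
    return "other", None


def is_ignored(entry, ignore_list):
    """Substring match on HTTP_USER_AGENT, e.g. '80legs' or 'facebookexternalhit'."""
    ua = entry.get("HTTP_USER_AGENT", "")
    return any(token and token in ua for token in ignore_list)


def summarize(text, ignore_list=()):
    """Drop ignored user agents; return (entries newest first, Counter of
    '<status> <method> Request' labels, sorted Plugin Firewall whitelist hints)."""
    entries = [e for e in parse_security_log(text) if not is_ignored(e, ignore_list)]
    entries.sort(key=lambda e: e["when"], reverse=True)  # descending, like the log file
    by_type = Counter(f"{e['status']} {e.get('REQUEST_METHOD', '?')} Request" for e in entries)
    hints = set()
    for e in entries:
        category, hint = triage(e)
        if category == "plugin_firewall":
            hints.add(hint)
    return entries, by_type, sorted(hints)


# First two entries abridged from the post; the third (192.0.2.10, crawler.example) is constructed.
SAMPLE_LOG = """\
>>>>>>>>>>> 403 Error Logged - January 19, 2013 - 12:10 pm <<<<<<<<<<<
REMOTE_ADDR: 94.44.197.195
Host Name: apn-94-44-197-195.vodafone.hu
REQUEST_METHOD: GET
HTTP_REFERER: http://forum.ait-pro.com/forums/topic/read-me-first-free/
REQUEST_URI: /wp-content/plugins/bbpress/bbp-theme-compat/js/topic.js?ver=2.1.2
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0

>>>>>>>>>>> 403 Error Logged - January 16, 2013 - 8:35 pm <<<<<<<<<<<
REMOTE_ADDR: 68.39.81.155
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/uploads/avada.js
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0

>>>>>>>>>>> 405 Error Logged - January 20, 2013 - 3:02 am <<<<<<<<<<<
REMOTE_ADDR: 192.0.2.10
Host Name: crawler.example
REQUEST_METHOD: HEAD
REQUEST_URI: /
HTTP_USER_AGENT: Mozilla/5.0 (compatible; 008/0.85; http://www.80legs.com/webcrawler.html) Gecko/2008032620
"""

if __name__ == "__main__":
    entries, by_type, hints = summarize(SAMPLE_LOG, ignore_list=["80legs"])
    for label, n in sorted(by_type.items()):
        print(f"{n:4d}  {label}")
    print("Plugin Firewall whitelist candidates:", hints)
```

Run against a real http_error_log.txt, the whitelist hints are exactly the paths the post says to paste into the Plugins Script|File Whitelist Text Area, and anything classified as "other" is the probe/bot noise the post advises not to spend time on. Passing the same token you would enter in the Add User Agents|Bots to Ignore|Not Log tool as `ignore_list` lets you preview how much quieter the log would become before touching the 403.php template.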
Paul
Participant
Does BPS Pro collect more in the security log than the basic version? Since upgrading I just see more login attempts than I did on the basic version.
AITpro Admin
Keymaster
Yes. The BPS Pro Security Log logs a lot more things. Several different BPS Pro features that are not in the BPS free version log things in the Security Log to keep these logged events centralized/all in one place.
Matt Zahy
Participant
Hi,
I am getting a big amount of events: “BFHS – Blocked/Forbidden Hacker or Spammer” from the exact same IP and Host address. Is there a simple way to block an IP and/or host address with BPS?
Thanks
Matt
AITpro Admin
Keymaster
Since BPS is already blocking this then maybe you want to ignore/not log this particular user agent? See the Ignoring|Not Logging User Agents|Bots – Allowing|Logging User Agents|Bots Read Me help text above or click the Security Log Read Me help button. Or you can just let the BPS Security Log automation do what it is designed to do.
bpuser101
Participant
Although BPS is blocking, do the hackers/spammers still take up hosting resources? There are some bad bots with the same IP making hundreds of requests (405 mainly) by the hour. Hosting resources seem to get limited as a result. Is it wise to deny access to these IPs through custom code in the .htaccess?
AITpro Admin
Keymaster
@ bpuser101 – All is good. BPS logs errors in the same exact way that your server logs errors, which is to write to a plain text file using fwrite, which is designed for and optimized for successive file writing. In plain English that means that no matter what the frequency or quantity/volume of logged events that are occurring, the resource impact is pretty much 0. If BPS was using your WP DB to log events then the resource usage would have a major impact/performance hit for your site and server. 😉
Living Miracles
Participant
Hi,
I noticed today that one of the sites: http://acim-online-video.net I use BPS Pro on has a very large Security Log (currently almost 11MB). For some reason the log wasn’t emailed/deleted when it reached the 1MB size. Any idea what could cause this? I did test the PHP mail() and WordPress wp_mail() function in S-Monitor and it works fine.
The Security Log page loads very slowly also, and even after it’s finally done loading it just becomes unresponsive.
I’m noticing some pretty strange looking entries as well (particularly the Whitelist Rules from today and yesterday), that I haven’t seen on any of our other sites. I’ve uploaded the file to my Dropbox here: https://www.dropbox.com/s/p78cs2fxsq6bajy/Security%20Log.txt?dl=0; I’d appreciate it if you could have a look and help me troubleshoot this issue.
Thank you!
AITpro Admin
Keymaster
@ Living Miracles – Your Security Log entries show that this website is hosted on Go Daddy Managed WordPress hosting (a special custom type of hosting that is not standard Go Daddy hosting). So that most likely means this is another problem caused by Go Daddy Managed WordPress hosting. The Plugin Firewall whitelist rules created by AutoPilot are not valid. So what I need for you to do are these steps below and then monitor your Security Log file for a day or so to see if Go Daddy Managed WordPress hosting is still continuing to cause these problems. I assume the Security Log file not being zipped and emailed is due to the custom cron job that GDMW hosting creates instead of allowing standard WordPress cron jobs to be run. BPS uses a standard WordPress cron job to zip and email log files. I am not exactly sure what or why the Plugin Firewall whitelist rules are not valid. Could be caused by something else, but I assume GDMW hosting is also causing that problem since AutoPilot Mode uses a standard WordPress cron as well.
Do these steps first:
1. Go to the Security Log page.
2. Turn Off Security Logging.
3. Click the Delete Log button to delete your Security Log file contents.
4. Do the Plugin Firewall steps below. When you complete step #4 below and before doing step #5 below – go back to the Security Log page and Turn On Security Logging. Then continue with Plugin Firewall step #5 below.
Fix all general Plugin Firewall issues/problems:
1. Go to the Plugin Firewall page.
2. Click the Plugin Firewall BulletProof Mode Deactivate button.
3. Delete (or cut if you want to add your existing whitelist rules back into the Plugins Script|File Whitelist Text Area) all of your Plugin Firewall whitelist rules out of the Plugins Script|File Whitelist Text Area.
4. Click the Save Whitelist Options button.
5. Click the Plugin Firewall Test Mode button.
6. Check your site pages by clicking on all main website pages: contact form page, home page, login page, etc.
7. Recheck the Plugins Script|File Whitelist Text Area (after 1 minute) and you should see new Plugin Firewall whitelist rules have been created.
8. Change the AutoPilot Mode Cron Check Frequency to 15 minutes or whatever frequency time you would like to use.
9. Click the Plugin Firewall Activate button.
Living Miracles
Participant
Thanks. I’ll try those steps.
AITpro Admin
Keymaster
@ Living Miracles – After analyzing your Security Log I see reasons for why those Plugin Firewall whitelist rules were “logged”. They are not valid whitelist rules so they are only being logged and not actually created in the Plugin Firewall whitelist text area box. You have a few hackers probing your site and the 403 errors are being interpreted as “possible” Plugin Firewall whitelist rules because they match the pattern of a whitelist rule, but like I said they are not valid so they will not actually be created and will just be logged. The other problem is this: This plugin: vimeography is using the WordPress standard naming convention of “plugins” in the path to its plugin scripts. Obviously that is a big no no. There are certain reserved namespaces that should never be used, such as “plugins” for a path in the WordPress /plugins/ folder. That is a recipe for disaster and is terrible coding practice in general. To compensate for this mistake you can manually create this Plugin Firewall whitelist rule:
/vimeography/lib/shared/assets/js/(.*).js
in the Plugin Firewall whitelist text area box.
/wp-content/plugins/vimeography/lib/shared/assets/js/plugins/jquery.flexslider.js?ver=4.6
/wp-content/plugins/vimeography/lib/shared/assets/js/plugins/jquery.fitvids.js?ver=4.6
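Before pasting a wildcard rule like the one above into the whitelist, it is worth checking which of the logged script paths it actually covers and which ones still need a rule. The following Python is an added example written for this page, not code from the BPS plugin or from AITpro. It assumes, as the bbpress and vimeography examples in this thread suggest, that a whitelist rule is written relative to /wp-content/plugins and is matched as a regular expression against the request path with the query string removed, so (.*) is a wildcard; how BPS itself turns whitelist rules into .htaccess directives is not shown on this page. It also flags the nested /plugins/ directory name the reply above calls out.

```python
"""Check which logged plugin-script URIs a Plugin Firewall whitelist rule covers.

Added example, not BPS code.  Assumption: a whitelist rule is written relative
to /wp-content/plugins (e.g. /bbpress/bbp-theme-compat/js/topic.js) and is
matched as a regular expression against the whole request path with the query
string removed, so (.*) is a wildcard.  How BPS really compiles rules into
.htaccess is not shown on this page.
"""
import re
from urllib.parse import urlsplit

PLUGINS_PREFIX = "/wp-content/plugins"


def plugin_relative_path(uri):
    """'/wp-content/plugins/x/y.js?ver=1' -> '/x/y.js'; None for non-plugin paths."""
    path = urlsplit(uri).path
    if not path.startswith(PLUGINS_PREFIX + "/"):
        return None
    return path[len(PLUGINS_PREFIX):]


def rule_covers(rule, uri):
    """True if the rule (a regex relative to the plugins folder) matches the
    whole plugin-relative path of the URI."""
    rel = plugin_relative_path(uri)
    return rel is not None and re.fullmatch(rule, rel) is not None


def uncovered(rules, uris):
    """Logged plugin URIs that no rule whitelists, i.e. the ones still needing a rule."""
    return [u for u in uris
            if plugin_relative_path(u) is not None
            and not any(rule_covers(r, u) for r in rules)]


def nests_reserved_dir(uri, reserved=("plugins",)):
    """Flag plugin scripts that reuse a reserved WordPress directory name inside
    their own tree (the vimeography /assets/js/plugins/ case discussed above)."""
    rel = plugin_relative_path(uri)
    return rel is not None and any(f"/{name}/" in rel for name in reserved)


# The two vimeography scripts and the bbpress script are URIs logged in this
# thread; the uploads path is included to show it is not a Plugin Firewall matter.
LOGGED = [
    "/wp-content/plugins/vimeography/lib/shared/assets/js/plugins/jquery.flexslider.js?ver=4.6",
    "/wp-content/plugins/vimeography/lib/shared/assets/js/plugins/jquery.fitvids.js?ver=4.6",
    "/wp-content/plugins/bbpress/bbp-theme-compat/js/topic.js?ver=2.1.2",
    "/wp-content/uploads/avada.js",
]
RULES = ["/vimeography/lib/shared/assets/js/(.*).js"]

if __name__ == "__main__":
    print("still need a rule:", uncovered(RULES, LOGGED))
    print("reuse a reserved dir name:", [u for u in LOGGED if nests_reserved_dir(u)])
```

With only the vimeography rule in place, the bbpress script from the first post is reported as still uncovered until its literal rule is added as well. Note that because the rule is treated as a regex, the unescaped dot in `.js` also matches any single character; that is harmless for these paths, but a rule meant to be literal can escape it as `\.js`.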
Living Miracles
Participant
Interesting. Thank you for elaborating and looking into this even more and providing a whitelist rule for Vimeography!
Paul
Participant
Is it possible to get the security log and other log email notifications sent to another email address rather than the website’s default email?
AITpro Admin
Keymaster
@ Paul – The email option settings are on the S-Monitor page. You can send all emails to multiple email accounts that you add in the S-Monitor email option settings, but you cannot send individual emails to different email accounts. Example: You can send the Security Log email to multiple email accounts, but you cannot send Security Log emails to 1 email account and send all other emails to a different email account.
The email address fields To, From, Cc and Bcc can be email addresses for your hosting account, your WordPress Administrator email address or 3rd party email addresses like gmail or yahoo email. If you are sending emails to multiple email recipients then separate the email addresses with a comma. Example: someone@somewhere.com, someoneelse@somewhereelse.com. You can add a space or not add a space after the comma between email addresses.
Paul
Participant
@AIT thank you