Uploads Anti-Exploit Guard UAEG (BulletProof Security Pro forum)
Tagged: UAEG, Uploads Anti-Exploit Guard
This topic has 41 replies, 5 voices, and was last updated 5 years, 6 months ago by Rami M.
Rami M (Participant):
Thanks for your reply.
I am on a LiteSpeed server, and here is my code. Kindly advise on whitelisting REQUEST_URI: /wp-content/uploads/astra-addon/astra-addon-5cd15edc0462b9-78934553.js?
Many thanks,
Rami
——————————————————–
# BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
#
# BPS LiteSpeed mod_rewrite
#
# BEGIN WHITELIST
# Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
# of the whitelist rule you want to use and add the actual filename or folder name you want to whitelist.
# Whitelist a specific js file in the uploads folder: example.js
#RewriteRule ^example.js$ - [L]
# Whitelist an entire folder in the uploads folder: /uploads/example-folder/
#RewriteRule ^example-folder/.*$ - [L]
# END WHITELIST
#
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$ [NC]
RewriteRule ^(.*)$ - [F]

# FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
<FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
Order Allow,Deny
Deny from all
</FilesMatch>
AITpro Admin (Keymaster): @ Rami M –
1. Copy and paste your entire Uploads .htaccess file code below into the CUSTOM CODE UAEG text box on the BPS Custom Code tab page under the UAEG htaccess File Custom Code accordion tab button.
2. Click the Save UAEG Custom Code button to save your UAEG custom code.
3. Go to the Security Modes page and click the UAEG BulletProof Mode Activate button.

# BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
#
# BPS LiteSpeed mod_rewrite
#
# BEGIN WHITELIST
# Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
# of the whitelist rule you want to use and add the actual filename or folder name you want to whitelist.
# Whitelist a specific js file in the uploads folder: example.js
#RewriteRule ^example.js$ - [L]
# Whitelist an entire folder in the uploads folder: /uploads/example-folder/
RewriteRule ^astra-addon/.*$ - [L]
# END WHITELIST
#
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$ [NC]
RewriteRule ^(.*)$ - [F]

# FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
<FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
Order Allow,Deny
Deny from all
</FilesMatch>
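To see what the uploads .htaccess above actually does to a request before activating it, here is an added Python simulation of those rules (example code written for this page, not BPS Pro's own code). It reproduces the rule order as posted: the whitelist RewriteRules run first and `- [L]` stops rule processing, then the extension RewriteCond/RewriteRule returns `[F]`, while the FilesMatch block is an access-control directive that applies independently of mod_rewrite. The `FILE_WHITELIST` pattern, which limits the exemption to Astra's hashed asset names, is my assumption and is not from the thread; the sample request paths are constructed from the filenames quoted in this topic.

```python
import re
from urllib.parse import urlsplit

# Directory the UAEG .htaccess lives in. Per-directory RewriteRule patterns
# are matched against the part of the path after this prefix.
UPLOADS_DIR = "/wp-content/uploads/"

# Extension block list copied verbatim from the UAEG RewriteCond above.
# [NC] in the .htaccess becomes re.IGNORECASE here.
FORBIDDEN_EXT = re.compile(
    r"^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba"
    r"|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav"
    r"|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml"
    r"|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe"
    r"|vbs|war|ws|wsf|xhtml|xml|z)$",
    re.IGNORECASE,
)

# FilesMatch pattern copied from the same file. FilesMatch tests the file's
# basename and is case-sensitive, so no IGNORECASE flag.
PHP_DISGUISED = re.compile(r"\.(php|PHP|\.+(php)|\.+(PHP)).*$")

# Folder whitelist exactly as the admin supplied it above.
FOLDER_WHITELIST = [r"^astra-addon/.*$"]
# Narrower alternative (assumption, not from the thread): only the hashed
# Astra addon asset names, and only .js/.css.
FILE_WHITELIST = [r"^astra-addon/astra-addon-[0-9a-f]+-[0-9]+\.(js|css)$"]


def evaluate(request_uri, whitelist):
    """Simulate the UAEG .htaccess for one request.

    Returns (decision, reason) with decision 'allow' or 'forbid'. Only
    requests under UPLOADS_DIR are subject to these rules. Whether the file
    exists (a 404) is not modelled.
    """
    # %{REQUEST_URI} is the path only; the query string (?ver=...) never
    # takes part in the match.
    path = urlsplit(request_uri).path
    if not path.startswith(UPLOADS_DIR):
        return "allow", "outside uploads dir, UAEG rules do not apply"

    relative = path[len(UPLOADS_DIR):]
    basename = relative.rsplit("/", 1)[-1]

    # <FilesMatch> + Deny from all is evaluated by the access-control
    # module no matter what mod_rewrite decides, so a whitelist
    # RewriteRule cannot bypass it.
    if PHP_DISGUISED.search(basename):
        return "forbid", "FilesMatch: name contains .php"

    # Whitelist rules come first in the file; '- [L]' means no rewrite and
    # stop processing, so the [F] rule below is never reached.
    for pattern in whitelist:
        if re.search(pattern, relative):
            return "allow", "whitelisted by " + pattern

    # RewriteCond %{REQUEST_URI} ^.*\.(...)$ [NC] + RewriteRule ^(.*)$ - [F]
    if FORBIDDEN_EXT.search(path):
        return "forbid", "extension rule [F]"

    return "allow", "no rule matched"


# Constructed sample requests, built from filenames quoted in this topic
# plus a few synthetic names to exercise each rule.
SAMPLE_REQUESTS = [
    "/wp-content/uploads/astra-addon/astra-addon-5cd15edc0462b9-78934553.js?ver=1.8.1",
    "/wp-content/uploads/astra-addon/astra-addon-5cd5bc506db0c8-78247854.css?ver=1.8.1",
    "/wp-content/uploads/2019/05/photo.JPG",
    "/wp-content/uploads/2019/05/photo.php.jpg",
    "/wp-content/uploads/astra-addon/dropped.php",
    "/wp-content/uploads/astra-addon/dropped.phtml",
]

if __name__ == "__main__":
    variants = (("no whitelist", []), ("folder", FOLDER_WHITELIST), ("file", FILE_WHITELIST))
    for uri in SAMPLE_REQUESTS:
        print(uri)
        for label, wl in variants:
            decision, reason = evaluate(uri, wl)
            print("  %-12s %-6s %s" % (label, decision, reason))
```

Three things the run makes visible. The `.css` asset is not in the extension list at all, so UAEG serves it with or without a whitelist, which is consistent with the admin's later answer that the stylesheet MIME error is not caused by BPS. The folder whitelist exempts everything under `astra-addon/` from the extension rule, so inside that folder only the FilesMatch block still applies, and that block only catches names containing `.php`; the narrower `FILE_WHITELIST` keeps the extension rule for any other file that turns up there. Finally, `re` and Apache's PCRE agree on these simple patterns, but the script does not replace testing against the real server.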
Rami M (Participant):
This quality and response time are premium. Many thanks.
One more thing, I see PHP Error Log Path Does Not Match error message. Couldn’t find a way to fix that using the link in the tooltip.
AITpro Admin (Keymaster): @ Rami M – What do you see for "Error Log Path Seen by Server" on the PHP Error Log page?
Rami M (Participant):
ini_set PHP Error Log Location (Recommended): /home/…/public_html/wp-content/bps-backup/logs/bps_php_error.log
PHP Error Log Location Set To: /home/…/public_html/wp-content/bps-backup/logs/bps_php_error.log
Error Log Path Seen by Server: error_log
Thanks again.
AITpro Admin (Keymaster): @ Rami M – Ok, use your host server default PHP Error Log variable: error_log. Copy error_log into the PHP Error Log Location Set To text box and click the Set Error Log Location button.
Rami M (Participant):
Brilliant!
Now I'm seeing some PHP errors mentioning "bulletproof-security/includes…" in the log. Should I post them here or send them via the support form?
Thanks
AITpro Admin (Keymaster): @ Rami M – If they are "Notice" PHP errors you can ignore them. Also, on first-time setup of BPS Pro there can be a couple of PHP errors. If the PHP errors only happened once then ignore them. If the PHP errors are occurring repeatedly then post them in your forum reply.
Related Forum Topic: https://forum.ait-pro.com/forums/topic/how-to-troubleshoot-php-errors-php-errors-in-your-php-error-log/
Rami M (Participant):
Thanks a million!
Rami M (Participant):
Hi,
Not sure if this has to do with the custom codes or BPS Pro. Hope you can help.
After applying the code above, I see no warnings related to Astra in the security log. But I noticed today when I inspect elements on front-end using Chrome, I got these in console:
(index):1 Refused to apply style from 'https://....com/wp-content/uploads/astra-addon/astra-addon-5cd5bc506db0c8-78247854.css?ver=1.8.1' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
astra-addon-5cd5bc507019d0-53063167.js:1 Failed to load resource: the server responded with a status of 404 ()
(index):1 Refused to apply style from 'https://....com/wp-content/uploads/astra-addon/astra-addon-5cd5bc506db0c8-78247854.css?ver=1.8.1' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.

Bonus Custom Codes added: MIME sniffing|Drive-by Download Attack + with the External iFrame|Clickjacking; the server also runs LiteSpeed Cache.
AITpro Admin (Keymaster): @ Rami M – This problem is not being caused by BPS. Do some Google searches for the error message – "because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled." This StackOverflow topic has several things that could be causing the problem > https://stackoverflow.com/questions/48248832/stylesheet-not-loaded-because-of-mime-type
Rami M (Participant):
Thanks a million. Your response time and quality are among the best I have seen.