Uploads Anti-Exploit Guard UAEG

[Rami M]

Thanks for your reply.

I am on a LiteSpeed server, and here is my code. Kindly advise on white listing REQUEST_URI: /wp-content/uploads/astra-addon/astra-addon-5cd15edc0462b9-78934553.js?

Many thanks,

Rami

——————————————————–

# BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
#
# BPS LiteSpeed mod_rewrite
#
# BEGIN WHITELIST
# Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
# of the whitelist rule you want to use and add the actual filename or folder name you want to whitelist.
# Whitelist a specific js file in the uploads folder: example.js
#RewriteRule ^example.js$ - [L]
# Whitelist an entire folder in the uploads folder: /uploads/example-folder/
#RewriteRule ^example-folder/.*$ - [L]
# END WHITELIST
#
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$ [NC]
RewriteRule ^(.*)$ - [F]

# FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
<FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
Order Allow,Deny
Deny from all
</FilesMatch>

[AITpro Admin]

@ Rami M –

1. Copy and paste your entire Uploads .htaccess file code below into the CUSTOM CODE UAEG text box on the BPS Custom Code tab page under the UAEG htaccess File Custom Code accordion tab button.
2. Click the Save UAEG Custom Code button to save your UAEG custom code.
3. Go to the Security Modes page and click the UAEG BulletProof Mode Activate button.

# BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
#
# BPS LiteSpeed mod_rewrite
#
# BEGIN WHITELIST
# Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
# of the whitelist rule you want to use and add the actual filename or folder name you want to whitelist.
# Whitelist a specific js file in the uploads folder: example.js
#RewriteRule ^example.js$ – [L]
# Whitelist an entire folder in the uploads folder: /uploads/example-folder/
RewriteRule ^astra-addon/.*$ – [L]
# END WHITELIST
#
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$ [NC]
RewriteRule ^(.*)$ – [F]

# FORBID PHP FILES DISGUISED AS AN IMAGE FILE – example.php.jpg – example.PHP.jpg
<FilesMatch “\.(php|PHP|\.+(php)|\.+(PHP)).*$”>
Order Allow,Deny
Deny from all
</FilesMatch>

[Rami M]

This quality and response time is premium. Many thanks.

One more thing, I see PHP Error Log Path Does Not Match error message. Couldn’t find a way to fix that using the link in the tooltip.

[AITpro Admin]

@ Rami M – What do you see for “Error Log Path Seen by Server” on the PHP Error Log page?

[Rami M]

ini_set PHP Error Log Location (Recommended): /home/…/public_html/wp-content/bps-backup/logs/bps_php_error.log

PHP Error Log Location Set To:
/home/…/public_html/wp-content/bps-backup/logs/bps_php_error.log

Error Log Path Seen by Server: error_log

Thanks again.

 

[AITpro Admin]

@ Rami M – Ok use your host server default PHP Error Log variable:  error_log. Copy: error_log into the PHP Error Log Location Set To text box and click the Set Error Log Location button.

[Rami M]

Brilliant!

Now I’m seeing some PhP errors mentioning “bulletproof-security/includes…” on the log. Should I post them here or send them via support form?

Thanks

[AITpro Admin]

@ Rami M – If they are are “Notice” PHP errors you can ignore them.  Also on first time setup of BPS Pro there can be a couple of PHP errors.  If the PHP errors only happened once then ignore them.  If the PHP errors are occurring repeatedly then post them in your forum reply.

Related Forum Topic:  https://forum.ait-pro.com/forums/topic/how-to-troubleshoot-php-errors-php-errors-in-your-php-error-log/

[Rami M]

Thanks a million!

[Rami M]

Hi,

Not sure if this has to do with the custom codes or PBS Pro. Hope you can help.

After applying the code above, I see no warnings related to Astra in the security log. But I noticed today when I inspect elements on front-end using Chrome, I got these in console:

(index):1 Refused to apply style from 'https://....com/wp-content/uploads/astra-addon/astra-addon-5cd5bc506db0c8-78247854.css?ver=1.8.1' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.

astra-addon-5cd5bc507019d0-53063167.js:1 Failed to load resource: the server responded with a status of 404 ()
(index):1 Refused to apply style from 'https://....com/wp-content/uploads/astra-addon/astra-addon-5cd5bc506db0c8-78247854.css?ver=1.8.1' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.

MIME sniffing|Drive-by Download Attack + with the External iFrame|Clickjacking Bonus Custom Codes added + LiteSpeed Cache server

[AITpro Admin]

Rami M – This problem is not being caused by BPS.  Do some Google searches for the error message – “because its MIME type (‘text/html’) is not a supported stylesheet MIME type, and strict MIME checking is enabled.” This StackOverflow topic has several things that could be causing the problem > https://stackoverflow.com/questions/48248832/stylesheet-not-loaded-because-of-mime-type

[Rami M]

Thanks a million. Your response time and quality are one of the best I have seen.

[Author]

Posts