W3TC Minify problem



Viewing 12 posts - 16 through 27 (of 27 total)
    Arpan Das

    I was not notified. Thanks…

    Arpan Das

    My WordPress installation is in public_html/w3epic.com. I tried both with "...REQUEST_URI} ^/w3epic.com/wp-content/c..." and without. Still getting error logs…

    AITpro Admin

    Then try these things below. This may or may not work due to the fact that minifying causes a lot of very undesirable results. Your scripts are combined and cached in a way that the original source of the actual scripts becomes unknown to other plugins, site, themes, etc. unless you create additional custom code to handle this undesirable issue/problem.

    Try creating a skip/bypass rule for the w3tc plugin folder.

    # W3TC Minify skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/w3-total-cache/ [NC]
    RewriteRule . - [S=13]

    Try whitelisting the w3tc minify.php file in the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS code

    RewriteCond %{REQUEST_URI} (minify\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

    Try whitelisting all .js scripts in the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS code

    RewriteCond %{REQUEST_URI} (.*\.js|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

    Try creating a bypass RewriteRule for W3TC Minify

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    # W3TC minify bypass
    RewriteRule ^minify/ - [L]

    Exclude certain js scripts or all js scripts from being minified in the W3TC plugin settings.

    Do not use W3TC Minify for js scripts

    Arpan Das

    I disabled JS minification in W3TC. Above code worked – errors gone.

    Thank you AITpro Admin.


    Sorry to chime in late on this but I think the issue has nothing to do with what has been previously mentioned in this topic. W3TC’s cache minify folder contains its own .htaccess file to rewrite requests like


    The relative url conflicts with the following rule in BPS’s root htaccess folder. A temporary workaround for this would be to change all the relative urls in W3TC’s htaccess files to absolute urls.
    RedirectMatch 403 /\..*$

    AITpro Admin

    This rule says to block access to files or folders that start with a dot.

    RedirectMatch 403 /\..*$

    Examples of what this rule blocks:
    .htaccess – file
    .htpasswd – file
    .error-logs – folder
    .example-folder – folder

    This security filter protects against Directory Traversal attacks and could be the cause of the block if the relative URLs are seen as a Directory Traversal attack.

    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]

    Also just an FYI – the Path/Directory Traversal security filter above is pending additional URL encoding filters added to it.


    URL encoding and double URL encoding

    %2e%2e%2f represents ../
    %2e%2e/ represents ../
    ..%2f represents ../
    %2e%2e%5c represents ..\
    %2e%2e\ represents ..\
    ..%5c represents ..\
    %252e%252e%255c represents ..\
    ..%255c represents ..\ and so on.
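The encodings listed in the post above matter because Apache's `%{QUERY_STRING}` is matched without percent-decoding. The following Python model is an added example, not BPS code and not an .htaccess rule: it compares the quoted filter on the raw string with a check that decodes first. The function names and the three-round decode limit are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# The filter quoted in the thread, applied to the raw (undecoded) query string.
RAW_FILTER = re.compile(r"(\.\./|\.\.)")
# After decoding, look for ".." followed by either path separator.
DECODED_FILTER = re.compile(r"\.\.[/\\]")

# The eight encodings listed in the post (sample strings taken from the page).
SAMPLES = [
    "%2e%2e%2f", "%2e%2e/", "..%2f",
    "%2e%2e%5c", "%2e%2e\\", "..%5c",
    "%252e%252e%255c", "..%255c",
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def raw_filter_hits(query_string):
    """True if the quoted regex matches the query string as received."""
    return bool(RAW_FILTER.search(query_string))

def normalized_hits(query_string):
    """True if a traversal sequence appears once encoding layers are removed."""
    return bool(DECODED_FILTER.search(decode_fully(query_string)))

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:18} raw={raw_filter_hits(s)!s:5} decoded={normalized_hits(s)}")
```
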

    Thanks for the response AITpro.

    This is getting a little out of my depth here. I’ve tested the removal of the filter for directory traversal and the 403 error is still present. Removing just the 403 redirection rule produces the 200 (logically), and replacing the relative urls with absolute urls works too.

    Here’s the full rewrite code from the minify htaccess file

    RewriteEngine On
    RewriteBase /blog/wp-content/cache/minify/
    RewriteRule /w3tc_rewrite_test$ ../../plugins/w3-total-cache/pub/minify.php?w3tc_rewrite_test=1 [L]
    RewriteCond %{HTTP:Accept-Encoding} gzip
    RewriteRule .* - [E=APPEND_EXT:.gzip]
    RewriteRule (.*) $1%{ENV:APPEND_EXT} [L]
    RewriteRule ^(.+/[X]+\.css)$ ../../plugins/w3-total-cache/pub/minify.php?test_file=$1 [L]
    RewriteRule ^(.+\.(css|js))$ ../../plugins/w3-total-cache/pub/minify.php?file=$1 [L]

    hope this helps

    AITpro Admin

    Ok if it works then it works, but it does not make any sense to me why that would work.  When I have some spare time I will figure out exactly what is going on.  Thanks for the info.


    Cool, thanks. Send me an email if you need any more info

    AITpro Admin

    OMG Brainfart – of course  /\..*  matches /../plugins/w3-total-cache/pub/minify.php?test_file=$1 [L]

    \.[h] - will only match files starting with .h
    \.[h]+[t] or \.h[t] - will match files starting with .ht
    \.[hel]+[tro] - would match .htaccess, .htpasswd and folders named .errordocs and .logs

    So this is probably the better method to use to allow folks to add additional folder or file names. This rule will be changed in the next BPS version release. And the Path / Directory Traversal rule / filter would NOT block the W3TC relative URL since it is not a Query String.


    Awesome, thanks AITpro

    AITpro Admin

    We decided that this rule should be very specific and did not use any of the code above because during testing we discovered that “ht” would also block htm and html.  Now that would have been a serious disaster.  LOL

    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
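The three dot-file rules discussed in this thread can be compared side by side. This is an added example, not code from BPS or W3TC: it uses Python's `re.search` as a stand-in for RedirectMatch's unanchored regex match, and the sample paths are constructed. The second sample joins the RewriteBase and relative substitution from the minify .htaccess posted earlier, which is an assumption about the path the rule was tested against, following AITpro's explanation.

```python
import re

# Regexes quoted in the thread; names are labels chosen for this example.
RULES = {
    "original": re.compile(r"/\..*$"),
    "character-class": re.compile(r"\.[hel]+[tro]"),
    "final": re.compile(r"\.(htaccess|htpasswd|errordocs|logs)$"),
}

# Values from the minify .htaccess posted in the thread.
REWRITE_BASE = "/blog/wp-content/cache/minify/"
SUBSTITUTION = "../../plugins/w3-total-cache/pub/minify.php"

# Constructed sample URL paths.
SAMPLES = [
    "/wp-content/.htaccess",
    REWRITE_BASE + SUBSTITUTION,
    "/about.html",
    "/index.htm",
    "/.logs/debug.txt",
]

def blocked_by(path):
    """Return the names of the rules whose regex matches this URL path."""
    return {name for name, rx in RULES.items() if rx.search(path)}

if __name__ == "__main__":
    for p in SAMPLES:
        hits = ", ".join(sorted(blocked_by(p))) or "none"
        print(f"{p:75} 403 from: {hits}")
```

The last sample shows that the final rule, being anchored with `$`, matches only a path that ends in one of the four names, so a file inside a dot folder is not matched by it.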