This is an older Post that is outdated. A new Forum Topic has been created here: http://forum.ait-pro.com/forums/topic/plugin-conflicts-actively-blocked-plugins-plugin-compatibility/
There are 21,618 plugins in the WordPress Plugin Repository as of 10/4/2012 and that number grows every day. There are probably thousands of Premium WordPress Plugins available around the Internet.
The reason this is worth pointing out is that only around 30-40 Plugin issues require a simple skip/bypass rule, which is a relatively low number considering the total number of Plugins available.
BPS is a Security Plugin – the standard WP term “Plugin Conflict” is equal to “Actively Blocking” when “Fixing” Plugin Issues
Plugins that have been tested with BPS, plugins waiting to be tested with BPS, .htaccess plugin skip/bypass rule “fixes”, Custom PHP Application “fixes” and other miscellaneous issues, fixes and solutions are listed here. Most plugin “conflicts” or issues require only a simple .htaccess skip/bypass rule: either the plugin is doing something that BPS is blocking because it appears unsafe to BPS, or in some cases the plugin is actually using an unsafe coding practice. If you need to apply an .htaccess skip rule this does not mean that your website is less secure once that skip rule is added, and it does not necessarily mean there is anything wrong with the coding in the other plugin.
The general idea is that the default BPS security filters start from the highest and most secure website security protection settings possible, and if you need to allow a particular plugin to do what it needs to do then a simple skip/bypass rule can easily be added. There are now over 21,000 plugins in the WordPress Plugin Repository, so I am actually very surprised that the number of skip/bypass “fix” rules on this page is so low. BPS Pro has several layers of overlapping security protection, and BPS Free also has overlapping security protection, to compensate for allowing any .htaccess plugin skip rules. Adding a skip/bypass rule is completely safe to do.
All plugin issues or “conflicts” go through thorough security testing before an official “fix” is released. New plugin “fixes” can be added manually to your current version of BPS if you are having a problem with a plugin listed on this page or another miscellaneous issue and the fix has not yet been added to the latest version of BPS. If you are using a plugin that is not playing nice or is being blocked by BPS, then please add a comment here with the plugin name, the author’s name and the version of the plugin, and that plugin will be added to the list to be tested ASAP. Please perform general troubleshooting steps first, such as refreshing your browser, clearing your browser cache and making sure your ISP connection does not have a problem, before submitting an issue. Thank you.
IMPORTANT! Ongoing problem since at least 2002 – Broken cPanel HotLink Protection Tool
Problem: If you are unable to create .htaccess files with AutoMagic or edit .htaccess files with the built-in editor or you are seeing 404 errors when trying to edit .htaccess files or use AutoMagic and Quarantine does not work period then your site is using the broken cPanel HotLink Protection Tool. It has been broken since 2008 and it also breaks many other WordPress features such as the Plugin Editor and too many other things in WordPress to list here.
Solution: There is only one way to block the broken cPanel HotLink Protection tool, since enabling and disabling it is also broken – you cannot turn it off. You need to lock your Root .htaccess file with F-Lock, log into cPanel and delete all code that you see in the HotLink Protection window. If you unlock your Root .htaccess file at a later time and WordPress, BPS and ARQ stop working correctly again, then you will need to repeat these steps to fix the problem again, as this broken tool will probably do the same thing again as soon as your Root .htaccess file is unlocked.
NOTE: As of BPS Pro 5.1.5 and BPS .46.9 you can add custom .htaccess code and plugin fixes to the Custom Code feature. This feature allows you to permanently save any custom .htaccess code and plugin fixes permanently to your WP Database so that your custom .htaccess code and plugin fixes will be automatically written to your .htaccess files when you use AutoMagic and activate BulletProof Mode for your Root folder. The wp-admin Custom Code feature adds your custom code to the wp-admin .htaccess file when you activate BulletProof Mode for your wp-admin folder.
BulletProof Security CAN be installed if you are using an IIS6 or IIS7 server for web hosting, BUT DO NOT ever activate BulletProof Modes on an IIS6 or IIS7 server. You can use the additional features in BPS, but mod_rewrite does not work on IIS6 or IIS7 servers. There are several prerequisites for an IIS7 server: you can install the URL Rewrite Module for IIS7 and create a web.config file in place of the root .htaccess file. This would of course require that you modify the coding in BPS to look for the root web.config file instead of the root .htaccess file. You could then use the built-in File Editor to edit your web.config file. If you are not familiar with what is required for an IIS7 server and “mod_rewriting” then click here >>> WordPress Codex using Permalinks without mod_rewrite.
INTesting = a possible conflict was reported – plugin is in testing
Testing PR = a conflict was found and a workaround may exist. A permanent fix may or may not be pending.
Tested NC = the plugin was tested and No existing conflicts were found.
PUDV = the plugin was tested, but is either not working correctly, has a coding problem or has another coding conflict issue. A fix may or may not have been created – Pending User Verification or Developer verification of the coding mistake or bug fix.
DCON = Direct conflict with BPS (may also be dangerous / not safe to use) – recommended action is to contact the plugin Developer to fix the coding mistakes and/or bugs or delete the plugin.
DCONTesting = direct conflict with BPS
Resolved = a conflict was found and a solution has been created. Premium plugin fixes will not automatically be included in BPS Pro and BPS Free .htaccess coding and do require that you manually add the .htaccess code solution to your root .htaccess file.
NI = Non Issue or Not an Issue
SF = similar functionality – ie another security plugin that performs security functions. Possible conflicting security functions or overlapping functions.
NF = New Fix
NLIC = no longer an issue or conflict or the new BPS .htaccess code permanently resolves this issue. NLIC issues are automatically and permanently included in each new version of BPS Pro and BPS Free that is released.
Pro = the conflict and solution applies to only BPS Pro and does not apply to BPS Free.
Plugin Name | Plugin Author | Plugin Version | Status |
W3 Total Cache | fredericktownes | All | NLIC |
WP-Cache | gallir | All | Tested NC |
WP Super Cache | donncha, automattic | All | NLIC |
BuddyPress – member log out | multiple authors | All | NLIC |
BuddyPress – delete Topics | multiple authors | All | Resolved |
Status Updater | Francesco Castaldo | All | NLIC |
Adminer | bueltge | All | NLIC |
Peter’s Custom Anti-Spam Image | pkthree | All | NLIC |
Stream Video Player | Rodrigo Polo | All | NLIC |
XCloner | xcloner | All | NLIC |
XCloner – Cron Job Only | xcloner | All | Resolved–Pro |
BackUpWordPress | multiple authors | All | Resolved |
Juicebox | unknown | All | Resolved |
Link Cloaking Plugin | whiteshadow | All | Resolved |
MyArcadePlugin Lite | MyArcadePlugin | All | Resolved |
Google Analytics Dashboard | Carson McDonald | All | Resolved |
WordPress SEO by Yoast | joostdevalk | All | Resolved |
User Avatar | multiple authors | All | Resolved |
wp-greet | tuxlog, woodstock | All | Resolved |
WP-Invoice | multiple authors | All | Resolved |
WP-DBManager | GamerZ | All | Resolved–Pro |
EZPZ One Click Backup | EZPZSolutions | All | Resolved–Pro |
SecureDL | Premium paid plugin | All | Resolved–Pro |
S2Member | Premium paid plugin | All | Resolved |
Shopp e-commerce | Premium paid plugin | All | Resolved |
DisplayBuddy – Video Showcase | Premium paid plugin | All | Resolved |
Cart66 | Premium paid plugin | All | Resolved |
Digi Auto Links | Premium paid plugin | All | Resolved |
RSS Link Bomber | Premium paid plugin | All | Resolved |
WP Twin AUTO BACKUP | Premium paid plugin | All | Resolved |
WP Twin – Clone | Premium paid plugin | All | Resolved |
WP PDF Stamper | Premium paid plugin | All | Resolved–Pro |
WP Whats My Rank | Premium paid plugin | All | Resolved–Pro |
Ad Trackz Gold | Premium paid plugin | All | Resolved–Pro |
BackupBuddy | Premium paid plugin | All | Resolved–Pro |
Full Screen Background Images Pro | Premium paid plugin | All | Resolved |
phpBay Pro | Premium paid plugin | All | Resolved |
tribulant – Shopping Cart | Premium paid plugin | All | Resolved |
Other Issues – WP Theme, Custom Apps or miscellaneous issues | Status |
.htaccess code is disappearing automatically – multiple instances of the default WordPress .htaccess code are appearing | Resolved |
All Login Password Reset or Redirect problems | NLIC |
GeoTheme – Geolocation Map 403 Error | Resolved |
Atahualpa Theme – Export / Download blocked by BPS | Resolved |
BPS menus or other CSS – visual look or menus not displaying correctly | General Fix |
PayPal IPN or PDT scripts – NO conflicts exist | Tested NC |
WPMU – multisite plugins – network plugins – General Fix | General Fix |
Plugin 403 Forbidden Errors | General Fix |
Infinite .htaccess Loops – not necessarily related to BPS | General Fix |
SquirrelCart PHP Shopping Cart | Resolved |
Custom Applications outside of WordPress – 3rd Party Apps – General Fix | Resolved |
“You don’t have permission to access /wp-admin/media-upload.php on this server.” – media-upload.php 403 Error | Resolved |
Nocturnal Theme mp3 audio files not playing | Resolved |
NEW PLUGIN FIXES METHODS – As of BPS .46.5 – The way Rules & Rulesets are processed has changed significantly
SQL Injection Filtering
Any SQL Injection fixes are no longer necessary, as a pre-filter has been added to all filtered SQL commands. This means that words / commands that were blocked before are no longer blocked on their own. Example: the word / command “union” is no longer blocked / forbidden; now “; union”, with a semicolon in front of it or with any of the other pre-filter characters in front of it, would be blocked. The pre-filter contains characters that are used in SQL Injection attacks.
Plugin Fixes
To fix a plugin conflict, or to stop BPS from blocking something a particular plugin needs to do, the new method of adding an .htaccess Skip rule resolves any plugin conflict or issue. The key concept is that the .htaccess Skip rules go in descending order and the Skip number order is very important. As of BPS Pro 5.1.5 and BPS free .46.9 you can add personal plugin fixes to Custom Code to save them permanently.
The example below shows the new section of code in the BPS Root .htaccess file that deals with plugin conflicts. In this example I have added a fictitious plugin fix for a plugin called “example-plugin-fix”. Because I added the plugin fix after the “Comment Spam Pack MU Plugin” fix, there is now one more RewriteRule in this section of .htaccess code, so the 2 plugin fixes that come before (above) the new RewriteRule need their Skip rule numbers increased by 1 to skip the additional example RewriteRule. The Example Plugin Fix is S=11. The RewriteRule that was S=11 is now changed to S=12 and the RewriteRule above it is now changed to S=13. An .htaccess Skip rule skips the number of RewriteRules that you tell it to skip. If you count down the RewriteRules in the actual root .htaccess file for your website, you will see that the Skip rules make each plugin fix skip all the RewriteRules that deal with the other plugin fixes, the thumbnailer Forbid RewriteRule and the Query String Exploits filter RewriteRule, and go directly to the WordPress RewriteRule, bypassing every RewriteRule that comes before it.
This .htaccess code below is .htaccess code that is included as of BPS Pro 5.1.3 and BPS .46.8. As of BPS Pro 5.1.5 and BPS .46.9 you can now use the Custom Code feature in BPS and BPS Pro to add additional plugin fixes automagically.
# PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
# IMPORTANT!!! If you add or remove a skip rule you must change the S= number to the new skip number
# Examples: If RewriteRule S=5 is deleted then change S=6 to S=5, S=7 to S=6, etc.
# If you add a new skip rule above S=12 it will be skip rule S=13
# Adminer MySQL management tool data populate
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=13]
# Comment Spam Pack MU Plugin - CAPTCHA images not displaying
RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
RewriteRule . - [S=12]
# Example Plugin Fix - Just an example of how to add a new plugin fix
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/example-plugin-fix/ [NC]
RewriteRule . - [S=11]
# Peters Custom Anti-Spam display CAPTCHA Image
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
RewriteRule . - [S=10]
# Status Updater plugin fb connect
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
RewriteRule . - [S=9]
# Stream Video Player - Adding FLV Videos Blocked
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
RewriteRule . - [S=8]
# XCloner 404 or 403 error when updating settings
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
RewriteRule . - [S=7]
# BuddyPress Logout Redirect
RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
RewriteRule . - [S=6]
# redirect_to=
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
RewriteRule . - [S=5]
# Login Plugins Password Reset And Redirect 1
RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
RewriteRule . - [S=4]
# Login Plugins Password Reset And Redirect 2
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=3]
# TIMTHUMB FORBID RFI BY HOST NAME BUT ALLOW INTERNAL REQUESTS
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]
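The renumbering rule described above (each skip rule's S= value is the number of RewriteRule directives that follow it before the WordPress RewriteRule) as an added example, not code from BPS: a small Python helper that checks a skip-rule section, renumbers it, and inserts a new plugin fix the way the example-plugin-fix was inserted above. The sample section is constructed from the block above with the Example Plugin Fix removed, the TimThumb host list shortened, and a stand-in for the Query String Exploits filter, which this page mentions but does not show.

```python
import re

# A BPS skip rule is "RewriteRule <pattern> - [S=N]": dash target, only the S flag.
SKIP_RE = re.compile(r"^(\s*RewriteRule\s+\S+\s+-\s+\[)S=\d+(\]\s*)$")
RULE_RE = re.compile(r"^\s*RewriteRule\b")


def rule_line_numbers(lines):
    """Indexes of every RewriteRule directive. RewriteCond lines do not count:
    the S flag skips the next N RewriteRule directives; their conditions ride along."""
    return [i for i, line in enumerate(lines) if RULE_RE.match(line)]


def expected_skips(lines):
    """{line index: correct S value}: each skip rule must jump past every RewriteRule
    that follows it in the section, landing on the WordPress rule just after it."""
    rules = rule_line_numbers(lines)
    return {i: len(rules) - pos - 1 for pos, i in enumerate(rules) if SKIP_RE.match(lines[i])}


def renumber_skip_rules(section):
    """Rewrite every S= value. The section must end right before the WordPress
    RewriteRule (that rule itself is not part of the count)."""
    lines = section.splitlines()
    for i, n in expected_skips(lines).items():
        m = SKIP_RE.match(lines[i])
        lines[i] = f"{m.group(1)}S={n}{m.group(2)}"
    return "\n".join(lines)


def skip_mismatches(section):
    """(1-based line, found, expected) for every skip rule whose S= number is wrong."""
    lines = section.splitlines()
    bad = []
    for i, n in expected_skips(lines).items():
        found = int(re.search(r"S=(\d+)", lines[i]).group(1))
        if found != n:
            bad.append((i + 1, found, n))
    return bad


def add_plugin_fix(section, after_comment, comment, uri_prefix):
    """Insert a REQUEST_URI skip rule right after the fix whose comment line starts
    with `after_comment`, then renumber: every skip rule above the new one grows by 1."""
    lines = section.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(after_comment):
            j = i + 1
            while not RULE_RE.match(lines[j]):  # that fix's own RewriteRule line
                j += 1
            lines[j + 1:j + 1] = [f"# {comment}",
                                  f"RewriteCond %{{REQUEST_URI}} {uri_prefix} [NC]",
                                  "RewriteRule . - [S=0]"]  # S set by renumbering
            return renumber_skip_rules("\n".join(lines))
    raise ValueError(f"no plugin fix starting with {after_comment!r}")


# Constructed sample: the skip-rule section shown above with the Example Plugin Fix
# removed, the TimThumb host list shortened, and a stand-in Query String Exploits rule.
SECTION = r"""# Adminer MySQL management tool data populate
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=12]
# Comment Spam Pack MU Plugin - CAPTCHA images not displaying
RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
RewriteRule . - [S=11]
# Peters Custom Anti-Spam display CAPTCHA Image
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
RewriteRule . - [S=10]
# Status Updater plugin fb connect
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
RewriteRule . - [S=9]
# Stream Video Player - Adding FLV Videos Blocked
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
RewriteRule . - [S=8]
# XCloner 404 or 403 error when updating settings
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
RewriteRule . - [S=7]
# BuddyPress Logout Redirect
RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
RewriteRule . - [S=6]
# redirect_to=
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
RewriteRule . - [S=5]
# Login Plugins Password Reset And Redirect 1
RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
RewriteRule . - [S=4]
# Login Plugins Password Reset And Redirect 2
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=3]
# TIMTHUMB FORBID RFI BY HOST NAME BUT ALLOW INTERNAL REQUESTS (host list shortened)
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]
# QUERY STRING EXPLOITS (constructed stand-in for the BPS filter, not its real code)
RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC]
RewriteRule ^(.*)$ - [F,L]"""
```

Running add_plugin_fix on SECTION with the example-plugin-fix inserted after the Comment Spam Pack fix reproduces the S=13 / S=12 / S=11 numbering shown above, and skip_mismatches reports any hand-edited file whose S= numbers no longer reach the WordPress rule.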
Permanent Fixes For Plugin Conflicts with BPS
As of BPS .46.5 and BPS Pro 5.1 the Master (AutoMagic) .htaccess code automatically permanently resolves several plugin conflicts that previously existed. The “Other Issues – WP Theme or other miscellaneous issue” section of this help page may still apply in some cases and have been highlighted if they still apply to the new version of BPS.
W3TC – specific .htaccess code checking and messaging – included as of BPS .45.8
BPS will display W3TC-specific error warning messages when W3TC .htaccess code needs to be updated. Not confirmed / possible issues with CDN / CloudFlare or eAccelerator. Symptoms: random pop-up messages similar to “Are you sure you want to do this?” with no confirm button. This may or may not be related to BPS.
WPSC – specific .htaccess code checking and messaging – included as of BPS .45.8
BPS will display WPSC-specific error warning messages when WPSC .htaccess code needs to be updated.
BuddyPress – BuddyPress Member log out does not log Members out – included as of BPS .45.8
Permanent .htaccess bypass / skip rule as of BPS .45.8. This fix requires that WordPress 3.0.4 is installed. This fix will NOT work with versions of WordPress older than 3.0.4.
# BuddyPress Logout Redirect
RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
RewriteRule . - [S=6]
BuddyPress – 403 Error when trying to Trash/delete Topics
BuddyPress calls the /wp-admin/post.php file to perform several tasks such as Trashing/deleting Topics. Add the wp-admin .htaccess bypass / skip rule below to the wp-admin Custom Code box – CUSTOM CODE WPADMIN PLUGIN FIXES: and then activate BulletProof Mode for your wp-admin folder again. The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1]. This bypass / skip rule is safe to use because the wp-admin area is protected with WP Authentication security.
post.php skip/bypass rule
# BuddyPress skip/bypass rule
RewriteCond %{REQUEST_URI} (post\.php) [NC]
RewriteRule . - [S=2]
Status Updater – FB and Twitter posts not updating – Cron jobs not running – included as of BPS .46.1
Permanent .htaccess bypass / skip rule as of BPS .46.1.
# Status Updater plugin fb connect
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
RewriteRule . - [S=9]
Adminer BPS conflict fix – included as of BPS .46.1
Permanent .htaccess bypass / skip rule as of BPS .46.1.
# Adminer MySQL management tool BPS conflict fix
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=12]
Peter’s Custom Anti-Spam Image plugin – included as of BPS .46.1
Permanent .htaccess bypass / skip rule as of BPS .46.1.
# Peters Custom Anti-Spam Image fix
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
RewriteRule . - [S=10]
Stream Video Player – Unable to Add FLV Videos – 404 or 403 Errors – included as of BPS .46.1
Permanent .htaccess bypass / skip rule as of BPS .46.1.
# Stream Video Player - Adding FLV Video Blocked By BPS
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
RewriteRule . - [S=8]
XCloner – Settings page update causes a 404 or 403 error – included as of BPS .46.2
Permanent .htaccess bypass / skip rule as of BPS .46.2.
# XCloner 404 or 403 error when updating settings
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
RewriteRule . - [S=7]
XCloner – Cron Jobs not working – BPS Pro ONLY
The custom php.ini file that comes with BPS Pro has register_argc_argv turned Off by default >>> register_argc_argv = Off. For Cron jobs to work correctly change the register_argc_argv setting to On >>> register_argc_argv = On.
BackUpWordPress – WP-Cron 302 or 403 response/error
The BackUpWordPress plugin makes a HEAD request to verify that the site is up. The BPS Request Method nuisance filter will block that HEAD request. Remove HEAD from the nuisance filter, as shown in the filter below.
# REQUEST METHODS FILTERED
# This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
# HEAD requests from bots that you want to allow in certain cases. This is not a security filter and is just
# a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
# all bots to make a HEAD request then remove HEAD from the Request Method filter.
# The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]
Juicebox – 403 error when trying to insert Juicebox Gallery
A simple .htaccess skip rule fixes this issue. Copy and paste the .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor. As of BPS Pro 5.1.5 and BPS free .46.9 you can add personal plugin fixes to Custom Code to save them permanently. Copy this .htaccess code to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, click the secure.htaccess AutoMagic button and then activate BulletProof Mode for your Root folder.
# Juicebox skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-juicebox/ [NC]
RewriteRule . - [S=13]
Link Cloaking plugin – Removes/overwrites BPS .htaccess code on plugin activation
Activate the Link Cloaking plugin to get the .htaccess code that it creates in your Root .htaccess file. Go to the Edit/Upload/Download page and copy the Link Cloaking plugin’s .htaccess code (# Link Cloaker Plugin BEGIN to # Link Cloaker Plugin ENDS) and then go to BPS Custom Code and paste the .htaccess code in the Root .htaccess File # CUSTOM CODE BOTTOM text box and click the Save Root Custom Code button. Next go to the Security Modes page and click the AutoMagic buttons and activate BulletProof Mode for your Root folder. The Link Cloaker plugin’s .htaccess code will be included in your root .htaccess file coding.
MyArcadePlugin Lite – Unable to import a Flash SWF file – 403 Forbidden Error
A simple .htaccess skip rule fixes this issue. Copy and paste the .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor. As of BPS Pro 5.1.5 and BPS free .46.9 you can add personal plugin fixes to Custom Code to save them permanently. Copy this .htaccess code to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, click the secure.htaccess AutoMagic button and then activate BulletProof Mode for your Root folder.
# MyArcadePlugin Lite SWF Import fix
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/myarcadeblog/ [NC]
RewriteRule . - [S=13]
Google Analytics Dashboard – Google Analytics data will not load.
There are 2 things that are blocked:
1. Parenthesis characters in Query strings are blocked: edit your Root .htaccess file and remove the parenthesis characters from the security filter as shown below.
2. The admin-ajax.php file call is blocked: add the wp-admin .htaccess bypass / skip rule below to the wp-admin Custom Code box – CUSTOM CODE WPADMIN PLUGIN FIXES: and then activate BulletProof Mode for your wp-admin folder again. The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1]. This bypass / skip rule is safe to use because the wp-admin area is protected with WP Authentication security.
Remove parenthesis characters in this root .htaccess security filter
Before modification
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
After modification
RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
admin-ajax.php skip/bypass rule
# Google Analytics Dashboard skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]
WordPress SEO by Yoast – unable to connect to Facebook OpenGraph – generates a 403 error
Add this skip/bypass rule to BPS Custom Code in the CUSTOM CODE WPADMIN PLUGIN FIXES: text box and activate BulletProof Mode for your wp-admin folder.
# Yoast Facebook OpenGraph skip/bypass
RewriteCond %{QUERY_STRING} page=wpseo_social&key=(.*) [NC]
RewriteRule . - [S=2]
User Avatar – avatar images are no longer displaying for custom images – 403 error
Edit your root .htaccess file with the BPS built-in editor, find the timthumb .htaccess code and add the user-avatar-pic.php file to the image thumbnailer (timthumb) skip/bypass rule, as shown below.
# TimThumb Forbid RFI By Host Name But Allow Internal Requests
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (user-avatar-pic\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]
wp-greet – postcard gallery / postcard sending form not working
Copy this .htaccess code below to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, click the secure.htaccess AutoMagic button and then activate BulletProof Mode for your Root folder.
# WP-Greet skip/bypass rule
RewriteCond %{QUERY_STRING} gallery=([0-9]+)&image=(.*) [NC]
RewriteRule . - [S=13]
WP-Invoice – Updating / editing an Invoice generates a 403 error
Requires 2 .htaccess skip rules – 1 in your Root .htaccess file and 1 in your wp-admin .htaccess file. Copy and paste the .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor. This .htaccess code should be added to your root .htaccess file before skip rule 12 [S=12]. As of BPS Pro 5.1.5 and BPS free .46.9 you can add personal plugin fixes to Custom Code to save them permanently. Copy this .htaccess code to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, click the secure.htaccess AutoMagic button and then activate BulletProof Mode for your Root folder.
# WP-Invoice query string Root skip rule
RewriteCond %{QUERY_STRING} page=wpi_(.*) [NC]
RewriteRule . - [S=13]
Copy and paste the .htaccess code below to Your Current wp-admin htaccess File using the built-in BPS File Editor. This .htaccess code solution goes after the # REQUEST METHODS FILTERED .htaccess code and before the start of the block of BPS security filters (RewriteCond %{HTTP_USER_AGENT} …) in your wp-admin .htaccess file (not your Root .htaccess file). As of BPS Pro 5.1.5 and BPS free .46.9 you can add personal plugin fixes to Custom Code to save them permanently. Add this fix to the CUSTOM CODE WPADMIN PLUGIN FIXES: text box and activate BulletProof Mode for your wp-admin folder.
# WP-Invoice query string wp-admin skip rule
RewriteCond %{QUERY_STRING} page=wpi_(.*) [NC]
RewriteRule . - [S=2]
WP Remote – 403 HTTP Status Error – remote backups fail – As of BPS .47.7 this fix is no longer necessary – solution: upgrade to BPS .47.7
The security filter below in the root .htaccess file will block WP Remote backups. If you see a 403 error in your WP Remote account then comment out this security filter with a pound sign # as shown below in the root .htaccess file of each site that you are trying to connect to remotely.
# RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
WP-DBManager – Automatic backups not working – BPS Pro ONLY
The custom php.ini file that comes with BPS Pro has these php functions disabled by default in the disable_functions directive >>> disable_functions = system, exec, passthru, shell_exec, show_source, popen, pclose, pcntl_exec. WP-DBManager uses the system, exec and passthru functions. To allow these php functions to be enabled / allowed on your website remove them from the disable_functions directive in your custom php.ini file >>> disable_functions = shell_exec, show_source, popen, pclose, pcntl_exec.
EZPZ One Click Backup – Backups not working – BPS Pro ONLY
The custom php.ini file that comes with BPS Pro has these php functions disabled by default in the disable_functions directive >>> disable_functions = system, exec, passthru, shell_exec, show_source, popen, pclose, pcntl_exec. EZPZ uses the exec function. To allow the php function to be enabled / allowed on your website remove it from the disable_functions directive in your custom php.ini file >>> disable_functions = system, passthru, shell_exec, show_source, popen, pclose, pcntl_exec.
Click Heat Dynamo – Premium plugin – Heat Map is not displaying correctly – Heat Map overlay is not shown – As of BPS .47.7 this fix is no longer necessary – solution: upgrade to BPS .47.7
The Click Heat Dynamo plugin needs these 2 root .htaccess file security filters to be modified as shown below.
Before modification
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
After modification
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
SecureDL – secure downloading plugin – Downloads are not working – file name is public_html – BPS Pro ONLY
Symptoms / problem: You are seeing files named public_html instead of the file name that you should be seeing in the download. The custom php.ini file that comes with BPS Pro has allow_url_fopen turned Off by default >>> allow_url_fopen = Off. SecureDL uses a URL fopen technique in order to securely download files. To allow the URL fopen download technique to work correctly change the allow_url_fopen setting to On >>> allow_url_fopen = On.
S2Member – protected page generating 403 Forbidden errors – Premium plugin
A simple .htaccess skip rule fixes this issue. Copy and paste the .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor. Add the actual path to your S2Member protected page, using the fix below as a general example. The S= # is very important: it is an .htaccess Skip rule. The skip rules are in descending order S=12, S=11, S=10, etc. and this number order is very important. If you add a plugin fix above Skip rule #11 (S=11) then your new skip rule will be S=12. If you add another skip rule above S=12 it will be S=13. As of BPS Pro 5.1.5 and BPS free .46.9 you can add personal plugin fixes to Custom Code to save them permanently. Copy this .htaccess code to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, click the secure.htaccess AutoMagic button and then activate BulletProof Mode for your Root folder.
# S2Member protected URL rewrite / redirect bypass
RewriteCond %{REQUEST_URI} ^/example-URI-path/example-registration-page/ [NC]
RewriteRule . - [S=13]
Shopp e-commerce shopping cart plugin – Premium plugin
A simple .htaccess skip rule fixes this issue. Copy and paste the .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor. If you are using another e-commerce shopping cart plugin then try this type of fix, replacing the name of the plugin folder with your shopping cart plugin’s folder name. The S= # is very important: it is an .htaccess Skip rule. The skip rules are in descending order S=12, S=11, S=10, etc. and this number order is very important. If you add a plugin fix above Skip rule #11 (S=11) then your new skip rule will be S=12. If you add another skip rule above S=12 it will be S=13. As of BPS Pro 5.1.5 and BPS free .46.9 you can add personal plugin fixes to Custom Code to save them permanently. Copy this .htaccess code to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, click the secure.htaccess AutoMagic button and then activate BulletProof Mode for your Root folder.
# Shopp e-Commerce shopping cart skip rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/shopp/ [NC]
RewriteRule . - [S=13]
DisplayBuddy Video Showcase – 403 errors when trying to view videos
To allow this plugin to use the WP admin-ajax.php file without being blocked by BPS, add the .htaccess bypass / skip code below to the wp-admin Custom Code box – CUSTOM CODE WPADMIN PLUGIN FIXES: and then activate BulletProof Mode for your wp-admin folder again. The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1]. This bypass / skip rule is safe to use because the wp-admin area is protected with WP Authentication security.
# DisplayBuddy Video Showcase bypass / skip rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]
Cart66 e-commerce shopping cart plugin – Premium plugin
A simple .htaccess skip rule fixes this issue. Copy and paste the .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor. If you are using another e-commerce shopping cart plugin then try this type of fix, replacing the name of the plugin folder with your shopping cart plugin’s folder name. The S= # is very important: it is an .htaccess Skip rule. The skip rules are in descending order S=12, S=11, S=10, etc. and this number order is very important. If you add a plugin fix above Skip rule #11 (S=11) then your new skip rule will be S=12. If you add another skip rule above S=12 it will be S=13. As of BPS Pro 5.1.5 and BPS free .46.9 you can add personal plugin fixes to Custom Code to save them permanently. Copy this .htaccess code to the Custom Code CUSTOM CODE PLUGIN FIXES: text box, save your changes, click the secure.htaccess AutoMagic button and then activate BulletProof Mode for your Root folder.
# Cart66 AJAX Request skip rule
RewriteCond %{QUERY_STRING} cart66AjaxCartRequests=(.*) [NC]
RewriteRule . - [S=13]
Digi Auto Links plugin – Premium plugin
A simple .htaccess skip rule fixes this issue. Follow the same procedure described for the Shopp skip rule above: paste the code below into your Root .htaccess file with the built-in BPS File Editor, or save it permanently in the CUSTOM CODE PLUGIN FIXES: text box, click the secure.htaccess AutoMagic button and activate BulletProof Mode for your Root folder again. If another plugin's query string is being blocked, use the same type of Query String fix, replacing the parameter names below with the query string parameter that BPS is blocking. The S= number is one higher than the current top skip rule (S=13 above S=12).
# Digi Auto Links Approval Check Query String Skip Rule
RewriteCond %{QUERY_STRING} checkpostid=(.*) [NC,OR]
RewriteCond %{QUERY_STRING} checkapproved=(.*) [NC]
RewriteRule . - [S=13]
RSS Link Bomber – Premium Plugin – Cron job is being blocked
This plugin uses wget to run its cron job, and requests that identify themselves as wget are blocked by the security filters in the root .htaccess file. You can either allow wget by removing it from the BPS security filters (not recommended) or, the safer alternative, replace wget -O with lynx -source in the cron command line, since BPS does not block lynx. Only the fetch command changes; the URL and the rest of the cron entry stay the same.
WP Twin AUTO BACKUP – Premium Plugin – Cron job is being blocked
Same cause and fix as for RSS Link Bomber above: the plugin's cron job fetches a URL with wget, which is blocked by the root .htaccess security filters. Either remove wget from the BPS security filters (not recommended) or replace wget -O with lynx -source in the cron command line.
WP Twin – Premium Plugin – Cloning website is not working
This plugin uses the PHP system() and exec() functions to clone websites. To allow cloning to work you will need to edit your custom php.ini file and remove system and exec from the disable_functions directive. After removing exec and system the directive should look like this:
disable_functions = passthru, shell_exec, show_source, popen, pclose, pcntl_exec
system() and exec() are the functions a PHP web shell reaches for first, so re-enable them only for as long as you need cloning and put them back into disable_functions afterwards.
WP PDF Stamper – ionCube PHP Loader ioncube_loader_lin_5.2.so Site error – BPS Pro ONLY
This is actually not a conflict or issue, just a procedural step required by this plugin. When you create your custom php.ini file in BPS Pro you need to add the ionCube loader extension. Example:
zend_extension=/usr/xxx/php/modules/ioncube_loader_lin.so
(This is only an example of the ionCube extension line; get the exact path and file name for your server from your host's help pages.) Example error message:
Site error: the file /xxxxx/public_html/wp-content/plugins/wp-pdf-stamper/wp_pdf_stamp1.php requires the ionCube PHP Loader ioncube_loader_lin_5.2.so to be installed by the site administrator.
WP Whats My Rank – Premium Plugin – Cron job is being blocked
Same cause and fix as for RSS Link Bomber above: the plugin's cron job fetches a URL with wget, which is blocked by the root .htaccess security filters. Either remove wget from the BPS security filters (not recommended) or replace wget -O with lynx -source in the cron command line.
Ad Trackz Gold – unable to create or view files – BPS Pro ONLY
The custom php.ini file that comes with BPS Pro has allow_url_fopen turned Off by default: allow_url_fopen = Off. To be able to view or create files with this plugin, change the setting to allow_url_fopen = On. This only lets PHP's file functions open remote URLs; leave allow_url_include = Off (the PHP default), so remote files still cannot be pulled in through include or require.
BackupBuddy – Your server does not support command line Zip. Backups will be performed in Compatibility Mode – BPS Pro ONLY
The custom php.ini file that comes with BPS Pro adds the PHP exec() function to the disable_functions directive. BPS Pro has several overlapping layers of security protection, so if you want to allow exec() on your website, remove exec from the directive
disable_functions = system, exec, passthru, shell_exec, show_source, popen, pclose, pcntl_exec
in your custom php.ini file. Your website is still protected against shell scripts because the other common PHP functions used in hackers' shell scripts remain blocked in your custom php.ini file.
Full Screen Background Images Pro – Premium plugin – Unable to upload images – Choose images is blocked with 403 error
To allow this plugin to use the WP media-upload.php file without being blocked by BPS, add the .htaccess bypass/skip code below to the wp-admin Custom Code box, CUSTOM CODE WPADMIN PLUGIN FIXES:, and then activate BulletProof Mode for your wp-admin folder again. The skip rule must be [S=2] because it is written into your wp-admin .htaccess file above skip/bypass rule [S=1]. This bypass/skip rule is safe to use because the wp-admin area is protected by WordPress authentication.
# Full Screen Background Images Pro bypass / skip rule
RewriteCond %{REQUEST_URI} (media-upload\.php) [NC]
RewriteRule . - [S=2]
phpBay Pro – Premium plugin – Unable to view images – links to eBay not working
The phpBay Pro plugin comes with its own custom .htaccess code, displayed on the phpBay Pro Settings page under the .htaccess tab. Copy that code and paste it into the BPS Pro Custom Code Top box (if your site has php.ini handler code, be sure to add that handler code to the Top box as well), click the Save Custom Code button, create new Master .htaccess files with AutoMagic and activate all BulletProof Modes again. This permanently saves the phpBay custom .htaccess code so that it is written into your Root .htaccess file whenever new Master .htaccess files are created.
WHMCS – Premium plugin – 403 Forbidden Errors – As of BPS .47.7 this fix is no longer necessary; solution: upgrade to BPS .47.7
The WHMCS client billing and management plugin needs this root .htaccess security filter modified as shown below.
change this security filter...
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
...to...
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e).* [NC,OR]
The edit drops only the percent-encoded square brackets (%5b and %5d) from the blocked list, which is what WHMCS's array-style query parameters need; literal square brackets, parentheses and angle brackets, and the encoded angle brackets %3c/%3e, are still blocked. mod_rewrite tests the raw query string before any decoding, and the [NC] flag means %5B is caught as well as %5b.
tribulant Shopping Cart – Premium plugin – Unable to save admin options changes – 403 errors
To allow this plugin to use the WP admin.php file without being blocked by BPS, add the .htaccess bypass/skip code below to the wp-admin Custom Code box, CUSTOM CODE WPADMIN PLUGIN FIXES:, and then activate BulletProof Mode for your wp-admin folder again. The skip rule must be [S=2] because it is written into your wp-admin .htaccess file above skip/bypass rule [S=1]. This bypass/skip rule is safe to use because the wp-admin area is protected by WordPress authentication.
# tribulant Shopping Cart bypass / skip rule
RewriteCond %{REQUEST_URI} (admin\.php) [NC]
RewriteRule . - [S=2]
Other Issues – WP Theme, Custom Applications or other miscellaneous issues
.htaccess code is automatically disappearing / being overwritten in the Root .htaccess file – WordPress default .htaccess code is being added multiple times to the Root .htaccess file.
If you are using the cPanel HotLink Protection tool, it causes this problem, and has done so since at least 2002. Disabling the tool in cPanel does not stop it; the problem persists. The tool has several coding problems, and the only way to prevent it from damaging or overwriting your Root .htaccess file is to lock the file with 404 file permissions (read-only for the owner, no access for the group, read-only for everyone else) so that the tool cannot write to it. The BPS Root .htaccess file already contains example HotLink protection .htaccess code; add your own website URL to that example code and uncomment it to use it instead of the cPanel tool.
Password Reset Problems – Login Plugins Password Reset or Redirection Conflicts – included as of BPS .46.1
These .htaccess skip rules resolve issues with login plugins that use a password reset (the reset links carry action=resetpass or action=rp together with a key= parameter in the query string). Both rules are already part of the BPS root .htaccess file as of BPS .46.1.
# Login Plugins Password Reset And Redirect Conflicts Fix 1
RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
RewriteRule . - [S=4]
# Login Plugins Password Reset And Redirect Conflicts Fix 2
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=3]
GeoTheme – Geolocation Map is blocked by BPS – 403 Error
The GeoTheme Geolocation Map passes a full http:// URL in the query string when it populates the map data, and that is exactly what the BPS remote file inclusion filters block. Comment out these two BPS security filters in your root .htaccess file:
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
#RewriteCond %{QUERY_STRING} http\: [NC,OR]
Bear in mind that this disables the http:-in-query-string check for the whole site, which is broader than a plugin skip rule; if you can identify a unique parameter in the GeoTheme map request, a skip rule keyed on that parameter is the narrower fix.
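When a query string is getting a 403, the first question is which RewriteCond is actually firing, because that decides whether you relax a filter (as in the WHMCS edit above) or route around it with a skip rule (as the GeoTheme entry suggests). The following Python script is an added example, not code from the original article or from BPS: it emulates RewriteCond %{QUERY_STRING} tests using the filter patterns exactly as this page prints them. The query strings it tests are constructed samples, and it assumes that Python's re engine agrees with Apache's PCRE for these simple patterns, which it does.

```python
import re

# Filters copied from the article. mod_rewrite matches %{QUERY_STRING}
# against the raw, still percent-encoded query string, which is why the
# BPS filters list both "<" and "%3c" and why [NC] matters for "%3C".
WHMCS_FILTER_BEFORE = r"^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).*"
WHMCS_FILTER_AFTER = r"^.*(\[|\]|\(|\)|<|>|%3c|%3e).*"
GEOTHEME_FILTERS = [
    (r"[a-zA-Z0-9_]=http://", ""),   # the article's version has no [NC]
    (r"http\:", "NC"),
]


def cond_matches(query_string, pattern, flags=""):
    """Emulate one `RewriteCond %{QUERY_STRING} <pattern> [flags]` line.
    Only the NC (nocase) flag changes whether a condition matches; OR only
    changes how conditions chain, which blocking_conditions() handles."""
    flag_set = {f.strip().upper() for f in flags.split(",") if f.strip()}
    re_flags = re.IGNORECASE if "NC" in flag_set else 0
    return re.search(pattern, query_string, re_flags) is not None


def blocking_conditions(query_string, conditions):
    """Return every pattern that fires for this query string. The BPS filter
    conditions chain with [OR] into one forbidding RewriteRule, so a single
    hit is enough for a 403; the list tells you which condition you must
    either relax (the WHMCS edit) or route around with a skip rule."""
    return [p for p, f in conditions if cond_matches(query_string, p, f)]


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "whmcs_array_param": "action=step&fields%5B%5D=1",  # PHP array syntax, encoded
    "encoded_xss_probe": "q=%3Cscript%3E",
    "literal_xss_probe": "q=<script>",
    "geotheme_remote_url": "address=http://example.com/x",
    "upper_case_scheme": "u=HTTP://x",
    "harmless_callback": "cb=jQuery_http_1",
}


def whmcs_report():
    """For each sample, whether the WHMCS filter blocks it before and after
    the edit. The edit only stops blocking %5b/%5d, so encoded array
    parameters pass while literal brackets, parentheses and angle brackets
    (and the encoded angle brackets) stay blocked."""
    return {
        name: (
            cond_matches(qs, WHMCS_FILTER_BEFORE, "NC"),
            cond_matches(qs, WHMCS_FILTER_AFTER, "NC"),
        )
        for name, qs in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (before, after) in whmcs_report().items():
        print(f"{name:22} blocked before={before!s:5} after={after!s:5}")
    for name, qs in SAMPLES.items():
        print(f"{name:22} GeoTheme filters firing: {blocking_conditions(qs, GEOTHEME_FILTERS)}")
```

Paste any other RewriteCond %{QUERY_STRING} pattern from your root .htaccess file into the conditions list, together with its flags, and feed it the blocked request's query string; the pattern that comes back is the one your skip rule or filter edit has to address. Note that the first GeoTheme condition has no [NC], so an upper-case HTTP:// slips past it and is only caught by the second condition.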
Atahualpa Theme Export / Download blocked by BPS
In order to export / download your Theme settings you will need to put your site in Default Mode temporarily and then put your site back in BulletProof Mode after exporting / downloading your Theme settings.
BPS Menus or Other CSS Visual Style or Menus Not Displaying Correctly – Very minor issue
If another plugin is causing the BPS menus or other visual styles to display incorrectly, please leave a comment and we will notify the plugin author of the coding fix that is needed. This post on loading plugin CSS and JS scripts and styles in the WP Admin area provides the fundamental plugin coding to fix this issue (a plugin should enqueue its admin scripts and styles only on its own pages). As a temporary fix until the plugin author fixes this, add the plugin's stylesheet name to the FilesMatch section of your root .htaccess file. Example: if the stylesheet for that plugin is jquery-ui-1.8.5.custom.css, append it to the FilesMatch alternation as |jquery-ui-1.8.5.custom\.css (the dot is escaped because FilesMatch takes a regular expression).
PayPal IPN – PayPal IPN or PDT Scripts – No Known Conflicts Exist
If for some reason you are experiencing a problem with your PayPal IPN or PDT script, copy the BPS default.htaccess file to the folder that contains the PayPal IPN script and rename it to just .htaccess (removing default from the file name). The default.htaccess file is the plain Default Mode .htaccess file without the BPS security filters, so this rules BPS out as the cause while you test. There is no single standard PayPal IPN or PDT script; many custom ones exist. The IPN or PDT script you use should ONLY open a secure SSL connection on port 443 to a paypal.com server, and it should verify each notification with PayPal over that connection before acting on it. As long as the only connection the script makes is to and from a PayPal SSL server, removing the BPS filters from that folder does not expose anything extra, so there is no need to secure the script with BPS if BPS appears to be blocking it.
WPMU – multisite plugins – network plugins – General Fix
Contributed by the WPMU Dev website and Tom. The same general .htaccess skip rule that you would use for standard WordPress plugins also applies to WPMU plugins. In this specific example BPS was blocking the CAPTCHA images of the Comment Spam Pack MU plugin from displaying. All that is required to fix this is to include the /mu-plugins folder in the REQUEST_URI path as shown below. The same principle should work for other MU plugins as well.
# Comment Spam Pack MU Plugin - CAPTCHA images not displaying
RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
RewriteRule . - [S=13]
Plugin 403 Forbidden Errors General Troubleshooting
If a plugin is being blocked by BPS, either because it performs an action BPS considers unsafe or because its requests violate the .htaccess security filter rules, an .htaccess skip/bypass rule will typically fix the issue. Match on the narrowest thing that identifies the plugin's requests: a unique portion of the query string that is being blocked, or the plugin's folder name in a REQUEST_URI rule. The narrower the condition, the less traffic bypasses the filters. Place the new rule directly above the current top skip rule with an S= number one higher than that rule's, so that it lands on the same rule below the filter block as the skip rules under it. Use the plugin fixes above as a reference to create plugin skip rules. If you add a fix for a plugin that is not listed here, please add a comment with your fix.
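The S= numbering rule repeated in the plugin fixes above (a new skip rule goes above the current top one with S= one higher) is easy to get wrong when pasting, and mod_rewrite gives no error either way: too small a count lands inside the filter block and the plugin stays blocked, too large a count skips past rules you still wanted applied. The following Python checker is an added example, not code from the original article or from BPS. It parses a root .htaccess file, counts only RewriteRule directives (which is what [S=n] skips; RewriteCond lines belong to the rule after them), computes where each skip rule lands, and flags any skip rule that does not land on the same rule as the skip rules below it. The sample file it checks is a constructed, cut-down file in the BPS layout, not the real BPS .htaccess file.

```python
import re

# Constructed, cut-down root .htaccess in the BPS layout (not the real BPS
# file): plugin skip rules stacked above a security filter block in
# descending S= order, so that every skip lands on the same rule, the first
# one after the filters. The top rule is a plugin fix that was added above
# the previous top rule (S=3) and therefore numbered S=4.
GOOD_HTACCESS = r"""RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# plugin fix added above the old top skip rule, so it gets S=4
RewriteCond %{QUERY_STRING} cart66AjaxCartRequests=(.*) [NC]
RewriteRule . - [S=4]
RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
RewriteRule . - [S=3]
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=2]
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/shopp/ [NC]
RewriteRule . - [S=1]
# security filter block: several conditions, one forbidding rule
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC]
RewriteRule ^(.*)$ - [F]
# WordPress permalinks: the rule every skip above must land on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

# The classic mistake: the new fix pasted with the S= value of the rule
# below it instead of one higher, so it lands on the [F] rule and the
# plugin request is still forbidden.
BAD_HTACCESS = GOOD_HTACCESS.replace("[S=4]", "[S=3]")

FLAG_RE = re.compile(r"\[([^\]]*)\]\s*$")
SKIP_RE = re.compile(r"(?:S|skip)=(\d+)", re.IGNORECASE)


def parse_rules(htaccess):
    """Return [(line_no, text, skip)] for every RewriteRule in file order,
    where skip is the S= count or None. RewriteCond lines are deliberately
    not counted: [S=n] skips the next n RewriteRule directives, and each
    condition belongs to the RewriteRule that follows it."""
    rules = []
    for line_no, raw in enumerate(htaccess.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("RewriteRule"):
            continue
        skip = None
        flags = FLAG_RE.search(line)
        if flags:
            for flag in flags.group(1).split(","):
                m = SKIP_RE.fullmatch(flag.strip())
                if m:
                    skip = int(m.group(1))
        rules.append((line_no, line, skip))
    return rules


def landing_lines(htaccess):
    """Map each skip rule's line number to the line of the first rule it
    does not skip, or None when it jumps past the end of the file."""
    rules = parse_rules(htaccess)
    result = {}
    for idx, (line_no, _, skip) in enumerate(rules):
        if skip is not None:
            target = idx + 1 + skip
            result[line_no] = rules[target][0] if target < len(rules) else None
    return result


def check_skip_chain(htaccess):
    """Return a list of problems (empty means the S= numbering is consistent).
    Walks bottom-up because the lowest skip rule (S=1 in BPS) fixes the
    landing point; every rule above it must land on that same rule. A skip
    that is too small lands inside the filters (plugin still blocked); one
    that is too large skips rules below the filter block as well."""
    rules = parse_rules(htaccess)
    skips = [(i, ln, s) for i, (ln, _, s) in enumerate(rules) if s is not None]
    problems = []
    expected = None
    for idx, line_no, skip in reversed(skips):
        target = idx + 1 + skip
        if target >= len(rules):
            problems.append(f"line {line_no}: S={skip} skips past the last "
                            f"RewriteRule; only {len(rules) - idx - 1} rule(s) follow it")
        elif expected is None:
            expected = target
        elif target != expected:
            problems.append(f"line {line_no}: S={skip} lands on line {rules[target][0]}, "
                            f"but the skip rules below land on line {rules[expected][0]}; "
                            f"use S={expected - idx - 1}")
    return problems


if __name__ == "__main__":
    print("good:", check_skip_chain(GOOD_HTACCESS) or "skip chain consistent")
    print("bad: ", check_skip_chain(BAD_HTACCESS))
```

Run it against your own root .htaccess file by reading the file into a string and passing it to check_skip_chain(). The bottom-up walk is what makes the BPS convention checkable: S=1 defines the landing rule, and each rule stacked above it must be exactly one higher, which is the same thing as landing on the same rule.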
Fix for Infinite Loops in either your .htaccess files or coding – this is a general fix for Infinite Loops and does not pertain specifically to BPS
The error message related to infinite loops is: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace. Shorter variants of the same message also occur: Request exceeded the limit, probable configuration error, Use 'LogLevel debug' to get a backtrace, or Use 'LimitInternalRecursion' to increase the limit if necessary. The symptom is that a request keeps being internally redirected to itself (some PHP coding or rewrite rule looping infinitely), which causes extreme lag or brings the website to a complete halt when it tries to process a PHP script.
# .htaccess Fix for Infinite Loops
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule .* - [L]
Apache sets the REDIRECT_STATUS environment variable once a request has already been through an internal redirect, so this condition is only true on the second pass; the rule then stops rewriting ([L], no substitution) instead of letting the rules below redirect again. Place it above the rules that are looping.
SquirrelCart PHP Shopping Cart – 403 Forbidden errors when trying to checkout – iframes not working in admin panel
Create a plain text file in Notepad (NOT Word; the file must be plain text) called securityoff.htaccess. In that file add this one line of .htaccess code:
RewriteEngine Off
Upload the file to your SquirrelCart /store folder, or to whatever folder you named it instead. Once you have uploaded the file, rename it to just .htaccess, removing securityoff from the file name. You may also have to do this for the other SquirrelCart folder, sc_data. Note that RewriteEngine Off switches off every rewrite-based BPS filter for that folder and its subfolders, not just the one that was blocking checkout, so keep it limited to the cart folders.
Custom PHP Applications Outside of WordPress – General fixes to try
For custom applications that are outside of WordPress, i.e. stand-alone PHP applications rather than WP plugins, try these fixes; one of them should work. The example bypass/skip .htaccess code below shows skip rules and rewrite fixes for vTigerCRM (installed in /crm/) and Piwik (installed in /piwik/).
# Custom Applications bypass / skip
# %{REQUEST_URI} always begins with a slash, so the patterns must too
RewriteCond %{REQUEST_URI} ^/piwik/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/crm/ [NC]
RewriteRule . - [S=13]
Alternative fix: add RewriteRules after this .htaccess code in your Root .htaccess file. In an .htaccess file a RewriteRule pattern is matched against the path relative to that directory, which is why these patterns have no leading slash.
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# RewriteRule for Custom Apps outside of WP
RewriteRule ^piwik/ - [L]
RewriteRule ^crm/ - [L]
Alternative Fix – add a RewriteEngine Off .htaccess file to the 3rd Party app folder
Create a plain text file in Notepad (NOT Word; the file must be plain text) called securityoff.htaccess. In that file add this one line of .htaccess code:
RewriteEngine Off
Upload the securityoff.htaccess file to your 3rd party app folder. Once you have uploaded the file, rename it to just .htaccess, removing securityoff from the file name. This turns off all rewrite-based BPS filtering for that folder and its subfolders, so use it only for the application's own folder.
Unable to upload images in a plugin or theme that is using the WordPress media-upload.php file to upload images – 403 error
To allow plugins or themes that use the WP media-upload.php file to upload images without being blocked by BPS, add the .htaccess bypass/skip code below to the wp-admin Custom Code box, CUSTOM CODE WPADMIN PLUGIN FIXES:, and then activate BulletProof Mode for your wp-admin folder again. The skip rule must be [S=2] because it is written into your wp-admin .htaccess file above skip/bypass rule [S=1]. This bypass/skip rule is safe to use because the wp-admin area is protected by WordPress authentication.
# Allow Plugins and Themes to use media-upload.php bypass / skip rule
RewriteCond %{REQUEST_URI} (media-upload\.php) [NC]
RewriteRule . - [S=2]
Nocturnal Theme mp3 files are not playing – audiojs.swf not loading
The query string used contains a single quote and/or its ASCII-encoded equivalent, which BPS blocks as a dangerous query string. To safely allow only this particular query string, so that the theme works correctly, use the skip/bypass rule below; it matches on the playerInstance= parameter, so only the theme's audio player requests skip the filters. The rule can be added to CUSTOM CODE PLUGIN FIXES: to save it permanently to your WP database. After saving the new rule, use AutoMagic and then activate BulletProof Mode for your Root folder again to write the rule into your Root .htaccess file.
# Nocturnal Theme audio file query string bypass / skip rule
RewriteCond %{QUERY_STRING} playerInstance=(.*) [NC]
RewriteRule . - [S=13]
Tags: BPS Plugin Conflicts, BPS Testing To Do List, Plugin Compatibility Testing, Plugin Conflicts, Plugin Fixes
Categories: BulletProof Security Plugin Support
The latest update shut down WP Remote’s ability to update plugins from afar. The owners say adding 107.22.153.142. to the whitelist section of the plugin should fix it. Since there is no such section in the admin area, I think you all need to fix this.
BPS now has this new additional security coding below which of course adds more security protection for your website to prevent RFI hacking attempts and other forms of remote file exploits and website hacking. For now you can choose to not use this additional security protection by commenting out this line of code in your root .htaccess file by adding a # sign in front of it – # RewriteCond %{HTTP_REFERER} ^.*your-website-domain-name.com.*. Or you can add the wp-remote IP Address whitelist code RewriteCond %{REMOTE_ADDR} ^107.22.153.142 as shown below. Important note!!! You will need to add the [OR] flag after the line of code with your domain name as shown below. Please confirm that this works on your site. The code has been tested, but has not been tested specifically for the wp-remote plugin.
Also I have contacted the wp-remote folks as I think another condition is going to be required for the URI and am waiting for their reply. Thanks.
Also I think I have a much better approach for this issue, but I am not getting any response from the wpremote folks so if you would test this code below for me I would very much appreciate it. Edit your root .htaccess file and add this Whitelist .htaccess code above skip rule #12 – # Adminer MySQL management tool data populate – in your root .htaccess file.
I just tried this (and the previous fix) and neither worked.
Mark
Ok how about a simple typical plugin skip/bypass rule like this. This plugin skip/bypass rule would go directly above skip/bypass rule #12 – # Adminer MySQL management tool data populate – in your root .htaccess file. Thanks.
Frustratingly.. no change!
Maybe you need to sign up and test it – its a free service.
Mark
Yep I have an account with them from over a year ago for testing of another issue. I will reconfigure a Server for testing again. One of the considerations we have to take into account is that we get somewhere between 1,500 and 2,000 hacking attempts per day since we are a target for hackers. Once the Server is reconfigured then I can safely open some stuff up for testing. I am not implying that wpremote is unsafe to use, but I am making the point that the AITpro site is a prime target for hackers so we have to be extra careful about what we allow and do not allow on our sites. 😉
And since wpremote does not work on a Local XAMPP site then testing has to be done on a Live Development or Production site. 😉
ARGH! this is the same old issue and is not a new issue. The solution is here >>> http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#wpremote
This is my mistake for not catching this early on. Several people thought that this was a new problem and instead of doing what I should have done right away I bought into it and took a jog down stupid Lane. Sigh. Just apply the solution in the link above.
Suggest you get a cheap hosting account and set up a WP test site on it. Take 10 minutes.
I do good rates: [Link Removed by LinkStripper]
And a massive discount offer here: [Link Removed by LinkStripper]
Mark
Yep that is on the to do list. Thanks. 😉
This is not a new issue and is a very old issue the solution is here >>> http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#wpremote
Yep, sorted.
The issue needs updating because it refers to backups, whereas at present this rule prevents WP Remote from getting the website status and it generates a “WP 403” error.
Thanks for the solution. Both BPS and WP-Remote are very useful plugins so am pleased I can have them both working together.
Mark
I got a 200 OK status on the wpremote site from my account. Or are you saying just to edit the text regarding the explanation and add that the HTTP Status code displays a 403 status error?
Cardoza’s WordPress Poll plugin messes up BPS menus and screen formatting. I’ve contacted the author too. Any quick fixes in the meantime?
Thanks for the heads up. To block another plugin's js scripts and css scripts from loading everywhere throughout the WordPress Dashboard, which is a coding mistake, you can right mouse click on any of the BPS options pages and click View Source to view your source code. Then look for the js and css scripts that this plugin is mistakenly loading in other plugins' pages and throughout your WordPress Dashboard and post them here so that I can tell you how to block them in the root .htaccess file. Also you can send this link to the plugin author so that he/she can fix this mistake – http://www.ait-pro.com/aitpro-blog/2734/misc-projects/wordpress-tips-tricks-fixes/wordpress-load-css-and-js-scripts-on-wordpress-plugin-pages-only-wordpress-top-level-plugin-menu-admin-scripts/
oops… let me try that again.
Thanks for the quick response!
Here are the relevant lines when I view the source of a BPS page:
Ok it looks like the cardoza-wordpress-poll plugin is the plugin that has the coding mistake. Not sure why you have a link to the Google API because WordPress already contains the jQuery library bundled with WP. Maybe the 1.8 version was needed for some reason? This may also be causing the problem, but only add that file name to the FilesMatch code as a last resort because this could cause frontend visual problems for your website. If this jQuery file is being called in some fubar way then it could totally mess up the visual appearance of your site if you block the file.
Ok so go to the BPS htaccess file editor page – Edit/Upload/Download – and edit your root .htaccess file like this below adding the CWPoll.js file to the FilesMatch htaccess code.
Reposted the code – the angle brackets were stripped out.
The edit to .htaccess seems to have no effect.
The author not only ignored me, he deleted my post regarding the way his plugin breaks BPS menus (which I stated in the nicest way possible) *sigh*
Uh what are you talking about??? I have made several replies to your comment post. Your comment post obviously exists and was not deleted because you just left another reply to that comment post??? When i have a chance i will install and test this plugin. Please keep in mind that we support over 500,000 people, with most of those people being free BPS plugin users, and move as quickly as we can to resolve all problems in a timely manner. Thank you.
I was referring to the author of the offending plugin, not you. I had posted the issue on his board and he has deleted it. You have been VERY responsive and VERY helpful! That is why I’ll be upgrading to the Pro version of BPS and why I’ll likely be removing his plugin from all my sites.
Oh my mistake. I misinterpreted what you said. Sorry. 😉 I am going to test that plugin in about 1 hour, but yeah bad support usually gets me running, not walking to the nearest exit. 😉 I will be testing this plugin anyway as any conflict that exists anywhere in the wild needs to be addressed and “fixed”. Thanks and sorry again for misunderstanding your reply. 😉
No worries, I could have been more clear myself. Cardoza replied to my post asking why he deleted my other post – anyway, here is what he had to say:
I haven't deleted your comment; instead I put it on hold to do more research.
There will always be a conflict between WordPress plugins' CSS because it is developed by various people. Regarding the design issues, either myself or the Bulletproof author should change their class names in the CSS. Alternatively, you can also change the css class names in the css and my plugin code.
Actually the issue is that CWPPoll.css, CWPPoll.js, jquery-ui.css, jquery-ui.min.js are loading in the BPS admin options pages and throughout the WordPress Admin backend in all plugins' pages and WordPress itself. So I can easily block all these scripts from loading using .htaccess code, but this of course causes all your scripts to stop working. What I have done with BPS is to confine my scripts to ONLY my plugin pages following this method >>> http://www.ait-pro.com/aitpro-blog/2734/misc-projects/wordpress-tips-tricks-fixes/wordpress-load-css-and-js-scripts-on-wordpress-plugin-pages-only-wordpress-top-level-plugin-menu-admin-scripts/
I believe your scripts need to load both frontend and backend, but in the backend admin area those scripts should be confined to only your plugin’s admin options pages. 😉 Thanks.
Oops I thought you were the plugin author since you posted his comment back to you. ha ha ha. Actually his plugin is proving more of a challenge to block those scripts than I thought because he is calling 2 of them from ajax.googleapis.com and those scripts are doing most of the damage. And you were not kidding about messing up the BPS options pages – they are a complete mess since all these other scripts from WordPress Poll are overriding my js and css plugin scripts. ugh.
I’ve been posting your comments to the author’s site (including your most recent one – currently awaiting approval). Feel free to jump into the thread:
http://www.fingerfish.com/cardoza-wordpress-poll/comment-page-5/#comment-1027
Yep just about to get back to this issue. The release of BPS .47.5 included a new much better approach to blocking remote file exploits and unfortunately it did several things. Plugins that need to remotely post to remote websites are being blocked. Another issue on a larger scale was that a popular Server malware scanner was triggered by this new coding and saw it as malicious coding and was quarantining the .htaccess files. This issue has been solved, but the remote posting issue is still being worked on.
So I am at a point again where I can switch gears and find a solution for the WordPress Poll plugin problem. Will be trying some additional .htaccess coding to block the external call to the jquery scripts from Google without completely breaking WordPress Poll – this is proving to be the tricky part. I can easily block the scripts, but it is breaking the WordPress Poll plugin. 😉
I definitely appreciate the work you’re putting in on this, but if it’s a case of bad coding with the poll plugin, why should you have to create the work-around?
I’m not completely married to this poll plugin, BTW. If you don’t feel like fixing other people’s bad code, I fully understand. In any case, I appreciate it!
Sorry I got a little backlogged. I will get you some .htaccess code shortly. thanks.
ARGH! This one is giving me fits. I can come up with brilliant .htaccess code like this below, but I cannot stop one dumb plugin from creating a mess. jeez.
New htaccess code that will be in BPS .47.6
Wow this plugin is doing something I have never seen before. No wonder I cannot block its scripts. I can block my own scripts and even WordPress scripts, but this plugin appears to be forcing its scripts into the Headers. My god.
Nope it is not possible to block this plugin's bad script calls with .htaccess code. I can of course simply add some code to fix the plugin coding, but this should be done by the plugin author so that the next version release has new corrected code. When I finally was able to block this plugin's scripts it ended up blocking other good script calls. I can understand that this plugin author wants to use the latest jQuery library for his plugin, but he should be bundling that library with his plugin or correct the way he is calling external ajax.googleapis.com libraries. Or he can of course apply the method that I use to contain my plugin scripts to only my plugin pages >>> http://www.ait-pro.com/aitpro-blog/2734/misc-projects/wordpress-tips-tricks-fixes/wordpress-load-css-and-js-scripts-on-wordpress-plugin-pages-only-wordpress-top-level-plugin-menu-admin-scripts/
I found another plugin that this poll plugin breaks the admin menus on: NextGEN Gallery
I suppose that I’ll just have to uninstall it after my currently running poll closes. Why is it that there never seems to be any good FREE poll solutions. Of all the gadgets and whizbang things I’ve added to websites through the years, this is the one thing that seems to elude me. There are good PAID solutions, but come on, freeware has been around since the 1970s and THIS is the one program that can’t ever be produced? Weird.
Thanks again for your Herculean efforts to solve what most developers would consider “not their problem”. I REALLY appreciate your excellent support. As soon as I can convince my clients that they want to pay for it, I’ll be upgrading to BPS Pro.
Yep the WordPress Poll plugin will break any other plugins or WordPress functionality that has anything to do with jQuery because of the way the plugin is calling its scripts. I have a feeling that this particular plugin author will fix this issue in his plugin so give him a chance and some time to fix this. 😉
If any issues or problems are even slightly related to or connected to BPS and BPS Pro it is my problem. What I see too often is that plugin authors get too overly focused on their plugin and forget that their plugin is not the center of the Universe. I understand how this thinking can happen and sometimes I have dumb thoughts like BPS and BPS Pro are more important than other plugins because of what BPS and BPS Pro are doing. This is of course totally irrational thinking because what good is any plugin if it interferes with your essential day to day operations and functionality. It is not enough to create a plugin that does magical things – the plugin also has to do its magic in a way that there is perfect harmony and balance with all the other planets in the Universe. 😉
Dude, you really speak my language. 🙂 You’re a classy guy. Thanks!
Hi
I've been using your plugin now on all my sites for some time and it has become a major pillar of my security protection method, so thank you very much.
However I’ve now come across the first problems 😉
With the site in the web field of this comment (and all others set up with the same theme etc.) I'm finding that BPS is blocking theme options from working; the ones I am aware of for sure are background color (background reverts back to white as soon as root .htaccess protection is activated), the theme loses its outer table, theme fonts change and the selected color for menus reverts back to white.
Compare the site quoted with this one using the same theme, server, WordPress and plugins and versions, but without the BPS .htaccess files activated: http://www.lasereyesurgerytoday.com/ and you'll see quickly what I'm talking about (outer table, background color, font size in sidebar…)
The theme being used here is the premium theme from authoritypro.com; this theme has diverse options for changing fonts, colors etc. which are activated via the "The AP Launcher" and "The Authority Pro Engine" plugins that come with the theme. However I tried using the built-in WP background selector also and this too won't show on the site with BPS.
The sites are hosted on Lunar pages, all files permissions are set to 755 for folders and 644 for files (the norm for this host).
Any ideas?
Thanks
Jayen
Have you activated both Root and wp-admin BulletProof Modes?
Is this Theme using any /wp-admin files in order to display images? Such as media.php, admin.php or admin-ajax.php?
Hi
Yes I originally had both root and wp-admin .htaccess files activated, plus the two deny folder access options and this problem was the same. I only said that the problem occurs when activating the root .htaccess file because in testing I found that to be when things go wrong.
In fact on the sites where I’ve reverted back to the standard root .htaccess files I’ve left the BPS wp-admin .htaccess file in place, since I didn’t have a default one. Is this ok to do?
In terms of the theme using media.php etc, the theme does use the built-in WP file uploader to upload and store images in the media library, and show them. However this is the case for the header of the site and as you can see that isn’t affected…
The font and background color options are input into the database from what I understand, maybe it’s more to do with BPS blocking the plugins that run the theme?
If you want I can get you FTP and Admin access to this site so you can take a quick look. And or send you the plugins for investigation, although you wouldn’t be able to test them with out the theme…
Thanks
When Premium Themes or Plugins are involved then we cannot test these since that would violate the licensing agreement of that Theme or Plugin. Also we only access websites for BPS Pro customers. What I can do is look at your website to hopefully determine the problem. What I need to know is how exactly the Theme or Plugin or both is calling the images. Looking at the source code of your website I see this below in regards to how your CSS stylesheet is being called.
/dynamic-css.php?themestyling=
So logically you can probably create a skip/bypass rule for this file (which is a REQUEST_URI). Use the BPS built-in file editor and edit your root .htaccess file and add the dynamic-css.php file to the TimThumb skip/bypass rule as shown below.
Hi there
Thanks, that seems to have fixed it 🙂
I’m still testing but from what I can see everything seems to work now.
I’ll let you know If I come across any other irregularities.
I guess this means that I’ll have to edit this with every update from now on then as I can’t do this edit with the custom insert in any way can I?
Yep that seemed like it would logically work. Thanks for confirming the “fix”. I see another possible potential problem, but I believe the amember plugin has been tested and there were not any conflicts or issues. When I look at your source code I see an amember link that is calling this file below from this folder location below. Please test that amember and any other affiliate related features on your site are working correctly. Thanks.
/affads/affiliatejs.php?id=
Oh and to answer your question regarding having to repeat this edit on every update of BPS – no, you would not have to make this edit again when you update BPS because BPS automatically updates your .htaccess files on BPS upgrades, but upgrades will not alter any custom edits that you have made to your .htaccess files. If you use the AutoMagic buttons and activate BulletProof Mode for your Root folder again then yes you would have to make the edit/modification again.
I was thinking to install BPS on my site… because I saw some great references from users and serious work but… I found up here this message:
WPSC – specific .htaccess code checking and messaging – included as of BPS .45.8
BPS will display WPSC specific error warning messages when WPSC .htaccess code needs to be updated.
…information with status not resolved (NLIC – what does this mean) for WP Super Cache… I’m sorry, but I don’t understand… I have WordPress 3.4.1 and what code needs to be updated, and where? In the BPS panel after I install the plugin, or what?
Is this fixed actually or if not… how to fix it?
It says there included as of BPS 45.8… current BPS version is 47.4. Is this resolved by now?
Thanks
NLIC means this is No Longer an Issue or Conflict – it means Resolved. BPS has additional custom bonus code that was created to specifically check for issues or problems with both WPSC and W3TC – BPS custom coding and BPS custom error messages have been added to BPS to check these plugins specifically for any issues or problems or conflicts with BPS since both of these plugins can write .htaccess code to your root .htaccess file.
My website is located at http://www.bluphoenix-webdesign.com. I am having a 500 internal server error with WordPress.
My error log says:
SecurityException in Application.cpp:188: Do not have root privileges. Executable not set-uid root?
Premature end of script headers: index.php
I’m currently running BPS security and have 2 other sites down as well. The admin panel is inaccessible and I can’t figure out what the issue is. Major plugins that are consistent across all 3 sites would be:
– Bulletproof Security
– Quick Cache
– WordPress SEO by Yoast
– Akismet
I really need help!!! Any help would be appreciated. Thank you.
This is an Ownership permission issue/problem and this issue/problem is not related to BPS or caused by BPS.
See this post for more details of the problem >>> http://computernetworkingnotes.com/managing-file-system-security/sticky-bit.html
Alright, looks like the server issue had to do with MySQL errors and was out of my control. Server admins at my web hosting company are dealing with it.
We will see if that takes care of the issue.
Thanks
Plugin named “Download Protect”
http://wordpress.org/extend/plugins/download-protect/
Some downloads with that plugin work OK, but some don’t.
It says:
Forbidden
You don’t have permission to access /wp-content/plugins/download-protect/downloader.php on this server.
Following your recommendation for turning off BPS … I found that everything works OK when BPS is off.
Are you saying that some downloads are downloading successfully with BPS in BulletProof Mode and other downloads are not? If so, then what is the difference between the downloads that are downloading and the ones that are not downloading when BPS is in BulletProof Mode. example: file path differences, file name differences, downloading from a protected or not protected folder, etc.
Yes, this is the most interesting part!
The files are in the same folder and all with the same CHMOD…
Naturally – file names are different…
I thought that there was a problem with file name length… But it happens with both long and short ones…
Well the download-protect plugin is quite old… and I believe you’re not very interested in BPS compatibility with it.
So it would just be great if you could help with some kind of rule to exclude DP-plugin from BPS processing…
I can send you some sample links of problem. Please send me your email.
Best Regards!
First off I want to point out the obvious thing about BPS since it is a security plugin. The term “plugin conflict” is not really correct when referring to BPS blocking things that it sees as a vulnerability, threat or unsafe for your website. BPS only blocks things that are unsafe for your website.
Yes, the download plugin has not been updated in a while, but I would of course still test this plugin. What I wanted to know from you is the specific details of the problem occurring so I know exactly what and where to look for the problem and am not wasting time in testing it. So yes send me the links via the AITpro Contact form as they will be helpful for me to see the exact problem and then I will test this plugin. Thanks.
I believe that I didn’t use “plugin conflict”… But if I did… Sorry. My fault.
Surely I understand that BPS closes every possible hole at a WordPress site.
I followed your recommendation with contact form.
I was just mentioning this because a lot of folks are conditioned to think of all plugin issues as “conflicts” and in the case of BPS it is a bit different since BPS is actively protecting a website. So if BPS sees something that appears like a vulnerability for your website then BPS takes action and blocks it. 😉
I got your download links and the first link looks fine, the URL encoding looks completely valid and the download works fine. The second link you sent me looks bad. The URL encoding has non URL encoded characters spaced between valid URL encoded characters so I think that once you fix that issue then everything will be ok. Did you name the filename with unusual characters? UTF-8 sometimes will not correctly translate unusual characters. You should use standard characters for filenames – A – Z and 0 – 9 and you can use hyphens and some other characters of course, but stay away from using characters like the @ symbol, apostrophes, double hyphens, etc in file names.
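The check described in the reply above (valid percent-encoding versus raw characters mixed in, and a conservative filename character set) can be automated. The following is an added example written for this thread; it is not code from BPS or from the Download Protect plugin. The three download links are constructed samples modelled on the plugin path quoted earlier, since the real links were exchanged privately and are not on the page.

```python
import re
import unicodedata
from urllib.parse import urlsplit, parse_qs

# Constructed sample links (not the links from the thread). The plugin path
# is the one quoted in the 403 message above; the "file" parameter name is
# an assumption made for the example.
GOOD_LINK = ("https://example.com/wp-content/plugins/download-protect/"
             "downloader.php?file=annual-report-2012.pdf")
# A raw space and an apostrophe/@ in the decoded name: "non URL encoded
# characters spaced between valid URL encoded characters".
MIXED_LINK = ("https://example.com/wp-content/plugins/download-protect/"
              "downloader.php?file=caf%C3%A9 menu%27s@final.pdf")
# A '%' that does not start a valid %XX escape.
BROKEN_LINK = ("https://example.com/wp-content/plugins/download-protect/"
               "downloader.php?file=report%2Zfinal.pdf")

# RFC 3986: characters that may appear unescaped in a query component.
QUERY_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                  "0123456789-._~!$&'()*+,;=:@/?%")


def bad_escapes(query):
    """Offsets of '%' signs that do not begin a valid %XX escape."""
    return [m.start() for m in re.finditer(r"%(?![0-9A-Fa-f]{2})", query)]


def raw_unsafe_chars(query):
    """Characters sent raw that should have been percent-encoded
    (spaces, non-ASCII letters, control characters)."""
    return sorted({c for c in query if c not in QUERY_CHARS})


def risky_filename_chars(name):
    """Characters in a decoded filename outside the conservative policy
    recommended above: letters, digits, dot, underscore, hyphen."""
    return sorted({c for c in name if not re.fullmatch(r"[A-Za-z0-9._-]", c)})


def check_download_link(url, param="file"):
    """Inspect one link: encoding defects in the query string plus risky
    characters in the decoded filename parameter."""
    query = urlsplit(url).query
    decoded = parse_qs(query, keep_blank_values=True).get(param, [""])[0]
    return {
        "decoded": decoded,
        "bad_escapes": bad_escapes(query),
        "raw_unsafe": raw_unsafe_chars(query),
        "risky_name_chars": risky_filename_chars(decoded),
    }


def safe_filename(name):
    """Rewrite a filename to the conservative policy: ASCII letters and
    digits, single hyphens, one dot before the extension."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""

    def clean(part):
        ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
        return re.sub(r"[^A-Za-z0-9]+", "-", ascii_part).strip("-")

    stem, ext = clean(stem) or "file", clean(ext)
    return f"{stem}.{ext}" if ext else stem


if __name__ == "__main__":
    for link in (GOOD_LINK, MIXED_LINK, BROKEN_LINK):
        report = check_download_link(link)
        print(link.rsplit("?", 1)[1], "->", report,
              "suggested:", safe_filename(report["decoded"]))
```

Running it on the three samples flags only the second and third: the raw space in the query, the apostrophe, `@` and `é` in the decoded name, and the `%2Z` escape that no decoder can interpret. Renaming the file with `safe_filename` before uploading removes the need for any skip rule in this case.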
Hi,
The “My Shortcodes” plugin seems to partially not work correctly when the BPS “Website Root Folder .htaccess Security Mode” is activated.
See plugin details here: http://wordpress.org/extend/plugins/my-shortcodes/
The plugin functions fine in that the shortcodes all work correctly. The problem is that when you click on the “My Shortcodes Builder” button to add a new shortcode to a post or page, the box that pops up is blank apartment from a 403 server error message. Going back to the default .htaccess file it all works fine.
…”blank apart from a 403 server error message” that should be. Pesky spell checker!
Could you please suggest a fix?
Thanks,
James
The My Shortcodes Plugin has been scheduled for testing and a solution will be posted after testing is completed.
Note: If a bad coding practice is the cause of the problem that would leave your website vulnerable to being hacked then a solution will not be posted and the plugin author will be notified.
Testing completed – no problems or conflicts were found.
When clicking the My Shortcodes Builder button in a new test post no errors occurred and the shortcode was added successfully.
That’s strange! Just re-tested on my WP installation. When the ‘BulletProof Mode’ security is enabled for the ‘Website Root Folder .htaccess’ then the My Shortcodes Plugin does not work within a post or thread editing screen. I just get a 403 server error in the pop-up box when I click the button.
Turn off the BPS security (i.e. enable ‘Default Mode’ for the root folder .htaccess) and the plugin instantly starts to work as it should. Turn BPS security mode back on and it instantly stops working.
So 100% sure it is something in the BPS .htaccess file that is causing the conflict. I’ve repeated this test 3 times now on 3 different days on my install so confused as to why you aren’t able to reproduce it.
Any thoughts please or suggestions for finding the cause or solution please?
Thanks,
James
Ok then some condition on your site is different from the site I am testing on.
Have you activated all BulletProof Modes – both Root and wp-admin BulletProof Modes?
Do you have any of these plugins below installed? Each of these plugins interferes with BPS in some way and will cause problems that are difficult to troubleshoot. If so, then deactivate all of them, click the AutoMagic buttons and activate all BulletProof Modes again and then test again.
Firewall
Better WP Security
6Scan
It may also be possible, but unlikely, that your Theme may have something to do with this since you are going from a front side edit link to your secure WP dashboard area.
Another possibility, but unlikely, is this could be the known broken cPanel HotLink protection tool problem. Do you have a cPanel? If so, do you see the HotLink Protection Tool option?
BPS Free plugin causes “Strx Zurb CSS3 Awesome Buttons” not to work completely, resulting in this error – Failed to load resource: the server responded with a status of 403 (Forbidden) : /wp-content/plugins/strx-zurb-css3-awesome-buttons/css/strx-zurb-css3-awesome-buttons-css.php?fontFamily=Arial%2C+Helvetica%2C+%27Helvetica+Neue%27%2C+Verdana%2C+sans-serif+%21important&ver=2176
The ‘buttons’ generated by the plugin don’t have any styling. I did all the standard troubleshooting, and it’s definitely an issue with BPS.
Thanks for the great plugin!
Hmm, very odd looking query string. %27 is the single quote which will be blocked by BPS as it is very dangerous, but my question is why is formatting being added to a query string like this. A safer way to do this would be to add a class to the query string. I will test this plugin and post my findings and then notify the plugin author about any unsafe coding practices. Thanks.
Example WP Smiley Wink class:
Actually I cannot test this plugin because it does not meet the minimum requirements for testing.
Requires: 2.5 or higher
Compatible up to: 3.0.5
Last Updated: 2010-12-19
Downloads: 1,199
Thanks very much for the response. I will be looking to replace it, or simply style the buttons myself, which is more practical at this point.
best
Hello,
Great plugin! I just recently found it and am putting it on all my sites to evaluate before buying Pro. On one of my sites I use a plugin called Events Made Easy and I have been getting “403 Forbidden – you don’t have permission” every time someone tries to register. I have to use the WP Default htaccess File for it to work. Any suggestions?
Thank you!
Please post the URL that you see in your Browser window (address bar) when you get the 403 error. Thanks.
http://preview.dontinvestandforget.com/events/13/test-event/?#eme-rsvp-message
That Query string is malformed/no good and is exploitable. ?# is bad news in general.
A valid Query string would look like this ?src=something#eme-rsvp-message
Ok so, I emailed that other plugin maker and here is what he said
“what the person writes there (see above) is just wrong. Rewriting rules
for wordpress forces these kind of url’s, and are for sure not
exploitable.
“?#eme-rsvp-message” means “the current page, anchor eme-rsvp-message”,
so no need to add something like “src=…” to it.
If they don’t like these url’s, there’s not much I can do.”
What can I do? For now, is there a way for BulletProof to allow this plugin to work?
That is not a good response in general from the plugin author and I will say nothing more about his/her response.
Please send that plugin author these 2 links regarding the CGI flaw found by the php.net folks so that this plugin author will now become aware of this known exploit:
http://wordpress.org/support/topic/plugin-bulletproof-security-buddypress-and-403?replies=31
http://www.php.net/archive/2012.php#id2012-05-06-1
Thank you for your response. I sent over the links. While I’m waiting is there a way I can bypass this to get it to work?
Well the problem is and what this plugin author does not fully understand is that a pound sign # is treated the same as http://.
So in order to allow this bad query string to work you will need to comment out an important BPS security filter that protects against RFI hacking attempts.
This is the security filter you would need to comment out in your root .htaccess file for now by adding a # sign in front of it. Ironic, huh? LOL A pound sign means something entirely different in .htaccess coding compared to HTML coding. 😉
I would imagine that even though I comment that part out, it is still better to use the .htaccess file by BulletProof than the default WordPress one? I will start searching for a new plugin, unless he fixes it soon.
Yes you are correct. Basically by commenting out that 1 BPS security filter it just means that an RFI attack could be used against your website, but that attack would require some exploitable coding in combination with the security filter being commented out. This recently added new security filter in BPS specifically blocks the new CGI Exploit found by the php.net folks.
I took a look the Events Made Easy plugin’s coding and it looks like it would be very simple to fix the malformed query string.
Hello,
Unfortunately I just discovered that BPS prevents Powerpress from working properly… after iTunes removed my 4 year old podcast without warning.
After 2 weeks of email exchanges with Apple they finally told me that my podcast feed “has too many 403 errors”… which finally led me to BPS as the main cause.
I see that you posted a fix for that in the comments, so I have 2 questions:
– If I implement this fix to make iTunes work again, will I have to do this fix each time I upgrade BPS?
– Do you plan to integrate this fix directly in BPS in the future?
Olivier
Wow that was crummy of them to do that without warning considering your long standing/posting with them. Very sorry to hear that they did that.
There was an old Powerpress issue that was resolved back in 2011 when the new .htaccess loop structure in BPS was changed, but someone else recently mentioned that they were having a problem with Powerpress. So something has changed in Powerpress or on the iTunes/Apple side of things. Did they by any chance give you the exact details of what in your podcast feed was generating 403 errors? For example the exact query string or characters in the podcast feed URL that are dangerous, unsafe or would leave your website vulnerable to a hacker? BPS only blocks things that can get your website hacked, but BPS is also built with overlapping security protection so adding skip/bypass rules may allow a vulnerability, but it will be very limited and most likely some other security filter will overlap that security vulnerability.
I will test Powerpress and find what has changed and create a new skip/bypass rule for this, but what I need from you is the exact details about what exactly is being blocked. Please send all details and information about exactly what is being blocked to info[at]ait-pro[dot]com.
Regarding implementing the fix permanently – BPS now automatically updates the .htaccess files when upgrading. This will automatically add any new security filters when they are available and update your .htaccess files, but any coding fixes you have added will not be removed, altered or changed. So if you add the new Powerpress skip/bypass rule and then update/upgrade BPS then your Custom Code will not be altered or modified when upgrading BPS. And if you use the BPS Custom Code feature to add this new plugin skip/bypass rule then if you ever need to use AutoMagic again to create new master .htaccess files then your Powerpress custom plugin fix would be included in your root .htaccess file because BPS Custom Code is saved to your WordPress Database permanently or until you delete it.
Thank you for providing a great plugin (I’m using v47.1). I am using BPS on a Dreamhost install of WordPress, and my Dreamhost stats, which used to work with the following custom code added to the root .htaccess no longer do so since my install was moved to a different Dreamhost server:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(stats|failed_auth\.html).*$ [NC]
RewriteRule . - [L]
Can you suggest a fix?
Well since your .htaccess code did not change, but you changed Servers then you would need to look at what is different about the Server. Is Stats set up on this new Server? Is this new Server using DSO or CGI? Check with DreamHost and see if they can tell you what the difference is between your old Server and new Server and if Stats is set up on the new Server.
We seem to have an issue with wpremote, a backup plugin from
http://wpremote.com
Human Made Limited
version 2.13
We tried adding a skip, but no joy.
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wpremote/ [NC]
RewriteRule . - [S=13]
*** UPDATE ***
This security filter in the BPS Root .htaccess file is blocking wpremote.
Looking at the coding of this plugin I see 2 general things that it requires that would be blocked by BPS Pro.
This plugin uses shell_exec – remove shell_exec from the disable_functions directive
disable_functions = system, exec, passthru, show_source, popen, pclose, pcntl_exec
This plugin uses persistent MySQL connections – set the mysql.allow_persistent directive to On from Off
mysql.allow_persistent = On
Without knowing more specific details about the exact problem and error I can only generalize possible solutions. Please post specific details about what exactly is not working or is being blocked by BPS. Thanks.
It would be nice if the current permission setting would be visibly highlighted if it differs from the recommended setting. Or at least if the current setting is less restrictive than the recommended setting.
*** UPDATE & FINAL CONCLUSION ***
This comment has been removed as it is no longer valid. New coding changes have been made to the 6scan plugin.
6Scan claims to only do a scan for weaknesses. There is a subscription service for a vulnerability cleanup tool of some kind. At the moment, 6Scan is not reporting any problems to me, but maybe BulletProof is protecting the site from 6Scan’s vulnerability tests.
Where is the troublesome extra blank line? There are many \n\n in the root .htaccess file — wherever there is a blank line.
Yep you are right. The code is not defined enough and is very vague about doing a pre-check to see if the .htaccess file is writable.
Accident, surely.
“Does 6Scan Security work with other security plugins?
Yes, 6Scan Security has been tested with many other security plugins and does not conflict with them.”
http://wordpress.org/extend/plugins/6scan-protection/faq/
[Link removed]
Good day AITpro Admin,
I represent 6Scan, and want to comment on your post.
First of all – I am ready to answer your questions regarding technical aspects of our plugin, if you still have some left (After reviewing our code).
Bulletproof detects its presence and status by reading the .htaccess and expecting several characters to be positioned at specified offset. While I understand the idea behind that technique, it will not work if another plugin changes the .htaccess.
In this case – 6scan does change this file and adds its directives to the beginning of the .htaccess. In this case, Bulletproof will indeed fail to detect its presence in the system (though the main functionality – protecting rules – is intact).
We do want to improve our plugin and are open to suggestions. Would you like to describe what part of our design/code you have found unsatisfying?
P.S.
The code you quoted actually does something else (It does not add 2 LFs to the beginning, but adds 2 LFs between 6Scan’s directives and the rest )
I will test the latest version of 6scan to see if this problem is still occurring.
“It is confirmed that this plugin is interfering with BPS either intentionally or unintentionally by adding 2 blank spaces to the beginning of the root .htaccess file on plugin activation.”
If the problem still exists I will offer a coding solution.
If the problem no longer exists I will remove this entire comment as it would no longer be valid information.
Thank you.
Also several of the comments in this thread have been removed due to being offensive in nature and the person who posted it was warned. Thank you.
Test Environment
Local XAMPP installation
The coding of 6scan has changed and the old coding that was mentioned before no longer exists.
New problem
Blank spaces are inserted at the top of the .htaccess file on each failed plugin activation.
Error message on failed activation
There was a problem registering your site with 6Scan: There are no HTTP transports available which can complete the requested request..
A solution was found to prevent the blank space from being inserted on failed activation on the local XAMPP testing site.
Since the plugin was not tested in a Live Environment this test does not indicate whether or not this same problem would occur on a Live site. This test does although pinpoint the problem code in a XAMPP testing Environment.
To complete testing on XAMPP site this file’s coding was modified and the blank space was no longer being inserted into the root .htaccess file on failed activation.
/6scan-protection/admin/includes/installation.php
Code lines modified related to problematic function – sixscan_installation_try_direct_write_file
After commenting out this function and related calls to this function, the problem of the blank space being inserted into the top of the root .htaccess file no longer occurred.
Good day!
Are you sure it was this function? It just tries to open .htaccess for write access, and then immediately closes it (I’ve tested it again, but this specific code does not add symbols to the file being opened).
We will try to see why a failed installation adds LF symbols to .htaccess.
In any case, perhaps you have a proposition about how to check whether BulletProof is installed? Currently it expects the .htaccess rules to be positioned in very exact places (the $check_string_cur_ver variable).
When 6Scan adds itself to the beginning of .htaccess, users see BulletProof inactive (When in fact, this is not correct)
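The design point raised in the two posts above (detecting a plugin’s own rules by fixed offset breaks as soon as another plugin prepends to the file) can be illustrated with a marker-delimited lookup. This is an added example written for this thread, not code from BPS or 6Scan: the rule block, the block name and the other plugin’s prepended lines are constructed placeholders, and the comparison mirrors the `# BEGIN name` / `# END name` convention WordPress itself uses in .htaccess.

```python
# Constructed sample rule block standing in for a security plugin's own
# rules; it is not any real plugin's .htaccess content.
PLUGIN_NAME = "Sample Security"
PLUGIN_RULES = "\n".join([
    "RewriteEngine On",
    "RewriteBase /",
    r"RewriteCond %{REQUEST_URI} ^/wp-admin/install\.php [NC]",
    "RewriteRule . - [F]",
]) + "\n"


def wrap(name, rules):
    """Surround a rule set with BEGIN/END marker comments."""
    return f"# BEGIN {name}\n{rules}# END {name}\n"


# Three constructed files: the plugin's block first, the same block after
# another plugin prepended blank lines plus its own block, and a copy where
# one rule was removed by hand.
FILE_CLEAN = wrap(PLUGIN_NAME, PLUGIN_RULES) + wrap("WordPress", r"RewriteRule ^index\.php$ - [L]" + "\n")
FILE_PREPENDED = "\n\n" + wrap("Other Scanner", "RewriteRule ^scan-me/ - [L]\n") + FILE_CLEAN
FILE_EDITED = FILE_CLEAN.replace("RewriteRule . - [F]\n", "")


def fixed_offset_check(htaccess, expected_block):
    """The brittle approach under discussion: the block must sit at the very
    start of the file, so anything prepended makes the plugin look inactive."""
    return htaccess.startswith(expected_block)


def find_block(htaccess, name):
    """Locate '# BEGIN name' ... '# END name' anywhere in the file.
    Returns (1-based line number of the BEGIN marker, list of inner lines)
    or None when the block is absent."""
    lines = htaccess.splitlines()
    start = end = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s == f"# BEGIN {name}" and start is None:
            start = i
        elif s == f"# END {name}" and start is not None:
            end = i
            break
    if start is None or end is None:
        return None
    return start + 1, [l.rstrip() for l in lines[start + 1:end]]


def block_status(htaccess, name, expected):
    """'active' when the block's rules equal what the plugin wrote (blank
    lines and trailing whitespace ignored), 'modified' when they differ,
    'missing' when no block is found at all."""
    found = find_block(htaccess, name)
    if found is None:
        return "missing"
    _, content = found
    actual = [l for l in content if l.strip()]
    wanted = [l.rstrip() for l in expected.splitlines() if l.strip()]
    return "active" if actual == wanted else "modified"


if __name__ == "__main__":
    block = wrap(PLUGIN_NAME, PLUGIN_RULES)
    for label, text in (("clean", FILE_CLEAN), ("prepended", FILE_PREPENDED), ("edited", FILE_EDITED)):
        print(label, "fixed-offset:", fixed_offset_check(text, block),
              "marker lookup:", block_status(text, PLUGIN_NAME, PLUGIN_RULES))
```

The fixed-offset check reports the prepended file as inactive even though every rule is intact; the marker lookup still finds the block on line 6 and reports it active, while a genuinely altered block is reported as modified rather than silently accepted. The ordering caveat from the thread remains: a block that another plugin places ahead of the security rules runs first, so detection and precedence are separate questions.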
Incidentally, sorry about putting this highlight-permission suggestion here in the compatibility discussion. I meant to put it in the more general comments, but didn’t realize which window I was typing into.
The 6Scan plugin prepends some changes to the root .htaccess which triggers the following from BulletProof:
Ok thanks for the heads up. I will download this plugin and see what it does.
Hi there.
I’ve been trying to work with 6Scan to get the issues ironed out between the two plugins. I have installed 6Scan version 2.2.8 and Bulletproof version .47.3.
Using a previous version of Bulletproof and 6scan together would result in HTTP 500 errors on my blog. I’ve since updated Bulletproof but have been leaving 6Scan disabled. I would of course prefer to have both.
Since the 500 errors I have intentionally been leaving 6Scan disabled. I was asked by the authors of 6Scan to do some testing and possibly find the 500 errors in the Apache logs and send back whatever I could.
Now when I enable 6Scan and Bulletproof I no longer get 500 errors. Instead now the only thing I get is that Bulletproof can’t find its config stuff in .htaccess. So whatever it is it unfortunately looks like a Bulletproof issue and not a 6Scan issue. The only thing that has changed is I’ve upgraded Bulletproof to a more current version.
Please make whatever changes need to be made so 6Scan and Bulletproof can co-exist peacefully.
Thank you,
alan
Yep the old issue is no longer a problem, but there is another quirky issue going on. 6scan is borrowing a little snippet of coding from the WordPress Core and for whatever reason that snippet of coding is adding blank spaces to the top of the root .htaccess file when activating 6scan. The 6scan folks are aware of this issue and I assume they will fix it in the next version release. So to manually fix this problem all you need to do is go to the BPS Edit/Upload/Download page and delete the blank spaces at the top of your Root .htaccess file. We could easily provide a coding fix to get around this problem, but that would be putting a band-aid on the real issue of why that snippet of WordPress coding is inserting blank spaces into the root .htaccess file. So it is better that 6scan actually takes care of that root problem. Thanks.
Not good.
I opened up .htaccess and there were no blank lines of any kind at the top of .htaccess. The first character in the file was a # for a comment line.
So I just shuffled your stuff on top of theirs and no one’s complaining. 🙂 So now the Bulletproof stuff comes first followed by 6Scan.
alan
Excellent! Thanks for confirming that everyone is playing nice now. 😉 FYI – To see the blank spaces you have to view the .htaccess file with the BPS built-in .htaccess file editor. When you download the file and open it you will not see the blank spaces. Thanks.
Hi Ed!
I’m wanting to speed up my sites, but I know there have been security issues with some of the cache plugins. I see the ‘major’ ones have been tested, but I am anxious about allowing, for instance, quick cache the file permissions it wants (755 when you are recommending 705, etc.) Can you give me a suggestion for the cache plugin that will play best with BPS Pro? Or perhaps I should focus on other methods of speeding up my page loads.
Thanks!!
Actually there are not any security issues with any reputable caching plugins. I think Quick Cache is a reputable caching plugin. Typically a plugin may need 755 file permissions only temporarily to be able to write to a particular file. With caching plugins those particular files are usually ONLY going to be wp-config.php and .htaccess. I think Quick Cache only needs to write to the wp-config.php file temporarily and does not do caching with .htaccess code. The key thing to note is “temporarily” write to a file. Once a plugin has done whatever temporary write it needs to do then you should be able to change the file permissions to whatever you want after that. My personal favorite caching plugin is W3TC.
Just checking to see if you have had any conflicts with the Wishlist Member Plugin? I have several Wishlist Member website that I want to put BPS but I want to check with you first.
Thanks in advance for your help in this matter.
No one has ever reported a conflict regarding this plugin. What i suggest is installing BPS on one of the sites and testing that everything is working normally. If there is a conflict somewhere then a simple skip / bypass rule will fix the conflict. Please post back here if there is a conflict. Thanks.
I just purchased the s2member plugin to upgrade my membership management features of my various sites. I am also using BPS Pro 5.1.5. With s2member active, when I click on a protected page without logging in first, BPS Pro produces a 403 error. I’ve copied the uri below. Perhaps you can help me understand what the issue is and how to fix it?
*** UPDATE ***
This fix will be added to the plugin fixes page.
This fix requires the specific URI path to whatever protected page is being blocked.
Issue resolved via direct email.
I have a couple of flv files I’m trying to play in posts. Since installing BPS I can’t get them to play using the plugin “XVE Various Embed”. I tried the Stream Video Player, but it fails with the current IE version and doesn’t seem to be updated anymore. I have the posts removed at the moment. But any help is appreciated.
I will test this plugin. Can you give me some specific details about the exact steps are you doing and the end result that is not occurring / working correctly. Thanks.
Ok I have tested this plugin by adding a local FLV file and BPS did not block the video. If BPS is blocking something else then please state specifically exactly what is being blocked.
I have the FLV file in the default upload directory, and after installing BPS I can’t get any videos to play with any web browser. Chrome at least will load the player but then the stream fails with it can’t find the file.
I took the lines from the stream video player above and changed them to this:
# XVE Various Embed - Adding FLV Video Blocked By BPS
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xve-various-embed/ [NC]
RewriteRule . - [S=8]
Adding that failed to fix it, and I could not get it to work again. I will try some more tonight. Thanks for checking into it.
*** UPDATE ***
The problem was caused by a simulated RFI attack due to a coding problem and not a conflict. The coding that was causing this problem has been corrected and no .htaccess skip rule is needed for this plugin.
The successful test I did was the same then. I uploaded an FLV file and then added the shortcode to a test post with the path to the FLV file and it worked without requiring an .htaccess skip / bypass rule, so it appears this plugin is not blocked by BPS. If you can provide me with a URL link to the FLV file on your site I will look at your site’s source code for errors. Thanks.
Also I chose the JW Player as I think it is probably the most stable player out of all of them.
Also this plugin seems like a nice alternative if you can’t get this one to work >>> JW Player for WordPress
I am having a bit of trouble with a plugin called Rsvpmaker. I have added the following to my root .htaccess:
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/rsvpmaker/ [NC]
RewriteRule . - [S=13]
But I still receive a 403 error. If I disable my secure .htaccess and go back to the default it works fine. Clearly I’m doing something wrong, any ideas?
Is this for the free version 2.4.2 or the premium version? If this is for the free version of the plugin I will test it. If this is for the premium version then you will need to troubleshoot it by looking at exactly what this plugin is doing when BPS is set in Default Mode. Is a query string displaying in a URL? If so copy that query string and then you can create a query string skip rule.
*** UPDATE ***
I tested the free version and everything I tested worked fine. What exact specific feature is not working correctly for you?
This is for the free version… You can see the error here…
http://www.brianandmarcia.com/rsvpmaker/our-wedding/?#rsvpnow
When I go to the RSVP section of the site
http://www.brianandmarcia.com/rsvp/
And click the RSVP now button, I get the 403 error…
When I remove the question mark from your URL, which should not be there, I can see the page without an error. And your other URL links have the same problem. They have question marks in them that should not be there. This does not appear to be caused by BPS – you have bad URLs.
I have been using the WSD Security plugin (wp-security-scan) on my sites as well as BPS. I am a bit paranoid after getting hacked earlier this year.
I wondered if this plugin offered me any benefits (other than being able to change the table prefix) and if I am better off without it?
So many plugins on WordPress all claiming that they are the best thing since sliced bread, it’s hard to know.
I trust you guys – just purchased my BPS Pro copy today having tried the basic version for a few weeks.
The DB table prefix renaming thing is a novelty idea and not really a security solution. Yes, I actually get kind of angry when I read some of the BS in the WP plugin repository for some of the security plugins, but then I remind myself that if someone really feels that their plugin is the best thing since sliced bread then they are allowed to think and believe that. I have found that when people have a little knowledge about something they tend to think they know more than they really do. When someone has vast knowledge of a particular area they tend to be more humble. Ironic, but it makes complete sense. And then of course you have the typical scammers and liars. LOL
I guess there is nothing really worth having in the WSD plugin in that case, off to delete it, thanks.
It’s great to have hotlinking to images blocked, however I do link to some images on my site(s) from my pages on Squidoo.com and having installed BPS of course these images are no longer showing.
Is it easy to change the hotlinking protection to allow 1 or more specific sites to hotlink to images?
Would it be easier/safer/preferable to place those images in a separate folder (rather than the standard media library) for use by external sites? I would have to use FTP to place the images there, but by doing this I could maybe restrict hotlinking to a specific folder.
I’m not sure how easy it would be to do this.
BPS Pro is not blocking Hotlinking. I have added some optional code in the Root .htaccess file, but it is commented out and not being used. I would need more specific information about what exactly is not working correctly. Is it a plugin that is doing the linking? Did you create custom links or coding to do this linking? Please post specific details with example URLs. Thanks.
I created custom links which were working before I re-installed the site on a new host. I checked and the images are still there in the uploads folder. Will do some further investigation, I assumed it was hotlinking protection causing it.
Yep, just compare the literal URL to the image file in your uploads folder with the URL link in your coding. If that is OK then it is NOT going to be a timthumb thing, because we have finally put that puppy to bed with the new .htaccess code for timthumb scripts. Another thing I have seen is that some Themes use allow_url_fopen to open image files. Why a Theme author would do something that dumb is beyond me, but if you have set up a custom php.ini file then you may need to change allow_url_fopen = Off to allow_url_fopen = On.
Hi,
I’m having troubles with Google Analytics Dashboard, it shows this error: “Could not load Google Analytics data.”.
I have tried to change rules but it doesn’t work… any idea?
——————— .HTACCESS
### new characters rules
#OLD RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
### end new characters rules
Oops my plugin fixes page is missing the rest of the info on the fix for Google Analytics Dashboard. I will update that right now. You need to remove ONLY the parenthesis characters from BOTH the Root .htaccess file security filter and the wp-admin .htaccess file security filter.
http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/
Great great plugin, thank you!
I’ve deleted the parenthesis characters from the root and admin .htaccess but I still have the same error: “Could not load Google Analytics data.”. I think there is something else in the admin .htaccess; when I delete it, Analytics Dashboard works.
Could you show us the admin .htaccess modifications?
Thanks
I did something wrong!
Now it works
thank you
I got the below error when I activated the plugin (using Pro 5.1.3).
Plugin could not be activated because it triggered a fatal error.
Warning: require_once(/home2/standav7/public_html/wp-content/plugins/bulletproof-security/includes/class.php) [function.require-once]: failed to open stream: No such file or directory in /home2/standav7/public_html/wp-content/plugins/bulletproof-security1/bulletproof-security.php on line 43
Fatal error: require_once() [function.require]: Failed opening required '/home2/standav7/public_html/wp-content/plugins/bulletproof-security/includes/class.php' (include_path='.:/usr/lib64/php:/usr/lib/php:/usr/share/pear') in /home2/standav7/public_html/wp-content/plugins/bulletproof-security1/bulletproof-security.php on line 43
This is a common issue that happens when you use the WordPress Upload Zip installer (PCLZIP). A number has been appended to the bulletproof-security folder name during PCLZIP installation >>> bulletproof-security1. You can either use FTP or your Web Host control panel to rename the folder to bulletproof-security by removing the number “1”. BPS Pro has a built-in Upload Zip installer for this reason and a couple of other reasons. So all future upload zip installations of BPS Pro should be done using the built-in BPS Pro Upload Zip installer. Thanks.
Cart66 Plugin does not work with BPS when using any front-side AJAX calls. Throws 403 errors.
Let me know if the .htaccess skip rule I sent you does the trick. If not then I will need to know the exact errors and when and where they are occurring.
Yes, that fix worked great so we should be good to go.
Thank you for confirming that this code works. I will post this code to the Plugin Compatibility and Conflicts page. Thank you.
Two plugins that are causing conflicts are Bad Behavior and Wassup on 403 pages (example readme.html):
Warning: Cannot modify header information – headers already sent
Yes, I have noticed that these plugins and some others are trying to track the BPS Pro 403.php BlackHole template and are generating these headers already sent PHP errors. The 403.php template should not be tracked or monitored because it is intended to send hackers or people using “bad” requests to this 403.php template. This nuisance issue is on my list of things to take care of and I will have a solution to compensate for this nuisance issue in BPS Pro 5.1.4. It is also acceptable to change your error_reporting to not show all PHP errors – just show Fatal PHP errors, but not Notices or Warnings – but I will still find a solution so that these plugins do not generate these nuisance PHP errors. 😉
; Examples:
;
; – Show all errors, except for notices and coding standards warnings
;
;error_reporting = E_ALL & ~E_NOTICE
;
; – Show all errors, except for notices
;
;error_reporting = E_ALL & ~E_NOTICE | E_STRICT
;
; – Show only errors
;
;error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
;
; – Show all errors, except coding standards warnings
;
;error_reporting = E_ALL
A solution has been created in the 403 BlackHole template and these nuisance php errors are no longer being generated by these 2 plugins.
After I installed the last update I got the following error. I can’t enter the website or the admin part.
—————
Parse error: syntax error, unexpected '<', expecting ')' in /home/otd/public_html/wp-content/plugins/bulletproof-security/includes/functions.php on line 167
—————
Please help.
Already fixed through the WP forum.
Yep glad we could answer your questions in the WP Forum. In the future there is no need to post in both places. We monitor the WP forum daily throughout the day so it is fine just to post there or just to post on the AITpro site. Thank you.
Ed
This is a website / web host configuration problem. Most likely PHP4 is running when PHP5 should be running and PHP5 is required for BPS.
Dear Sir,
I have installed the BPS latest version on my site (http://indianscholars.net). It is a WP Multisite install on a sub-directory. I had ‘network enabled’ BPS and used the magic buttons to create proper .htaccess files.
The problem is that images uploaded via the dashboard are not visible in posts/pages etc. on subdirectory sites. On the main site, they are OK and visible.
In fact I have noticed that the ‘Set as Featured Image’ link also disappears from the dashboard on the main as well as subdirectory sites as soon as BPS is activated in secure mode. I also noticed that the icon named ‘add image’ (near the ‘add media’ icon in the dashboard) also disappears.
May you kindly suggest an appropriate solution to the above.
Regards,
S. K. Verma
BPS should not be Network Activated – sub sites are virtual in MU so you only need to protect the Primary site in order to automatically protect all of your sub sites.
Check your Screen Options (top right floating WP button) to ensure that you have checked Featured Image to Shown on Screen. Not sure what you mean by ‘add image’, but check your settings options for that too. FYI – BPS is now and forever blocking thumbnailer scripts by default in the root .htaccess file. If you want to allow thumbnailer images to display then check to ensure that ALL thumbnailer scripts are security patched or recent versions of timthumb.php before you decide to allow thumbnailer script images to display on your website.
*** UPDATE ***
I see that this is a known issue with WordPress Network / MU websites
I have created a new post that explains how to correct this issue >>> http://www.ait-pro.com/aitpro-blog/3454/wordpress-tips-tricks-fixes/wordpress-network-mu-images-not-displaying-images-not-displaying-in-media-library-images-not-displaying-on-website/
Hey, first thanks for a super super cool plug-in! I have a little problem when I use the plugin with the XXX plugin(here )! I am doing a call to
http://www.newblog.com/?b2w=http://oldblog.blogspot.com/2010/09/post123.html
that should resolve to
http://www.newblog.com/2010/09/post123.html
Any ideas?
Oops, the XXX is Blogger To WordPress Redirection and a link here http://wordpress.org/extend/plugins/blogger-to-wordpress-redirection/
This is simulating a RFI – Remote File Inclusion hack on your website and is one of the primary things that BPS blocks in the Query String Exploits filters. To allow only this plugin to do this try this skip rule below. CAUTION!!! I have not looked at the coding in this plugin, so if there is a way that a hacker can hook into this plugin then they will be able to successfully hack your website using an RFI attack. As long as the plugin has security code in it to ensure that only internal links are allowed to redirect then your site is safe, otherwise your site will get hacked. When I get a chance I will test this plugin to see if I can hack it and hack a testing site.
Sorry I have not replied before. I just tested it and it seems to work perfectly. If I look in the plugin code, what it does is that it looks for some meta values in the database and if it finds them and they match it makes a redirect; if they don’t match it just redirects to home_url() so I think it is safe… maybe 🙂
Hi,
Thanks for the great plugin. Looks like it will work great.
I’m having one problem, and I haven’t been successful with a workaround. I am using the plugin User Avatar 1.4.6 and I have been unable to display avatars in the blog with BPS activated.
Have tried:
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/avatars/ [NC]
RewriteRule . - [S=30]
no luck there.
Any help would be greatly appreciated. Thanks!
*** UPDATE ***
Actually I just noticed that the Request URI rule you added is incorrect. Try this instead
I have tested User Avatar and the avatars displayed correctly in Comments using the WP 2011 Theme. Have you double checked Settings >>> Discussion >>> Avatars to make sure the Show Avatars option is on? This could possibly be a Theme issue I guess, but I seriously doubt that. I see that you have comments turned off. Normally an avatar is displayed in comments. When I look at “About The Author” I see that the image URL is your-domain-url/wp-content/plugins/user-avatar/user-avatar-pic.php?src=your-domain-url/wp-content/uploads/avatars/1/1295828258-bpfull.jpg&w=80&id=1&random=1295828258.
This is similar to a common thumbnailer image link and simulates an RFI hacking attempt by adding src= after your URL with a link to your images. So my guess is that you will need to do something like this: use a safe portion of the query string to allow this simulated RFI attack to bypass the BPS exploit filters. Whatever you do, DO NOT use src= or src=http://. If you do allow src= to bypass the query string exploits filters then you are guaranteeing that your website will be hacked at some point. Thanks.
ONLY TRY THIS RULE IF THE ABOVE SKIP RULE DOES NOT WORK
I tried both fixes with no joy. I’m sure they would work on the standard setup, but I just remembered I’m doing something a bit outside the box. I’m calling the User-Avatar images from a plugin called People Lists. People Lists allows one to build lists of links and display them using a separate template. So, People Lists uses a code %thumbnail% to display a users image, which is drawing from /wp-content/uploads/avatars/ , which is populated by the User Avatars plugin (by my understanding). The template is a table that includes the following for the image:
%thumbnail%
Any ideas? I really appreciate the help.
You can see the areas that are missing the images on the Teachers page.
Hmm. OK, first off I want to say that the /uploads folder is kind of a dangerous area in general and especially if opened up to the public, so you want to be very careful about creating rules that allow access or removing any security filtering relating to that particular folder. And if you end up allowing something that gets your images to display correctly but your website gets hacked then this is going to be a self-defeating thing because you will be losing time restoring / repairing your website.
OK, so here is the main issue that you are facing. You are simulating and creating a Remote File Inclusion (RFI) hack on your own site, so you need to be able to allow this intentional hack on your site but limit the possibility of a hacker bot detecting this vulnerability / exploit to take advantage of it. That is why taking the Query String rule approach is dangerous, because your own query string skip rule could be used against your site by extending the query string with other variables. Here is the worst case scenario that I see. You open up your uploads folder to a hacker, he / she is able to upload a file and execute it remotely with RFI. Both the uploading and remote execution can be done by exploiting the rule you create to bypass the filters. I played around with this and I was successfully able to accomplish both an upload and remote execution of the uploaded script using several different skip rules.
This is most likely the primary RFI exploit filter that is blocking you from hacking your own site. RewriteCond %{QUERY_STRING} http\: [NC,OR] This is a very, very important filter so if you comment it out you are asking for trouble.
Have you tried something simple like creating a skip rule for the People Lists plugin?
I can easily see a way for you to open up the /uploads/avatars folder to the public (and hackers of course) and get your images to display correctly, but as I have explained above, when I did this in testing I was very easily able to upload a test script (neutered Alucar Shell) and execute it remotely – uploaded a script with an image file extension and executed it remotely to generate a new file with a .php file extension, which gave me a fully functioning Shell login script to log in with and take total control of the testing website.
Ok so looking at the trouble spots:
The src attribute specifies the URL of an external script file.
The external script file cannot contain the tag “script” – but this can be exploited by pointing the src= attribute to a script tag
BPS sees the URL to the image file as an external link that is trying to perform an RFI hack on your site
http:// is filtered because this is used in a typical RFI attack
So after looking at all the more complex approaches I just thought of something really simple – take a block image hotlinking approach but use skip instead. This may or may not work as is. You may need to add additional conditions, but I think this is the general approach you should be taking.
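As an added example (not BPS code and not from anyone in this thread), the Python below approximates the query-string conditions quoted on this page: the “new characters” rule with and without its two parenthesis alternatives (the Google Analytics Dashboard fix above) and the http\: RFI condition, plus the effect of a REQUEST_URI skip rule such as the uploads-path one tried for User Avatar. It assumes Apache’s [NC] behaves like a case-insensitive regex, that the raw (undecoded) query string is tested, and that the rule’s unencoded `<` and `>` alternatives sit beside their %3c/%3e encodings; the sample requests are constructed except for the two URLs copied from this thread.

```python
import re
from urllib.parse import urlsplit

# Added example, not BPS code. It emulates an [OR] chain of
# "RewriteCond %{QUERY_STRING} <pattern> [NC,OR]" lines with Python regexes
# ([NC] -> re.IGNORECASE) and a skip rule "RewriteCond %{REQUEST_URI} ^<prefix> [NC]"
# + "RewriteRule . - [S=n]" as "jump past the query-string conditions".

# The "new characters" rule from the thread (assumption: unencoded < and > are
# part of it, alongside their %3c/%3e encodings) and the same rule with ONLY the
# two parenthesis alternatives removed, as the Google Analytics Dashboard fix says.
CHARACTERS_ORIGINAL = r"^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).*"
CHARACTERS_GA_FIX = r"^.*(\[|\]|<|>|%3c|%3e|%5b|%5d).*"
RFI = r"http\:"  # the "very, very important" RFI condition quoted above

DEFAULT_CHAIN = (CHARACTERS_ORIGINAL, RFI)
GA_FIXED_CHAIN = (CHARACTERS_GA_FIX, RFI)


def first_matching_condition(chain, query_string):
    """Return the first pattern in the [OR] chain that matches, else None."""
    for pattern in chain:
        if re.search(pattern, query_string, re.IGNORECASE):
            return pattern
    return None


def decide(url, chain=DEFAULT_CHAIN, skip_prefixes=()):
    """Return 'skip', 'allow' or 'block:<pattern>' for one request URL.

    A REQUEST_URI that starts with one of skip_prefixes jumps past the
    exploit filters (the [S=n] skip); otherwise the QUERY_STRING is tested.
    """
    parts = urlsplit(url)
    path = parts.path.lower()
    if any(path.startswith(prefix.lower()) for prefix in skip_prefixes):
        return "skip"
    hit = first_matching_condition(chain, parts.query)
    return "allow" if hit is None else f"block:{hit}"


# Sample requests. Two are copied from the thread; the rest are constructed
# (the GA-style query and the example.com host are illustrative only).
GA_DASHBOARD_LIKE = "/wp-admin/admin-ajax.php?action=gad_data&range=(7d)"  # constructed
B2W_REDIRECT = "/?b2w=http://oldblog.blogspot.com/2010/09/post123.html"  # from the thread
AVATAR_IMG = ("/wp-content/plugins/user-avatar/user-avatar-pic.php"
              "?src=http://example.com/wp-content/uploads/avatars/1/1295828258-bpfull.jpg"
              "&w=80&id=1")  # path from the thread, host constructed
SCRIPT_TAG = "/?s=<script>alert(1)</script>"  # constructed probe
ENCODED_TAG = "/?s=%3Cscript%3E"  # constructed probe, URL-encoded form


def report(chain=DEFAULT_CHAIN, skip_prefixes=()):
    """Decide every sample under one configuration; returns a name -> decision dict."""
    samples = {
        "ga_dashboard_like": GA_DASHBOARD_LIKE,
        "b2w_redirect": B2W_REDIRECT,
        "avatar_img": AVATAR_IMG,
        "script_tag": SCRIPT_TAG,
        "encoded_tag": ENCODED_TAG,
    }
    return {name: decide(url, chain, skip_prefixes) for name, url in samples.items()}


if __name__ == "__main__":
    print("default filters:          ", report())
    # Removing only the parentheses lets the GA-style request through while
    # <, >, [, ] and their encodings are still caught.
    print("GA fix (parens removed):  ", report(GA_FIXED_CHAIN))
    # The skip rule tried for User Avatar matches the uploads folder, but the
    # request path is the plugin's own script, so that rule never fires.
    print("skip on uploads path:     ", report(skip_prefixes=("/wp-content/uploads/avatars/",)))
    print("skip on plugin path:      ", report(skip_prefixes=("/wp-content/plugins/user-avatar/",)))
```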
Hi,
Same problem here I’m afraid with the User Avatar plugin. None of the above three fixes seem to work.
Any further ideas? Regards, James
The User Avatar Plugin has been scheduled for testing and a solution will be posted after testing is completed.
Note: If a bad coding practice is the cause of the problem that would leave your website vulnerable to being hacked then a solution will not be posted and the plugin author will be notified.
Testing completed – no problems or conflicts were found.
The User Avatar plugin and People Lists plugin were tested together and no conflicts were found with BPS. I was able to create a custom avatar as a new user, create a reply to a comment as a new user and the custom Avatar displayed correctly.
*** Comment has been moved to the appropriate page ****
I use Inline Editor Version 0.7.6 | By WPXpand. It allows you to make quick changes to posts from the main front page. When I activate BPS it seems to affect this plugin, as when I click save on the post the page hangs forever?
How do I give this plugin rights to read & write to posts ?
Inline Editor Version 0.7.6 | By WPXpand has been tested with the WP 2011 Theme and also with your Adventure Journal Theme and there are no conflicts. Inline Editor works fine with BPS without any conflicts. Please check things like caching plugins, clear your browser cache, ping or tracert your host server, etc. This sounds like either a caching problem or connectivity problem, but could also be something like your DB needs to be optimized or your DB is damaged. Thanks.
I have a Dewplayer plugin on my website that doesn’t work with BPS.
Thanks
*** UPDATE ***
Actually this plugin is not safe to use because this coding in the plugin is not protected with sufficient security checks and security coding protection. This can be hijacked very easily and a hacker could very easily exploit this code. If you remove this function from the plugin then it will be safe to use, but I would go ahead and add the additional security checks coding that is missing from the plugin coding too. And actually you will need to remove the dewplayer_check_plugin_version function and this action add_action( 'after_plugin_row', 'dewplayer_check_plugin_version' );
*** See UPDATE above ***
This plugin is quite old, but I downloaded it and looked at the coding and it looks generally OK. Now when I say OK I mean that it does not have any security coding in it, but for what this plugin is doing I think that it will not create a security vulnerability on your site. Checks like is_admin, current_user_can('manage_options') and checking the referrer in forms, etc. on the backend – the coding does not contain any security checks coding. The last update for this plugin was almost 4 years ago and the plugin author’s website is no longer around.
Please tell me the specific error or problem that is occurring. Thank you.
Thank you for your prompt reply! I will just remove the DewPlayer and use a different one.
Also, I’ve just noticed that after I installed BPS on my website, Google Analytics shows 0 visitors. It is receiving data, the analytics code is fine. From Oct 12th (the day when I activated BPS) to this day, it says there are 0 visits. Not that it bothers me, just wanted to let you know.
Thank you in advance!
Yep, no problem. I never should have allowed Timthumb scripts to be allowed by default to skip BPS .htaccess filters. So the last thing I want to do is repeat doing something like that. If people want to make the choice of possibly getting their website hacked then that will be their choice. All future version releases of BPS have all thumbnailer scripts Forbidden by default in the root .htaccess file. I would rather get complaints from people that they have to do an extra step to get their thumbnailer scripts to work than have them get their websites hacked because they were not paying attention.
Are you talking about a GA plugin or GA itself? I don’t have any issues with GA on any of my sites.
FYI – are you aware that “Selektor” is a known hacker’s handle. I have collected a bunch of his scripts from hacking attempts against AITpro. 😉
Thanks.
I use a membership plugin called s2 member pro. s2member.com
When BPS is activated, s2member pro does not function correctly. There is a URL which returns to the site after a purchase is made but BPS does not allow this and I get a 403 page.
Can you advise?
Thanks.
BPS has been tested with S2 and NO compatibility problems were found. Things change constantly though. The problem is most likely isolated to the URL request itself. A filtered word used in the URL is being blocked by BPS as being seen as an external request made in the query string. Please post the URL so that I can tell you what is causing the problem. Thanks.
I run Blubrry’s PowerPress as well as James and have recently encountered the following error when attempting to verify the media (mp3) URL when creating a post under the ‘Podcast Episode’ element of a post edit: The requested URL returned error: 404.
If I copy and paste the same media URL into my address bar, the .mp3 queues right up. I have successfully produced 20+ episodes prior to this occurring.
I was hoping I could reverse engineer the code you have for podPress, thinking they may be similar in their snags, but I do not know how to tailor it for PowerPress.
Best regards and thanks for any assistance,
Ryan
For what it’s worth, I’ve zapped the call to all BPS in my public_html/.htaccess and desired functionality of PowerPress was restored… so now I know the culprit code is in there somewhere…
Ok I will put this plugin in testing. Thanks.
OK, here is the fix for the 403 / 404 redirection problems with Blubrry PowerPress. You must use a virtual directory name. I have randomly chosen “bpp”, but you can choose any name you want here. You cannot redirect back to your root folder because this is in direct conflict with the root .htaccess file. This will cause a hang while the RewriteRule processing loops into infinity. I will make this a standard plugin fix in the BPS master .htaccess file and add this fix on the Plugin Compatibility and Testing page. Thanks for notifying me of this problem.
Test links to verify BPS and BPP are getting along now:
>>>
>>> http://www.ait-pro.com/verum/
Thanks for the quick sniping of this issue, however my tech illiteracy prevents me from understanding ‘virtual directory’ a Google search only further gobsmacks… is this something I’d designate in WHM, cPanel or my FTP client, or from within WP?
I hate answering a solution with a request for education, but must needs as the devil drives.
Virtual directory was just the wording I used to describe /bpp/. There is no technical term called “virtual directory” that pertains to websites that I am aware of; this was just my choice of wording. Looks like I will have to change that wording. 🙂 So basically all I am saying is you must have a folder name like /bpp/. It could be /media/ or /mystuff/ or /podcast/ or whatever else you want to make up. The folder name you are adding here does not really exist on your site, so it is just a virtual name that you are adding here. If you do not add a make believe folder name in the RewriteRule it will loop back into your root site .htaccess file to be processed again and again….then again…then again…..then again…….. into infinity. Thanks.
I was led down a rabbit hole b/c the code did not work for me (and virtual directory is something in hosting apparently – increased my knowledge base there, tho :). Finally I’ve had success when deleting:
With this gone, the
is not needed for PowerPress to verify a podcast episode when creating a post, but I feel the code I’ve omitted may leave a chink in the armor or undermine BPS..?
Hmm, OK, well if the Request Method Filters are blocking something then that would mean that the Podcast Request is coming from an external source other than your site, which would make perfect sense. I did my testing by adding a local mp3 on the test site. I did not test adding a podcast from an external source. The mp3 will not load in an external window unless I use the query string RewriteRule. I just rechecked your site and the podcasts that were working before on your site are no longer loading in an external window anymore. They are looping into reopening the same window instead of launching the mp3. Could you add a URL link to an example podcast that is working now so that I can look at what is going on? I will set up some other various podcasts at a later date when I have more time to fiddle around with this. I provided a couple of links in my previous comment that go to a working local mp3 file that is correctly loading in an external window for verification that the .htaccess query string RewriteRule works. So anyway, add a URL that I can look at to see the exact type of usage you are doing with Blubrry.
Test links to verify BPS and BPP are getting along now:
>>>
>>> http://www.ait-pro.com/verum/
Thanks.
I have been using Blubrry PowerPress and now the audio player is not working. Also I use an external flash player as an internet radio player; this has also stopped functioning since I installed BulletProof Security. Please advise.
I have tested Blubrry PowerPress before and did not find any problems, but you may have something additional set up that I did not test. I am not sure if you are talking about frontend or backend issues. Please post another comment with specific details about the problems. Also please see the Plugin Testing and Compatibility page for general fixes. http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/. Most likely a general skip rule will work for the Blubrry issue. I can’t tell by looking at your site what the Internet radio problem would be or if it is frontend or backend. Thanks.
Hi,
There seems to be a conflict with Bulletproof Security and WP Robot 3 for autoposting. Using WP Robot 3 has an external Control Panel to automate campaigns for multiple domains. Can you please test?
Ok thanks I will put it in testing.
A simple htaccess skip rule appears to work fine at least for the free demo version. I am only testing with the demo free version since this is a premium plugin. If this fix does not work for the paid version of this plugin then check with the plugin authors since this is a premium plugin they should support their product and provide you with further assistance for their product. Thanks.
# WP Robots fix
# If you have WordPress installed in a subfolder you will need to add the
# subfolder name to the RewriteCond /blog/wp-content/plugins/WPRobot3/ [NC]
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/WPRobot3/ [NC]
RewriteRule . - [S=30]
Hello,
There was a great post about this plugin here :
http://wpmu.org/wordpress-security-101-8-tips-tricks-and-tweaks-to-secure-your-wordpress-website/
I followed the instructions but now I have a plugin conflict with the anti spam images not showing up – I am wondering if you can help me with the rewrite rule as described here http://premium.wpmudev.org/forums/topic/comment-spam-pack-plugin-conflict
Thank you!
Hi Tom,
I read through the entire post and see that you guys got it figured out by adding the mu-plugins folder in the Request_uri string / path. I have added your WPMU general plugin solution to the BPS Plugin Compatibility and testing page as a general fix technique to try for all WPMU plugins. Well done!!! Thanks.
I have an issue with the reset password link in WordPress. I can enter my username, get the email from WordPress, click the link, and the page loads to change the password, but when I enter my new password and hit reset, it brings me to a 404 page. I tried to delete my .htaccess file and it worked! There is something with the BulletProof Security .htaccess files that is wrong. Can someone help me please!
*** UPDATE ***
Actually i just received confirmation that these two new standard fixes are working successfully to deal with issues with all login plugins. These are the common hooks that are used in most login plugins. Add these 2 fixes to Your Current Root htaccess file using the BPS built-in File Editor. You can copy and paste them directly into your root htaccess file from here. In your case you may or may not need to add the default.htaccess file fix in addition. Try these first and then if you are still experiencing a problem try the default.htaccess fix IN ADDITION to adding these new skip rules below.
*** END UPDATE ***
You left out a lot of important information. 😉 I registered to your site. I then tried to reset the password and was directed to SimplePress Forum not WordPress. I will put this in testing, but since you have a /forum subfolder my guess is that the BulletProof root .htaccess file rules are being applied to the /forum folder for SimplePress Forum. Try this until I can get to testing this plugin and scenario – download the BulletProof Security default.htaccess master file, edit the RewriteBase and RewriteRule as shown below, upload it to your /forum folder and then rename it to just .htaccess (removing default from in front of .htaccess). Let me know what happens. Thanks.
Also you may need to comment out this line of the htaccess code above: RewriteRule ^index\.php$ - [L]
like this: # RewriteRule ^index\.php$ - [L]
There is also another possible cause that is very similar to another issue that i am working on.
This particular section of the string needs to be allowed to bypass the BPS filters. action=rp&key=
Add this fix below to your root htaccess file.
I’m just discovering your plugin and I’m not yet using it. In fact before installing it to my blog I was wondering if there’s any known conflict with the Secure WordPress plugin. Could this plugin cause any double features problem with yours?
Thanks a lot for your work and for sharing it with us!
I am not 100% sure and I will eventually test this plugin at some point. It appears that it could add a few extra protective things to your website. It might make a nice supplement to BPS website security. Check the “See what others are saying” area for this plugin. There seem to be some negative statements about this plugin causing a Server load problem.
Also a new client of mine sent me this information on them. Several of his websites were being hacked on a daily basis. He was using the Secure WordPress plugin and the website defender plugin. I believe they are both made by the same person.
“Hi,
Have you ever heard of these guys?
Secure WordPress
Their program did not help me at all….
http://www.websitedefender.com/secure-wordpress-plugin/
They did not understand this virus”
I don’t believe in saying negative things about other people’s work, but the bottom line was that the client’s websites were hacked when using these plugins. He is now using BulletProof Security on all his websites and they have never been hacked again.
Thanks.
Two plugins don’t work with BPS enabled.
These are: WP-eXtplorer and Adminer
They throw 403 errors.
Ok thanks for the heads up. I will put both of these plugins in testing. Thank you.
*** UPDATE ***
Very nice plugin Frank. 😉
Adminer has been tested. A simple .htaccess skip rule is all that is required to resolve this conflict between Adminer and BPS.
wp-eXtplorer has been tested. I could not get this plugin to work with BPS Security enabled or disabled. I was able to manually access the eXtplorer admin login window by creating an .htaccess skip rule. I have no idea how you have this plugin setup or if you have it working, but try the .htaccess skip rule fix I have added above and let me know if that works for you. The eXtplorer manual login test was performed successfully by going directly to /wp-content/plugins/wp-extplorer/helpers/index.php. Thanks.
*** FOR ANYONE WHO SEES THIS COMMENT DO NOT DO THIS ***
**************** Comment edited by Ed *****************
Thanks for the solutions. I also tried this:
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||"|;|\?|\*).* [NC,OR]
and it works.
Hmm, that actually should not work, and it is removing the most important part of that filter: the less than and greater than characters used in malicious script attacks. Most likely when you posted this code here the greater than and less than characters were stripped out of the comment. There are some limitations on what can be posted in comments.
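To show why the stripped pattern "should not work", here is an added Python check that is not part of the original page or of BPS: it runs both patterns against a few constructed query strings. The full pattern is an assumption reconstructed from the author's reply that the original filter includes the < and > characters.

```python
import re

# Query-string filter as the author describes it: the original BPS rule
# includes the < and > characters. ASSUMPTION: the exact BPS pattern is not
# shown on the page; this is reconstructed from the comment exchange.
FULL_FILTER = r'^.*(\[|\]|\(|\)|<|>|"|;|\?|\*).*'

# The pattern exactly as it was posted in the comment, with < and > stripped
# out. Note the empty alternative "||" that the stripping leaves behind.
STRIPPED_FILTER = r'^.*(\[|\]|\(|\)||"|;|\?|\*).*'


def query_string_blocked(pattern: str, query_string: str) -> bool:
    """Emulate RewriteCond %{QUERY_STRING} <pattern> [NC].

    Apache's [NC] flag makes the match case-insensitive; a match means the
    request would be caught by the filter.
    """
    return re.search(pattern, query_string, re.IGNORECASE) is not None


def compare_filters(query_string: str) -> dict:
    """Return whether each pattern would catch the given query string."""
    return {
        "full": query_string_blocked(FULL_FILTER, query_string),
        "stripped": query_string_blocked(STRIPPED_FILTER, query_string),
    }


# Constructed sample query strings (not from the page).
SAMPLES = [
    "p=123",            # ordinary WordPress post lookup
    "s=hello+world",    # ordinary search
    "",                 # request with no query string at all
    "s=<b>hello</b>",   # angle brackets, the case the filter exists for
]


def main() -> None:
    for qs in SAMPLES:
        result = compare_filters(qs)
        print(f"{qs!r:20} full={result['full']!s:5} stripped={result['stripped']}")


if __name__ == "__main__":
    main()
```

The stripped pattern catches every query string, even an empty one, because removing < and > leaves an empty alternative that always matches, so it would interfere with ordinary requests rather than filter anything; the full pattern only catches strings containing one of the listed characters.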
[…] Checking Plugin Compatibility with BPS – Plugin Testing – To Do List […]