
What's New In BulletProof Security Pro 11.5

Author: AITpro Admin
Published: December 3, 2015
Updated: December 3, 2015


New Feature: Folder Lock

Folder Lock uses an automated Cron check that monitors your Hosting Account Root folder for any new folders that are created. If a new folder is found in your Hosting Account Root folder that is not already listed in the Folder Lock Table, it is automatically locked with 400 folder permissions. The Folder Lock Tools allow you to unlock folders that have been automatically locked.

BPS Pro upgrades and the Setup Wizard automatically set up Folder Lock, but Folder Lock is turned Off by default since it is an optional security feature. Folder Lock should only be turned On for 1 of your websites under a Hosting Account. For your other websites under the same Hosting Account, click the Folder Lock Dismiss Notice and do not turn Folder Lock On for any of them.

Folder Lock has email alert and Dashboard alert option settings in S-Monitor. For more information about Folder Lock and Folder Lock Tools go to the BPS Pro F-Lock page > Folder Lock tab page > click the Folder Lock Help Info Read Me button.
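The check described above reduces to a baseline comparison followed by a chmod. The Python sketch below is an added illustration, not BPS Pro's code: the dictionary standing in for the Folder Lock Table, the folder names, listing a folder in the table once it is locked, and an unlock that restores the pre-lock mode are all assumptions.

```python
import os
import stat
import tempfile
LOCKED_MODE = 0o400  # the "400 folder permissions" from the text

def folders_in(root):
    """Names of directories directly under root; symlinks are not followed."""
    with os.scandir(root) as entries:
        return {e.name for e in entries if e.is_dir(follow_symlinks=False)}

def mode_of(root, name):
    return stat.S_IMODE(os.lstat(os.path.join(root, name)).st_mode)

def folder_lock_check(root, table):
    """One scheduled run: lock each folder missing from the table, return their names.
    table maps folder name -> mode to restore on unlock (None = never locked)."""
    locked = []
    for name in sorted(folders_in(root) - set(table)):
        table[name] = mode_of(root, name)  # remember the pre-lock mode
        # no write or search bit: a non-root owner cannot create or open files inside
        os.chmod(os.path.join(root, name), LOCKED_MODE)
        locked.append(name)
    return locked

def unlock(root, table, name):
    """Assumed unlock tool: restore the mode recorded when the folder was locked."""
    if table.get(name) is None:
        raise KeyError(f"{name} was not locked by the check")
    os.chmod(os.path.join(root, name), table[name])
    table[name] = None  # still listed, so later runs leave it alone

def demo():  # constructed account root: two known folders, then one new folder
    with tempfile.TemporaryDirectory() as root:
        def make(name):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), 0o755)  # independent of umask
        make("public_html")
        make("logs")
        table = dict.fromkeys(folders_in(root))  # baseline: known, never locked
        first = folder_lock_check(root, table)    # nothing new yet
        make("new_folder")
        second = folder_lock_check(root, table)   # locks new_folder
        locked_mode = mode_of(root, "new_folder")
        third = folder_lock_check(root, table)    # already listed
        unlock(root, table, "new_folder")
        return first, second, locked_mode, third, mode_of(root, "new_folder")

if __name__ == "__main__":
    print(demo())
```

Because the comparison is against one table for the whole Hosting Account Root, running the same check from a second website under the same account would only duplicate the work, which fits the advice to turn Folder Lock On for 1 website only.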

New Feature: 405 Method Not Allowed Security Logging Template

A new 405.php Security Logging template has been created to specifically handle and log HEAD Request errors as HTTP 405 Method Not Allowed Security Log entries. Previously HEAD Request errors were logged as 403 Security Log entries. Note: If HEAD Requests are currently being allowed with customized htaccess code on a website then HEAD Requests will still continue to be allowed and will not be blocked or logged by BPS.

New Root htaccess Code: ERROR LOGGING AND TRACKING & REQUEST METHODS FILTERED

The directive ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php is created automatically in the root htaccess file during BPS upgrades. This new ErrorDocument 405 directive logs HEAD Requests as HTTP 405 Method Not Allowed Security Log entries. The root htaccess file Request Methods Filtered code has been changed so that HEAD Request checking has its own individual condition and RewriteRule, which handles HEAD Requests specifically and redirects them as 405 Method Not Allowed Requests. The ErrorDocument 405 directive then redirects those 405 HEAD Requests to the Security Logging template. Note: If HEAD Requests are currently being allowed with customized htaccess code on a website then HEAD Requests will still continue to be allowed and will not be blocked or logged by BPS.
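One way to confirm after the upgrade how HEAD Requests are actually being answered, as an added example that is not BPS code: it tallies HEAD Requests by status in an Apache access log, assuming the combined log format. The log lines are constructed, and any HEAD Request not answered with 405 is listed for review (for instance one still allowed by customized htaccess code).

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "METHOD path PROTO" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges, invented user agents).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Dec/2015:10:00:01 +0000] "HEAD / HTTP/1.1" 405 - "-" "probe/1.0"
192.0.2.10 - - [03/Dec/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Dec/2015:10:01:10 +0000] "HEAD /wp-login.php HTTP/1.1" 403 - "-" "probe/1.0"
198.51.100.7 - - [03/Dec/2015:10:01:15 +0000] "HEAD /feed/ HTTP/1.0" 200 - "-" "monitor/2.1"
203.0.113.5 - - [03/Dec/2015:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
"""


def head_status_report(log_text):
    """Return ({status: count} for HEAD Requests, [(host, path, status)] where status != 405)."""
    counts = Counter()
    not_405 = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != "HEAD":
            continue  # unparseable line or a different request method
        host, _method, path, status = m.groups()
        counts[status] += 1
        if status != "405":
            not_405.append((host, path, status))
    return dict(counts), not_405


if __name__ == "__main__":
    counts, not_405 = head_status_report(SAMPLE_LOG)
    print("HEAD Requests by status:", counts)
    for host, path, status in not_405:
        print(f"review: {host} HEAD {path} -> {status}")
```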

New Plugin Firewall Default Whitelist Rule:

A 405.php Security Logging template whitelist rule is automatically created for the Plugin Firewall file during BPS upgrades: RewriteRule ^bulletproof-security/405.php - [L]. This Plugin Firewall whitelist rule allows/whitelists 405 Security Logging.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:

Visual CSS Change: New CSS code changes for visual compatibility with WP 4.4.
Sanitization|Validation Audit: Sanitization and Validation coding work performed throughout all BPS.
Change: Setup Wizard DBM default S-Monitor email alert option changed to Do not send email alerts.
Visual Change: Login Security, Quarantine and S-Monitor display loop messages on single lines with single Refresh button.
Correction|Enhancement: XML-RPC Exploit Checker Pro-Tool new individual conditional checks for HTTP Status Codes: 401, 403, 404, 405 or 500.
Enhancement: Automatically unlock, delete invalid standard WP Rewrite code and relock root htaccess file.
Correction: Prevents duplicate or new POST Request Attack Protection code from being created during BPS upgrades if someone has commented out the wp-admin Request URI whitelist rule.
Correction: htmlspecialchars added to Custom Code error checks for invalid BPS Query String Exploits code and invalid standard WP Rewrite code.
Correction|BugFix: ob_end_flush(); added to 403.php logging template.
Correction|BugFix: ob_start(); and ob_end_flush(); added to the 400.php and 410.php logging templates.
Enhancement: $_SERVER['SERVER_PROTOCOL'] condition added to header functions in Security Logging templates.
Improvement: The Setup Wizard no longer has a 15 minute Apache Module ifModule check time restriction so that new BPS Core folder self-protection htaccess files are created if needed in real-time.
Change: Security Logging check for On|Off. Only checks if 403 Logging is On or Off and no longer checks if other ErrorDocument directives are On|Off.
Change: Plugin Firewall AutoPilot Mode check for Security Logging On|Off. Checks if 403 Logging is On or Off and no longer checks if other ErrorDocument directives are On|Off.
Correction: UAEG Read Me help text updated to include help info about UAEG Custom Code feature.
Enhancement: Security Log Alert message additional help info and link to S-Monitor created.
BugFix: Suppress various insignificant php errors when WP_DEBUG is enabled.
BugFix: Plugin Firewall Whitelist by Hostname (domain name) and IP Address automation and manual tools preg_match conditional check error correction. Features affected/corrected: PFW manual tools, PFW AutoPilot Mode and Setup Wizard.
Correction: Pre-Installation Wizard help text regarding handling of blue and red font error messages.
Enhancement: Pre-Installation Wizard cURL scan automatically filters out invalid whitelist rules. Plugin Firewall AutoPilot Mode will automatically add any additional whitelist rules that could not be stripped/cleaned up and validated in the Wizard.
Procedural: Dismiss Notice created for Folder Lock optional security feature.
Procedural: Automated Folder Lock setup on BPS Pro upgrade and Setup Wizard run.
Obsolete|Removal: Publicly displayed Usernames/User Accounts Dismiss Notice removed.
Dev Note: The Core upgrade autoupdate function does literal DB option checks and saves the default pre-set value or resaves the existing value. This resolves an issue with BPS Pro upgrades from very old versions to the newest version without having to re-run the Wizards.
Dev Note: Security Log Read Me help text update. 410 Gone and 405 Method Not Allowed help text created.
Dev Note: API Server automated email text update to include newer non-email based systems information.
Dev Note: Forum Topics pending update:
• http://forum.ait-pro.com/forums/topic/security-log-event-codes/
• http://forum.ait-pro.com/forums/topic/pre-installation-wizard-and-setup-wizard-read-me-first/
• http://forum.ait-pro.com/forums/topic/siteground-supercacher-cannot-modify-header-information-php-error/#post-26354
• http://forum.ait-pro.com/forums/topic/incapsula-cdn-401-error-authorization-required/
• http://forum.ait-pro.com/forums/topic/root-and-wp-admin-htaccess-file-significant-changes/
