BulletProof Security
[resolved] Beta Testers Wanted - new htaccess code to protect plugins (9 posts)

  1. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    This is the latest and greatest .htaccess code that will be included in BPS .47.6. It has been tested and is working perfectly. If you would like to Beta Test this new code and post your results, that would be very much appreciated. Please add additional plugins that you use to the REQUEST_URI filter to fully test protecting multiple plugins/plugins folder simultaneously. Thank you.

    # BLOCK ALL REQUESTS/ACCESS TO BPS PLUGIN FILES AND OTHER PLUGIN FILES
    # Whitelist AITpro.com - this is only for BPS Pro folks
    # to continue to allow them to connect to the AITpro API Server.
    # You can add additional plugins that you would like to protect by
    # adding the plugin folder name as shown below.
    # NOTE: Some plugins utilize an index.php file in their plugin folder
    # that will negate the REQUEST_URI filter below.
    # Only GET, POST and PUT requests are filtered; other methods pass through.
    RewriteCond %{THE_REQUEST} ^(GET|POST|PUT)
    # Referer whitelist - the dot is escaped so "." cannot match any character.
    # BPS Pro folks: use (example\.com|ait-pro\.com) to also allow the AITpro API Server.
    RewriteCond %{HTTP_REFERER} !example\.com [NC]
    # REQUEST_URI begins with "/", so the plugin path is anchored at /wp-content/plugins/
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/(bulletproof-security|example-plugin-name1|example-plugin-name2)/ [NC]
    RewriteRule ^(.*)$ - [F,L]

    Test Parameters:
    1. Upload a text file named test.txt to an additional plugin's folder that you have added to the REQUEST_URI filter.
    2. Try to access that test.txt file from a Browser.
    Example: example.com/wp-content/plugins/some-example-plugin-name/test.txt
    3. The test result should be a 403 error/Forbidden.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Revision:

    Also an important detail was left out:
    This new code goes below the FORBID EMPTY REFFERER SPAMBOTS code in your Root .htaccess file.

    Please replace "Your-Website-Domain-Name-Here.com" in the HTTP_REFERER filter with your actual Domain name.
    Please replace the IP Addresses listed in REMOTE_HOST with your actual website IP address. You will find this listed on the BPS System Info page - Server / Website IP Address:

    # BLOCK ALL REQUESTS/ACCESS TO BPS PLUGIN FILES AND OTHER PLUGIN FILES
    # Whitelist AITpro.com - this is only for BPS Pro folks
    # to continue to allow them to connect to the AITpro API Server.
    # You can add additional plugins that you would like to protect by
    # adding the plugin folder name as shown below.
    # NOTE: Some plugins utilize an index.php file in their plugin folder
    # that will negate the REQUEST_URI filter below.
    # Only GET, POST and PUT requests are filtered; other methods pass through.
    RewriteCond %{THE_REQUEST} ^(GET|POST|PUT)
    # Referer whitelist - dots are escaped so "." cannot match any character.
    RewriteCond %{HTTP_REFERER} !(Your-Website-Domain-Name-Here\.com|ait-pro\.com) [NC]
    # IP whitelist - REMOTE_HOST holds the client IP when HostnameLookups is Off;
    # the trailing $ stops 173.201.92.1 from also matching 173.201.92.100.
    RewriteCond %{REMOTE_HOST} !^(173\.201\.92\.1|88\.77\.66\.55)$
    # REQUEST_URI begins with "/", so the plugin path is anchored at /wp-content/plugins/
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/(bulletproof-security|example-plugin-name1|example-plugin-name2)/ [NC]
    RewriteRule ^(.*)$ - [F,L]
  3. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Test Parameters Clarification:

    1. Upload a text file named test.txt to an additional plugin's folder that you have added to the REQUEST_URI filter.
    2. Try to access that test.txt file by entering in the path to the test.txt file in the URL Address window from the Google Home page.
    Example: example.com/wp-content/plugins/some-example-plugin-name/test.txt
    3. The test result should be a 403 error/Forbidden.

    The new code is specifically designed to block remote access to plugin files or remote script execution on plugin files.

    Revision:

    # BLOCK ALL REQUESTS/ACCESS TO BPS PLUGIN FILES AND OTHER PLUGIN FILES
    # You can Whitelist other domains by adding them to the HTTP_REFERER filter.
    # You can Whitelist IP Addresses by adding them to the REMOTE_HOST filter.
    # You can add additional plugins that you would like to protect by
    # adding the plugin folder name as shown below.
    # NOTE: Some plugins utilize an index.php file in their plugin folder
    # that will negate the REQUEST_URI filter below.
    # Only GET, POST and PUT requests are filtered; other methods pass through.
    RewriteCond %{THE_REQUEST} ^(GET|POST|PUT)
    # Referer whitelist - the dot is escaped so "." cannot match any character.
    RewriteCond %{HTTP_REFERER} !(Your-Website-Domain-Name-Here\.com) [NC]
    # IP whitelist - REMOTE_HOST holds the client IP when HostnameLookups is Off;
    # the trailing $ stops the address from matching longer addresses with the same prefix.
    RewriteCond %{REMOTE_HOST} !^(88\.77\.66\.55)$
    # REQUEST_URI begins with "/", so the plugin path is anchored at /wp-content/plugins/
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/(bulletproof-security|example-plugin-name1|example-plugin-name2)/ [NC]
    RewriteRule ^(.*)$ - [F,L]
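The rule set above can be checked before it goes into a live .htaccess. Added here as an example (not the thread's or BPS's code), the Python below emulates mod_rewrite's RewriteCond chaining and runs the final revision, anchored at the real `/wp-content/plugins/` path, over constructed requests; the domain and IP are the thread's placeholders, and the emulator is an approximation, so confirm results on the real server with the test.txt procedure.

```python
import re

# Constructed emulator (not the thread's code) of mod_rewrite RewriteCond
# chaining: conditions AND together, [OR] joins a condition with the next,
# [NC] makes the regex case-insensitive, and a leading "!" negates the match.
def chain_matches(conds, req):
    """Return True if the RewriteRule guarded by `conds` would fire."""
    i = 0
    while i < len(conds):
        var, pattern, flags = conds[i]
        flagset = set(flags.split(",")) if flags else set()
        ok = re.search(pattern.lstrip("!"), req.get(var, ""),
                       re.I if "NC" in flagset else 0) is not None
        if pattern.startswith("!"):
            ok = not ok
        if "OR" in flagset:
            if ok:  # OR group satisfied: skip the rest of the group
                while i < len(conds) and "OR" in conds[i][2].split(","):
                    i += 1
            i += 1
            continue
        if not ok:
            return False
        i += 1
    return True

# The thread's final revision, matched against the real REQUEST_URI, which
# begins with "/" (a bare "^plugins/" pattern therefore never matches).
# Domain and IP are the thread's placeholders, not real values.
PROTECTED = "bulletproof-security|example-plugin-name1|example-plugin-name2"
RULES = [
    ("THE_REQUEST", r"^(GET|POST|PUT)", ""),
    ("HTTP_REFERER", r"!Your-Website-Domain-Name-Here\.com", "NC"),
    ("REMOTE_ADDR", r"!^88\.77\.66\.55$", ""),
    ("REQUEST_URI", r"^/wp-content/plugins/(" + PROTECTED + ")/", "NC"),
]
UNANCHORED = RULES[:3] + [("REQUEST_URI", r"^plugins/(" + PROTECTED + ")/", "NC")]

def decide(method, uri, referer="", ip="203.0.113.9", rules=RULES):
    """HTTP status the rule set would yield for one constructed request."""
    req = {"THE_REQUEST": f"{method} {uri} HTTP/1.1", "REQUEST_URI": uri,
           "HTTP_REFERER": referer, "REMOTE_ADDR": ip}
    return 403 if chain_matches(rules, req) else 200

if __name__ == "__main__":
    probe = "/wp-content/plugins/example-plugin-name1/test.txt"
    print(decide("GET", probe, referer="https://www.google.com/"))  # 403
    print(decide("GET", probe, ip="88.77.66.55"))  # 200: whitelisted IP
    print(decide("HEAD", probe, referer="https://www.google.com/"))  # 200: HEAD not filtered
```

The referer is supplied by the client, so the HTTP_REFERER whitelist is a convenience for legitimate same-site navigation rather than a security boundary; the IP whitelist and the 403 on direct plugin-file requests are the conditions to rely on.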
  4. Joe Hoyle
    Human Made
    Posted 1 year ago #

    Hi, continuing the discussion from http://wordpress.org/support/topic/heads-up-need-confirmation-on-this-whitelist-skipbypass-code?replies=15

    Are you saying the user will have to enter our IP address in their .htaccess file to allow wpremote to communicate with their site?

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    No, actually I do not think that will be necessary, but I do not fully know all the capabilities, functionality and communication methods that wpremote uses/offers, so I have already scheduled testing specifically for wpremote and another remote based plugin to see if there are any issues/problems with using this new code. Once that testing is completed, I will post the results back here.

    The idea is, before I publicly release this new code, I want to accomplish 2 main things during this Beta testing process.

    1. Head off the number of headaches I have to deal with later on.
    2. Offer the maximum amount of pre-configured website security without interfering with other plugins' functionality.

    So if it turns out that the best thing to do is just provide this base code and not automatically pre-configure/populate plugin folder names into the REQUEST_URI filter, then it will be up to each user to manually add those additional plugin folder names.

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    And of course if this new code does cause a problem for wpremote I can of course pre-configure/automatically add an IP address for wpremote to Whitelist it, or add whatever else is needed to allow wpremote to function normally without being blocked by this new code.

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I initially thought that this new code might interfere with the AITpro API Server or even WordPress API communications in general, but it does not. Also I have been using this new code and protecting Akismet, and this new code does not interfere with the Akismet API Servers. ;)

    And on a personal note: with any new code you can logically see the planned results of that code, but it is always the things/scenarios/situations that you have not thought of yet that can bite you in the "bleep". ;)

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Status Report:
    New .htaccess code used on 10 different websites protecting all plugin folders with 0% problems or conflicts. 100% effective against hacker plugin folder recons, plugin folder probes and plugin folder script attacks. Result: blocked/Forbidden/403.

    1,000 Hacker Recon plugin folder probes blocked/Forbidden
    200 Remote script execution plugin folder attacks blocked/Forbidden
    300 RFI plugin folder hacking attempts blocked/Forbidden
    0 plugin conflicts or problems

    wpremote plugin testing - pending
    Outbrain plugin testing - pending

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Nope this code is a NO GO and has been scrapped. Do not bother Beta testing this code. This was an overblown approach and a much simpler approach was found and that code is much more effective. That code is now in testing and has passed all tests whereas this code was just a bloated pig to begin with. LOL Nuke this code it is junk.
