WordPress.org

BulletProof Security
[resolved] BPS and Wayback Machine (13 posts)

  1. Shora
    Member
    Posted 1 year ago #

    Hi

    Recently, I have detected that IPs from Internet Archive (such as 207.241.229.208 or 207.241.229.207) are blocked by BPS. Moreover, it seems that my website it is not correctly included by the Wayback machine (http://web.archive.org/) since I installed the BPS plugin and I think it´s important to be part of the Internet history :P

    Do yo have a problem with this too? What is the reason BPS block Internet Archive IPs?

    Thanks!

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    BPS does not block the wayback machine or archive.org. You can confirm this by checking ait-pro.com back to 2009 and site captures as recent as April of this year.

    If you have added additional htaccess code to your root .htaccess file that blocks IP addresses remove the IP address for web.archive.org.

    NOTE: archive.org is abused by Spammers to post spam posts on WordPress sites and then link back to those spam posts on archive.org so if you have another plugin installed that is blocking archive.org or has added these IP addresses because spammers abuse archive.org then that is where the problem is occurring.

  3. Shora
    Member
    Posted 1 year ago #

    Thanks for your response. I will try to find where the problem is in my htaccess, knowing that BPS is not responsible for that. However, I haven't found anything yet which could block IP addresses from web.archive.org.

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also check your BPS Security Log. If BPS is blocking something it will be logged. If you see an error log entry that has archive.org as the Referer then post that error log entry. Thanks.

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I thought of another possibility. Does your website use an apostrophe/single quote coding character in its name or title?

    Example: Pete's Garage

    What can happen is this: Since BPS has security filters that block URLs/Query Strings with the single quote coding character/apostrophe in the URL/Query String, then if an external URL pointing to your site contains that single quote coding character/apostrophe in the URL/Query String then a 403 error will occur since this is seen as a threat/attack against your website. There is a fix for this, but before I post that fix let me know if this is the case/scenario that is occurring. Thanks.

    Also check with your Host and in your Web Host Control Panel to see if this IP or domain name is being blocked.

  6. Shora
    Member
    Posted 1 year ago #

    Nope, my website doesn't use apostrophes or single quotes. What I see in my Error log is something like this:

    [error] [client 207.241.229.207] Request exceeded the limit of 10 internal redirects due to probable configuration error.

    I have read the following discussion about that problem before:

    http://forum.ait-pro.com/forums/topic/request-exceeded-the-limit-of-10-internal-redirects/

    I have checked whether the error would persist or not after eliminating this command:

    ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php

    When I erase this command the internal redirects disappear. So, it should be a problem with something else that is trying to handle 403 redirects, right? But you know what is the strangest thing of all this? This error mainly appears from IPs such as web.archive.org, Amazon or Opera Software Asa. Apart from that, all is fine. I have tried to access Loglevel Debug to get a backtrace but my Hosting doesn't allow me to activate it. So I am a little lost here.

    Ah, and the problem isn't solved by using this:

    # .htaccess Fix for 403 Error Infinite Loops
    RewriteEngine On
    RewriteCond %{ENV:REDIRECT_STATUS} 403
    RewriteRule .* - [L]

    Thank you for your attention. I have been thinking about buying the BPS pro version and I have finally decided to do it :)
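Added example (not part of the original thread and not BPS code): a small Python sketch that tallies the "Request exceeded the limit of 10 internal redirects" entries quoted above by client IP and collects any Referer recorded with them, which is one way to check whether the loop really comes mainly from a few crawler addresses. The sample log lines are constructed; the function name and the IPv4-only client pattern are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines (not from the poster's server). Two client IPs are the
# ones quoted in the thread; the others are documentation-range addresses.
SAMPLE_LOG = """\
[Tue May 07 10:01:12 2013] [error] [client 207.241.229.207] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Tue May 07 10:01:15 2013] [error] [client 207.241.229.207] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Tue May 07 10:02:40 2013] [error] [client 207.241.229.208] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Tue May 07 10:03:02.123456 2013] [core:error] [pid 1234] [client 192.0.2.10:51544] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://example.org/links.html
[Tue May 07 10:04:00 2013] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
"""

# Apache 2.2 logs "[client IP]"; Apache 2.4 logs "[client IP:port]". IPv4 only here.
CLIENT_RE = re.compile(r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")
# Apache appends ", referer: URL" when the request carried a Referer header.
REFERER_RE = re.compile(r", referer: (?P<ref>\S+)\s*$")


def redirect_loop_clients(log_text):
    """Return (hits per client IP, referers per client IP) for redirect-loop errors."""
    hits = Counter()
    referers = {}
    for line in log_text.splitlines():
        # Match on the message text only, so both log formats are covered.
        if "Request exceeded the limit of" not in line or "internal redirects" not in line:
            continue
        client = CLIENT_RE.search(line)
        if client is None:
            continue  # server-level entry with no client field
        ip = client.group("ip")
        hits[ip] += 1
        ref = REFERER_RE.search(line)
        if ref:
            referers.setdefault(ip, set()).add(ref.group("ref"))
    return hits, referers


if __name__ == "__main__":
    hits, referers = redirect_loop_clients(SAMPLE_LOG)
    for ip, count in hits.most_common():
        print(f"{ip:<18} {count:>3}  referers: {sorted(referers.get(ip, []))}")
```
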

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    That code you posted would not work since the ErrorDocument directive is a redirect directive so the infinite loop would still continue to occur. I need to bold and highlight this sentence in that forum post. The idea was to let folks know that this would not work so do not bother trying it. ;)

    ...And doing something like this would NOT work because the ErrorDocument directive already has a Redirect Status 403...

    Yep, unless you have Dedicated Hosting then you would not be allowed to do LogLevel stuff.

    Ok so since the ErrorDocument is an .htaccess redirect directive then what this means is that the error is occurring repeatedly in an infinite redirect loop. The rest of that Forum post goes on to explain troubleshooting steps to try and isolate where the conflict is, but does not include that this could be a conflict with something your Host itself is doing or maybe a Host Control Panel option, tool or setting. Example: If errors are being handled by something else then you end up with BPS trying to handle this and something else at the same time so this creates an infinite redirect problem. I will update the BPS Forum post to include this info. You can turn Off BPS Security logging on the Security Log page if error logging is being handled/checked/logged elsewhere. Check with your Host and see if they are already handling error logging at the Server with something like mod_security, etc.

    Try commenting out the ErrorDocument htaccess code in your Root .htaccess file. What is probably happening is you have another plugin installed or maybe your Theme itself that is conflicting with the new BPS ErrorDocument .htaccess code. Comment out this code by adding a pound sign in front of it. This of course removes your capability to log / track errors on your website, but it will give you clues to figuring out what might be happening so that you can start eliminating plugins and your Theme from causing this problem by doing the standard WordPress troubleshooting steps – deactivate all plugins and activate them one by one until you find the problem plugin and switch your Theme, etc.

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Actually that is mentioned in the forum topic that the Host might be handling errors already, but I have added additional info to make this clearer.

  9. Shora
    Member
    Posted 1 year ago #

    I have been testing all the possibilities these days. Neither the theme nor the plugins are responsible for these internal redirects. I have changed the theme and deactivated the plugins and the internal redirects persisted.

    I have asked my web hosting if the server has mod_Security and they have confirmed to me that the server has both mod_Security and Suhosin. Could one of these protection systems be causing the internal redirects?

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, it is going to be a mod_security SecRule or SecFilter. Suhosin works on another level of security and would not be the cause of this.

  11. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Please post a status update. If the issue/problem is resolved please resolve this thread. Thank you.

  12. Shora
    Member
    Posted 1 year ago #

    Resolved. I have erased this command (ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php) in order to avoid internal redirects because mod_Security is interfering with it. I am on shared hosting so I can't do anything about the mod_Security.

    Thanks!

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    It is actually better to go to the BPS Security Log page and click the Turn Off Error Logging button, but you can also do this manually if you prefer that. Thanks.

Topic Closed

This topic has been closed to new replies.
