BulletProof Security
[resolved] BPS prevents BackUpWordPress from accessing WP-Cron (20 posts)

  1. nevermoor
    Member
    Posted 1 year ago #

    Hello,

    I tried to activate BPS on a fresh blog install. With no .htaccess file in the root, BackUpWordPress works normally. With BPS activated, it reports an error with WP-Cron (specifically, a 302 response instead of a 200 response).

    I would love to use both plugins, but my .htaccess-fu is weak. Can you help?

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    On the BackUpWordPress FAQ page >>> http://wordpress.org/extend/plugins/backupwordpress/faq/ I see some troubleshooting options for wp-cron issues/problems. Have you tried these yet?

    Is the cron using wget or curl? BPS is blocking these in the root .htaccess file.

    You can either allow wget by removing it from the BPS security filters (not recommended) or an alternative Cron command line command that is safer to use is lynx -source instead of wget -O. You would simply replace the wget command line with lynx -source.

    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
  3. nevermoor
    Member
    Posted 1 year ago #

    It is not a BackUpWordPress issue, since it works properly when BPS is deactivated. I did, however, try those steps.

    Tests:
    Scheduled Posts work with BPS enabled.
    Not using Heart Internet
    Manual Backup works with BPS enabled
    ALTERNATE_WP_CRON does not solve the problem
    Site is not private

    I didn't understand the other part. WP-Cron, as I understand it, is not actually using command line to the server, it's some WordPress created pseudo-cron.

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    You have provided some very good details of the issue/problem that is occurring, but in order to test this plugin accurately and be looking at the exact problem area please post the specific details of how the cron is being performed.

    Even though you are saying that the cron is a pseudo-cron method using the wp_schedule_event function, I was wondering if the BackUpWordPress plugin also offers a plugin setting option where you can change this/or use a command line command for the cron instead?

    What options did you choose to schedule cron job backups?

    I will test the plugin today with the same settings you are using once I know what those settings are.

    Thanks

  5. nevermoor
    Member
    Posted 1 year ago #

    Thanks, and thanks for being so quick to respond.

    The plugin does not offer any options about how it schedules jobs, only when to schedule time. Other than the FAQ's suggestion to define ALTERNATE_WP_CRON, everything is set in the code so you should see the error just by installing the plugin.

    Thanks again.

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok perfect, that is exactly what I needed to know. I can actually do the test right now. I will post back here shortly.

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok the solution is nice and simple. The issue is that BackUpWordPress is making a HEAD Request.

    $response = wp_remote_head( site_url( 'wp-cron.php' ) );

    so you just need to remove HEAD from this Request Method filter in your Root .htaccess file as shown below.

    # REQUEST METHODS FILTERED
    # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
    # HEAD request from bots that you want to allow in certain cases. This is not a security filter and is just
    # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
    # all bots to make a HEAD request then remove HEAD from the Request Method filter.
    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]
  8. nevermoor
    Member
    Posted 1 year ago #

    Great. It definitely made the error message go away. I've set a job scheduled hourly, and will report back once I know whether it worked.

    Thanks again for being so responsive, and for a great plugin.

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    And I have to say that this is definitely the simplest (easiest to use) backup plugin to use that I have ever seen. Very, very impressive!!!! Note to self - install this plugin on all my sites. ;)

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    @nevermoor - So I am assuming all is well? Please resolve this thread if the problem is resolved. Thanks.

  11. rpayne7264
    Member
    Posted 1 year ago #

    OK... so you're saying to replace this:

    wget -q -O /dev/null http://yourwebsite.com/wp-cron.php?doing_wp_cron

    with this:

    lynx -source http://yourwebsite.com/wp-cron.php?doing_wp_cron

    No?

  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    If this is in regards to using a wget cron then yes lynx in general is safer to use than wget so that would be the better cron command line to use.

    If you want to handle this from the BPS side and allow wget instead then you would just need to edit these 2 security filters in your root .htaccess file to allow wget. Remove wget from these 2 security filters shown below.

    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
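
The request-method filter from post 7 and the two user-agent filters from post 12, modelled in Python to show which legitimate cron requests they reject. This is an added example, not part of any post and not BPS code. Assumptions: the unedited method filter listed HEAD first, a matching condition leads to the request being refused, and the sample user-agent strings and the name `verdict` are constructed for illustration.

```python
import re

# Patterns copied from the two HTTP_USER_AGENT RewriteCond lines quoted in the
# thread; the [NC] flag is modelled with re.IGNORECASE.
UA_TOKENS = re.compile(
    r"(havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)",
    re.IGNORECASE,
)
UA_META_THEN_TOKEN = re.compile(
    r"""(;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*"""
    r"(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|"
    r"archiver|loader|email|harvest|extract|grab|miner)",
    re.IGNORECASE,
)
# Request-method filter as posted in the thread (HEAD already removed) ...
METHODS_EDITED = re.compile(r"^(TRACE|DELETE|TRACK|DEBUG)", re.IGNORECASE)
# ... and, as an assumption, the unedited form with HEAD still listed.
METHODS_WITH_HEAD = re.compile(r"^(HEAD|TRACE|DELETE|TRACK|DEBUG)", re.IGNORECASE)


def verdict(method, user_agent, head_filtered=True):
    """Return which filter would reject the request, or 'allowed'."""
    methods = METHODS_WITH_HEAD if head_filtered else METHODS_EDITED
    if methods.search(method):
        return "blocked: request method"
    # mod_rewrite patterns are unanchored, so use search() rather than match().
    if UA_TOKENS.search(user_agent) or UA_META_THEN_TOKEN.search(user_agent):
        return "blocked: user agent"
    return "allowed"


# Constructed sample requests (user-agent strings are illustrative).
SAMPLES = [
    ("HEAD", "WordPress/3.5; http://example.com"),  # wp_remote_head() self-check
    ("GET", "Wget/1.13.4 (linux-gnu)"),             # wget cron job
    ("GET", "curl/7.26.0"),                         # curl cron job
    ("GET", "Lynx/2.8.8dev.9 libwww-FM/2.14"),      # lynx cron job
]

if __name__ == "__main__":
    for method, ua in SAMPLES:
        before = verdict(method, ua, head_filtered=True)
        after = verdict(method, ua, head_filtered=False)
        print(f"{method:5} {ua:36} before={before:24} after={after}")
```

Removing HEAD changes the verdict only for the plugin's self-check; the wget and curl requests stay blocked until the user-agent filters are edited.
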
  13. poddys
    Member
    Posted 1 year ago #

    I am having similar problems on all my sites using Backup WordPress and BPS, and removing "HEAD" seems to be working.

    However, I have been creating the .htaccess in BPS and then manually editing it. Can I specify the code for removing "HEAD" in the Custom Code section? I still have problems with this sometimes, in particular creating the custom .htaccess for SuperCache.

  14. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Currently the HEAD security filter is part of the core/standard root .htaccess code, but what we will be doing in the next version release of BPS is creating 2 (or maybe more) new Custom Code sections that will allow you to change and save this in Custom Code.

    For WP Super Cache with mod_rewrite see this tutorial on adding WP Super Cache .htaccess code to BPS Custom Code (disregard references to AutoRestore and F-Lock).
    http://forum.ait-pro.com/forums/topic/where-is-the-log/#post-2715

    Also when you do BPS upgrades you do not need to use AutoMagic again since the upgrade is automated. You will briefly see the alerts on upgrade, but everything is already completed at that point so you can just refresh your Browser or just click anywhere in your Dashboard and the alerts will go away.

  15. Ash_20
    Member
    Posted 1 year ago #

    Hi, I am getting this issue. I have tried removing the following as mentioned:
    $response = wp_remote_head( site_url( 'wp-cron.php' ) );

    but I can't find this in my root htaccess file?

    Thanks.

  16. Ash_20
    Member
    Posted 1 year ago #

    Never mind, just seen your guide somewhere else to do it through the WP Dashboard, now it's working. I was trying through FileZilla FTP.

  17. rpayne7264
    Member
    Posted 1 year ago #

    The lynx -source thing did not work.
    I hacked the .htaccess file so I could use wget.

  18. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    lynx will not work for every scenario and will depend on how the code is processing things on the plugin side of things. Also there are variations of the lynx command line using /dev/null or -dump or -source, etc.

    http://linux.die.net/man/1/lynx

    -source
    works the same as dump but outputs HTML source instead of formatted text. For example
    lynx -source . >foo.html
    generates HTML source listing the files in the current directory. Each file is marked by an HREF relative to the parent directory. Add a trailing slash to make the HREF's relative to the current directory:
    lynx -source ./ >foo.html

    http://stackoverflow.com/questions/1210930/cron-job-on-ubuntu-for-php
    http://www.nbill.co.uk/documentation/setting-up-a-cronjob.html

    Examples (NOTE: a space has been added after http: to kill the links):

    lynx -dump http: //www.domain.com/cron/realqueue >/dev/null 2>&1
    */2 * * * * lynx > /dev/null \-dump [http: //www.example.com/index.php?m=742061208]

  19. klausmo
    Member
    Posted 1 year ago #

    Hi, I think I have a similar problem. The plug-in works fine usually, but a few days ago I had to put a .htaccess file with some code in my directory (public_html) because of other problems with my provider... Since then, when I click on the backup section of this plug-in, I get a white page, so that I cannot see the normal start page... Very strange... Should I try to add some code to my .htaccess file?
    Thanks

  20. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Post the .htaccess code that you added to your .htaccess file.

Topic Closed

This topic has been closed to new replies.
