Support » Plugin: BulletProof Security » BPS prevents BackUpWordPress from accessing WP-Cron

Viewing 15 replies - 1 through 15 (of 19 total)
  • Plugin Author AITpro

    (@aitpro)

    On the BackUpWordPress FAQ page >>> http://wordpress.org/extend/plugins/backupwordpress/faq/ i see some troubleshooting options for wp-cron issues/problems. have you tried these yet?

    Is the cron using wget or curl? BPS is blocking these in the root .htaccess file.

    You can either allow wget by removing it from the BPS security filters (not recommended) or an alternative Cron command line command that is safer to use is lynx -source instead of wget -O. You would simply replace the wget command line with lynx -source.

    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    Thread Starter nevermoor

    (@nevermoor)

    It is not a BackUpWordPress issue, since it works properly when BPS is deactivated. I did, however, try those steps.

    Tests:
    Scheduled Posts work with BPS enabled.
    Not using Heart Internet
    Manual Backup works with BPS enabled
    ALTERNATE_WP_CRON does not solve the problem
    Site is not private

    I didn’t understand the other part. WP-Cron, as I understand it, is not actually using command line to the server, it’s some WordPress created pseudo-cron.

    Plugin Author AITpro

    (@aitpro)

    You have provided some very good details of the issue/problem that is occurring, but in order to test this plugin accurately and be looking at the exact problem area please post the specific details of how the cron is being performed.

    Even though you are saying that the cron is a pseudo-cron method using the wp_schedule_event function i was wondering if the BackUpWordPress plugin also offers a plugin setting option where you can change this/or use a command line command for the cron instead?

    What options did you choose to schedule cron job backups?

    I will test the plugin today with the same settings you are using once i know what those settings are.

    Thanks

    Thread Starter nevermoor

    (@nevermoor)

    Thanks, and thanks for being so quick to respond.

    The plugin does not offer any options about how it schedules jobs, only when to schedule time. Other than the FAQ’s suggestion to define ALTERNATE_WP_CRON, everything is set in the code so you should see the error just by installing the plugin.

    Thanks again.

    Plugin Author AITpro

    (@aitpro)

    Ok perfect that is exactly what i needed to know. I can actually do the test right now. I will post back here shortly.

    Plugin Author AITpro

    (@aitpro)

    Ok the solution is nice and simple. The issue is that BackUpWordPress is making a HEAD Request.

    $response = wp_remote_head( site_url( 'wp-cron.php' ) );

    so you just need to remove HEAD from this Request Method filter in your Root .htaccess file as shown below.

    # REQUEST METHODS FILTERED
    # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
    # HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just
    # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
    # all bots to make a HEAD request then remove HEAD from the Request Method filter.
    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]
    Thread Starter nevermoor

    (@nevermoor)

    Great. It definitely made the error message go away. I’ve set a job scheduled hourly, and will report back once I know whether it worked.

    Thanks again for being so responsive, and for a great plugin.

    Plugin Author AITpro

    (@aitpro)

    And i have to say that this is definitely the simplest (easiest to use) backup plugin to use that i have ever seen. Very, very impressive!!!! note to self – install this plugin on all my sites. 😉

    Plugin Author AITpro

    (@aitpro)

    @nevermoor – So i am assuming all is well? Please resolve this thread if the problem is resolved. Thanks.

    OK… so you’re saying to replace this:

    wget -q -O /dev/null http://yourwebsite.com/wp-cron.php?doing_wp_cron

    with this:

    lynx -source http://yourwebsite.com/wp-cron.php?doing_wp_cron

    No?

    Plugin Author AITpro

    (@aitpro)

    If this is in regards to using a wget cron then yes lynx in general is safer to use than wget so that would be the better cron command line to use.

    If you want to handle this from the BPS side and allow wget instead then you would just need to edit these 2 security filters in your root .htaccess file to allow wget. Remove wget from these 2 security filters shown below.

    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]

    I am having similar problems on all my sites using Backup WordPress and BPS, and removing “HEAD” seems to be working.

    However, I have been creating the .htaccess in BPS and then manually editing it. Can I specify the code for removing “HEAD” in the Custom Code section? I still have problems with this sometimes, in particular creating the custom .htaccess for SuperCache.

    Plugin Author AITpro

    (@aitpro)

    Currently the HEAD security filter is part of the core/standard root .htaccess code, but what we will be doing in the next version release of BPS is creating 2 (or maybe more) new Custom Code sections that will allow you to change and save this in Custom Code.

    For WP Super Cache with mod_rewrite see this tutorial on adding WP Super Cache .htaccess code to BPS Custom Code (disregard references to AutoRestore and F-Lock).
    http://forum.ait-pro.com/forums/topic/where-is-the-log/#post-2715

    Also when you do BPS upgrades you do not need to use AutoMagic again since the upgrade is automated. You will briefly see the alerts on upgrade, but everything is already completed at that point so you can just refresh your Browser or just click anywhere in your Dashboard and the alerts will go away.

    Hi, I am getting this issue. I have tried removing the following as mentioned:
    $response = wp_remote_head( site_url( ‘wp-cron.php’ ) );

    but I can’t find this in my root htaccess file?

    Thanks.

    Never mind, just seen your guid somewhere else to do it through the WP Dashboard now it’s working. I was trying through filezilla FTP.

Viewing 15 replies - 1 through 15 (of 19 total)
  • The topic ‘BPS prevents BackUpWordPress from accessing WP-Cron’ is closed to new replies.