WordPress.org

Ready to get started?Download WordPress

Forums

BulletProof Security
[resolved] Bulletproof Security block Google to access images (13 posts)

  1. hwk-fr
    Member
    Posted 1 year ago #

    Hello!

    First I want to say that Bulletproof really helped me when my websites got infected by malicious code, this plugin is really a must have to secure wordpress/timthumb ;)

    I've got some problem though, because this plugin block Google/Google Images to access and parses my images via timthumb. How can I configure BPS to let Google agent_user to access this files?

    Think you by advance,

    Regards,
    hwk

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Please check your BPS Security Log and ONLY post a log entry that pertains to/is relevant to this particular issue. Please do not post your entire Security Log. I can then tell you what you will need to do next to create a whitelist or skip/bypass rule to allow this.

  3. hwk-fr
    Member
    Posted 1 year ago #

    Hi, think you for your answer! Here are 2 Exemples : One for Googlebot-Image, and another one for Googlebot.

    (I've replaced: MYTHEME, MYDOMAIN, MYIMAGE)

    403 ERROR
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/themes/MYTHEME/functions/timthumb.php?src=http://www.MYDOMAIN.com/wp-content/uploads/2013/02/MYIMAGE.jpg&w=300&h=168&q=100
    QUERY_STRING:
    HTTP_USER_AGENT: Googlebot-Image/1.0
    403 ERROR
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/themes/MYTHEME/functions/timthumb.php?src=http://www.MYDOMAIN.com/wp-content/uploads/2013/04/MYIMAGE.jpg&w=300&h=168&q=100
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

    Regards,

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    A skip/bypass rule for your Theme should do the trick. I am surprised that the existing timthumb skip/bypass rule is not already working. Did you click the AutoMagic buttons before activating BulletProof Modes? If not, then do that and test. If you have clicked the AutoMagic buttons before activating BulletProof Modes then do this below...

    1. Copy this .htaccess code below to the Custom Code CUSTOM CODE PLUGIN FIXES: text box
    2. Save your new custom code by clicking the Save Root Custom Code button.
    3. Click the Create secure.htaccess File AutoMagic button on the Security Modes page.
    4. Activate BulletProof Mode for your Root folder on the Security Modes page.

    NOTE: If your WordPress installation is in a subfolder then add your WordPress subfolder name in the path.
    Example: /my-wordpress-installation-folder-name/wp-content/plugins/google-document-embedder/

    Try this first...

    # Theme Timthumb skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/themes/MYTHEME/(.*)timthumb\.php [NC]
    RewriteRule . - [S=13]

    ...if the skip/bypass rule above does not work then try this...

    # Theme Timthumb skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/themes/MYTHEME/functions/ [NC]
    RewriteRule . - [S=13]
  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Another approach would be to whitelist the Googlebot User Agent. You would add RewriteCond %{HTTP_USER_AGENT} ^.*Googlebot.* to this security filter in your root .htaccess file.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*example.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Googlebot.*
    RewriteRule . - [S=1]

    IMPORTANT NOTE: Keep in mind that User Agents, IP Addresses, Hostnames, etc. can all be faked by spammers or hackers.

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Please post a status update. If the issue/problem is resolved please resolve this thread. Thank you.

  7. hwk-fr
    Member
    Posted 1 year ago #

    Hello,

    Sorry for the delay, I chose the solution that allow access to google by USER_AGENT.

    [OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Googlebot.*

    I'm perfoming test and wait to see how google now interact with my images. I'll post you the results soon :)

    Regards,

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Please post a status update. If the issue/problem is resolved please resolve this thread. Thank you.

  9. hwk-fr
    Member
    Posted 1 year ago #

    Hello AITpro,

    Past days I've got few problems with google that couldn't parse my website. That was because WP Super cache didn't updated to core htaccess.

    I still got to wait 1 or 2 days to see if it can access to my images.

    i'm sorry for the delay,
    I'll keep the post updated ;)

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok I'll quit pestering you. Just want folks to know that we are here.

  11. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I will still receive email notifications when you get a chance to post again. Resolving so that I do not keep checking this thread. ;)

  12. hwk-fr
    Member
    Posted 1 year ago #

    Okay,

    After weeks of tests, I decided to use this code :

    # Theme Timthumb skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/themes/MYTHEME/(.*)timthumb\.php [NC]
    RewriteRule . - [S=13]

    The HTTP_USER_AGENT worked for Google, but there were still problems with the indexation of my images.

    Now it works nice :)

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Great thanks for confirming. Also just a reminder that BPS does not block the Googlebot/Google image retrieval. What is actually happening is that pretty much all plugins and themes use timthumb scripts in a way that simulate RFI hacking attempts against your website, which triggers a 403 error. The image retrieval is not affected in any way ie images are retrieved by google and all other search engines successfully without having to do anything, but a nuisance 403 error is generated because of the simulated RFI hacking attempt. This is very common unfortunately since most plugins and themes are using this sketchy/poor timthumb image retrieval method.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic