
BulletProof Security
[resolved] ISAPI_Rewrite and Bulletproof (23 posts)

  1. doulos2k
    Member
    Posted 1 year ago #

    Hi there - I know one person has asked about this plugin and ISAPI_Rewrite on Windows and you'd replied that you're not sure due to it being server-side.

    I do control the physical server in my installations, so I'm curious if there's any way we can test this to see if we can get the .htaccess commands working using this plugin.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, I am still not completely sure if ISAPI_Rewrite will handle all of the directives/security code in the BPS htaccess files. Looking at the Reference link below I see that most of the general htaccess directives are supported, but what I do not know for sure is how "deep" that compatibility goes. Every directive that BPS uses in its htaccess files has a "green" indicator/status, which means fully supported/fully compatible. The only way to know for sure is to actually do a hands-on test and see what happens. ;) Please keep me posted on this as I am very curious to know if everything will just work or if tweaking is necessary or it does not work. Thanks.

    Reference: http://www.helicontech.com/isapi_rewrite/doc/compatibility.htm

    Going by the System requirements it looks Server based only, but I could be interpreting that incorrectly. But if you control the Server then this would not be a problem in your case. ;)

    System requirements
    ISAPI_Rewrite can be installed on the following operating systems:

    Windows 2000 with IIS 5
    Windows XP with IIS 5.1
    Windows Server 2003 with IIS 6.0
    Windows Vista with IIS 7.0
    Windows Server 2008 with IIS 7.0
    IIS should be installed on the operating system before installing ISAPI_Rewrite.
    Both 32 and 64 bit versions of Windows are supported, but you need to download distinct installation package for 32 and 64 bit versions.
    Windows Installer 2.0 is required to run installation program. You can download last version of Windows Installer from the Microsoft website.

    On Windows Vista and Windows Server 2008 installation of ISAPI_Rewrite also requires following modules, not installed by default:

    ISAPI Filters
    ISAPI Extensions

  3. doulos2k
    Member
    Posted 1 year ago #

    I must have missed something in the documentation because I can't even seem to get the plugin to do anything right now due to this (I'm assuming). It gives me the IIS alert and the htaccess alerts and asks me to check the "Security Status page" - but when I click that link nothing happens.

    Is there something else I need to do in order to ensure the plugin is activated so that I can attempt to force it to make the htaccess changes? (Working on a test site right now - so there's no danger.)

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    hmm yeah I forgot about that. I believe BPS has been intentionally disabled for use on IIS Servers since this caused some problem for Windows IIS folks in the past that were not aware that .htaccess files are not made for IIS. I will need to go through BPS and see what I can do about that. What you can test for now is if the .htaccess files themselves actually work. Download the secure.htaccess file and upload to your site root folder and rename it to .htaccess.

  5. doulos2k
    Member
    Posted 1 year ago #

    I'm sorry if this should be obvious - but I can't seem to locate where I would download the secure.htaccess file.

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Oops that was my fault. Sorry. The secure.htaccess file is located here: /wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess.

  7. Govorunov
    Member
    Posted 1 year ago #

    Hello!

    I represent ISAPI_Rewrite support service.
    May I suggest you take a look at another product of ours, Helicon Ape, which implements many more features than ISAPI_Rewrite. Please see the compatibility chart - http://www.helicontech.com/ape/doc/compatibility.htm

    Helicon Ape is recommended if you are using IIS 7 or higher. For IIS 6 and prior versions ISAPI_Rewrite is still the better solution. But for newer IIS versions Ape is the best choice as it supports nearly all built-in Apache modules and directives. There are better chances that the BPS module will work with Ape without modifications.

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Hello Govorunov,

    I am stating the obvious, but just wanted to get confirmation on this.

    I assume that I am understanding the specs/requirements correctly and that once either ISAPI_Rewrite or Ape is installed and configured on the Server then the htaccess directives/files will be processed on the individual websites hosted on that Server without any additional config necessary for the individual websites?

    Thanks

  9. Govorunov
    Member
    Posted 1 year ago #

    If you are installing full trial versions by default - yes. The free version of ISAPI_Rewrite does not support .htaccess. The free version of Ape does support .htaccess files for up to 3 web sites per server, but you need to choose these 3 web sites in the manager. Please note that ISAPI_Rewrite is an IIS ISAPI filter and Ape is a managed IIS module. Both can be disabled manually in IIS settings and enabled for individual web sites. With the Ape manager program you can disable or enable Ape for individual web sites if you need.

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Excellent! Thank you for the detailed info. Very much appreciated.

  11. doulos2k
    Member
    Posted 1 year ago #

    Okay - all error messages saying I don't have valid htaccess files have disappeared. So, at first blush, things seem to be recognized and operating. So, now, if we can enable the admin panels for BP then we'd be golden... I think.

  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Excellent! Okay what I need now is something to be able to check so that I can create a new coding check for this condition.

    Example Condition Check: If is IIS and is X (X being whatever I can check for ISAPI_Rewrite or Ape) then do Y.

    @Govorunov - I am not an IIS guru, but am fairly familiar with IIS, so is there an identifier of some kind that I can check for from the frontside of a site? I assume the check would have to be for either if a .dll is registered or an extension is loaded. Thanks

    Manual installation package includes the following files:

    ISAPI_Rewrite.dll - this is the ISAPI filter itself
    ISAPI_RewriteProxy.dll - this is ISAPI extension module required for proxy operations
    license.rtf - product EULA
    ISAPI_Rewrite.chm - documentation file
    httpd.conf - sample global configuration file

  13. doulos2k
    Member
    Posted 1 year ago #

    I suppose it would be too much to ask to just add a manual preference option:

    If you are running IIS and you are CERTAIN that your server supports .htaccess files (through ISAPI_Rewrite or Helicon APE), check this option to Activate all features.

  14. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Well if I can find the identifier that I can check against then you are talking about a 30 minute fix otherwise you are talking about an additional new feature = 1 to 2 months.

  15. doulos2k
    Member
    Posted 1 year ago #

    Aaah. Well, here's hoping for an identifier. :-D

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, it would be the quick and easy way to get this rolling. I will do some searching around the Internet. I assume this is something simple.

    FYI - for Forms (checkbox, textbox, button, etc.) typically there is going to be anywhere from 200 to 1,000 lines of Form processing code to process whatever the Form is doing.

  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Nope, not easy to find at all. I also searched the Helicontech Forum and came up empty. Hopefully Govorunov can provide that answer.

  18. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    hmm actually I just looked at the BPS code and someone removed that hard kill check for IIS. You should already be able to do things like use the AutoMagic buttons and activate BulletProof Modes.

    Go to code line 86 in the /bulletproof-security/admin/options.php file and comment out: echo bps_check_iis_supports_permalinks(); to get rid of the IIS error message.

    Please verify that AutoMagic and activating BulletProof Modes works. If something does not work then list what does not work and I will look at the BPS code to see why that would be.

  19. Govorunov
    Member
    Posted 1 year ago #

    Hello.

    You are right, that check would not be easy. With Ape you would check for the presence of the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Helicon\Ape
    But this indicates only that Ape is installed and says nothing about whether it is working for this particular web site or not. To tell more would require analysis of the IIS metabase, which may be of different versions, have various APIs for access (depending on IIS version) and different bitness. And worst of all, the IIS application pool user (the one who runs WordPress), depending on system settings, may simply not have permissions to read either the registry or the metabase.

    So according to our experience simple manual switch would be the best choice. Or simply remove the check. Presence of .htaccess file will not harm IIS if no .htaccess emulation modules are installed.

  20. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, Govorunov I came to the same/similar conclusion - "...simple manual switch would be the best choice. Or simply remove the check...".

    We will display a warning/alert message that is based on/checking for the presence of IIS itself, with help instructions in the alert on what to do in the event that something goes wrong. The worst case scenario will always be the website crashes because the .htaccess files cannot be processed/recognized/handled.

    Simple Quick Solution: FTP to the website and delete the .htaccess files to bring the website back up.

    Thank you for all of your help and assistance.

    Best Regards,
    Ed
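
Added example, not part of the thread and not BulletProof Security code: because the registry and metabase checks discussed above may be unreadable to the application pool user, an alternative is to test from the site itself whether a rule in .htaccess is actually enforced. The canary path, the rule shown in the comment, and all function names are assumptions made for this example.

```php
<?php
// Added example, not BulletProof Security code. Canary path and rule are constructed.
// The admin first adds this rule to the site-root .htaccess:
//   RewriteEngine On
//   RewriteRule ^htaccess-canary-probe$ - [F]
const CANARY_PATH = '/htaccess-canary-probe';

function is_iis(string $serverSoftware): bool
{
    // IIS reports itself as e.g. "Microsoft-IIS/7.0" in SERVER_SOFTWARE.
    return stripos($serverSoftware, 'Microsoft-IIS') !== false;
}

// Default fetcher: returns the HTTP status code for $url, or 0 if unreachable.
function http_status(string $url): int
{
    $ctx = stream_context_create(['http' => [
        'ignore_errors' => true, 'timeout' => 5, 'follow_location' => 0,
    ]]);
    $fh = @fopen($url, 'r', false, $ctx);
    if ($fh === false) {
        return 0;
    }
    $meta = stream_get_meta_data($fh);
    fclose($fh);
    $line = $meta['wrapper_data'][0] ?? '';
    return preg_match('#^HTTP/\S+\s+(\d{3})#', $line, $m) ? (int) $m[1] : 0;
}

// Classifies the site: is the canary rule in .htaccess actually being applied?
function htaccess_state(string $serverSoftware, string $siteUrl, ?callable $fetch = null): string
{
    if (!is_iis($serverSoftware)) {
        return 'not-iis';            // Apache etc.: nothing special to check
    }
    $status = ($fetch ?? 'http_status')(rtrim($siteUrl, '/') . CANARY_PATH);
    if ($status === 403) {
        return 'enforced';           // the [F] rule fired, so .htaccess is processed
    }
    // Any other answer (typically a 404) means the rule was ignored.
    return $status === 0 ? 'unknown' : 'not-enforced';
}

// Offline demo with stub fetchers returning constructed status codes.
foreach ([403, 404, 0] as $code) {
    $state = htaccess_state('Microsoft-IIS/7.0', 'http://example.test', fn (string $url): int => $code);
    echo $code, ' => ', $state, PHP_EOL;
}
```

A result of `not-enforced` means the security rules in the .htaccess file are present on disk but are not protecting the site; `unknown` is the case where a warning plus the manual switch discussed in the thread remains the fallback.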

  21. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    @doulos2k - the IIS warning/alert will have a dismiss button included in the warning/alert displayed message so that the warning/alert can be permanently hidden/dismissed.

    BPS .48.4 is scheduled for release on 5/6 and will include a new feature - Login Security.

    BPS .48.5 will include the new coding check for IIS and some other new additions to Custom Code.

  22. doulos2k
    Member
    Posted 1 year ago #

    Thanks! Looking forward to the new release and I appreciate your attention to the issue!

  23. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Will be added in BPS .48.5 resolving.

Topic Closed

This topic has been closed to new replies.
