WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] jquery issue (9 posts)

  1. jongag1
    Member
    Posted 1 year ago #

    Hi,

    After upgrade (MU-install) to 3.5 drag and drop and the slide out menus in the dashboard stopped working. On the sites itself it's okay.

    I noticed the sticky post with the Master List this is a known bug and should be related to a plugin or theme.

    I disabled all plugins (also on the sites) and switched the theme into TwentyTwelve. Still not working.

    Than I went to http://codex.wordpress.org/Using_Your_Browser_to_Diagnose_JavaScript_Errors as suggested. Issue is on all browsers, so I added define('SCRIPT_DEBUG', true); into my wp-config file. That solved the issue for me! And as mentioned on that page I should post a topic in this forum telling the volunteers it helped in my case.

    I have an other site (single install) and that works okay. Can it be related with the multi-user site?

    Greetings,
    Age

  2. jongag1
    Member
    Posted 1 year ago #

    When looking with the error console it says (when I'm in the Widget screen):
    Tijdstempel: 12-12-2012 12:29:17
    Fout: ReferenceError: jQuery is not defined
    Bronbestand: http://gemeentehollandskroon.net/wp-content/plugins/jetpack/_inc/jquery.spin.js?ver=3.5
    Regel: 86

    Tijdstempel: 12-12-2012 12:29:17
    Fout: ReferenceError: jQuery is not defined
    Bronbestand: http://s0.wp.com/wp-content/mu-plugins/notes/notes-rest-common.js?ver=2.0.2-201250
    Regel: 101

    Tijdstempel: 12-12-2012 12:29:17
    Fout: ReferenceError: jQuery is not defined
    Bronbestand: http://s0.wp.com/wp-content/mu-plugins/notes/admin-bar-rest.js?ver=2.0.2-201250
    Regel: 43

    Tijdstempel: 12-12-2012 12:29:17
    Fout: ReferenceError: jQuery is not defined
    Bronbestand: http://gemeentehollandskroon.net/wp-admin/widgets.php?w3tc_note=flush_all
    Regel: 8231

  3. When you don't have script_debug turned on -- can you please give me the link to load-scripts.php that shows up in your HTML source?

    It should look something like:

    <script type='text/javascript' src='http://www.example.com/wp-admin/load-scripts.php?c=0&load[]=jquery,utils&ver=3.5'></script>

    and then paste the contents of the linked URL into a pastebin to review?

    Thanks!

  4. jongag1
    Member
    Posted 1 year ago #

    Hi George,

    I'm not sure if I understand you correct regarding the pastebin...

    This is in my HTML source:

    <script type='text/javascript' src='http://gemeentehollandskroon.net/wp-admin/load-scripts.php?c=1&load[]=jquery,utils&ver=3.5'></script>

    When I click on it, I get:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /wp-admin/load-scripts.php
    on this server.</p>
    </body></html>

    The file is chmod: 644.

    Hope this is what you wanted to know!

    Gr,
    Age

  5. Do you have a .htaccess file in your wp-admin folder? If so, could you paste me the contents?

    Something is denying access to load-scripts.php based on it having the square brackets in the query string. This is an issue that we've seen caused by a plugin called BulletProof Security in the past.

  6. jongag1
    Member
    Posted 1 year ago #

    I used the plugin before, so it could be the cause.
    It's quite big, but I wasn't sure what to delete after removing the bulletproof plugin:

    #   BULLETPROOF PRO 5.D DEFAULT .HTACCESS     
    
    # If you edit the  BULLETPROOF .47.5 >>>>>>> SECURE .HTACCESS text above
    # you will see error messages on the BPS Security Status page
    # BPS is reading the version number in the htaccess file to validate checks
    # If you would like to change what is displayed above you
    # will need to edit the BPS /includes/functions.php file to match your changes
    # If you update your WordPress Permalinks the code between BEGIN WordPress and
    # END WordPress is replaced by WP htaccess code.
    # This removes all of the BPS security code and replaces it with just the default WP htaccess code
    # To restore this file use BPS Restore or activate BulletProof Mode for your Root folder again.
    
    # BEGIN WordPress
    # IMPORTANT!!! DO NOT DELETE!!! - BEGIN WordPress above or END WordPress - text in this file
    # They are reference points for WP, BPS and other plugins to write to this htaccess file.
    # IMPORTANT!!! DO NOT DELETE!!! - BPSQSE BPS QUERY STRING EXPLOITS - text
    # BPS needs to find the - BPSQSE - text string in this file to validate that your security filters exist
    
    # BEGIN W3TC Page Cache core
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteRule ^(.*\/)?w3tc_rewrite_test$ $1?w3tc_rewrite_test=1 [L]
        RewriteCond %{HTTP_HOST} ^(www\.)?([a-z0-9\-\.]+\.[a-z]+)\.?(:[0-9]+)?$
        RewriteRule .* - [E=W3TC_DOMAIN:%2]
        RewriteCond %{HTTPS} =on
        RewriteRule .* - [E=W3TC_SSL:_ssl]
        RewriteCond %{SERVER_PORT} =443
        RewriteRule .* - [E=W3TC_SSL:_ssl]
        RewriteCond %{HTTP:Accept-Encoding} gzip
        RewriteRule .* - [E=W3TC_ENC:_gzip]
        RewriteCond %{REQUEST_METHOD} !=POST
        RewriteCond %{QUERY_STRING} =""
        RewriteCond %{HTTP_HOST} =gemeentehollandskroon.net
        RewriteCond %{REQUEST_URI} \/$ [OR]
        RewriteCond %{REQUEST_URI} (sitemap(_index)?\.xml(\.gz)?|[a-z0-9_\-]+-sitemap([0-9]+)?\.xml(\.gz)?) [NC]
        RewriteCond %{REQUEST_URI} !(\/wp-admin\/|\/xmlrpc.php|\/wp-(app|cron|login|register|mail)\.php|wp-.*\.php|index\.php) [NC,OR]
        RewriteCond %{REQUEST_URI} (wp\-comments\-popup\.php|wp\-links\-opml\.php|wp\-locations\.php) [NC]
        RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|wordpress_\[a\-f0\-9\]\+|wordpress_logged_in) [NC]
        RewriteCond %{HTTP_USER_AGENT} !(W3\ Total\ Cache/0\.9\.2\.4) [NC]
        RewriteCond "%{DOCUMENT_ROOT}/wp-content/w3tc-%{ENV:W3TC_DOMAIN}/pgcache/%{REQUEST_URI}/_index%{ENV:W3TC_UA}%{ENV:W3TC_REF}%{ENV:W3TC_SSL}.html%{ENV:W3TC_ENC}" -f
        RewriteRule .* "/wp-content/w3tc-%{ENV:W3TC_DOMAIN}/pgcache/%{REQUEST_URI}/_index%{ENV:W3TC_UA}%{ENV:W3TC_REF}%{ENV:W3TC_SSL}.html%{ENV:W3TC_ENC}" [L]
        RewriteCond %{REQUEST_METHOD} !=POST
        RewriteCond %{QUERY_STRING} =""
        RewriteCond %{HTTP_HOST} =gemeentehollandskroon.net
        RewriteCond %{REQUEST_URI} \/$ [OR]
        RewriteCond %{REQUEST_URI} (sitemap(_index)?\.xml(\.gz)?|[a-z0-9_\-]+-sitemap([0-9]+)?\.xml(\.gz)?) [NC]
        RewriteCond %{REQUEST_URI} !(\/wp-admin\/|\/xmlrpc.php|\/wp-(app|cron|login|register|mail)\.php|wp-.*\.php|index\.php) [NC,OR]
        RewriteCond %{REQUEST_URI} (wp\-comments\-popup\.php|wp\-links\-opml\.php|wp\-locations\.php) [NC]
        RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|wordpress_\[a\-f0\-9\]\+|wordpress_logged_in) [NC]
        RewriteCond %{HTTP_USER_AGENT} !(W3\ Total\ Cache/0\.9\.2\.4) [NC]
        RewriteCond "%{DOCUMENT_ROOT}/wp-content/w3tc-%{ENV:W3TC_DOMAIN}/pgcache/%{REQUEST_URI}/_index%{ENV:W3TC_UA}%{ENV:W3TC_REF}%{ENV:W3TC_SSL}.xml%{ENV:W3TC_ENC}" -f
        RewriteRule .* "/wp-content/w3tc-%{ENV:W3TC_DOMAIN}/pgcache/%{REQUEST_URI}/_index%{ENV:W3TC_UA}%{ENV:W3TC_REF}%{ENV:W3TC_SSL}.xml%{ENV:W3TC_ENC}" [L]
    </IfModule>
    # END W3TC Page Cache core
    
    # BEGIN W3TC Browser Cache
    <IfModule mod_deflate.c>
        <IfModule mod_setenvif.c>
            BrowserMatch ^Mozilla/4 gzip-only-text/html
            BrowserMatch ^Mozilla/4\.0[678] no-gzip
            BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
            BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
        </IfModule>
        <IfModule mod_headers.c>
            Header append Vary User-Agent env=!dont-vary
        </IfModule>
        <IfModule mod_filter.c>
            AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon
        </IfModule>
    </IfModule>
    <FilesMatch "\.(css|js|htc|CSS|JS|HTC)$">
        FileETag None
        <IfModule mod_headers.c>
             Header set X-Powered-By "W3 Total Cache/0.9.2.4"
        </IfModule>
    </FilesMatch>
    <FilesMatch "\.(html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|HTML|HTM|RTF|RTX|SVG|SVGZ|TXT|XSD|XSL|XML)$">
        FileETag None
        <IfModule mod_headers.c>
             Header set X-Powered-By "W3 Total Cache/0.9.2.4"
        </IfModule>
    </FilesMatch>
    <FilesMatch "\.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip|ASF|ASX|WAX|WMV|WMX|AVI|BMP|CLASS|DIVX|DOC|DOCX|EOT|EXE|GIF|GZ|GZIP|ICO|JPG|JPEG|JPE|MDB|MID|MIDI|MOV|QT|MP3|M4A|MP4|M4V|MPEG|MPG|MPE|MPP|OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|PDF|PNG|POT|PPS|PPT|PPTX|RA|RAM|SVG|SVGZ|SWF|TAR|TIF|TIFF|TTF|TTC|WAV|WMA|WRI|XLA|XLS|XLSX|XLT|XLW|ZIP)$">
        FileETag None
        <IfModule mod_headers.c>
             Header set X-Powered-By "W3 Total Cache/0.9.2.4"
        </IfModule>
    </FilesMatch>
    # END W3TC Browser Cache
    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # uploaded files
    RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule . index.php [L]
    </IfModule>
    
    # TURN OFF YOUR SERVER SIGNATURE
    ServerSignature Off
    
    # ADD A PHP HANDLER
    # If you are using a PHP Handler add your web hosts PHP Handler below
    
    # DO NOT SHOW DIRECTORY LISTING
    # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
    # by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
    Options -Indexes
    
    # DIRECTORY INDEX FORCE INDEX.PHP
    # Use index.php as default directory index file
    # index.html will be ignored will not load.
    DirectoryIndex index.php index.html /index.php
    
    # BPS PRO ERROR LOGGING AND TRACKING - Available in BPS Pro only
    # BPS Pro has premade 403 Forbidden, 400 Bad Request and 404 Not Found files that are used
    # to track and log 403, 400 and 404 errors that occur on your website. When a hacker attempts to
    # hack your website the hackers IP address, Host name, Request Method, Referering link, the file name or
    # requested resource, the user agent of the hacker and the query string used in the hack attempt are logged.
    # BPS Pro Log files are added to the P-Security All Purpose File Manager to view them.
    # All BPS Pro log files are htaccess protected so that only you can view them.
    # The 400.php, 403.php and 404.php files are located in /wp-content/plugins/bulletproof-security/
    # The 400 and 403 Error logging files are already set up and will automatically start logging errors
    # after you install BPS Pro and have activated BulletProof Mode for your Root folder.
    # If you would like to log 404 errors you will need to copy the logging code in the BPS Pro 404.php file
    # to your Theme's 404.php template file. Simple instructions are included in the BPS Pro 404.php file.
    # You can open the BPS Pro 404.php file using the WP Plugins Editor or by using the BPS Pro File Manager.
    # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php template file.
    
    # ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    # ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php
    
    # DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
    RedirectMatch 403 /\..*$
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # FORBID EMPTY REFFERER SPAMBOTS
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} (wp-comments-post\.php)
    RewriteCond %{HTTP_REFERER} !^.*gemeentehollandskroon.net.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F]
    
    # REQUEST METHODS FILTERED
    # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
    # HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just
    # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
    # all bots to make a HEAD request then remove HEAD from the Request Method filter.
    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]
    
    # PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
    # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
    # Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.
    
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*gemeentehollandskroon.net.*
    RewriteRule . - [S=1]
    
    # BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    
    # DENY BROWSER ACCESS TO THESE FILES
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # Replace Allow from 88.77.66.55 with your current IP address and remove the
    # pound sign # from in front of the Allow from line of code below to access these
    # files directly from your browser.
    
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order allow,deny
    Deny from all
    #Allow from 88.77.66.55
    </FilesMatch>
    
    # IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
    # END WordPress
    
    # BLOCK HOTLINKING TO IMAGES
    # To Test that your Hotlinking protection is working visit http://altlab.com/htaccess_tutorial.html
    #RewriteEngine On
    #RewriteCond %{HTTP_REFERER} !^https?://(www\.)?add-your-domain-here\.com [NC]
    #RewriteCond %{HTTP_REFERER} !^$
    #RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
    
    # FORBID COMMENT SPAMMERS ACCESS TO YOUR wp-comments-post.php FILE
    # This is a better approach to blocking Comment Spammers so that you do not
    # accidentally block good traffic to your website. You can add additional
    # Comment Spammer IP addresses on a case by case basis below.
    # Searchable Database of known Comment Spammers http://www.stopforumspam.com/
    
    <FilesMatch "^(wp-comments-post\.php)">
    Order Allow,Deny
    Deny from 46.119.35.
    Deny from 46.119.45.
    Deny from 91.236.74.
    Deny from 93.182.147.
    Deny from 93.182.187.
    Deny from 94.27.72.
    Deny from 94.27.75.
    Deny from 94.27.76.
    Deny from 193.105.210.
    Deny from 195.43.128.
    Deny from 198.144.105.
    Deny from 199.15.234.
    Allow from all
    </FilesMatch>
    
    # BLOCK MORE BAD BOTS RIPPERS AND OFFLINE BROWSERS
    # If you would like to block more bad bots you can get a blacklist from
    # http://perishablepress.com/press/2007/06/28/ultimate-htaccess-blacklist/
    # You should monitor your site very closely for at least a week if you add a bad bots list
    # to see if any website traffic problems or other problems occur.
    # Copy and paste your bad bots user agent code list directly below.
  7. jongag1
    Member
    Posted 1 year ago #

    Oops you needed the htaccess for the admin folder:

    #   BULLETPROOF .47.5 WP-ADMIN SECURE .HTACCESS     
    
    # If you edit the BULLETPROOF .47.5 WP-ADMIN SECURE .HTACCESS text above
    # you will see error messages on the BPS Security Status page
    # BPS is reading the version number in the htaccess file to validate checks
    # BPS is also checking that the string BPSQSE exists in this file - do not delete it
    # If you would like to change what is displayed above you
    # will need to edit the BPS functions.php file to match your changes
    # For more info see the BPS Guide at AIT-pro.com
    
    # DO NOT ADD URL REWRITING IN THIS FILE OR WORDPRESS WILL BREAK
    # RewriteRule ^(.*)$ - [F,L] - works in /wp-admin without breaking WordPress
    # RewriteRule . /index.php [L] - will break WordPress
    
    # ADD WP-ADMIN FILE NAMES TO FILESMATCH MAKING THEM 403 FORBIDDEN
    # DENY BROWSER ACCESS TO WP-ADMIN INSTALL.PHP
    # Add the wp-admin file names to FilesMatch and deny direct browser access to them.
    # This would generate a HTTP 403 Forbidden error message instead of a 404 error.
    # The root .htaccess file already has a security rule that blocks access to all
    # /wp-admin/includes files in the wp-admin folder. Directly trying to access
    # files with a browser in the wp-admin folder results in 404 HTTP errors, which is
    # essentially the same protection that making the files forbidden 403 would achieve.
    # Making /wp-admin/install.php forbidden is not really necessary, but has been
    # added as an additional security measure.
    # To allow yourself browser access to install.php replace Allow from 88.77.66.55
    # with your current IP address and remove the pound sign # from in front of the
    # Allow from line of code below.
    
    <FilesMatch "^(install\.php|example\.php|example2\.php|example3\.php)">
    Order allow,deny
    Deny from all
    #Allow from 88.77.66.55
    </FilesMatch>
    
    # BEGIN OPTIONAL WP-ADMIN ADDITIONAL SECURITY MEASURES:
    
    # BEGIN CUSTOM CODE WPADMIN TOP: Add miscellaneous custom code here
    
    # END CUSTOM CODE WPADMIN TOP
    
    # WP-ADMIN DIRECTORY PASSWORD PROTECTION - .htpasswd
    # The BPS root .htaccess file already has a security rule that blocks access to all
    # /wp-admin/includes files in the wp-admin folder.
    # The wp-admin directory already requires authentication to gain access to your
    # wp dashboard. Adding a second layer of authentication is not really necessary.
    # Users / visitors to your site will not be able to register or login
    # to your site without also having the additional login information.
    # htpasswd encrypts passwords using either a version of MD5 modified for Apache,
    # or the system's crypt() routine. Files managed by htpasswd may contain both types
    # of passwords; some user records may have MD5-encrypted passwords while others in
    # the same file may have passwords encrypted with crypt().
    # User accounts and passwords can be added in your host Control Panel or directly
    # in the .htpasswd file.
    # The .htpasswd file should be in a Server protected directory and not in a public
    # directory.
    # You can specify a single specific user or use valid-user to allow all valid
    # user accounts to be able to login to your site.
    
    # EXAMPLE:
    #AuthType basic
    #AuthGroupFile /dev/null
    #AuthUserFile /path/to/protected/server/directory/.htpasswd
    #AuthName "Password Protected Area"
    #require user Zippy
    #require valid-user
    
    # ADD YOUR CURRENT IP ADDRESS TO THIS FILE
    # This will then require that you FTP to your site and manually change the IP
    # address in this .htaccess file. And users will not be able to register or login
    # to your site without having their IP addresses added to this file. It is possible
    # to automate this, but unfortunately in order to not lock you out of your own site
    # the IP address would have to be removed on exiting your site. This means that if
    # you are not currently logged in then no additional security is in effect.
    # If you are not going to access or login to your site for a long time and you
    # are not allowing additional users to access your site then
    # manually adding an IP address may be an option you want to use temporarily.
    
    # EXAMPLE:
    #AuthUserFile /dev/null
    #AuthGroupFile /dev/null
    #AuthName “Password Protected Area”
    #AuthType Basic
    #order deny,allow
    #deny from all
    # whitelist home IP address
    #allow from 64.233.169.99
    # whitelist work IP address
    #allow from 69.147.114.210
    #allow from 199.239.136.200
    # IP while in Kentucky; delete when back
    #allow from 128.163.2.27
    
    # END OPTIONAL WP-ADMIN ADDITIONAL SECURITY MEASURES
    
    # REQUEST METHODS FILTERED
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]
    
    # BEGIN CUSTOM CODE WPADMIN PLUGIN FIXES: Add ONLY WPADMIN personal plugin fixes code here
    
    # END CUSTOM CODE WPADMIN PLUGIN FIXES
    
    # Allow wp-admin files that are called by plugins
    # Fix for WP Press This
    RewriteCond %{REQUEST_URI} (press-this\.php) [NC]
    RewriteRule . - [S=1]
    
    # BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
  8. Yup, it's BPS's fault.

    Just delete the one in wp-admin, and purge their rules from your normal .htaccess file.

    Or, just reinstall the plugin and upgrade to the latest release. That should remove the offending rules.

  9. jongag1
    Member
    Posted 1 year ago #

    You're my hero!

    Activated the plugin, let it do his changes and it's working perfectly!

    Thanks!

Topic Closed

This topic has been closed to new replies.

About this Topic