• Resolved Manuel Fritsch

    (@let-me-see)


    Hello there,

    I am currently trying to get Ninja Firewall working with Bulletproof Security and All in One WP Security. (Having recently discovered that someone hacked my site, despite BPS, I try to do everything I can – hoping I don’t do too much).

    The other plugins seem to get along with each other, but when I write the .htaccess file to include the Ninja Firewall code, I break the site. I have to rebuild the whole .htaccess with my backup in BPS. At this moment, I do not know what to do. Could it be because they are redundant and block each other?

    I also consulted http://ninjafirewall.com/wordpress/help.php and did everything many times over, but to no avail.

    Kind regards,
    Manuel

    https://wordpress.org/plugins/ninjafirewall/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter Manuel Fritsch

    (@let-me-see)

    I would like to add that Ninja Firewall tries or suggests to insert its code into the .htaccess file at the same position as BPS itself puts it (if I insert the code which NF gives me into the according Custom Code field in the BPS plugin). However, Ninja Firewall seems to (want me to) kill all lines before, which includes the BEGIN WordPress tag.

    So, what I get is a corrupted .htaccess, if I let NF do the work, and if I do it myself, the intro site loads all over again as if I hadn’t changed my .htaccess.

    rafaelmagic

    (@rafaelmagic)

    I would get BPS working correctly. Look at all the custom code pop-ups in the WP-Admin for BPS. Set those up in the Custom Code Editor.

    Watch the video multiple times.

    I never used AIO WP Security, so I am not sure if that plugin also adds code to .htaccess.

    Look at the link below, I got BPS and Ninja getting along. Did a tutorial and some troubleshooting.

    http://wordpress.org/support/topic/ninja-firewall-with-bullet-proof-security-ithemes-security-better-wp-secuirty?replies=6#post-5438234

    WordPress Core is secure but when you add plugins, they may create security holes and exploits. Look for any plugins that are old and figure out if you need them.

    Scan your computer for keylogger with antivirus and spyware.

    Use a complicated password and a user name that is not an author name, look at the nickname section.

    Then your server itself has to be secure.

    rafaelmagic

    (@rafaelmagic)

    The main problem with AIO and BPS is the overlap in security may or may not create issues.

    Post a message in BPS and AIO support forums.

    From the looks of NinjaFirewall, it might be providing all the features of AIO. So do your homework and make a decision.

    FYI, BPS has a Pro version for $60 for unlimited domains. Might be a solution.

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Normally, Ninjafirewall will add its own lines at the top of the .htaccess and will keep all other lines as they are, without altering them.

    “when I write the .htaccess file to include the Ninja Firewall code, I break the site”

    What kind of error did you get?

    Note that while running NF, I would avoid using plugins that add tons of lines to the .htaccess. They will not add more protection to your site.

    Thread Starter Manuel Fritsch

    (@let-me-see)

    Hej,

    @rafaelmagic Thank you very much for your detailed installation tutorial!

    @nintechnet I got completely shut out of my installation, and had to take the altered .htaccess out completely (not even reverting the changes worked).

    I hoped that more .htaccess lines would add more layers of security, since Ninja Firewall only seems to block certain types of attacks? There is a whole bundle of options in AIO which I could not make out in your screenshots (thanks for that).

    Unfortunately, I still cannot get NinjaFirewall to complete its setup – although the .htaccess and php.ini are written and given 644 permissions (just in case that is of concern). I always waited more than 5min before checking. I also tried putting the files into the root directory of my webspace, just out of curiosity, but that did not change anything either. I also checked that the php.ini filename is correct for the server in use. It’s a shame, NinjaFirewall really seemed so great.

    Plugin Author nintechnet

    (@nintechnet)

    “There is a whole bundle of options in AIO which I could not make out in your screenshots”

    Which ones? .htaccess rules give you a very limited protection. They can only handle GET requests, but no POST requests for instance. That means that it is very easy to bypass.

    Regarding your error, can you download the ninjacheck script, upload it to your WP directory, call it from your browser and paste here the output?

    Thread Starter Manuel Fritsch

    (@let-me-see)

    Hej nintechnet,

    AIO offers e.g. file checks (for changes of any file, would have been most useful to me earlier) and the ability to change the login URL, among many other things. It combines many things I could get separately; I like that idea. Regarding .htaccess, I admit not to understand too much of what AIO actually inserts there. The following options are given to me:

    basic firewall protection:
    1) Protect your htaccess file by denying access to it.
    2) Disable the server signature.
    3) Limit file upload size (10MB).
    4) Protect your wp-config.php file by denying access to it.

    other:
    disable access to the WordPress xmlrpc.php
    disable directory and file listing
    disable trace and track
    forbid proxy comment posting
    protect against malicious queries via XSS
    block bad character matches from XSS
    5G Blacklist firewall protection
    block all fake Googlebots
    prevent hotlinking to images on your site
    IP Lockout For 404 Events

    So, all this sounds quite nice, but of course I do not know whether BPS, AIO and NinjaFirewall try to do the same job one time or another. Yet again, I don’t have any idea what the firewall policies of NinjaFirewall mean. (This certainly isn’t ideal for an admin, I know.)

    This is the output from your troubleshooter script (while no php.ini in the WP root, but the PHP handler at the right place in the BPS-(custom-)made .htaccess):

    NinjaFirewall (WP edition) troublershooter v1.01

    ========================== %< ============================

    HTTP server: Apache/2.2.22
    PHP version: 5.4.9
    PHP SAPI: CGI-FCGI
    Loaded INI file: /usr/local/php54-SECURE/php.ini
    auto_prepend_file: none
    user_ini.filename: .user.ini
    user_ini.cache_ttl: 300
    user INI: not found
    PHPRC: ./:/etc/php.ini/5/315438/2032348:/etc/php.ini/5/315438:/usr/local/php54-SECURE
    DOCUMENT_ROOT: /*****/wordpress
    wp-config.php: found

    Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at /*****/wordpress/ninjacheck.php:25) in /*****/wordpress/wp-content/plugins/ninjafirewall/ninjafirewall.php on line 45

    ABSPATH: /*****/wordpress/
    WP version: 3.8.2
    WP_CONTENT_DIR: /*****/wordpress/wp-content

    ========================== %< ============================

    …and this was seconds after I put your php.ini back in the WP root:

    NinjaFirewall (WP edition) troublershooter v1.01

    ========================== %< ============================

    HTTP server: Apache/2.2.22
    PHP version: 5.4.9
    PHP SAPI: CGI-FCGI
    Loaded INI file: /*****/wordpress/php.ini
    auto_prepend_file: /*****/wordpress/wp-content/plugins/ninjafirewall/lib/firewall.php
    user_ini.filename: .user.ini
    user_ini.cache_ttl: 300
    user INI: php.ini found
    PHPRC: ./:/etc/php.ini/5/315438/2032348:/etc/php.ini/5/315438:/usr/local/php54-SECURE
    DOCUMENT_ROOT: /*****/wordpress
    wp-config.php: found
    ABSPATH: /*****/wordpress/
    WP version: 3.8.2
    WP_CONTENT_DIR: /*****/wordpress/wp-content

    ========================== %< ============================

    Again, I checked after 5min for access to the NinjaFirewall Settings Page, but I still only got the intro routine.

    Best regards,
    Manuel

    Plugin Author nintechnet

    (@nintechnet)

    The loaded INI file as well as the “auto_prepend_file” value are fine.
    However, the loaded INI file does not appear in the “PHPRC” variable.
    Can you check the NinjaFirewall line that was added to your .htaccess file and ensure it is pointing to the loaded INI file (/*****/wordpress/php.ini) ?
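The reading of the troubleshooter output that the plugin author describes above can be automated. This is an added example, not part of the thread or of NinjaFirewall: the function names are hypothetical, the sample reports are abridged from the two outputs posted earlier (paths masked as in the original), and the PHPRC comparison is a literal string match that does not resolve the `./` entry.

```python
import posixpath

# Abridged from the two troubleshooter outputs posted in this thread
# (paths masked as in the original posts).
BEFORE = """\
Loaded INI file: /usr/local/php54-SECURE/php.ini
auto_prepend_file: none
user INI: not found
PHPRC: ./:/etc/php.ini/5/315438/2032348:/etc/php.ini/5/315438:/usr/local/php54-SECURE
DOCUMENT_ROOT: /*****/wordpress
"""
AFTER = """\
Loaded INI file: /*****/wordpress/php.ini
auto_prepend_file: /*****/wordpress/wp-content/plugins/ninjafirewall/lib/firewall.php
user INI: php.ini found
PHPRC: ./:/etc/php.ini/5/315438/2032348:/etc/php.ini/5/315438:/usr/local/php54-SECURE
DOCUMENT_ROOT: /*****/wordpress
"""

def parse_report(text):
    """Turn 'key: value' lines into a dict; separator lines have no ': ' and are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key not in fields:
            fields[key] = value.strip()
    return fields

def diagnose(text):
    """Return findings on whether firewall.php is actually prepended to every request."""
    f = parse_report(text)
    findings = []
    prepend = f.get("auto_prepend_file", "none")
    if prepend in ("", "none"):
        findings.append("auto_prepend_file unset: firewall.php is not loaded")
    elif not prepend.endswith("/ninjafirewall/lib/firewall.php"):
        findings.append("auto_prepend_file points elsewhere: " + prepend)
    ini_dir = posixpath.dirname(f.get("Loaded INI file", ""))
    # Literal comparison, as in the reply above: the directory of the loaded
    # INI file is expected to be one of the PHPRC search-path entries.
    search = [posixpath.normpath(p) for p in f.get("PHPRC", "").split(":") if p]
    if ini_dir and ini_dir not in search:
        findings.append("loaded INI directory is not in PHPRC: " + ini_dir)
    return findings
```

An empty list means both checks pass; the first report yields the unset `auto_prepend_file` finding and the second yields the PHPRC mismatch the plugin author points out.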

    Thread Starter Manuel Fritsch

    (@let-me-see)

    Sorry, it seems I missed the mail about your reply. Yes, I checked that, it points to the file (which has 740 rights). I had copied it from the installation page right into the part of .htaccess where BPS suggests to put PHP handlers.

    Interestingly, this morning I logged into my site for maybe the first time in two weeks and instantly received notification of NinjaFirewall about the login via email. Also, its widget “Ninja Firewall statistics” on the network admin dashboard shows one blocked hacking attempt of medium severity since about a week ago. Unfortunately, I cannot access the Firewall log, it tells me “You do not have sufficient permissions to access this page.”

    Thread Starter Manuel Fritsch

    (@let-me-see)

    It works! I asked my hoster for help, and they inserted the reference to the firewall via a php.ini editor in my online administration tools. Apparently, they use a default or custom php.ini for their shared hosting accounts, which I cannot access via my FTP. I was not aware of that. In this php.ini, the last line after many other settings lines now reads:

    [NinjaFirewall]
    auto_prepend_file = "/kunden/315438_67663/movemeta/wordpress/wp-content/plugins/ninjafirewall/lib/firewall.php"

    To prove that this “invisible” php.ini overrides any other, I renamed the php.ini that NinjaFirewall had created – and the Firewall still worked. So, I took this one out completely. Thank you for your efforts! I updated my five star rating immediately 🙂

    For anyone who is interested, the .htaccess now sports the codes of NinjaFirewall, AIO WP Security and BPS in this order. My hoster says, the .htaccess code for NinjaFirewall does not change a thing in their environment, and they only put it in because NinjaFirewall explicitly checks it… I still wonder whether all three plugins are really necessary, but I simply am not able to judge this and found nothing on the net. Also, I will most probably have to edit the .htaccess manually and put everything back in order whenever any of these three is updated, or any settings of AIO and BPS are changed. :-/

    Plugin Author nintechnet

    (@nintechnet)

    Great!
    You can try to check whether you are blocked:
    1) log out of WordPress.
    2) call your site: http://YOUR_BLOG.COM/index.php?test=hack%00

    You should be blocked.

    “Also, I will most probably have to edit the .htaccess manually and put everything back in order whenever any of these three is updated, or any settings of AIO and BPS are changed. :-/”

    NinjaFirewall will not complain when you upgrade it (it does not make any more changes to the .htaccess or PHP ini file after its installation). However, if one day you want to remove it, it is very important that you manually remove the auto_prepend_file instruction from the php.ini before uninstalling NinjaFirewall.

    Thread Starter Manuel Fritsch

    (@let-me-see)

    I will certainly keep that in mind. Also, the test hack was successfully blocked. You know, this really lifts a huge weight off my shoulders. I worried many days about security, ever since someone inserted that link into my home page via one of the disabled (free) templates. There really are other things I love to do with my time than worry. So:

    NinjaFirewall makes my life a lot easier, and I sincerely hope that people will make this the no. 1 firewall and security plugin on WP. I see no reason why it shouldn’t be. Thank you so much, again!

    //Topic resolved, signing off!

  • The topic ‘Ninja Firewall with BPS and AIO WP Security’ is closed to new replies.