BulletProof Security
[resolved] Please make BPS compatible with 6Scan (10 posts)

  1. cfravel
    Member
    Posted 1 year ago #

    I have been using 6Scan to find vulnerabilities in my site's code, plugins, etc, which is a different thing than BPS does.
    BPS seems to be unable to work with .htaccess files that 6Scan has touched.
    Can you make BPS more compatible with .htaccess files that have other things in them, and in particular with 6Scan?

    Would be great.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yes, there have been ongoing problems with each 6scan version that is released. The problem is that 6scan is trying to use the same space/position in the root .htaccess file that BPS is using instead of 6scan creating its own allocated space/position in the root .htaccess file.

    BPS is the dominant and primary plugin when it comes to .htaccess website security protection so what I have considered doing is creating a coding check that will check if 6scan is installed on a website and then move that 6scan coding where it should be in the root .htaccess file so that it does not interfere with BPS.

    The problem with doing this is that 6scan keeps changing the coding that breaks the BPS root .htaccess checks in each new version of 6scan that they release. So this means that I would have to keep changing my checking coding to fix the new coding issues in each new version of 6scan that is released.

    That is obviously not a good approach and the better approach is since BPS .htaccess code has always had and will always have consistent identifiers (BEGIN, END) in the code/root .htaccess file then 6scan should be using these consistent BPS identifiers to position/add their 6scan .htaccess code in the root .htaccess file.

    The solution would actually be very simple for 6scan to do: use file_get_contents, do a preg_match, do a str_replace or preg_replace and add their .htaccess code based on the consistent BPS identifiers using either file_put_contents or fwrite.

    I will test the newest release of 6scan and find out what the problem is this time. Thanks.

  3. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Actually I am tired of retesting the 6scan plugin over and over so instead just post the exact problem that is occurring and I will give you the solution. Thanks.

  4. cfravel
    Member
    Posted 1 year ago #

    Thank you!

    I started in through your tabs, including backing up my two existing .htaccess files and being about to try the activation of Root and wp-admin security.
    Before activation, I did see one item on the security status page that looked problematic:
    "The .htaccess file that is activated in your root folder is:
    reated by 6Scan plugin #Those are used by 6S"

    So, before trying activation, I decided to see if I could see what about 6scan in my current root .htaccess seems to be the problem.

    I see what you mean, instead of something like
    # BEGIN 6SCAN
    and
    # END 6SCAN
    they have non-standard, at the beginning of the file:
    # Created by 6Scan plugin
    ...
    # End of 6Scan plugin

    If I were to leave those alone, but to WRAP their section with a more standard BEGIN/END myself, like this, would your plugin then be happy?

    BEGIN 6SCAN
    # Created by 6Scan plugin
    ...
    # End of 6Scan plugin
    END 6SCAN

    If so, I can easily do that.
    Any harm in trying it at least?

    Thank you!

    Carl

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Well actually they do now have identifiers (# Created by 6Scan plugin and # End of 6Scan plugin) so that is fine as long as these stay consistent. The exact wording of the identifier is not important.

    What I need to see is the actual .htaccess code that 6scan is creating in the root .htaccess file so that I can tell you what needs to happen next. Please post the 6scan .htaccess code using the code blocks button in this WP commenting form or use backticks.

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Actually I just looked at the 6scan .htaccess code and a lot of it is redundant, much less comprehensive and less sophisticated .htaccess code than BPS .htaccess code.

    In general the 6scan .htaccess code just needs to be cut and pasted to the bottom or end of your root .htaccess file since it is stand alone .htaccess coding that does not need to work inside the WordPress rewrite loop.

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Other options that you could use:

    You could cut and paste the 6scan .htaccess coding into the BPS Custom Code TOP text area for your Root .htaccess file or the BOTTOM Custom Code text area for your Root .htaccess file, save your custom code, click the AutoMagic buttons and activate BulletProof Mode for your Root folder again.

    Root htaccess File Custom Code

    CUSTOM CODE TOP: Add php.ini handler code and / or miscellaneous custom code here
    add 6scan .htaccess code here

    OR

    CUSTOM CODE BOTTOM: Add miscellaneous custom htaccess code here
    add 6scan .htaccess code here

  8. 6Scan
    Member
    Posted 1 year ago #

    Good day,

    We would be glad to work on this problem together.
    Our .htaccess code has always been wrapped by the "# Created by 6Scan plugin" and "# End of 6Scan plugin" decorators.
    We see that BulletProof checks the position of its .htaccess rules, and if not present in the beginning - shows warning message.

    Can we change something to make it easier for the integration?
    Perhaps you could add an exception for our code? (Our tags will not be changed anytime soon)

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    The BPS .htaccess code has been designed as a base or foundation .htaccess coding/file because it is combined into the WordPress .htaccess Rewrite loop and would not be effective site-wide as stand alone .htaccess code.

    Since your .htaccess code can be used as stand alone .htaccess code you can easily append it to the root .htaccess file by doing something like this:

    // Base your file pointer/marker/position on the # END WordPress string
    // and place the 6Scan block directly after it in the root .htaccess file
    $filename = ABSPATH . '.htaccess';
    $pattern = '/# END WordPress/s';
    // The replacement is written to the file literally, so it carries no regex
    // delimiters. (.*?) is a placeholder for the actual 6Scan .htaccess code.
    $replacement = "# END WordPress\n\n# Created by 6Scan plugin(.*?)# End of 6Scan plugin";

    if ( file_exists($filename) ) {
        $subject = file_get_contents($filename);
        if ( $subject !== false && preg_match($pattern, $subject, $matches) ) {
            chmod($filename, 0644);
            $stringReplace = preg_replace($pattern, $replacement, $subject);
            // FILE_APPEND adds the rewritten contents after the existing ones
            // rather than overwriting them.
            file_put_contents($filename, $stringReplace, FILE_APPEND | LOCK_EX);
        }
    }

    And of course replace (.*?) with your actual .htaccess code, but to check if your code already exists you would extend the function to look for your existing code in the root .htaccess file and can shorten that search string by using (.*?).

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Oops you probably do not need to use FILE_APPEND if you wanted to use this string replace method. If you wanted to keep it really simple you could just do a File append and not even check for a pointer/marker/ position in the root .htaccess file. ;)
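
Added example, not part of the original thread and not BPS or 6Scan code: the marker-based placement discussed in posts 9 and 10, written so that a second run leaves the file unchanged and rule text containing `$1` is inserted literally. The marker strings are the ones quoted in the thread; the function name and the sample rules are constructed for illustration.

```php
<?php
// Added example. Marker strings are the ones quoted in the thread; the
// function name and the sample rules are constructed for illustration.
const BLOCK_BEGIN = '# Created by 6Scan plugin';
const BLOCK_END   = '# End of 6Scan plugin';
const WP_END      = '# END WordPress';

/** Return $htaccess holding exactly one marked block, after "# END WordPress". */
function place_marked_block(string $htaccess, string $rules): string
{
    $block = BLOCK_BEGIN . "\n" . trim($rules) . "\n" . BLOCK_END . "\n";

    // Strip any existing copy (wherever it sits) so repeated runs never stack.
    $strip = '/^' . preg_quote(BLOCK_BEGIN, '/') . '.*?^'
           . preg_quote(BLOCK_END, '/') . '[^\n]*\n?/ms';
    $clean = preg_replace($strip, '', $htaccess);
    if ($clean === null) {
        throw new RuntimeException('marker regex failed');
    }
    $clean = rtrim($clean) . "\n";

    // Splice by string offset, not preg_replace(): rewrite rules contain $1
    // and backslashes, which a regex replacement string would reinterpret.
    $pos = strpos($clean, WP_END);
    if ($pos === false) {
        return $clean . "\n" . $block;          // no WordPress section: append
    }
    $cut  = $pos + strlen(WP_END);
    $tail = ltrim(substr($clean, $cut), "\r\n");
    return substr($clean, 0, $cut) . "\n\n" . $block
         . ($tail === '' ? '' : "\n" . $tail);
}

// Constructed sample: the marked block sits at the top of the file.
$sample = implode("\n", [
    BLOCK_BEGIN,
    'RewriteRule ^old/(.*)$ /new/$1 [R=301,L]',
    BLOCK_END,
    '# BEGIN WordPress',
    'RewriteEngine On',
    '# END WordPress',
    '',
]);
$rules = 'RewriteRule ^old/(.*)$ /new/$1 [R=301,L]';
$once  = place_marked_block($sample, $rules);
$twice = place_marked_block($once, $rules);
echo $once;
echo $once === $twice ? "idempotent\n" : "changed on second run\n";
```

To apply the result, write the returned string back with `file_put_contents($filename, $result, LOCK_EX)`, without `FILE_APPEND`, since the string already holds the whole file.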

Topic Closed

This topic has been closed to new replies.
