BulletProof Security
[resolved] Problem with BulletProof and WP Super Cache (7 posts)

  1. MickeyRoush
    Member
    Posted 3 years ago #

    Maybe an issue with BulletProof Security & WP Super Cache. I could not access the Advanced Settings of WP Super Cache. Throws up a Forbidden.

    I removed the string 'set' from this line:
    RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]

    and it works now

  2. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    Hmmm, OK, it's been a while since I retested WP Super Cache, so I will retest it today, see what is going on, and post my findings back here. Well, you just removed all the SQL Injection filters, so that means that your site is now vulnerable to SQL Injection hacking methods.

  3. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    OK, well, several things have changed in WP Super Cache since I originally tested it. It is working fine with BPS, but I see one issue that will need to be manually corrected by people who are using WP Super Cache with BPS. When using "mod_rewrite to serve cache files. (Recommended)", the WPSC htaccess code is being written appended to the end of the root htaccess file instead of being written to the top of the htaccess file, so this will require that the appended code be cut from the end of the root htaccess file and pasted to the top of the BPS root htaccess file right before the first plugin fix htaccess code. You would do this using the Built-in BPS File Editor. The Begin WordPress to End WordPress code also needs to be cut and pasted with the WPSC code (cut and paste all the code, both WPSC and the WordPress rewrite code) to the top of the root htaccess file.

    I did not have a problem with accessing the Advanced Settings page, so this means that you do not have BulletProof Mode activated for the wp-admin folder. BulletProof Modes need to be activated together. If you have the root BulletProof Mode activated, you must have the wp-admin BulletProof Mode activated, and vice versa. If you only have the root BulletProof Mode activated without activating the wp-admin BulletProof Mode, this will cause administrator menus and functions to not work correctly in your WP Dashboard.

    I will add this info to the BPS plugin compatibility testing and fixes page and let the WPSC author know about this. Also, I noticed that when you manually correct this in the BPS File Editor and then update the htaccess rules again in WPSC, the WPSC rules stay at the top of the htaccess file, but the WordPress htaccess rewrite rules are sent to the bottom of the root htaccess file - this is a big problem. Thanks.

  4. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    After talking with the WPSC plugin author, the best solution looks to be to just add alerting messages for WPSC in BPS. In the next version release of BPS you will see a message alert if WPSC settings need to be resaved.

  5. MickeyRoush
    Member
    Posted 3 years ago #

    Thanks!

  6. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    Oh, and it looks like you were updating your question at the same time I was answering it. Yep, removing individual strings / SQL commands from the SQL Injection filter is the correct method to fix plugin conflicts where a plugin needs to use one of the SQL commands that is being blocked. "set" would be used in conjunction with other SQL commands that are still being blocked by the BPS SQL Injection filter, so you are not creating any additional security risk by removing "set" from the filtered SQL commands. Thanks.
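
Added example, not part of the original thread and not BPS code: a small Python check that rebuilds the RewriteCond from the first post and reports which filtered keyword a given query string trips, so the conflicting string can be identified before it is removed. The sample query strings are constructed, the WP Super Cache tab URL is an assumption, and `re.IGNORECASE` stands in for the `[NC]` flag.

```python
import re

# Keyword list copied from the RewriteCond quoted in the first post.
BPS_KEYWORDS = (
    "execute|exec|sp_executesql|request|select|insert|union|declare|drop|"
    "delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate"
).split("|")

# Constructed sample query strings; the WP Super Cache tab URL is an assumption.
SAMPLES = [
    "page=wpsupercache&tab=settings",
    "page=wpsupercache&tab=easy",
    "orderby=date&order=asc",
    "id=1+union+select+2",
]


def build_filter(keywords):
    """Rebuild the RewriteCond pattern; re.IGNORECASE stands in for [NC]."""
    return re.compile("^.*(" + "|".join(map(re.escape, keywords)) + ").*", re.IGNORECASE)


def is_blocked(query_string, keywords=BPS_KEYWORDS):
    """True when the rebuilt condition matches the raw query string."""
    return build_filter(keywords).search(query_string) is not None


def triggering_keywords(query_string, keywords=BPS_KEYWORDS):
    """List every filter keyword found as a substring, in filter order."""
    lowered = query_string.lower()
    return [k for k in keywords if k in lowered]


def without(keyword, keywords=BPS_KEYWORDS):
    """Keyword list after removing one entry, as done in the thread."""
    return [k for k in keywords if k != keyword]


if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs!r}: blocked={is_blocked(qs)} via {triggering_keywords(qs)}; "
              f"blocked without 'set'={is_blocked(qs, without('set'))}")
```

Because the pattern has no word boundaries, any parameter value that merely contains a keyword, such as "settings", is matched.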

  7. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    BPS .46.3 now checks the root htaccess file to make sure the WPSC htaccess code is in the root htaccess file. I still recommend manually cutting and pasting the htaccess code that WPSC writes appended to the root htaccess to the top of the root htaccess file right after Options -Indexes. Be sure to also cut and paste the # Begin WordPress to # End WordPress code that was moved to the bottom of the root htaccess file. Thanks.

Topic Closed

This topic has been closed to new replies.