Plugin Author
AITpro
(@aitpro)
Double check all of the BPS Custom Code text boxes and look for any WPSC .htaccess code and delete it. After deleting the WPSC .htaccess code do the steps below.
1. Click the Save Root Custom Code button to save your Root custom code.
2. Go to the Security Modes page and click the Create secure.htaccess File AutoMagic button.
3. Select the Activate Root Folder BulletProof Mode Radio button and click the Activate|Deactivate button.
Plugin Author
AITpro
(@aitpro)
Is the issue/problem still occurring or is it resolved?
Thread Start Date: 3-30-2015 to 3-31-2015
Current Date: 4-3-2015
Thank you for the follow up. I will let you know. It’s a long holiday weekend over here for Easter, so will try it as soon as I’m back at work (which won’t be until Tuesday).
I already did steps #1 – 3, and when I looked previously, as I stated in my original problem, the only line I could find was:
#WPSuperCache
in my .htaccess file.
But we will see next week. Thanks!
Still didn’t work.
I found this in the wp_options table on my website the BPS security DB backup:
INSERT INTO wp_options ( option_id, option_name, option_value, autoload )
VALUES ( 97254, ‘bulletproof_security_options_customcode’, ‘a:12:{s:18:\”bps_customcode_one\”;s:14:\”# WPSuperCache\”;s:30:\”bps_customcode_directory_index\”;s:0:\”\”;s:28:\”bps_customcode_error_logging\”;s:0:\”\”;s:29:\”bps_customcode_admin_includes\”;s:0:\”\”;s:31:\”bps_customcode_wp_rewrite_start\”;s:0:\”\”;s:30:
:
:
Notice it has the line that’s causing problems!
Editing the custom htaccess files through the BPS editor doesn’t seem to affect whether it’s there or not.
How did it get in there and how do I remove it?
Thanks!
Plugin Author
AITpro
(@aitpro)
If #WPSuperCache is saved in that BPS DB option then it means that it exists in Custom Code somewhere. So either you are doing ALL of the Custom Code steps and something is preventing Custom Code from working correctly on this site. ie what is actually happening is that editing and saving Custom Code DB options is actually being broken/prevented from working by something else or you are not doing all of the Custom Code steps. So you could just delete the # WPSuperCache DB option value and that would solve the problem, but would not tell me if there is a bigger problem occurring with Custom Code being broken by something else. so…
Do these steps and double check that the # WPSuperCache placeholder text is actually really being deleted when you do the steps below.
1. Double check all of the BPS Custom Code text boxes and look for any WPSC .htaccess code and delete it.
2. Click the Save Root Custom Code button to save your Root custom code.
3. Double check all of the Custom Code text boxes and let me know if the # WPSuperCache placeholder text actually really was deleted or not.
Plugin Author
AITpro
(@aitpro)
Is the issue/problem still occurring or is it resolved?
Thread Start Date: 3-30-2015 to 3-31-2015
Current Date: 4-6-2015
Ok, so when I click on the “htaccess file editor”, I delete all the code from:
1) the “secure.htraccess” tab
2) “Your current root htaccess file” tab
3) there is no wp super cache custom code in the default.htaccess tab
I click the “update” button after each update.
I then click on the “security modes” tab.
I click “create secure htaccess” button.
Says it was created successfully.
I then go back to the tab “htaccess file editor” and click on “secure.htaccess”.
WHAMMO!
This line is back in there:
# WPSuperCache
It appears just under the line:
# CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
So I remove them again and click “update”. I go to create the “secure.htaccess” file, and then back to the htaccess file editor.
Guess what?
Those lines reappear.
So no, it’s not fixed. Somehow BPS is getting that value from the database. WP Super Cache must have left something that BPS is picking up for reading, but not removing.
Plugin Author
AITpro
(@aitpro)
Ok that tells me what the actual problem is then. Something either that you have installed on this site (ie another plugin), another htaccess file exists in a higher folder (parent folder, website hosting account root folder) that has conflicting htaccess code/rules, something installed/configured on the server (mod_security, proxy/routing, etc) or an external service (CDN, Cloudflare) is breaking Custom Code and not allowing you to actually change/edit/save Custom Code changes. Most likely the problem is going to be with something that is installed/configured on the server or an external service.
Do these troubleshooting steps to eliminate plugins first:
1. Deactivate all other plugins.
2. Test editing/changing/saving Custom Code to see if it is now working.
Plugin Author
AITpro
(@aitpro)
One other less likely possibility: Are you seeing this error message when trying to save Custom Code? “The BPS Query String Exploits Custom Code below is NOT valid…”
Plugin Author
AITpro
(@aitpro)
Oh wait a minute. These troubleshooting steps below are not correct.
1) the “secure.htraccess” tab
2) “Your current root htaccess file” tab
3) there is no wp super cache custom code in the default.htaccess tab
Please do these troubleshooting steps below and let me know the results:
1. Double check all of the BPS Custom Code text boxes and look for any WPSC .htaccess code and delete it.
2. Click the Save Root Custom Code button to save your Root custom code.
3. Double check all of the Custom Code text boxes and let me know if the # WPSuperCache placeholder text actually really was deleted or not.
Plugin Author
AITpro
(@aitpro)
Somehow BPS is getting that value from the database.
When you save Custom Code it is saved to your database and BPS uses that DB value to create the code in the .htaccess files.
Is the issue/problem still occurring or is it resolved?
Thread Start Date: 4-1-2015 to 4-2-2015
Current Date: 4-9-2015
Here is a long post reply for you.
First, I show you the code that in my htaccess file editor, broken up by “secure.htaccess” and “your current root htaccess” tabs.
Second, the custom code boxes when I hit the “update” button for both.
Third, the custom code that comes back when I then go to the “security modes” tab and click the “create secure.htaccess” file button.
It all starts here…
[Please post huge log files to a pastebin – that’s just too much code to post here – http://codex.wordpress.org/Forum_Welcome#Posting_Large_Excerpt_of_Code ]
Plugin Author
AITpro
(@aitpro)
Third, the custom code that comes back when I then go to the “security modes” tab and click the “create secure.htaccess” file button.
The custom htaccess code does not “come back” when you try to delete it from Custom Code. What is happening is that you physically delete that custom .htaccess code from a text box, but when you click the Save Root Custom Code button your edits/changes are NOT actually being saved because something you have installed on your site or something that is configured on your server is breaking/blocking BPS Custom Code from actually saving your edits/changes.
I have seen this exact same problem occurring on other websites when mod_security SecRules/SecFilters are restricting/blocking/preventing BPS Custom Code from saving any changes. So what you want to do is send a copy of the BPS root htaccess file to your web host and ask them if any mod_security SecRules and/or SecFilters will block any of the code in the BPS root .htaccess file. Also have them check the server log file, which will tell them exactly what is being blocked.
Plugin Author
AITpro
(@aitpro)
Typically the same exact problem will also happen when using the BPS htaccess File Editor. ie you try to edit something in any of the htaccess files using the BPS htaccess File Editor and your changes are not actually saved because they are being blocked/prevented/broken by a mod_security SecRule and/or SecFilter. We are looking into this known issue and trying to figure out why mod_security is doing this. Once we know why the problem is occurring then we can figure out a solution.
Plugin Author
AITpro
(@aitpro)
The obvious factors are: The POST Requests when saving Forms are being filtered/blocked, but what we do not understand is why an internal/wp-admin authentication protected folder would have this done in the first place. It does not seem logical or practical to filter POST Requests in the wp-admin authentication protected directory. Frontend of the site POST Requests make sense, but backend authentication protected POST Requests should not be blocked for obvious reasons.
