n00b needs help configuring plugin – it is blocking image uploads

Hi @groston,

First of all, I must apologize for not ready to provide enough documents about setting.

There are 2 things about this issue:

1. “Prevent malicious file uploading” in “Validation rule settings” section

In WordPress, MIME type and capability will be checked when a file is uploaded. But some plugins/themes or upload managers define the original MIME types and capabilities.

The MIME types can be extended via upload_mimes filter hook that should be automatically refracted to this plugin’s settings.

On the other hand, capabilities do not have similar functionality because those are so customizable. The default capability for uploading files is upload_files and only an “Author” or above as a role has this capability. So if your uploader has the custom capability for uploading, you need to add the customized capability for uploading files into “Capabilities to be verified” text box like this:

2. “Exceptions” at “Admin ajax/post” in “Back-end target settings” section

This plugin detects the “action” for ajax automatically if a plugin/theme registers it using add_action() until init action hook fires.

But a plugin/theme can register it at different timing. In this case, you need to add the name of action as follows especially when you enable “Prevent Zero-day Exploit“:

—

When you see the “Result” column of blocked requests in “Logs”, you can know which setting (1. or 2. on the above) you need . For example, if you find “upload” in “Result” column, you need to configure 1. And when you find “wp-zep“, you need to configure 2.

Anyway, those are a bit difficult to find the solution for this issue. So please let me know about your uploader or custom uploading functions (like BP_Attachment) so that I can help you more concretely.

• This reply was modified 7 years, 10 months ago by tokkonopapa.

Hi @groston,

We have a clone of our live site and I was able to run some experiments.

I really appreciate your effort to get the solution for this issue!

I think the best practice for allowing your guests to upload specific files is to give them a role and capabilities. But apart from it, I have to think about the cause of this issue.

Based on your investigations, I’d like to ask you to make “Capabilities to be verified” text box at “Prevent malicious file uploading” empty.

Doing this does not mean that your site will immediately face danger if your custom BuddyPress extension do the right thing for security. All the settings and functions of this plugin will be executed as defense in depth.

And then, you can consider to the best practice.

Specifically, no user of this system has the role of Author assigned.

That’s OK because WordPress is very flexible with respect to roles and capabilities.

My guess is that without giving users the Author role, I will not be able to use this setting.

Well, that’s not true. You can assign the capability upload_files to the existing two roles. Please find some documents in “Plugin Handbook” in order to know the usage of add_role() and add_cap().

Or you can manage your own roles and caps using wordpress plugins to manage roles and capabilities.

I hope my explanation above may help you.

Hi @groston,

You have addressed my question – thank you.

It’s my pleasure!

Please let me know if I can ever return the favor.

Thank you for your offer, but please never mind. I’m enjoying contribution to the WordPress community!