Title: New Bonus Custom Code
Last modified: August 21, 2016

---

# New Bonus Custom Code

 *  Resolved [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/)
 * Where do I find the New Bonus Custom Code/Dismiss Notice: WordPress XML-RPC DDoS
   Protection: Or is this set automatically?
 * [https://wordpress.org/plugins/bulletproof-security/](https://wordpress.org/plugins/bulletproof-security/)

Viewing 14 replies - 1 through 14 (of 14 total)

 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744546)
 * A Dismiss Notice should have been displayed to you with a link to the WordPress
   XML-RPC DDoS Protection when you upgraded BPS. To reset/recheck Dismiss Notices
   go to the Security Status tab page and click the Reset/Recheck Dismiss Notices
   button.
 * The code is here: [http://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/](http://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/)
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744553)
 * OK thanks, as I don’t have a fixed IP, what would happen if using 3 octets and
   they were changed by my ISP?
   Also I assume the Block/Protect the wp-trackback.php file also goes in CUSTOM
   CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744555)
 * Yep, this code would go in the CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/
   BLOCK BOTS/BLOCK IP/REDIRECT CODE Custom Code text box. This type of .htaccess
   code is considered “stand-alone” .htaccess code, which means it can go anywhere
   in the root .htaccess file and does not need to be inside the WordPress Rewrite
   Loop – # WP REWRITE LOOP START ….. # WP REWRITE LOOP END to do what it does.
 * Here are some scenarios with options/solutions:
 * First off if you are not doing any sort of remote posting to your site then you
   do not need to whitelist any IP addresses. Jetpack and some other plugins do 
   use the XML-RPC protocol to do things so a whitelist rule would need to be created
   for that plugin. We will be testing Jetpack today to find out what the best whitelist
   code would be.
 * Let’s say your ISP changes the 3rd and 4th octet of your IP address dynamically
   on a regular basis, but the first octet and 2nd octet are always the same.
 * x.x.x.x
 * x**-first octet**.x**-2nd octet**.x**-3rd octet**.x**-4th octet**
 *     ```
       99.88.77.66
       99.88.44.33
       99.88.66.22
       ```
   
 * You would create this IP whitelist rule:
 *     ```
       Allow from 99.88.
       ```
   
 * If you have multiple IP addresses that you want to whitelist by whitelisting 
   just the first 2 octets then you would add them like this.
 *     ```
       Allow from 99.88.
       Allow from 77.66.
       Allow from 22.11.
       ```
   
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744556)
 * Thanks, I use Jetpack so will await your tests. I only use the mobile site part
   of that plugin though.
   I don’t post remotely so that is fine. (I assume you mean from a mobile or similar)
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744557)
 * Are you seeing any Security Log entries for Jetpack in your BPS Security Log?
   If so, post one of them here.
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744559)
 * No, can’t see anything re Jetpack but I am not implementing above yet
 * I’m just popping out but will try above on a site and see what I get in error
   log for you later
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744561)
 * Ok just checking. Jetpack testing starts at 9am today. There are a total of 4
   plugins scheduled for testing at 9am. There are 4 other plugins scheduled for
   testing at 11am today.
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744562)
 * OK, I will keep a look out for updates on tests before trying it.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744582)
 * XML-RPC Jetpack Whitelist Test Results:
 * AITpro Bot/x9.3 probeX2 bot event:
 *     ```
       [403 GET / HEAD Request: March 26, 2014 - 9:14 am]
       Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
       Solution: N/A - Hacker/Spammer Blocked/Forbidden
       REMOTE_ADDR: x.x.x.x
       Host Name: x-x-x-x.lightspeed.irvnca.sbcglobal.net
       SERVER_PROTOCOL: HTTP/1.1
       HTTP_CLIENT_IP:
       HTTP_FORWARDED:
       HTTP_X_FORWARDED_FOR:
       HTTP_X_CLUSTER_CLIENT_IP:
       REQUEST_METHOD: GET
       HTTP_REFERER:
       REQUEST_URI: /xmlrpc.php?url=http%3A%2F%2Faitpro.local%2Fscripts%2Fxmlrpc-test.php%3Fresponsetest%3D1%26secret%3Ddebug
       QUERY_STRING:
       HTTP_USER_AGENT: AITpro Bot/x9.3 probeX2
       ```
   
 * Best Whitelisting method: Whitelist the root domain of the Host Name
 *     ```
       <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
       Order Deny,Allow
       Deny from all
       Allow from sbcglobal.net
       </FilesMatch>
       ```
   
 * Scenario: XML-RPC client/server connection to jetpack.wordpress.com
 * Best Whitelisting method: Whitelist the root domain of the Host Name
 *     ```
       <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
       Order Deny,Allow
       Deny from all
       Allow from wordpress.com
       </FilesMatch>
       ```
   
 * Whitelisting multiple Hosts:
 *     ```
       <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
       Order Deny,Allow
       Deny from all
       Allow from wordpress.com
       Allow from sbcglobal.net
       Allow from gumby.com
       Allow from zippy.com
       </FilesMatch>
       ```
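
Added example (not part of the original thread and not BulletProof Security code): a simplified Python model of how the `Order Deny,Allow` / `Deny from all` / `Allow from` rules in the two posts above decide a request, covering both the partial-octet rules (`Allow from 99.88.`) and the host-name rules (`Allow from sbcglobal.net`). It assumes the client's host name has already been resolved by the server; the function names and the address 203.0.113.5 are illustrative.

```python
import ipaddress

def ip_rule_to_network(rule):
    """Turn a partial-octet rule such as '99.88.' into the network it covers."""
    octets = [o for o in rule.split(".") if o]
    if not 1 <= len(octets) <= 4:
        raise ValueError("not an IPv4 prefix: %r" % rule)
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + "/" + str(8 * len(octets)))

def host_rule_matches(rule, hostname):
    """Partial domain match on whole labels only: 'sbcglobal.net' matches
    'a.b.sbcglobal.net' but not 'notsbcglobal.net'."""
    rule = rule.lower().strip(".")
    hostname = hostname.lower().rstrip(".")
    return hostname == rule or hostname.endswith("." + rule)

def allowed(rules, ip, hostname=""):
    """With 'Deny from all' in place, a request passes only if an Allow rule matches."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule.replace(".", "").isdigit():          # numeric rule: IP prefix
            if addr in ip_rule_to_network(rule):
                return True
        elif hostname and host_rule_matches(rule, hostname):
            return True
    return False

if __name__ == "__main__":
    # The three example addresses from the post above, against 2- and 3-octet rules.
    for rule in ("99.88.", "99.88.77."):
        net = ip_rule_to_network(rule)
        print(rule, "covers", net, "=", net.num_addresses, "addresses")
        for ip in ("99.88.77.66", "99.88.44.33", "99.88.66.22"):
            print("   ", ip, "allowed" if allowed([rule], ip) else "denied")
```

A two-octet rule admits 65,536 addresses and a three-octet rule 256, so the shorter prefix survives more ISP reassignments at the cost of a wider allowlist.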
   
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744586)
 * So something like
 *     ```
       # XML-RPC DDoS PROTECTION
       # You can whitelist your IP address if you use A Weblog Client
       # or want to whitelist your IP address for any other reasons.
       # Example: uncomment #Allow from x.x.x. by deleting the # sign and
       # replace the x's with your actual IP address. Allow from 99.88.77.
       # Note: It is recommended that you use 3 octets x.x.x. of your IP address
       # instead of 4 octets x.x.x.x of your IP address.
   
       <FilesMatch "^(xmlrpc\.php)">
       Order Deny,Allow
       Deny from all
       #Allow from x.x.x.  ( REMOVE THE # and use 2 octets of my IP)
       </FilesMatch>
       <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
       Order Deny,Allow
       Deny from all
       Allow from wordpress.com
       </FilesMatch>
       ```
   
 * In this bit, how do I know what plugins’ domains to allow?
 *     ```
       <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
       Order Deny,Allow
       Deny from all
       Allow from wordpress.com
       </FilesMatch>
       ```
   
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744588)
 * > In this bit, how do I know what plugins’ domains to allow?
 * The simplest way is to use whatever device or connection that you use that connects
   to XML-RPC and then when that connection is blocked, go to your BPS Security 
   Log and get the Host Name from the Security Log entry and whitelist that Host
   Name in your code. Allow from xyz.com
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744592)
 * Sorry, I meant regarding plugins, as I may not know they are blocked, if that makes
   sense?
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744594)
 * You will always know when something is blocked by checking the BPS Security Log.
   The Security Log is not just for logging blocked/forbidden hackers, spammers,
   scrapers, miners, bad bots, harvesters, etc etc etc etc. The Security Log is 
   the primary troubleshooting/diagnostic tool in BPS, much like an Apache Server
   log is.
 * If BPS is blocking something it will be logged in the Security Log. That would
   not be known until you have a Security Log entry to look at that shows what is
   being blocked so that you can whitelist whatever is being blocked.
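
Added example (not part of the original thread and not BulletProof Security code): one way to automate the step described above, pulling the Host Name out of Security Log entries for blocked requests to `xmlrpc.php` or `wp-trackback.php`. The entry layout follows the log entry quoted earlier in the thread; the sample log, host names and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

PROTECTED = {"xmlrpc.php", "wp-trackback.php"}  # files named in the thread's FilesMatch

# Constructed sample (abridged fields), laid out like the entry quoted in the thread.
SAMPLE_LOG = """\
[403 GET / HEAD Request: March 26, 2014 - 9:14 am]
REMOTE_ADDR: 192.0.2.10
Host Name: cpe-10.dsl.example.net
REQUEST_URI: /xmlrpc.php?url=http%3A%2F%2Fsite.example%2Ftest.php

[403 GET / HEAD Request: March 26, 2014 - 9:20 am]
REMOTE_ADDR: 198.51.100.7
Host Name: scanner.example.org
REQUEST_URI: /wp-content/readme.txt

[403 GET / HEAD Request: March 26, 2014 - 9:31 am]
REMOTE_ADDR: 192.0.2.10
Host Name: cpe-10.dsl.example.net
REQUEST_URI: /wp-trackback.php
"""

def parse_entries(text):
    """Yield one dict per log entry; an entry starts at a '[... Request: ...]' line."""
    entry = None
    for line in text.splitlines():
        if re.match(r"^\[.*Request: .*\]\s*$", line):
            if entry is not None:
                yield entry
            entry = {"header": line.strip()}
        elif entry is not None and ":" in line:
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
    if entry is not None:
        yield entry

def blocked_hosts(text):
    """Count Host Name values for 403 entries that hit the protected files."""
    hosts = Counter()
    for e in parse_entries(text):
        filename = urlsplit(e.get("REQUEST_URI", "")).path.rsplit("/", 1)[-1]
        if e["header"].startswith("[403") and filename in PROTECTED:
            hosts[e.get("Host Name", "")] += 1
    return hosts
```

Calling `blocked_hosts()` on the text of a log gives the host names to review before any of them is added as an `Allow from` line.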
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744682)
 * Assuming all questions have been answered – thread has been resolved.


The topic ‘New Bonus Custom Code’ is closed to new replies.


 * 14 replies
 * 2 participants
 * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/)
 * Last activity: [12 years, 1 month ago](https://wordpress.org/support/topic/new-bonus-custom-code/#post-4744682)
 * Status: resolved