[Plugin: BulletProof Security] IMPORTANT PERMANENT CHANGE TO BPS!!!

  • Resolved | AITpro (Plugin Author)


    BPS .46.5 is forbidding thumbnailer scripts by default. To allow thumbnailer scripts on your website see the root .htaccess file for instructions on allowing thumbnailer scripts on your website. If your Theme or any of your Plugins are using a Thumbnailer script such as TimThumb, phpThumb, Thumb or variations of these thumbnailer scripts then you should check (ask the author, creator or Google it) and make sure that you have a recently patched version of the thumbnailer script that you are using. A Zero Day Vulnerability exists in older versions of these thumbnailer scripts and your website will get hacked if you are using an older version of a thumbnailer script. Thumbnailer scripts are automatically seen by BPS as a threat, exploit or vulnerability because of the general nature of these scripts.

    Problem: Images are no longer displaying after upgrading BPS.

    Solution: BPS is no longer allowing thumbnailer scripts to display images by default. The reason for this is that if you do not have a patched or current version of the timthumb.php thumbnailer script then your website WILL DEFINITELY GET HACKED. Once you are sure that your thumbnailer scripts are current versions of timthumb.php or any other thumbnailer scripts (thumbs.php, thumb.php or phpThumb.php) that are being used in your Theme or Plugins, then open your Currently Active Root .htaccess file in the BPS File Editor and change this rule from Forbidden to a Skip rule. See below. This is a permanent change and all future versions of BPS will automatically block thumbnailer scripts. We apologize for this inconvenience, but we would rather hear complaints about having to do this extra step than hearing that your website has been hacked because you did not patch or replace your thumbnailer scripts. Thank you.

    # By default BPS is forbidding allowing these thumbnailer scripts filename requests
    # This will Log lots of hacking attempts on your website in your BPS Pro Error Log
    # If you are using one of these thumbnailer scripts on your website and you want to allow
    # your thumbnailer script images to display then change [F,L] to [S=1]
    # Make sure that you have a security patched version or recent versions of these scripts
    # before changing [F,L] to [S=1] and allowing these files to be requested on your website
    # If you delete or remove the RewriteRule below you will need to change the above skip rules
    # Example: RewriteRule S=2 above will need to be changed to S=1, change S=3 to S=2, etc.
    RewriteCond %{REQUEST_FILENAME} thumb.php [NC,OR]
    RewriteCond %{REQUEST_FILENAME} thumbs.php [NC,OR]
    RewriteCond %{REQUEST_FILENAME} timthumb.php [NC,OR]
    RewriteCond %{REQUEST_FILENAME} phpthumb.php [NC]
    RewriteRule . - [F,L]
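
Before changing [F,L] to [S=1], it helps to know which files on the site the rule actually covers. The following is an added example, not part of the original post and not BPS code: it walks a site directory, applies the same four patterns the RewriteCond lines use (unanchored, case-insensitive) and reports any version string each script declares. The function names, the sample tree and the assumed `define('VERSION', ...)` format are illustrative assumptions.

```python
import os
import re
import tempfile

# The four RewriteCond patterns from the rule above, applied the way
# mod_rewrite applies them: unanchored regex search, case-insensitive ([NC]).
RULE_PATTERNS = [re.compile(p, re.I) for p in
                 (r"thumb.php", r"thumbs.php", r"timthumb.php", r"phpthumb.php")]
# Assumption: the script declares its version as define('VERSION', 'x.y.z').
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")


def blocked_by_rule(path):
    """True if the [F,L] rule would forbid a request resolving to this path."""
    return any(p.search(path) for p in RULE_PATTERNS)


def find_thumbnailers(root):
    """Return sorted (path under root, declared version or None) pairs."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not blocked_by_rule(rel):
                continue
            with open(full, "r", errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            found.append((rel, match.group(1) if match else None))
    return sorted(found)


def build_sample_site(root):
    """Constructed sample tree (not real theme or plugin code)."""
    samples = {
        "wp-content/themes/demo/scripts/TimThumb.php":
            "<?php define ('VERSION', '0.0.0-sample');",
        "wp-content/plugins/gallery/thumbs.php": "<?php // no version constant",
        "wp-content/themes/demo/functions.php": "<?php // unrelated file",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, version in find_thumbnailers(site):
            print(f"{rel}: version {version or 'not declared'}")
```

Because the patterns are unanchored, the rule also covers any file whose name merely ends in thumb.php (for example mythumb.php), so every file this lists needs checking, not only the four named scripts.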

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘[Plugin: BulletProof Security] IMPORTANT PERMANENT CHANGE TO BPS!!!’ is closed to new replies.