• Resolved Jeremy Herve

    (@jeherve)


    Jetpack Mechanic 🚀

    Hi there!

    First of all, thanks for your work with this plugin!

    I work on the Jetpack team, and I wanted to reach out regarding 2 issues that seem to come up from time to time in your support forums:

    • XML-RPC DDoS Protection Code, and our IP ranges listed here. While these IP ranges are correct, the list isn’t exhaustive, and as our IP ranges change over time this might not be the best way to prevent issues.
    • Jetpack Monitor being blocked — resolution steps here

    We’d be happy to work together on a long-term solution that would work for everyone, without any additional configuration needed for your customers.

    If you’re interested, could you contact us via this contact form so we can work out the details?

    Thanks!

    https://wordpress.org/plugins/bulletproof-security/

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author AITpro

    (@aitpro)

    Hey Jeremy,

    I’m thinking that probably the best way to handle this in the short term (and maybe even the long term) is to do Dismiss Notices for these 2 issues, i.e. do a standard “if Jetpack is installed and activated” check, then display the links to the forum topic solutions in the Dismiss Notices. This will definitely be done in the next BPS version release. At some point I would like to have this be a completely automated thing. 😉 If only there were 100 hours in a day instead of only 24 hours. 🙂

    Thread Starter Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    🙂

    Alright! That can indeed help!

    If you ever want to chat about other ways to automate this, feel free to get in touch with us!

    Plugin Author AITpro

    (@aitpro)

    Quick question about Jetpack Requests. Do all Jetpack xmlrpc.php Requests use this Request URI and Query string: /xmlrpc.php?for=jetpack

    Plugin Author AITpro

    (@aitpro)

    Hmm, it looks like the User Agent is consistently HTTP_USER_AGENT: Jetpack by WordPress.com for each/every connection Request. Is that correct? If so, then I am thinking that creating customized mod_rewrite htaccess code specifically for use with Jetpack users, which whitelists by User Agent, is going to be the best way to go/approach this issue.

    Thread Starter Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    This would indeed work!

    Plugin Author AITpro

    (@aitpro)

    Awesome! Had my fingers and toes crossed. Ha ha 🙂 Thanks for confirming that Jeremy. Very much appreciated!

    Plugin Author AITpro

    (@aitpro)

    Created, tested and working solutions:

    Custom XML-RPC PROTECTION mod_rewrite code for Jetpack users:

    # Jetpack XML-RPC DDoS PROTECTION
    # pending help info
    # Note: %{REQUEST_URI} always carries the leading slash (e.g. /xmlrpc.php,
    # or /blog/xmlrpc.php on a subdirectory install), so the path pattern has to
    # allow for it; ^(xmlrpc\.php)$ on its own never matches and the rule is inert.
    RewriteCond %{REQUEST_URI} ^.*/xmlrpc\.php$
    RewriteCond %{HTTP_USER_AGENT} !^(Jetpack)$
    RewriteRule ^(.*)$ - [F]

    Customized HEAD Request code:

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(Jetpack)$
    RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    Other BPS REQUEST METHODS FILTERED code version customization for HEAD Requests:

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(Jetpack)$
    RewriteRule ^(.*)$ - [R=405,L]

    Notes: The whitespace in this rule: RewriteCond %{HTTP_USER_AGENT} !^(Jetpack by WordPress\.com)$ causes 500 errors and could be compensated for/corrected with Regex, but logically it is just simpler and more widely compatible to just use “Jetpack” for the UA check instead of using the entire UA. The UA could of course be faked/spoofed, but I do not see any other way of adding more conditional checks/rules to protect against that possibility. In any case, I have not seen that scenario done in the wild and it is just going to be an “oh well” kind of thing. 😉

    Plugin Author AITpro

    (@aitpro)

    Hmm, it looks like Regex code is needed after all: RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
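The two posts above boil down to a question of what the RewriteCond patterns actually match. As an added example (not code from the thread, BPS or Jetpack), here is a small Python model of the two-condition rule so the patterns can be checked without an Apache box. The sample requests are constructed for illustration; the only string taken from the thread is the Jetpack User-Agent. It also checks the %{REQUEST_URI} pattern, because Apache expands that variable with the leading slash (e.g. /xmlrpc.php), which the first posted pattern does not account for.

```python
import re

# Added example, not BPS or Jetpack code: model the RewriteCond logic from the
# thread so the patterns can be evaluated offline. Sample requests below are
# constructed; the Jetpack UA is the string named in the thread.
# Apache's %{REQUEST_URI} always begins with "/", so the sample paths do too.

JETPACK_UA = "Jetpack by WordPress.com"

SAMPLE_REQUESTS = [
    # (REQUEST_URI, HTTP_USER_AGENT, short label)
    ("/xmlrpc.php", JETPACK_UA, "jetpack"),                          # must be allowed
    ("/xmlrpc.php", "Mozilla/5.0 (compatible; xmlrpc-flood)", "flood"),  # should be blocked
    ("/xmlrpc.php", "", "no-ua"),                                    # should be blocked
    ("/wp-login.php", "Mozilla/5.0", "login"),                       # rule must not touch it
]

# URI patterns: the one first posted, and one that allows for the leading slash
# (and for subdirectory installs such as /blog/xmlrpc.php).
URI_AS_POSTED = r"^(xmlrpc\.php)$"
URI_FIXED = r"^.*/xmlrpc\.php$"

# UA patterns: the anchored form first posted, and the regex from the follow-up post.
UA_ANCHORED = r"^(Jetpack)$"
UA_CONTAINS = r"^(.*Jetpack.*)$"


def rewritecond(pattern, value, negate=False):
    """Model one RewriteCond: a PCRE-style search of the expanded variable.
    A leading '!' on the Apache pattern negates the result, modelled by negate=True."""
    matched = re.search(pattern, value) is not None
    return not matched if negate else matched


def is_forbidden(request_uri, user_agent, uri_pattern, ua_pattern):
    """Model the posted rule: both RewriteConds must hold for 'RewriteRule ^(.*)$ - [F]' to fire."""
    return (rewritecond(uri_pattern, request_uri)
            and rewritecond(ua_pattern, user_agent, negate=True))


def evaluate(uri_pattern, ua_pattern):
    """Return {label: forbidden?} for every sample request under one pair of patterns."""
    return {label: is_forbidden(uri, ua, uri_pattern, ua_pattern)
            for uri, ua, label in SAMPLE_REQUESTS}


def main():
    for title, uri_p, ua_p in [
        ("as first posted", URI_AS_POSTED, UA_ANCHORED),
        ("slash fixed, anchored UA", URI_FIXED, UA_ANCHORED),
        ("slash fixed, .*Jetpack.* UA", URI_FIXED, UA_CONTAINS),
    ]:
        print(f"{title}: {evaluate(uri_p, ua_p)}")


if __name__ == "__main__":
    main()
```

Three things fall out of running it. With the URI pattern as first posted nothing is ever forbidden, because "/xmlrpc.php" does not match a pattern anchored at "xmlrpc". Once the slash is allowed for, the anchored UA pattern `^(Jetpack)$` blocks Jetpack itself, since the negated condition is true for any UA that is not exactly the word "Jetpack"; that is why the `.*Jetpack.*` regex was needed. The full UA cannot simply be pasted into a RewriteCond because Apache splits directive arguments on whitespace, so the unescaped spaces in `Jetpack by WordPress\.com` end the pattern early and the config fails to load; the spaces would have to be backslash-escaped or the whole pattern quoted. Python's `re` and Apache's PCRE agree on these particular patterns, but the caveat from the thread stands for all of them: a User-Agent is attacker-controlled, so this is an allowlist for a cooperating client, not a defence against someone who sends the Jetpack UA on purpose.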

    Plugin Author AITpro

    (@aitpro)

    Hey Jeremy,

    Both of these BPS forum topics below now contain the customized Jetpack code for specific use with Jetpack. So now to complete the Dismiss Notice in BPS.

    http://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/
    http://forum.ait-pro.com/forums/topic/jetpack-site-uptime-monitor-403-error/#post-15400

    Thread Starter Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    Great, thanks!

    Plugin Author AITpro

    (@aitpro)

    BPS .53.3 was just released which contains the new Jetpack Dismiss Notice in BPS. Changelog: http://forum.ait-pro.com/forums/topic/bps-changelog/


The topic ‘Possible conflicts with Jetpack — Let's work together!’ is closed to new replies.