Support » Plugin: BulletProof Security » What file permissions are needed while editing?

  • Resolved leejosepho

    (@leejosepho)


    I think I might be in my final stage of learning how BPS handles edits, saves and backups, and I thank you for your patience and clear explanations!

    I just did the BULLETPROOF .49.1 update (four individual and completely separate sites). I presently have the big yellow banner at the top of each site’s Dashboard, and I am going to leave things just like that until I know exactly how to work inside BPS properly rather than manually editing my .htaccess files via FTP like I have been doing.

    In the past, the .htaccess modifications I have been making manually via FTP have not been showing up in my BPS editors, and maybe that is because I had not set permissions properly beforehand. But after doing the BPS .49.1 update a few minutes ago, I *do* now see my previously FTP-modified files in the BPS editors.

    Question: Will my modifications disappear if I click “Create secure.htaccess file” in BPS, or will they again be read from the file and be included like they obviously were during the update? Also, will the “Create secure.htaccess file” button cause BPS to add the various comment lines I had previously removed via FTP?

    What I would like to know here is how and/or where “square one” is defined before I click any button after the BPS .49.1 update.

    http://wordpress.org/plugins/bulletproof-security/

Viewing 15 replies - 16 through 30 (of 59 total)
  • …if you want to work with your own files via FTP instead of having BPS create them for you…

    For the record here, I do not plan to do any more of that. Where it might have taken a coder only about an hour or two to figure out and add about a dozen lines of code at the BPS Custom Code editor, I was doing all that by trial-and-error via FTP over the course of about a week…and I had begun with what BPS had first made for me with its Create secure.htaccess AutoMagic buttons. But I have now just been through all the Bulletproof Mode and Backup buttons at each site and see no need for doing anything more via FTP.

    Please let me know if you ever run short of grounds at the coffee pot!

    leejosepho

    (@leejosepho)

    Question: Would these two extra lines (commented out at the moment) add anything to the protection BPS already provides?

    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    #RewriteCond %{REQUEST_URI} ^/wp-admin$
    #RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]

    Plugin Author AITpro

    (@aitpro)

    Yes, they would add additional protection. I would combine all URIs into one RewriteCond. I have not tested this code, so I do not know if it will break anything; do thorough testing on your website.

    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*|/wp-admin|.*wp-comments-post\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]
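
    The point of combining the URIs into a single RewriteCond is how mod_rewrite chains conditions: a RewriteCond without [OR] is ANDed with the one after it, so two separate REQUEST_URI conditions can never both match the same request and the rule would never fire. The following is an added example, not code from the thread or from the BulletProof Security plugin: a small Python model of that chaining, run over constructed requests against the combined chain posted just above and against the variant with the commented-out URI lines simply uncommented. Only the [OR] and [NC] flags and "!" negation are modelled, and the sample requests are made up for the demonstration.

    ```python
    import re

    # Added example (not BulletProof Security code): a simplified model of how
    # mod_rewrite evaluates a RewriteCond chain. Only [OR], [NC] and "!" are
    # modelled; the sample requests below are constructed for the demonstration.

    def cond_matches(value, pattern, flags=()):
        """One RewriteCond: unanchored regex search, optional [NC], optional "!" negation."""
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        hit = re.search(pattern, value, re.IGNORECASE if "NC" in flags else 0) is not None
        return hit != negate

    def chain_passes(conds, env):
        """A run of conditions joined by [OR] forms one group that passes if any
        member matches; groups are ANDed. The RewriteRule fires only if every
        group passes."""
        groups, group = [], []
        for var, pattern, flags in conds:
            group.append((var, pattern, flags))
            if "OR" not in flags:
                groups.append(group)
                group = []
        if group:                      # trailing [OR] with no following condition
            groups.append(group)
        return all(any(cond_matches(env.get(var, ""), pat, fl) for var, pat, fl in grp)
                   for grp in groups)

    # The combined chain as posted above: one URI group AND one "weak client" group.
    COMBINED_CHAIN = [
        ("REQUEST_URI", r"^(/wp-login\.php|.*wp-login\.php.*|/wp-admin|.*wp-comments-post\.php.*)$", ()),
        ("HTTP_USER_AGENT", r"^$", ("OR",)),
        ("THE_REQUEST", r"HTTP/1\.0$", ("OR",)),
        ("SERVER_PROTOCOL", r"HTTP/1\.0$", ()),
    ]

    # The earlier version with the commented-out URI lines uncommented as-is:
    # three REQUEST_URI conditions without [OR] must ALL match the same URI.
    UNCOMMENTED_CHAIN = [
        ("REQUEST_URI", r"^(/wp-login\.php|.*wp-login\.php.*)$", ()),
        ("REQUEST_URI", r"^/wp-admin$", ()),
        ("REQUEST_URI", r"^(.*)?wp-comments-post\.php(.*)$", ()),
        ("HTTP_USER_AGENT", r"^$", ("OR",)),
        ("THE_REQUEST", r"HTTP/1\.0$", ("OR",)),
        ("SERVER_PROTOCOL", r"HTTP/1\.0$", ()),
    ]

    def request(uri, user_agent="Mozilla/5.0", protocol="HTTP/1.1"):
        """Constructed request environment: the subset of variables the chain reads."""
        return {
            "REQUEST_URI": uri,
            "HTTP_USER_AGENT": user_agent,
            "THE_REQUEST": f"GET {uri} {protocol}",
            "SERVER_PROTOCOL": protocol,
        }

    def blocked(chain, env):
        """True when the chain passes, i.e. the rule's [F] (403) would be applied."""
        return chain_passes(chain, env)

    SAMPLES = {                                   # constructed probes
        "browser_login":         request("/wp-login.php"),
        "blank_ua_login":        request("/wp-login.php", user_agent=""),
        "http10_login":          request("/wp-login.php", user_agent="curl/7.64.0", protocol="HTTP/1.0"),
        "blank_ua_home":         request("/", user_agent=""),
        "blank_ua_wp_admin":     request("/wp-admin", user_agent=""),
        "blank_ua_wp_admin_dir": request("/wp-admin/", user_agent=""),
        "blank_ua_comment":      request("/blog/wp-comments-post.php", user_agent=""),
    }

    def report(chain):
        """Verdict per sample request for a given chain."""
        return {name: blocked(chain, env) for name, env in SAMPLES.items()}

    if __name__ == "__main__":
        for label, chain in (("combined", COMBINED_CHAIN), ("uncommented", UNCOMMENTED_CHAIN)):
            for name, verdict in report(chain).items():
                print(f"{label:12s} {name:24s} {'403' if verdict else 'pass'}")
    ```

    Two things the model makes visible: the uncommented variant never fires for any request, which is why the URIs have to live in one condition; and the `/wp-admin` alternative, being anchored with `$`, matches only the exact path `/wp-admin`, not `/wp-admin/` or anything beneath it, so a request for the admin directory itself is not covered by that alternative. Treat this as a reading of the regex, to be confirmed against the real server with curl before relying on it.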

    leejosepho

    (@leejosepho)

    I would combine all URIs into one RewriteCond.

    Many thanks!

    Edit: Please excuse my initial post while missing what you had done there.

    Plugin Author AITpro

    (@aitpro)

    I saw this code you posted in the link below and it looks great for preventing mass Brute Force probing. We have also been looking at and testing some other code that is similar to this code. So probably in the next BPS version we will add another Bonus Code Dismiss Notice.

    http://wordpress.org/support/topic/wp-beginner-security-question?replies=12#post-4862678

    leejosepho

    (@leejosepho)

    Cool beans.

    leejosepho

    (@leejosepho)

    PS: I currently have all of that together like this:

    # BRUTE FORCE LOGIN PAGE PROTECTION
    #### br04 as modified by AITPro for testing (nnysandbox) on 20131110
    ### http://wordpress.org/support/topic/what-file-permissions-are-needed-while-editing?replies=20#post-4862704
    # Protects the Login page from SpamBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*|/wp-admin|.*wp-comments-post\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]

    Links such as http://www.mydomain.com/page-one/+%22post+a+comment%22+subscriber&ct=clnk were already returning 404s for me, but I do not know whether that is the same as above in relation to wp-comments-post. So, I just added the above and will watch to see what happens.

    Plugin Author AITpro

    (@aitpro)

    %22 is the URL-encoded double quote character and should not be used in URLs. Most likely this is being caused by a plugin or theme that is doing something wrong with magic_quotes. Or maybe the double quotes have been added by mistake. BPS has 2 security filters that will block the double quote coding characters in URLs, since these can be used against your website in attacks. My hunch is that a combination of the double quotes and “select” in the Form are causing the 404 error, but the error is really a 403 error that is mistakenly being seen as a 404 error. The SQL Injection security filter is the most likely filter that would be blocking URLs with double quotes in them.

    /page-one/”post+a+comment”+subscriber&ct=clnk

    http://stackoverflow.com/questions/17187673/22-double-quotes-added-to-url-out-of-nowhere

    User Agent filter
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    
    SQL Injection filter
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

    leejosepho

    (@leejosepho)

    BPS has 2 security filters that will block the double quote coding characters in URLs since these can be used against your website in attacks.

    Please forgive me for not being clear since the kind of http://www.mydomain.com/page-one/+%22post+a+comment%22+subscriber&ct=clnk link I had mentioned is coming from ‘bots…and now I know how they end up as 404s!

    Thanks again.

    Plugin Author AITpro

    (@aitpro)

    Oh ok. I thought maybe you thought this was a problem, but obviously you are aware that these malicious bot probes/attacks are being blocked already. 😉

    Plugin Author AITpro

    (@aitpro)

    After testing many variations of bot probe code, this code works the best.

    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Redirects to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.  
    
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [R=301]

    Plugin Author AITpro

    (@aitpro)

    Actually the L flag is better to avoid any possible redirect looping.

    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Redirects to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.  
    
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]

    leejosepho

    (@leejosepho)

    Ah, okay, and thanks again. I had only tested to 99!

    leejosepho

    (@leejosepho)

    How much trouble would it be to make the new code just go to “Home” rather than returning a 404?

    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]

    Is that as simple as changing [L] to [L,R=301]?

    In our case, the issue is anonymity and that is why we also have this:

    # send /author/ scans to Home Page
    RedirectMatch (?i)^/author.*$ /

    Edit: After changing [L] to [L,R=301] and trying www.nnysandbox.net/?author=0, I ended up at http://www.nnysandbox.net/?author=999999 and “Firefox has detected that the server is redirecting the request for this address in a way that will never complete.”
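
    The author-enumeration rule from the two posts above, and the redirect loop reported in the edit just above, as an added example that is not part of the thread or of the BulletProof Security plugin: a Python model of the probe a bot runs (walk ?author=1, 2, 3 and watch for the redirect to the pretty author archive), the WordPress behaviour it exploits, and the two flag variants of the rule. The user table is constructed, and the rewrite/redirect handling is a simplified model of mod_rewrite, not a reimplementation: with [L] alone the rewritten query string is passed on internally, with R=301 the rewritten URL goes back to the client, which then matches the condition again.

    ```python
    import re

    # Added example (not BulletProof Security code). USERS is a constructed user
    # table; wordpress() and rewrite() are simplified models, not WordPress or
    # mod_rewrite themselves.

    USERS = {1: "admin", 2: "editor"}                            # constructed: ID -> login
    AUTHOR_PROBE = re.compile(r"^author=[0-9]+$", re.IGNORECASE)  # the RewriteCond, [NC]
    DECOY_QUERY = "author=999999"                                # the rule's substitution

    def wordpress(path, query):
        """Stand-in for WordPress core as modelled here: ?author=N for a real ID
        answers 301 to /author/<login>/ (which is the information leak a probing
        bot is after); an unknown ID answers 404; anything else 200."""
        m = re.match(r"^author=([0-9]+)$", query, re.IGNORECASE)
        if not m:
            return 200, None
        uid = int(m.group(1))
        if uid in USERS:
            return 301, f"/author/{USERS[uid]}/"
        return 404, None

    def rewrite(path, query, flags):
        """The RewriteRule from the thread. flags=None means the rule is absent.
        [L] alone: internal rewrite, the request continues with the new query.
        R=301 present: the rewritten URL is sent back to the client instead."""
        if flags is None or not AUTHOR_PROBE.match(query):
            return "pass", path, query
        if "R=301" in flags:
            return "redirect", path, DECOY_QUERY
        return "pass", path, DECOY_QUERY

    def fetch(path, query, flags, max_hops=5):
        """Client that follows redirects and gives up when it is redirected to the
        URL it just asked for (the behaviour Firefox reports as a redirect that
        will never complete). Returns (status, location)."""
        hops = 0
        while True:
            action, new_path, new_query = rewrite(path, query, flags)
            if action == "redirect":
                if (new_path, new_query) == (path, query) or hops >= max_hops:
                    return "loop", f"{new_path}?{new_query}"
                hops += 1
                path, query = new_path, new_query
                continue
            return wordpress(new_path, new_query)

    def enumerate_authors(flags, ids=range(1, 6)):
        """The probe: try ?author=1..5 and record every ID that reveals an archive."""
        found = {}
        for uid in ids:
            status, location = fetch("/", f"author={uid}", flags)
            if status == 301 and location.startswith("/author/"):
                found[uid] = location
        return found

    if __name__ == "__main__":
        print("no rule:      ", enumerate_authors(None))          # logins leak
        print("[L]:          ", enumerate_authors(("L",)))        # every ID looks absent
        print("[L,R=301]:    ", fetch("/", "author=1", ("L", "R=301")))  # redirect loop
    ```

    With no rule the probe learns both logins; with [L] every ID, real or not, ends in the same 404, which is the "no clues" outcome the rule is after; with [L,R=301] the client is bounced to ?author=999999, that URL matches the condition again, and the browser reports a loop, exactly as the edit above describes.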

    Plugin Author AITpro

    (@aitpro)

    If you are using a 404.php Theme template file then by default your 404.php template file should be loaded within your Theme’s other template files. Hacker Bot probes will most likely be done using the root domain URL and not any deeper than the root URL. The 404 error is natural so that the hacker bot will not think that author ID / User ID actually exists, which is the ideal scenario.

    Example test site results

    www.ait-pro.com/verum/?author=1
    www.ait-pro.com/verum/sample-page/?author=1

    In our case, the issue is anonymity and that is why we also have this:

    I don’t understand what the statement above means. If anything is viewable to the public on the Internet it can be found and cannot be made to be anonymous or hidden – that is not possible on the Internet if something is publicly viewable.

    To redirect the Query String you would first probably have to disable your 404.php template file or maybe create a custom ErrorDocument rule. I will see if this is possible without creating a big mess / wrecking normal template functionality on a website.

  • The topic ‘What file permissions are needed while editing?’ is closed to new replies.