• Resolved leejosepho

    (@leejosepho)


    I think I might be in my final stage of learning how BPS handles edits, saves and backups, and I thank you for your patience and clear explanations!

    I just did the BULLETPROOF .49.1 update (four individual and completely separate sites), I presently have the big yellow banner at the top of each site’s Dashboard and I am going to leave things just like that until I know exactly how to work inside BPS properly rather than manually editing my .htaccess files via FTP like I have been doing.

    In the past, the .htaccess modifications I have been making manually via FTP have not been showing up in my BPS editors, and maybe that is because I had not set permissions properly beforehand. But after doing the BPS .49.1 update a few minutes ago, I *do* now see my previously-FTP-modified files in the BPS editors.

    Question: Will my modifications disappear if I click “Create secure.htaccess file” in BPS, or will they again be read from the file and be included like they obviously were during the update? Also, will the “Create secure.htaccess file” button cause BPS to add the various comment lines I had previously removed via FTP?

    What I would like to know here is how and/or where “square one” is defined before I click any button after the BPS .49.1 update.

    http://wordpress.org/plugins/bulletproof-security/

Viewing 14 replies - 46 through 59 (of 59 total)
  • Thread Starter leejosepho

    (@leejosepho)

    What type of scan would that be? cURL? DOM?

    I do not know. I first saw it used by a ‘bot at one of my sites after enumeration had been used to discover an admin username. Put your own actual username in here and see what happens: www.ait-pro.com/author/AITpro/

    Plugin Author AITpro

    (@aitpro)

    On our sites this results in a 404 error, but we have done additional things so that the author URLs are not displayed and we use obfuscated Admin usernames like B84J3YX6, but you have an interesting point. Will play around with this.

    Plugin Author AITpro

    (@aitpro)

    Ok I think this code does what you want. Any Request URI with the author condition below is redirected to the Home page. Any Query String with the author conditions below results in a natural 404 error.

    RewriteCond %{REQUEST_URI} ^/(.*)/author/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]

    Plugin Author AITpro

    (@aitpro)

    Oops, posted the wrong code above.

    This works on a subfolder site

    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    RedirectMatch 301 ^/(.*)/author/(.*)$ http://www.example.com/subfolder-site/

    This is probably what would need to be done on a root website

    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    RedirectMatch 301 ^/author/(.*)$ http://www.example.com/

    Important Note: If you are still displaying author URLs on your site then the author ID could still be found. So author url functions should be removed or modified.

    Plugin Author AITpro

    (@aitpro)

    Jeez, forgot to add the case-insensitive code.

    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    # Subfolder site Author URL redirect to Home page
    RedirectMatch 301 (?i)^/(.*)/author/(.*)$ http://www.example.com/subfolder-site/
    
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    # Root site Author URL redirect to Home page
    # On some web hosts the RedirectMatch rule above would need to be used even if the site is a root website
    RedirectMatch 301 (?i)^/author/(.*)$ http://www.example.com/

    Thread Starter leejosepho

    (@leejosepho)

    Okay, I had confused things (or at least myself) earlier by not paying closer attention while I was testing. Using this:

    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]

    These are fine:
    www.nnysandbox.net/?author=1 returns Home Page
    www.nnysandbox.net/?author=99 returns Home Page

    The earlier issue is with these:
    www.nnysandbox.net/?author=(number) returns 403 Forbidden
    www.nnysandbox.net/page-one/?author=(number) returns 403 Forbidden

    Plugin Author AITpro

    (@aitpro)

    Are you saying that round brackets are literally being used ( and ) in the Query String? If so, then this BPS security filter in the link below blocks round brackets in Query Strings.

    http://forum.ait-pro.com/forums/topic/403-get-or-other-request-error-logged-2/#post-11074

    Thread Starter leejosepho

    (@leejosepho)

    Are you saying that round brackets are literally being used ( and ) in the Query String?

    Yes, in this way:

    By simply adding the string /?author=(number) to the end of your domain will result in your username being displayed if not protected.
    http://llocally.com/blog/2013/08/19/what-is-your-login-username-to-your-wordpress-website/

    If so, then this BPS security filter in the link below blocks round brackets in Query Strings.

    http://forum.ait-pro.com/forums/topic/403-get-or-other-request-error-logged-2/#post-11074

    Before looking at that, I will see what BPS does at my site with nothing at all in Custom Code in relation to any of this.

    Thread Starter leejosepho

    (@leejosepho)

    The earlier issue is with these:
    www.nnysandbox.net/?author=(number) returns 403 Forbidden
    www.nnysandbox.net/page-one/?author=(number) returns 403 Forbidden

    BPS normally does that even prior to adding the bonus code.

    I will report back after running these tests on each of the code variations we have been discussing:

    /?author=(number)
    /?author=0 (and/or any number up to 99999)
    /author/username/ (valid username with posts)
    /author/nickname/ (valid nickname with posts)
    /author/username/ (valid username without posts)
    /author/nickname/ (valid nickname without posts)
    /author/no-such-user/ (invalid username)

    Thread Starter leejosepho

    (@leejosepho)

    These lines produced some mixed results:

    ## deny enumeration & /author/ scans
    RewriteCond %{REQUEST_URI} ^/(.*)/author/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    # /?author=(number) > 403 Forbidden
    # /?author=0 > 404 Page not found
    # /?author=1 > 404 Page not found
    # /?author=2 > 404 Page not found
    # /?author=99999 > 404 Page not found
    # /author/validusername1/ > Author Archives: (nickname)
    # /author/validnickname1/ > Home Page
    # /author/validusername2/ > Nothing found (user with no posts)
    # /author/nicknamename2/ > Home Page
    # /author/no-such-user/ > Home Page

    So, here is what I am using at the moment:

    ## deny enumeration
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    # /?author=(number) > 403 Forbidden
    # /?author=0 > 404 Page not found
    # /?author=1 > 404 Page not found
    # /?author=2 > 404 Page not found
    # /?author=99999 > 404 Page not found
    ## send /author/ scans to Home Page
    ## avoiding use of RedirectMatch 301 ^/author/(.*)$ http://www.domain.com/
    RedirectMatch (?i)^/author.*$ /
    # /author/validusername1/ > Home Page
    # /author/validnickname1/ > Home Page
    # /author/no-such-user/ > Home Page

    It would be nice to turn that 403 into a 404, but I can live with things as they are.

    Plugin Author AITpro

    (@aitpro)

    For the 403 issue for Query Strings using round brackets you would need to do the steps in this Forum link to allow round brackets in Query Strings on your website.

    http://forum.ait-pro.com/forums/topic/403-get-or-other-request-error-logged-2/#post-11074

    Thread Starter leejosepho

    (@leejosepho)

    For the 403 issue for Query Strings using round brackets you would need to do the steps in this Forum link to allow round brackets in Query Strings on your website.

    Leaving undesirable vulnerabilities elsewhere, correct? I think I may have reached the end of this project!

    Plugin Author AITpro

    (@aitpro)

    Yes, anytime you modify a security filter to allow something else to do what you want, then you are reducing your website’s overall security. 😉 With that said, BPS has overlapping security filters for just this reason. So let’s say you modify that 1 security filter to allow round brackets in Query Strings on your website. Then there are several other filters that protect against other parts of attack strings that would most likely still be blocked. To put a number/percentage to the risk factor it would be: 0.1% reduced overall security.

    Thread Starter leejosepho

    (@leejosepho)

    Okay, now this has come along:
    http://www.mysite.org/author/username/page/2/

    I do not know how someone knew the actual username there, but that link landed at “Author Archives: admin0” (nickname).

    I have this code in place at that site:

    # send /author/ scans to Home Page
    RedirectMatch (?i)^/author.*$ /

    However, that site is a primary domain in a server sub-folder. So, I will copy that out to public-html and see whether that makes any difference since there are other things that do not work unless they are out there.

    Edit: Never mind, that was the problem. Moving that code out to the .htaccess for my server account (beyond the reach of BPS) makes it work!
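
An added check, written for this edit and not code from the thread, the BulletProof Security plugin or its author: the script below runs the thread's .htaccess regexes in Python against a constructed request list that covers the test matrix posted above plus the paginated /author/username/page/2/ URL from the last post. It tests pattern matching only. It does not model Apache's mod_rewrite/mod_alias processing order, WordPress's own canonical redirects, or the BPS filters, so it cannot reproduce the 403 results reported in the thread; the request list and the rule names are constructed for the example.

```python
"""Regex-level check of the author-enumeration .htaccess rules discussed above.

Added example, not code from the thread or from the BulletProof Security plugin.
It only asks "does this request match this pattern?"; it does not model Apache's
rule processing order, WordPress redirects, or the BPS filters behind the 403s.
"""
from __future__ import annotations

import re

# Patterns copied from the posts. Apache uses PCRE; these particular patterns are
# also valid for Python's re module, and the [NC] flag maps to re.IGNORECASE.
PATTERNS = {
    # RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    "query_rewrite": re.compile(r"^author=([0-9]){1,}$", re.IGNORECASE),
    # RedirectMatch (?i)^/author.*$ /              (root site, final version used)
    "root_redirect": re.compile(r"(?i)^/author.*$"),
    # RedirectMatch 301 (?i)^/(.*)/author/(.*)$ ... (subfolder-site version)
    "subfolder_redirect": re.compile(r"(?i)^/(.*)/author/(.*)$"),
    # RewriteCond %{REQUEST_URI} ^/(.*)/author/(.*)$ [NC,OR] (the "mixed results" try)
    "mixed_uri_cond": re.compile(r"^/(.*)/author/(.*)$", re.IGNORECASE),
}


def split_request(request: str) -> tuple[str, str]:
    """Split '/path/?a=b' into ('/path/', 'a=b'); the query is '' when absent."""
    path, _, query = request.partition("?")
    return path, query


def check(request: str) -> dict[str, bool]:
    """Return, for each rule, whether its pattern matches this request.

    The query-string rule is tested against the query (what %{QUERY_STRING} sees);
    the path rules against the path (what RedirectMatch and %{REQUEST_URI} see).
    """
    path, query = split_request(request)
    subject = {"query_rewrite": query}  # every other rule looks at the path
    return {name: bool(pat.match(subject.get(name, path))) for name, pat in PATTERNS.items()}


# Constructed test matrix: the thread's cases plus a few variants worth knowing about.
REQUESTS = [
    "/?author=(number)",         # literal brackets: the numeric pattern never matches
    "/?author=0",
    "/?author=99999",
    "/?AUTHOR=1",                # [NC] makes the query rewrite case-insensitive
    "/page-one/?author=1",
    "/?author=1&foo=bar",        # extra parameter defeats the ^...$ anchored pattern
    "/?foo=bar&author=1",        # so does a leading one
    "/author/validusername1/",   # ^/(.*)/author/ needs a segment before /author/, so no match
    "/AUTHOR/no-such-user/",
    "/author/username/page/2/",  # paginated archive: ^/author.*$ does match this
    "/subfolder-site/author/validusername1/",  # only the subfolder patterns match
]


def report(requests: list[str] = REQUESTS) -> list[str]:
    """One line per request listing the rules whose pattern matches it."""
    lines = []
    for r in requests:
        hits = [name for name, hit in check(r).items() if hit]
        lines.append(f"{r:42} -> {', '.join(hits) or 'no rule matches'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Two things the output makes visible. The first-attempt condition `^/(.*)/author/(.*)$` requires a path segment before /author/, so it can never match a root-site /author/... URL, which lines up with the "Author Archives" result reported for that ruleset above. And `^/author.*$` does match the paginated /author/username/page/2/ URL, so the regex was not the problem in the last post, only which .htaccess the rule lived in. Both query-string patterns are anchored at both ends, so a request such as `/?author=1&foo=bar` is not rewritten by that rule at all; on the final ruleset it is still caught only if WordPress's redirect to the /author/<name>/ URL lands on the RedirectMatch.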

  • The topic ‘What file permissions are needed while editing?’ is closed to new replies.