Nick
(@kercommunications)
Same here. It seems like it is blocking OpenGraph for Facebook, LinkedIn and Google+.
Since I have several web sites with OpenGraph data in use and they work fine with BWPS installed, I don’t think that is the problem. I can think of two other possibilities…
1) You have something preventing hot-linking. You need to allow hotlinking for systems like LinkedIn and Facebook to grab images from your site.
https://simple.wikipedia.org/wiki/Hotlinking
2) You have the IP addresses of LinkedIn/Google/Facebook/whatever servers in your ban list. Perhaps because you have a lot of 404 errors on your site and they got banned automatically, or for some other reason.
Nick
(@kercommunications)
Turns out that it was the Default Banned List. When I removed the manually added IPs, the problem persisted. When I disabled the Default List, OpenGraph stuff started working again.
Nick, when you disable the Default list, don’t you think that creates a security loophole? #just thinking
Wonder if there is an alternative.
Thanks
Hi all,
Our blog had the same issue.
The offending rule is RewriteCond %{HTTP_USER_AGENT} ^Link [NC,OR]. It basically blocks any user agent which starts with “link” (which, of course, includes “LinkedIn”).
To resolve the issue on your site:
- Read the whole set of instructions before acting.
- Temporarily Disable the “Default Banned List” (in the “Ban” tab)
- Edit /wp-content/plugins/better-wp-security/inc/admin/hackrepair-apache.inc -> search for ^Link and comment out the line with # (the line should become #RewriteCond %{HTTP_USER_AGENT} ^Link [NC,OR])
- Do the same in /wp-content/plugins/better-wp-security/inc/admin/hackrepair-nginx.inc
- Re-enable the “Default Banned List”
- That’s all! 🙂
I’ve reported this bug there:
https://github.com/Bit51/Better-WP-Security/issues/93
Please show your interest in an official fix by commenting.
I think that HackRepair list is of very limited value. Any hacker worth their salt would make sure to set the user agent to something normal looking before accessing your web site.
In fact, I do this myself to my own web sites. I use a real cron job to handle WordPress’ scheduled tasklist. After installing BWPS I noticed the cron job wasn’t working. It turns out that WGET is one of the user agents in the HackRepair list.
So I simply used the user-agent option of wget and it started working again… like this….
wget --user-agent="Mozilla/5.0" "http://www.mydomain.com/wp-cron.php?doing_wp_cron"
Pretty sure most hackers would do the same, and the evidence of that is all over my log files.
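An added example, not part of the thread or of the plugin's code: a small audit that parses User-Agent RewriteCond lines and reports which sample clients they would reject, before and after commenting out ^Link as described in the workaround above. Only the ^Link rule is quoted from the thread; the ^Wget rule and all User-Agent strings are constructed for illustration.

```python
import re

# Matches e.g.: RewriteCond %{HTTP_USER_AGENT} ^Link [NC,OR]
# Lines commented out with '#' do not match, so they count as inactive.
# Assumes plain, non-negated patterns that contain no spaces.
COND = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$"
)

def ua_conditions(config_text):
    """Return (pattern, compiled regex) for each active User-Agent condition."""
    conds = []
    for line in config_text.splitlines():
        m = COND.match(line)
        if not m:
            continue
        pattern, flags = m.group(1), (m.group(2) or "").upper().split(",")
        nocase = any(f.strip() in ("NC", "NOCASE") for f in flags)
        conds.append((pattern, re.compile(pattern, re.I if nocase else 0)))
    return conds

def blocked_agents(config_text, agents):
    """Map each client name to the patterns that match its User-Agent."""
    conds = ua_conditions(config_text)
    hits = {}
    for name, ua in agents.items():
        matched = [p for p, rx in conds if rx.search(ua)]
        if matched:
            hits[name] = matched
    return hits

# Only the ^Link rule is quoted from the thread; ^Wget is an assumed form.
BEFORE = (
    "RewriteCond %{HTTP_USER_AGENT} ^Link [NC,OR]\n"
    "RewriteCond %{HTTP_USER_AGENT} ^Wget [NC]\n"
)
# The workaround from the thread: comment out the ^Link condition.
AFTER = "#" + BEFORE

# Constructed sample User-Agent strings for clients a site may rely on.
AGENTS = {
    "LinkedIn crawler": "LinkedInBot/1.0 (compatible; Mozilla/5.0; +http://www.linkedin.com)",
    "Facebook crawler": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
    "wget cron job": "Wget/1.21 (linux-gnu)",
    "desktop browser": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
}

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, blocked_agents(rules, AGENTS))
```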