RafaelDeJongh
Forum Replies Created
Forum: Plugins
In reply to: [BulletProof Security] BPS Blocking Zapier
Yea, exactly, that's also why that didn't really make sense to me, as the htaccess doesn't change even if the plugin is deactivated, yet it does work when the plugin itself is deactivated.
And as you can see there’s really nothing in the htaccess file referring to restricting xmlrpc.
And yea, with the code I've written it works without problem; if I add my own IP to the allow list I can access it without any problems either. So it seems to be restricting it to some degree, but when whitelisted it does work.
As mentioned, the other sites that are also getting those 403 pages on the xmlrpc page don't even utilise Zapier, so it really doesn't have anything to do with Zapier. It might have something to do with Mod Security, but then again I should still receive a 403 error page when the plugin is disabled as well, right? But it only appears when it is activated.
If you want I can set up a custom cPanel/WP on one of the servers and provide you with all the login details, if you want to spend the time to look into it for future problems like this?
In general, for me I pretty much fixed it by writing that htaccess code, so I can proceed with what I need it for, but other users that aren't that familiar with htaccess or server settings in general might not get to that same realisation.
Feel free to pass me an e-mail I can send you the info to if you're interested. Else I'll just put this on "resolved", even though I am also still very confused as to why this is happening only on this host and only with the BPS plugin active.
Thanks either way for your assistance in this!
Forum: Plugins
In reply to: [BulletProof Security] BPS Blocking Zapier
The htaccess code is something I've written myself when I was troubleshooting. I've actually never experienced this before, and when testing on all the websites that I've got this installed on (which are on various different servers) I get the same problem with them as well, and they're not even using Zapier, but that's pretty much just the connection/access to XMLRPC, example:
https://www.rafaeldejongh.com/xmlrpc.php
https://www.sandhillsstudio.com/xmlrpc.php
https://www.boaztimmermans.com/xmlrpc.php
https://mrj.agency/xmlrpc.php

These are all on different servers and with all different kinds of themes/plugins; the only thing they have in common is BPS. The first link for example doesn't use Swift but rather uses WP Rocket.
I've tried without a caching plugin, but that didn't change anything either; it is only when activating BPS that the blocking starts.
The only thing I can imagine is that it has something to do with server configuration? As while they all are on a different shared webhost, they are on the same webhost seller being NeoStrada.
I just checked a site from one of my clients with BPS installed on another webhost and for some reason there it doesn’t seem to have any conflict.
So I am really not entirely sure why it would behave such a way on this particular server. I also tried this on a completely clean install WP site on Neostrada and it indeed had the same problem.
Would any of the security modules or so affect BPS to block it when the plugin is activated? If you need any testing account I am happy to provide you with one.
That said, however, with the htaccess code I've mocked up I could possibly just Allow All if needed, but on the other side it's not a bad thing to restrict XMLRPC either, to prevent brute force attacks I assume.
So yea, really not sure what's going on here, but it does seem localised to the webhost as a whole, even if all the sites linked above are on different shared hosting accounts.
Forum: Plugins
In reply to: [BulletProof Security] BPS Blocking Zapier
Zapier pretty much just gets posts via XMLRPC and then uses it to distribute them to other platforms like Facebook, Twitter, Instagram, Linkedin, Discord, etc. It doesn't require plugins or any other kind of integration, just an account that you set up on their site and yours and that XMLRPC is accessible, so there's not really a conflict directly with BPS as far as I know.
Even when I try to access the file via my browser, instead of getting the normal message "XML-RPC server accepts POST requests only." I also get:

nendoaddicts.be 403 Forbidden Error Page If you arrived here due to a search or clicking on a link click your Browser's back button to return to the previous page. Thank you. IP Address: X.X.X.X

I've checked all settings and I've not changed anything other than using the Wizard and adding the security headers/swift caching code via the custom code. I also couldn't find anything related to this, and when I actually whitelist either my direct IP or via user agent on that specific file in the htaccess then it seems to work without any problem.
If you'd like to have a look on the site I can always provide you a temp login if that helps you find out the problem? As now that I am checking this on all my other sites where I am using BPS, I am also receiving this 403 access error page when trying to access xmlrpc.php directly.
So it doesn’t seem to be an isolated problem for this particular website?
Forum: Plugins
In reply to: [BulletProof Security] BPS Blocking Zapier
The actual plugin via the dashboard, to be honest, and I do think the htaccess files are kept even when disabling the plugin. So I can connect to XMLRPC.php when the BPS plugin is disabled with both the root and admin htaccess files still intact, but not when I have the plugin activated.
Currently I’ve been troubleshooting and came up with the following htaccess code:
<FilesMatch "xmlrpc\.php$">
SetEnvIfNoCase User-Agent Zapier xmlrpc_access
Order Deny,Allow
Deny from All
Allow from env=xmlrpc_access
</FilesMatch>

As Zapier uses a specific User Agent this seems to actually work pretty well. I have placed this under block 13 (13. CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES:) and that does make it work.
However that doesn’t explain why BPS itself (as the plugin) is blocking the access to it right?
Forum: Plugins
In reply to: [BulletProof Security] BPS Blocking Zapier
Thanks for the follow-up. I have also not used that Bonus code; in fact I've not used any bonus codes other than the extra added snippets by the wizard, but those are not related to blocking xmlrpc either.
I first tried the custom loop change you suggested and tried accessing from another source and received the same error:
[403 POST Request: 25/02/2019 - 03:19]
BPS: 3.3
WP: 5.1
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: GDPR Compliance On
Host Name: ec2-52-0-79-228.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /xmlrpc.php
QUERY_STRING:
HTTP_USER_AGENT: Zapier
REQUEST BODY: <?xml version='1.0'?>
<methodCall>
<methodName>wp.getPosts</methodName>
<params>
<param>
<value><string></string></value>
</param>
<param>
<value><string>zapier</string></value>
</param>
<param>
<value><string>Nendo-Addicts-Zapier</string></value>
</param>
<param>
<value><struct>
<member>
<name>post_status</name>
<value><string>publish</string></value>
</member>
<member>
<name>post_type</name>
<value><string>post</string></value>
</member>
</struct></value>
</param>
</params>
</methodCall>

Yet nothing in the htaccess that I directly see/can find is related to blocking xmlrpc; here is the full htaccess code:
# BULLETPROOF 3.3 SECURE .HTACCESS

# CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
### Begin Caching Performance ###
# Use UTF-8 encoding for anything served text/plain or text/html
AddDefaultCharset UTF-8
# Force UTF-8 for a number of file formats
<IfModule mod_mime.c>
AddCharset UTF-8 .atom .css .js .json .rss .vtt .xml
</IfModule>
# FileETag None is not enough for every server.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
# Since we’re sending far-future expires, we don’t need ETags for static content.
FileETag None
<IfModule mod_alias.c>
<FilesMatch "\.(html|htm|rtf|rtx|txt|xsd|xsl|xml)$">
<IfModule mod_headers.c>
Header unset Pragma
Header append Cache-Control "public"
Header unset Last-Modified
</IfModule>
</FilesMatch>
<FilesMatch "\.(css|htc|js|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$">
<IfModule mod_headers.c>
Header unset Pragma
Header append Cache-Control "public"
</IfModule>
</FilesMatch>
</IfModule>
# Gzip Compression
<IfModule mod_deflate.c>
# Force compression for mangled headers.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
# Don’t compress images and other uncompressible content
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|rar|zip|exe|flv|mov|wma|mp3|avi|swf|mp?g|mp4|webm|webp|pdf)$ no-gzip dont-vary
</IfModule>
</IfModule>
# Compress all output labeled with one of the following MIME-types
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
<IfModule mod_headers.c>
Header append Vary: Accept-Encoding
</IfModule>
</IfModule>
<IfModule mod_mime.c>
AddType text/html .html_gzip
AddEncoding gzip .html_gzip
</IfModule>
<IfModule mod_setenvif.c>
SetEnvIfNoCase Request_URI \.html_gzip$ no-gzip
</IfModule>
# Expires headers
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
# cache.appcache needs re-requests in FF 3.6
ExpiresByType text/cache-manifest "access plus 0 seconds"
# CSS
ExpiresByType text/css "access plus 1 year"
# Data interchange
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
# Favicon (cannot be renamed!)
ExpiresByType image/x-icon "access plus 1 week"
# HTML components (HTCs)
ExpiresByType text/x-component "access plus 1 month"
# HTML
ExpiresByType text/html "access plus 0 seconds"
# JavaScript
ExpiresByType application/javascript "access plus 1 year"
# Manifest files
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
# Media
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
# Web feeds
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
# Web fonts
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{QUERY_STRING} ^$
RewriteCond %{HTTP:Cookie} !^.*(wordpress_logged_in).*$
RewriteCond %{REQUEST_URI} !^/wp-content/cache/swift-performance/([^/]*)/assetproxy
RewriteCond %{HTTP_USER_AGENT} (Mobile|Android|Silk|Kindle|BlackBerry|Opera+Mini|Opera+Mobi) [NC]
RewriteCond /home/nendoa1q/public_html/wp-content/cache/swift-performance/%{HTTP_HOST}%{REQUEST_URI}/mobile/unauthenticated/index.html -f
RewriteRule (.*) wp-content/cache/swift-performance/%{HTTP_HOST}%{REQUEST_URI}/mobile/unauthenticated/index.html [L]
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{QUERY_STRING} ^$
RewriteCond %{HTTP:Cookie} !^.*(wordpress_logged_in).*$
RewriteCond %{REQUEST_URI} !^/wp-content/cache/swift-performance/([^/]*)/assetproxy
RewriteCond %{HTTP_USER_AGENT} !(Mobile|Android|Silk|Kindle|BlackBerry|Opera+Mini|Opera+Mobi) [NC]
RewriteCond /home/nendoa1q/public_html/wp-content/cache/swift-performance/%{HTTP_HOST}%{REQUEST_URI}/desktop/unauthenticated/index.html -f
RewriteRule (.*) wp-content/cache/swift-performance/%{HTTP_HOST}%{REQUEST_URI}/desktop/unauthenticated/index.html [L]
</IfModule>
# Send CORS headers if browsers request them; enabled by default for images.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
# mod_headers
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
# Webfont access
<IfModule mod_headers.c>
<FilesMatch "\.(tt[cf]|otf|eot|woff|woff2|font.css|css|js)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
### End Caching Performance ###

# CUSTOM CODE TURN OFF YOUR SERVER SIGNATURE
# Security Headers
<IfModule mod_headers.c>
Header set Developed-By "Rafael De Jongh"
Header set Content-Security-Policy "img-src 'self' https: data: blob:; font-src 'self' https: data:; base-uri 'self';"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Expect-CT "max-age=86400,enforce"
Header set Feature-Policy "fullscreen *;camera 'none';microphone 'none'"
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
Header always unset "X-Powered-By"
</IfModule>

# DO NOT SHOW DIRECTORY LISTING
# Disallow mod_autoindex from displaying a directory listing
# If a 500 Internal Server Error occurs when activating Root BulletProof Mode
# copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
# and paste it into BPS Custom Code and comment out Options -Indexes
# by adding a # sign in front of it.
# Example: #Options -Indexes
Options -Indexes

# DIRECTORY INDEX FORCE INDEX.PHP
# Use index.php as default directory index file. index.html will be ignored.
# If a 500 Internal Server Error occurs when activating Root BulletProof Mode
# copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
# and paste it into BPS Custom Code and comment out DirectoryIndex
# by adding a # sign in front of it.
# Example: #DirectoryIndex index.php index.html /index.php
DirectoryIndex index.php index.html /index.php

# BRUTE FORCE LOGIN PAGE PROTECTION
# PLACEHOLDER ONLY
# Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
# See this link: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
# for more information.

# BPS ERROR LOGGING AND TRACKING
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# BPS has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and
# 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors
# that occur on your website. When a hacker attempts to hack your website the hackers IP address,
# Host name, Request Method, Referering link, the file name or requested resource, the user agent
# of the hacker and the query string used in the hack attempt are logged.
# All BPS log files are htaccess protected so that only you can view them.
# The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/
# The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors
# after you install BPS and have activated BulletProof Mode for your Root folder.
# If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file
# to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.
# You can open the BPS 404.php file using the WP Plugins Editor or manually editing the file.
# NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.
ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
ErrorDocument 401 default
ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
ErrorDocument 404 /404.php
ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php

# DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$

# WP-ADMIN/INCLUDES
# Use BPS Custom Code to remove this code permanently.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]

# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

# PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES
# To add plugin/theme skip/bypass rules use BPS Custom Code.
# The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules.
# The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9...
# If you delete a skip rule, change the other skip rule numbers accordingly.
# Examples: If RewriteRule [S=5] is deleted than change [S=6] to [S=5], [S=7] to [S=6], etc.
# If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13]

# CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
# Nextend Facebook Connect Query String skip/bypass rule
RewriteCond %{QUERY_STRING} loginFacebook=(.*) [NC]
RewriteRule . - [S=15]

# WooCommerce order & wc-ajax= Query String skip/bypass rule
RewriteCond %{QUERY_STRING} .*(order|wc-ajax=).* [NC]
RewriteRule . - [S=14]

# WooCommerce shop, cart, checkout & wishlist URI skip/bypass rule
RewriteCond %{REQUEST_URI} ^.*/(shop|cart|checkout|wishlist).* [NC]
RewriteRule . - [S=13]

# Adminer MySQL management tool data populate
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=12]

# Comment Spam Pack MU Plugin - CAPTCHA images not displaying
RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
RewriteRule . - [S=11]

# Peters Custom Anti-Spam display CAPTCHA Image
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
RewriteRule . - [S=10]

# Status Updater plugin fb connect
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
RewriteRule . - [S=9]

# Stream Video Player - Adding FLV Videos Blocked
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
RewriteRule . - [S=8]

# XCloner 404 or 403 error when updating settings
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
RewriteRule . - [S=7]

# BuddyPress Logout Redirect
RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
RewriteRule . - [S=6]

# redirect_to=
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
RewriteRule . - [S=5]

# Login Plugins Password Reset And Redirect 1
RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
RewriteRule . - [S=4]

# Login Plugins Password Reset And Redirect 2
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=3]

# CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
#
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*nendoaddicts.be.*
RewriteRule . - [S=1]

# CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# WP REWRITE LOOP END

# DENY BROWSER ACCESS TO THESE FILES
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
# To be able to view these files from a Browser, replace 127.0.0.1 with your actual
# current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
# Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
# Note: The BPS System Info page displays which modules are loaded on your server.
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
<IfModule mod_authz_core.c>
Require all denied
#Require ip 127.0.0.1
</IfModule>
<IfModule !mod_authz_core.c>
<IfModule mod_access_compat.c>
Order Allow,Deny
Deny from all
#Allow from 127.0.0.1
</IfModule>
</IfModule>
</FilesMatch>

# HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
# PLACEHOLDER ONLY
# Use BPS Custom Code to add custom code and save it permanently here.

So as mentioned, I am not using any bonus code that I am aware of or have added myself to block it, yet BPS is actively blocking the connection to it, as if I disable BPS I can access it without a problem, and as can be seen in the log, requests to the file are indeed getting blocked.
I will troubleshoot this some more, if I find anything I’ll post it here!
- This reply was modified 7 years, 2 months ago by RafaelDeJongh.
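The BPS 403 log entry quoted in the post above is the evidence an admin has to work from. The following script is an added example (not code from the post, from Zapier or from the BPS plugin) that parses entries in that layout, groups blocked requests by path and User-Agent, and pulls the XML-RPC <methodName> out of the logged request body, so you can see which integration is being refused and what it was calling before you decide on an allow rule. Field labels follow the excerpt; the sample log, its host name, times and user agents are constructed for this example.

```python
"""Triage BulletProof Security (BPS) 403 log entries by path and User-Agent.

Added example, not code from the forum post or from the BPS plugin. Field
labels follow the log excerpt in the post; the sample log at the bottom is
constructed for this example (host, times and user agents are made up).
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Field labels in the order BPS writes them in its 403 log excerpt.
FIELDS = [
    "BPS", "WP", "Event Code", "Solution", "REMOTE_ADDR", "Host Name",
    "SERVER_PROTOCOL", "HTTP_CLIENT_IP", "HTTP_FORWARDED",
    "HTTP_X_FORWARDED_FOR", "HTTP_X_CLUSTER_CLIENT_IP", "REQUEST_METHOD",
    "HTTP_REFERER", "REQUEST_URI", "QUERY_STRING", "HTTP_USER_AGENT",
    "REQUEST BODY",
]
# Each entry opens with "[<status> <METHOD> Request: <timestamp>]".
ENTRY_RE = re.compile(r"\[(\d{3}) (\w+) Request: ([^\]]+)\]")
# Split an entry at every known "LABEL:" token. Because this never relies on
# line breaks it works both on the log file and on a copy/pasted flat version.
FIELD_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, FIELDS)) + r"):")


def parse_bps_log(text):
    """Return one dict per log entry: status, method, time and the fields."""
    entries = []
    heads = list(ENTRY_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        entry = {"status": int(head.group(1)), "method": head.group(2),
                 "time": head.group(3).strip()}
        parts = list(FIELD_RE.finditer(body))
        for j, part in enumerate(parts):
            stop = parts[j + 1].start() if j + 1 < len(parts) else len(body)
            entry[part.group(1)] = body[part.end():stop].strip()
        entries.append(entry)
    return entries


def xmlrpc_method(body):
    """Return the <methodName> of a logged XML-RPC call, or None if absent."""
    if not body or "<methodCall" not in body:
        return None
    try:
        name = ET.fromstring(body).find("methodName")
    except ET.ParseError:  # truncated or non-XML body
        return None
    return name.text.strip() if name is not None and name.text else None


def summarize(entries):
    """Count blocked requests per (REQUEST_URI, HTTP_USER_AGENT, XML-RPC method)."""
    counts = Counter()
    for e in entries:
        key = (e.get("REQUEST_URI", ""), e.get("HTTP_USER_AGENT", ""),
               xmlrpc_method(e.get("REQUEST BODY")))
        counts[key] += 1
    return counts


# Constructed sample: two Zapier calls and one browser visit, all refused.
SAMPLE_LOG = """\
[403 POST Request: 25/02/2019 - 03:19]
BPS: 3.3
REMOTE_ADDR: GDPR Compliance On
Host Name: ec2-example.compute-1.amazonaws.com
REQUEST_METHOD: POST
HTTP_REFERER:
REQUEST_URI: /xmlrpc.php
QUERY_STRING:
HTTP_USER_AGENT: Zapier
REQUEST BODY: <?xml version='1.0'?>
<methodCall>
<methodName>wp.getPosts</methodName>
<params><param><value><string></string></value></param></params>
</methodCall>

[403 POST Request: 25/02/2019 - 03:34]
BPS: 3.3
REQUEST_METHOD: POST
REQUEST_URI: /xmlrpc.php
HTTP_USER_AGENT: Zapier
REQUEST BODY: <?xml version='1.0'?><methodCall><methodName>wp.getPosts</methodName><params/></methodCall>

[403 GET Request: 25/02/2019 - 03:40]
BPS: 3.3
REQUEST_METHOD: GET
REQUEST_URI: /xmlrpc.php
HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64) Firefox/65.0
"""

if __name__ == "__main__":
    for (uri, ua, method), n in summarize(parse_bps_log(SAMPLE_LOG)).items():
        print(f"{n:3d}  {uri:<12} {ua[:30]:<30} {method or '-'}")
```

Run it against the real log file (by default BPS keeps it under the plugin's own directory, behind the htaccess protection noted in the config above) instead of SAMPLE_LOG to get the same summary for your site.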
Forum: Plugins
In reply to: [BulletProof Security] BPS Blocking Zapier
Thanks for the response, but I am not using the BPS POST Attack Protection Bonus Custom Code and section 8 is completely empty for me.
So I don’t directly have a specific part that would block the XMLRPC that I’ve set personally that isn’t added by the wizard itself?
Do the steps still provide me the right information to solve this, or am I just misunderstanding your explanation?
Either way thanks!
Forum: Themes and Templates
In reply to: [GeneratePress] Smooth Scroll
Hmm, that's strange, then it might have something to do with Elementor; I might see if they have something to do with it.
I am using the free version, and I thought it had it because the back to top button had a smooth scroll animation.
But well, if it does not, I guess it is Elementor, as I do not have any other plugins that actually have any smooth scroll by default.
Thanks for the fast response, I’ll go hear with the Elementor team!
Yep I do think that was the case, didn’t realise it until having the setup done on another site!
Thanks for the information.
Forum: Themes and Templates
In reply to: [GeneratePress] Deque Generatepress fonts
Oh alright, that's good to know. I'll just wait and see, or in the meantime perhaps just manually remove it from the parent theme.
I think I found the problem: an optimisation plugin disabled the plugin's access to the front-end, and I think Updraft uses something like "if the site is visited then it is triggered". I disabled that feature and it does seem to back up again now.
This was a feature from Swift Performance that I did enable myself as I wanted to optimise the way all the plugins worked and didn’t think updraft required front-end access. Guess I was wrong.
I do think everything is working as should now though!
Forum: Plugins
In reply to: [Contact Form 7] reCAPTCHA v3
You aren't supposed to do it like that, read the information about the :not() selector here: https://developer.mozilla.org/en-US/docs/Web/CSS/:not
In general this should work:
body:not(.page-id-833):not(.page-id-944) .grecaptcha-badge{display:none}

DO NOTE HOWEVER that the code and JavaScript requests and actual security ARE STILL PRESENT on every page! It is better to exclude the JavaScript and CSS files being added to each page by CF7, to exclude those altogether. This can be easily done via some PHP in functions.php or by a plugin manager where you disable the plugin everywhere else other than the specific URLs you want. For example Swift Performance or so.
As far as I've read, the badge isn't required to be on the page; what IS required HOWEVER is that you provide proper information in your privacy policy AND that users accept, via a checkbox with the privacy policy plus the privacy policy/cookie policy bar, that such data and cookies are being placed on the user's PC.
Just make sure everything GDPR wise is in order!
- This reply was modified 7 years, 5 months ago by RafaelDeJongh.
Forum: Plugins
In reply to: [Contact Form 7] reCAPTCHA v3
Yep indeed! Check the change log: https://contactform7.com/2018/12/11/contact-form-7-51/#more-29897
Forum: Plugins
In reply to: [Contact Form 7] reCAPTCHA v3
Hmm, is this still not implemented?
Forum: Plugins
In reply to: [Favicon by RealFaviconGenerator] Insane Autoload Size
Thanks for the reply, and yea, those suggestions would work great!
I guess it also differs from image to image, and I do now also understand the reason why it is that size. So thank you for the explanation and for looking into things; your suggestions for it would be highly appreciated!
Forum: Plugins
In reply to: [Favicon by RealFaviconGenerator] Insane Autoload Size
@Imigd
It wouldn't be a problem if it wasn't an autoload item in the database. It is good to know that it is caused by storing the image, but for me it is weird that it is storing the image in the database and not just in the folder the plugin creates in the upload folder, on top of that being an autoload item.
Couldn't this be done differently or removed as part of the autoload? As this does cause quite a bit of slowdown, and in general the autoload shouldn't be more than 0.10MB at best, as recommended by many people and database optimisation plugins.
That said, the favicon in question (https://www.lifeflows.nl/wp-content/uploads/2018/11/LifeFlows-FavIcon.png) is only 190KB in size, so I am not entirely sure why this would go up to 1MB if the source, as you're saying, is saved there and is only 190KB (even if I compress it with TinyPNG or Shortpixel it will only give me a -10% reduction, so it wouldn't change much at this size). Sure, I could downscale the original input, but that wouldn't really change much for the actual generated items, as they need to be losslessly compressed afterwards on top of that. The source image I really don't need, to be honest, as only the generated icons are used, but if it is bloating the database, and especially at that size, it isn't really favourable.
If your database in total is only 0.6MB in size and this one item (that is being autoloaded) is 1MB, that is quite a huge difference for something as small as the usage of the favicons.
It'd be great to have an option to disable this or reduce this, as this is really unwanted. As this was already a problem over two weeks ago, I've done various research regarding this and did various experiments like different icons and sizes, but the only conclusion I came to for fixing this, to not have this bloat size in my autoload in my database, was to manually insert the generated icons in the header via functions.php. While this works I still like to use the plugin, but currently can't with this problem I am having.
1MB in general for a single record in a database is in my opinion quite a lot, especially if your ENTIRE database isn't even a full megabyte in size, so if I can save even a couple of bytes I will, but having a 1MB record there is really not something that should be just ignored and kept.
Thanks for the reply, but I would like to know a solid fix for this other than the manual addition to functions.php/the header, if this ever happens in the future.
- This reply was modified 7 years, 5 months ago by RafaelDeJongh.