
Plugin Firewall – Read Me First Troubleshooting


Plugin Firewall General Information

Plugin Firewall AutoPilot Mode 
AutoPilot Mode automatically detects and creates Plugin Firewall whitelist rules. AutoPilot Mode logs any new Plugin Firewall whitelist rules that were created in your BPS Pro Security Log.  Your BPS Pro Dashboard Status Display displays the next scheduled Cron check for any new Plugin Firewall whitelist rules:   PFW: AutoPilot : 15 Min : 10:56 AM

The Plugin Firewall .htaccess file blocks external/remote access to your plugins folder and files. If Plugin Firewall AutoPilot Mode is turned On, it will automatically detect and create any additional or new Plugin Firewall whitelist rules in real-time for frontloading website plugin scripts that need to be whitelisted for website visitors. Your Public IP Address (ISP) is whitelisted by default to allow only your IP address unrestricted access to all plugin folders and files. When your Public IP Address changes the Plugin Firewall .htaccess file will be updated automatically with your new Public IP address.

Whitelisting frontloading plugin scripts allows those whitelisted plugin scripts to load on the frontside of your website for any IP address.  This is completely safe to do since only the frontloading plugin script that you whitelist in the Plugin Firewall will load on the frontside of your website for all IP addresses (website visitor IP addresses) and all other plugin files will still remain protected/not accessible behind the Plugin Firewall to any other IP addresses except for your IP address.

List of common things that can break the Plugin Firewall and cause various secondary issues|problems

Minify Plugins: If you are using a Minify plugin then you will probably not see Security Log entries / alerts.  Most if not all minifying plugins allow you to choose to exclude plugin scripts that you do not want to minify.  If you want to use the BPS Pro Plugin Firewall then you can choose not to minify particular plugin scripts so that you can use both minifying and the Plugin Firewall together.  It is recommended that you turn Off/deactivate minifying to get the plugin scripts that need to be whitelisted in the Plugin Firewall.  After you have added those plugin scripts to your Plugin Firewall whitelist you can then exclude those same plugin scripts from being minified in your minify plugin and turn On/activate your Minify plugin. Note:  If you are using a Minify plugin and you do not want to exclude any js plugin scripts then you CANNOT use the Plugin Firewall due to the way plugin scripts are minified.  You cannot add plugin scripts manually or whitelist the Minify plugin’s folder or use the Plugin Override tool either due to the way the true origin of the plugin scripts are combined / minified.  The Plugin Firewall is completely optional – you can turn it On or Off.

Issue/Problem: BPS menu tabs not displaying correctly, visual format is broken, CSS format is broken
Solution: 

Other plugins or themes loading their js scripts in BPS plugin pages:
The Script|Style Loader Filter (SLF) In BPS Plugin Pages option under Setup > UI|UX Settings > SLF On setting may or may not fix the problem. In some cases the Plugin Firewall cannot be used with some plugins or themes if BPS cannot prevent them from loading their scripts in BPS Pro plugin pages and breaking the Plugin Firewall.

Troubleshooting: Reset|Clear The Plugin Firewall (fixes most if not all Plugin Firewall issues/problems)
Note: To find out if an issue/problem is related to or being caused by the Plugin Firewall do BPS Pro troubleshooting step #3 in the BPS Pro troubleshooting link: https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

Fix all general Plugin Firewall issues/problems:
1. Go to the Plugin Firewall page.
2. Click the Plugin Firewall BulletProof Mode Deactivate button.
3. Delete all of your Plugin Firewall whitelist rules out of the Plugins Script|File Whitelist Text Area.
4. Click the Save Whitelist Options button.
5. Click the Activate button to activate the Plugin Firewall.
6. Set the AutoPilot Mode Cron Check Frequency to 1 minute and turn on AutoPilot Mode if it is not already turned on.
7. Check your site using http://boomproxy.com/ and click on all main website pages: contact form page, home page, login page, etc.
8. Recheck the Plugins Script|File Whitelist Text Area and you should see new Plugin Firewall whitelist rules have been created.
9. Change the AutoPilot Mode Cron Check Frequency to 15 minutes or whatever frequency time you would like to use.

Fix all general Plugin Firewall issues/problems and Proxy server configuration mistakes:
Note: This fix also applies to using a VPN|Proxy when you are logged into your website.

Additional steps to fix both general Plugin Firewall issues/problems and to compensate for an additional Proxy server configuration mistake (whitelist the Proxy IP Address). Note: This only applies to Proxy server issues/problems. Use the steps above unless specifically instructed to use these steps below to fix/whitelist a Proxy server IP address problem.

1. Go to the Plugin Firewall page.
2. Click the Plugin Firewall Additional Whitelist Tools accordion tab.
3. Enter Proxy server IP address: xxx.xxx.xxx.xxx in the Whitelist by Hostname (domain name) and IP Address text box.
4. Click the Save Hostname and IP Address Rules button.
5. Click the Plugin Firewall BulletProof Mode Deactivate button.
6. Delete all of your Plugin Firewall whitelist rules out of the Plugins Script|File Whitelist Text Area.
7. Click the Save Whitelist Options button.
8. Click the Plugin Firewall BulletProof Mode Activate button.
9. Set the AutoPilot Mode Cron Check Frequency to 1 minute and turn on AutoPilot Mode if it is not already turned on.
10. Check your site using http://boomproxy.com/ and click on all main website pages: contact form page, home page, login page, etc.
11. Recheck the Plugins Script|File Whitelist Text Area and you should see new Plugin Firewall whitelist rules have been created.
12. Change the AutoPilot Mode Cron Check Frequency to 15 minutes or whatever frequency time you would like to use.

Maintenance Mode Feature or Plugin or Theme Maintenance Mode Feature:
Depending on how the Maintenance Mode feature is designed|works in another plugin or theme, it can prevent the Plugin Firewall from working correctly.  So the temporary workaround is to keep the Plugin Firewall turned Off while the site is in Maintenance Mode and then once the site is out of Maintenance Mode then the Plugin Firewall can be activated|turned on.  Note: Your site should be protected by the Maintenance Mode Feature or Plugin or Theme Maintenance Mode Feature so there is no need to worry about having the Plugin Firewall turned off.

Older Help Info:  Checking Your Security Log For Plugin Scripts To Manually Add To The Whitelist (older info – AutoPilot Mode now does this automatically)
If a plugin script is being blocked by the Plugin Firewall then a Security Log entry will be made and you can manually copy the plugin script path found in your Security Log to the Plugins Script/File Whitelist Text Area.  An example of a Security Log entry for a plugin script that needs to be manually whitelisted is shown below.  You would copy this plugin script path – /bbpress/bbp-theme-compat/js/topic.js – to the Plugins Script/File Whitelist Text Area, click the Save Whitelist Options button and click the Plugin Firewall BulletProof Mode Activate button.

When you click the Save Whitelist Options button this permanently saves the plugin script path to your WordPress Database.  If you have additional plugin script paths that need to be added to the Plugins Script/File Whitelist Text Area you would repeat the steps of copying the plugin script path from your Security Log and pasting it into your Plugins Script/File Whitelist Text Area and once you have all plugin script paths added and saved then you would click the Plugin Firewall BulletProof Mode Activate button.

This is the Plugin Script path that you would add to the Plugins Script/File Whitelist Text Area /bbpress/bbp-theme-compat/js/topic.js based on the Security Log error below.

>>>>>>>>>>> 403 Error Logged - January 19, 2013 - 12:10 pm <<<<<<<<<<<
REMOTE_ADDR: 94.44.197.195
Host Name: apn-94-44-197-195.vodafone.hu
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://forum.ait-pro.com/forums/topic/read-me-first-free/
REQUEST_URI: /wp-content/plugins/bbpress/bbp-theme-compat/js/topic.js?ver=2.1.2
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
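
The manual step described above, turning 403 Security Log entries into whitelist rules, sketched as an added example (not BPS Pro code and not part of the original help text). The sample log is constructed: its first entry is the one shown above, the others use documentation IP addresses and a hypothetical plugin name. Anything that is not a .js or .css file is set aside for manual review rather than whitelisted.

```python
import re
from urllib.parse import urlsplit

PLUGINS_PREFIX = "/wp-content/plugins"
HEADER = re.compile(r"^>+ 403 Error Logged - .+ <+$")

# Constructed sample log (see lead-in): entry 1 is from this page, entries 2-4 are made up.
SAMPLE_LOG = """\
>>>>>>>>>>> 403 Error Logged - January 19, 2013 - 12:10 pm <<<<<<<<<<<
REMOTE_ADDR: 94.44.197.195
Host Name: apn-94-44-197-195.vodafone.hu
REQUEST_METHOD: GET
HTTP_REFERER: https://forum.ait-pro.com/forums/topic/read-me-first-free/
REQUEST_URI: /wp-content/plugins/bbpress/bbp-theme-compat/js/topic.js?ver=2.1.2
QUERY_STRING:
>>>>>>>>>>> 403 Error Logged - January 19, 2013 - 12:11 pm <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.10
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/plugins/bbpress/bbp-theme-compat/js/topic.js?ver=2.1.3
>>>>>>>>>>> 403 Error Logged - January 19, 2013 - 12:12 pm <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.11
REQUEST_METHOD: POST
REQUEST_URI: /wp-content/plugins/example-plugin/api/example-script.php
>>>>>>>>>>> 403 Error Logged - January 19, 2013 - 12:13 pm <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.12
REQUEST_METHOD: GET
REQUEST_URI: /wp-login.php
"""

def parse_entries(log_text):
    """Return one dict of 'FIELD: value' pairs per 403 entry."""
    entries = []
    for line in log_text.splitlines():
        if HEADER.match(line):
            entries.append({})          # a header line starts a new entry
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def candidate_rules(log_text):
    """Return (static_rules, review_rules) built from blocked plugin requests."""
    static, review = [], []
    for entry in parse_entries(log_text):
        # Drop the query string (?ver=2.1.2); only the path goes in the whitelist.
        path = urlsplit(entry.get("REQUEST_URI", "")).path
        # The Plugin Firewall only covers the plugins folder; skip everything else.
        if not path.startswith(PLUGINS_PREFIX + "/") or ".." in path:
            continue
        rule = path[len(PLUGINS_PREFIX):]   # rule starts at the plugin folder name
        is_static = rule.lower().endswith((".js", ".css"))
        bucket = static if is_static else review
        if rule not in bucket:              # one rule per script, however often it was blocked
            bucket.append(rule)
    return static, review

def to_whitelist_text(rules):
    """Rules in the text area are separated by a comma and a space."""
    return ", ".join(rules)

if __name__ == "__main__":
    static_rules, review_rules = candidate_rules(SAMPLE_LOG)
    print("Paste into whitelist:", to_whitelist_text(static_rules))
    print("Review before whitelisting:", to_whitelist_text(review_rules))
```
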

Older Manual Help Info:  Other Examples Of Checking The Security Log For A Plugin Script That Needed To Be Whitelisted Can Be Found in The Links Below

https://forum.ait-pro.com/forums/topic/contact-form-7-plugin-firewall-security-log-403-error/
https://forum.ait-pro.com/forums/topic/bulletproof-5-5-pro-and-the-new-error-messages/

Regular Expressions (Regex) – Using Regex to Create Plugin Firewall Whitelist Rules

All of the standard Regex characters can be used to create custom whitelist rules.  Regex is short for Regular Expression.  See this very nice website that explains Regex for beginners to super advanced techo coding nerds.  http://www.regular-expressions.info/tutorial.html

/plugin-folder-name1/js/some-plugin-script.js

To whitelist all .js scripts in the above example plugin folder you would use (.*) which means match anything / any file name that has a .js file extension.

/plugin-folder-name1/js/(.*).js

Let’s say you have several plugins that need to be whitelisted and each plugin has several js scripts that need to be whitelisted.  You would use Regex to simplify your Plugin Firewall whitelist rules. It is very safe to whitelist js scripts.  Hackers target php scripts and use them to inject code into js files.

/revslider/rs-plugin/js/(.*).js, /screets-chat/assets/js/(.*).js, /contact-form-7/includes/js/(.*).js, /seriesengine_plugin/css/se_styles.php, /seriesengine_plugin/js/(.*).js, /all-in-one-event-calendar/app/view/admin/js/(.*).js, /easy-fancybox/easy-fancybox.css.php, /easy-fancybox/(.*).js, /jquery-collapse-o-matic/js/(.*).js, /toggle-box/js/(.*).js, /easy-wordpress-donations/includes/css/progress-bar.css.php, /media-element-html5-video-and-audio-player/mediaelement/(.*).js, /easy-timer/libraries/(.*).js
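
A way to review a whitelist like the one above before saving it, as an added example (not BPS Pro code and not part of the original help text). It assumes each rule is applied as a fully anchored regular expression against the path after /wp-content/plugins; how the plugin translates rules into .htaccess directives is not shown on this page. The whitelist text is constructed from rules on this page plus two deliberate mistakes.

```python
import re

# Constructed whitelist text: rules taken from this page plus two deliberate
# mistakes (a /wp-content prefix and a missing space after a comma).
WHITELIST = (
    "/revslider/rs-plugin/js/(.*).js, /easy-fancybox/easy-fancybox.css.php, "
    "/wp-content/plugins/cforms/js/cforms.js, "
    "/toggle-box/js/(.*).js,/contact-form-7/includes/js/(.*).js"
)

def split_rules(whitelist_text):
    """Rules are separated by a comma and a space."""
    return [rule.strip() for rule in whitelist_text.split(", ") if rule.strip()]

def audit_rule(rule):
    """Return a list of findings for one rule (an empty list means nothing to note)."""
    findings = []
    if "," in rule:
        findings.append("contains a comma: separate rules with a comma and a space")
    if not rule.startswith("/") or rule.startswith("/wp-content"):
        findings.append("start the path at the plugin folder name, without /wp-content")
    try:
        re.compile(rule)
    except re.error as exc:
        return findings + [f"not a valid regex: {exc}"]
    if re.search(r"\.php\b", rule):
        findings.append("PHP script reachable from any IP address: confirm it is meant to be public")
    if "(.*)" in rule:
        findings.append("(.*) also matches files in subfolders")
    return findings

def audit_whitelist(whitelist_text):
    """Map every rule in the text area to its findings."""
    return {rule: audit_rule(rule) for rule in split_rules(whitelist_text)}

def rule_matches(rule, plugin_path):
    """True if the rule, anchored at both ends (assumption), matches the path."""
    return re.fullmatch(rule, plugin_path) is not None

if __name__ == "__main__":
    for rule, findings in audit_whitelist(WHITELIST).items():
        print(rule)
        for finding in findings or ["ok"]:
            print("   -", finding)
    wildcard = "/revslider/rs-plugin/js/(.*).js"
    # Hypothetical request paths, relative to the plugins folder.
    for path in ("/revslider/rs-plugin/js/example.js",
                 "/revslider/rs-plugin/js/sub/folder/example.js",
                 "/revslider/rs-plugin/js/example.php"):
        print(path, "->", rule_matches(wildcard, path))
```
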

Plugin Firewall Blue Read Me help button setup and help information

Forum Help Links & Video Tutorials:
Setup Wizard Video Tutorial
Security Log Video Tutorial
Security Log Forum Link
Plugin Firewall Forum Link
BPS Pro Troubleshooting Steps

Plugin Firewall Setup using the Setup Wizard
1. Run the Pre-installation Wizard & Setup Wizard.
Note: Plugin Firewall AutoPilot Mode is turned On by default when running the Setup Wizard (unless you have turned AutoPilot Mode Off) and the AutoPilot Cron check is set to 15 minutes.

Plugin Firewall Manual Setup Steps
1. Copy and paste plugin scripts/whitelist rules to the Plugins Script|File Whitelist Text Area.
2. Click the Save Whitelist Options button.
3. Turn AutoPilot Mode On.
4. Click the Plugin Firewall BulletProof Mode Activate button.

Plugin Firewall Whitelist Tools

Plugins Script|File Whitelist Text Area
This text area is where you add any plugin scripts that need to be Whitelisted in your Plugin Firewall. Note: AutoPilot Mode creates plugin script whitelist rules automatically. When you click the Save Whitelist Options button this saves anything that you have added in this text area to your database. You can add and remove plugin scripts at any time and then click the Save Whitelist Options button to save your changes. After saving your changes you click the Activate button.

Payment Providers – Payment Gateway Providers
If you have a Shopping Cart plugin or other plugin that needs to communicate/receive payment transaction data then check the Payment Gateway Provider checkboxes (PayPal, Google Checkout, Amazon Checkout and Authorize.net) that your Shopping Cart plugin or other plugin needs to communicate with and receive transaction data from. If you want to add additional Payment Provider hostnames/domains/websites or IP addresses you can add additional Whitelist rules for additional hostnames/domains/websites and IP addresses that you want to whitelist. See the Plugin Firewall Additional Whitelist Tools – Whitelist by Hostname (domain name) and IP Address help section for additional details and examples.

Save Whitelist Options button
Saves plugin scripts that you have added in the Plugins Script|File Whitelist Text Area and Payment Provider options you have selected to your database. Note: AutoPilot Mode creates plugin script whitelist rules automatically. You can add and remove plugin scripts or Payment Provider options at any time and then click the Save Whitelist Options button to save your changes. After saving your changes you click the Activate button.

Plugin Firewall AutoPilot Mode
The BPS Pro Dashboard Status Display will display: PFW:AutoPilot : 00 Min : 00:00 AM when AutoPilot Mode is turned On. The Cron check frequency is displayed and the next Cron check time is displayed. The Plugin Firewall AutoPilot Mode is designed to check your website in real-time for any additional or new whitelist rules that need to be created in the Plugin Firewall. If you install a new plugin and AutoPilot Mode detects that a new Plugin Firewall whitelist rule needs to be created for that plugin then a new whitelist rule will be automatically created in the Plugins Script|File Whitelist Text Area and your Plugin Firewall htaccess file. When a new Plugin Firewall whitelist rule is detected and created in your Plugin Firewall htaccess file it is logged in your BPS Pro Security Log.

Example Plugin Firewall AutoPilot Mode Security Log entry:
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: November 3, 2014 – 11:32 am]
Whitelist Rule: /nextgen-gallery/products/photocrati_nextgen/modules/ajax/static/persist.js
Whitelist Rule: /nextgen-gallery/products/photocrati_nextgen/modules/ajax/static/ajax.js
Whitelist Rule: /cforms/js/cforms.js
Whitelist Rule: /nextgen-gallery/products/photocrati_nextgen/modules/lightbox/static/lightbox_context.js
Whitelist Rule: /nextgen-gallery/products/photocrati_nextgen/modules/ajax/static/ngg_store.js

AutoPilot Mode Cron Check Frequency:
Choose how often the AutoPilot Mode Cron Check should be performed. Every 1 minute, Every 5 Minutes, etc. The Default Cron Frequency Check is set to 15 minutes by the Setup Wizard. You can of course change this to any other Cron frequency checking time that you want to use. Running a Cron check every 15 minutes is probably the best setting to use.

Turn On|Off AutoPilot Mode:
Turn the Plugin Firewall AutoPilot Mode Cron Check On or Off. You can turn AutoPilot Mode On or Off as needed or just leave it turned On or Off.

Plugin Firewall Additional Whitelist Tools

Whitelist by Hostname (domain name) and IP Address
This option is for adding additional whitelist rules to whitelist additional Hostnames (domain names) or IP addresses in your Plugin Firewall .htaccess file. Example whitelist rules: example.com will whitelist the example.com hostname/domain name. 100.99.88.77 will whitelist IP address 100.99.88.77. Whitelist rules are separated by a comma and a space. Example: example.com, 100.99.88.77, example-2.com. After clicking the Save Hostname and IP Address Rules button, click the Activate button to activate the Plugin Firewall again.

Additional Roles IP Whitelist
This option is for folks who have additional Administrators, Editors, Authors and Contributors who log into the website to create Posts or perform other website tasks. When you select and save additional Roles this means that any person with the Role capabilities that you have selected will have their IP addresses automatically Whitelisted when they log into the website.

Notes:
If you are using a Minify plugin then you will not see any Security Log entries due to the general way that a minifying plugin works. Most if not all Minify plugins allow you to exclude plugin scripts from being minified. You will need to create exclude rules in your Minify plugin for whatever plugin scripts cannot be minified in order for them to be whitelisted successfully in the Plugin Firewall.

Plugin Firewall AutoPilot Mode automatically adds/creates Plugin Firewall whitelist rules in real-time. This is a completely automated process. You should not need to check for and add Plugin Firewall whitelist rules manually unless you have AutoPilot Mode turned Off.

The Plugin Firewall blocks external/remote access to plugin files that are located in the plugins folder. If you have a script/file outside of the plugins folder then you do not need to Whitelist it. Your Public IP Address (ISP) is whitelisted by default to allow only your IP address unrestricted access to all plugin folders and files. When your Public IP Address changes the Plugin Firewall .htaccess file will be updated automatically with your new Public IP address.

When manually creating plugin script whitelist rules, each plugin script/file path that you add MUST be separated by a comma and a space. Example: /plugin-folder-name/example-file-name.js, /example-plugin-folder-name/api/paypal-ipn-script.php, /another-example-plugin-folder-name/example-script-name.php. The path name starts with the plugin folder name (do not add /wp-content in the path name). After manually adding your script/file name path to the Plugins Script|File Whitelist Text Area click the Save Whitelist Options button and click the Activate button.

Plugin Whitelisting rules use standard Regex characters. For example you could Whitelist all .js files in a particular plugins folder by creating this whitelist rule: /example-plugin-folder-name/(.*).js. The (.*) Regex characters mean match anything. The rule says match any file name in the /example-plugin-folder-name/ folder that is a .js file.

If invalid whitelist rules are detected the Plugin Firewall will be automatically deactivated/turned Off to prevent causing any problems for your website. Your saved whitelist rules will not be deleted. An error message will be displayed with an exact description of what the problem is with the whitelist rule or rules that need to be fixed/corrected. Fix/correct the invalid whitelist rule or rules and do the Plugin Firewall Manual Setup Steps.

Activating the Plugin Firewall BulletProof Mode for your Plugins folder copies and renames the plugins.htaccess file located in the /plugins/bulletproof-security/admin/htaccess/ folder to your /plugins folder and renames it to just .htaccess. To manually edit the Plugin Firewall .htaccess file go to the htaccess File Editor page and click on the Your Current Plugins htaccess File tab.

You can add additional Whitelist rules for additional Payment Providers, hostnames/domains/websites and IP addresses that you want to whitelist. See the Plugin Firewall Additional Whitelist Tools – Whitelist by Hostname (domain name) and IP Address help section for additional details and examples.

What does Whitelist/Whitelisting Plugin Scripts Mean? Whitelisting plugin scripts means that you are creating exceptions or exclusion rules that tell the Plugin Firewall to allow those plugin scripts to load publicly on the front end of your website so that those plugin scripts will function normally and not be blocked by the Plugin Firewall for visitors to your website.

You can check your BPS Pro Security Log to see if any plugin scripts are being blocked by the Plugin Firewall and add those plugin script paths to the Plugins Script|File Whitelist Text Area. If you are using a Minify plugin then you will NOT see any plugin script errors in your Security Log file unless you have excluded those plugin scripts from being minified in your Minify plugin.

Pro-Tools cURL Multi Page Scanner
The cURL Multi Page Scanner tool is located in BPS Pro Pro-Tools. This is an older Pro-Tool that is a predecessor of AutoPilot Mode, but may be useful in certain cases. AutoPilot Mode should find and create all plugin script whitelist rules automatically. So using the cURL Multi Page Scanner Pro-Tool should not be necessary. The Multi page cURL Scan Tool scans the total number of Pages and Posts that you enter in the Limit Number Of Pages To Scan text box. The default scan is already set to scan up to 50 Pages/Posts. This scanner is designed to look for plugin scripts to add to the Plugin Firewall Whitelist. This scanner has been tested up to scanning 1500 website Pages & Posts simultaneously.

Troubleshooting The Plugins htaccess File
Plugin Firewall AutoPilot Mode is designed to automatically correct most issues or problems. To check if the Plugin Firewall is causing another plugin not to work correctly or blocking a plugin script/file check your BPS Pro Security log file for 403 Errors. The script/file name and path will be listed in your Security log if it is being blocked. You can then add this plugin script/file name to the Plugins Script|File Whitelist Text Area to whitelist this plugin script/file name, click the Save Whitelist Options button and click the Activate button.

To turn Off the Plugin Firewall click the Deactivate button. Test the plugin that was having a problem and if the problem is still occurring then the Plugins Firewall BulletProof Mode is not causing the problem. Click the BPS Pro Troubleshooting Steps link at the top of this Read Me help file for additional BPS Pro troubleshooting steps.

