wordpress-sdk
Conflict with Security Plugin, need custom rule for .htaccess for wp-admin/plugins.php
BulletProof Security is a very, very popular security plugin, and it has an issue with plugin activation when using the Freemius SDK.
Actual Behavior:
- Upon activation, and clicking on 'Opt in' when prompted, a 403 Forbidden page shows up, and activation was not successful.
Expected Behavior:
- Activation should be successful.
Versions: (*)
- Freemius SDK Version: 2.1.2
- WordPress Version: 5.1
- PHP Version: 7.0.33
Plugin / Theme: (*)
- Name: WP REST Filter
- Slug: wp-rest-filter
- Freemius ID: 3359
Additional Information:
- Browser Type: Chrome
- Browser Version: 72.0.3626.109 (Official Build) (64-bit)
- OS: Mac
Stack Traces:
[403 GET Request: 23/02/2019 - 5:27 PM]
BPS: 3.3
WP: 5.1
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 121.211.220.16
Host Name: cpe-121-211-220-16.hhui-cr-003.cht.nsw.bigpond.net.au
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://mydomain.com/
REQUEST_URI: /wp-admin/plugins.php?user_id=1748025&user_secret_key=sk_reLrl%3A%2AN%3C%7D8%40guU9v%40eE%287twYOoo6&user_public_key=pk_087fb825e46f48615af6621dc598d&is_marketing_allowed=1&install_id=2416069&install_secret_key=sk_db%7E8BG_%2A%3FRq%3Cb%5E3P7W%21p_gZ%7BVWw_0&install_public_key=pk_0dee86e8e2d926b8fc67d50e79806&fs_action=wp-rest-filter_activate_new&_wpnonce=a54cf44b4a
QUERY_STRING: user_id=1748025&user_secret_key=sk_reLrl%3A%2AN%3C%7D8%40guU9v%40eE%287twYOoo6&user_public_key=pk_087fb825e46f48615af6621dc598d&is_marketing_allowed=1&install_id=2416069&install_secret_key=sk_db%7E8BG_%2A%3FRq%3Cb%5E3P7W%21p_gZ%7BVWw_0&install_public_key=pk_0dee86e8e2d926b8fc67d50e79806&fs_action=wp-rest-filter_activate_new&_wpnonce=a54cf44b4a
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/ Under section: WPADMIN-SBR
If the Referer or Request URI has /wp-admin/ in the path then these are things that are being blocked by BPS in the wp-admin .htaccess file and a Skip/Bypass rule needs to be created for the wp-admin .htaccess file by adding it to BPS Custom Code. Typically either a wp-admin file needs to be whitelisted in the Skip/Bypass rule or a Query String needs to be whitelisted.
This can be done manually by the plugin customer; however, this highly technical issue should have been thought of by the plugin developer and taken care of by adding an 'AutoSetup' or 'AutoFix' rule to BulletProof Security.
Is it possible to add it to Freemius SDK?
As a customer, I've fixed this issue by the following:
This is likely because AJAX is disabled on your wp-admin/plugins.php page. If you are using the BulletProof Security plugin, here's how to fix it.
Go to htaccess Core -> Custom Code -> wp-admin htaccess File Custom Code, and paste the following code into the '3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES' section.
# post.php skip/bypass rule
# [S=2] tells mod_rewrite to skip the next two RewriteRule directives that follow this one
RewriteCond %{REQUEST_URI} (post\.php) [NC]
RewriteRule . - [S=2]
# plugins.php skip/bypass rule (the request that was getting the 403 above)
RewriteCond %{REQUEST_URI} (plugins\.php) [NC]
RewriteRule . - [S=2]
Click 'Save wp-admin Custom Code', then go to htaccess Core -> Security Modes, click 'Activate' under 'wp-admin Folder BulletProof Mode (WBM)'
Now you should be able to activate the plugin without any issue.
Thanks for the report, @jacktator. I'm keeping this one open for now without making any changes because we need to chew on it. I don't think that it would be the right solution to inject those rules on behalf of the user, but maybe we can check if that plugin is activated and include a link with your suggested workaround.
Hi Vova,
Thank you for your reply. You don't need to inject on behalf of the user.
What most other plugins do is code a 'notice' for BPS Security, so that when the user activates the plugin, BPS prompts the user with a message:
A new plugin has been activated and new whitelist rules added; you need to click 'Setup Wizard' to add the new rule.
However I'm not too sure how to code such 'notice' to BPS Security.
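An added example (not code from the Freemius SDK, from WP REST Filter, or from BulletProof Security) of the approach Vova floats above: detect whether BPS is active and, if so, show an admin notice that carries the reporter's plugins.php skip/bypass rule and the BPS menu path where it goes. It assumes BPS's main plugin file is `bulletproof-security/bulletproof-security.php`, uses WordPress's `is_plugin_active()`, `admin_notices` and `admin_init` hooks, and the `wprf_` function names, option name and query argument are made up for the example.

```php
<?php
/**
 * Added example, not part of the Freemius SDK: detect BulletProof Security
 * and show an admin notice pointing at the wp-admin skip/bypass rule
 * workaround from this thread.
 */

if ( ! function_exists( 'wprf_bps_is_active' ) ) {
    /**
     * True when BulletProof Security is active on this site or network-wide.
     */
    function wprf_bps_is_active() {
        if ( ! function_exists( 'is_plugin_active' ) ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        // Assumption: BPS's main plugin file path.
        $bps = 'bulletproof-security/bulletproof-security.php';
        return is_plugin_active( $bps ) || is_plugin_active_for_network( $bps );
    }
}

/**
 * The .htaccess snippet the user pastes into BPS Custom Code, section
 * "3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES" (copied from the workaround above).
 */
function wprf_bps_skip_rule_snippet() {
    return "# plugins.php skip/bypass rule\n"
         . "RewriteCond %{REQUEST_URI} (plugins\\.php) [NC]\n"
         . "RewriteRule . - [S=2]\n";
}

add_action( 'admin_notices', function () {
    // Only for users who can manage plugins, only while BPS is active,
    // and only until the notice has been dismissed.
    if ( ! current_user_can( 'activate_plugins' ) || ! wprf_bps_is_active() ) {
        return;
    }
    if ( get_option( 'wprf_bps_notice_dismissed' ) ) {
        return;
    }
    // Dismiss link carries a nonce so a forged link cannot silence the notice.
    $dismiss_url = wp_nonce_url(
        add_query_arg( 'wprf_dismiss_bps_notice', '1' ),
        'wprf_dismiss_bps_notice'
    );
    ?>
    <div class="notice notice-warning">
        <p><strong>WP REST Filter:</strong> BulletProof Security is active. Its
        wp-admin .htaccess rules can block the opt-in request to
        <code>wp-admin/plugins.php</code> with a 403 (BPS event code WPADMIN-SBR).
        Add the rule below under
        <em>htaccess Core &rarr; Custom Code &rarr; wp-admin htaccess File Custom Code</em>,
        click 'Save wp-admin Custom Code', then re-activate wp-admin Folder BulletProof Mode (WBM):</p>
        <pre><?php echo esc_html( wprf_bps_skip_rule_snippet() ); ?></pre>
        <p><a href="<?php echo esc_url( $dismiss_url ); ?>">Dismiss this notice</a></p>
    </div>
    <?php
} );

add_action( 'admin_init', function () {
    // Handle the dismiss link: check capability and nonce before writing the option.
    if ( empty( $_GET['wprf_dismiss_bps_notice'] ) ) {
        return;
    }
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    check_admin_referer( 'wprf_dismiss_bps_notice' );
    update_option( 'wprf_bps_notice_dismissed', 1 );
    wp_safe_redirect( remove_query_arg( array( 'wprf_dismiss_bps_notice', '_wpnonce' ) ) );
    exit;
} );
```

This only tells the administrator what to paste; it writes nothing to .htaccess, which is the point Vova raises about not injecting rules on the user's behalf. One caveat worth keeping in mind when sharing BPS log entries like the one above: the logged REQUEST_URI contains the opt-in's `user_secret_key` and `install_secret_key` values, so such log excerpts should be treated as sensitive.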