allow wp-login by ip
-
Any idea why this code, which worked 2 weeks ago with all 4 octets, now throws a 403 with 4 or 3 octets? I have the latest BPS installed.
I have had to comment it all out to be able to log in. 2 weeks ago I could log in fine with this code but not now. This is the version right before current and in current version.
```apache
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
#<FilesMatch "^(wp-login\.php)">
#Order Allow,Deny
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
#Allow from XXX.XX.XX.
#</FilesMatch>
```
-
Sounds like your public IP address has changed.
It changed back about Dec 25. Not since then. I have been able to log in up to 3/22 when 2 lines of deny all appeared in my cPanel ipdeny manager at the top of the list. My host tells me this comes from the htaccess files. Since I did not make any changes until 3/22 and the lines were there before that, I doubt that is the case. I did find the order allow,deny does not work on my host. It has to be reversed to Deny,Allow for the code to work. I had been using similar ip code but without the explicit order statement.
When the deny all statement is put in with either order statement, it will throw a 403 error thanks to the deny all in the ip manager which my host says can not be entered manually.
So any ideas where in the std bps code a deny all could be picked up and put into the ip deny manager because I can’t see any. And I don’t see any in my custom code either. This ip deny manager issue has only been a problem the last 2 days. My host changed something I think but they of course deny that.
Could mod_security changes put a deny all into a cPanel ip deny manager?
The only places I find any deny from all on bps htaccess are these two code blocks. The host of course could not find out anything of use.
```apache
# DENY BROWSER ACCESS TO THESE FILES
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
# To be able to view these files from a Browser, replace 127.0.0.1 with your actual
# current IP address. Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
# Note: The BPS System Info page displays which modules are loaded on your server.
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
Order Allow,Deny
Deny from all
#Allow from 127.0.0.1
</FilesMatch>
```

```apache
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
# Whitelist MRE Address Blocks
Allow from 24.8.64.
Deny from all
</FilesMatch>
```

Since these are std code blocks I can’t see why they would be a problem unless the cpanel parsing software is detecting whitespace around the deny from all and assumes it is not part of a code block.
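How Apache's `Order` directive resolves `Allow` and `Deny` for the blocks quoted in this thread, as an added example (not BPS or cPanel code). The function names and the 198.51.100.5 test address are constructed, and partial addresses such as `24.8.64.` are modelled as octet prefixes.

```python
def host_matches(spec, ip):
    """'all' matches everything; '24.8.64.' matches on its leading octets."""
    if spec.lower() == 'all':
        return True
    want = [o for o in spec.split('.') if o]
    return ip.split('.')[:len(want)] == want

def is_allowed(order, allows, denies, ip):
    """Apply Apache 2.2-style Order/Allow/Deny rules to one client address."""
    a = any(host_matches(s, ip) for s in allows)
    d = any(host_matches(s, ip) for s in denies)
    if order.replace(' ', '').lower() == 'allow,deny':
        return a and not d      # no match -> denied; both match -> denied
    return a or not d           # Deny,Allow: no match -> allowed; both -> allowed

# Blocks from the thread, reduced to (Order, Allow list, Deny list).
WP_LOGIN = ('Allow,Deny', ['65.100.50.'], [])   # example octets from the BPS comment
XMLRPC = ('Deny,Allow', ['24.8.64.'], ['all'])
WP_CONFIG = ('Allow,Deny', [], ['all'])
# Same Allow line with the order reversed and no "Deny from all" added:
WP_LOGIN_REVERSED = ('Deny,Allow', ['65.100.50.'], [])

def check(block, ip):
    """Evaluate one of the blocks above for a client address."""
    return is_allowed(*block, ip)
```

The reversed case admits every address, which is why a `Deny,Allow` block needs an explicit `Deny from all`, as the xmlrpc block has.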
Older versions of cPanel tools have problems where they do not detect htaccess code in htaccess files correctly. So what I recommend that you do at this point is to not use any cPanel tools like ipdeny manager and instead do everything with htaccess code in your root htaccess file.
Unfortunately I can’t do that as my web host rebuilds the ipdeny manager each night in the backup run. I finally got an admission today that the ip deny parser is not working correctly. I think it is getting into the bps backup folder and reading the htaccess deny all from there. They are working on a fix but don’t know when it will be done. From some other weird things I found like copies of some of my sites inside other folders where they don’t belong dated 3/16/16 as well as the regular site folders where they belong. Found this looking thru all my sites with ftp. They are working on a new cPanel layout that looks like an attempt to make a mobile friendly one. Long scroll down the page as opposed to nav bar and layout next to the nav bar so things are easy to find.
What bothers me as much is none of your posts were sent to me via email even though I had that option selected.
Much as I hate switching hosts, the time has come to get it done. Right after my taxes.
So tonight my webhost tech tells me the only way to remove the deny all entries from the ip deny manager is to disable bulletproof security. This tells me they are reading the htaccess files from the bps backup and other bps folders instead of just reading the htaccess file in the root of the website.
Trying to get that changed so the cPanel ip deny parser reads the correct file. Not a lot of hope on that though.
The cPanel tools were fixed about a year ago so if your host upgrades to the latest cPanel version then since the newer cPanel version tools have been fixed then they will work correctly and not cause this problem any longer. This is a known documented cPanel tools problem that started occurring around 2002 – 14 years ago and was fixed in cPanel sometime in 2015.
I am pretty sure that the cPanel ipdeny tool only looks at the root and wp-admin htaccess files and not any other htaccess files anywhere else. So you could try using Default Mode for the root htaccess file and deactivating wp-admin BulletProof Mode.
This is what my webhost says
Dear Mr. Estes,
We regret any inconvenience you may be experiencing with your WordPress plugins.
To contact Support team management, please email [email protected]. Please note that responses may be delayed.
Your complaint refers to an incompatibility between the configuration of our servers and the security plugins that you have chosen to use for your WordPress sites. Unfortunately, we will not modify the server configuration to accommodate your plugins. If they do not function properly in our environment, you will be unable to use them.
That said, the remainder of this response will operate under the assumption that the issue you are referring to in this complaint is related to the IP Deny Manager, as you have recently opened a support ticket regarding that cPanel tool.
The IP Deny Manager is a very basic tool intended to simplify IP blocking for individuals who do not wish to directly edit the .htaccess file. All of the IP Deny entries currently appearing in the IP Deny Manager originate from the .htaccess file located in your public_html folder. This tool is not sophisticated enough to detect that the Deny commands in your .htaccess file are all conditional denials contained within various FilesMatch blocks. In addition to the two Deny from all commands, the other 17 IP-specific Deny commands listed in the tool are also contained within a FilesMatch block.
Again, the IP Deny Manager is simply an interface to the .htaccess file. It does not represent some alternate security function. Your .htaccess should function properly regardless of what information is presented in the IP Deny Manager. If it is not, and assuming that there is no direct incompatibility between the contents of the .htaccess file and our server configuration, please provide more details as to the problems you’re experiencing via the support ticket so that we can attempt to assist further. If we are able to reproduce your issue, we should be able to help track down the cause.
I can’t believe they are saying bps is not compatible with their server. How can I get the code to you for my main htaccess file so you can look at it? I can’t see anything that should trigger a deny all into the ip deny manager unless the tool is only looking for the deny from all code without any regard to the context. This is totally beyond the pale with these fools.
I have been able to log in up to 3/22 when 2 lines of deny all appeared in my cPanel ipdeny manager at the top of the list. My host tells me this comes from the htaccess files.
Your host is already aware of this very common problem with the cPanel IP Deny Manager tool based on what they told you already above. The only workaround that you can use if your host does not want to upgrade cPanel or disable the IP Deny Manager tool is to remove/delete all htaccess code in your root htaccess file that the IP Deny Manager tool is grabbing automatically. I assume that would be any root htaccess file code with IP addresses in it.
Here are the code blocks that are causing the problem because the ip deny parser is ignoring the FilesMatch context
```apache
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
Order Allow,Deny
Deny from all
#Allow from 127.0.0.1
</FilesMatch>

# XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# Using this code blocks Pingbacks and Trackbacks on your website.
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist your IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
# Whitelist MRE Address Blocks
Allow from 24.8.64.
Deny from all
</FilesMatch>
```

Since both of these are security blocks and the brute force is standard in the bps htaccess generation I don’t see how to stop it being in the htaccess files. While the xmlrpc code is optional, given the number of logged xmlrpc attacks bps has stopped on my sites, I don’t want to remove or disable that either.
So far my host has not given any assurances they have these two code blocks covered in mod_security rules. And they have not given me any assurances they are willing to be responsible for my site security like on managed wordpress hosting.
And so far I have no explanation from you why I am not getting email notification of posts.
Close, but you have the problem backwards. The BPS htaccess code works fine on web hosts all over the world, except on web hosts that are using older cPanel Tools that are broken. The broken cPanel tools look at htaccess file code, interprets what it thinks it sees and then automatically creates code for itself within itself. So basically the broken cPanel tools are malfunctioning and misinterpreting the htaccess code and then creating junk/invalid rules itself within itself.
I think the broken cPanel tools are malfunctioning much worse than just not interpreting the FilesMatch code. I used to see this problem all of the time and the end result was some mangled/unrecognizable/invalid rules created by the cPanel broken tools.
In any case one of the things the broken cPanel tools definitely check for is a pattern match for IP addresses. So you will need to use BPS Custom Code to remove/delete all BPS htaccess code that has IP addresses. I cannot think of any other workaround in BPS to prevent the broken cPanel tools from wreaking havoc.
And once again this problem no longer occurs in newer versions of cPanel because cPanel fixed all of their cPanel tools last year in 2015.
If I lock my htaccess files will it stop the cPanel putting rules from them into the ip deny manager?
Nope. The cPanel IP Deny Manager tool can read the root htaccess file contents no matter what the file permissions are for the file (644, 404, 400, etc).
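The behaviour the host describes in this thread (Deny lines listed without regard to the FilesMatch block around them) can be reproduced with a small model and compared with a scanner that tracks the enclosing block. This is an added example, not cPanel's or BPS's code; the function names and the top-level 203.0.113.7 rule are constructed for illustration.

```python
import re

# Constructed sample: the two FilesMatch blocks quoted in the thread plus one
# top-level rule. 203.0.113.7 is a documentation address, not from the thread.
SAMPLE = r'''
# Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
Order Allow,Deny
Deny from all
#Allow from 127.0.0.1
</FilesMatch>
Deny from 203.0.113.7
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Allow from 24.8.64.
Deny from all
</FilesMatch>
'''

OPEN = re.compile(r'<\s*(\w+)\s*(.*?)\s*>$')    # <FilesMatch "...">
CLOSE = re.compile(r'</\s*\w+\s*>$')            # </FilesMatch>
DENY = re.compile(r'deny\s+from\s+(.+)$', re.I)

def context_blind_denies(text):
    """Model of a scanner that lists every active Deny line, whatever encloses it."""
    hits = (DENY.match(l.strip()) for l in text.splitlines())
    return [t for m in hits if m for t in m.group(1).split()]

def scoped_denies(text):
    """Return (scope, target) pairs; scope is None only for top-level rules."""
    stack, found = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('#'):
            continue                      # blank line or commented-out directive
        m_open, m_deny = OPEN.match(line), DENY.match(line)
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif m_open:
            stack.append(f'{m_open.group(1)} {m_open.group(2)}')
        elif m_deny:
            scope = stack[-1] if stack else None
            found.extend((scope, t) for t in m_deny.group(1).split())
    return found

def site_wide_denies(text):
    """Targets that a whole-site IP block list should actually show."""
    return [t for scope, t in scoped_denies(text) if scope is None]
```

On the sample, the context-blind scan reports two `all` entries that are really per-file rules, while the scoped scan reports only the one top-level address.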