Title: Exclude URL from BPS QUERY STRING EXPLOITS Last modified: December 29, 2016 --- # Exclude URL from BPS QUERY STRING EXPLOITS * Resolved [isaacl](https://wordpress.org/support/users/isaacl/) * (@isaacl) * [9 years, 5 months ago](https://wordpress.org/support/topic/exclude-url-from-bps-query-string-exploits/) * We have a backend URL that is getting a 403 error when an apostrophe (%27) is included in a search/query on that page, but have another, almost identical page, that isn’t having that issue. That page/directory is protected by a htaccess password and only used internally, so it should work to just exclude that directory or page, rather than remove the rule fully. Is there any way way to exclude a specific directory or page from the QUERY STRING EXPLOITS rules? Thanks a lot! Viewing 5 replies - 1 through 5 (of 5 total) * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [9 years, 5 months ago](https://wordpress.org/support/topic/exclude-url-from-bps-query-string-exploits/#post-8602001) * To allow and not block apostrophe’s/single quote code characters in the backend wp-admin area use this solution: [https://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372](https://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372) * Since this is a backend whitelist rule, you can safely allow all apostrophe’s in the backend of your site. * Thread Starter [isaacl](https://wordpress.org/support/users/isaacl/) * (@isaacl) * [9 years, 5 months ago](https://wordpress.org/support/topic/exclude-url-from-bps-query-string-exploits/#post-8602024) * Thanks for the reply. * The actual page is in a separate directory, and just being loaded by an internal page – any ideas for what to do in that case? * Thanks a lot! * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [9 years, 5 months ago](https://wordpress.org/support/topic/exclude-url-from-bps-query-string-exploits/#post-8602162) * Then you are going to have to create some kind of custom htaccess code/rule for that. The BPS Query Strings Exploit code cannot have any modifications done to it besides disabling/commenting out security rules/filters. So basically you would have to comment out the BPS Query Strings Exploit security rule for apostrophes and then create a new block of code to deal with/handle apostrophes. I believe that would be too complicated to mess with and not worth the effort. So I wouldn’t bother with doing that. Allowing apostrophes does not decrease your overall security significantly. There are overlapping security rules for exactly the reason where someone would need to remove/comment out a particular rule or rules. - This reply was modified 9 years, 5 months ago by [AITpro](https://wordpress.org/support/users/aitpro/). - This reply was modified 9 years, 5 months ago by [AITpro](https://wordpress.org/support/users/aitpro/). * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [9 years, 5 months ago](https://wordpress.org/support/topic/exclude-url-from-bps-query-string-exploits/#post-8602170) * Typo|Correction: Allowing apostrophes does not decrease your overall security significantly. I left out “not” from the sentence above. * Thread Starter [isaacl](https://wordpress.org/support/users/isaacl/) * (@isaacl) * [9 years, 5 months ago](https://wordpress.org/support/topic/exclude-url-from-bps-query-string-exploits/#post-8602181) * Thanks a lot, will just remove that one then (already tested it, and it works after only removing it from the QUERY_STRING line, as long as that’s fine. * I had seen other posts where you had mentioned that it is one of the things that can be more dangerous, but as long as this shouldn’t affect too much. * Thanks a lot for all your help and hard work on the plugin, and for keeping us safe! Viewing 5 replies - 1 through 5 (of 5 total) The topic ‘Exclude URL from BPS QUERY STRING EXPLOITS’ is closed to new replies. * ![](https://ps.w.org/bulletproof-security/assets/icon-128x128.png?rev=1731938) * [BulletProof Security](https://wordpress.org/plugins/bulletproof-security/) * [Support Threads](https://wordpress.org/support/plugin/bulletproof-security/) * [Active Topics](https://wordpress.org/support/plugin/bulletproof-security/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/bulletproof-security/unresolved/) * [Reviews](https://wordpress.org/support/plugin/bulletproof-security/reviews/) * 5 replies * 2 participants * Last reply from: [isaacl](https://wordpress.org/support/users/isaacl/) * Last activity: [9 years, 5 months ago](https://wordpress.org/support/topic/exclude-url-from-bps-query-string-exploits/#post-8602181) * Status: resolved