Hi @username,
Thank you for the detailed report and screenshot.
What happened:
You clicked “Edit Plugin” while BotFend had Disable Plugin/Theme Editor enabled. BotFend blocked access to plugin-editor.php and displayed a styled block message. That message attempted to load admin-file-guard.css. The CSS file was missing from the initial ww.wp.xz.cn upload (my mistake – fixed in next release). Your browser requested the missing file → 404 → BotFend’s 404 System logged and scored it.
Why this is actually good security:
In a real attack scenario, a hacker’s browser requests the same CSS/JS assets. If I excluded asset files from scoring, attackers would have a free bypass. Every single request from a non-whitelisted IP should be scored. The system is working as designed.
The immediate solution (already built into the plugin):
Go to BotFend Settings → Paths tab → IP Whitelist. Add your IP address. Whitelisted IPs bypass ALL security checks – no scoring, no logging, no blocking. This is the intended workflow for trusted administrators.
The permanent fix (next release):
I have already added admin-file-guard.css to the plugin package. The next update will have no 404 for that file.
Why I won’t use inline CSS or exclude asset files:
- Inline CSS violates WordPress coding standards and can be blocked by security headers
- Excluding .css/.js from 404 scoring creates a security hole – attackers would simply request asset files instead of PHP files
Summary for you right now:
- Add your IP to the whitelist (Paths tab)
- Stay in Log Only Mode until confident in your settings
- Update to the next plugin version when released
Thank you for the report – it helped identify the missing CSS file. Trusted admins should always whitelist their own IPs when using security plugins.
Thanks again.
Thread Starter
postcd
(@postcd)
> Every single request from a non-whitelisted IP should be scored.
Then the admin should be informed (currently is not?) that this is about each request, not on each 404 page load.
For example, I would suggest adding a new sentence after “Number of acceptable 404 errors prior to penalizing the visitor.” like this one: “Single page may produce multiple 404 errors if page elements do not exist.”
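The difference between counting 404s per request and per page load, discussed in the posts above, as an added example (not BotFend's code). The log lines, asset paths other than admin-file-guard.css, the threshold semantics ("more than N is penalized") and the Referer-based grouping are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format; IPs and asset paths are made up.
SAMPLE_LOG = '''\
203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-admin/plugin-editor.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /assets/admin-file-guard.css HTTP/1.1" 404 0 "https://site.example/wp-admin/plugin-editor.php" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /assets/missing.js HTTP/1.1" 404 0 "https://site.example/wp-admin/plugin-editor.php" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /assets/missing.png HTTP/1.1" 404 0 "https://site.example/wp-admin/plugin-editor.php" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2025:10:05:00 +0000] "GET /old-page-1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2025:10:05:09 +0000] "GET /old-page-2 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2025:10:05:20 +0000] "GET /old-page-3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2025:10:06:00 +0000] "GET /assets/admin-file-guard.css HTTP/1.1" 404 0 "https://site.example/wp-admin/plugin-editor.php" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2025:10:06:01 +0000] "GET /nope HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2025:10:06:02 +0000] "GET /nope2 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def score_404s(log_text, whitelist, threshold):
    """Count 404s per IP two ways: per request and per originating page load."""
    requests = defaultdict(int)
    pages = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue
        ip = m["ip"]
        if ip in whitelist:          # whitelisted IPs are not scored at all
            continue
        requests[ip] += 1
        # A 404 carrying a Referer is a sub-resource of that page; one with
        # no Referer is treated as its own page load.
        ref = m["referer"]
        pages[ip].add(ref if ref not in ("", "-") else m["path"])
    return {
        ip: {"requests": n, "page_loads": len(pages[ip]),
             "penalized_per_request": n > threshold,
             "penalized_per_page": len(pages[ip]) > threshold}
        for ip, n in requests.items()
    }

if __name__ == "__main__":
    for ip, r in score_404s(SAMPLE_LOG, {"192.0.2.10"}, threshold=2).items():
        print(ip, r)
```

With a threshold of 2, the first visitor is penalized under per-request counting after a single page view with three missing assets, while per-page counting would see one page load.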