How to avoid Hackrepair to block php includes

On my site, I have also a strange behaviour when Hackrepair is set enable : in that case the schedule backups of the backwpup plugin does not start.

@drauth

Could you post how that php include call exactly looks like ?

dwinden

Here it is: real name of script hidden for security purposes

<?php include ‘https://www.panarea.com/banners/xxxxxxx.php?settore=I&#8217;; ?>

also tried

<?php include ‘/var/www/panarea/data/www/panarea.com/banners/xxxxxxx.php?settore=I’; ?>

Thanks

@drauth

The following Hackrepair blacklist line in the .htaccess file might cause your issue:

RewriteCond %{HTTP_USER_AGENT} “^$” [NC,OR]

Change it to:

# RewriteCond %{HTTP_USER_AGENT} “^$” [NC,OR]

and then retry while using your first example syntax (HTTP).

I think the second example include command does not work because it is invalid. This is explained in Example #3 of the online PHP manual.

dwinden

Drauth:

Check the .htaccess file, and see if there is any string of characters that matches the URL or Query String of the http call made; or of the data that the other site returns.

If the included file tries to get data that is suspicious, iThemes Security will Block It.

I can’t debug it from the little you’ve shown, and it’s too complex to teach here. If you want, I can probably troubleshoot it for you. glerner.com/contact.php

harasse:

You have to enable /wp-admin/admin.php?page=backwpupsettings

backWPup running a job calls /wp-admin/admin.php (or /wp-admin/network/admin.php on Multi-Site ). ‘admin’ is commonly blocked.

Check your .htaccess file to see what strings are being blocked.

(I have iThemes Security and BackWPup both working; but I’ve customized my .htaccess to tell me what got blocked and why, so I don’t know what specifically is being blocked for you.)

Apparently dwinden suggestion works.

Is there a way to tell Ithemes Security to allow scripts from a given URL? A sort of Whitelist…

@drauth

No such feature is default not available within the Plugin.
But there is something else you can do.

The iTSec plugin HackRepair.com blacklist setting uses template files for inserting the necessary .htaccess lines.

These template files (3) are located in the better-wp-security/core/modules/ban-users/lists folder.

You can change the entries in these template files anyway you want.
So if you are using Apache webserver edit the hackrepair-apache.inc file.

After making your changes don’t forget to make a backup copy of the .inc file and save it in a secure location OUTSIDE the better-wp-security folder.
When updating the plugin all changes will be lost …

If you decide to change a template file don’t forget to disable the Banned Users HackRepair.com blacklist setting, save all changes and then reenable the HackRepair.com blacklist setting and save all changes, in order to propagate the template file changes to your .htaccess file …

It seems your issue got resolved so please mark this topic as ‘resolved’.

dwinden

@drauth

If you require no further assistance please mark this topic as ‘resolved’.

dwinden

Solved thanks