mhenschel

Hi,
it really turned out that the update of another plugin caused the issues with woocommerce.
Sorry for the trouble. This was a little difficult to understand since the issue occured randomely and it just happened that the issue seemed to get better when I disabled your security features.

Thanks for trying to help out
Michael

It’s something like this
WordPress Address (URL). https://www.sitename.de/wordpress
…and…
Site Address (URL). https://www.sitename.de

So what is the suggstion? Does it help to deactivate better wp security and then let BPS create the .htaccess files new?

I’m waiting with sending you the email with the urls and steps to reproduce the woocommerce issues. After all my testing, I found that it maybe might not be a BPS problem. Sometimes the checkout process went fine although the BPS .htaccess security had been set. The problem is occurring randomly. I couldn’t figure it out for certain so far.

Thanks so far
Michael

To look at the website go to
https://Www.oekofaktum.de
It’s on maintenance so please give me your ip address and I enable you to see the page.

Michael

Unfortunately I don’t see any entries there. It reads:

File Open and Write test successful! Your Security Log file is writable.

BPS SECURITY / HTTP ERROR LOG
==============================
==============================

Nothing else. I have done:
1. Activate Website wp-admin Folder .htaccess Security Mode
2. Turned on error logging

Then I did some shopping to recreate the problem.

Michael

Hello,
some more informations:

1. I’m no longer using AIOWPS. It’s been deleted totally.
2. I deactivated and deleted the Better WP Security (iThemes Security) and the problem remained.
3. When I delete the wp-admin htaccess file from within BPS everything is working fine.

Michael

Reading your answers above again (some came while I was writing my reply) I guess you had come to the same conclusion already. I don’t understand the vhost stuff. I had never messed around with this. Don’t know if I’m running on vhost….

I searched for my httpd-vhosts.conf and found this dummy stuff:

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "c:/Apache24/docs/dummy-host.example.com"
    ServerName dummy-host.example.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "logs/dummy-host.example.com-error.log"
    CustomLog "logs/dummy-host.example.com-access.log" common
</VirtualHost>

So what does this tell me? Do I have to insert some reasonable stuff here?

Above you wrote that among the changes to .50.1 was
index.php uses the __FILE__ Magic constant for the require path

So that’s the reason I’m seeing this problem now, is it?

Michael

Hi,
the problem not only occurred on the local wamp server but also online. However, online I was just getting a white page. I think I have disabled displaying errors somewhere.

The maintenance page had been working a few days ago. The last updates I did in the last few days were “BPS” and two times “iThemes Security” (formerly Better WP Security, update 4.0.0 -> 4.0.2 -> 4.0.5). Then the maintenance page wasn’t working anymore. On the online site (which is running in maintenance mode and is not online so to say) I got the maintenance page running again by exchanging the database with a 2 day old backup version. This was before updating to 4.0.5. I also uploaded iThemes Security 4.0.2 again.
Then the maintenance page showed up again. I then updated everything again and now the maintenance page is working again. Strange!

But on my local install the problem persists.

I have noticed that BPS writes into the index.php. I think this is where the problem is hidden.

My wordpress url is in a subfolder of my site url.
Therefor I have an index.php in the root directory and one in the folder of the wordpress install. BPS changes both files when turning maintenance mode on.
In the root index.php it writes the following:

if ( in_array( $_SERVER['REMOTE_ADDR'], $bps_maintenance_ip ) || in_array( $matches_three[0], $bps_maintenance_ip ) || in_array( $matches_two[0], $bps_maintenance_ip ) || in_array( $matches_one[0], $bps_maintenance_ip )) {
# BEGIN BPS MAINTENANCE MODE GWIOD
require( dirname( __FILE__ ) . 'https://localhost/oekofaktum/_oeko_wp/wp-blog-header.php' );
} else {
require( dirname( __FILE__ ) . 'https://localhost/oekofaktum/_oeko_wp/bps-maintenance.php' );
}
# END BPS MAINTENANCE MODE GWIOD

Here it writes https://localhost/oekofaktum and this is where the wrong url is build.
In the index.php in the wordpress folder it doesn’t do that. It writes:

if ( in_array( $_SERVER['REMOTE_ADDR'], $bps_maintenance_ip ) || in_array( $matches_three[0], $bps_maintenance_ip ) || in_array( $matches_two[0], $bps_maintenance_ip ) || in_array( $matches_one[0], $bps_maintenance_ip )) {
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
} else {
require( dirname( __FILE__ ) . '/bps-maintenance.php' );
}

Is this a bug?

On my online installation this isn’t happening.

Michael

Hi,
the problem couldn’t be solved from the “all-in-one-wp-security-and-firewall” plugin support either. I’m not using the mailchimp plugin anymore at the moment, so the problem is solved for me.

Thanks for helping
Michael

As I said, I also have the problem when I’m not in maintenance mode. I’m not using the mailchimp plugin anymore, so it doesn’t maller for me anymore.

Thanks for helping.

Michael

I don’t see an option in “all-in-one-wp-security-and-firewall” to put adresses on a whitelist. There is only a whitelist for login ip.

Michael

Yes, it is enabled, however, disabling the lockout doesn’t make a difference.

Hi,
I have a response from All In One WP Security & Firewall regarding this issue:

Is this strange or can this be explained?

No this is not strange and is easily explained because the word “encode” appears in the query params and is thus causing the bad query rules to block the request.

As we’ve mentioned before, this is why we have deliberately made our plugin flexible by creating a number of firewall rules which can be enabled/disabled to suit different sites and setups. Sometimes some of these rules may affect functionality (such as in your case) but you can always deactivate that rule if needed.

So the plugin’s name is causing all this trouble. What a bummer.

Michael

Funny, I can find the plugin as mentioned above, but I can’t install it. It says:

Forbidden
You don’t have permission to access /wp-admin/update.php on this server.

I have now come to the bottom of it. It’s the “Bad Query Strings”. When this is enabled, the plugin won’t install, activate, yes you can’t even search it. Is this strange or can this be explained?

And to be even more precise, I get this error when enabling the “Additional Firewall rules”.