• Resolved dawnw777

    (@dawnw777)


    On one domain that I’m switching to use BPS, I also have Memberpress.

    Looking in htaccess, I see this code:

    # BEGIN MemberPress Rules
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
    RewriteCond /home/domainname/public_html/wxyz/wp-content/uploads/mepr/rules/%1 -f
    RewriteRule ^(.*)$ – [L]
    RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)
    RewriteCond %{REQUEST_URI} \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ZIP|GZ|TAR|RAR|DOC|DOCX|XLS|XLSX|XLSM|PDF|MP4|M4V|MP3)$
    RewriteRule . /wxyz/wp-content/plugins/memberpress/lock.php [L]
    </IfModule>
    # END MemberPress Rules

    Which box do I add this to?
    I looked on your site but only saw one conversation about memberpress and that was a bit convoluted and confusing – 3 years ago too. It looks like memberpress htaccess code has changed in the meantime.

    Thanks

    https://www.ads-software.com/plugins/bulletproof-security/

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Author AITpro

    (@aitpro)

    Yep, this forum topic went all over the place, but in the end the solution was a very simple one: https://forum.ait-pro.com/forums/topic/memberpress-plugin-htaccess-general-compatibility/page/2/#post-7083. I updated the forum topic and added Custom Code steps.

    Thread Starter dawnw777

    (@dawnw777)

    Well, I did what the link said and posted the code into the custom bottom box.

    Unfortunately, as I’d discovered after doing something slightly different before, from the second I did that and cleared the security logs they started filling up with messages.

    For example:

    [403 GET Request: 25th August 2016 – 11:03 pm]
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: xxx.xxx.xxx.xxx
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.domain.com/wxyz/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fsecurity-log%2Fsecurity-log.php
    REQUEST_URI: /wxyz/wp-content/plugins/memberpress/images/[email protected]
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0

    and

    [403 GET Request: 25th August 2016 – 11:03 pm]
    Event Code: PSBR-HPR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: xxx.xxx.xxx.xxx
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.domain.com/wxyz/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fsecurity-log%2Fsecurity-log.php
    REQUEST_URI: /wxyz/wp-content/plugins/memberpress-aws/tooltip.js?ver=4.6
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0

    Dozens in a matter of minutes, all relating to memberpress.
    I followed the link to topic/security-log-event-codes/ but I frankly couldn’t make any sense of what I found there.

    The event code PFWR-PSBR-HPR I can only assume to be the same as that reported, which is PSBR-HPR.

    I added the following into the skip codes box, previous was 12, so this one number 13:

    # MemberPress skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wxyz/wp-content/plugins/memberpress-aws/ [NC]
    RewriteRule . – [S=13]

    But that stops nothing. I’m assuming it’s correct.
    I tried to work out what I’m supposed to do with the second error code, the one that I think needs to be fixed in the wp-admin htaccess, but I cannot for the life of me see any way to correlate the error message with any of the information on the error codes page, and there’s nothing I can see anywhere about how to allow memberpress to work.

    I first installed bps a couple of hours ago and I’ve been looking at this last bit for an hour now and I’m losing the will to live.

    Plugin Author AITpro

    (@aitpro)

    I assume you used your actual MemberPress htaccess code in BPS Custom Code correct and not the example code that was posted in the forum topic?

    The Security Log entries look like you used the example code, unless you edited them and changed the domain name, etc.

    Plugin Author AITpro

    (@aitpro)

    I don’t have MemberPress installed, but when I test the MemberPress htaccess code and use it like this below right after the BPS WP Rewrite Loop start code things work fine:

    Note: This line of code does not make sense/does not look valid in the example MemberPress code you posted: RewriteCond /home/domainname/public_html/wxyz/wp-content/uploads/mepr/rules/%1 -f
    The reason it is not valid is it is folder path and not a URL|URI path. /home/domainname/public_html/ is not valid since it is a folder path.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
    RewriteCond ^/wp-content/uploads/mepr/rules/%1 -f
    RewriteRule ^(.*)$ - [L]
    RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)
    RewriteCond %{REQUEST_URI} \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ZIP|GZ|TAR|RAR|DOC|DOCX|XLS|XLSX|XLSM|PDF|MP4|M4V|MP3)$
    RewriteRule . /wp-content/plugins/memberpress/lock.php [L]
    Plugin Author AITpro

    (@aitpro)

    The MemberPress htaccess code also appears to work at the bottom of the root htaccess file.

    Plugin Author AITpro

    (@aitpro)

    When I look around the Internet I see other people posting invalid MemberPress htaccess code with a file path insted of a URI|URL path. So that tells me the MemberPress htaccess code itself is fubar. So you will need to correct that fubar MemberPress htaccess code mistake manually in your code.

    Plugin Author AITpro

    (@aitpro)

    https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond

    The RewriteCond directive defines a rule condition. One or more RewriteCond can precede a RewriteRule directive. The following rule is then only used if both the current state of the URI matches its pattern, and if these conditions are met.

    RewriteCond uses a URI and not a folder path since a folder path is not valid.

    Thread Starter dawnw777

    (@dawnw777)

    First, the line you mentioned – RewriteCond /home/domainname/public_html/wxyz/wp-content/uploads/mepr/rules/%1 -f – was edited by me when I pasted it here, just to conceal the real names. As far as I can see there’s no way to publish private data in these forums.

    I notice that your example above doesn’t use
    <IfModule mod_rewrite.c>

    </IfModule>
    at the start and end, which mine, copied from the original htaccess code, does. Is that relevant? Other than that the code is identical to original.

    Also my server uses nginx as a reverse proxy and I know that has caused all sorts of grief with redirects. Don’t know if that makes a difference.

    I notice, oddly, that in the original htaccess, the memberpress code gets inserted just before the #end wordpress part. I didn’t think that was normal, but it worked so..

    Truth is, “So you will need to correct that fubar MemberPress htaccess code mistake manually in your code.” doesn’t help in my case as I have no idea what to write or even what I should be looking to achieve.

    If I get the pro version of bps, will that sort itself out automatically or will this repeat itself? I have a site under constant attack at present, but which does not exist without memberpress…so I must find an answer pronto!

    Thread Starter dawnw777

    (@dawnw777)

    My colleague, who bought the memberpress plugin, has contacted them, but apparently their support page says it might take 2 days to get a reply. I’m not sure what else I can do now..

    Thread Starter dawnw777

    (@dawnw777)

    Okay, I haven’t heard from memberpress, but my hosting guys at futurehosting.com have, as usual, bent over backwards to help.

    The adjusted the htaccess entry to:

    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
    RewriteCond /home/xxxxx/public_html/xxxxx/wp-content/uploads/mepr/rules/%1 -f
    RewriteRule ^(.*)$ – [L]
    RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)
    RewriteCond %{REQUEST_URI} !\.(php|phtml|jpg|jpeg|gif|css|png|js|ico|PHP|PHTML|JPG|JPEG|GIF|CSS|PNG|JS|ICO)
    RewriteRule . /xxxx/wp-content/plugins/memberpress/lock.php [L]
    </IfModule>

    It still looks the same to little ol’me but the crap has vanished from the security logs. Hope that doesn’t just mean they’ve been broken!!!!

    It looks to me like they added this via cpanel to the htaccess file. I’m a little wary of just one thing…..if I start clicking stuff like ‘activate secure htaccess’ or whatever it’s called, will that overwrite what they added? I’m not sure what overwrites what and when..

    Sorry for being dumb.

    Plugin Author AITpro

    (@aitpro)

    I updated the forum topic here with new Custom Code steps: https://forum.ait-pro.com/forums/topic/memberpress-plugin-htaccess-general-compatibility/page/2/#post-7083

    EDIT|Updated: 8-2016 – MemberPress htaccess code has changed a bit. The newer htaccess code and steps to add the MemberPress htaccess code to BPS Root Custom Code are below.

    IMPORTANT NOTE: The MemberPress htaccess code has a line of invalid htaccess code that needs to be manually corrected.
    RewriteCond /xxxxx/public_html/wp-content/uploads/mepr/rules/%1 -f. This is not valid htaccess code because the RewriteCond directive uses URI’s|URL’s and not folder paths. The corrected MemberPress htaccess should be something like this: RewriteCond ^/wp-content/uploads/mepr/rules/%1 -f

    1. Go to the BPS htaccess File Editor page, click on the Your Current Root htaccess File tab, scroll down in your Root .htaccess file code until you see this .htaccess code below.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    2. Copy your # WP REWRITE LOOP START code to this BPS Root Custom Code text box: CUSTOM CODE WP REWRITE LOOP START

    3. Copy your actual MemberPress htaccess code (the MemberPress htaccess code below is example code) that you see in your root htaccess file and add it after the WP REWRITE LOOP START htaccess code in the CUSTOM CODE WP REWRITE LOOP START text box. Your code should look similar to the example code below.
    4. Click the Save Root Custom Code button.
    5. Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # BEGIN MemberPress Rules
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
    RewriteCond ^/wp-content/uploads/mepr/rules/%1 -f
    RewriteRule ^(.*)$ - [L]
    RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)
    RewriteCond %{REQUEST_URI} \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ZIP|GZ|TAR|RAR|DOC|DOCX|XLS|XLSX|XLSM|PDF|MP4|M4V|MP3)$
    RewriteRule . /wp-content/plugins/memberpress/lock.php [L]
    </IfModule>
    # END MemberPress Rules
    Thread Starter dawnw777

    (@dawnw777)

    Excellent…glad to know it wasn’t me being a dummy!!

    Plugin Author AITpro

    (@aitpro)

    Also one final clarification and correction here:
    RewriteCond %{DOCUMENT_ROOT} can be used for folder conditions.
    So the corrected MemberPress code would be something like this:
    RewriteCond %{DOCUMENT_ROOT}/wp-content/uploads/mepr/rules/%1 -f
    But I think overall it would be better to use a RewriteCond %{REQUEST_URI} condition.

    Sorry to barge in on your thread but at this point I’m desperate.

    I am completely lost on this. The whole thing was working just fine until it wasn’t. Subscribers can still access the podcast on my website but cannot use the feed to subscribe manually via iTunes (something you could do before). It just keeps popping back up asking for username and password. This is so annoying.

    This is what my .htaccess code for Memberpress looks like and as you can see it’s missing a whole section:

    # BEGIN MemberPress Rules
    <IfModule mod_rewrite.c>

    RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
    RewriteCond /home/partyfa5/public_html/wp-content/uploads/mepr/rules/%1 -f
    RewriteRule ^(.*)$ – [L]

    RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)
    RewriteCond %{REQUEST_URI} \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ZIP|GZ|TAR|RAR|DOC|DOCX|XLS|XLSX|XLSM|PDF|MP4|M4V|MP3)$
    RewriteRule . /wp-content/plugins/memberpress/lock.php [L]

    </IfModule>
    # END MemberPress Rules

    # END WordPress

    # BEGIN MemberPress Rules
    <IfModule mod_rewrite.c>
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://partyfavorz.com/$1 [R,L]
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
    RewriteCond /home/partyfa5/public_html/wp-content/uploads/mepr/rules/%1 -f
    RewriteRule ^(.*)$ – [L]

    RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)
    RewriteCond %{REQUEST_URI} \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ZIP|GZ|TAR|RAR|DOC|DOCX|XLS|XLSX|XLSM|PDF|MP4|M4V|MP3)$
    RewriteRule . /wp-content/plugins/memberpress/lock.php [L]

    </IfModule>
    # END MemberPress Rules

    # END WordPress
    #AddType Content/Disposition+attachment music.mp3

    AddHandler application/x-httpd-php70 .php .php5 .php4 .php3

    Should I add:

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L] at the beginning of the code?

    This has been a real source of irritation for my subscribers as more and more move to access everything via mobile.

    Plugin Author AITpro

    (@aitpro)

    @kjam – This does not sound like the exact same problem. Please post a new forum thread/topic either in the BPS support forum (WP forum) or on the ait-pro.com forum site here: https://forum.ait-pro.com/forums/forum/bulletproof-security-free/#no-topic-0 Also be sure to check your BPS Security Log and post any relevant Security Log entries that show what is being blocked. If the problem is just with your iTunes feed and not with MemberPress then see this forum topic for the solution: https://forum.ait-pro.com/forums/topic/itunes-cannot-read-feed/#post-2787

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘Adding memberpress’ is closed to new replies.