Hello!

    First I want to say that BulletProof really helped me when my websites got infected by malicious code; this plugin is really a must-have to secure WordPress/timthumb.

    I’ve got a problem though, because this plugin blocks Google/Google Images from accessing and parsing my images via timthumb. How can I configure BPS to let the Google user agent access these files?

    Thank you in advance,

    Regards,
    hwk

    https://www.ads-software.com/extend/plugins/bulletproof-security/

Viewing 12 replies - 1 through 12 (of 12 total)
  Plugin Author AITpro

    (@aitpro)

    Please check your BPS Security Log and ONLY post a log entry that pertains to/is relevant to this particular issue. Please do not post your entire Security Log. I can then tell you what you will need to do next to create a whitelist or skip/bypass rule to allow this.

    Thread Starter Konrad Chmielewski

    (@hwk-fr)

    Hi, thank you for your answer! Here are 2 examples: one for Googlebot-Image, and another one for Googlebot.

    (I’ve replaced: MYTHEME, MYDOMAIN, MYIMAGE)

    403 ERROR
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/themes/MYTHEME/functions/timthumb.php?src=https://www.MYDOMAIN.com/wp-content/uploads/2013/02/MYIMAGE.jpg&w=300&h=168&q=100
    QUERY_STRING:
    HTTP_USER_AGENT: Googlebot-Image/1.0

    403 ERROR
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/themes/MYTHEME/functions/timthumb.php?src=https://www.MYDOMAIN.com/wp-content/uploads/2013/04/MYIMAGE.jpg&w=300&h=168&q=100
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +https://www.google.com/bot.html)

    Regards,

    Plugin Author AITpro

    (@aitpro)

    A skip/bypass rule for your Theme should do the trick. I am surprised that the existing timthumb skip/bypass rule is not already working. Did you click the AutoMagic buttons before activating BulletProof Modes? If not, then do that and test. If you have clicked the AutoMagic buttons before activating BulletProof Modes then do this below…

    1. Copy this .htaccess code below to the Custom Code CUSTOM CODE PLUGIN FIXES: text box
    2. Save your new custom code by clicking the Save Root Custom Code button.
    3. Click the Create secure.htaccess File AutoMagic button on the Security Modes page.
    4. Activate BulletProof Mode for your Root folder on the Security Modes page.

    NOTE: If your WordPress installation is in a subfolder then add your WordPress subfolder name in the path.
    Example: /my-wordpress-installation-folder-name/wp-content/plugins/google-document-embedder/

    Try this first…

    # Theme Timthumb skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/themes/MYTHEME/(.*)timthumb\.php [NC]
    RewriteRule . - [S=13]

    …if the skip/bypass rule above does not work then try this…

    # Theme Timthumb skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/themes/MYTHEME/functions/ [NC]
    RewriteRule . - [S=13]

    Plugin Author AITpro

    (@aitpro)

    Another approach would be to whitelist the Googlebot User Agent. You would add RewriteCond %{HTTP_USER_AGENT} ^.*Googlebot.* to this security filter in your root .htaccess file.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    # Skip the next rule (S=1) for thumbnail scripts when the referer is your own site
    # OR the User Agent contains Googlebot. The [OR] joins only these two conditions;
    # the REQUEST_URI condition above must still match as well.
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*example.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Googlebot.*
    RewriteRule . - [S=1]

    IMPORTANT NOTE: Keep in mind that User Agents, IP Addresses, Hostnames, etc. can all be faked by spammers or hackers.
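The two replies above describe three ways the rule chain can decide on the logged Googlebot request: the path-based theme skip/bypass rule, the own-site referer condition, and the [OR] Googlebot User Agent condition, plus the warning that a User Agent can be faked. The following is an added example, not code from the thread or from the BulletProof Security plugin, that models that chain in Python so the outcomes can be compared side by side. It assumes the rule order the replies imply (custom-code skip rule first, then the RFI host filter, then the timthumb bypass, which skips the rule after it) and assumes the skipped rule is a generic "no absolute URL in the query string" filter, since the thread never shows which BPS rule produced the 403. MYTHEME and MYDOMAIN.com are the log's placeholders, attacker.example is a hypothetical host, and the DNS tables used by the reverse/forward Googlebot check are constructed data, not real lookups.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# One request as the BPS Security Log records it (field names from the log).
@dataclass
class Request:
    request_uri: str            # path plus query string, as BPS logs it
    user_agent: str = ""
    referer: str = ""
    remote_addr: str = ""

    @property
    def path(self) -> str:
        return self.request_uri.partition("?")[0]

    @property
    def query(self) -> str:
        return self.request_uri.partition("?")[2]

Cond = Callable[[Request], bool]

# A RewriteRule with its RewriteConds folded into one predicate.
# action "F" = forbid (403); ("S", n) = skip the next n rules, as mod_rewrite does.
@dataclass
class Rule:
    name: str
    cond: Cond
    action: object

def cond_all(*conds: Cond) -> Cond:       # consecutive RewriteConds are ANDed
    return lambda r: all(c(r) for c in conds)

def cond_any(*conds: Cond) -> Cond:       # RewriteConds joined by [OR]
    return lambda r: any(c(r) for c in conds)

def rx(field: Callable[[Request], str], pattern: str) -> Cond:
    pat = re.compile(pattern, re.IGNORECASE)   # [NC]
    return lambda r: bool(pat.search(field(r)))

def evaluate(rules: List[Rule], req: Request) -> Tuple[int, str]:
    """Walk the rules top to bottom; return (status, name of the deciding rule)."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        if rule.cond(req):
            if rule.action == "F":
                return 403, rule.name
            i += rule.action[1]                # S=n jumps over the next n rules
        i += 1
    return 200, "no rule matched"

# Absolute-URL prefix and remote-host list taken from the thread's RFI filter.
ABS_URL = r"(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)"
RFI_HOSTS = (r"(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|"
             r"imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame)")

def build_rules(site: str, theme: str, theme_skip: bool = False,
                ua_cond: Optional[Cond] = None) -> List[Rule]:
    """Rule chain in the order the thread implies: custom-code skip rule first,
    then the RFI host filter, then the timthumb bypass that skips the rule after it."""
    rules: List[Rule] = []
    if theme_skip:                             # the "Theme Timthumb skip/bypass rule"
        rules.append(Rule("theme timthumb skip", rx(lambda r: r.path,
                          rf"^/wp-content/themes/{re.escape(theme)}/(.*)timthumb\.php"), ("S", 13)))
    rules.append(Rule("forbid RFI hosts", cond_any(
        rx(lambda r: r.query, f"^.*{ABS_URL}{RFI_HOSTS}.*$"),
        rx(lambda r: r.request_uri, f"^.*{ABS_URL}{RFI_HOSTS}.*$")), "F"))
    allow = [rx(lambda r: r.referer, rf"^.*{re.escape(site)}.*")]   # own-site referer
    if ua_cond is not None:                    # the [OR] Googlebot condition
        allow.append(ua_cond)
    rules.append(Rule("timthumb bypass", cond_all(
        rx(lambda r: r.path, r"(timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)"),
        cond_any(*allow)), ("S", 1)))
    # ASSUMPTION: the rule the bypass skips is a generic "no absolute URL in the query
    # string" filter; the thread does not show which BPS rule produced the 403.
    rules.append(Rule("forbid absolute URL in query string", rx(lambda r: r.query, ABS_URL), "F"))
    return rules

UA_SAYS_GOOGLEBOT: Cond = rx(lambda r: r.user_agent, r"^.*Googlebot.*")

def verify_googlebot(ip: str, reverse_dns: Callable[[str], Optional[str]],
                     forward_dns: Callable[[str], List[str]]) -> bool:
    """Google's published crawler check: the PTR name must end in googlebot.com or
    google.com and its forward lookup must return the same IP. Resolvers are
    injected so this runs offline; live, use socket.gethostbyaddr/gethostbyname."""
    host = reverse_dns(ip)
    if not host or not host.rstrip(".").endswith((".googlebot.com", ".google.com")):
        return False
    return ip in forward_dns(host)

# Constructed DNS data on RFC 5737 documentation addresses, not real lookups.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "203.0.113.7": "crawl-192-0-2-10.googlebot.com"}   # forged PTR; forward lookup won't confirm it
FWD = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]}

VERIFIED_GOOGLEBOT: Cond = lambda r: UA_SAYS_GOOGLEBOT(r) and verify_googlebot(
    r.remote_addr, PTR.get, lambda h: FWD.get(h, []))

def demo() -> Dict[str, Tuple[int, str]]:
    site, theme = "MYDOMAIN.com", "MYTHEME"
    base = f"/wp-content/themes/{theme}/functions/timthumb.php?src="
    # The logged Googlebot-Image request (placeholders as in the thread) from a verifiable crawler IP.
    bot = Request(base + f"https://www.{site}/wp-content/uploads/2013/02/MYIMAGE.jpg&w=300&h=168&q=100",
                  user_agent="Googlebot-Image/1.0", remote_addr="192.0.2.10")
    # Same script, forged User Agent, off-site src: what the RFI filter exists to stop (hypothetical).
    spoof = Request(base + "https://attacker.example/x.php",
                    user_agent="Mozilla/5.0 (compatible; Googlebot/2.1)", remote_addr="203.0.113.7")
    return {
        "as logged":           evaluate(build_rules(site, theme), bot),
        "ua whitelist":        evaluate(build_rules(site, theme, ua_cond=UA_SAYS_GOOGLEBOT), bot),
        "theme skip":          evaluate(build_rules(site, theme, theme_skip=True), bot),
        "ua whitelist, spoof": evaluate(build_rules(site, theme, ua_cond=UA_SAYS_GOOGLEBOT), spoof),
        "theme skip, spoof":   evaluate(build_rules(site, theme, theme_skip=True), spoof),
        "verified ua, bot":    evaluate(build_rules(site, theme, ua_cond=VERIFIED_GOOGLEBOT), bot),
        "verified ua, spoof":  evaluate(build_rules(site, theme, ua_cond=VERIFIED_GOOGLEBOT), spoof),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} -> {result}")
```

Run it and read the rows together: "as logged" reproduces the 403 because the crawler sends no referer, so only the User Agent or the path skip can let it through. Both the "ua whitelist, spoof" and "theme skip, spoof" rows come back 200, which is the point of the IMPORTANT NOTE above: a User Agent string is free to forge, and the path-based skip turns the filter off for that script regardless of what src= points at, so the remote-include decision then rests entirely on timthumb's own allowed-sites check. The "verified ua" rows show the usual fix for the first problem: accept the Googlebot User Agent only when the client IP's reverse DNS name is under googlebot.com or google.com and the forward lookup of that name returns the same IP.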

    Plugin Author AITpro

    (@aitpro)

    Please post a status update. If the issue/problem is resolved please resolve this thread. Thank you.

    Thread Starter Konrad Chmielewski

    (@hwk-fr)

    Hello,

    Sorry for the delay. I chose the solution that allows access to Google by USER_AGENT.

    [OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Googlebot.*

    I’m performing tests and waiting to see how Google now interacts with my images. I’ll post the results soon.

    Regards,

    Plugin Author AITpro

    (@aitpro)

    Please post a status update. If the issue/problem is resolved please resolve this thread. Thank you.

    Thread Starter Konrad Chmielewski

    (@hwk-fr)

    Hello AITpro,

    Over the past few days I’ve had a few problems with Google, which couldn’t parse my website. That was because WP Super Cache hadn’t updated the core .htaccess.

    I still have to wait 1 or 2 days to see if it can access my images.

    I’m sorry for the delay,
    I’ll keep the post updated.

    Plugin Author AITpro

    (@aitpro)

    Ok I’ll quit pestering you. Just want folks to know that we are here.

    Plugin Author AITpro

    (@aitpro)

    I will still receive email notifications when you get a chance to post again. Resolving so that I do not keep checking this thread.

    Thread Starter Konrad Chmielewski

    (@hwk-fr)

    Okay,

    After weeks of tests, I decided to use this code:

    # Theme Timthumb skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/themes/MYTHEME/(.*)timthumb\.php [NC]
    RewriteRule . - [S=13]

    The HTTP_USER_AGENT worked for Google, but there were still problems with the indexing of my images.

    Now it works nicely.

    Plugin Author AITpro

    (@aitpro)

    Great, thanks for confirming. Also just a reminder that BPS does not block the Googlebot/Google image retrieval. What is actually happening is that pretty much all plugins and themes use timthumb scripts in a way that simulates RFI hacking attempts against your website, which triggers a 403 error. The image retrieval is not affected in any way, i.e. images are retrieved by Google and all other search engines successfully without having to do anything, but a nuisance 403 error is generated because of the simulated RFI hacking attempt. This is very common unfortunately, since most plugins and themes are using this sketchy/poor timthumb image retrieval method.

The topic ‘Bulletproof Security block Google to access images’ is closed to new replies.