• Hey “Post Comments as bbPress Topics,”

    Let me begin by saying I love your plugin! Conceptually, it’s fabulous, it adds a ton of value to my site, and it works really well, except for one major problem, which is (unfortunately) a dealbreaker unless I can find a fix.

    I’ve discovered a conflict with the plugin and Sucuri’s firewall. The firewall keeps blocking all comments left on my bbpress forum when your plugin is active. (The site returns Sucuri’s “Access denied” error / code: EXPVP100 “Exploit attempt denied by virtual patching.”) I’ve taken all of the necessary steps to diagnose this (changed to a default WordPress theme, disabled all plugins, and removed all css and php modifications/snippets). I learned that when your plugin is active, I get the error message from Sucuri, but when the plugin is disabled, I’m able to receive website comments on my bbpress forum without issue, while my theme, other plugins, and all css/php modifications are in place. This goes without saying, since the issue is a conflict, but to be clear, when the Sucuri firewall is disabled and your plugin is active, visitors are able to post comments, so your plugin works fine.

    I reached out to Sucuri first, to see if they could help. Unfortunately, they aren’t able to disclose the intricacies of their firewall for obvious security reasons, so they can’t tell me where the conflict is. I’m hoping you can. Are you currently aware of any conflicts between your plugin and Sucuri’s firewall? It’s a fairly popular service, so I’m hopeful you may have encountered this issue before, and can offer a solution. Any idea how I can navigate this problem? I’m considering bypassing Sucuri’s firewall by whitelisting a path that will allow my site visitors access to my bbpress forum topics so they can successfully post their comments, but I’m not sure what that path would be.

    Currently, my site has a general bbpress forum page (e.g., domain.com/forum-root/forum/) and over 150 individual topics (e.g., domain.com/forum-root/forum/topic), each one relating to an individual blog post on my site. I’m using your plugin to display each topic on the corresponding blog post’s page (e.g., domain.com/post-name/). My end goal is for site visitors to be able to leave comments on the individual blog post pages (e.g., domain.com/post-name/), not the topic pages (e.g., domain.com/forum-root/forum/topic). Unfortunately, I cannot simply whitelist the path to each blog post page because that would require me to whitelist roughly 150 URLs on my site, essentially rendering the firewall useless. I tried whitelisting the general forum page (e.g., domain.com/forum-root/forum/) as well as the individual topic’s page (domain.com/forum-root/forum/topic) but neither of these actions allowed site visitors to leave comments on the individual post pages (e.g., domain.com/post-name/).

    You’re most familiar with the creation and organization of your plugin (i.e., its folders), so I’m wondering if you can tell me which path(s) I could try whitelisting in order for site visitors to be able to successfully leave comments on individual post pages (e.g., domain.com/post-name/), without having to whitelist every single post’s URL. I’m sure there’s a way for your plugin and Sucuri’s firewall to work together, I’m just not familiar enough with the backend of the plugin to know what I need to do to make that happen.

    Thank you!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Nick

    (@nickchomey)

    Glad to hear you’re making such good use of the plugin! I’m more of a maintainer for it than the actual developer – the original Dev isn’t around anymore and @robin-w has done the majority of development in recent years.

    Sorry to hear of the Sucuri conflict. I don’t know anything about it, and doubt Robin does either. Someone recently reported that it had a problem with another firewall – Wordfence I think.

    Has this always been happening or just in recent versions?

    One thing you might try is using an older version – we were forced to make some changes for “security” reasons, which has caused a lot of people a lot of conflicts.

    I believe 2.2.1 is the last version before those changes. They don’t affect functionality in any way. You could also just try a bunch of versions til one works…?

    https://www.ads-software.com/plugins/bbpress-post-topics/advanced/

    Let us know how it goes.

    Also, is there anything in your debug log?

    If none of that works, I’m not sure there’s much we can do about it without any actual info from Sucuri about what they think the problem is. The only other alternative would be digging into the code of Sucuri during a page load – I could do it, but would have to charge for the effort…

    Thread Starter nsolano

    (@nsolano)

    Hey Nick!

    Thanks so much for your quick and helpful response. It is very, very much appreciated.

    I can try an earlier version (I’m currently using 2.2.4), although I’m a bit hesitant to do that, only because I’d prefer to use the version that includes your security updates. I did think of a possible workaround though. I don’t want to use much of your time, but would you mind answering one more quick question for me? This may be the fix I’m after, and a solution that could work for other plugin users who run into similar firewall-related issues.

    When the plugin is active, WordPress’s Settings -> Discussion page displays sections for “bbPress Topics for Posts Defaults” and “bbPress Topics for Posts Strings.” Since my site visitors are able to successfully comment on forum topics that are located on forum topic pages (e.g., domain.com/forum-root/forum/topic) but not on the individual post pages themselves (e.g., domain.com/post-name), I’m happy to just provide a link from each individual post page to each corresponding forum topic page, similar to the option you offer under “bbPress Topics for Posts Defaults” to display “A link to the topic,” so visitors can leave their comments over there. The problem is, when I select and save the “A link to the topic” default, the individual post pages don’t show any replies (only the link is shown), and I’d like those replies to appear. (Currently, the “bbPress Topics for Posts Defaults” options are to show the entire topic, replies only, a set number of replies, or a link to the topic, but there is no option to display both the replies AND a link to the topic so site visitors can see the replies on the individual post pages but officially respond to them on the forum topic page by following the link.) It’s unlikely that this option (to display both the replies AND a link to the topic) will become available, but I can accomplish a similar action by providing a link to the forum topic page on the individual post page. In order to do that, I’d need to receive the strings for the forum topic page (URL) and the forum topic page (TITLE)–would you happen to know what these are?

    To sum up, in the “bbPress Topics for Posts Strings” section on the Settings -> Discussion page, in the “Content of topic first post:” box, I want to write something like this:

    "Below is the Questions & Answers forum for our blog post <a href="%url">%title</a>. To ask a question or post a comment, please visit this page <a href="STRING FOR TOPIC PAGE URL">STRING FOR TOPIC PAGE TITLE</a>."

    This way, when the “Entire topic” default is selected, each individual post on my site will display the corresponding topic replies, as well as a link to the forum topic page where the firewall will allow them to post a comment. I’ll then use css to hide the comment box on the individual post pages, essentially forcing site visitors to follow the link to the forum topic page if they want to comment.

    My fingers are crossed that you can provide the strings for the topic URL and the topic TITLE. Currently, the Settings -> Discussion page provides strings for the following: %title — Post title; %url — Post Permalink; %author — Post author's display name; %excerpt — Post except (or a 150-character snippet); and %post — Full post text but the topic URL and topic TITLE are missing.

    Thank you!

    Plugin Author Nick

    (@nickchomey)

    The “security” updates are not meaningful. You’ll be perfectly fine at least trying out the older version to see if it fixes or narrows down the problem. That would be my first recommendation for you.

    If that doesn’t work, then I hate to seem rude/unhelpful, but could you please rewrite the rest of your message more concisely? It was a headache to try to make sense of it.

    Thread Starter nsolano

    (@nsolano)

    Hey Nick!

    Thanks so much for confirming that the “security” updates are nothing to worry about. I’ll try one or more older versions.

    Also, you don’t seem rude/unhelpful at all! I appreciate your quick responses, and your interest in sticking with me.

    Here’s what I meant to ask:

    On the Settings -> Discussion page in WordPress admin, there’s an option to use the following strings:

    %title — Post title
    %url — Post Permalink
    %author — Post author’s display name
    %excerpt — Post except (or a 150-character snippet)
    %post — Full post text

    I’m curious to know if there’s an option to use strings that identify a forum topic’s url and a forum topic’s title. I tried using “%topic_url” and “%topic_title” as well as “%topicurl” and “%topictitle” but none of these worked. My end goal is to use the topic url and topic title strings in the “Content of topic first post:” box, which is also supplied on the Settings -> Discussion page in WordPress admin.

    Thank you!

    Plugin Author Nick

    (@nickchomey)

    Thanks for the clarity, that’s very helpful.

    No, there isn’t any such option right now. I’ll try to look at the code in the next few days and see if it is something that can be easily added.

    In the meantime, please try out one of the older versions. All that the newer ones added was various “escaping” mechanisms that remove any html tags from text that is presented on the front-end. This has caused a major nuisance for some users because they were displaying formatted text in a few places. We plan to try to figure out a way around this that satisfies the plugin moderators’ concerns – it only serves to prevent site admins from displaying text/html that only they can create. You can check out some recent support tickets to see what I’m talking about.

  • The topic ‘Major conflict with Sucuri Firewall (website security)’ is closed to new replies.
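
The escaping trade-off described in the last reply, as an added example that is not part of the thread and not the plugin's code: it expands the %title, %url and %author tokens from the Settings -> Discussion page while escaping only the substituted values, so markup typed into the template itself still renders. The function name `expand_topic_template`, the http(s)-only permalink check and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not the plugin's code.

/**
 * Expand the %title / %url / %author tokens in an admin-written template.
 * Each value is escaped for HTML; the template's own markup is left alone.
 */
function expand_topic_template(string $template, array $post): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

    // Assumption: permalinks are absolute http(s) URLs; anything else becomes "#".
    $url = preg_match('#^https?://#i', $post['url']) === 1 ? $post['url'] : '#';

    // strtr() works in one pass: a token inside a substituted value
    // is never expanded a second time.
    return strtr($template, [
        '%title'  => htmlspecialchars($post['title'], $flags, 'UTF-8'),
        '%url'    => htmlspecialchars($url, $flags, 'UTF-8'),
        '%author' => htmlspecialchars($post['author'], $flags, 'UTF-8'),
    ]);
}

// Constructed sample input, modelled on the template quoted in the thread.
$template = 'Questions and answers for <a href="%url">%title</a>, written by %author.';
$post = [
    'title'  => 'Tips <b>& tricks</b> for %author',
    'url'    => 'https://domain.com/post-name/',
    'author' => 'Jane "JD" Doe',
];

// Per-value escaping: the link still renders, the values are shown as text.
echo expand_topic_template($template, $post), PHP_EOL;

// Escaping the finished string instead: the admin's <a> tag is shown as text too.
$raw = strtr($template, [
    '%title' => $post['title'], '%url' => $post['url'], '%author' => $post['author'],
]);
echo htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'), PHP_EOL;
```

The first line of output keeps a working `<a href="…">` around an escaped title; the second shows the whole template, link included, as literal text, which is the behaviour users in the thread reported as a nuisance.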