Viewing 15 replies - 1 through 15 (of 19 total)
  • Plugin Author AITpro

    (@aitpro)

    Thank you for posting the query string. Makes it nice and simple to see the issue. Google Analytics for WordPress is calling admin-ajax.php for use in this plugin so you just need to allow this action in the wp-admin .htaccess file. You can add this skip/bypass rule to BPS wp-admin Custom Code CUSTOM CODE WPADMIN PLUGIN FIXES: and save it so that it is saved permanently to your DB. Then activate BulletProof Mode for your wp-admin folder again.

    # GAW admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]

    For Google Analytics Dashboard the .htaccess code only exists in the Root .htaccess file and not the wp-admin .htaccess file for BPS. I need to update this on the plugin testing and compatibility page. You will find that security filter in this section of the BPS security filters coding.

    ...
    ...
    ...
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    ...
    ...
    ...

    Thanks.
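
An added example, not part of the original post and not BPS code: a small Python check that takes the five RewriteCond patterns quoted above and reports which of them a 403'd request's query string matches, which is how a plugin conflict like this one can be traced to a specific filter line. The filter names, the log lines and the use of Python's `re` in place of Apache's PCRE are assumptions made for the illustration.

```python
import re

# Patterns copied from the RewriteCond lines in the post above. [NC] becomes
# re.IGNORECASE; [OR] only chains conditions. Python's re stands in for Apache's
# PCRE here, an assumption that holds for these simple patterns.
# The dictionary keys are labels invented for this example.
FILTERS = {
    "GLOBALS": (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    "_REQUEST": (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
    "brackets": (r"^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).*", re.I),
    "hex-bytes": (r"^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).*", re.I),
    "sql-words": (r"(NULL|OUTFILE|LOAD_FILE)", 0),
}
COMPILED = {name: re.compile(p, f) for name, (p, f) in FILTERS.items()}

# Request target and status from a combined-format access log entry.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2013:10:00:00 +0000] "GET /wp-admin/index.php?page=stats&dims[]=pagePath HTTP/1.1" 403 221
203.0.113.5 - - [01/Jan/2013:10:00:02 +0000] "GET /wp-admin/index.php?range=last(30) HTTP/1.1" 403 221
203.0.113.5 - - [01/Jan/2013:10:00:05 +0000] "GET /?s=football HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2013:10:00:09 +0000] "GET /wp-admin/index.php?dims%5B%5D=x HTTP/1.1" 403 221
"""


def explain_403s(log_text):
    """For each 403 entry, list the filters its raw query string matches."""
    report = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("status") != "403":
            continue
        path, _, query = m.group("target").partition("?")
        hits = [name for name, rx in COMPILED.items() if rx.search(query)]
        report.append((path, query, hits))
    return report


if __name__ == "__main__":
    for path, query, hits in explain_403s(SAMPLE_LOG):
        print(path, query, hits)
```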

    Thread Starter footyblogger

    (@footyblogger)

    Thanks, the Google Analytics for WordPress bypass has worked to get rid of the 403 error but just has flatlines where it should show pageviews, exits and uniques stats for each post. Does this need time to rebuild the data?

    The Google Analytics Dashboard fix has worked. If I use the auto magic buttons to create a new secure .htaccess file, will I need to change that line again?

    Plugin Author AITpro

    (@aitpro)

    I’m not really sure how the Google Analytics for WordPress plugin is supposed to work so I will install it and test it. Will post my findings back here after testing.

    If you add plugin fixes to the BPS Custom Code plugin fixes text area it is permanently saved to your WP Database (until you delete it of course) so that each time you click the secure.htaccess AutoMagic button that custom code will be included in your new .htaccess master file (AutoMagic creates master .htaccess files) and then when you activate BulletProof Mode for your Root folder (copies and renames the master .htaccess file to your website root folder) you will see that your custom code is included in your Root .htaccess file.

    Plugin Author AITpro

    (@aitpro)

    I didn’t realize that Google Analytics for WordPress was adding to Custom Variables within Google Analytics itself so my guess is you would have to wait the normal 24 hour period for GA stats to be updated. So let me know if you do not see updated GA info tomorrow. Very Cool plugin! Thanks.

    Thread Starter footyblogger

    (@footyblogger)

    Yes Joost makes a lot of good plugins. Cool, nothing is still showing yet, but will give it some more time to populate, thanks for the fix.

    re Google analytics dashboard, I understand that if you have custom code then it will continue to be added when you update, but I had to change the line within the actual root .htaccess file itself from:

    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]

    to:
    RewriteCond %{QUERY_STRING} ^.*(\[|\]||%3c|%3e|%5b|%5d).* [NC,OR]

    so I thought if I create a new .htaccess file from the automagic buttons I would lose my changes, as I altered the code in the root .htaccess file itself. So wouldn’t it get overwritten when a new one is created?

    Plugin Author AITpro

    (@aitpro)

    Yes, since this is an important standard BPS security filter rule that will remain as it is in all future versions of BPS then it would have to be manually modified again if you used AutoMagic again, but as of BPS .47.2, BPS will autoupdate itself on upgrade and change the .htaccess file version numbers and add any new .htaccess security filters automatically so that you do not have to use AutoMagic after you upgrade BPS each time. These autoupdates do not change/alter any customizations you have made to your .htaccess files. So your security filter modification would remain as it is now.

    Plugin Author AITpro

    (@aitpro)

    No news is usually good news, but checking in with you to see if everything is good now. Please confirm whether or not this thread can be resolved. Thanks.

    Thread Starter footyblogger

    (@footyblogger)

    That’s good news to hear about the security filter updating in future versions of BPS.
    I was waiting to see if the analytics section of the posts page populated, but it is still showing nothing. Not a big deal as my analytics are still tracking and the Google analytics dashboard widget is now showing after amending the .htaccess code, but must be some minor conflict between the two plugins.
    Thanks for your help with this, much appreciated.

    Plugin Author AITpro

    (@aitpro)

    On my XAMPP testing site everything appears to be working normally for the Google Analytics for WordPress plugin, but since this is a local install then the only data that was recorded on the Google Analytics site in Custom Variables was the administrator login since I do not get traffic to my local XAMPP installation. When I have some extra time I will install this plugin on a Live site and confirm that it works in a Live environment as well. Thanks.

    Thread Starter footyblogger

    (@footyblogger)

    Thanks, I’d be interested to know the results.
    Just one more question, in the ‘edit/upload/download menu’ when I click ‘Lock .htaccess file’ it causes my site to crash and give a ‘403 forbidden access’ error message when I try to access any page on the actual site.
    Does the .htaccess file need to be locked?

    At the minute in the file editing it says:
    File Open and Write test successful! The secure.htaccess file is writable.
    File Open and Write test successful! The default.htaccess file is writable.
    File Open and Write test successful! The maintenance.htaccess file is writable.
    File Open and Write test successful! The wpadmin-secure.htaccess file is writable.
    File Open and Write test successful! Your currently active root .htaccess file is writable.
    File Open and Write test successful! Your currently active wp-admin .htaccess file is writable.

    Plugin Author AITpro

    (@aitpro)

    No, the .htaccess file does not need to be locked. This is just an additional “bonus” security measure. Most likely your web host has created a strict rule on your Server that .htaccess files can only have 644 permissions. Which web host do you have so I can make a note of it? Thanks.

    Thread Starter footyblogger

    (@footyblogger)

    Interesting, when I create the .htaccess files with the auto-magic buttons and then activate all four options, about 10 minutes later I get the browser message pop up saying I don’t have BPS security activated and to go to the BPS settings page. I then go through the same process and about 10 minutes later I get the same message saying I don’t have BPS security activated even though I used the auto-magic buttons and have activated Bulletproof mode on all four options.

    I have managed to get rid of the 403 error and by locking the .htaccess file in the ‘edit/upload/download’ menu, the error message about not having BPS security that pops up at the top of the browser disappears.

    My .htaccess permissions are set to 404 as per the recommended permissions in the ‘security status’ menu. I use Justhost.com.

    Plugin Author AITpro

    (@aitpro)

    It sounds like either you have the classic cPanel Broken HotLink Protection tool problem, which will automatically change your root .htaccess file and add gibberish broken code to it or you have another plugin installed that is modifying the root .htaccess file at regular intervals automatically. There is a wp pre-made function called flush_rewrite_rules() that is very problematic if used incorrectly as it will remove all .htaccess code and replace it with the default wp .htaccess code.

    You originally stated that you were unable to lock your root .htaccess file and now you stated that you have changed it to 404 permissions. I assume you then changed the file permissions manually with FTP. Some hosts (not many – I think around 6 total out of 100’s) will automatically reset .htaccess permissions to 644 after you try and change the permissions.

    So what you need to check at this point are these things:
    1. check cPanel and see if you see the HotLink Protection Tool.
    2. make a copy of your root .htaccess file and then when it is changed automatically again after the 10 minute interval make another copy and compare the 2 files and see what has been modified.
    3. recheck the root .htaccess file permissions when the problem occurs again and see if the permissions are set back to 644.
    4. the 6scan plugin also used to break BPS and add blank spaces to the root .htaccess file, but it has been a long while since I checked to see if that plugin is still doing that.
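
Steps 2 and 3 above (copy the root .htaccess, wait for the change, compare the two copies and recheck the permissions) can be done with a short script. This is an added example, not part of the original post and not BPS code; the function names and the file contents used in `demo()` are constructed for the illustration.

```python
import difflib
import hashlib
import os
import stat
import tempfile


def snapshot(path):
    """Record the hash, permission bits and lines of a file at one moment."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "mode": stat.S_IMODE(os.stat(path).st_mode),
        "lines": data.decode("utf-8", "replace").splitlines(),
    }


def compare(before, after):
    """Return (permission change or None, list of removed/added lines)."""
    mode_change = None
    if before["mode"] != after["mode"]:
        mode_change = (oct(before["mode"]), oct(after["mode"]))
    if before["sha256"] == after["sha256"]:
        return mode_change, []
    diff = difflib.unified_diff(before["lines"], after["lines"], lineterm="", n=0)
    # Drop the two file-header lines and the @@ hunk markers.
    changed = [l for l in list(diff)[2:] if not l.startswith("@@")]
    return mode_change, changed


def demo():
    """Constructed scenario: a file locked at 404 is reset to 644 and rewritten."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".htaccess")
        with open(path, "w") as fh:
            fh.write("# constructed sample\nRewriteEngine On\nRewriteRule . - [S=2]\n")
        os.chmod(path, 0o404)
        before = snapshot(path)
        os.chmod(path, 0o644)  # stand-in for whatever tool resets the file
        with open(path, "w") as fh:
            fh.write("# constructed sample\nRewriteEngine On\n# BEGIN WordPress\n")
        return compare(before, snapshot(path))


if __name__ == "__main__":
    print(demo())
```

On a real site, call `snapshot()` on the root .htaccess right after activating BulletProof Mode and again after the warning reappears; the removed and added lines show what the other tool wrote.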

    Thread Starter footyblogger

    (@footyblogger)

    I have a hotlink protection tool under ‘security options’ but no broken hotlink protection tool in my cpanel. Not sure if this is the same thing? The blurb says
    “Hotlink protection prevents other websites from directly linking to files (as specified below) on your website. Other sites will still be able to link to any file type that you don’t specify below (i.e., HTML files).”

    I changed the permissions via FTP and they are still set to 404, so hopefully they are not ones that are automatically reset.

    After I lock the file I don’t receive the warning message that BPS security is not active. I’m not running 6scan and the only other security plugin I have is ‘WP security scan’ by Website defender if this has any conflict?

    Plugin Author AITpro

    (@aitpro)

    The cPanel HotLink Protection tool is a tool in cPanel – that is the thing that I was referring to that is broken. I have posted more info about this problem with a Sticky Thread Post since the problem continues to pop up year after year – see more details here – https://www.ads-software.com/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=2

    Ok well by locking the .htaccess file with 404 permissions then you are blocking something else that has been causing the problem. Sure sounds like the cPanel Hotlink Protection Tool problem, but if it is not then some other plugin you have installed was automatically writing to your root .htaccess file when it was not locked. There are not any conflicts between BPS and the WP Security scan plugin that I am aware of.

  • The topic ‘[Plugin: BulletProof Security] Google Analytics plugin by Joost conflicts’ is closed to new replies.