I have an eCommerce store which is created on Magento and is hosted on a managed Google GCE hosting server which is being managed by Cloudways. But, due to the increase in data hacking attempts, I want to add some extra security to my website, and for that I am looking forward to adding BulletProof Security to my website. But I am not sure if it is sustainable with the third-party host or not. If not, what do you think I should do to fully secure my website?
Can I use BulletProof Security on my managed Google hosting server?
Reply To: Popup Maker plugin being flagged with 403
Advice if you want to pass it on to the Plugin Dev: I think the optimum location for Plugins and Themes to use/create a folder for their additional scripts is directly under the /wp-content/ folder, which is what a lot of them do. Example: /wp-content/pum/.
Your UAEG folder whitelist rule is not correct. See the correct folder whitelist rule below and the additional steps required to whitelist the /uploads/pum/ folder.
https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
To edit/customize your Uploads Anti-Exploit Guard (UAEG) .htaccess file go to the B-Core > htaccess File Editor tab page > “Your Current Uploads htaccess File” tab and do the steps below.
1. Copy and paste your entire Uploads .htaccess file code from the “Your Current Uploads htaccess File” tab on the htaccess File Editor page into the CUSTOM CODE UAEG text box.
2. Edit/modify/customize your UAEG htaccess code in the CUSTOM CODE UAEG text box.
3. Click the Save UAEG Custom Code button to save your UAEG custom code.
4. Go to the Security Modes page and click the UAEG BulletProof Mode Activate button.
If you have a LiteSpeed server:
To whitelist a folder: Remove/delete the # sign from in front of this line of code in your UAEG htaccess code and change the folder name to your actual folder name that you want to whitelist.
Your actual pum folder whitelist rule with the # sign already removed.
RewriteRule ^pum/.*$ - [L]
If you have an Apache server (this step is not required if you have a LiteSpeed server):
Delete the # signs in front of #Require env whitelist and #Allow from env=whitelist shown below in your UAEG code that you copied to CUSTOM CODE UAEG.

# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    <IfModule mod_authz_core.c>
        #Require env whitelist
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        <IfModule mod_access_compat.c>
            Order Allow,Deny
            #Allow from env=whitelist
            Deny from all
        </IfModule>
    </IfModule>
</FilesMatch>
PHP file download when accessing site
Returning from my vacation I found that I couldn’t access my site or log in as admin. Clueless why this should have happened. Nothing had been done to the site.
When trying to access my site abzu.com a file is downloaded: https://prnt.sc/oyq34c
Had this problem before but the steps that were used to solve the problem before are not working now. Have checked that the PHP handler code in .htaccess corresponds to the PHP version installed. It is. This was the problem before. Have tried one of the steps offered previously to delete the AutoRestore file in phpMyAdmin hoping that would restore my site.
4. Login to PhpMyAdmin.
5. Do a search in this WordPress Database Table: xx_options for this BPS Pro AutoRestore option setting name: bulletproof_security_options_ARCM.
6. Delete the bulletproof_security_options_ARCM database option setting. AutoRestore will now be turned Off.
No luck. Contacted tech support on my server BlueHost and they have not yet been able to restore my site. Previously it was done by replacing the core files and restoring. No luck this time. 🙁
Reply To: Motopress Hotel Booking – 403 error – Whitelist Rule required
What is being blocked in the Motopress Hotel Booking Query String is this portion and code character in the Query String: Next+%3E&mphb_bookings_calendar. %3E is an encoded angle bracket >.
1. Copy the modified wp-admin htaccess file Query String Exploits code below to this wp-admin Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
2. Click the Encrypt Custom Code button – You only need to do this step if your web host has ModSecurity CRS installed and you are unable to save your custom code.
3. Click the Save wp-admin Custom Code button to save your wp-admin custom code.
4. Go to the BPS Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard.
# BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
# WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
# Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\s+|%20+\s+|\s+%20+|\s+%20+\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
#RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
#RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
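As an added check (example code written for this page, not BPS code), the script below replays the QUERY_STRING conditions of the BPSQSE block above against a few sample query strings, so you can confirm before touching a live site that commenting out the generic special-character rule lets the Motopress calendar request through while the script/iframe and SQL-keyword rules still fire. Only the %{QUERY_STRING} conditions are transcribed (the USER_AGENT, THE_REQUEST and REFERER conditions are left out); [NC] maps to re.IGNORECASE, the rules with plain [OR] stay case-sensitive. The full Motopress query string is not on the page, so the sample below is constructed around the quoted fragment; the XSS and SQLi samples are ordinary probe payloads, also constructed.

```python
import re

# Apache's RewriteCond sees the raw, still percent-encoded QUERY_STRING, so the
# samples below are kept encoded too. [NC] on the Apache side is re.IGNORECASE
# here; the rules that carry plain [OR] in the BPSQSE block stay case-sensitive.
NC = re.IGNORECASE

# The %{QUERY_STRING} rules transcribed from the BPSQSE block, in the same order.
# The generic special-character rule the modified code comments out is kept
# separately below so the two rule sets can be compared.
BPSQSE_RULES = [
    (r"[a-zA-Z0-9_]=(http|https)://", NC),
    (r"[a-zA-Z0-9_]=(\.\.//?)+", NC),
    (r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", NC),
    (r"\=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", NC),
    (r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", NC),
    (r"ftp\:", NC),
    (r"(http|https)\:", NC),
    (r"\=\|w\|", NC),
    (r"^(.*)/self/(.*)$", NC),
    (r"^(.*)cPath=(http|https)://(.*)$", NC),
    (r"(\<|%3C).*script.*(\>|%3E)", NC),
    (r"(<|%3C)([^s]*s)+cript.*(>|%3E)", NC),
    (r"(\<|%3C).*iframe.*(\>|%3E)", NC),
    (r"(<|%3C)([^i]*i)+frame.*(>|%3E)", NC),
    (r"base64_encode.*\(.*\)", NC),
    (r"base64_(en|de)code[^(]*\([^)]*\)", NC),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"^.*(\(|\)|<|>).*", NC),
    (r"(NULL|OUTFILE|LOAD_FILE)", 0),
    (r"(\.{1,}/)+(motd|etc|bin)", NC),
    (r"(localhost|loopback|127\.0\.0\.1)", NC),
    (r"concat[^\(]*\(", NC),
    (r"union([^s]*s)+elect", NC),
    (r"union([^a]*a)+ll([^s]*s)+elect", NC),
    (r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode)""", NC),
    (r"(sp_executesql)", NC),
]

# The generic special-character rule. In the unmodified BPSQSE code it sits
# right after the localhost rule, and it is what trips on "Next+%3E".
GENERIC_SPECIAL_CHARS = (r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC)


def with_generic_rule(rules):
    """Rebuild the unmodified rule order: generic rule right after the localhost rule."""
    idx = next(i for i, (pattern, _) in enumerate(rules) if "localhost" in pattern) + 1
    return rules[:idx] + [GENERIC_SPECIAL_CHARS] + rules[idx:]


ORIGINAL_RULES = with_generic_rule(BPSQSE_RULES)   # stock wp-admin BPSQSE code
MODIFIED_RULES = BPSQSE_RULES                      # generic rule commented out


def first_matching_rule(query_string, rules):
    """Pattern of the first RewriteCond that would fire (request gets a 403), or None."""
    for pattern, flags in rules:
        if re.search(pattern, query_string, flags):
            return pattern
    return None


# Constructed samples (not taken from a real log). The Motopress string embeds
# the fragment quoted in the reply; the other three are ordinary test inputs.
MOTOPRESS_QS = "page=mphb_bookings_calendar&direction=Next+%3E&mphb_bookings_calendar=1"
XSS_QS = "s=%3Cscript%3Ealert(1)%3C/script%3E"
SQLI_QS = "id=1+union+select+user,pass+from+users"
BENIGN_QS = "s=hello+world&paged=2"

if __name__ == "__main__":
    for name, qs in [("motopress", MOTOPRESS_QS), ("xss", XSS_QS),
                     ("sqli", SQLI_QS), ("benign", BENIGN_QS)]:
        print(f"{name:9} original: {first_matching_rule(qs, ORIGINAL_RULES)!r}")
        print(f"{name:9} modified: {first_matching_rule(qs, MODIFIED_RULES)!r}")
```

The point to take from the run is that the Motopress string is stopped only by the generic rule, while the encoded script tag and the union/select payload are still stopped by their dedicated rules after that one is commented out. Removing the generic rule does widen what reaches wp-admin (any other request carrying a bare %3E, %27 or %00 now passes the query-string check), so keep the change scoped to the wp-admin htaccess file as the reply describes rather than copying it to the root htaccess code.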
Reply To: Can I use BulletProof Security on my managed google hosting server.?
The BPS free and Pro plugins are specifically designed for WordPress. Google GCE is a virtual platform so even if you had WordPress installed I believe you would probably run into limitations and/or issues/problems, i.e. some BPS free or Pro features might not work on Google GCE and would need to be turned Off. I'm not really familiar with Google GCE, but if I had Google GCE the search terms I would use to look for additional website security for Google GCE would be: "Google Compute Engine security" or "Google Compute Engine website security". You should also do the same general searches for Magento website security.
Reply To: PHP file download when accessing site
Sounds like your web host did some server changes/updates/upgrades. If files are being downloaded instead of being processed then yes, the problem is that your php/php.ini handler code in your root htaccess file is either incorrect or no longer used anymore by your particular web host. You may also be having a couple of different problems on your website, i.e. the php/php.ini handler htaccess code is incorrect and WP Core files were quarantined due to a forced WordPress update by BlueHost.
BlueHost still appears to use php/php.ini handler htaccess code > https://my.bluehost.com/hosting/help/htaccess-php-handlers
Do these steps below:
1. Use FTP or your web host control panel file manager and rename the /bulletproof-security/ plugin folder to /_bulletproof-security/.
2. Login to your web host control panel and check the PHP version that your website is currently using.
3. Edit your Root htaccess file and add the correct php/php.ini handler htaccess code for your PHP version. Delete any other php/php.ini handler htaccess code that you find in your Root htaccess file.
4. See if you can now login to your website. If you can login to your website then check if files have been quarantined or not and let me know that in your forum reply.
5. Copy the new php/php.ini handler htaccess code that you added to your Root htaccess file to this BPS Root Custom Code text box: 1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
6. Click the Save Root Custom Code button. Note: If your web host has ModSecurity CRS installed and you are unable to save your Custom Code then click the Encrypt Custom Code button first and then click the Save Root Custom Code button.
Reply To: PHP file download when accessing site
When I contacted BlueHost one of the first comments I made was to confirm that the PHP version matched the PHP handler info in my .htaccess file. They said it did but I decided to check for myself and found out that it does not.
The entry in .htaccess is:
# CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
# Use PHP7.0 as default
AddHandler application/x-httpd-ea-php70 .php
AddHandler application/php-70 .php
Checking in phpMyAdmin, the version is 7.2.7. Seems the PHP was updated without my request.
So, my question is, can I simply edit the current handler code in .htaccess, without going through the suggested steps 1-6, to:

# Use PHP7.2.7 as default
AddHandler application/x-httpd-ea-php7.2.7 .php
AddHandler application/php-7.2.7 .php
I notice that the handler info from the link you provided for BlueHost differs slightly from the current handler syntax:

# Use PHP7 as default
AddHandler application/x-httpd-php70 .php

vs the current:

AddHandler application/x-httpd-ea-php70 .php

Which is correct?
As mentioned, I deleted the bulletproof_security_options_ARCM file and therefore assume that I do not have AutoRestore activated. Will activate it once I get back into my WP admin page.
Thanks for your kind reply.
Reply To: PHP file download when accessing site
My current CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE:
# Use PHP7.0 as default
AddHandler application/x-httpd-ea-php70 .php
AddHandler application/php-70 .php
# BEGIN WEBSITE SPEED BOOST
# Time cheat sheet in seconds
# A86400 = 1 day
# A172800 = 2 days
# A2419200 = 1 month
# A4838400 = 2 months
# A29030400 = 1 year
# Test which ETag setting works best on your Host/Server/Website
# with Firefox Firebug, Firephp and Yslow benchmark tests.
# Create the ETag (entity tag) response header field
# This is probably not the optimum choice to use.
#FileETag MTime Size
# Remove the ETag (entity tag) response header field
# This is most likely the optimum choice to use.
Header unset ETag
FileETag none
<IfModule mod_expires.c>
    ExpiresActive on
    # ExpiresByType overrides the ExpiresDefault...
    # cache expiration time of 2 days|A172800.
    ExpiresDefault A172800
    ExpiresByType image/jpg A4838400
    ExpiresByType image/jpeg A4838400
    ExpiresByType image/gif A4838400
    ExpiresByType image/png A4838400
    ExpiresByType image/bmp A4838400
    ExpiresByType image/x-icon A4838400
    ExpiresByType image/svg+xml A4838400
    ExpiresByType text/javascript A4838400
    ExpiresByType text/x-javascript A4838400
    ExpiresByType text/css A4838400
    ExpiresByType text/html A4838400
    ExpiresByType application/x-font-ttf A4838400
    ExpiresByType application/x-font-woff A4838400
    ExpiresByType font/opentype A4838400
    ExpiresByType application/x-shockwave-flash A4838400
    ExpiresByType application/x-javascript A4838400
    ExpiresByType application/javascript A4838400
    ExpiresByType video/mp4 A4838400
    ExpiresByType video/ogg A4838400
    ExpiresByType video/webm A4838400
</IfModule>
<IfModule mod_headers.c>
    <FilesMatch "\.(js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|gif|jpg|jpeg|png|swf|webm)$">
        Header append Cache-Control "public"
    </FilesMatch>
    <FilesMatch "\.(txt|html)$">
        Header append Cache-Control "proxy-revalidate"
    </FilesMatch>
    <FilesMatch "\.(php|cgi|pl|htm|xml)$">
        Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
        Header set Pragma "no-cache"
    </FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/xml-dtd
    AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
    AddOutputFilterByType DEFLATE font/otf font/opentype application/font-otf application/x-font-otf
    AddOutputFilterByType DEFLATE font/ttf font/truetype application/font-ttf application/x-font-ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    # Drop problematic browsers
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
</IfModule>
# END WEBSITE SPEED BOOST
Q. Do I replace the above contents with my current BlueHost php handler htaccess code, or append it somewhere? TIA
Reply To: PHP file download when accessing site
Use your new php handler htaccess code ONLY.
Reply To: PHP file download when accessing site
Saving the root custom code was not possible >>
Not Acceptable!
An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.
> click the Encrypt Custom Code button first and then click the Save Root Custom Code button.
I fail to see the Encrypt Custom Code option. Where is it located?
Reply To: PHP file download when accessing site
Yep, very common ModSecurity CRS problem. ModSecurity CRS causes dozens of problems for BPS Pro and 1000’s of problems for 1,000’s of other Plugins and Themes. The good news is we spent the past two weeks ModSecurity Proofing BPS and BPS Pro > https://forum.ait-pro.com/forums/topic/xampp-mod-security-setup-owasp-modsecurity-core-rule-set-setup/#post-37778. We just released BPS Pro 14.1 recently > https://www.ait-pro.com/aitpro-blog/5567/bulletproof-security-pro/whats-new-in-bulletproof-security-pro-14-1/. If you do not see a BPS Pro upgrade notice on the WordPress Plugins page then use the manual BPS Pro upgrade steps > https://forum.ait-pro.com/forums/topic/bulletproof-security-pro-bps-pro-upgrade-installation-methods/. There are still many other less critical things that ModSecurity CRS breaks in BPS and BPS Pro that we will complete in BPS 3.7 and BPS Pro 14.2.
Reply To: PHP file download when accessing site
I have the BlueHost php handler info added to the BPS Root Custom Code text box: 1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
Unable to save it for the mentioned reason. I assume that the encryption option is included in the new BPS Pro version 14.1. Is it safe to update BPS with my current unsaved situation?
Reply To: PHP file download when accessing site
Yes, BPS Pro 14.1 is ModSecurity Proofed and includes Encryption and Decryption to evade/bypass ModSecurity CRS. Yes, you need to upgrade to BPS Pro 14.1 in order to be able to save your Custom Code. BPS Pro upgrades are always safe to do no matter what state your website is in.
Reply To: PHP file download when accessing site
I have the activation key I used last time to download the zip file from the BPS download area. It's not being accepted. What do I need to do to obtain a valid request key?
Ahh. Managed to get the update to show in my plugins folder by performing a forced manual upgrade check. All good.
Reply To: PHP file download when accessing site
BPS Pro Download-Request Keys are used to Download BPS Pro and to Request BPS Pro Activation Keys. BPS Pro Activation Keys are used to Activate BPS Pro on a website.
Reply To: PHP file download when accessing site
Setup wizards ran without a glitch. Thanks for the help. All seems well.
Reply To: PHP file download when accessing site
I didn’t receive your last forum reply email. Sometimes that happens. Probably got blocked/rejected by Spam Assassin on our host server. I assume the new Custom Code Encryption feature to evade/bypass ModSecurity CRS worked fine to allow you to save your custom htaccess code then. Great!
Reply To: PHP file download when accessing site
The new Custom Code Encryption feature in version 14.1 to evade/bypass ModSecurity CRS worked perfectly.
Kudos on your eternal refinements to a great plugin.
Reply To: PHP file download when accessing site
Investigating the cause of my crashed site, it seems that in the implementation of a new cPanel template by BlueHost, they for whatever reason updated the PHP version to the latest. This caused a conflict with the PHP handler info in .htaccess and thus my site crashed. Reverting to 7.0 fixed the problem. Further fixes are detailed in this thread.
Reply To: PHP file download when accessing site
Thanks for confirming the new Custom Code Encryption feature successfully evades/bypasses ModSecurity CRS on BlueHost hosting. We tested the new Custom Code Encryption|Decryption feature on several different web host testing accounts, but do not have a BlueHost test hosting account to test with.
If you would like to safely/smoothly upgrade/switch to PHP 7.2.7 do the steps below:
1. Turn Off BPS Pro AutoRestore|Quarantine.
2. Unlock your root htaccess file on the BPS Pro > B-Core > htaccess File Editor page > click the Unlock htaccess File button. Note: If your web host adds php/php.ini htaccess code in your root htaccess file when you switch php server versions then unlocking your root htaccess file allows your web host to add php handler htaccess code to the very top of your root htaccess file.
3. Login to your web host control panel and switch your php version to the php version you would like to use.
4. Go back to the BPS Pro > B-Core > htaccess File Editor page > click the Your Current Root htaccess File tab > copy the new php handler htaccess code added at the very top of your root htaccess file. Note: If your web host does not use php handler htaccess code then you will not see any new php handler htaccess code at the top of your root htaccess file – skip steps 5, 6, 7 and 8 and do steps 9 and 10.
5. Go to the Custom Code tab page > click the Root htaccess File Custom Code accordion tab/button.
6. Paste your new php handler htaccess code in this BPS Root Custom Code text box: 1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE. Important Note: delete/cut/overwrite any older php handler htaccess code that you see in this Custom Code text box.
7. Click the Save Root Custom Code button. Note: If your web host has ModSecurity CRS installed and you are unable to save your Custom Code then click the Encrypt Custom Code button first and then click the Save Root Custom Code button.
8. Go to the Security Modes tab page > click the Root Folder BulletProof Mode Activate button.
9. Go to the htaccess File Editor tab page > click the Lock htaccess File button.
10. Turn AutoRestore|Quarantine back On.
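Before and after running the steps above it is worth confirming that the handler line in the root htaccess file actually names the PHP version the host is running, since a stale handler is what turned .php files into downloads in this thread. The check below is an added example written for this page, not BPS Pro or BlueHost code. It assumes the cPanel handler naming seen in this thread, where the token carries only major and minor digits (ea-php70 for PHP 7.0), so PHP 7.2.x would be ea-php72; confirm the exact token against the host's handler documentation linked earlier. The sample htaccess text is the handler block quoted in the thread, embedded here as constructed input.

```python
import re
import sys

# Constructed sample: the handler block quoted earlier in the thread, as it sat
# at the top of the root .htaccess of the PHP 7.0 site.
SAMPLE_HTACCESS = """\
# CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
# Use PHP7.0 as default
AddHandler application/x-httpd-ea-php70 .php
AddHandler application/php-70 .php
"""

# Assumption (from the ea-php70 naming on this page): the handler token carries
# only the major and minor digits of the PHP version, never the patch level.
HANDLER_RE = re.compile(r"^\s*AddHandler\s+application/x-httpd-ea-php(\d+)\s+\.php\b", re.M)


def handler_versions(htaccess_text):
    """Every ea-phpNN token declared by an AddHandler line, in file order."""
    return HANDLER_RE.findall(htaccess_text)


def version_token(php_version):
    """'7.2.7' -> '72', the digits used in ea-phpNN handler names."""
    parts = php_version.strip().split(".")
    minor = parts[1] if len(parts) > 1 else "0"
    return f"{parts[0]}{minor}"


def check_handler(htaccess_text, running_php_version):
    """Return (ok, message); ok is False when .php files would not reach the running PHP."""
    declared = handler_versions(htaccess_text)
    want = version_token(running_php_version)
    if not declared:
        return False, "no ea-php AddHandler line found; the host default handler applies"
    if len(set(declared)) > 1:
        # The reply above says to delete any other handler code: two handlers is a misconfiguration.
        return False, f"conflicting handlers declared: {sorted(set(declared))}; keep only one"
    got = declared[0]
    if got != want:
        return False, (f"handler is ea-php{got} but PHP {running_php_version} is running; "
                       f"expected ea-php{want} (the mismatch reported in this thread)")
    return True, f"handler ea-php{got} matches PHP {running_php_version}"


if __name__ == "__main__":
    # On a real site: python3 check_handler.py /path/to/.htaccess "$(php -r 'echo PHP_VERSION;')"
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            ok, msg = check_handler(fh.read(), sys.argv[2])
        print(("OK   " if ok else "FAIL ") + msg)
        sys.exit(0 if ok else 1)
    # Dry run against the constructed sample: 7.0.x matches, 7.2.7 does not.
    for ver in ("7.0.33", "7.2.7"):
        print(check_handler(SAMPLE_HTACCESS, ver)[1])
```

Take the running version from the same place Apache gets it (the PHP selector in the host control panel, or php -r on the web server's PHP binary), not from a local machine; a version reported by phpMyAdmin is the version of the PHP that serves phpMyAdmin, which on shared hosting need not be the one handling the site.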