Comment Spam Pack plugin conflict

Hello,

I followed this guide on security and installed the bullet proof security plugin https://premium.wpmudev.org/blog/wordpress-security-101-8-tips-tricks-and-tweaks-to-secure-your-wordpress-website/

The problem is that when it is activated it causes a conflict with the comment spam pack wpmu plugin - what happens is that the captcha image that is supposed to be displayed in the comment form is blocked so it does not display the image needed to enter...

When I disable the security plugin the comment captcha is displayed... does anyone know how to fix this??

Thank you,

  • tmelbs

    Hi Mason,

    I basically went through and set it up according to their instructions.. Based on another image conflict issue I had, I think what is happening is that it has some sort of "secure" .htaccess file that is located within the wp-admin folder and is supposed to protect that folder and I think it also protects against linking to those image files.. (if you type in the direct link to the image in a browser you just get a 404 error, it's like the file does not even exist in the site) So I would need some sort of line of code to add permission for those images to be accessed or the image files need to be moved out of the wp-admin folder into the root of the site. Problem for me is although I can see what's going on in the .htaccess I have no clue how to actually write a permission to fix this and allow it to work.

    One last note.. If you look into the bullet proof .htaccess file that it generates you will see a bunch of permissions for various plugins already in there - maybe go off of that?

    I hope this helped...

    Thank you!

  • Mason

    Hiya!

    I think what is happening is that it has some sort of "secure" .htaccess file that is located within the wp-admin folder and is supposed to protect that folder and I think it also protects against linking to those image files..

    This is almost positively what's happening. Good catch.

    Can you also paste a copy of these htaccess rules here in the forums (or to pastebin.com and provide a link)? I don't have the plugin installed, but if we can take a look I'm sure we can get it sorted quickly.

    Thanks!

  • tmelbs

    Hey there .. this is what it generates for the .htaccess file within the wp-admin folder.. there are other .htaccess files that it makes as well, but I believe this is the one that is causing this conflict ..if you need the others too please let me know.

    Thanks!

    #   BULLETPROOF .46.2 WP-ADMIN SECURE .HTACCESS
    
    # If you edit the line of code above you will see error messages on the BPS status page
    # BPS is reading the version number in the htaccess file to validate checks
    # If you would like to change what is displayed above you
    # will need to edit the BPS functions.php file to match your changes
    # For more info see the BPS Guide at AIT-pro.com
    
    # FILTER REQUEST METHODS
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]
    
    # QUERY STRING EXPLOITS
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
    RewriteCond %{QUERY_STRING} http\:  [NC,OR]
    RewriteCond %{QUERY_STRING} https\:  [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
    RewriteRule ^(.*)$ - [F,L]

  • Vladislav

    Hi,

    Thank you so much for your initial insight - I'd probably look for directory permissions or something else first, so that really saved some time. You were right, the cause of this issue actually was in one of the secure .htaccess files, but not the one in admin section. The problem was in the main .htaccess file - the one in the root folder of your WordPress installation.

    The quick fix is to add another "exception" rule that will allow Comment Spam Pack images to pass through. This is how it can be done:

    1) Backup your main .htaccess file, just in case something goes wrong (it shouldn't, but better be safe than sorry).

    2) Edit your main .htaccess file - this is the file located in the root folder of your WordPress installation. Locate the exception rules for other plugins. You can tell by the comments (lines prefixed with "#" character). Scroll to the end of those rules (it was around line 105 for me).

    3) Now you should add another exception rule. Basically, we have 2 options for this - please, do just one of them.

    3a) If you have your WordPress installed in a subdirectory, copy and paste these lines after the other fixes, but before the rest of the .htaccess:

    RewriteCond %{REQUEST_URI} ^/YOUR_BLOG_DIR/wp-content/plugins/comment-spam-pack/ [NC]
    RewriteRule . - [S=30]

    where YOUR_BLOG_DIR is the name of your WordPress subdirectory. If you're not sure, look at the other plugin fixes in the file to get a good idea what that value is.

    3b) If you have a root folder installation instead, copy and paste these lines:

    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/comment-spam-pack/ [NC]
    RewriteRule . - [S=30]

    4) Save your changes and test. If there are still problems with images, let me know and we'll try a less strict approach.

  • tmelbs

    Hi Vbailovity

    I tried what you suggested and it did not work. However I think I can see two of the issues -

    in your code - it looks like you give permission to the plugins folder as well as another folder called comment-spam-pack

    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/comment-spam-pack/ [NC]
    RewriteRule . - [S=30]

    I think the problem is in those 2 folders.. if you look at the install instructions for the anti spam plugin it gets installed in the mu-plugins folder AND the comment-spam-pack folder does not exist there...

    If you check out the install instructions for the comment spam pack it has you install the files outside of the folder and into the mu-plugins folder - https://premium.wpmudev.org/project/comment-spam-pack/installation/

    When you look at where the blocked anti spam image is trying to pull from it seems to want to pull from a php file within the mu-plugins folder... here is a sample of the image properties wp-content/mu-plugins/custom_anti_spam.php?antiselect=4 - the number on the end is what changes...

    Any other ideas?

    I am running wp in root folder and as a sub.domain.com

    Thanks for your help!

  • tmelbs

    ok... I have no idea how or why this worked but it did so I thought I would report back..

    after several variations of the RewriteCond code trying to see if I could get lucky and hit the right variation to make it work I ended up in a situation where it was blocking everything to the wp-admin folder to the point I could not access site to login.. So I went through ftp and deleted the .htaccess in the wp-admin folder so I could get back into the site. At that point everything was good.. so I reactivated the .htaccess file for the bullet proof plugin and all of a sudden it worked???

    So now I have the bullet proof plugin working AND the comment spam pack and there seems to be no conflict....

    again - I have no clue why that worked.. but I have tested it several times and it is working.. this makes me think I had something sideways with my .htaccess file that was created in the wp-admin folder this whole time and once it was re-written by the BP security plugin it must have fixed whatever was wrong in that .htaccess setting it back to whatever default mode was... Anyway... I now have no rewrite rule running and both plugins are activated and working...

    If anything changes I will open a post again.. but if you like you can mark this resolved...

    Thank you both for the help!

  • tmelbs

    AGH.. I wish I was so lucky.. somehow this is an issue again and I am not sure how or why.. I think it does need some sort of .htaccess rewrite rule but this is not an area I know anything about. I have tried several variations of the code that @VeBailovity provided but cannot seem to make it work.

    @VeBailovity had mentioned that there may be another way to do this?

    Any help is greatly appreciated!

    thank you,

  • Vladislav

    I'm very sorry for the confusion I made, the last time I had the plugin installed in /wp-content/plugins folder, so I provided you the instructions based on what worked for my install.

    Anyway, can you please try adding these lines to your main .htaccess file (the one in the root of your WordPress installation), and see if it helps?

    RewriteCond %{REQUEST_URI} /wp-content/mu-plugins/custom_anti_spam.php [NC]
    RewriteRule . - [S=30]

  • tmelbs

    Hi VeBailovity

    Please do not apologize - believe me I appreciate the effort and help!

    So after I made this post I had contacted my host and asked if they would be able to resolve this. They completed the support ticket before I had seen your post come back through... Here is what they added to the .htaccess and it is working - I thought I had tried this combination before but maybe I had something off - anyway here is how I have it working now...

    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=30]

    Again thank you very much!
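
When a rewrite-based filter blocks a legitimate request, it helps to find the exact condition that fired before writing an exception. The following is an added example, not part of the original thread or of either plugin: it runs the query-string conditions from the wp-admin .htaccess posted above against the captcha query string quoted in the thread. Assumptions: Python's `re` stands in for Apache's regex engine, and the posted file only governs requests under wp-admin; the root .htaccess is not shown in the thread, so whether it carries the same conditions is unknown.

```python
import re

# Query-string conditions copied from the wp-admin .htaccess posted in the thread.
# True = the condition carries the [NC] (case-insensitive) flag.
CONDITIONS = [
    (r"\.\.\/", True),
    (r"boot\.ini", True),
    (r"tag\=", True),
    (r"ftp\:", True),
    (r"http\:", True),
    (r"https\:", True),
    (r"(\<|%3C).*script.*(\>|%3E)", True),
    (r"(\<|%3C).*iframe.*(\>|%3E)", True),
    (r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", True),
    (r"base64_encode.*\(.*\)", True),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"^(.*)cPath=http://(.*)$", True),
    (r"^(.*)/self/(.*)$", True),
    (r"^.*(\[|\]|\(|\)|<|>).*", True),
    (r"^.*(globals|encode|localhost|loopback).*", True),
    (r"^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop"
     r"|delete|create|alter|update|order|char|set|cast|convert|meta|script"
     r"|truncate).*", True),
]

def matching_conditions(query_string):
    """Return (pattern, matched_text) for every condition the query string trips."""
    hits = []
    for pattern, nocase in CONDITIONS:
        m = re.search(pattern, query_string, re.IGNORECASE if nocase else 0)
        if m:
            # Report the keyword group when there is one, else the whole match.
            hits.append((pattern, m.group(m.lastindex) if m.lastindex else m.group(0)))
    return hits

def is_forbidden(query_string):
    """The conditions are OR-chained, so one hit is enough for the [F] rule."""
    return bool(matching_conditions(query_string))

if __name__ == "__main__":
    # The captcha query string is from the thread; the other two are constructed.
    for qs in ["antiselect=4", "p=12", "page=settings&orderby=name"]:
        print(qs, "->", "403" if is_forbidden(qs) else "pass", matching_conditions(qs))
```

Unanchored keyword lists such as `select`, `set` and `order` match inside longer parameter names, so the same check is useful for any new plugin URL before a filter like this goes live.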