Known conflicts with security plugins

We notice several conflicts with popular security plugins.

Table of Contents


iThemes Security

Reason

When the option Security -> Settings -> Advanced -> System Tweaks -> Disable PHP in Plugins is enabled, all AJAX calls of the live search will be blocked.

Solution

You could disable this option, but we have a more secure solution. After saving this option, iThemeSecurity adds the following code to your .htaccess file:

This line requires a small change to make it work with FiboSearch. We have to exclude the FiboSearch endpoint path from the RewriteRule. Follow these steps:

Step 1 – Add a custom code

Add the following code snippet to your functions.php or in the CodeSnippets plugin.

add_filter( 'itsec_filter_apache_server_config_modification', function ( $modification ) {
	$modification = str_replace( 'RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]', 'RewriteRule ^wp\-content/plugins/(?!ajax\-search\-for\-woocommerce\-premium/includes/Engines/TNTSearchMySQL/Endpoints/search\.php).*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]', $modification );

	return $modification;
}, PHP_INT_MAX - 5 );

Step 2 – Save iThemes security settings again

Go to Security -> Settings -> Advanced -> System Tweaks. Uncheck the option “Disable PHP in Plugins” and save settings. Right after that check it again and save settings one more time. Thanks to this, iTheme security should add a changed version of RewriteRule in your .htaccess file.

As a result, your website will be protected against PHP execution in the plugins directory, but the FiboSearch endpoint will be excluded from these restrictions.


Sucuri Security

Reason

Sucuri security firewall may block AJAX calls of the live search

Solution

  1. You need to log in to your Sucuri panel https://login.sucuri.net.
  2. Go to the settings
  3. Find section Access Control -> whitelist URL
  4. Add the following URL to the white list:
https://your-domain.com/wp-content/plugins/ajax-search-for-woocommerce-premium/includes/Engines/TNTSearchMySQL/Endpoints/search.php

WP Defender by WPMU DEV

Reason

WP defender may disable PHP execution from the plugins directory. Then AJAX calls of the live search will be blocked.

Solution

Go to Defender -> Recommendations -> Actioned -> Prevent PHP execution and add following file as exception.

search.php

Still not working?

Some security plugins don’t clean up after themselves. Try to check manually if you have security rules added to e.g. .htaccess in the following paths:

wp-content/.htaccess
wp-content/plugins/.htaccess

NGINX configuration blocks AJAX endpoint

Some nginx configuration may block executing PHP files included directly in the plugins directory. There is no one solution. It depends on your NGINX configuration. We recommend contact your hosting provider and ask to allow to execute the following file:

https://your-domain.com/wp-content/plugins/ajax-search-for-woocommerce-premium/includes/Engines/TNTSearchMySQL/Endpoints/search.php

Here are few samples nginx config which helps other users.

  1. Adding extra rules to /usr/local/nginx/conf/wpsecure_${vhostname}.conf
# Whitelist Exception for FiboSearch endpoint
location ~ ^/wp-content/plugins/ajax-search-for-woocommerce-premium/includes/Engines/TNTSearchMySQL/Endpoints/ {
  include /usr/local/nginx/conf/php.conf;
}