BulletProof Security Free Version Plugin Guide – BPS Version .47.1 – .45.5

Author: AITpro Admin
Published: July 20, 2010
Updated: October 6, 2012

Troubleshooting BulletProof Security plugin issues:

If you think BPS is causing a plugin conflict or any other issue on your website, use the steps below to take BPS out of the equation completely for testing (there is no need to deactivate BPS; it has a built-in Default Mode). If you find that BPS does conflict with another plugin, check the BulletProof Security Plugin Compatibility Issues – Testing and Fixes Page (link above) to see if a fix (bypass/skip rule) is already listed. If your plugin is not listed and you have confirmed that BPS is definitely causing the conflict, post a comment on the Questions, Comments, Problems & Wishlist Page (link above). Thank you.

1. Make a backup of your .htaccess files using BPS Backup.
2. Activate Default Mode on the Security Modes page.
3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
4. Test your plugin or theme.
5. Restore your .htaccess files using BPS Restore.

To completely uninstall BPS, do steps 2 and 3 above and then delete the BPS plugin on the WP Plugins page.

NOTE: Both the Root BulletProof Mode and the wp-admin BulletProof Mode MUST be activated together. If you do not activate the wp-admin BulletProof Mode, some wp-admin Dashboard functions may not work correctly, such as configuring Widgets or activating and deactivating plugins.

 

AutoMagic is not working / not creating Master .htaccess files, or you are unable to use the built-in .htaccess file editor, or you are unable to Backup or Restore files

The most likely cause is that your Server API is DSO (PHP running as an Apache module) rather than CGI. You can check your Server API on the BPS System Info tab page. On a DSO-configured server PHP runs as the web server user rather than as your hosting account user, so files created by BPS and files you uploaded by FTP end up with different owners, and some of the automated features in BPS will not work correctly. You will unfortunately need to perform the steps below manually using FTP. A future version of BPS will have code that compensates for this so that the automation also works on DSO-configured servers.

To Create the secure.htaccess file with AutoMagic
  – Change permissions of the secure.htaccess file to 777 – /wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess
To Activate BulletProof Mode for your Root folder
  – Change permissions of your Root .htaccess file to 777 – /your-website-root-folder/.htaccess
To Activate BulletProof Mode for your wp-admin folder
  – Change permissions of the wp-admin .htaccess file to 777 – /your-website-root-folder/wp-admin/.htaccess
Activate Deny All htaccess Folder Protection For The BPS Master htaccess Folder
  – Change permissions of the /wp-content/plugins/bulletproof-security/admin/htaccess folder to 777
Activate Deny All htaccess Folder Protection For The BPS Backup Folder
  – Change permissions of the /wp-content/bps-backup/htaccess file to 777
Backup Your Currently Active .htaccess Files
  – Change permissions of the /wp-content/bps-backup folder to 777
Backup Your BPS Master .htaccess Files
  – Change permissions of the /wp-content/bps-backup/master-backups folder to 777

Once you have completed the installation steps above, change the permissions of both .htaccess files back to 644 and change all of the folder permissions back to 755 (or whatever you previously had for those folders). Do not leave anything at 777: a world-writable .htaccess file or folder can be modified by any other account on a shared server, which would let that account rewrite your site's access and rewrite rules. Another option is to download the secure.htaccess, wpadmin-secure.htaccess and deny-all.htaccess files and then use FTP to upload them manually to where they belong.

All information below this point is older BulletProof Security version information. Everything in BPS has been automated since the release of BPS .46.5, so the information below is obsolete. This Guide page will be kept for SEO purposes. The current BPS troubleshooting page can be found here >>> http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/

 

 

*** BulletProof Security .46.3 – HUD now checks the root .htaccess file for any conflicts with W3TC and WPSC.  The Heads Up Display will display a warning or error message with instructions on what needs to be done to fix any root htaccess conflicts ***

*** BulletProof Security .46.2 – AutoMagic .htaccess file creation so most of the guide is still helpful for manual editing info or other various references, but setup and installation is now completely automated *** 

BulletProof Security can be installed if you are using an IIS server for web hosting, but only install BulletProof on a Windows IIS server if you understand IIS hosting very well. BPS has a new Heads Up Display (HUD), which will tell you whether you can activate BulletProof Security Modes. In most IIS cases you will only be able to use the additional features in BulletProof Security, not activate BulletProof Security Modes: the Security Modes are .htaccess files built on mod_rewrite, which is an Apache module, and IIS does not process .htaccess files or support mod_rewrite natively. Check with your web host and also read the WordPress Codex for more information on using Permalinks without mod_rewrite.


BulletProof Security .46.8 Specs

BulletProof Security .46.8 PHP Memory Usage: about 100KB (0.10MB)

BulletProof Security .46.8 Total Disk Size: 0.98MB

BulletProof Security .46.8 Performance: zero front end drag, zero back end drag, zero page load time added

 

BulletProof Security .46.4 Features

BulletProof Security is essentially a website firewall for your website. The filters contained in the BulletProof Security master .htaccess files reject requests that match known malicious patterns before they reach your WordPress code. When the BulletProof Security filters detect a malicious request, whether from a user or a bot, the request is immediately answered with a Forbidden (403) page. This could also be your 404 page if you want to add that path to your 404 page in the BulletProof Security master .htaccess files.

As of BulletProof Security .46.3 – W3TC and WPSC HUD checks
As of BulletProof Security .46.3 the Maintenance Mode Form options are saved to the DB
As of BulletProof Security .46.2 everything is AutoMagic and Full Manual Control is still available
As of BulletProof Security .46.1 Maintenance Mode is AutoMagic
As of BulletProof Security .45.8 permanent online backup solution provided.
* Permanent Backup and Restore options added – permanent online backup and restore
* Permanent Backup and Restore for all .htaccess files
* Permanent Backup and Restore for File Uploader and File Downloader setup settings
* Additional new .htaccess coding and modifications added to the BulletProof Security master .htaccess files
* New plugin conflict permanent fixes added to the secure.htaccess Master file
* WordPress readme.html and /wp-admin/install.php are now protected by BulletProof Security
* Improved Success / Error messaging – more detailed success / error messages displayed
* New Help and FAQ links added – New detailed Help and Info pages created

BulletProof Security – jQuery UI Tabbed Menu

The new BulletProof Security jQuery UI tabbed menu is using the default jquery-ui-tabs script included with WordPress. The menu buttons have CSS hover effects for better visual and functional navigation.

BulletProof Security – Security Features

Known SQL injection attack patterns in requests are blocked by .htaccess protection
Known XSS attack patterns in requests are blocked by .htaccess protection
wp-config.php is .htaccess protected by BPS
php.ini and php5.ini are .htaccess protected by BPS
WordPress readme.html file is .htaccess protected by BPS
WordPress /wp-admin/install.php file is .htaccess protected by BPS
Options -Indexes ensures directory browsing is not allowed
BulletProof Security File Editor – Edit BPS Files from within The WP Dashboard
BulletProof Security File Downloader – Download Files from within The WP Dashboard
BulletProof Security File Uploader – Upload Files from within The WP Dashboard
Deny All htaccess protection for your BPS Master /htaccess folder
Deny All htaccess protection for your BPS htaccess /backup folder
WordPress DB Show Errors Function Is Set To: false
WordPress Database Errors Are Turned Off
WordPress Meta Generator Tag Removed
WordPress Version Is Not Displayed / Not Shown
Default Administrator username “admin” account check
File and Folder Permission Checks
Online – Permanent Backup & Restore for .htaccess and setup files
503 Website Maintenance Mode – Enter your website info and activate
Log In / Out of your Website in Maintenance Mode
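To make concrete what the file-protection and request-filter items in this list mean in practice, here is an added example .htaccess fragment written for this guide. It is not the BPS secure.htaccess master file (which carries many more rules), and the filter patterns in it are a small illustration of the technique, not BPS's actual filter list. It assumes Apache with mod_rewrite enabled, a host that allows Options and access-control overrides in .htaccess, either the Apache 2.4 mod_authz_core directives or the older 2.2 Order/Deny syntax, and that it sits in the WordPress root .htaccess above the WordPress rewrite block.

```apache
# Added example for this guide, not the BPS master .htaccess file.
# Place at the top of the WordPress root .htaccess, before "# BEGIN WordPress".

# Options -Indexes: never list directory contents when no index file exists
# (needs AllowOverride Options or All on the host).
Options -Indexes

# Block direct web access to configuration and install/readme files.
# A FilesMatch in the root .htaccess is inherited by subfolders, so
# /wp-admin/install.php is covered as well. Caveat: any other file named
# install.php or readme.html (for example inside a plugin) is also blocked.
<FilesMatch "^(wp-config\.php|php5?\.ini|readme\.html|install\.php)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Illustrative request filter of the kind the SQL injection / XSS items refer to:
# a request whose query string matches an attack pattern gets a 403 (the [F]
# flag) instead of reaching WordPress. These patterns are a sample, not the BPS
# list. Caveat: %{QUERY_STRING} is matched as sent, so URL-encoded variants
# (%3Cscript, %2e%2e%2f) slip past a literal pattern; treat this as a filter
# that cuts noise, not as a substitute for parameterized queries and output
# escaping in the application itself.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\.\./|<script|union[^a-z]+select|concat\s*\() [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode|eval\s*\() [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Deny All folder protection: the same Require/Order/Deny stanza above, without
# the FilesMatch wrapper, saved as the only content of a .htaccess file inside
# /wp-content/bps-backup/ and the BPS master /admin/htaccess/ folder refuses
# every web request for those folders while leaving FTP/PHP access untouched.
```

A quick check after saving: requesting /wp-config.php or /?s=%3Cscript%3E should now return 403 (note the encoded form still passes the sample filter but hits nothing sensitive; the literal /?s=<script> is what the pattern catches), while /?p=1 and normal permalinks still return 200. If every page returns 500 instead, the host does not allow one of the overrides and that directive has to be dropped or moved to the server configuration.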
 
BulletProof Security – System Information Panels
 
Website / Server / IP Info:
Website Root Folder:
Website Document Root Path:
WP ABSPATH:
Server / Website IP Address:
Public IP / Your Computer IP Address:
Server Type:
Operating System:
Multisite:
Browser Compression Supported:
PHP Version Check:
 
BulletProof Security – PHP Information:
 
PHP Version:
PHP Memory Usage:
PHP Memory Limit:
PHP Max Upload Size:
PHP Max Post Size:
PHP Safe Mode:
PHP Allow URL fopen:
PHP Allow URL Include:
PHP Display Errors:
PHP Display Startup Errors:
PHP Expose PHP:
PHP Register Globals:
PHP Max Script Execution Time:
PHP Magic Quotes GPC:
PHP open_basedir:
PHP XML Support:
PHP IPTC Support:
PHP Exif Support:
 
SQL Database / Permalink Structure / WP Installation Folder
 
MySQL Database Version:
MySQL Client Version:
Database Host:
Database Name:
Database User:
SQL Mode:
WordPress Installation Folder:
WordPress Installation Type:
WP Permalink Structure:
Permalinks Enabled:
 

Everything after this point is old BulletProof Security version information. Everything in BPS is automated these days, but if you are looking for manual instructions or other info, read on. After the release of BPS .46.5 much of this information became obsolete. This content will remain for SEO purposes and should not be used as a guide or help for current BPS free versions.

Step 1 – BulletProof Security – Install and Activate BulletProof Security

BulletProof Security now has AutoMagic .htaccess file creation, so setup and installation is completely automated. The BulletProof Security Guide should be used as a reference for manual .htaccess file editing and for other questions you may have about BPS.
First off, do not let the amount of help info contained in the BulletProof Security guide make you think that BulletProof Security is a complicated and difficult plugin to install, set up or use. On the contrary, the BulletProof Security plugin is a very simple and easy plugin to install, set up and use. If your WordPress installation is in your website root folder then you do not need to do anything – just install and activate the BulletProof Security Modes (please read Step 2 just to be absolutely sure). BulletProof Security has backup and restore, so be sure to perform a backup before activating the BulletProof Security Modes for the first time. If your WordPress installation is in a subfolder off the root of your website domain, you will need to add the WordPress folder name (the folder where WordPress is installed on your website) to the BulletProof Security master .htaccess files before activating the BulletProof Security Modes.

*Installing the BulletProof Security plugin only installs the plugin files – No website security protection is activated on installation of the BulletProof Security Plugin. This also means that when you upgrade BulletProof Security your existing BulletProof Security .htaccess files are not changed until you activate the newer BulletProof Security .htaccess files. For people who are installing BulletProof Security for the first time please read Step 2 before activating BulletProof Security modes.*

BulletProof Security Settings Page

After installing BulletProof Security click on the Settings link directly under BulletProof Security in the main Plugins options window or go to the WordPress Settings panel and click on the BulletProof Security link. Either link takes you to the same BulletProof Security Settings page. If you are performing a new installation of BulletProof Security please read Step 2 before activating any BulletProof Security modes.

*If you are upgrading BulletProof Security perform a backup using BulletProof Security Backup and Restore. As of BulletProof Security .45.8 the backups are permanent and you can restore those backups after upgrading. You can of course also use the BulletProof Security File Downloader to make local backups to your computer before upgrading * Backed up files are located and stored here >>> /wp-content/bps-backup/ .

Step 2 – BulletProof Security – Checking and Determining Whether Your WordPress Installation Is In Your Website Domain Root or In a Subfolder of Your Website Domain Root

It is absolutely critical that you add the correct RewriteBase and RewriteRule in the BulletProof Security .htaccess files for WordPress to function normally. As of BulletProof Security .46.2, AutoMagic .htaccess file creation has been added so that creating the correct .htaccess files for your specific website is fully automated. Most of this guide pertains to manually configuring or manually editing BulletProof Security and to other questions you might have, so you can now use it as a reference if you run into any issues instead of as a setup or installation guide. WordPress will also generate the correct .htaccess code for you automatically (read the fast, simple and automated method below), but that method is not needed any longer since BPS AutoMagic does it for you. Instructions for doing this manually are also included. If you are using the manual method of adding your RewriteBase and RewriteRule for WordPress, read all of Step 2 first before activating any BulletProof Security Modes. BulletProof Security .46.2 does all of this for you automatically. (The expected release date for BulletProof Security .46.2 was 4-26 to 5-1.)

BulletProof Security – The fast, simple and automated method of generating the correct WordPress .htaccess code for your website

BulletProof Security now has AutoMagic .htaccess file creation, so this is no longer necessary. If you are already using WordPress permalinks, go to your Settings Panel >>> click Permalinks >>> click the Save Changes button. WordPress automatically writes the correct .htaccess code to Your Current Root htaccess File. Now go to the BulletProof Security File Editor and click on the Your Current Root htaccess File menu tab and you will see the new .htaccess code that WordPress has written to Your Current Root htaccess File. You can then copy and paste that WordPress .htaccess code into the secure.htaccess master file using the File Editor and click the Update File button to save your editing changes. You can now activate BulletProof Security Mode.

The .htaccess code that WordPress writes to Your Current Root htaccess File (your .htaccess code may look slightly different):

# BEGIN WordPress
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If you are not using WordPress permalinks yet (every WordPress website should be using a custom permalink structure for better performance and SEO reasons), take a look at this post for instructions on why and how to add a custom permalink structure for your website >>> Best WordPress Permalink Structure

Note: At some point in later versions of BulletProof Security the plugin fixes in the secure.htaccess file will be written to automatically (AutoMagic Mode). For now the additional plugin fixes will require manual editing ONLY if your WordPress installation is in a subfolder. This is NOT required for WordPress websites that are installed in the website domain root folder. See Modifying the BulletProof Security htaccess Master Files.

BulletProof Security – Information on Manually adding the correct .htaccess RewriteBase and RewriteRule for WordPress

After installing BulletProof Security click on the System Info Menu

Under the Website / Server / IP Info table you will see your website root folder listed.

1. Examples of Website Root Folders in the root of a website domain – WordPress Root Folder Installations where WordPress is installed into the root folder not a subfolder of the website domain

This example shows that this website root folder is also the root of this website domain. This is also the root folder for the WordPress installation in this example.

Website Root Folder: http://www.ait-pro.com/

More examples of Website Root Folders in the root of a website domain:

http://ait-pro.com/ – Same as above just without a prefix

http://blog.ait-pro.com/ – this one fools a lot of people – this is still a website root folder in the root of a website domain and not a subfolder.

2. Subfolder Examples of Website Root Folders in the root of a website domain – The difference is that WordPress is installed in a Subfolder off of the root website folder

This example shows that the “blog” folder is a subfolder of the root of this website domain. This is also considered the root folder for the WordPress installation. The wording is confusing I know.

Website Root Folder: http://www.ait-pro.com/blog/

More subfolder examples:

http://ait-pro.com/blog/ – no www. prefix, but the blog folder is a folder created in the ait-pro.com website domain root, which makes it a subfolder.

http://blog.ait-pro.com/other-folder/ – this is a subfolder WordPress installation not because of the blog prefix, but because of the folder named “other-folder” created in the website root domain of blog.ait-pro.com

Double Prefix naming mistake

http://www.blog.ait-pro.com/my-blog-folder/ – if your Website Root Folder shows 2 prefixes (www and blog) then this is a mistake that needs to be corrected in your Settings Panel > General Settings page. The subfolder in this example would be /my-blog-folder.

If your Website Root Folder is in the root of your website domain shown in example 1, then you do not need to make any modifications to the BulletProof Security master files. Go to Step 3.

IMPORTANT!

If your Website Root Folder is in a subfolder of the root of your website domain shown in example 2, then you will have to make modifications to the BulletProof Security master .htaccess files by adding your WordPress subfolder name to the BulletProof Security .htaccess files. You can use the WordPress update permalinks method to generate the correct .htaccess code for your website or you can just do this manually. Do not proceed to Step 3. Click on this link instead >>> Modifying the BulletProof Security master .htaccess files for WordPress installations in subfolders.

Step 3 – BulletProof Security – Checking and Making a Note of Red Warning Messages Displayed on the Security Status page

The warning or error messages you will see in BulletProof Security are intuitive and should be fairly self explanatory on what you need to do next. When you first install BulletProof Security you will see red warning messages informing you of what has been done or what has not been done yet or if you have any problems. You are just making a note of warnings and errors in steps 3 and 4 and mostly this is just to reassure people that seeing red warning messages when you first install BulletProof Security is completely normal.

Click on the Status menu tab and make a note of any red warning messages you see. You may see warnings such as these:

The .htaccess file that is activated in your root folder is:
string(45) “EGIN WordPress Rew”
 
√ wp-config.php is .htaccess protected by BPS
√ php.ini and php5.ini are .htaccess protected by BPS
 
Deny All protection NOT activated for BPS Master /htaccess folder
Deny All protection NOT activated for /wp-content/bps-backup folder
 
NO .htaccess file was found in your /wp-admin folder
 
After you have activated BulletProof Modes and Deny All protection you should see this
 
The .htaccess file that is activated in your root folder is:
string(45) ” BULLETPROOF .45.8 >>>>>>> SECURE .HTACCESS “
 
√ wp-config.php is .htaccess protected by BPS
√ php.ini and php5.ini are .htaccess protected by BPS
 
√ Deny All protection activated for BPS Master /htaccess folder
√ Deny All protection activated for /wp-content/bps-backup folder
 
The .htaccess file that is activated in your /wp-admin folder is:
string(45) ” BULLETPROOF .45.8 WP-ADMIN SECURE .HTACCESS “
 
Warnings Under General BulletProof Security File checks
 
√ An .htaccess file was found in your root folder
√ An .htaccess file was found in your /wp-admin folder
√ A default.htaccess file was found in the /htaccess folder
√ A secure.htaccess file was found in the /htaccess folder
√ A maintenance.htaccess file was found in the /htaccess folder
√ A bp-maintenance.php file was found in the /htaccess folder
√ A wpadmin-secure.htaccess file was found in the /htaccess folder
Your Current Root .htaccess file is NOT backed up yet
Your Current wp-admin .htaccess File is NOT backed up yet
Your File Upload settings are NOT backed up yet
Your File Download settings are NOT backed up yet
Your BPS Master default.htaccess file is NOT backed up yet
Your BPS Master secure.htaccess file is NOT backed up yet
Your BPS Master wpadmin-secure.htaccess file is NOT backed up yet
Your BPS Master maintenance.htaccess file is NOT backed up yet
Your BPS Master bp-maintenance.php file is NOT backed up yet
 

Step 4 – BulletProof Security – Checking and Noting red warning messages on the Backup & Restore page

Click on the Backup & Restore menu tab. At the bottom of the BulletProof Security Backup & Restore page under the “Current Backed Up .htaccess Files Status” window you should see warning messages such as these:

√ An .htaccess file was found in your root folder
NO .htaccess file was found in your /wp-admin folder
 
Your Root .htaccess file is NOT backed up either because you have not done a Backup yet, an .htaccess file did NOT already exist in your root folder or because of a file copy error. Read the “Current Backed Up .htaccess Files Status Read Me” hover ToolTip for more specific information.
 
Your wp-admin .htaccess file is NOT backed up either because you have not done a Backup yet, an .htaccess file did NOT already exist in your /wp-admin folder or because of a file copy error. Read the “Current Backed Up .htaccess Files Status Read Me” hover ToolTip for more specific information.
 
Your default.htaccess Master file has NOT been backed up yet!
Your secure.htaccess Master file has NOT been backed up yet!
Your wpadmin-secure.htaccess Master file has NOT been backed up yet!
Your maintenance.htaccess Master file has NOT been backed up yet!
Your bp-maintenance.php Master file has NOT been backed up yet!
 

Step 5 – BulletProof Security – Backup, Restore and Activation of BulletProof Security Modes

Step 5 is in need of updating – this information was written for older versions of BulletProof Security, but the general principles are still pretty much the same.

BulletProof Security now has AutoMagic .htaccess file creation, so the updating Permalinks method is no longer necessary. Looking for the fast, simple and automated installation method >>> Updating WordPress Permalinks to generate your correct htaccess code

Note: As of BulletProof Security .45.8 permanent online backup options have been added. As of BulletProof Security .45.7 you can now use the File Editor to copy and paste from your old htaccess files to your new htaccess files and Download and Upload the BulletProof Security files from within the WordPress Dashboard.

These are the 3 most common scenarios for new installations of BulletProof Security. Find the example scenario that matches what you want to do and follow the steps of that particular backup and activation scenario.

Example Scenarios:

BulletProof Security – Scenario 1

You want to make sure that you have backups of your existing htaccess files before activating any BulletProof Security Modes.

Perform a Backup now. I also recommend downloading your existing .htaccess files as an additional backup precaution. Next click on the Security Modes menu tab. Select BulletProof Mode for your website Root folder and click the activate button. Now open another separate browser window or separate browser tab. Do not leave your WordPress Dashboard yet. Make sure that your website is viewable and click on links to pages and posts to test that links are working correctly. If everything is working fine then activate BulletProof Mode for the /wp-admin folder.

If you were not able to view your site in the step above or links were not working correctly then perform a Restore by clicking on the Backup and Restore menu tab and select Restore htaccess files and click the Restore Files button. Your website is now back where it was before you activated any BulletProof Modes. At this point you will need to figure out what the issue is with your website that is causing BulletProof not to work correctly. The two most common issues are that your WordPress installation is actually in a subfolder or you are using two domain prefixes (www.blog.website.com – www and blog together being the 2 prefixes). Another common problem is that your website is running PHP4 not PHP5. The guide explains the most common problems and solutions. For assistance please post a comment – you should hear back from Ed within an hour or so. ;)

BulletProof Security – Scenario 2

The most common scenario is that you have an existing .htaccess file in your website root folder, but not in your /wp-admin folder and you are not concerned about saving or backing up the existing .htaccess file. Back it up anyway. ;)

You have a choice here of performing a Backup to back up just your existing root .htaccess file and leave the red warning message the way it is for the /wp-admin folder. It is not a critical thing either way. This is more of a cosmetic thing if you don’t like seeing red warning messages.

Or

Recommended: You can click on the Security Modes menu tab and activate BulletProof mode for just your /wp-admin folder – this generates a new htaccess file for your /wp-admin folder. Now go back to the Backup & Restore menu tab and click the One Time Backup button. This means that you backed up your original existing .htaccess file that was in your website root folder and also backed up the new .htaccess file that you just created by activating BulletProof mode for your /wp-admin folder. I also recommend downloading your existing .htaccess file as an additional backup precaution. This method is just basically a way to get rid of the red error message regarding a wp-admin .htaccess file being backed up or not on the Backup and Restore page. ;)

You should now see these green status messages displayed in the “Current Backed Up .htaccess Files Status” window and all green status messages on the Security Status page.

√ An .htaccess file was found in your root folder

√ An .htaccess file was found in your /wp-admin folder

Your original root .htaccess file is backed up.

Your original /wp-admin .htaccess file is backed up.

You can now activate BulletProof Mode for your website root folder. Click on the Security Modes menu. Activate BulletProof Mode in your website root folder. Now open another separate browser window or separate browser tab. Do not leave your WordPress Dashboard yet. Make sure that your website is viewable and click on links to pages and posts to test that links are working correctly. If everything is working fine then you are good to go.

If you were not able to view your site in the step above or links were not working correctly then perform a Restore by clicking on the Backup and Restore menu tab and select Restore htaccess files and click the Restore Files button. Your website is now back where it was before you activated any BulletProof Modes. At this point you will need to figure out what the issue is with your website that is causing BulletProof not to work correctly. The two most common issues are that your WordPress installation is actually in a subfolder or you are using two domain prefixes (www.blog.website.com – www and blog together being the 2 prefixes). Another common problem is that your website is running PHP4 not PHP5. The guide explains the most common problems and solutions. For assistance please post a comment – you should hear back from Ed within an hour. ;)

BulletProof Security – Scenario 3

You do not have any existing .htaccess files in either your website root folder or /wp-admin folders.

Nothing to Backup so you can now just go to the Security Modes menu tab and activate BulletProof Modes for both your website root folder and /wp-admin folders.

Check to make sure everything is working fine. Open another separate browser window or separate browser tab. Do not leave your WordPress Dashboard yet. Make sure that your website is viewable and click on links to pages and posts to test that links are working correctly. If everything is working fine then you are good to go.

If you run into a problem here then FTP to your website and delete the .htaccess file in your website root folder. Since you did not have any original htaccess files to begin with you will not be able to use the Restore feature.

At this point you will need to figure out what the issue is with your website that is causing BulletProof not to work correctly. The two most common issues are that your WordPress installation is actually in a subfolder or you are using two domain prefixes (www.blog.website.com – www and blog together being the 2 prefixes). Another common problem is that your website is running PHP4 not PHP5. The guide explains the most common problems and solutions. For assistance please post a comment – you should hear back from Ed within an hour. ;)

BulletProof Security – Modifying The BulletProof Security .htaccess Master Files For Website Owners With WordPress Installations In Subfolders

The fast, simple and automated method of generating the correct WordPress .htaccess code for your website

BulletProof Security now has AutoMagic .htaccess file creation, so this is no longer necessary. If you are using WordPress permalinks, go to your Settings Panel >>> click Permalinks >>> click the Save Changes button. WordPress automatically writes the correct .htaccess code to Your Current Root htaccess File. Now go to the BulletProof Security File Editor and click on the Your Current Root htaccess File menu tab and you will see the new .htaccess code that WordPress has written to Your Current Root htaccess File. You can then copy and paste that WordPress .htaccess code into the secure.htaccess master file using the File Editor and click the Update File button to save your editing changes. You can now activate BulletProof Security Mode.

If you are not using WordPress permalinks yet (every WordPress website should be using a custom permalink structure for better performance and SEO reasons), take a look at this post for instructions on why and how to add a custom permalink structure for your website >>> Best WordPress Permalink Structure

Note: As of BulletProof Security .45.8 permanent online backup options are available. As of BulletProof Security .45.7 you can now Edit the BulletProof Security htaccess files within the WordPress Dashboard with the new BulletProof Security File editor. BulletProof Security now also has File Download and File Upload from within the WordPress Dashboard.

If your WordPress installation is in a subfolder of your website root domain, you will need to modify these 3 BulletProof Security master .htaccess files: default.htaccess, secure.htaccess and maintenance.htaccess. Once you have made all of the necessary modifications to these 3 files you can proceed back to Step 3. These modifications should only take you about 10 minutes. I have overexplained this step so that there are no misunderstandings about what needs to be modified. Skip to the examples, and if they make sense to you then you don't need to read all the additional explanations here.

In these examples WordPress is installed in a folder called my-blog-folder. The website domain is called my-website-domain.com. If WordPress was installed in just the root website folder of www.my-website-domain.com/ then you would not need to modify any of the htaccess files. It is also of course possible that you have 2 WordPress installations (or possibly many more) – 1 in your root website domain folder – my-website-domain.com and another WordPress installation in your my-blog-folder. If this is the case then you are actually installing BulletProof Security on 2 separate WordPress websites and only the my-blog-folder WordPress website would need to have the htaccess master files modified for a WordPress subfolder installation. If you have a WordPress multisite (WPMU) set up then see the Multisite help section.

For this example WordPress is installed here in this subfolder >>> www.my-website-domain.com/my-blog-folder

This example assumes you have chosen to enter your RewriteBase and RewriteRule folder name manually. If you are not 100% sure what they are supposed to be, you can have WordPress generate the RewriteBase and RewriteRule folder paths automatically; see Updating or Creating WordPress Custom Permalinks.

Click on the BulletProof Security Upload/Download/Edit menu tab. You will see a BulletProof Security File Editing window with several menu tabs with the names of all of the .htaccess files that can be edited (read more about the BulletProof Security File Editing window). Click on the “Your Current Root htaccess File”. This is your actual currently active root .htaccess file for your website. If you don’t have an .htaccess file then you will not see any file contents – the window will display a message that you do not have an .htaccess file if one does not actually exist yet. If you choose to use the update permalinks method of automatically generating your correct RewriteBase and RewriteRule folder paths then this is the .htaccess file where WordPress will write to or create if none exists yet.

The first file you should edit is the secure.htaccess master file. Click on the secure.htaccess menu tab. You are now viewing the BulletProof Security Master secure.htaccess file that will become “Your Current Root htaccess File” once you have activated BulletProof Security Mode for your Root folder. Follow the modification examples below replacing the example folder name of “my-blog-folder” with your actual WordPress installation folder name (the folder where your WordPress installation is installed on your website).

This example is using “my-blog-folder” as the name of the example folder (subfolder) where WordPress is installed. If WordPress is installed in your website domain root folder then you will not be adding a folder name to the master htaccess files. If you are not using any of the plugins listed in the plugin fixes section of the secure.htaccess file then you don’t need to add the my-blog-folder name to them.

BulletProof Security Example: secure.htaccess file modifications

  #   BULLETPROOF .45.8 >>>>>>> SECURE .HTACCESS
  # If for some strange reason your host does not have +FollowSymlinks enabled by default at
  # the root level then you will need to enable Options +FollowSymlinks for mod_rewrite to work.
  # If you are getting HTTP Error 500 Internal server errors and you have checked to make sure
  # everything else is set correctly then remove the # sign in front of Options +FollowSymlinks
  # below. If you are still getting 500 errors then immediately put the # sign back. All hosts
  # these days should have this enabled by default. Enabling this will actually cause 500 server
  # errors if your host has this enabled so you should probably never have to remove the # sign.
  # Options +FollowSymlinks
  # These are some common Apache Directives to force PHP5 to be used instead of PHP4
  # Some web hosts have very specific directives - check with your web host first
  # Remove the pound sign in front of AddType x-mapp-php5 .php for 1&1 web hosting
  # AddType x-mapp-php5 .php
  # Other common possibilities depending on your web host - check with your web host first
  # AddHandler application/x-httpd-php5 .php
  # AddHandler cgi-php5 .php

  Options -Indexes

  # BEGIN WordPress

  RewriteEngine On
  RewriteBase /my-blog-folder/
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /my-blog-folder/index.php [L]

  # END WordPress

  # If you want to add a custom 403 Forbidden page for your website uncomment the
  # ErrorDocument line of code below and copy the ait-pro.com example forbidden
  # HTML page to your correct website folder. See the BPS Help and FaQ page for
  # detailed instructions on how to do this.
  # ErrorDocument 403 /forbidden.html

  # Plugin conflicts will be handled case by case
  # Leave the plugin fixes code intact just in case you install one of these plugins
  # at a later time. Thousands of lines of htaccess code can be read in milliseconds
  # so leaving the code intact does not slow down your website performance at all.
  # Thousands of plugins have been tested with BPS and the plugin conflict fixes
  # contained in this BPS master file are permanent fixes for conflicts found with
  # these plugins.

  # BuddyPress Logout Redirect fix - skip BPS Filters on Logout link Redirect
  # WordPress 3.0.4 or higher must be installed for this fix to work

  RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
  RewriteRule . - [S=30]

  # SFC Simple Facebook Connect Redirect Fix
  # Also fixes any other plugins that use the redirect_to= string
  RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
  RewriteRule . - [S=30]

  # Ozh' Admin Drop Down Menu Display Fix
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/ozh-admin-drop-down-menu/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/ozh-admin-drop-down-menu/ [NC]
  RewriteRule . - [S=30]

  # ComicPress Manager ComicPress Theme Image Fix
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/comicpress-manager/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/comicpress-manager/ [NC]
  RewriteRule . - [S=30]

  # TimThumb Thumbnail Images not displaying - Red X instead of Images
  # If your theme uses TimThumb and the file is called something else like thumb.php then change the filename below
  RewriteCond %{REQUEST_FILENAME} timthumb(.*) [NC]
  RewriteRule . - [S=30]

  # YAPB (Yet Another Photoblog)
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/yet-another-photoblog/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/yet-another-photoblog/ [NC]
  RewriteRule . - [S=30]

  # WordPress.com Stats Flash SWF Graph Does Not Load Fix
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/stats/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/stats/ [NC]
  RewriteRule . - [S=30]

  # podPress rewrite ?feed=podcast as /feed/podcast
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/podcast/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=podcast [NC]
  RewriteRule (.*) /my-blog-folder/feed/podcast/$1? [R=301,L]

  # podPress rewrite ?feed=enhancedpodcast as /feed/enhancedpodcast
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/enhancedpodcast/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=enhancedpodcast [NC]
  RewriteRule (.*) /my-blog-folder/feed/enhancedpodcast/$1? [R=301,L]

  # podPress rewrite ?feed=torrent as /feed/torrent
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/torrent/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=torrent [NC]
  RewriteRule (.*) /my-blog-folder/feed/torrent/$1? [R=301,L]

  # podPress rewrite ?feed=premium as /feed/premium
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/premium/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=premium [NC]
  RewriteRule (.*) /my-blog-folder/feed/premium/$1? [R=301,L]

  # FILTER REQUEST METHODS
  RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
  RewriteRule ^(.*)$ - [F,L]

  # QUERY STRING EXPLOITS
  RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
  RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
  RewriteCond %{QUERY_STRING} tag\= [NC,OR]
  RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
  RewriteCond %{QUERY_STRING} http\:  [NC,OR]
  RewriteCond %{QUERY_STRING} https\:  [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
  RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
  RewriteRule ^(.*)$ - [F,L]

  # Deny Access to wp-config.php, /wp-admin/install.php, all .htaccess files
  # php.ini, php5.ini and the WordPress readme.html installation file.
  # To allow only yourself access to these files add your IP address below
  # The file list in the FilesMatch line is taken from the comment above.
  <FilesMatch "^(wp-config\.php|install\.php|\.htaccess|php\.ini|php5\.ini|readme\.html)">
  Deny from all
  # Allow from 69.40.120.88
  </FilesMatch>
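To see what the FILTER REQUEST METHODS and QUERY STRING EXPLOITS rules above actually block, and why a plugin can need one of the [S=30] skip rules, here is a small Python harness that replays the same RewriteCond patterns against a handful of sample requests. It is an added example, not code from BPS or from this guide. It assumes the simplified model that a matching skip condition bypasses both filter blocks (which is how the rules are ordered in the file above), and the sample requests are constructed for the demonstration.

```python
import re

# Transcription (constructed for this example) of the RewriteCond lines in the
# secure.htaccess example above: the redirect_to skip rule, the FILTER REQUEST
# METHODS block and the QUERY STRING EXPLOITS block.  Each entry is
# (pattern, case_insensitive); two of the original conditions carry no [NC] flag.
SKIP_CONDS = [
    (r"redirect_to=(.*)", True),  # SFC / redirect_to fix, followed by RewriteRule . - [S=30]
]
METHOD_COND = (r"^(HEAD|TRACE|DELETE|TRACK)", True)
QUERY_CONDS = [
    (r"\.\.\/", True),
    (r"boot\.ini", True),
    (r"tag\=", True),
    (r"ftp\:", True),
    (r"http\:", True),
    (r"https\:", True),
    (r"(\<|%3C).*script.*(\>|%3E)", True),
    (r"(\<|%3C).*iframe.*(\>|%3E)", True),
    (r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", True),
    (r"base64_encode.*\(.*\)", True),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"^(.*)cPath=http://(.*)$", True),
    (r"^(.*)/self/(.*)$", True),
    (r"^.*(\[|\]|\(|\)|<|>).*", True),
    (r"^.*(globals|encode|localhost|loopback).*", True),
    (r"^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete"
     r"|create|alter|update|order|char|set|cast|convert|meta|script|truncate).*", True),
]


def _matches(cond, text):
    """Apache RewriteCond semantics: an unanchored PCRE search, [NC] -> re.I."""
    pattern, nc = cond
    return re.search(pattern, text, re.I if nc else 0) is not None


def matching_condition(query_string):
    """Return the first QUERY STRING EXPLOITS pattern matching the raw query string, or None.

    Apache matches %{QUERY_STRING} without URL-decoding it, so the samples
    below are passed in exactly as they would appear on the wire.
    """
    for cond in QUERY_CONDS:
        if _matches(cond, query_string):
            return cond[0]
    return None


def is_forbidden(method, query_string):
    """Simulate the rule chain for one request: True means a 403 from the [F,L] rules."""
    # A matching skip condition makes its RewriteRule . - [S=30] jump over every
    # RewriteRule after it, so both filter blocks are bypassed for that request.
    if any(_matches(c, query_string) for c in SKIP_CONDS):
        return False
    if _matches(METHOD_COND, method):
        return True
    return matching_condition(query_string) is not None


# Constructed sample requests: (method, raw query string, why it is interesting)
SAMPLES = [
    ("GET", "p=123", "ordinary post request"),
    ("GET", "page=../../boot.ini", "directory traversal probe"),
    ("GET", "q=%3Cscript%3Ealert(1)%3C/script%3E", "encoded script tag"),
    ("TRACE", "", "blocked request method"),
    ("GET", "s=reset", "false positive: 'set' inside 'reset'"),
    ("GET", "orderby=date", "false positive: 'order'"),
    ("GET", "redirect_to=http://example.com/wp-admin/", "http: would match, skip rule wins"),
]


def audit(samples=SAMPLES):
    """Return one (method, query, forbidden, matched_pattern, note) tuple per sample."""
    return [(m, q, is_forbidden(m, q), matching_condition(q), note) for m, q, note in samples]


if __name__ == "__main__":
    for method, query, forbidden, pattern, note in audit():
        verdict = "403" if forbidden else "pass"
        print(f"{verdict:4} {method:5} ?{query:45} {note} ({pattern})")
```

Run it and the "s=reset" and "orderby=date" samples show the cost of the keyword list: the filter matches "set" and "order" as substrings of ordinary parameter values, which is exactly the kind of legitimate request a plugin fix or skip rule has to let through. The last sample shows the other side: "http:" in a redirect_to value would be blocked, but the skip rule above the filters lets it pass.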


BulletProof Security Example: default.htaccess file modifications

This example is using “my-blog-folder” as the name of the example folder (subfolder) where WordPress is installed. If WordPress is installed in your website domain root folder then you will not be adding a folder name to the default.htaccess master file. The default.htaccess file is a generic .htaccess file and does not provide any website security for your website. Its intended use is for testing or troubleshooting issues – you should never leave your website in Default Mode after you have completed testing or troubleshooting.

  # BULLETPROOF .45.8 >>>>>>> DEFAULT .HTACCESS
  # WARNING THE default.htaccess FILE DOES NOT PROTECT YOUR WEBSITE AGAINST HACKERS
  # This is a standard generic htaccess file that does NOT provide any website security
  # The DEFAULT .HTACCESS file should only be used for testing purposes
  # If for some strange reason your host does not have +FollowSymlinks enabled by default at
  # the root level then you will need to enable Options +FollowSymlinks for mod_rewrite to work.
  # If you are getting HTTP Error 500 Internal server errors and you have checked to make sure
  # everything else is set correctly then remove the # sign in front of Options +FollowSymlinks
  # below. If you are still getting 500 errors then immediately put the # sign back. All hosts
  # these days should have this enabled by default. Enabling this will actually cause 500 server
  # errors if your host has this enabled so you should probably never have to remove the # sign.
  # Options +FollowSymlinks

  # These are some common Apache Directives to force PHP5 to be used instead of PHP4
  # Some web hosts have very specific directives - check with your web host first
  # Remove the pound sign in front of AddType x-mapp-php5 .php for 1&1 web hosting
  # AddType x-mapp-php5 .php
  # Other common possibilities depending on your web host - check with your web host first
  # AddHandler application/x-httpd-php5 .php
  # AddHandler cgi-php5 .php

  Options -Indexes

  # BEGIN WordPress

  RewriteEngine On
  RewriteBase /my-blog-folder/
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /my-blog-folder/index.php [L]

  # END WordPress

BulletProof Security Example: maintenance.htaccess file modifications

As of BPS .46.1 Maintenance is AutoMagic. View the new Maintenance Mode page. You can still also manually edit the maintenance.htaccess file.

The maintenance.htaccess file looks a bit different from the other 2 files, but the same principle applies.

This example is using “my-blog-folder” as the name of the example folder (subfolder) where WordPress is installed. If WordPress is installed in your website domain root folder then you will not be adding a folder name to the maintenance.htaccess master file.

  #   BULLETPROOF .45.8 MAINTENANCE  .HTACCESS
  # If for some strange reason your host does not have +FollowSymlinks enabled by default at
  # the root level then you will need to enable Options +FollowSymlinks for mod_rewrite to work.
  # If you are getting HTTP Error 500 Internal server errors and you have checked to make sure
  # everything else is set correctly then remove the # sign in front of Options +FollowSymlinks
  # below. If you are still getting 500 errors then immediately put the # sign back. All hosts
  # these days should have this enabled by default. Enabling this will actually cause 500 server
  # errors if your host has this enabled so you should probably never have to remove the # sign.
  # Options +FollowSymlinks
  # These are some common Apache Directives to force PHP5 to be used instead of PHP4
  # Some web hosts have very specific directives - check with your web host first
  # Remove the pound sign in front of AddType x-mapp-php5 .php for 1&1 web hosting
  # AddType x-mapp-php5 .php
  # Other common possibilities depending on your web host - check with your web host first
  # AddHandler application/x-httpd-php5 .php
  # AddHandler cgi-php5 .php

  Options -Indexes

  RewriteEngine On
  RewriteBase /my-blog-folder/

  # FILTER REQUEST METHODS
  RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
  RewriteRule ^(.*)$ - [F,L]

  # QUERY STRING EXPLOITS
  RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
  RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
  RewriteCond %{QUERY_STRING} tag\= [NC,OR]
  RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
  RewriteCond %{QUERY_STRING} http\:  [NC,OR]
  RewriteCond %{QUERY_STRING} https\:  [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
  RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
  RewriteRule ^(.*)$ - [F,L]

  # Remove the pound sign to make a condition active
  # Add a pound sign to comment a condition out.
  # Adding your IP address to the line below will display the website
  # under maintenance page to ONLY you. For Testing purposes only.
  # RewriteCond %{REMOTE_ADDR} ^75\.88\.99\.33$
  # Adding your IP address to the line below will display the website
  # under maintenance page to everyone else except you.
  # Add your Public IP address to the line directly below.
  RewriteCond %{REMOTE_ADDR} !^75\.40\.48\.207$

  # RewriteCond sends all visitors to /bp-maintenance.php Website Under Maintenance page
  # and displays the abstract-blue.png background image except for you if you entered
  # your IP address above.
  RewriteCond %{REQUEST_URI} !^/my-blog-folder/bp-maintenance\.php$
  RewriteCond %{REQUEST_URI} !^/my-blog-folder/wp-content/plugins/bulletproof-security/abstract-blue-bg\.png$

  # No matter what file was requested serve bp-maintenance.php ONLY.
  RewriteRule ^(.*)$ /my-blog-folder/bp-maintenance.php [L]

  # If your IP address was entered above bp-maintenance.php is bypassed
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /my-blog-folder/index.php [L]
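The three subfolder examples above differ from the root-folder master files only in the folder name inserted into RewriteBase, the RewriteRule targets and the REQUEST_URI conditions. The Python helper below makes those edits mechanically so the same folder name lands in every place at once. It is an added example, not part of BPS; the function name add_subfolder and the root-folder fragment it runs on are this example's own, assembled from the files shown above. Lines starting with # are left unchanged so the explanatory comments in the master files keep their original text.

```python
import re

# Constructed root-folder fragment assembled from the master .htaccess examples above;
# it is an input for this demonstration, not a complete BPS master file.
ROOT_FRAGMENT = r"""
  # BEGIN WordPress
  RewriteEngine On
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
  # END WordPress

  # subfolder name to the RewriteCond /blog/wp-content/plugins/stats/ [NC]
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stats/ [NC]
  RewriteRule . - [S=30]

  RewriteCond %{QUERY_STRING} feed=podcast [NC]
  RewriteRule (.*) /feed/podcast/$1? [R=301,L]

  RewriteCond %{REQUEST_URI} !^/bp-maintenance\.php$
  RewriteRule ^(.*)$ /bp-maintenance.php [L]
"""


def add_subfolder(htaccess_text, folder):
    """Insert `folder` into every site-root path of a BPS master .htaccess file.

    Three kinds of line are rewritten, matching the manual edits shown above:
      RewriteBase /                       -> RewriteBase /folder/
      RewriteRule <pattern> /path ...     -> RewriteRule <pattern> /folder/path ...
      RewriteCond %{REQUEST_URI} [!]^/... -> RewriteCond %{REQUEST_URI} [!]^/folder/...
    Comment lines, blank lines and targets that are not site-root paths (such as
    the "-" of a skip rule) are left untouched, and running the function twice
    does not insert the folder a second time.
    """
    folder = folder.strip("/")
    prefix = "/" + folder + "/"
    not_done = "(?!" + re.escape(folder) + "/)"  # guard against double insertion
    rules = [
        re.compile(r"^(\s*RewriteBase\s+)/\S*"),
        re.compile(r"^(\s*RewriteRule\s+\S+\s+)/" + not_done),
        re.compile(r"^(\s*RewriteCond\s+%\{REQUEST_URI\}\s+!?\^)/" + not_done),
    ]
    out = []
    for line in htaccess_text.splitlines():
        if line.lstrip().startswith("#") or not line.strip():
            out.append(line)  # comments and blank lines are left untouched
            continue
        for regex in rules:
            line = regex.sub(lambda m: m.group(1) + prefix, line, count=1)
        out.append(line)
    return "\n".join(out) + ("\n" if htaccess_text.endswith("\n") else "")


def subfolder_fragment(folder="my-blog-folder"):
    """Convenience wrapper: the constructed fragment rewritten for `folder`."""
    return add_subfolder(ROOT_FRAGMENT, folder)


if __name__ == "__main__":
    print(subfolder_fragment())
```

Paste the master file's contents in as htaccess_text and compare the output against the examples above before saving it with the File Editor; the comment lines in the output still read "/blog/..." because they are the guide's own instructions, not directives.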


BulletProof Security – Maintenance Mode – Adding Your IP Address To The maintenance.htaccess Master File

BulletProof Security Maintenance Mode has AutoMagic mode in addition to manual control mode as of .46.1. View the new Maintenance Mode help page.

The information below still applies if you are manually entering in your IP Address instead of using AutoMagic.

Adding your IP address to the maintenance.htaccess master file will allow ONLY you to view your website while a “Website Under Maintenance” message is displayed to all other website visitors. Click on the BulletProof Security Upload/Download/Edit menu tab. You will see a BulletProof Security File Editing window with several menu tabs with the names of all of the .htaccess files that can be edited (read more about the BulletProof Security File Editing window). Click on the maintenance.htaccess tab. Add your current Public IP Address that is shown on the BulletProof Security Maintenance Mode page to the yellow highlighted areas shown below. You can now activate Maintenance Mode and will be able to view your website while all other visitors see the Website Under Maintenance page. If you have already activated Maintenance Mode before making these IP address edits then you will need to reactivate Maintenance Mode again to copy your newly modified master maintenance.htaccess file to the root folder.

This example is only showing the bottom section of the maintenance.htaccess file where you will be adding your IP address highlighted in yellow. This example is showing htaccess code for a WordPress installation in the root website folder. If your WordPress installation is in a subfolder you would of course see the correct subfolder name that you added.

BulletProof Security Example: maintenance.htaccess file – Adding Your Public IP Address

  # Remove the pound sign to make a condition active
  # Add a pound sign to comment a condition out.
  # Adding your IP address to the line below will display the website
  # under maintenance page to ONLY you. For Testing purposes only.
  # RewriteCond %{REMOTE_ADDR} ^75\.88\.99\.33$
  # Adding your IP address to the line below will display the website
  # under maintenance page to everyone else except you.
  # Add your Public IP address to the line directly below.
  RewriteCond %{REMOTE_ADDR} !^75\.40\.48\.207$

  # RewriteCond sends all visitors to /bp-maintenance.php Website Under Maintenance page
  # and displays the abstract-blue.png background image except for you if you entered
  # your IP address above.
  RewriteCond %{REQUEST_URI} !^/bp-maintenance\.php$
  RewriteCond %{REQUEST_URI} !^/wp-content/plugins/bulletproof-security/abstract-blue-bg\.png$

  # No matter what file was requested serve bp-maintenance.php ONLY.
  RewriteRule ^(.*)$ /bp-maintenance.php [L]

  # If your IP address was entered above bp-maintenance.php is bypassed
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]


BulletProof Security – Advanced Coding Modifications Instructions

Pending update: A couple of people have requested information about modifying and customizing the “Activated BulletProof Security .htaccess Files” text. Here is that information:

Customizing BulletProof Security to have the Master .htaccess files display a new customized var_dump text string (in layman's terms: just change what message is displayed under Activated BulletProof Security .htaccess Files)

The .htaccess file that is activated in your root folder is:

string(45) " BULLETPROOF .45.5 >>>>>>> SECURE .HTACCESS "

√ wp-config.php is .htaccess protected by BPS

√ php.ini and php5.ini are .htaccess protected by BPS

The .htaccess file that is activated in your /wp-admin folder is:

string(45) " BULLETPROOF .45.5 WP-ADMIN SECURE .HTACCESS "

The file is functions.php > code lines 109-136: The functions.php file is located here > /wp-content/plugins/bulletproof-security/includes/functions.php

The yellow highlighted code below is what you need to modify to match the new text content that you add to the BulletProof Security master .htaccess files. The strpos function checks the .htaccess master files for the BulletProof Security version number, specifically the number “5” in string position #15 (# BULLETPROOF .45.5…). If you have W3 Total Cache installed, position 17 applies. If the exact match is found then you should not see errors. If an exact match is not found then you will see message warnings or error messages. So whatever changes you make to the BulletProof Security master .htaccess files must match the code in the functions.php file or your head will explode. LOL ;) The code shown below is just for visual demonstration purposes and is not 100% code accurate to the code contained in functions.php.

// Get Root .htaccess content - get first 45 characters of current root .htaccess file starting from the 3rd character
// and display string dump - also checks for single character "5" in .45.5 in string position 15 to validate the version of BPS
// .htaccess file and the wp-config.php status
function root_htaccess_status() {
	$filename = '.htaccess';
	if ( !file_exists(ABSPATH . $filename)) {
		_e('NO .htaccess was found in your root folder');
		_e('wp-config.php is NOT .htaccess protected by BPS');
	} else {
		if (file_exists(ABSPATH . $filename)) {
			$section = file_get_contents(ABSPATH . $filename, NULL, NULL, 3, 45);
			_e('The .htaccess file that is activated in your root folder is:');
			var_dump($section);
			$check_string = strpos($section, "5");
			// position 15 for a plain BPS file, 17 if W3 Total Cache is installed (see above);
			// if you modify BPS .htaccess files this str pos must match for valid status checks
			if ($check_string == 15 || $check_string == 17) {
				$wpconfig_status = '√ wp-config.php is .htaccess protected by BPS
√ php.ini and php5.ini are .htaccess protected by BPS';
				_e('' . $wpconfig_status . '');
			} else {
				_e('A BPS .htaccess file was NOT found in your root folder or the BPS .htaccess file that you are currently using does NOT include .htaccess protection for wp-config.php. Please read the Read Me hover Tooltip before activating a newer version of a BPS website root folder .htaccess file.');
				_e('wp-config.php is NOT .htaccess protected by BPS');
			}
		}
	}
}

BulletProof Security – Modifications to BulletProof Security .45.8 – .45.2 if you want to use PHP4 instead of PHP5 – Modifying BulletProof Security .45.8 to work for PHP 4

*** PHP5 is required as of BulletProof Security version .46 ***

BulletProof Security .45.8 – .45.2 will work ok if you are using PHP 4 instead of PHP 5. There are a couple of coding modifications that you need to make. You will not be able to get or see your PHP Memory Usage or PHP Memory Limit, and the BulletProof Security Status – Activated BulletProof Security .htaccess Files window – will display the entire dump of your .htaccess files, but BulletProof Security does function correctly. I recommend of course that you switch to PHP 5. PHP 4 is just about to be retired.

Go to your main Plugins Options page, click on the Edit link under BulletProof Security.

Click on /bulletproof-security/admin/options.php in the Plugin Editor.

Scroll down a little over half the page.

Make the modification shown highlighted in yellow in this code: you are adding two forward slashes (//) to comment this function out. Save your changes by clicking the Update File button. You can of course also download the options.php file, modify it and upload it back to your website.

<?php // echo round(memory_get_usage() / 1024 / 1024, 2) . __(' MB'); ?>

Now open /bulletproof-security/includes/functions.php in the Plugin Editor.

Scroll down around a 3rd of the way down the page.

Make the modifications shown highlighted in yellow in this code:

// Get Root .htaccess content - get first 45 characters of current root .htaccess file starting from the 3rd character
// and display string dump - also checks for single character "5" in .45.5 in string position 15 to validate the version of BPS .htaccess file and the wp-config.php status
function root_htaccess_status() {
	$filename = '.htaccess';
	if ( !file_exists(ABSPATH . $filename)) {
		_e('NO .htaccess was found in your root folder');
		_e('wp-config.php is NOT .htaccess protected by BPS');
	} else {
		if (file_exists(ABSPATH . $filename)) {
			// PHP 4 modification - you will be deleting >>>  , NULL, NULL, 3, 45  from the file_get_contents() call below
			$section = file_get_contents(ABSPATH . $filename);
			_e('The .htaccess file that is activated in your root folder is:');
			var_dump($section);
			$check_string = strpos($section, "5");
			if ($check_string == "15") { // if you modify BPS .htaccess files this str pos must match for valid status checks
				$wpconfig_status = '&radic; wp-config.php is .htaccess protected by BPS';
				_e('' . $wpconfig_status . '');
			} else {
				_e('A BPS .htaccess file was NOT found in your root folder or the BPS .htaccess file that you are currently using does NOT include .htaccess protection for wp-config.php. Please read the Read Me hover Tooltip before activating a newer version of a BPS website root folder .htaccess file.');
				_e('wp-config.php is NOT .htaccess protected by BPS');
			}
		}
	}
}

and modify this function as well:

// Get wp-admin .htaccess content - get first 45 characters of current
// wp-admin .htaccess file starting from the 3rd character
function wpadmin_htaccess_status() {
	$filename = 'wp-admin/.htaccess';
	if (file_exists(ABSPATH . $filename)) {
		// PHP 4 modification - you will be deleting >>>  , NULL, NULL, 3, 45  from the file_get_contents() call below
		$section = file_get_contents(ABSPATH . $filename);
		_e('The .htaccess file that is activated in your /wp-admin folder is:');
		var_dump($section);
	} else {
		_e('NO .htaccess file was found in your /wp-admin folder');
	}
}

BulletProof Security .45.7 -.45.2 should now work fine for you if you are using PHP 4 instead of PHP 5.

BulletProof Security – Common Issues and Problems

New BulletProof Security Plugin Compatibility testing page has been added. Check the BulletProof Security Plugin Compatibility List to see if your plugin issue is listed in testing or has been resolved.

*** PHP5 is required as of BulletProof Security version .46 ***
*** If you activate BulletProof Security Mode for your Root folder you MUST also activate BulletProof Security Mode for your /wp-admin folder and vice versa. The BulletProof Security htaccess files are designed to be used together ***

*** Also check the new BulletProof Security Error, Warning, Heads Up Display (HUD) Messages page added as of BPS .46.1 ***

The most common problem is web hosts that are still using PHP4 instead of PHP5 to process WordPress PHP scripts. PHP4 is pretty close to being phased out altogether. BulletProof Security can be modified to work using PHP4 if you are willing to sacrifice several features. I recommend using PHP5. A diagnostic check has been added to the System Info page, which will tell you if PHP5 or PHP4 is running on your WordPress website. You will also see the PHP version on the BulletProof Security System Info page > look under PHP Info > PHP Version for the version of PHP that is currently being used to process your WordPress PHP files. Even if your web host is stating that PHP5 is the default standard you may have an older website domain that is still using PHP4. I have seen this in several cases on several different web hosts. If you see that the version of PHP is 4 then do this google search > your web host name + PHP5 to find the correct Apache Directives to add to the master .htaccess files. The BulletProof Security master htaccess files include some of the most common Apache PHP Directives. They are commented out (they serve more as examples than as specific solutions for your specific web host / website) so you will have to uncomment the correct Apache Directives for your specific web host if they are commented out in the master .htaccess files. If your particular Apache Directives are not in the master .htaccess files you will have to add them yourself. Check your web host help files first before uncommenting – removing the # pound sign in front of any of the Apache PHP Directives or adding any Apache Directives to the master .htaccess files.

Media Temple Directives (the Apache directives in the .htaccess master files are outdated)

Media Temple has recently updated their policies and procedures on activating PHP5 on your web host account (as of 10-18-2010). See this Media Temple link for the latest PHP5 instructions. >>> Media Temple PHP5 instructions

GoDaddy Directives for Older Accounts (if you just want to use PHP5 then you only need to add the top directive. If you want to run both PHP4 and PHP5 use both directives)

AddHandler x-httpd-php5 .php
AddHandler x-httpd-php .php4

GoDaddy Directives for Grid Hosting Accounts (if you just want to use PHP5 then you only need to add the top directive. If you want to run both PHP4 and PHP5 use both directives)

AddHandler x-httpd-php5-cgi .php
AddHandler x-httpd-php-cgi .php4

Widget Settings Not Working (unable to drag and drop widgets) – Unable To Access Settings and Options Pages For Other Plugins

If you cannot drag and drop widgets or you are unable to access settings and options pages for other plugins then you have not activated BulletProof Mode for the wp-admin folder yet.

Images not Displaying – Thumbnail Images not Displaying – Red X

This .htaccess fix is included in the secure.htaccess file as of BulletProof Security .45.8. Please see the BulletProof Security Plugin Fixes page.

As a general rule, if a particular plugin is conflicting with the BulletProof Security .htaccess rules then usually a simple .htaccess skip rule to bypass the BulletProof Security filters for that particular plugin is all that is needed. You can perform these edits using the built-in BulletProof Security File Editor from within your WP Dashboard. Adding BulletProof Security filter htaccess skip rules for plugins should not leave your website vulnerable in any way. The logic is that a plugin may have coding in it that is triggering the BulletProof Security filters to block something that BulletProof Security has determined as “not safe”. By skipping the filters for just that plugin folder, the only vulnerability I can think of would be if the particular plugin does something that could affect your website site-wide. Most plugins perform a particular task and do not affect your website site-wide, so they would not have the capability of compromising your entire website security to begin with.

W3 Total Cache .htaccess Issue

Since W3 Total Cache writes .htaccess code to the root .htaccess file then you may need to redeploy W3 Total Cache when installing or activating new BulletProof Security Modes. Simply just redeploying W3 Total Cache writes new .htaccess code to your current root .htaccess file or you can use the BulletProof Security built-in File Editor if you want to manually copy and paste the W3 Total Cache .htaccess code to the root .htaccess file.

BulletProof Security – WordPress Multisite MU .htaccess Code Modifications

This serves as a general example of WordPress MU .htaccess code and may not be 100% code accurate to the current MU .htaccess code that you have for your website.

BulletProof Security works fine with WordPress Multisite installations or WordPress MU. Using the built-in BulletProof Security File Editor you will need to copy and paste your existing MU .htaccess code to the secure.htaccess file. IMPORTANT! Copy and paste your MU code shown below (it will look identical or very similar) to right after the QUERY STRING EXPLOITS section of code and before the FilesMatch section of code at the bottom of the secure.htaccess file. You will then need to delete the existing section of .htaccess code in the secure.htaccess file that starts with # BEGIN WordPress and ends with # END WordPress. For the default.htaccess master file you would just replace (overwrite) the section of code that begins with # BEGIN WordPress and ends with # END WordPress if you ever plan on activating Default Mode for any reason. Your WPMU .htaccess code may look slightly different or you may have customized your MU .htaccess code for your particular website setup. See this WordPress Codex for WordPress MU for more information on setting up and creating MU Network sites.

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
# END WordPress


The above MU .htaccess method of adding the MU .htaccess code after the BulletProof Security filters was contributed by Scott, as was the following information on “Activate” versus “Network Activate” for a MU setup.

“…for a subdomain install. I did just a normal Activate (not Network Activate) which seemed appropriate since there is only one root (and one root .htaccess). I verified (after making the change I mentioned above) that both the main blog and another subdomain blog were protected against your example search hack. I don’t think a subfolder MU setup would be any different, but haven’t verified that….”
- Scott

My sincere thanks and appreciation go out to Scott for his contributions to the BulletProof Security project.
- Ed

BulletProof Security – Quick Security Tests for BulletProof Security

Quick tests to make absolutely sure that the security filters are working correctly in BulletProof Security. If you install a plugin that writes to your .htaccess files it is always a good idea to do a quick security test to make sure that BulletProof Security is still protecting your website.

FilesMatch .htaccess BulletProof Security Protection Tests

On the BulletProof Security Status page you will see that readme.html and install.php are protected if you have BulletProof Modes activated. To double check that the WordPress readme.html and /wp-admin/install.php files are protected, type your website URL into your browser’s address bar and try to view the readme.html and install.php files directly. You should see either a 404 or 403 error depending on how your website error handling is set up. Examples: http://www.ait-pro.com/aitpro-blog/readme.html and http://www.ait-pro.com/aitpro-blog/wp-admin/install.php. This is also a good way to check whether your custom 403 Forbidden page is set up correctly, if you chose to add one in your root .htaccess file.

If you put your website in Default Mode to perform testing below be sure to put your website back in BulletProof Mode after you have performed any tests.

NOTE: If you do not have a page designated as your Forbidden page or 404 page for your website the SQL filter test will not send you to your Forbidden page or 404 page because you do not have one. What will happen is that the search is halted and you will see this in the top URL Address window http://www.your-website-domain.com/?s=union if trying to test the word “union”. Your website is still protected if you see this instead of a Forbidden page or 404 page. You can add a designated Forbidden page very easily by adding only one line of code to the secure.htaccess file – see below. Adding a designated custom Forbidden page will be a standard option in the next release of BulletProof Security.

Adding a Custom 403 Forbidden Page – ErrorDocument 403 htaccess Code Examples

BulletProof Security – SQL Injection hacking tests – MySQL Injection hacking tests

Enter any of these BulletProof Security blocked / filtered commands used in SQL Injection hacking attempts into your website search window:

Union
Select
Request
Insert
Declare
Drop

For this demonstration I am using the default GoDaddy web page that is used as the Forbidden page that visitors are redirected to if an “illegal” search or command is executed. You can of course create your own custom Forbidden page to redirect visitors to. Keep in mind that innocent mistakes do happen so you want to design your custom Forbidden page for both innocent mistakes and hackers. You could just redirect to your default 404 page.

With BulletProof Security BulletProof Mode enabled, I typed “union” (with or without quotes – both are blocked) in the search window on my website. The result:

GoDaddy Generic Forbidden Page

With BulletProof Security Default Mode enabled (BulletProof Mode disabled), I typed “union” in the search window on my website. The result:

Website is Vulnerable to SQL Injection attack

So what does this mean – My website is vulnerable to SQL Injection attack attempts in Default Mode (BulletProof Mode disabled). Yeah I know the formatting is ugly – it’s on my list of CSS things to do. ;)

Live Demo – Browser Exploit SQL Injection vulnerability on a PostNuke Module. This is an ancient SQL Injection vulnerability and has since been corrected. This merely serves as a demo that shows that the BulletProof Security filters do not allow “union” or “select” in an attempt to perform an SQL Injection browser exploit on the AIT-pro.com website. Click the link below for testing and you will be sent to the AIT-pro.com Forbidden page. To test your website replace the URL with your website URL.

AITpro Security Test

BulletProof Security – XSS (Cross Site Scripting) Hacking Attempt Test

Copy the URL link shown below to your browser’s Address bar (aka location bar or URL bar). Edit the URL link and put your website URL in place of “enter-your-website-url-here” to test it on your website. This is a simple, common XSS cookie stealer script. The important thing to note is that BulletProof Security filters out JavaScript code inserted into the URL, blocks it from executing, and immediately redirects you, a would-be hacker, or an automated bot program to a Forbidden page or 404 page – the script will not and cannot be executed against your website when BulletProof Security Mode is enabled.

NOTE: If you do not have a page designated as your Forbidden page or 404 page for your website the XSS test will not send you to your Forbidden page or 404 page because you do not have one. What will happen is that the XSS script tags are removed from the URL making it completely ineffective and invalid or in other words completely harmless. Your website is still protected if you see this instead of a Forbidden page or 404 page. You can add a designated 404 or Forbidden page from web host control panel or you can do this via the BulletProof Security secure.htaccess file – see the link below to create a forbidden page for your website that is controlled by the ErrorDocument 403 htaccess directive.

Adding a Custom 403 Forbidden Page – ErrorDocument 403 htaccess Code Examples

Caution! This code is very volatile. For this reason the XSS testing code has been made into a GIF image file so that the code is harmless. Click the image file below to view the code. You will need to type out the code in the image file in your browser’s URL address window in order to test it.

XSS Website Security Testing Script - GIF Image File

This website >>> Cross Site Scripting (XSS) FAQ >>> explains XSS attacks in very easy to understand layman’s terms.

BulletProof Security – Extra Website Security Protection Against SQL Injection Attack

As of BulletProof Security .45.7 the SQL Injection filter contains these new additional SQL Injection words / syntax, which block additional words associated with SQL commands from being searchable in your site search window. Individual SQL words can be removed / edited out using the built-in BulletProof Security File Editor, but the better approach is to make your website search feature not see these particular SQL command words, i.e. exclude particular words from being searchable with your particular site search feature. This is an issue that I plan to look at in the near future.

The full list of SQL syntax / words that are filtered from being searchable using your search window on your website is:

request, insert, delete, union, declare, drop, create, alter, update, order, select, cast, execute, convert, exec, meta, sp_executesql, script, char, truncate, set

As you can see there are a few words that you may want to still be searchable like “order” and “update”. You can of course manually choose what SQL syntax you are willing to allow through the BulletProof Security filters. Use the BulletProof Security File Editor to edit your .htaccess files from within the WordPress Dashboard. Another option is to use one of the Google Custom Search WordPress plugins, or get the Google Custom Search engine directly from Google, instead of using the built-in WordPress Search feature, or to install an Advanced Search feature that allows you to exclude / include certain words as well as making comments searchable.

Previous BulletProof Security versions filtered these SQL commands:

RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]

BulletProof Security .45.7 now filters these SQL commands:

RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
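
To see why words like “order” and “update” get caught, it helps to run the two RewriteCond patterns above against sample query strings. The pattern has the shape `^.*(a|b|c).*`, so each word matches anywhere inside the query string, not only as a whole search term: “order” in `?orderby=title`, or “set” in `?s=sunset`, trips the filter just as `?s=union` does. The script below is an added example, not code from the BulletProof Security plugin; it assumes Python’s `re` with `re.IGNORECASE` is a faithful stand-in for Apache’s regex engine with the `[NC]` flag for these simple alternations, and that Apache tests the raw, still URL-encoded query string (it does). `filter_allowing()` builds the hand-edited variant the text suggests, with chosen words removed from the list.

```python
import re
from urllib.parse import urlsplit

# Added example, not BPS's own code. The patterns are the two RewriteCond lines
# quoted in the guide; Apache's [NC] flag is reproduced with re.IGNORECASE.
OLD_FILTER = r"^.*(request|select|insert|union|declare|drop).*"
FILTER_WORDS_45_7 = [
    "execute", "exec", "sp_executesql", "request", "select", "insert", "union",
    "declare", "drop", "delete", "create", "alter", "update", "order", "char",
    "set", "cast", "convert", "meta", "script", "truncate",
]


def build_filter(words):
    """Build a pattern in the same ^.*(a|b|c).* shape the guide uses. Because of the
    leading ^.* and trailing .*, every word matches as a SUBSTRING of the query string.
    The words are bare identifiers, so no regex escaping is needed."""
    return r"^.*(" + "|".join(words) + r").*"


NEW_FILTER = build_filter(FILTER_WORDS_45_7)   # identical to the .45.7 pattern


def rewrite_cond_line(pattern):
    """Render a pattern as the .htaccess line it corresponds to."""
    return "RewriteCond %{QUERY_STRING} " + pattern + " [NC]"


def query_string_blocked(url, pattern=NEW_FILTER):
    """True if mod_rewrite's %{QUERY_STRING} test would match for this request.
    Apache matches the raw (still URL-encoded) query string, so nothing is decoded."""
    query = urlsplit(url).query
    return re.search(pattern, query, re.IGNORECASE) is not None


def filter_allowing(allowed_words):
    """A custom filter with some words edited out, the way the guide suggests doing by
    hand in the File Editor (for example to keep 'order' and 'update' searchable)."""
    allowed = {w.lower() for w in allowed_words}
    return build_filter([w for w in FILTER_WORDS_45_7 if w not in allowed])


if __name__ == "__main__":
    # Constructed sample requests: one real injection probe and a few innocent searches.
    samples = [
        "http://example.com/?s=union+select+1",
        "http://example.com/?s=order+form",
        "http://example.com/?s=sunset",
        "http://example.com/?orderby=title&order=asc",
        "http://example.com/?s=hello+world",
    ]
    custom = filter_allowing(["order", "update"])
    for u in samples:
        print("%-45s old=%-5s .45.7=%-5s custom=%s" % (
            u, query_string_blocked(u, OLD_FILTER),
            query_string_blocked(u), query_string_blocked(u, custom)))
```

The custom pattern is what you would paste back into secure.htaccess via `rewrite_cond_line(custom)`; note that the old six-word filter already blocks the `union select` probe, so trimming the .45.7 list back to words your visitors never search for costs nothing against that test case.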




Categories: BulletProof Security Plugin Support

252 Responses to “BulletProof Security Free Version Plugin Guide – BPS Version .47.1 – .45.5”


  1. David says:

    Hello, I am trying to add an exception to the .htaccess file, but I can not get it to work.
    The string that is being called is /wp-content/themes/Trim/fonts/ColabThi-webfont.eot?#iefix by my theme.

    I have added the following to the .htaccess file, making sure that no numbers were duplicated in the list:

    # Theme Font Query
    RewriteCond %{QUERY_STRING} #iefix [NC]
    RewriteRule . - [S=14]

    When that didn’t work, I added (.*) to the end but that did nothing again.

    At the moment, it is giving a 403 and 500. If the .htaccess file is removed, it works, when bulletproof adds the .htaccess file back, it fails again.

    If you can point me in the right direction, that would be great. Thank you.

    • AITpro Admin says:

      Try this skip/bypass rule instead, but ?# may be a problem in itself since it is technically a malformed query string.

      # Theme Font bypass/skip rule
      RewriteCond %{REQUEST_URI} ^/wp-content/themes/Trim/fonts/ [NC]
      RewriteRule . - [S=14]
      
      • David says:

        Hello, it is this type of service that shows large companies up. Almost every business we deal with, no matter the price, has absolutely terrible support.

        You are a star. Thank you so much.

        This plugin takes a bit of playing with to get used to, as anything new does. Once you get the hang of it, it works like a charm.

        • AITpro Admin says:

          Thank you for the awesome Kudos! Very much appreciated. Have a great one.

          • David says:

            Sorry, the code didnt seem to post properly. You can view the coding here: http://pastebin.com/FduaBpqh

            t is much deserved. Your support is awesome.
            Sorry to bug you again, but one item is failing and I assume it to be due to the protection.
            The user is sent to a page which loads the paypal info needed to automatically forward them to paypal. However, the user is never forwarded when bulletproof is enabled.
            The coding (from the page source) is as follows:

            Domain1 is the site the customer is on and Domain2 is the order system we use which is embedded on Domain1 using a WHMCS integration plugin.
            I assume the redirection is being blocked by bulletproof. If you could provide some assistance, that would be awesome.

            The first issue (the last one reported) was for an Elegant Themes theme for wordpress.
            The issue I have just reported (above) is for WHMCS Integration by WPMUDEV.
            Thought you may want this info so you can put it on your list, allowing other customers to have this info without needing to contact you.

            Thanks again

          • AITpro Admin says:

            The Form code itself looks ok. The problem is going to be how the Form code is processed so please send URL links to the Form or Forms using the AITpro contact form.

          • David says:

            Sorry, that should have said “the testimonial is much deserved.”

            Thank you. I am sending you the detail now.

  2. MARK says:

    [Comment was removed due to yelling/all caps & offensive nature]

  3. Fred says:

    Hi

    How can I Auto block an IP try to access: http://website.com/phpmyadmin/

    Thanks
    Fred

  4. Pete says:

    Have installed the latest version. Great plugin, thank you very much. Activated as per instructions and protected directories are per recommendations (705)

    WordPress 3.3.1
    PHP 5.3.3
    Plesk 10.4.4

    I noticed after installing on a couple of sites that I now have problems uploading files over a certain size to the Media. Getting a 500 error on the server. Same thing on installing new plugins. These worked prior to installing this plugin and work fine on other sites that do not have BP security installed.

    I am sure it is a customization of the .htaccess file, however, am unsure as to the proper settings. Please elaborate.

    • AITpro Admin says:

      BPS free does not do anything regarding file uploading size limits. Typically file upload size is controlled by a php.ini file. Under the BPS System Info tab you will see your PHP Max Upload Size: and your PHP Max Post Size: for your website. To increase your file upload size you would need to change these 2 directives in your php.ini file. 1. post_max_size = 20M and 2. upload_max_filesize = 20M. Both must be changed and both must have the same matching size limitation. If you are using a plugin to upload media then BPS could be blocking that plugin. If you are using the standard WP Media uploader then BPS does not block or restrict that in any way.

      BPS free does not block installing new plugins.

      What I suspect is that these 2 issues are symptoms of another problem. There are too many possibilities to accurately troubleshoot the problem without more information. Check your PHP error logs and check your Server logs for more information on why the 500 errors are occurring. Some possibilities: you are exceeding your Server’s memory limit allocated to you, database damage or corruption, web host problems with the Server itself (hard drive intermittently failing), etc etc etc etc.

  5. HollyKNY says:

    Hello! Thanks for providing this great plug-in. Quick question about the free version. I have a customer with a primary domain name and one WordPress install on the root, and a subdomain name with a second WordPress install inside that one. In other words, 2 separate sites, 2 separate WP installs. If I install this on the primary domain will it automatically protect the subdomain site, or should I install it on both? Thanks!

    • AITpro Admin says:

      You would install BPS on both sites since the rewriterules would be unique for each WordPress site. Thanks.

      • HollyKNY says:

        Thank you!

      • Sharell says:

        Hi there, thanks for this fantastic plug in. I have a similar situation as the original poster — a wordpress installation, then numerous additional wordpress installations (add on domains) in sub folders. It’s with Bluehost. So, just to confirm with you, to get the plugin working, I need to install it on all sites. Is that all? Are there any modifications that I need to do to any files to take into account all these other wordpress installations in the add on domains. Or do I just go along and activate each option in the plug in on each site, and the automation feature will take care of it all? I’m a little apprehensive about it because I’m really new to the back end of WordPress! I’m not sure how it all works.

        • AITpro Admin says:

          Yes, BPS needs to be installed on each website because the .htaccess files that are created with AutoMagic are unique to each website. The RewriteBase (folder location) will be different for each website because they are installed in separate folders. No, additional manual editing or modifications to the .htaccess files are not necessary – AutoMagic does this for you. You have nothing to fear. If something goes wrong you only need to do one thing and that is to delete the .htaccess file in the root folder of the website.

  6. KB says:

    Great plugin.

    I have a site that has been scanned by Website Defender, it is giving me an Alert to add to my htaccess to address the following security concern.

    “The display_error PHP configuration directive is enabled. This means that untrusted sources can see detailed web application environment error messages which might include sensitive information which can be used to craft further attacks.”

    They are suggesting I add the following to the htaccess file.
    .htaccess
    php_flag display_errors off
    php_flag log_errors on

    So, I am a little unsure which htaccess file I should add this to using the BPS control page (secure.htaccess)? And where in this file is the best place to add this?

    I was thinking of adding it right above this (near the bottom of the secure.htaccess content.)
    # IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
    # END WordPress

    Or do you not feel it is needed? (Explain if no.)

    One other thing. I also have my wp-config file outside the site folder (so one folder higher than the WordPress and .htaccess file.) I guess my wp-config is NOT protected by BPS htaccess files?

    Thanks again.

    • AITpro Admin says:

      The suggestion they are giving you would only work if your Server is configured with DSO (mod_php, Apache Module) or possibly if you have Litespeed as your SAPI. Most web hosts have their Servers configured with suPHP. If your SAPI type in BPS System Info is CGI then adding the php_flag or php_value directives in your .htaccess file will probably cause your website to crash. Typically with Servers configured with suPHP CGI you would want to change the display_errors directive setting in a custom php.ini file and not add php_flag or php_value to an .htaccess file.

      If your wp-config.php file is above your root then no, BPS will not be able to add protection for it, but since it is above the root folder it is already protected.

  7. Serapis says:

    Firstly, thanks for this awesome free plugin – and I use the word awesome in the literal sense! WOW!

    I am concerned because I have a pretty new WP site (I am a total noob to WP), but right away I see something that I am not sure about – apparently I do not have an .htaccess in my admin folder, but I should – I think?

    Do I copy the one on the root of WP to the admin folder and then proceed with BPS? Or should there have been one there ‘automagically’ with the WP installation (v3.3.1, installed via Fantastico from my hosting company, Site5)?

    I would like to proceed with this to secure my site but this has me a bit worried. Please advise!

    (I am very impressed, by the way, with the support you provide for this free plugin, it rivals the customer support of my hosting company, which always impresses me with their level of responsiveness)

    Thank you in advance~

  8. mike says:

    your captcha is a total pain

  9. mike says:

    Thank you for the free plugin. I would like to mention that I had a difficult time installing. The main problem is a failure to mention how permissions must be changed for initial setup, and then restricted once installation is completed.

    Here is what I had to do for installation. You might want to consider the messages displayed by W3 Total Cache, they are very helpful.

    Create secure.htaccess – Change permissions of secure.htaccess file to 0777.

    Activate security mode root folder – Change permissions of htaccess file to 666

    Activate security mode admin folder – Change permissions of htaccess file to 777

    Activate Deny All htaccess Folder Protection For The BPS Master htaccess Folder – Change permissions of

    Your_root_folder_location/wp-content/plugins/bulletproof-security/admin/htaccess folder to 777

    Activate Deny All htaccess Folder Protection For The BPS Backup Folder – change permissions of htaccess file to 777 located at

    Your_root_folder_location/wp-content/bps-backup

    Backup Your Currently Active .htaccess Files – change bps-backup folder permissions to 777 at

    Your_root_folder_location/wp-content/bps-backup

    Backup Your BPS Master .htaccess Files – change master-backups folder permissions to 777 at

    Your_root_folder_location/wp-content/bps-backup/master-backups

    Once completed with installation change the permissions of both htaccess files to 0644.

    Check security status and reset permissions as recommended.

    • AITpro Admin says:

      Unfortunately, you must be in the 5% minority of folks that have PHP running as an Apache Module / mod_php / DSO. I have designed BPS as well as I could to be compatible with every single web host out of the hundreds of them, taking into consideration the variations in possible environments and also the millions of different possible scenarios and configurations. In any case I am a coder, not an oracle or a wizard, and can only create something that is widely compatible. I think it is fair to say that it would be impossible to create something that works right out of the box on the millions of different possible scenarios, environments, conditions, etc. for each person’s website.

      From the permissions you are showing me you have PHP running as an Apache module / DSO. Your Hosting / Server environment is in the minority as most Web Hosts are now running PHP as CGI and explains why you had to do these additional steps. Most people (probably 95%) do not need to do any of this.

      Unfortunately, I would not add any of this because for the majority of people (95%) this would cause confusion for them, so I apologize for the additional steps that are required for your environment, but the fact is that you are in that 5% minority of folks that will have to do additional steps to get BPS working correctly.

      And personally, if it was my site in this Server environment then I think I would just opt for manually creating the .htaccess files and uploading them to where they need to be. To me it seems like this would be a less time consuming method, but unfortunately yes, this means that the automation in BPS would not be usable during set up.
      Thanks.

      • Dave says:

        I think I’m in the same boat as Mike. Thanks, Mike, by the way, for writing out those directions-they came in handy for me. Couldn’t figure out why the “auto” buttons weren’t working until I came across this post. Regardless, the tiny bit of inconvenience seems a small price to pay for a significantly more secure site.

        Thanks for a great plugin!

  10. Jenoll says:

    Ok, so this rookie needs major help. I was trying to enable contributors to post articles on the front end of my site and somehow got myself shut out of wp-admin. I am at a loss as to what I did, but in adding or subtracting # in the .htaccess file(s) I pretty much locked myself out. I can’t get back into the dashboard and get a 404 when I try. So before I just totally panic and restore from backup, I thought you guys may be able to easily talk me off the ledge. I didn’t touch any of the rewrite code. Suggestions? Ps. get me out of this and I will buy a BPS Pro License.

    • AITpro Admin says:

      LOL no need to buy BPS Pro to get help for BPS Free. ;) If you are looking for the best WordPress website security that you can get for your money, then yeah get BPS Pro.

      To get out of being “locked out” of your site you simply need to use FTP or your Web Host Control Panel and delete the .htaccess file that is in the Root folder for this website. This will allow you to get back into your WP Dashboard and then you can click the AutoMagic buttons to create new Master .htaccess files and then activate all BulletProof Modes.

      • Sarah says:

        I did as instructed by removing the .htaccess file from the root directory, but I am still getting a 500 error. I tried deleting the file from the wp-admin folder as well and nothing. I can’t get into my site and I don’t know what to do. PLEASE HELP!

  11. Kevin says:

    Hi There,

    I keep getting 500 Internal Error msgs when activating BPS.
    I’m pretty new to this stuff. Not sure if I’m doing something wrong.

    Cheers.

    • AITpro Admin says:

      I need more information to troubleshoot this. Please read through the help info around the AITpro site and then if you can’t find the problem with your site then let me know what you checked and tried. Thanks.

  12. Dugald Logan says:

    Great blog here! Also your web site loads up very fast! What web host are you using? Can I get your affiliate link to your host? I wish my website loaded up as quickly as yours lol

  13. Mlama says:

    Aha … all worked well!
    Thank you very much for your help and direction .. really appreciate it!
    The AutoMagic buttons are indeed Magic Buttons.

    As for the WP Root Folder; I found it pretty simple, however reading the info first is helpful.

    I Created htaccess Master Files ( both default and secure ) Then
    Activate Website Root Folder .htaccess
    ActivateWebsite wp-admin Folder .htaccess
    ActivateDeny All htaccess Folder Protection For The BPS Master htaccess Folder
    ActivateDeny All htaccess Folder Protection For The BPS Backup Folder
    Security Status – turns ALL GREEN.
    BACK UP htaccess Files
    BACK UP BPS Master .htaccess Files

    And I did the update for new version 46.5

    After the new version of BPS update was activated
    I had to again activate Bullet proof to
    Website Root Folder .htaccess
    Website wp-admin Folder .htaccess
    Activate Deny All htaccess Folder Protection For The BPS Master htaccess Folder

    Thats it !

  14. Mlama says:

    Hello,
    Firstly, thank you very much for your Free BPS Security Plugin!
    I am totally new to WP.
    I installed free version 46.4 BPS Security Plugin yesterday and after reading the instructions (very detailed info, thanks)
    I applied Scenario 1. It all worked well as per the instructions.
    I have my -
    Website Root Folder .htaccess (ACTIVATED)
    Website wp-admin Folder .htaccess (ACTIVATED)
    Yes, just one click did the job.
    Do I need to back up and activate any other part?
    & great! There is a new update this morning, 46.5;
    how do I update to the new version?
    Should I update automatically or should I deactivate / delete and install the new version?
    Your tips and help will be highly appreciated.

    • AITpro Admin says:

      Yikes, that info in the BPS Guide is seriously dated. Yes it can still be useful for understanding what is basically going on, but the Guide is pending a complete overhaul and update. When you update / upgrade BPS – only the plugin files are replaced. Your currently active .htaccess files are not replaced. You will see warnings that your website is not protected, but if you read the message carefully on the Security Status page you will see that it says something like “if you are upgrading BPS, then BPS does not see that the new version of BPS .htaccess files are being used” – your site is still protected with your old currently active htaccess files. Always perform a backup using the BPS built-in .htaccess file Backup anytime you are upgrading BPS. You will then just need to create new Master .htaccess files using the AutoMagic buttons; if you have added any custom or additional .htaccess code to your currently active .htaccess files then copy that .htaccess code to your new Master .htaccess file >>> secure.htaccess. Then activate all BulletProof Modes on the Security Modes page. Thanks.

  15. Gman says:

    this is all way too complicated for the average WP user. You need to make a 1 click plugin without all this heavy shit.

    • AITpro Admin says:

      Well BPS Free is pretty much one click. Well ok, 3 or 4 clicks here and there then. ;) BPS free also offers full manual control. A typical problem with plugins that are too simplified or too automated is that they will also be too limited in their capabilities of what you can do with them. In order to set up BPS free you simply need to click the AutoMagic buttons to create customized .htaccess Master files specific to your website and then Activate those one click Master files that you created. All the other available advanced options are for complete control of anything more advanced that you want to do with BPS. If you just want simple then use AutoMagic and Activate and go about your other business and don’t look any deeper into BPS. BPS is designed for everyone – regular folks to advanced level coders. What you do with BPS is up to you. Thanks.

      • Hi, I have been using BPS with ease for some time, but the new version .46.6 went over my head. I can no longer access a sub folder I have in my blog’s domain. I get 403 forbidden. I tried all the form-buttons but I still get locked out. Your secure htaccess file became very long and apparently one must modify and shorten it to suit their blog. I would like to see an opposite approach: a simple htaccess file that can be made more complex (by clicking and pasting additional BPS blocks of code into it) for the more advanced users…. now how can I access my subfolder?

        • AITpro Admin says:

          This may be the cause of the 403 Forbidden problem >>> http://www.ait-pro.com/aitpro-blog/3429/wordpress-tips-tricks-fixes/bulletproof-security-403-forbidden-errors-troubleshooting/

          The new .htaccess security filters make your website 1,000 times more secure. Yes you can create a simpler less secure .htaccess file by using the built-in File Editor. BPS gives you the ability to do a one click installation or the ability to manually create whatever you want. When you create your site’s Master .htaccess files using AutoMagic you can edit them before activating them – BulletProof Mode – this design is intentionally designed as a 2 step process so that you are not forced to do anything. If you need to get back into your website to start all over again then just FTP or use your Control Panel and delete the .htaccess file that is in your website root folder. Thanks.

        • OK… Making this modification did the trick

          RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

          I can now access the url and go to my page … However, I still get a Forbidden lockout if I refresh the screen … mmm…

          • sorry… that didn’t really work. maybe something else – with cookies?? AutoMagic needs to be more auto, mate… lol

          • AITpro Admin says:

            Do you have any other security plugins installed? WordPress Firewall breaks BPS and there are some other very badly coded security plugins that also cause problems with BPS. Try temporarily disabling other plugins that could be conflicting with BPS. Then what I need from you in order to actually be able to troubleshoot this issue is specific information about where and when problems are occurring and the exact error messages, if any. Or if you want to create a temporary Admin login account just send that info to info[at]ait-pro[dot]com. Thanks.

            And not really sure how I could automate BPS much more without going in the complete wrong direction. I have automated it to the point where manual editing for the million different possible scenarios is still available to all the different possible set ups. ;) The number 1 reason I abandon plugins and no longer use them is because they are too automated and do not give me the control I want and need. I usually just create my own plugins based on plugins that have a great idea, but are lacking full control.

          • It was this setting that kept me from accessing my subdomain :

            # DIRECTORY INDEX FORCE INDEX.PHP

            since I use index.html in my subdomain
            I fixed it and things work just fine now….

          • AITpro Admin says:

            Yep that is correct. If your index file is index.html and not index.php like the WordPress index file, then yep you want to rewrite to index.html or index.htm.

  16. I also think therefore, perfectly penned post!

  17. This website is my aspiration, very excellent layout and perfectly written content.

  18. matt coulter says:

    Hi There,

    Great product! One question: I have sub-directories under my webroot which had been protected (using the simple cPanel password protection function). After installing BPS I cannot access any files in these protected directories.

    As I click to open a PDF in this directory I get wordpress’s 404 error page instead of an auth window. Click on the prayersheet link for an example:

    my-domain/prayer-sheet/
    my-domin/prayersheet/PrayerSheet.pdf

    Any suggestions would be most appreciated!

    • AITpro Admin says:

      Well the links that you gave me to look at do not go to a valid directory. This is the path to the prayer sheet that I see – 75.127.92.212/~laconweb/prayersheet/PrayerSheet.pdf. When I click on that link then I am prompted for a username and password. Thanks.

  19. Very great post. I just stumbled upon your blog and wished to mention that I have really loved browsing your weblog posts. In any case I will be subscribing on your feed and I am hoping you write once more very soon!

  20. I think this is one of the most important information for me. And i am glad reading your article. But want to remark on few general things, The site style is wonderful, the articles is really excellent : D. Good job, cheers

  21. Ron says:

    We have WP installed in a subdirectory of our main domain. Everything is working correctly in regards to BPS; except we are unable to activate the module for the root folder only. We have backed up the htaccess files in both the root folder and the wp-admin and everything is showing correctly according to BPS. We have activated the wp-admin module with success; but we still are unable to activate the root folder module. Any tips and or suggestions would be helpful.

    • AITpro Admin says:

      Your Main site is an HTML site and your WordPress site is installed in /blog. Ok I ran some tests on your site and yes I see that a BPS root .htaccess file is not in use. Please explain this in more detail: “unable to activate the module for the root folder”. Did you use the AutoMagic buttons to create your master .htaccess files first? Did you create a custom permalink structure? Is your site using PHP5 and not PHP4? What happens when you try to activate BulletProof Mode for the root folder? Do you get an error message? If so, what is that error message? I am not familiar with your web host so do they have any special conditions regarding use of .htaccess files? I do get a Forbidden message when trying to view blog/.htaccess. Does an .htaccess file exist in your root folder? Check the BPS built-in File Editor – do you see that an .htaccess file is actually in your root folder? Also this is a long shot, but have you done anything with permissions like making the current .htaccess file read only – 444? Have you changed the folder permissions in your root directory? Thanks.

      • Ron says:

        1. We used AutoMagic to create both the default and secure htaccess files.
        2. We are not using custom permalinks.
        3. We are using PHP V.5.3.6
        4. Here is the backup file info:
        An .htaccess file was found in your root folder
        √ An .htaccess file was found in your /wp-admin folder

        √ Your Root .htaccess file is backed up.
        √ Your wp-admin .htaccess file is backed up.

        √ The default.htaccess Master file is backed up.
        √ The secure.htaccess Master file is backed up.
        √ The wpadmin-secure.htaccess Master file is backed up.
        √ The maintenance.htaccess Master file is backed up.
        √ The bp-maintenance.php Master file is backed up.
        √ The bps-maintenance-values.php Master file is backed up.

        5. We are able to properly enable all of the security modes; except for the root folder; as we get the following error message: Failed to Activate BulletProof Security Root Folder Protection! Your Website is NOT protected with BulletProof Security!

        6. Here is the following File Editor Info:
        File Open and Write test successful! The secure.htaccess file is writable.
        File Open and Write test successful! The default.htaccess file is writable.
        File Open and Write test successful! The maintenance.htaccess file is writable.
        File Open and Write test successful! The wpadmin-secure.htaccess file is writable.
        File Open and Write test successful! Your currently active wp-admin .htaccess file is writable.

        • AITpro Admin says:

          Hmm “subdirectory of our main domain”. Is this a “having WordPress in its own directory” set up? If so you will need to see the WordPress Codex on this if you have done anything that is not a standard WordPress installation and set up. Also you should be using a custom permalink structure. This is a standard thing with WordPress that every WordPress site should be using for SEO and other reasons. Please see this post on the best custom permalink structures to use >>> Best Custom Permalink Structure
          Also you need to look at the existing .htaccess file in your root folder. BPS is telling you that an .htaccess file already exists in your root folder so you need to look at what is actually in that .htaccess file using the built-in BPS .htaccess File Editor and you need to check the permissions set for that root .htaccess file. The .htaccess file permission should be set to 644. Check the BPS Security Status page to see what permissions the root .htaccess file has. The other possibility is that the permissions for your root folder are set too restrictive – it needs to be 755.

          • Ron says:

            Hooray, we finally got everything to work correctly, even though we had to change all of the file permissions to 666. According to the control panel all of the modules are working correctly, even though I cannot view any of the actual htaccess files using the file editor, as I receive an error message from the webserver that I am forbidden to view these files.

  22. pi says:

    This part of secure.htaccess in the root of my site kills it! I get 403. It’s like “Deny from all” everywhere.

    # Deny Access to wp-config.php, bb-config.php, /wp-admin/install.php, all .htaccess files
    # php.ini, php5.ini and the WordPress readme.html installation file.
    # To allow ONLY yourself access to these files add your current IP address below to the
    # Allow from line of code and remove the # sign in front of Allow from to uncomment it
    #
    # Deny from all
    # Allow from xxx.xxx.xxx.xxx
    #

    I have to hash-out filesmatch rule :/ to get my site working.

    The other problem I have is with wpadmin-secure.htaccess…AutoMagic didn’t work for me and I had to paste my default .htaccess into wpadmin-secure.htaccess. Site is up and working but I can’t write settings to options of my wordpress and manage my media for ex. delete them and so on.

    Any ideas?

    • AITpro Admin says:

      The FilesMatch section of htaccess code is ONLY blocking those files listed in that section from being opened directly. It does not interfere with the normal function or operation of the files listed in FilesMatch. So if you tried to open one of the files listed in FilesMatch directly then you would get a 403 Forbidden message. You should not see a 403 Forbidden error for any other reason. It is possible that your server is misconfigured, but still all that FilesMatch does is to not allow someone to open the files directly and nothing else.
      Just to be sure you are activating correctly – AutoMagic creates your master files, then you would activate those master files by selecting all the BulletProof Modes and clicking the Activate buttons. If this is not the problem then I am not sure why AutoMagic did not work for your wp-admin folder, but maybe your permissions are set too restrictive somewhere. You should have 755 permissions for all of your WordPress folders. You CANNOT use the default.htaccess htaccess file in your wp-admin folder because it has URL rewriting in that htaccess file which will break all of your admin functions. The wp-admin folder should not have any URL rewriting occurring. That is why your backend admin is not working correctly. Activate BulletProof Mode for your wp-admin folder. If you cannot do this because something is wrong on your site then you should be able to manually add a wp-admin htaccess file using the built-in BPS File editor and doing a copy and paste from the wp-admin master file to Your Current wp-admin htaccess File. Thanks.

      • pi says:

        I bet it has something to do with my hosting, IdeaWebServer/v0.70.
        That’s why I posted all of my hosting info before, which (don’t know why) was moderated.
        AutoMagic did not work for me but manually I managed to make the BulletProof Status window green…
        Permissions are correct.

        • pi says:

          OK. I found a solution. I hashed out the SQL commands filter and everything now works fine.

      • pi says:

        Yes, I didn’t use default.htaccess in my wp-admin folder. My mistake, I got confused because I had to manage those files manually as AutoMagic didn’t work. My hosting provider is known for mis-configuring servers.

        • AITpro Admin says:

          By hashing out the SQL commands filter you have left your website open to SQL Injection hacking methods and your website would not be protected from SQL Injection hacking attempts. This is the most important filter in BPS so you do not want to block it or comment it out. You should check with your web host and find out why this problem is occurring. You may be able to remove only a single SQL command from the filtered SQL commands instead of removing the entire SQL filtered command list so check with your web host and ask them about this.

          • pi says:

            strangest thing….
            I think I found “the what”! Correct me if I’m wrong, but I think a setting like in the example above is the same as one long SQL commands filter rule. The question is now “why” does it work like this?

            RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete).* [NC] 
            RewriteCond %{QUERY_STRING} ^.*(create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC] 
            RewriteRule ^(.*)$ - [F,L]

            I get no more 403 screens in admin panel of WP. For me solved. Problem occurs on IdeaWebServers

          • AITpro Admin says:

            The most important and critical BPS security filter is the SQL Injection filter. The most commonly used SQL commands by hackers in hacking scripts and the most dangerous are: request, select, insert, delete, create and update.
            Removing one SQL command or another increases your chances of a hacker being able to successfully inject code using an SQL Injection hacking script. With the SQL Injection filter modified the way you have modified it you might as well remove it altogether because you have removed the most important SQL commands to block. In other words you have rendered the SQL Injection filter completely useless. The best approach would be to contact your host and find out from them what your options are for viewing your error logs that will show htaccess errors. This varies widely between web hosts so there is no point in listing all the different methods here. Your host may even allow you to use flags in your htaccess files – php_flag log_errors on – but most likely will not. In any case you will need to check with your host to ask them about htaccess restrictions on your hosting account. If they do not allow something that you should be able to have or there is an issue about protecting your website with this host then the obvious answer is to move on to a web host that has / offers what you need. Thanks.

          • pi says:

            I’m sorry but I don’t get it. I didn’t remove any SQL commands. I divided the RewriteCond into two parts because one long line in htaccess often gives me a 403 Error in the admin panel of WP. Is dividing the RewriteCond like I did useless?

          • AITpro Admin says:

            Oh my mistake I misunderstood what you were saying. Yep the modification you did of splitting the SQL commands to filter would be ok, but logically there is no reason to need to do this. Since you do not have [NC,OR] after the first line of SQL commands in the {QUERY_STRING} the second line will probably be ignored. So add the [NC,OR] and then test again. Most likely you will end up with the same original problem you had. Also with all the problems you have encountered with using htaccess on your site have you contacted your web host to ask them why you are having all these problems? Something is seriously not right either with your host or you have a major misconfiguration somewhere. You should not be having all these problems with BPS. Most people just have to activate all the BulletProof Modes and they are done in less than 5 minutes. Thanks.

          • pi says:

            no problem. my English is not as good as I would like.

            my web host admits it’s the limit of signs in a line. I was going nuts and now I’m sure it’s not my fault. splitting htaccess solves my problem.
            Thanks

          • pi says:

            I meant splitting RewriteCond solves my problem ;)

          • AITpro Admin says:

            Cool! Glad you got it working. Thanks.

  23. Leokoo says:

    Hi!

    I installed the bulletproof plugin for wordpress on our site, and activated the 1st two options, as it wasn’t very clear. Before I could do the 3rd option, I tried logging in and out again, and then suddenly found our plugin, theme and root folder inaccessible =.=

    Do kindly advise..

    Leo

    • AITpro Admin says:

      *** UPDATE Problem Resolved ***
      Problem was resolved via email – procedural mistakes issue

      Hi Leo,
      You have a new domain purchased March 4, 2011, your host is IPserverone (dedicated hosting), Apache Linux server and you have a root domain WordPress installation.

      Everything checks out – your host allows htaccess on dedicated hosting and you did not need to use the AutoMagic buttons because you have a root WordPress installation. Just enabling root htaccess protection without wp-admin protection would only break your WP backend and not your frontend. So I am not sure what you did wrong there to break the frontend of your website. The default settings in BPS are designed to work automatically for a root wordpress installation.

      In order to get your site back online you will need to FTP to your website and download the htaccess file in your root folder. Once you have downloaded it then delete it from your server. See if you can now access your website. If not you will need to email me your htaccess file so that I can take a look at it and send you a corrected htaccess file. Thanks.

  24. Vlada says:

    Hello.

    Just wondering, before I start messing with .htaccess, did you try those sql protection lines/filters on some other platform, like Social Engine 4? It is a social network platform, very popular with good plugin support etc, and it would be good to implement an extra layer of security, but I don’t want to mess up something because it is already live and has constant traffic, and I don’t want downtime.

    Regards

    • AITpro Admin says:

      No, I have never tested on SE4. Looks like a great platform. htaccess is a standard website security measure for Apache Linux servers so as long as you are using Linux hosting then you can use htaccess website security. So since the htaccess filters are standard then they should work on SE4 as well. You would of course have to manually use the BPS htaccess files because the plugin is designed specifically for WordPress. I know very little about SE4, but if you wanted to safely test the BPS htaccess filters you could create a test subsite and test the htaccess filters in that subsite. Or maybe just install a new test site altogether. Thanks.

      • Vlada says:

        Thank you for the fast answer. Yes, I did the test site, and almost all lines from your .htaccess are compatible, no 500 Error. Just the last line, RewriteRule ^(.*)$ - [F,L], doesn’t work.
        I also included lines from another WP plugin, W3 Total Cache lines for optimization of cache, expired headers etc, and that works too. Not as efficient as on the WP platform but I got slightly better performance in page loading :)

        Thanks for

        • AITpro Admin says:

          The rewriterule is very important and should not be removed or commented out. Without it you are not processing the filters, so that if a condition is met that is not allowed / Forbidden it will NOT be sent to your Forbidden page. By removing the rewriterule you are saying do nothing if one or more of the Query Exploits Filters conditions are met. So basically you DO NOT have any website security protection if you remove the rewriterule. Thanks.

          • Vlada says:

            Wow… So I am stuck because when I activate that line the whole site is down. Tonight I will research one Help page on Apache, maybe I will find something.

          • AITpro Admin says:

            I tried looking up info on SE4 and htaccess and all I found was that yes you should be able to use a typical htaccess file with SE4. I could not find any specific examples anywhere though. If you can find a standard htaccess file for SE4 then you can start adding BPS filters to it until you come to the one or ones that are not working with SE4. I really don’t have any idea where to tell you to look because these filters should work on all platforms.
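Added example (my code, not BPS plugin code or any commenter's): a small Python model of mod_rewrite's condition chain, run over the two-line SQL filter posted in the IdeaWebServer thread above (with and without the [NC,OR] the admin recommends) and over the same filter with its closing RewriteRule removed, which is the point made in the SE4 thread just above. The example.invalid URLs and query strings are constructed.

```python
"""Evaluator for the RewriteCond %{QUERY_STRING} / RewriteRule - [F] subset
used by the BPS query-string filters. Mirrors Apache's rule: consecutive
conditions are ANDed unless a condition carries [OR]."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cond:
    pattern: str   # regex tested against the raw (undecoded) query string
    nocase: bool   # [NC]
    ornext: bool   # [OR]


@dataclass
class Rule:
    conds: list    # RewriteCond lines that precede this RewriteRule
    forbid: bool   # [F]


def parse_htaccess(text):
    """Parse 'RewriteCond %{QUERY_STRING} <regex> [flags]' and
    'RewriteRule <pattern> <target> [flags]' lines; other lines are ignored."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        flags = set()
        if parts[-1].startswith("[") and parts[-1].endswith("]"):
            flags = {f.strip().upper() for f in parts.pop()[1:-1].split(",")}
        if parts[0] == "RewriteCond" and len(parts) == 3 and parts[1] == "%{QUERY_STRING}":
            pending.append(Cond(parts[2], "NC" in flags, "OR" in flags))
        elif parts[0] == "RewriteRule":
            rules.append(Rule(pending, "F" in flags))
            pending = []
    return rules


def conds_match(conds, query):
    """Mirror mod_rewrite's condition loop: a condition with [OR] is ORed
    with the condition(s) that follow it, up to the next one without [OR];
    a condition without [OR] must match or the whole rule is skipped."""
    i = 0
    while i < len(conds):
        c = conds[i]
        hit = re.search(c.pattern, query, re.IGNORECASE if c.nocase else 0) is not None
        if c.ornext:
            if not hit:
                i += 1          # another condition in this OR-group may still match
                continue
            while i < len(conds) and conds[i].ornext:
                i += 1          # group satisfied: skip the rest of it ...
            i += 1              # ... and the non-[OR] condition that closes it
        elif not hit:
            return False        # an ANDed condition failed: rule does not fire
        else:
            i += 1
    return True


def is_forbidden(htaccess, url):
    """True if any [F] rule in the snippet fires for this URL's query string."""
    query = urlsplit(url).query
    return any(r.forbid and conds_match(r.conds, query) for r in parse_htaccess(htaccess))


# The two-line split exactly as posted above: without [OR] on the first line a
# request has to match BOTH word lists before it is blocked.
SPLIT_WITHOUT_OR = """
RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete).* [NC]
RewriteCond %{QUERY_STRING} ^.*(create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
RewriteRule ^(.*)$ - [F,L]
"""
# The same split with [NC,OR] on the first line: matching EITHER list blocks.
SPLIT_WITH_OR = SPLIT_WITHOUT_OR.replace(".* [NC]\nRewriteCond", ".* [NC,OR]\nRewriteCond", 1)
# The conditions with the closing RewriteRule deleted: nothing acts on them.
NO_REWRITERULE = "\n".join(l for l in SPLIT_WITH_OR.splitlines() if not l.startswith("RewriteRule"))

# Constructed sample requests (not taken from the page).
UNION_SELECT = "http://example.invalid/?id=1%20union%20select%201"   # matches list 1 only
BOTH_LISTS = "http://example.invalid/?id=1;drop%20table%20x;update%20y"  # matches both lists
SEARCH_WORD = "http://example.invalid/?s=character"   # ordinary word containing 'char'
PLAIN = "http://example.invalid/?p=42"

if __name__ == "__main__":
    for name, snippet in (("no OR", SPLIT_WITHOUT_OR), ("with OR", SPLIT_WITH_OR), ("no RewriteRule", NO_REWRITERULE)):
        for url in (UNION_SELECT, BOTH_LISTS, SEARCH_WORD, PLAIN):
            print(f"{name:15s} {urlsplit(url).query:38s} forbidden={is_forbidden(snippet, url)}")
```

The SEARCH_WORD case shows the flip side of these substring patterns: once [OR] is in place, an innocent query containing "char" is blocked too, which is the kind of admin-panel 403 the thread above describes.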

  25. [...] few more layers of security to a WP install. This plugin is a great way to do that. Just be sure to read the instructions before creating new .htaccess files.4. Give yourself more SEO options with WordPress SEO – Out of [...]

  26. WordPress Security – Plugins for WordPress » BulletProof Security Plugin – Advanced Security for WordPress says:

    [...] The people at AITpro have done a good job with this magnificent plugin, in both its free and professional versions. To that end, they have written an extensive installation and help guide (the latest version is from 9 April 2011) that you can see at the following link: BPS installation and help guide. [...]

  27. Vlado says:

    Hi!

    Does BulletProof Security work on WordPress Network?
    Because I activated it on the Network Dashboard and then continued with the installation according to this tutorial, and it doesn’t work.
    What should I do?

    Thanks,
    Vlado

    • AITpro Admin says:

      Hi,
      Yes BPS does work for WordPress Multisites. See the MU section of help in the guide. BPS WordPress Multisite Setup
      Thanks,
      Ed

      • Vlado says:

        Thanks, but it still doesn’t work.

        Architecture of my site looks like this:

        WP MU – “SimpleSite Networks”, then I have sites in subfolders like simplesite.com/offsite and simplesite.com/onsite, and if I activate BulletProof in the “root website” – simplesite.com/, then I see on the sites /offsite & /onsite:
        Not Found
        The requested URL /sample was not found on this server.

        Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

        I don’t know how I can install it… Is it possible that I made a mistake?

        Thanks,
        Vlado

        • AITpro Admin says:

          Ok this is how .htaccess files work. If a parent folder has an .htaccess file in it and the children subfolders do not have .htaccess files in them then the directives / rules in the .htaccess file in the parent folder will be applied to all the children. Since URL rewriting is occurring in the .htaccess files then each child site needs its own .htaccess file in the root folder of that child site. It is possible to handle all of the child sites from one .htaccess file in the parent site root folder with the correct directives / rules. You would need to add rewrite conditions for the child sites. If this is what you want to do then take a look at this post to get you pointed in the right direction >>> Apache Web Server Forum
          The current .htaccess coding in BPS is for a per site installation because that is the most common scenario, but it would not be difficult to add .htaccess coding / rules to do something like what the link above is showing you how to do.
          What I recommend is that you get your sites working using the standard .htaccess method = 1 root .htaccess file for each site, which also requires 1 /wp-admin .htaccess file per site, then experiment with adding .htaccess coding for one of your child sites in the parent .htaccess file. Once you have one child site working from the parent .htaccess file then it should be pretty quick to just add the additional child sites to the parent .htaccess file.
          Since the ErrorDocument directive is giving you 404 errors this means that your paths are not correct. This is going to happen if your RewriteBase is for your parent site and you’re trying to force an error document from another folder that is not in the correct RewriteBase path. My hunch is that you are trying to do everything from one .htaccess file without creating the additional .htaccess rules that you need to add for a Multisite to work from only 1 parent .htaccess file. Do this to get things working correctly first. Manually create the .htaccess files for your parent site and then manually create an .htaccess file for one of your subfolder / child sites and upload the .htaccess files via FTP to the root folders of each site. Once you have things working correctly by using this manual method of testing you can then just add whatever .htaccess code that would be equivalent to this manual test in the parent .htaccess file. Thanks.

  28. Verite says:

    Hi, please can you provide step by step instructions on how to resolve the following red alerts, as I’ve tried everything but with no success:

    A BPS .htaccess file was NOT found in your root folder or you have not activated BulletProof Mode for your Root folder yet, Default Mode is activated or the version of the BPS htaccess file that you are using is not .46.1. Please read the Read Me hover Tooltip above.

    wp-config.php is NOT .htaccess protected by BPS

    Recommended Security Changes: Username “admin” is being used. It is recommended that you change the default administrator username “admin” to a new unique username.

    The WP readme.html file is not .htaccess protected
    The WP /wp-admin/install.php file is not .htaccess protected

    Regarding the “admin” username change my dashboard doesn’t allow me to change the username- how do I get around this?

    Thanks

  29. atom says:

    46.1 – thanks for the update! your work on the maintenance mode page is really impressive!

    2 comments…

    1) I know you mentioned diddling around with e-commerce plugins in the near future. If interested, Cart66, including PayPal IPN, seems to work right out of the box with BPS (I also see you have a hack for DukaPress – cool – good guys)

    2) I noticed in the documentation that options -indexes is supposed to be included in the root htaccess (I assume the root)? It’s not. The only place “options -indexes” is found is in the readme and I don’t think it’s preventing directory browsing there :) Just wanted to let you know (I just add it manually).

    • AITpro Admin says:

      Thanks! Long overdue. I’m lovin that the initial form setup takes 1 minute and activate away. hee hee. I’ve been needing this for a while now for my work so I’m totally stoked with it. Most regular folks will probably never use it or use it once in a blue moon. ;)
      1. Good to know and yep they are good peeps.
      2. Options -Indexes was included in the last version of BPS and many versions before that, but I never wanted to add it and it is really not necessary for a WordPress PHP site. For an HTML site it would be a necessary thing. The final straw was that I had 2 people who were getting 500 Server errors because of the Options directive not being allowed on their 2 different hosts. Hasta La Vista Options -Indexes. he he ;)

      And even with Options -Indexes added in the past you could do things like open the master htaccess files with a URL. So the combination of using FilesMatch and having a deny all htaccess file in the critical places is a much better security approach.

  30. DoktorThomas says:

    If one backs up his WP site with WP-DBmanager, then he may well have moved the file .htaccess from content/plugins/wpdb-manager to content/back-updb, as the error message after db back-up with that plugin suggests. If so, when first activating BPS, the “Activate Website Root Folder .htaccess Security Mode” selection appears ineffective, as no version of the .htaccess file moves to the root folder (free standing blog using WP 3.0.5).

    Where should .htaccess be moved to be secured by BPS?

    • AITpro Admin says:

      BPS does not conflict with WP-DBManager in any way. WP-DBmanager backs up your SQL Database, not local files in your website folders. WP-DBmanager does use its own .htaccess file which should be manually added by you to this folder /backup-db/.htaccess. This htaccess file has nothing to do with BPS. It is a self protection htaccess file that that plugin author is recommending you add.

      If you wanted to manually add an htaccess file you would just add it to whatever folder you want protected by htaccess. Keep in mind that the rules in an htaccess file in the parent folder will be applied to all subfolders of that parent. So if this is for WordPress then you MUST add the wp-admin htaccess file manually as well or administrative functions in your WordPress dashboard will not work correctly.

      So the reasons that the copy function may not be working for you could be you are using IIS hosting, you are running PHP4 not PHP5 or your permissions are too restrictive for the copy function to copy files to your root folder.

      Take a look at the BPS Status and System Info tab pages and post the information here regarding which version of PHP you are running, which Server OS you are using, if permalinks are enabled, check your folder permissions they should be 755. Thanks.

  31. Vlado says:

    Hi!

    Please what should I do if I have 2 subdomains working on WordPress?

    Thanks,
    Vlado

    • AITpro Admin says:

      If you have 2 separate WordPress installations under one domain then you would install BulletProof Security in both WordPress sites and add the correct subfolder names where WordPress is installed for each site. If you are talking about addon or aliased domains under 1 hosting account then the folders that those addons or aliased domains are in do not count as a subfolder. Now if you had addon domains called website1 and website2 and WordPress was installed in subfolders called blog1 and blog2 under each addon domain then you would have WordPress subfolder installations /website1/blog1 and /website2/blog2. What you would add to the htaccess files would just be /blog1 and /blog2, not the addon domain or aliased domain folder name. Thanks.

      • Vlado says:

        Thanks,

        but I had in mind that I have e.g. Mydomain.com running on WordPress and then I have 2 subfolders running on WordPress, e.g. 1.mydomain.com and 2.mydomain.com, so it looks like /public_html/1/ and /public_html/2/.

        So what should I do if I install BulletProof Security and I want to set up subdomains and domains?
        What should I do in .htaccess? I think if I had in .htaccess:

        # BEGIN WordPress
          RewriteEngine On
          RewriteBase /my-blog-folder/
          RewriteRule ^index\.php$ - [L]
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteRule . /1/index.php [L]
        # END WordPress

        Where should I put the 2 subdomains?

        Thanks

        • AITpro Admin says:

          I still don’t understand exactly what end result you want. Are these separate website domains or are these separate WordPress installations in subfolders? If these are separate website domains, do you want any HTTP_HOST request to be redirected to one location? Do you want all your WordPress sites to redirect to one website domain? Do you want one htaccess file that will rewrite each separate HTTP_HOST request to the correct website domain (or folder)? I need to know what the end result is before I can provide the code you want.

          Do you want to install BulletProof in the root of your domain on one WordPress installation and have that one WordPress installation and htaccess file in your domain root do all the rewriting for all of your WordPress installations instead of installing BulletProof Security in each WordPress site? If you want only one htaccess file controlling all other domains or subfolders then you will have to manually add the wpadmin-secure.htaccess file (and rename the file to just .htaccess) to ALL of your other WordPress installations’ /wp-admin folders, otherwise you will have problems with administrator functions with the WordPress sites that do not have this file manually copied to the /wp-admin folder for each of those additional WordPress sites / installations. Thanks.
          Ed

  32. B says:

    I tried to set up BP from Scenario 3, starting in this condition:

    NO .htaccess was found in your root folder

    wp-config.php is NOT .htaccess protected by BPS

    Deny All protection NOT activated for BPS Master /htaccess folder
    Deny All protection NOT activated for /wp-content/bps-backup folder

    NO .htaccess file was found in your /wp-admin folder

    The following problems developed after following the instructions for installation, which created htaccess files…

    At the bottom of the blog, this error message appeared:

    Not Found
    The requested URL /index.php was not found on this server.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request

    And, when I tried to view comments from the blog, I got a 404 page, yet the comments are still viewable from the Dashboard.

    So I tried removing BP and reverting. I did not have a mirror image to revert to so restored changed files and folders from backup and manually removed the htaccess files. This did not work so I reinstalled WP 3.1, which also did not work.

    Still, I have the error message at the bottom of the blog, and get a 404 when I try to view comments. Help?

    • AITpro Admin says:

      Please provide your website URL so I can troubleshoot this issue. Also I see that your IP address is coming from a Tor Relay to make it anonymous so if you would prefer to keep your URL anonymous then send me an email directly using the AITpro contact form. Thanks.