BulletProof Security Free Version Plugin Guide – BPS Version .47.1 – .45.5

Author: AITpro Admin
Published: July 20, 2010
Updated: October 6, 2012

Troubleshooting BulletProof Security plugin issues:

If you think BPS is causing a plugin conflict or any other issue on your website, use the steps below to take BPS out of the equation completely for testing (there is no need to deactivate BPS; it has a built-in Default Mode). If you find that BPS does conflict with another plugin, check the BulletProof Security Plugin Compatibility Issues – Testing and Fixes page (link above) to see whether a fix (bypass/skip rule) is already listed. If your plugin is not listed and you have confirmed that BPS is definitely causing the conflict, post a comment on the Questions, Comments, Problems & Wishlist page (link above). Thank you.

1. Make a backup of your .htaccess files using BPS Backup.
2. Activate Default Mode on the Security Modes page.
3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
4. Test your plugin or theme.
5. Restore your .htaccess files using BPS Restore.

To completely uninstall BPS you would do steps 2 and 3 above and then just delete the BPS plugin on the WP Plugins page.

NOTE:  Both the Root BulletProof Mode and the wp-admin BulletProof Mode MUST be activated at the same time/together.  If you do not activate the wp-admin BulletProof Mode then some wp-admin Dashboard functions may not work correctly like configuring Widgets or activating and deactivating plugins.


AutoMagic is not working / not creating Master .htaccess files or you are unable to use the built in .htaccess file editor or you are unable to Backup or Restore files

The most likely cause is that your Server API is DSO rather than CGI. You can check your Server API on the BPS System Info tab page. On a DSO-configured server PHP runs as the web server user rather than as your account user, so files and folders owned by your FTP account are not writable by the plugin, and some of the automated features in BPS will not work correctly. You will unfortunately need to perform the steps below manually using FTP. A future version of BPS will have code that compensates for this so the automation also works on DSO-configured servers.

To create the secure.htaccess file with AutoMagic:
  – Change the permissions of the secure.htaccess file to 777 – /wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess
To activate BulletProof Mode for your Root folder:
  – Change the permissions of your Root .htaccess file to 777 – /your-website-root-folder/.htaccess
To activate BulletProof Mode for your wp-admin folder:
  – Change the permissions of the wp-admin .htaccess file to 777 – /your-website-root-folder/wp-admin/.htaccess
To activate Deny All htaccess folder protection for the BPS Master htaccess folder:
  – Change the permissions of the /wp-content/plugins/bulletproof-security/admin/htaccess folder to 777.
To activate Deny All htaccess folder protection for the BPS Backup folder:
  – Change the permissions of the /wp-content/bps-backup/htaccess file to 777.
To back up your currently active .htaccess files:
  – Change the /bps-backup folder permissions to 777 – /wp-content/bps-backup
To back up your BPS Master .htaccess files:
  – Change the /master-backups folder permissions to 777 – /wp-content/bps-backup/master-backups

Once you have completed the installation steps above, change the permissions of both .htaccess files back to 644 and change all of the folder permissions back to 755 (or whatever you previously had for those folders). Another option is to download the secure.htaccess, wpadmin-secure.htaccess and deny-all.htaccess files manually and then use FTP to upload them to where they belong.
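As an added example that is not part of this guide or of the BPS plugin, the following Python script audits the paths named in the manual procedure above for permissions left at 777, and applies the 644/755 revert; the WordPress root path and the sample layout it builds are constructed for demonstration, and the path list follows the steps above (the bps-backup/htaccess entry is ambiguous in the guide and is left out).

```python
"""Audit and revert the temporary 777 permissions from the manual DSO procedure.

Added example (not BPS code).  The paths come from the manual steps above; the
sample layout built by build_sample_install() is constructed for demonstration.
"""
import os
import stat
import tempfile

# Relative to the WordPress root folder; expected mode after the revert step:
# 644 for the .htaccess files, 755 for the folders.
BPS_PATHS = {
    ".htaccess": 0o644,
    "wp-admin/.htaccess": 0o644,
    "wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess": 0o644,
    "wp-content/plugins/bulletproof-security/admin/htaccess": 0o755,
    "wp-content/bps-backup": 0o755,
    "wp-content/bps-backup/master-backups": 0o755,
}


def _mode(path):
    """Permission bits of path as an int (e.g. 0o644), ignoring the file type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_permissions(wp_root):
    """Return {relative path: (actual, expected, ok)} for each listed path that exists.
    ok means the bits match the expected value and the path is not world-writable."""
    report = {}
    for rel, expected in BPS_PATHS.items():
        full = os.path.join(wp_root, rel)
        if not os.path.exists(full):
            continue  # e.g. master-backups does not exist until the first backup
        actual = _mode(full)
        report[rel] = (actual, expected, actual == expected and not actual & stat.S_IWOTH)
    return report


def world_writable(wp_root):
    """Walk the whole install and list everything still world-writable (o+w), which is
    the state a forgotten revert leaves behind; symlinks are skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(wp_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and _mode(full) & stat.S_IWOTH:
                found.append(os.path.relpath(full, wp_root))
    return sorted(found)


def revert_permissions(wp_root):
    """Apply the final step of the procedure (644 on the .htaccess files, 755 on the
    folders) and return the relative paths whose mode actually changed."""
    changed = []
    for rel, expected in BPS_PATHS.items():
        full = os.path.join(wp_root, rel)
        if os.path.exists(full) and _mode(full) != expected:
            os.chmod(full, expected)
            changed.append(rel)
    return changed


def build_sample_install():
    """Create a constructed throwaway layout (not a real site) with every listed path at
    644/755 except two deliberately left at 777 to simulate a forgotten revert."""
    root = tempfile.mkdtemp(prefix="bps-demo-")
    for rel, expected in BPS_PATHS.items():
        full = os.path.join(root, rel)
        if expected == 0o755:
            os.makedirs(full, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("# constructed placeholder .htaccess\n")
    # Normalise every directory and file first so the result is independent of umask.
    os.chmod(root, 0o755)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o644)
    os.chmod(os.path.join(root, "wp-admin", ".htaccess"), 0o777)
    os.chmod(os.path.join(root, "wp-content", "bps-backup"), 0o777)
    return root


if __name__ == "__main__":
    demo_root = build_sample_install()
    print("world-writable before revert:", world_writable(demo_root))
    print("changed by revert:", revert_permissions(demo_root))
    print("world-writable after revert:", world_writable(demo_root))
```

Point `audit_permissions` and `world_writable` at a real WordPress root after finishing the manual steps to confirm nothing was left at 777.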

All information below this point is older Bulletproof Security version information. Everything in BPS has been automated since the release of BPS .46.5, and the information below became obsolete. This Guide page will be kept for SEO purposes. A new current BPS troubleshooting page can be found here >>> http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/


*** BulletProof Security .46.3 – HUD now checks the root .htaccess file for any conflicts with W3TC and WPSC.  The Heads Up Display will display a warning or error message with instructions on what needs to be done to fix any root htaccess conflicts ***

*** BulletProof Security .46.2 – AutoMagic .htaccess file creation so most of the guide is still helpful for manual editing info or other various references, but setup and installation is now completely automated *** 

BulletProof Security can be installed if you are using an IIS server for web hosting, but only install BulletProof on a Windows IIS server if you absolutely understand IIS hosting very well.  BPS has a new Heads Up Display (HUD), which will tell you if you can activate BulletProof Security Modes. In most IIS cases you will only be able to use the additional features in BulletProof Security, but not be able to activate BulletProof Security Modes. IIS does not natively support mod_rewrite. This is a UNIX / Linux thing. Check with your web host and also read this WordPress Codex for more information on using Permalinks without mod_rewrite.


BulletProof Security .46.8 Specs

BulletProof Security .46.8 PHP Memory Usage > 100KB > .10MB

BulletProof Security .46.8 Total Disk Size > .98MB

BulletProof Security .46.8 Performance > Zero front end drag > Zero back end drag > Zero page load time added


BulletProof Security .46.4 Features

BulletProof Security is essentially a website Firewall for your website. The filters contained in the BulletProof Security master htaccess files will not allow malicious scripts to be run against your website. When the BulletProof Security filters detect malicious scripts either by a user or a bot they are immediately redirected to a Forbidden page. This could also be your 404 page if you want to add that path to your 404 page in the BulletProof Security master htaccess files.

As of BulletProof Security .46.3 – W3TC and WPSC HUD checks
As of BulletProof Security .46.3 the Maintenance Mode Form options are saved to the DB
As of BulletProof Security .46.2 everything is AutoMagic and Full Manual Control is still available
As of BulletProof Security .46.1 Maintenance Mode is AutoMagic
As of BulletProof Security .45.8 permanent online backup solution provided.
* Permanent Backup and Restore options added – permanent online backup and restore
* Permanent Backup and Restore for all .htaccess files
* Permanent Backup and Restore for File Uploader and File Downloader setup settings
* Additional new .htaccess coding and modifications added to the BulletProof Security master .htaccess files
* New plugin conflict permanent fixes added to the secure.htaccess Master file
* WordPress readme.html and /wp-admin/install.php are now protected by BulletProof Security
* Improved Success / Error messaging – more detailed success / error messages displayed
* New Help and FAQ links added – New detailed Help and Info pages created

BulletProof Security – jQuery UI Tabbed Menu

The new BulletProof Security jQuery UI tabbed menu is using the default jquery-ui-tabs script included with WordPress. The menu buttons have CSS hover effects for better visual and functional navigation.

BulletProof Security – Security Features

All SQL Injection hacking attempts blocked by htaccess protection
All XSS hacking attempts blocked by htaccess protection
wp-config.php is .htaccess protected by BPS
php.ini and php5.ini are .htaccess protected by BPS
WordPress readme.html file is .htaccess protected by BPS
WordPress /wp-admin/install.php file is .htaccess protected by BPS
Options -Indexes ensures directory browsing is not allowed
BulletProof Security File Editor – Edit BPS Files from within The WP Dashboard
BulletProof Security File Downloader – Download Files from within The WP Dashboard
BulletProof Security File Uploader – Upload Files from within The WP Dashboard
Deny All htaccess protection for your BPS Master /htaccess folder
Deny All htaccess protection for your BPS htaccess /backup folder
WordPress DB Show Errors Function Is Set To: false
WordPress Database Errors Are Turned Off
WordPress Meta Generator Tag Removed
WordPress Version Is Not Displayed / Not Shown
Default Administrator username “admin” account check
File and Folder Permission Checks
Online – Permanent Backup & Restore for .htaccess and setup files
503 Website Maintenance Mode – Enter your website info and activate
Log In / Out of your Website in Maintenance Mode
 
BulletProof Security – System Information Panels
 
Website / Server / IP Info:
Website Root Folder:
Website Document Root Path:
WP ABSPATH:
Server / Website IP Address:
Public IP / Your Computer IP Address:
Server Type:
Operating System:
Multisite:
Browser Compression Supported:
PHP Version Check:
 
BulletProof Security – PHP Information:
 
PHP Version:
PHP Memory Usage:
PHP Memory Limit:
PHP Max Upload Size:
PHP Max Post Size:
PHP Safe Mode:
PHP Allow URL fopen:
PHP Allow URL Include:
PHP Display Errors:
PHP Display Startup Errors:
PHP Expose PHP:
PHP Register Globals:
PHP Max Script Execution Time:
PHP Magic Quotes GPC:
PHP open_basedir:
PHP XML Support:
PHP IPTC Support:
PHP Exif Support:
 
SQL Database / Permalink Structure / WP Installation Folder
 
MySQL Database Version:
MySQL Client Version:
Database Host:
Database Name:
Database User:
SQL Mode:
WordPress Installation Folder:
WordPress Installation Type:
WP Permalink Structure:
Permalinks Enabled:
 

Everything after this point is older Bulletproof Security version information. Everything in BPS is automated these days, but if you are looking for manual instructions or other info, read on. After the release of BPS .46.5 a lot of this information became obsolete. This content remains for SEO purposes and should not be used as a guide or help for current BPS free versions.

Step 1 – BulletProof Security – Install and Activate BulletProof Security

BulletProof Security now has AutoMagic .htaccess file creation, so setup and installation is completely automated. The BulletProof Security Guide should be used as a reference for manual .htaccess file editing and other questions you may have about BPS.
First off, do not let the amount of help info contained in the BulletProof Security guide make you think that BulletProof Security is a complicated and difficult plugin to install, set up or use. On the contrary, the BulletProof Security plugin is a very simple and easy plugin to install, set up and use. If your WordPress installation is in your website root folder then you do not need to do anything – just install BPS and activate BulletProof Security Modes (please read Step 2 just to be absolutely sure). BulletProof Security has backup and restore, so be sure to perform a backup before activating BulletProof Security Modes for the first time. If your WordPress installation is in a subfolder off the root of your website domain then you will need to add the WordPress folder name (the folder where WordPress is installed on your website) to the BulletProof Security master htaccess files before activating BulletProof Security Modes.

*Installing the BulletProof Security plugin only installs the plugin files – No website security protection is activated on installation of the BulletProof Security Plugin. This also means that when you upgrade BulletProof Security your existing BulletProof Security .htaccess files are not changed until you activate the newer BulletProof Security .htaccess files. For people who are installing BulletProof Security for the first time please read Step 2 before activating BulletProof Security modes.*

BulletProof Security Settings Page

After installing BulletProof Security click on the Settings link directly under BulletProof Security in the main Plugins options window or go to the WordPress Settings panel and click on the BulletProof Security link. Either link takes you to the same BulletProof Security Settings page. If you are performing a new installation of BulletProof Security please read Step 2 before activating any BulletProof Security modes.

*If you are upgrading BulletProof Security perform a backup using BulletProof Security Backup and Restore. As of BulletProof Security .45.8 the backups are permanent and you can restore those backups after upgrading. You can of course also use the BulletProof Security File Downloader to make local backups to your computer before upgrading * Backed up files are located and stored here >>> /wp-content/bps-backup/ .

Step 2 – BulletProof Security – Checking and Determining Whether Your WordPress Installation Is In Your Website Domain Root or In a Subfolder of Your Website Domain Root

It is absolutely critical that you add the correct RewriteBase and RewriteRule in the BulletProof Security .htaccess files for WordPress to function normally. As of BulletProof Security .46.2, AutoMagic .htaccess file creation has been added so that creating the correct .htaccess files for your specific website is fully automated. Most of the guide pertains to manually configuring or manually editing BulletProof Security and other questions you might have. You can now use the BulletProof Security Guide as a reference if you run into any issues instead of as a setup or installation guide. WordPress will also generate the correct .htaccess code for you automatically (read the fast, simple and automated method below), but this method of generating .htaccess code is not needed any longer since BPS AutoMagic will do that for you. I have also included instructions on doing this manually. If you are using the manual method of adding your RewriteBase and RewriteRule for WordPress then please read all of Step 2 first before activating any BulletProof Security Modes. BulletProof Security .46.2 will do all of this for you automatically. The expected release date for BulletProof Security .46.2 is 4-26 to 5-1.

BulletProof Security – The fast, simple and automated method of generating the correct WordPress .htaccess code for your website

BulletProof Security now has AutoMagic .htaccess file creation so this is no longer necessary. If you are already using WordPress permalinks go to your Settings Panel >>> click Permalinks >>> click the Save Changes button. WordPress automatically writes the correct .htaccess code to Your Current Root htaccess File. Now go to the BulletProof Security File Editor and click on the Your Current Root htaccess File menu tab and you will see the new .htaccess code that WordPress has written to Your Current Root htaccess File. You can then just copy and paste that WordPress .htaccess code to the secure.htaccess master file using the File Editor and click the Update File button to save your editing changes. You can now activate BulletProof Security Mode.

The .htaccess code that WordPress writes to Your Current Root htaccess File (your .htaccess code may look slightly different):

# BEGIN WordPress
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If you are not using WordPress permalinks yet (every WordPress website should be using a custom permalink structure for better performance and SEO reasons) then take a look at this post for instructions on why and how to add a custom permalink structure for your website >>> Best WordPress Permalink Structure

Note: At some point in later versions of BulletProof Security the plugin fixes in the secure.htaccess file will be written to automatically (AutoMagic Mode). For now the additional plugin fixes will require manual editing ONLY if your WordPress installation is in a subfolder. This is NOT required for WordPress websites that are installed in the website domain root folder. See Modifying the BulletProof Security htaccess Master Files.

BulletProof Security – Information on Manually adding the correct .htaccess RewriteBase and RewriteRule for WordPress

After installing BulletProof Security click on the System Info Menu

Under the Website / Server / IP Info table you will see your website root folder listed.

1. Examples of Website Root Folders in the root of a website domain – WordPress Root Folder Installations where WordPress is installed into the root folder not a subfolder of the website domain

This example shows that this website root folder is also the root of this website domain. This is also the root folder for the WordPress installation in this example.

Website Root Folder: http://www.ait-pro.com/

More examples of Website Root Folders in the root of a website domain:

http://ait-pro.com/ – Same as above just without a prefix

http://blog.ait-pro.com/ – this one fools a lot of people – this is still a website root folder in the root of a website domain and not a subfolder.

2. Subfolder Examples of Website Root Folders in the root of a website domain – The difference is that WordPress is installed in a Subfolder off of the root website folder

This example shows that the “blog” folder is a subfolder of the root of this website domain. This is also considered the root folder for the WordPress installation. The wording is confusing I know.

Website Root Folder: http://www.ait-pro.com/blog/

More subfolder examples:

http://ait-pro.com/blog/ – no www. prefix, but the blog folder is a folder created in the ait-pro.com website domain root, which makes it a subfolder.

http://blog.ait-pro.com/other-folder/ – this is a subfolder WordPress installation not because of the blog prefix, but because of the folder named “other-folder” created in the website root domain of blog.ait-pro.com

Double Prefix naming mistake

http://www.blog.ait-pro.com/my-blog-folder/ – if your Website Root Folder shows 2 prefixes (www and blog) then this is a mistake that needs to be corrected in your Settings Panel > General Settings page. The subfolder in this example would be /my-blog-folder.

If your Website Root Folder is in the root of your website domain shown in example 1, then you do not need to make any modifications to the BulletProof Security master files. Go to Step 3.

IMPORTANT!

If your Website Root Folder is in a subfolder of the root of your website domain shown in example 2, then you will have to make modifications to the BulletProof Security master .htaccess files by adding your WordPress subfolder name to the BulletProof Security .htaccess files. You can use the WordPress update permalinks method to generate the correct .htaccess code for your website or you can just do this manually. Do not proceed to Step 3. Click on this link instead >>> Modifying the BulletProof Security master .htaccess files for WordPress installations in subfolders.
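To make the root-versus-subfolder decision in Step 2 concrete, here is an added Python example (not code from this guide or from the BPS plugin) that classifies a Website Root Folder URL, flags the double-prefix mistake, generates the matching RewriteBase/RewriteRule block as WordPress writes it on a Permalinks save, and splices that block into a master .htaccess text; the sample master file is constructed, and the double-prefix check is a heuristic on the hostname pattern described above.

```python
"""Derive the WordPress rewrite block from the Website Root Folder URL (Step 2).

Added example, not part of the BPS plugin.  The master .htaccess text used in
__main__ is a constructed sample.
"""
import re
from urllib.parse import urlparse

# Matches the block WordPress writes between its markers, non-greedy, across lines.
WP_BLOCK_RE = re.compile(r"# BEGIN WordPress.*?# END WordPress", re.S)


def classify_root_folder(url):
    """Return (kind, base, warning) for the Website Root Folder URL shown on the BPS
    System Info page.  kind is 'root' (example 1) or 'subfolder' (example 2); base is the
    RewriteBase path; warning is set for the double-prefix mistake (www.blog.domain.tld).
    Heuristic: 'www' followed by another label before the registrable domain; hosts under
    two-part public suffixes such as example.co.uk would need a suffix list to be exact."""
    parsed = urlparse(url)
    labels = (parsed.hostname or "").split(".")
    warning = None
    if len(labels) >= 4 and labels[0] == "www":
        warning = ("double prefix '%s.%s': correct the URL under Settings > General"
                   % (labels[0], labels[1]))
    folder = parsed.path.strip("/")
    if not folder:
        return "root", "/", warning
    return "subfolder", "/" + folder + "/", warning


def wordpress_rewrite_block(url):
    """Build the '# BEGIN WordPress' block for url: RewriteBase and the catch-all
    RewriteRule both point at the folder WordPress lives in."""
    kind, base, warning = classify_root_folder(url)
    lines = [
        "# BEGIN WordPress",
        "<IfModule mod_rewrite.c>",
        "RewriteEngine On",
        "RewriteBase " + base,
        "RewriteRule ^index\\.php$ - [L]",
        "RewriteCond %{REQUEST_FILENAME} !-f",
        "RewriteCond %{REQUEST_FILENAME} !-d",
        "RewriteRule . " + base + "index.php [L]",
        "</IfModule>",
        "# END WordPress",
    ]
    return "\n".join(lines), warning


def splice_wordpress_block(master_text, url):
    """Replace the WordPress block in a BPS master .htaccess text with the one generated
    for url, or append it when the master file has none.  This is the copy-and-paste
    step done in the BPS File Editor, returned as text rather than written to disk."""
    block, warning = wordpress_rewrite_block(url)
    if WP_BLOCK_RE.search(master_text):
        # A callable replacement keeps the backslash in ^index\.php$ literal.
        new_text = WP_BLOCK_RE.sub(lambda m: block, master_text, count=1)
    else:
        new_text = master_text.rstrip("\n") + "\n\n" + block + "\n"
    return new_text, warning


if __name__ == "__main__":
    # Constructed sample of a master file that still carries a root-install block.
    SAMPLE_MASTER = (
        "# constructed secure.htaccess sample\n"
        "Options -Indexes\n"
        "# BEGIN WordPress\n"
        "RewriteBase /\n"
        "RewriteRule . /index.php [L]\n"
        "# END WordPress\n"
    )
    for site in ("http://www.ait-pro.com/", "http://ait-pro.com/blog/",
                 "http://www.blog.ait-pro.com/my-blog-folder/"):
        text, warn = splice_wordpress_block(SAMPLE_MASTER, site)
        print(site, "->", classify_root_folder(site)[0], "| warning:", warn)
        print(text)
```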

Step 3 – BulletProof Security – Checking and Making a Note of Red Warning Messages Displayed on the Security Status page

The warning or error messages you will see in BulletProof Security are intuitive and should be fairly self-explanatory about what you need to do next. When you first install BulletProof Security you will see red warning messages informing you of what has been done, what has not been done yet, or whether you have any problems. You are just making a note of warnings and errors in steps 3 and 4, and mostly this is just to reassure people that seeing red warning messages when you first install BulletProof Security is completely normal.

Click on the Status menu tab and make a note of any red warning messages you see. You may see warnings such as these:

The .htaccess file that is activated in your root folder is:
string(45) “EGIN WordPress Rew”
 
√ wp-config.php is .htaccess protected by BPS
√ php.ini and php5.ini are .htaccess protected by BPS
 
Deny All protection NOT activated for BPS Master /htaccess folder
Deny All protection NOT activated for /wp-content/bps-backup folder
 
NO .htaccess file was found in your /wp-admin folder
 
After you have activated BulletProof Modes and Deny All protection you should see this
 
The .htaccess file that is activated in your root folder is:
string(45) ” BULLETPROOF .45.8 >>>>>>> SECURE .HTACCESS “
 
√ wp-config.php is .htaccess protected by BPS
√ php.ini and php5.ini are .htaccess protected by BPS
 
√ Deny All protection activated for BPS Master /htaccess folder
√ Deny All protection activated for /wp-content/bps-backup folder
 
The .htaccess file that is activated in your /wp-admin folder is:
string(45) ” BULLETPROOF .45.8 WP-ADMIN SECURE .HTACCESS “
 
Warnings Under General BulletProof Security File checks
 
√ An .htaccess file was found in your root folder
√ An .htaccess file was found in your /wp-admin folder
√ A default.htaccess file was found in the /htaccess folder
√ A secure.htaccess file was found in the /htaccess folder
√ A maintenance.htaccess file was found in the /htaccess folder
√ A bp-maintenance.php file was found in the /htaccess folder
√ A wpadmin-secure.htaccess file was found in the /htaccess folder
Your Current Root .htaccess file is NOT backed up yet
Your Current wp-admin .htaccess File is NOT backed up yet
Your File Upload settings are NOT backed up yet
Your File Download settings are NOT backed up yet
Your BPS Master default.htaccess file is NOT backed up yet
Your BPS Master secure.htaccess file is NOT backed up yet
Your BPS Master wpadmin-secure.htaccess file is NOT backed up yet
Your BPS Master maintenance.htaccess file is NOT backed up yet
Your BPS Master bp-maintenance.php file is NOT backed up yet
 

Step 4 – BulletProof Security – Checking and Noting red warning messages on the Backup & Restore page

Click on the Backup & Restore menu tab. At the bottom of the BulletProof Security Backup & Restore page under the “Current Backed Up .htaccess Files Status” window you should see warning messages such as these:

√ An .htaccess file was found in your root folder
NO .htaccess file was found in your /wp-admin folder
 
Your Root .htaccess file is NOT backed up either because you have not done a Backup yet, an .htaccess file did NOT already exist in your root folder or because of a file copy error. Read the “Current Backed Up .htaccess Files Status Read Me” hover ToolTip for more specific information.
 
Your wp-admin .htaccess file is NOT backed up either because you have not done a Backup yet, an .htaccess file did NOT already exist in your /wp-admin folder or because of a file copy error. Read the “Current Backed Up .htaccess Files Status Read Me” hover ToolTip for more specific information.
 
Your default.htaccess Master file has NOT been backed up yet!
Your secure.htaccess Master file has NOT been backed up yet!
Your wpadmin-secure.htaccess Master file has NOT been backed up yet!
Your maintenance.htaccess Master file has NOT been backed up yet!
Your bp-maintenance.php Master file has NOT been backed up yet!
 

Step 5 – BulletProof Security – Backup, Restore and Activation of BulletProof Security Modes

Step 5 is in need of updating – this information was written for older versions of BulletProof Security, but the general principles are still pretty much the same.

BulletProof Security now has AutoMagic .htaccess file creation so the updating Permalinks method is no longer necessary. Looking for the fast, simple and automated installation method >>> Updating WordPress Permalinks to generate your correct htaccess code

Note: As of BulletProof Security .45.8 permanent online backup options have been added. As of BulletProof Security .45.7 you can now use the File Editor to copy and paste from your old htaccess files to your new htaccess files and Download and Upload the BulletProof Security files from within the WordPress Dashboard.

These are the 3 most common scenarios for new installations of BulletProof Security. Find the example scenario that matches what you want to do and follow the steps of that particular backup and activation scenario.

Example Scenarios:

BulletProof Security – Scenario 1

You want to make sure that you have backups of your existing htaccess files before activating any BulletProof Security Modes.

Perform a Backup now. I also recommend downloading your existing .htaccess files as an additional backup precaution. Next click on the Security Modes menu tab. Select BulletProof Mode for your website Root folder and click the activate button. Now open another separate browser window or separate browser tab. Do not leave your WordPress Dashboard yet. Make sure that your website is viewable and click on links to pages and posts to test that links are working correctly. If everything is working fine then activate BulletProof Mode for the /wp-admin folder.

If you were not able to view your site in the step above or links were not working correctly then perform a Restore by clicking on the Backup and Restore menu tab and select Restore htaccess files and click the Restore Files button. Your website is now back where it was before you activated any BulletProof Modes. At this point you will need to figure out what the issue is with your website that is causing BulletProof not to work correctly. The two most common issues are that your WordPress installation is actually in a subfolder or you are using two domain prefixes (www.blog.website.com – www and blog together being the 2 prefixes). Another common problem is that your website is running PHP4 not PHP5. The guide explains the most common problems and solutions. For assistance please post a comment – you should hear back from Ed within an hour or so. ;)

BulletProof Security – Scenario 2

The most common scenario is that you have an existing .htaccess file in your website root folder, but not in your /wp-admin folder and you are not concerned about saving or backing up the existing .htaccess file. Back it up anyway. ;)

You have a choice here of performing a Backup to back up just your existing root .htaccess file and leave the red warning message the way it is for the /wp-admin folder. It is not a critical thing either way. This is more of a cosmetic thing if you don’t like seeing red warning messages.

Or

Recommended: You can click on the Security Modes menu tab and activate BulletProof mode for just your /wp-admin folder – this generates a new htaccess file for your /wp-admin folder. Now go back to the Backup & Restore menu tab and click the One Time Backup button. This means that you backed up your original existing .htaccess file that was in your website root folder and also backed up the new .htaccess file that you just created by activating BulletProof mode for your /wp-admin folder. I also recommend downloading your existing .htaccess file as an additional backup precaution. This method is just basically a way to get rid of the red error message regarding a wp-admin .htaccess file being backed up or not on the Backup and Restore page. ;)

You should now see these green status messages displayed in the “Current Backed Up .htaccess Files Status” window and all green status messages on the Security Status page.

√ An .htaccess file was found in your root folder

√ An .htaccess file was found in your /wp-admin folder

Your original root .htaccess file is backed up.

Your original /wp-admin .htaccess file is backed up.

You can now activate BulletProof Mode for your website root folder. Click on the Security Modes menu. Activate BulletProof Mode in your website root folder. Now open another separate browser window or separate browser tab. Do not leave your WordPress Dashboard yet. Make sure that your website is viewable and click on links to pages and posts to test that links are working correctly. If everything is working fine then you are good to go.

If you were not able to view your site in the step above or links were not working correctly then perform a Restore by clicking on the Backup and Restore menu tab and select Restore htaccess files and click the Restore Files button. Your website is now back where it was before you activated any BulletProof Modes. At this point you will need to figure out what the issue is with your website that is causing BulletProof not to work correctly. The two most common issues are that your WordPress installation is actually in a subfolder or you are using two domain prefixes (www.blog.website.com – www and blog together being the 2 prefixes). Another common problem is that your website is running PHP4 not PHP5. The guide explains the most common problems and solutions. For assistance please post a comment – you should hear back from Ed within an hour. ;)

BulletProof Security – Scenario 3

You do not have any existing .htaccess files in either your website root folder or /wp-admin folders.

Nothing to Backup so you can now just go to the Security Modes menu tab and activate BulletProof Modes for both your website root folder and /wp-admin folders.

Check to make sure everything is working fine. Open another separate browser window or separate browser tab. Do not leave your WordPress Dashboard yet. Make sure that your website is viewable and click on links to pages and posts to test that links are working correctly. If everything is working fine then you are good to go.

If you run into a problem here then FTP to your website and delete the .htaccess file in your website root folder. Since you did not have any original htaccess files to begin with you will not be able to use the Restore feature.

At this point you will need to figure out what the issue is with your website that is causing BulletProof not to work correctly. The two most common issues are that your WordPress installation is actually in a subfolder or you are using two domain prefixes (www.blog.website.com – www and blog together being the 2 prefixes). Another common problem is that your website is running PHP4 not PHP5. The guide explains the most common problems and solutions. For assistance please post a comment – you should hear back from Ed within an hour. ;)

BulletProof Security – Modifying The BulletProof Security .htaccess Master Files For Website Owners With WordPress Installations In Subfolders

The fast, simple and automated method of generating the correct WordPress .htaccess code for your website

BulletProof Security now has AutoMagic .htaccess file creation so this is no longer necessary. If you are using WordPress permalinks go to your Settings Panel >>> click Permalinks >>> click the Save Changes button. WordPress automatically writes the correct .htaccess code to Your Current Root htaccess File. Now go to the BulletProof Security File Editor and click on the Your Current Root htaccess File menu tab and you will see the new .htaccess code that WordPress has written to Your Current Root htaccess File. You can then just copy and paste that WordPress .htaccess code to the secure.htaccess master file using the File Editor and click the Update File button to save your editing changes. You can now activate BulletProof Security Mode.

If you are not using WordPress permalinks yet (every WordPress website should be using a custom permalink structure for better performance and SEO reasons) then take a look at this post for instructions on why and how to add a custom permalink structure for your website >>> Best WordPress Permalink Structure

Note: As of BulletProof Security .45.8 permanent online backup options are available. As of BulletProof Security .45.7 you can now Edit the BulletProof Security htaccess files within the WordPress Dashboard with the new BulletProof Security File editor. BulletProof Security now also has File Download and File Upload from within the WordPress Dashboard.

If your WordPress installation is in a subfolder of your website root domain then you will need to modify these 3 BulletProof Security master .htaccess files: default.htaccess, secure.htaccess and maintenance.htaccess. Once you have made all of the necessary modifications to these 3 files you can proceed back to Step 3. These modifications should only take you about 10 minutes. I have overexplained this step so that there are no misunderstandings about what needs to be modified. Skip to the examples, and if they make sense to you then you don’t need to read all the additional explanations here.

In these examples WordPress is installed in a folder called my-blog-folder. The website domain is called my-website-domain.com. If WordPress was installed in just the root website folder of www.my-website-domain.com/ then you would not need to modify any of the htaccess files. It is also of course possible that you have 2 WordPress installations (or possibly many more) – 1 in your root website domain folder – my-website-domain.com and another WordPress installation in your my-blog-folder. If this is the case then you are actually installing BulletProof Security on 2 separate WordPress websites and only the my-blog-folder WordPress website would need to have the htaccess master files modified for a WordPress subfolder installation. If you have a WordPress multisite (WPMU) set up then see the Multisite help section.

For this example WordPress is installed here in this subfolder >>> www.my-website-domain.com/my-blog-folder

This example is assuming you have chosen to manually enter your RewriteBase and RewriteRule folder name. You can have WordPress automatically generate your RewriteBase and RewriteRule folder paths if you are not 100% sure of what they are supposed to be. Updating or Creating WordPress Custom Permalinks.

Click on the BulletProof Security Upload/Download/Edit menu tab. You will see a BulletProof Security File Editing window with several menu tabs with the names of all of the .htaccess files that can be edited (read more about the BulletProof Security File Editing window). Click on the “Your Current Root htaccess File”. This is your actual currently active root .htaccess file for your website. If you don’t have an .htaccess file then you will not see any file contents – the window will display a message that you do not have an .htaccess file if one does not actually exist yet. If you choose to use the update permalinks method of automatically generating your correct RewriteBase and RewriteRule folder paths then this is the .htaccess file where WordPress will write to or create if none exists yet.

The first file you should edit is the secure.htaccess master file. Click on the secure.htaccess menu tab. You are now viewing the BulletProof Security Master secure.htaccess file that will become “Your Current Root htaccess File” once you have activated BulletProof Security Mode for your Root folder. Follow the modification examples below replacing the example folder name of “my-blog-folder” with your actual WordPress installation folder name (the folder where your WordPress installation is installed on your website).

This example is using “my-blog-folder” as the name of the example folder (subfolder) where WordPress is installed. If WordPress is installed in your website domain root folder then you will not be adding a folder name to the master htaccess files. If you are not using any of the plugins listed in the plugin fixes section of the secure.htaccess file then you don’t need to add the my-blog-folder name to them.

BulletProof Security Example: secure.htaccess file modifications

#   BULLETPROOF .45.8 >>>>>>> SECURE .HTACCESS
  # mod_rewrite needs FollowSymlinks (or SymLinksIfOwnerMatch) enabled for this directory.
  # Nearly all hosts enable it by default, so leave the line below commented out.
  # If you are getting HTTP Error 500 Internal Server errors and everything else checks out,
  # remove the # sign in front of Options +FollowSymlinks below. If the 500 errors persist, or
  # only start after you uncomment it, put the # sign back immediately: on hosts where
  # AllowOverride does not permit Options in .htaccess, the directive itself causes a 500 error.
  # Options +FollowSymlinks
  # These are some common Apache Directives to force PHP5 to be used instead of PHP4
  # Some web hosts have very specific directives - check with your web host first
  # Remove the pound sign in front of AddType x-mapp-php5 .php for 1&1 web hosting
  # AddType x-mapp-php5 .php
  # Other common possibilities depending on your web host - check with your web host first
  # AddHandler application/x-httpd-php5 .php
  # AddHandler cgi-php5 .php

  Options -Indexes

  # BEGIN WordPress

  RewriteEngine On
  RewriteBase /my-blog-folder/
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /my-blog-folder/index.php [L]

  # END WordPress

  # If you want to add a custom 403 Forbidden page for your website uncomment the
  # ErrorDocument line of code below and copy the ait-pro.com example forbidden
  # HTML page to your correct website folder. See the BPS Help and FaQ page for
  # detailed instructions on how to do this.
  # ErrorDocument 403 /forbidden.html

  # Plugin conflicts will be handled case by case
  # Leave the plugin fixes code intact just in case you install one of these plugins
  # at a later time. Thousands of lines of htaccess code can be read in milliseconds
  # so leaving the code intact does not slow down your website performance at all.
  # Thousands of plugins have been tested with BPS and the plugin conflict fixes
  # contained in this BPS master file are permanent fixes for conflicts found with
  # these plugins.

  # BuddyPress Logout Redirect fix - skip BPS Filters on Logout link Redirect
  # WordPress 3.0.4 or higher must be installed for this fix to work

  RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
  RewriteRule . - [S=30]

  # SFC Simple Facebook Connect Redirect Fix
  # Also fixes any other plugins that use the redirect_to= string
  RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
  RewriteRule . - [S=30]

  # Ozh' Admin Drop Down Menu Display Fix
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/ozh-admin-drop-down-menu/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/ozh-admin-drop-down-menu/ [NC]
  RewriteRule . - [S=30]

  # ComicPress Manager ComicPress Theme Image Fix
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/comicpress-manager/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/comicpress-manager/ [NC]
  RewriteRule . - [S=30]

  # TimThumb Thumbnail Images not displaying - Red X instead of Images
  # If your theme uses TimThumb and the file is called something else like thumb.php then change the filename below
  RewriteCond %{REQUEST_FILENAME} timthumb(.*) [NC]
  RewriteRule . - [S=30]

  # YAPB
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/yet-another-photoblog/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/yet-another-photoblog/ [NC]
  RewriteRule . - [S=30]

  # WordPress.com Stats Flash SWF Graph Does Not Load Fix
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/stats/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/stats/ [NC]
  RewriteRule . - [S=30]

  # podPress rewrite ?feed=podcast as /feed/podcast
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/podcast/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=podcast [NC]
  RewriteRule (.*) /my-blog-folder/feed/podcast/$1? [R=301,L]

  # podPress rewrite ?feed=enhancedpodcast as /feed/enhancedpodcast
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/enhancedpodcast/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=enhancedpodcast [NC]
  RewriteRule (.*) /my-blog-folder/feed/enhancedpodcast/$1? [R=301,L]

  # podPress rewrite ?feed=torrent as /feed/torrent
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/torrent/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=torrent [NC]
  RewriteRule (.*) /my-blog-folder/feed/torrent/$1? [R=301,L]

  # podPress rewrite ?feed=premium as /feed/premium
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/premium/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=premium [NC]
  RewriteRule (.*) /my-blog-folder/feed/premium/$1? [R=301,L]

  # FILTER REQUEST METHODS
  # HEAD is an ordinary HTTP method used by monitoring tools and link checkers; remove it from
  # the list below if those break after you activate BulletProof Mode.
  RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
  RewriteRule ^(.*)$ - [F,L]

  # QUERY STRING EXPLOITS
  RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
  RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
  RewriteCond %{QUERY_STRING} tag\= [NC,OR]
  RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
  RewriteCond %{QUERY_STRING} http\:  [NC,OR]
  RewriteCond %{QUERY_STRING} https\:  [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
  RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
  RewriteRule ^(.*)$ - [F,L]

  # Deny Access to wp-config.php, /wp-admin/install.php, all .htaccess files
  # php.ini, php5.ini and the WordPress readme.html installation file.
  # To allow only yourself access to these files add your IP address below
  # The <FilesMatch> wrapper around the Deny line was lost when this page was extracted and
  # is reconstructed here from the comment above. Never leave "Deny from all" outside the
  # wrapper: on its own it denies every request to the whole site.
  # (On Apache 2.4 the Deny/Allow syntax needs mod_access_compat; the native equivalent is
  # "Require all denied" plus "Require ip <your address>".)
  <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|readme\.html|\.htaccess)">
  Deny from all
  # Allow from 69.40.120.88
  </FilesMatch>

 

BulletProof Security Example: default.htaccess file modifications

This example is using “my-blog-folder” as the name of the example folder (subfolder) where WordPress is installed. If WordPress is installed in your website domain root folder then you will not be adding a folder name to the default.htaccess master file. The default.htaccess file is a generic .htaccess file and does not provide any website security. Its intended use is for testing or troubleshooting issues: you should never leave your website in Default Mode after you have completed testing or troubleshooting.

# BULLETPROOF .45.8 >>>>>>> DEFAULT .HTACCESS
  # WARNING THE default.htaccess FILE DOES NOT PROTECT YOUR WEBSITE AGAINST HACKERS
  # This is a standard generic htaccess file that does NOT provide any website security
  # The DEFAULT .HTACCESS file should only be used for testing purposes
  # mod_rewrite needs FollowSymlinks (or SymLinksIfOwnerMatch) enabled for this directory.
  # Nearly all hosts enable it by default, so leave the line below commented out.
  # If you are getting HTTP Error 500 Internal Server errors and everything else checks out,
  # remove the # sign in front of Options +FollowSymlinks below. If the 500 errors persist, or
  # only start after you uncomment it, put the # sign back immediately: on hosts where
  # AllowOverride does not permit Options in .htaccess, the directive itself causes a 500 error.
  # Options +FollowSymlinks

  # These are some common Apache Directives to force PHP5 to be used instead of PHP4
  # Some web hosts have very specific directives - check with your web host first
  # Remove the pound sign in front of AddType x-mapp-php5 .php for 1&1 web hosting
  # AddType x-mapp-php5 .php
  # Other common possibilities depending on your web host - check with your web host first
  # AddHandler application/x-httpd-php5 .php
  # AddHandler cgi-php5 .php

  Options -Indexes

  # BEGIN WordPress

  RewriteEngine On
  RewriteBase /my-blog-folder/
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /my-blog-folder/index.php [L]

  # END WordPress

BulletProof Security Example: maintenance.htaccess file modifications

As of BPS .46.1 Maintenance Mode is AutoMagic. View the new Maintenance Mode page. You can still also manually edit the maintenance.htaccess file.

The maintenance.htaccess file looks a bit different from the other 2 files, but the same principle applies.

This example is using “my-blog-folder” as the name of the example folder (subfolder) where WordPress is installed. If WordPress is installed in your website domain root folder then you will not be adding a folder name to the maintenance.htaccess master file.

#   BULLETPROOF .45.8 MAINTENANCE  .HTACCESS
  # mod_rewrite needs FollowSymlinks (or SymLinksIfOwnerMatch) enabled for this directory.
  # Nearly all hosts enable it by default, so leave the line below commented out.
  # If you are getting HTTP Error 500 Internal Server errors and everything else checks out,
  # remove the # sign in front of Options +FollowSymlinks below. If the 500 errors persist, or
  # only start after you uncomment it, put the # sign back immediately: on hosts where
  # AllowOverride does not permit Options in .htaccess, the directive itself causes a 500 error.
  # Options +FollowSymlinks
  # These are some common Apache Directives to force PHP5 to be used instead of PHP4
  # Some web hosts have very specific directives - check with your web host first
  # Remove the pound sign in front of AddType x-mapp-php5 .php for 1&1 web hosting
  # AddType x-mapp-php5 .php
  # Other common possibilities depending on your web host - check with your web host first
  # AddHandler application/x-httpd-php5 .php
  # AddHandler cgi-php5 .php

  Options -Indexes

  RewriteEngine On
  RewriteBase /my-blog-folder/

  # FILTER REQUEST METHODS
  RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
  RewriteRule ^(.*)$ - [F,L]

  # QUERY STRING EXPLOITS
  RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
  RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
  RewriteCond %{QUERY_STRING} tag\= [NC,OR]
  RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
  RewriteCond %{QUERY_STRING} http\:  [NC,OR]
  RewriteCond %{QUERY_STRING} https\:  [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
  RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
  RewriteRule ^(.*)$ - [F,L]

  # Remove the pound sign to make a condition active
  # Add a pound sign to comment a condition out.
  # Adding your IP address to the line below will display the website
  # under maintenance page to ONLY you. For Testing purposes only.
  # RewriteCond %{REMOTE_ADDR} ^75\.88\.99\.33$
  # Adding your IP address to the line below will display the website
  # under maintenance page to everyone else except you.
  # Add your Public IP address to the line directly below.
  RewriteCond %{REMOTE_ADDR} !^75\.40\.48\.207$

  # RewriteCond sends all visitors to /bp-maintenance.php Website Under Maintenance page
  # and displays the abstract-blue.png background image except for you if you entered
  # your IP address above.
  RewriteCond %{REQUEST_URI} !^/my-blog-folder/bp-maintenance\.php$
  RewriteCond %{REQUEST_URI} !^/my-blog-folder/wp-content/plugins/bulletproof-security/abstract-blue-bg\.png$

  # No matter what file was requested serve bp-maintenance.php ONLY.
  RewriteRule ^(.*)$ /my-blog-folder/bp-maintenance.php [L]

  # If your IP address was entered above bp-maintenance.php is bypassed
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /my-blog-folder/index.php [L]

 

BulletProof Security – Maintenance Mode – Adding Your IP Address To The maintenance.htaccess Master File

BulletProof Security Maintenance Mode has AutoMagic mode in addition to manual control mode as of .46.1. View the new Maintenance Mode help page.

The information below still applies if you are manually entering in your IP Address instead of using AutoMagic.

Adding your IP address to the maintenance.htaccess master file allows ONLY you to view your website while a “Website Under Maintenance” message is displayed to all other visitors. Click on the BulletProof Security Upload/Download/Edit menu tab. You will see a BulletProof Security File Editing window with several menu tabs named for the .htaccess files that can be edited (read more about the BulletProof Security File Editing window). Click on the maintenance.htaccess tab. Add your current public IP address, as shown on the BulletProof Security Maintenance Mode page, to the RewriteCond %{REMOTE_ADDR} line shown below, keeping the backslashes in front of the dots (they make the dots literal in the regular expression). Note that REMOTE_ADDR is the address Apache sees the connection coming from; if your site sits behind a reverse proxy or CDN that will be the proxy's address rather than yours, and the exemption will not match. You can now activate Maintenance Mode and view your website while all other visitors see the Website Under Maintenance page. If you activated Maintenance Mode before making these IP address edits you will need to reactivate it so that the newly modified master maintenance.htaccess file is copied to the root folder.

This example only shows the bottom section of the maintenance.htaccess file, where you add your IP address to the RewriteCond %{REMOTE_ADDR} line. It shows .htaccess code for a WordPress installation in the root website folder; if your WordPress installation is in a subfolder you would of course see the subfolder name that you added.

BulletProof Security Example: maintenance.htaccess file – Adding Your Public IP Address

# Remove the pound sign to make a condition active
  # Add a pound sign to comment a condition out.
  # Adding your IP address to the line below will display the website
  # under maintenance page to ONLY you. For Testing purposes only.
  # RewriteCond %{REMOTE_ADDR} ^75\.88\.99\.33$
  # Adding your IP address to the line below will display the website
  # under maintenance page to everyone else except you.
  # Add your Public IP address to the line directly below.
  RewriteCond %{REMOTE_ADDR} !^75\.40\.48\.207$

  # RewriteCond sends all visitors to /bp-maintenance.php Website Under Maintenance page
  # and displays the abstract-blue.png background image except for you if you entered
  # your IP address above.
  RewriteCond %{REQUEST_URI} !^/bp-maintenance\.php$
  RewriteCond %{REQUEST_URI} !^/wp-content/plugins/bulletproof-security/abstract-blue-bg\.png$

  # No matter what file was requested serve bp-maintenance.php ONLY.
  RewriteRule ^(.*)$ /bp-maintenance.php [L]

  # If your IP address was entered above bp-maintenance.php is bypassed
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]

 

BulletProof Security – Advanced Coding Modifications Instructions

Pending update: A couple of people have requested information about modifying and customizing the “Activated BulletProof Security .htaccess Files” text. Here is that information:

Customizing BulletProof Security so that the Master .htaccess files display a new customized var_dump text string (in layman's terms, changing the message that is displayed under Activated BulletProof Security .htaccess Files)

The .htaccess file that is activated in your root folder is:

string(45) " BULLETPROOF .45.5 >>>>>>> SECURE .HTACCESS "

√ wp-config.php is .htaccess protected by BPS

√ php.ini and php5.ini are .htaccess protected by BPS

The .htaccess file that is activated in your /wp-admin folder is:

string(45) " BULLETPROOF .45.5 WP-ADMIN SECURE .HTACCESS "

The file is functions.php > code lines 109-136: The functions.php file is located here > /wp-content/plugins/bulletproof-security/includes/functions.php

The if ($check_string ...) line in the code below is what you need to modify to match any new text that you put in the first line of the BulletProof Security master .htaccess files. strpos looks in the 45 characters read from the active .htaccess file for the first character “5”, and the check expects it at string position 15 (that is the “5” of “.45” in “# BULLETPROOF .45.5…”, counting from the 3rd character of the file), or at position 17 if W3 Total Cache has written its own header above the BPS one. If the position matches you will see no errors; if it does not, you will see warning or error messages. So whatever changes you make to the first line of the master .htaccess files must keep that “5” where functions.php expects it. The code shown below is for visual demonstration purposes and is not 100% identical to the code contained in functions.php.

// Get Root .htaccess content - read 45 characters of the current root .htaccess file starting from the 3rd character
// and display the string dump - also checks that the single character "5" in ".45.5" sits at string position 15
// (17 with W3 Total Cache) to validate the version of the BPS .htaccess file and the wp-config.php status
function root_htaccess_status() {
	$filename = '.htaccess';
	if ( !file_exists(ABSPATH . $filename)) {
		_e('NO .htaccess was found in your root folder');
		_e('wp-config.php is NOT .htaccess protected by BPS');
	} else {
		if (file_exists(ABSPATH . $filename)) {
			// offset 3, maximum length 45
			$section = file_get_contents(ABSPATH . $filename, false, null, 3, 45);
			_e('The .htaccess file that is activated in your root folder is:');
			var_dump($section);
			// strpos() returns the position of the first "5", or false if there is none
			$check_string = strpos($section, "5");
			// Compare against each position explicitly. Writing ($check_string == "15"||"17") is a bug:
			// the right-hand side "17" is a non-empty string, so the whole expression is always true.
			// If you modify the BPS .htaccess files this string position must match for valid status checks.
			if ($check_string === 15 || $check_string === 17) {
				$wpconfig_status = '√ wp-config.php is .htaccess protected by BPS
√ php.ini and php5.ini are .htaccess protected by BPS';
				_e('' . $wpconfig_status . '');
			} else {
				_e('A BPS .htaccess file was NOT found in your root folder or the BPS .htaccess file that you are currently using does NOT include .htaccess protection for wp-config.php. Please read the Read Me hover Tooltip before activating a newer version of a BPS website root folder .htaccess file.');
				_e('wp-config.php is NOT .htaccess protected by BPS');
			}
		}
	}
}

BulletProof Security – Modifications to BulletProof Security .45.8 – .45.2 if you want to use PHP4 instead of PHP5 – Modifying BulletProof Security .45.8 to work for PHP 4

*** PHP5 is required as of BulletProof Security version .46 ***

BulletProof Security .45.8 – .45.2 will work if you are using PHP 4 instead of PHP 5, after a couple of coding modifications. You will not be able to see your PHP Memory Usage or PHP Memory Limit, and the BulletProof Security Status – Activated BulletProof Security .htaccess Files window will display the entire dump of your .htaccess files instead of the first line, but BulletProof Security otherwise functions correctly. I recommend, of course, that you switch to PHP 5. PHP 4 is just about to be retired.

Go to your main Plugins Options page, click on the Edit link under BulletProof Security.

Click on /bulletproof-security/admin/options.php in the Plugin Editor.

Scroll down a little over half the page.

Make the modification shown in this code: you are adding two forward slashes // in front of echo to comment that statement out. Save your changes by clicking the Update File button. You can of course also download the options.php file, modify it and upload it back to your website.

<?php // echo round(memory_get_usage() / 1024 / 1024, 2) . __(' MB'); ?>

Now open /bulletproof-security/includes/functions.php in the Plugin Editor.

Scroll down around a 3rd of the way down the page.

Make the modifications shown in this code (the file_get_contents() arguments you are deleting are marked in the comments):

// Get Root .htaccess content - PHP 4 version. PHP 4 has no offset/maxlen arguments for file_get_contents()
// (they were added in PHP 5.1), so the whole .htaccess file is read and dumped instead of 45 characters
// starting from the 3rd character. In the file_get_contents() call below you will be deleting >>>  , NULL, NULL, 3, 45
function root_htaccess_status() {
$filename = '.htaccess';
if ( !file_exists(ABSPATH . $filename)) {
_e('NO .htaccess was found in your root folder');
_e('wp-config.php is NOT .htaccess protected by BPS');
} else {
if (file_exists(ABSPATH . $filename)) {
$section = file_get_contents(ABSPATH . $filename); // was: file_get_contents(ABSPATH . $filename, NULL, NULL, 3, 45)
_e('The .htaccess file that is activated in your root folder is:');
var_dump($section);
$check_string = strpos($section, "5");
if ($check_string == "15") { // if you modify BPS .htaccess files this str pos must match for valid status checks
$wpconfig_status = '&radic; wp-config.php is .htaccess protected by BPS';
_e('' . $wpconfig_status . '');
} else {
_e('A BPS .htaccess file was NOT found in your root folder or the BPS .htaccess file that you are currently using does NOT include .htaccess protection for wp-config.php. Please read the Read Me hover Tooltip before activating a newer version of a BPS website root folder .htaccess file.');
_e('wp-config.php is NOT .htaccess protected by BPS');
}
}
}
}

and modify this function as well:

// Get wp-admin .htaccess content - PHP 4 version: read the whole wp-admin .htaccess file instead of
// 45 characters starting from the 3rd character.
// In the file_get_contents() call below you will be deleting >>>  , NULL, NULL, 3, 45
function wpadmin_htaccess_status() {
$filename = 'wp-admin/.htaccess';
if (file_exists(ABSPATH . $filename)) {
$section = file_get_contents(ABSPATH . $filename); // was: file_get_contents(ABSPATH . $filename, NULL, NULL, 3, 45)
_e('The .htaccess file that is activated in your /wp-admin folder is:');
var_dump($section);
} else {
_e('NO .htaccess file was found in your /wp-admin folder');
}
}

BulletProof Security .45.8 – .45.2 should now work fine for you if you are using PHP 4 instead of PHP 5.

BulletProof Security – Common Issues and Problems

New BulletProof Security Plugin Compatibility testing page has been added. Check the BulletProof Security Plugin Compatibility List to see if your plugin issue is listed in testing or has been resolved.

*** PHP5 is required as of BulletProof Security version .46 ***
*** If you activate BulletProof Security Mode for your Root folder you MUST also activate BulletProof Security Mode for your /wp-admin folder and vice versa. The BulletProof Security htaccess files are designed to be used together ***

*** Also check the new BulletProof Security Error, Warning, Heads Up Display (HUD) Messages page added as of BPS .46.1 ***

The most common problem is web hosts that still use PHP4 instead of PHP5 to process WordPress PHP scripts. PHP4 is close to being phased out altogether. BulletProof Security can be modified to work with PHP4 if you are willing to sacrifice several features, but I recommend using PHP5. A diagnostic check on the BulletProof Security System Info page tells you whether PHP5 or PHP4 is running on your WordPress website: look under PHP Info > PHP Version for the version of PHP that is currently processing your WordPress PHP files. Even if your web host states that PHP5 is the default standard, an older website domain may still be using PHP4; I have seen this in several cases on several different web hosts. If you see that the PHP version is 4, do a Google search for your web host name plus "PHP5" to find the correct Apache directives to add to the master .htaccess files. The BulletProof Security master .htaccess files include some of the most common Apache PHP directives, commented out (they serve more as examples than as solutions for your specific web host), so you will have to uncomment the directive that applies to your web host, or add it yourself if it is not in the master .htaccess files. Check your web host's help files first before uncommenting (removing the # pound sign in front of) any of the Apache PHP directives or adding any Apache directives to the master .htaccess files.

Media Temple Directives (the Apache directives in the .htaccess master files are outdated)

Media Temple has recently updated their policies and procedures on activating PHP5 on your web host account (as of 10-18-2010). See this Media Temple link for the latest PHP5 instructions. >>> Media Temple PHP5 instructions

GoDaddy Directives for Older Accounts (if you just want to use PHP5 then you only need to add the top directive. If you want to run both PHP4 and PHP5 use both directives)

AddHandler x-httpd-php5 .php
AddHandler x-httpd-php .php4

GoDaddy Directives for Grid Hosting Accounts (if you just want to use PHP5 then you only need to add the top directive. If you want to run both PHP4 and PHP5 use both directives)

AddHandler x-httpd-php5-cgi .php
AddHandler x-httpd-php-cgi .php4

Widget Settings Not Working (unable to drag and drop widgets) – Unable To Access Settings and Options Pages For Other Plugins

If you cannot drag and drop widgets, or you are unable to access the settings and options pages of other plugins, then you have not yet activated BulletProof Mode for the wp-admin folder.

Images not Displaying – Thumbnail Images not Displaying – Red X

This .htaccess fix is included in the secure.htaccess file as of BulletProof Security .45.8. Please see the BulletProof Security Plugin Fixes page.

As a general rule, if a particular plugin conflicts with the BulletProof Security .htaccess rules, a simple .htaccess skip rule that bypasses the BulletProof Security filters for that plugin is usually all that is needed. You can make these edits with the built-in BulletProof Security File Editor from within your WP Dashboard. A skip rule works through the [S=30] flag: when its RewriteCond matches, mod_rewrite skips the next 30 RewriteRules, which is enough to jump past the request method and query string filters that follow it in secure.htaccess. Keep skip rules above the filters and do not insert other RewriteRules between a skip rule and the filters without adjusting the count, or the skip will stop short of them. The logic is that a plugin may have coding in it that triggers the BulletProof Security filters to block something that BulletProof Security has determined as “not safe”. Skipping the filters only for requests that match that plugin's folder (or its query string) leaves every other request filtered; for the skipped requests the plugin's own input handling is the only protection, so the exposure is limited to whatever that plugin itself does. Most plugins perform a particular task and do not affect your website site-wide, so they would not have the capability of compromising your entire website security to begin with.
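The following Python script is an added illustration of the QUERY STRING EXPLOITS filters from the secure.htaccess listing above and of the redirect_to skip rule discussed here; it is not part of this guide or of the BPS plugin. It transcribes the RewriteCond patterns from the listing (the rule labels, function names and sample query strings are this example's own inventions) and runs constructed query strings through them the way Apache would: RewriteCond does an unanchored, case-insensitive ([NC]) search against the raw, undecoded query string, which is what Python's re.search does here. It shows why skip rules are needed (a plain http: in a redirect_to= value trips the filters), which ordinary WordPress query strings the keyword list blocks by accident, and what a skip rule costs: because [S=30] jumps over the filters for the whole request, a query string containing redirect_to= is never filtered at all, as the rule is written.

```python
"""Offline simulator for the BPS .45.8 QUERY STRING EXPLOITS filters and the redirect_to skip rule.
Added example; patterns are copied from the secure.htaccess listing, labels and samples are invented."""
import re

NC = re.IGNORECASE  # Apache's [NC] flag

# One entry per RewriteCond in the QUERY STRING EXPLOITS block, in the original order.
# The GLOBALS and _REQUEST lines carry no [NC] in the original, so they stay case-sensitive.
QUERY_STRING_FILTERS = [
    ("dir-traversal", r"\.\./", NC),
    ("boot.ini",      r"boot\.ini", NC),
    ("tag=",          r"tag=", NC),
    ("ftp:",          r"ftp:", NC),
    ("http:",         r"http:", NC),
    ("https:",        r"https:", NC),
    ("script-tag",    r"(<|%3C).*script.*(>|%3E)", NC),
    ("iframe-tag",    r"(<|%3C).*iframe.*(>|%3E)", NC),
    ("mosConfig",     r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", NC),
    ("base64_encode", r"base64_encode.*\(.*\)", NC),
    ("GLOBALS",       r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", 0),
    ("_REQUEST",      r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", 0),
    ("cPath",         r"^(.*)cPath=http://(.*)$", NC),
    ("/self/",        r"^(.*)/self/(.*)$", NC),
    ("brackets",      r"^.*(\[|\]|\(|\)|<|>).*", NC),
    ("globals-words", r"^.*(globals|encode|localhost|loopback).*", NC),
    ("sql-words",     r"^.*(execute|exec|sp_executesql|request|select|insert|union|declare"
                      r"|drop|delete|create|alter|update|order|char|set|cast|convert|meta"
                      r"|script|truncate).*", NC),
]

# Skip rules that sit above the filters: "RewriteCond ... / RewriteRule . - [S=30]".
# When the condition matches, mod_rewrite skips the next 30 RewriteRules, i.e. the filters.
SKIP_RULES = [
    ("buddypress-logout", r"action=logout&redirect_to=http%3A%2F%2F(.*)", NC),
    ("redirect_to",       r"redirect_to=(.*)", NC),
]


def matched_filters(query_string):
    """Labels of every QUERY STRING EXPLOITS condition the raw query string satisfies."""
    return [label for label, pattern, flags in QUERY_STRING_FILTERS
            if re.search(pattern, query_string, flags)]


def matched_skips(query_string):
    """Labels of the skip rules whose RewriteCond the raw query string satisfies."""
    return [label for label, pattern, flags in SKIP_RULES
            if re.search(pattern, query_string, flags)]


def decide(query_string):
    """What mod_rewrite does with this query string:
    ('skipped', skip_labels)   - a skip rule matched, [S=30] jumped over the filters, request goes on
    ('blocked', filter_labels) - a filter matched, RewriteRule ^(.*)$ - [F,L] answers 403
    ('allowed', [])            - nothing matched"""
    skips = matched_skips(query_string)
    if skips:
        return ("skipped", skips)
    filters = matched_filters(query_string)
    if filters:
        return ("blocked", filters)
    return ("allowed", [])


if __name__ == "__main__":
    # Constructed sample query strings (not taken from any real log).
    samples = [
        "p=123",
        "s=border",                                 # harmless search; "order" is a substring
        "feed=rss2&offset=10",                      # "set" inside "offset"
        "tag=wordpress",                            # default-permalink tag archive
        "globals=1",                                # lowercase: only the [NC] word list catches it
        "file=../../../etc/passwd",
        "s=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
        "redirect_to=http://example.com/wp-admin/",  # would be blocked by "http:" without the skip
        "redirect_to=x&file=../../../etc/passwd",    # the skip covers the whole request
    ]
    for qs in samples:
        verdict, hits = decide(qs)
        print(f"{verdict:8} {qs:45} {hits}")
```

Running the script prints one verdict per sample. The "blocked" verdicts for s=border and feed=rss2&offset=10 are the kind of false positive that shows up as a 403 on an ordinary page, and the last two samples show the skip rule in both its intended and its unintended effect.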

W3 Total Cache .htaccess Issue

Since W3 Total Cache writes .htaccess code to the root .htaccess file then you may need to redeploy W3 Total Cache when installing or activating new BulletProof Security Modes. Simply just redeploying W3 Total Cache writes new .htaccess code to your current root .htaccess file or you can use the BulletProof Security built-in File Editor if you want to manually copy and paste the W3 Total Cache .htaccess code to the root .htaccess file.

BulletProof Security – WordPress Multisite MU .htaccess Code Modifications

This serves as a general example of WordPress MU .htaccess code and may not be 100% code accurate to the current MU .htaccess code that you have for your website.

BulletProof Security works fine with WordPress Multisite installations or WordPress MU. Using the built-in BulletProof Security File Editor you will need to copy and paste your existing MU .htaccess code to the secure.htaccess file. IMPORTANT! Copy and paste your MU code shown below (it will look identical or very similar) to right after the QUERY STRING EXPLOITS section of code and before the FilesMatch section of code at the bottom of the secure.htaccess file. You will then need to delete the existing section of .htaccess code in the secure.htaccess file that starts with # BEGIN WordPress and ends with # END WordPress. For the default.htaccess master file you would just replace (overwrite) the section of code that begins with # BEGIN WordPress and ends with # END WordPress if you ever plan on activating Default Mode for any reason. Your WPMU .htaccess code may look slightly different or you may have customized your MU .htaccess code for your particular website setup. See this WordPress Codex for WordPress MU for more information on setting up and creating MU Network sites.

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
# END WordPress

The above MU .htaccess method of adding the MU .htaccess code after the BulletProof Security filters was contributed by Scott, as was the following information on “Activate” versus “Network Activate” for a MU setup.

“…for a subdomain install. I did just a normal Activate (not Network Activate) which seemed appropriate since there is only one root (and one root .htaccess). I verified (after making the change I mentioned above) that both the main blog and another subdomain blog were protected against your example search hack. I don’t think a subfolder MU setup would be any different, but haven’t verified that….”
- Scott

My sincere thanks and appreciation go out to Scott for his contributions to the BulletProof Security project.
- Ed

BulletProof Security – Quick Security Tests for BulletProof Security

Quick tests to make absolutely sure that the security filters are working correctly in BulletProof Security. If you install a plugin that writes to your .htaccess files it is always a good idea to do a quick security test to make sure that BulletProof Security is still protecting your website.

FilesMatch .htaccess BulletProof Security Protection Tests

On the BulletProof Security Status page you will see that readme.html and install.php are protected if you have BulletProof Modes activated. To double check that the WordPress readme.html and /wp-admin/install.php files are protected, type your website URL into your browser’s address bar and try to view the readme.html and install.php files directly. You should see either a 404 or 403 error depending on how your website error handling is set up. Examples: http://www.ait-pro.com/aitpro-blog/readme.html and http://www.ait-pro.com/aitpro-blog/wp-admin/install.php. This is also a good way to check whether your custom 403 Forbidden page is set up correctly if you choose to add that in your root .htaccess file.

If you put your website in Default Mode to perform testing below be sure to put your website back in BulletProof Mode after you have performed any tests.

NOTE: If you do not have a page designated as your Forbidden page or 404 page for your website the SQL filter test will not send you to your Forbidden page or 404 page because you do not have one. What will happen is that the search is halted and you will see this in the top URL Address window http://www.your-website-domain.com/?s=union if trying to test the word “union”. Your website is still protected if you see this instead of a Forbidden page or 404 page. You can add a designated Forbidden page very easily by adding only one line of code to the secure.htaccess file – see below. Adding a designated custom Forbidden page will be a standard option in the next release of BulletProof Security.

Adding a Custom 403 Forbidden Page – ErrorDocument 403 htaccess Code Examples

BulletProof Security – SQL Injection hacking tests – MySQL Injection hacking tests

Enter any of these BulletProof Security blocked / filtered commands used in SQL Injection hacking attempts into your website search window:

Union
Select
Request
Insert
Declare
Drop

For this demonstration I am using the default GoDaddy web page that is used as the Forbidden page that visitors are redirected to if an “illegal” search or command is executed. You can of course create your own custom Forbidden page to redirect visitors to. Keep in mind that innocent mistakes do happen so you want to design your custom Forbidden page for both innocent mistakes and hackers. You could just redirect to your default 404 page.

With BulletProof Security BulletProof Mode enabled – I typed in “union” (with or without quotes – both are blocked) in the search window on my website. The result:

GoDaddy Generic Forbidden Page

With BulletProof Security Default Mode enabled (BulletProof Mode disabled) – I typed in “union” in the search window on my website. The result:

Website is Vulnerable to SQL Injection attack

So what does this mean – My website is vulnerable to SQL Injection attack attempts in Default Mode (BulletProof Mode disabled). Yeah I know the formatting is ugly – it’s on my list of CSS things to do. ;)

Live Demo – Browser Exploit SQL Injection vulnerability on a PostNuke Module. This is an ancient SQL Injection vulnerability and has since been corrected. This merely serves as a demo that shows that the BulletProof Security filters do not allow “union” or “select” in an attempt to perform an SQL Injection browser exploit on the AIT-pro.com website. Click the link below for testing and you will be sent to the AIT-pro.com Forbidden page. To test your website replace the URL with your website URL.

AITpro Security Test

BulletProof Security – XSS (Cross Site Scripting) Hacking Attempt Test

Copy the URL link shown below to your browser’s Address bar (aka location bar or URL bar). Edit the URL link and add your website URL in place of “enter-your-website-url-here” to test it on your website. This is a simple common XSS cookie stealer script. The important thing to note is that BulletProof filters out and disallows URL javascript code insertion script execution and immediately redirects you, a would-be hacker or an automated bot program, to a Forbidden page or 404 page – the script will not and cannot be executed against your website when BulletProof Security Mode is enabled.

NOTE: If you do not have a page designated as your Forbidden page or 404 page for your website the XSS test will not send you to your Forbidden page or 404 page because you do not have one. What will happen is that the XSS script tags are removed from the URL making it completely ineffective and invalid or in other words completely harmless. Your website is still protected if you see this instead of a Forbidden page or 404 page. You can add a designated 404 or Forbidden page from web host control panel or you can do this via the BulletProof Security secure.htaccess file – see the link below to create a forbidden page for your website that is controlled by the ErrorDocument 403 htaccess directive.

Adding a Custom 403 Forbidden Page – ErrorDocument 403 htaccess Code Examples

Caution! This code is very volatile. For this reason the XSS testing code has been made into a GIF image file so that the code is harmless. Click the image file below to view the code. You will need to type out the code in the image file in your browser’s URL address window in order to test it.

XSS Website Security Testing Script - GIF Image File

This website >>> Cross Site Scripting (XSS) FAQ >>> explains XSS attacks in very easy to understand layman’s terms.

BulletProof Security – Extra Website Security Protection Against SQL Injection Attack

As of BulletProof Security .45.7 the SQL Injection filter includes additional SQL words / syntax that block more words associated with SQL commands from being searchable in your site search window. Individual SQL words can be removed / edited out using the built-in BulletProof Security File Editor, but the better approach is to make your website search feature not see these certain SQL command words. Example: Exclude particular words from being searchable with your particular site search feature. This is an issue that I plan to look at in the near future.

The full list of SQL syntax / words that are filtered from being searchable using your search window on your website are:

request insert
delete union
declare drop
create alter
update order
select cast
execute convert
exec meta
sp_executesql script
char truncate
set

As you can see there are a few words that you may want to still be searchable like “order” and “update”. You can of course manually choose what SQL syntax you are willing to allow through the BulletProof Security filters. Use the BulletProof Security File Editor to edit your .htaccess files from within the WordPress Dashboard. Another option is to use one of the Google Custom Search WordPress plugins or get the Google Custom Search engine directly from Google instead of using the built-in WordPress Search feature. Or you could install an Advanced Search feature that allows you to exclude / include certain words as well as make comments searchable.

Previous BulletProof Security versions filtered these SQL commands:

RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]

BulletProof Security .45.7 now filters these SQL commands:

RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]


252 Responses to “BulletProof Security Free Version Plugin Guide – BPS Version .47.1 – .45.5”


  1. Bryan says:

    I am getting the error below when I try to activate the plugin:

    Warning: mkdir() [function.mkdir]: Permission denied in /home/callfort/public_html/wp-content/plugins/bulletproof-security/admin/includes/admin.php on line 25

    Warning: Cannot modify header information – headers already sent by (output started at /home/callfort/public_html/wp-content/plugins/bulletproof-security/admin/includes/admin.php:25) in /home/callfort/public_html/wp-includes/functions.php on line 851

    Warning: Cannot modify header information – headers already sent by (output started at /home/callfort/public_html/wp-content/plugins/bulletproof-security/admin/includes/admin.php:25) in /home/callfort/public_html/wp-includes/functions.php on line 852

    What should I do?

    • AITpro Admin says:

      When you activate BPS it automatically tries to create this folder /wp-content/bps-backup. It appears that your folder permissions are set too restrictively to create this folder. mkdir is the command to create a folder or Make a Directory. Change the folder permissions via FTP for the /wp-content folder to 755, which is the standard permissions for that WordPress folder. Then try to activate BPS again. Thanks.
      Ed

      PS what’s up with the iframe redirect???

  2. Trevor says:

    I just upgraded a site to .46 and now get a 500 Internal Server Error. Am I right if I delete the plugin that everything will still be set and it won’t solve the 500 Internal Server Error?

    What can I do?

    • AITpro Admin says:

      Hi Trevor,
      Just installing BPS will not cause a 500 error. Activating BulletProof Mode will cause a 500 error if something is incorrect with your website settings or if the BPS htaccess file is not set up correctly. Installing and uninstalling the BPS plugin does not affect your website in any way. The .htaccess file in your root folder is the only thing that is changed when you activate BulletProof Mode. You will need to FTP to the site, download the root .htaccess file and make any necessary corrections. If you don’t see an .htaccess file in the root folder then that is why you are getting the 500 error. Or you can upload the default.htaccess file to the root folder just to get the site up, then you can update your custom permalink structure to get things going again and then activate BulletProof mode after you check what WordPress has added to Your Current Root htaccess file and copy and paste it to the secure.htaccess file and then activate BPS root mode.

  3. Scott Carter says:

    Hi Ed,

    I just updated and tried out the latest version .46 of the plugin. I had a few comments:

    Thanks for adding support for Peter’s Custom Anti-Spam Image Plugin, but this isn’t working for me. I think the problem is that the folks at premium.wpmudev.org are bundling it and putting it in a different directory. This isn’t really your problem, so I will take it up with them.

    Have you considered adding protection for bb-config.php, in addition to wp-config.php? This is used by BBPress, which is bundled with BuddyPress. This file has the same database connection information as wp-config.php.

    I noted that your new version of secure.htaccess has a couple lines commented out:
    # RewriteCond %{QUERY_STRING} feed=podcast [NC]
    # RewriteRule (.*) /feed/podcast/$1? [R=301,L]

    Is this on purpose?

    Thanks,

    Scott

    • AITpro Admin says:

      On Peter’s… Ok yep I got it working on my standard WordPress testing site so it works, but if you have other more complex setups then yeah you will have to adjust your htaccess code to match. ;)

      on bb-config.php protection… Awesome Hot Tip!!! I will add that to the FilesMatch section and release it as a standard in the next BPS release.

      On the podpress fix…. Yep that is a boo boo on my part. I was doing testing and forgot to uncomment those code lines. Only people using podpress would be affected by this, but I will add that heads up info on the Plugin Testing and Compatibility page and will have this corrected shortly.

      Actually I found a typo in my readme.txt plugin file so I need to update the latest upload of BPS, so I will correct the podpress issue in that update. That means that anyone who installs or reinstalls BPS will have these corrections.

      Thanks for all your awesome feedback and your eagle eye!
      Regards,
      Ed

      *** UPDATE ***
      bb-config.php has been added to FilesMatch in the secure.htaccess file
      podpress commented out lines have been corrected in the secure.htaccess file
      readme.txt typo corrected
      updated files were uploaded at 12:34 PM PST and will be available in the plugin repository by 1:00 PM PST

  4. Scott Carter says:

    Hi Ed,

    I’d like to suggest an improvement to your filters for QUERY_STRING keywords.

    I ran into a problem at my site where I was using Peter’s Custom Anti-Spam Image Plugin for WordPress. http://www.theblog.ca/anti-spam

    It generates images with a URL such as:
    wp-content/mu-plugins/custom_anti_spam.php?antiselect=8

    This triggers the condition in your filters:

    RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]

    matching "|select"

    This could be fixed by making sure that the keyword in the filter is found by itself, and not as a subset of a larger word.

    Couple ways to fix this:
    RewriteCond %{QUERY_STRING} (^|&)(execute|exec|...)(=|$) [NC]

    or

    RewriteCond %{QUERY_STRING} (^|[^a-z0-9_-])(execute|exec|...)([^a-z0-9_-]|$) [NC]

    In the first case, we look for start of query expression or “&”, followed by one of the keywords, followed by “=” or end of query expression (in order to provide a match).

    In the second case, we are a little less exact by saying that the keyword must be bounded by a character not in the set (or start/end of expression) in order to match.

    Either may be fine, though the first case may be more precise?

    In the first case though, should the tail include both “&” and “=”?
    i.e. … ([=&]|$) [NC]

    Scott

    • AITpro Admin says:

      Hi Scott,
      Yep very nice. I made a decision regarding plugin fixes to do them case by case instead of modifying the main filters for a number of future growth reasons. Not sure if an htaccess skip rule will work for this plugin, but I will test that. Thanks.

      *** UPDATE ****
      Once again thanks for your excellent suggestion. If there were only a finite number of variables (plugins that currently exist and plugins that will exist in the future) then I would modify the filters, but like I said I am trying to avoid that because of potential future growth problems. I tested this plugin and I really like it. I will most likely be adding this plugin to my sites. Yep a simple htaccess skip works for this plugin. The image is displayed and all other functions work perfectly.

      # Peters Custom Anti-Spam Image fix
      # If you have WordPress installed in a subfolder you will need to add the
      # subfolder name to the RewriteCond /blog/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
      RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
      RewriteRule . - [S=30]
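
The substring false positive Scott describes in the comment above (antiselect=8 matching select) and his two word-boundary rewrites, run side by side against the shipped .45.7 filter from the guide. This is an added example, not code from the plugin or from Scott: it uses Python's re module as a stand-in for the PCRE engine behind RewriteCond (the patterns only use syntax the two share, and re.IGNORECASE plays the role of [NC]); the sample query strings other than s=union and antiselect=8 are constructed.

```python
import re

# Added example, not BPS code. Python's re module stands in for the PCRE engine
# behind Apache's RewriteCond; re.IGNORECASE plays the role of the [NC] flag.

# Keyword alternation from the .45.7 secure.htaccess filter quoted in the guide.
SQL_WORDS = ("execute|exec|sp_executesql|request|select|insert|union|declare|drop|"
             "delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate")

FILTERS = {
    # Shipped filter: ^.*(...).* is a plain substring match anywhere in the query string,
    # so "antiselect=8" is caught because it contains "select".
    "substring": re.compile(r"^.*(" + SQL_WORDS + r").*", re.IGNORECASE),
    # Scott's first suggestion: the keyword must be a whole parameter *name*
    # (start-of-string or '&' before it, '=' or end-of-string after it).
    "param-name": re.compile(r"(^|&)(" + SQL_WORDS + r")(=|$)", re.IGNORECASE),
    # Scott's second suggestion: the keyword may not be part of a longer token
    # (bounded on both sides by a character outside [a-z0-9_-], or start/end).
    "bounded": re.compile(r"(^|[^a-z0-9_-])(" + SQL_WORDS + r")([^a-z0-9_-]|$)",
                          re.IGNORECASE),
}


def is_blocked(filter_name, query_string):
    """True when the named filter's RewriteCond would match the raw QUERY_STRING."""
    return FILTERS[filter_name].search(query_string) is not None


def evaluate(query_strings):
    """Map each query string to the set of filter names that would block it."""
    return {qs: {name for name in FILTERS if is_blocked(name, qs)}
            for qs in query_strings}


# Sample query strings. The first two come from the page; the rest are constructed.
SAMPLES = [
    "s=union",            # the guide's own search test
    "antiselect=8",       # Peter's Custom Anti-Spam Image URL from Scott's comment
    "s=union+select+1",   # constructed: multi-word search, '+' is the encoded space
    "sort=order_date",    # constructed: legitimate value that merely contains "order"
    "p=42&drop=1",        # constructed: keyword used as a second parameter name
    "q=hello",            # constructed: benign
]

if __name__ == "__main__":
    for qs, hits in evaluate(SAMPLES).items():
        print(f"{qs:20} blocked by: {sorted(hits) or '-'}")
```

Note the trade-off the results expose: the parameter-name variant also stops matching the guide's own ?s=union test, because there the keyword is a parameter value rather than a name, while the bounded variant still catches it and lets sort=order_date through.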
      
  5. womennews says:

    Hi Ed – Big thx 4yr assist. We have been trying to activate BPS plugin, but have error pages showing. When trying to navigate the site all go to pages show error screen. The home page shows correct with all complete. We did an assessment & – yes we have PhP5+ via BlueHost, yes we have installation showing in root folder….. but think this situation might be the problem (I’ll just quote you here): “you are using two domain prefixes (www.blog.website.com – www and blog together being the 2 prefixes).” Not sure this is it… but it’s the only other idea left in your troubleshoot. Hoping to learn what to do next to fix this. Can you direct in easy detail for someone still in big learning curve w code? Thx — FYI: Your plugin instructs are very clear for beginners to follow.. (BACKGROUND: Our site delivers global news & is listed on 1st page (listing 2) of Google Search in its main news topic. We also show in Google News regularly. We are a news site that publishes frequently to United Nations – covering human rights global – because we deal with issues on human trafficking… child brides.. FGM.. etc…. site security is VITAL. Let me know what info you need to help us know what to do to fix and use your great plugin. : )

    • AITpro Admin says:

      Hi,
      I took a look at your site and you are using WordPress.com hosting via Layered Tech servers. Is this paid hosting? You are the first person that I am aware of that is using BPS on WordPress.com hosting so this is an area that I am not familiar with. In order to install plugins you must have paid for something correct? Your womensnewsnetwork domain is actually showing as a subdomain of wordpress.com so that may be the issue. Typically this would be the same as an add-on domain so you would not need to add the folder name to the Rewriterule and Rewritebase. Update your permalinks and then take a look at Your Current Root htaccess file with the BPS File Editor. WordPress will write your correct Rewritebase and Rewriterule for you by doing this. Thanks.

      • womennews says:

        Hi Ed – Our site has been on wp.com for almost six years. The new site is almost ready to go live in the next few days. New site is using wp.org in BlueHost with temp url: http://66.147.244.181/~womennew/ (that will be pointing domain from GoDaddy soon). Let me know if you need any more info. Thanks for your good work. – Womennews

        • womennews says:

          Asked Bluehost assist today to check to see if our site is showing in root file. They said yes, but I’m not good enough to go in and know the difference checking it myself. Do have some empty folders in PhP I did notice. Is it possible the BPS is linking to one of the empty folders instead. PhP shows this:
          information schema (34)
          womennew
          _newdb (24)
          _womennews (empty)
          _womennews1 (empty)
          _wrd1 (22)
          _wrd3 (11)

          • AITpro Admin says:

            Hi,
            BPS does not write anything to the DB. Great looking site!!! Let me know if you have problems once you have everything finally setup. Thanks.

          • womennews says:

            Hi and thanks Ed. Any work around to get BPS working with the site sitting in newdb? We hope so. Should we delete the plugin if no work around? Thx

          • AITpro Admin says:

            Well I still don’t know exactly what problem you are having. Your original description of the problem is too general so I was waiting for you to actually launch your website first. Without being able to look at a fully launched website I cannot really begin to troubleshoot any issues you are having. Is WordPress going to be installed in the root folder or a subfolder? Do you have your custom permalink structure set up yet? I would need to know things like do you have any redirection DNS settings set up on your web host. So before I could even begin to assist you I would need the basic information about your website. For a starting point, set up your custom permalinks and then email me the htaccess file that is created automatically by WordPress when you do that. edward[at]ait-pro[dot]com. Thanks

          • womennews says:

            Hi Ed – Just took many hours looking through WP forums to find a solution to no access in root folder. All I had to do was turn off ALL plugins and update the new version (which I already had) of WP 3.1. It worked! That was too simple. Now very happy to have your program providing security as we launch our site to LIVE. Hope this simple fix is shared and will help others. : )

          • AITpro Admin says:

            Great! Glad to hear you got everything working. :) Thanks.
            Ed

          • womennews says:

            Hi Again dear Ed – Will definitely be staying in touch w you as other fix bugs may arise. We do want to send you a contribution for your plugin also. Let us know where to go for this. We will contribute in the next week. All our permalinks are set. Hope that the GoDaddy domain point will find all the files correctly including all plugins. Thx for your past returns to us in our needs 4assist & for yr latest offer to help further before our simple fix was found. : )

          • AITpro Admin says:

            Well if you want to see your name in lights and get a DoFollow link back to your website you can contribute here. Plus contributors automatically get BulletProof Security Pro for free – woo hoo! >>> http://www.ait-pro.com/aitpro-blog/category/bulletproof-security-contributors/. :)

            Thanks,
            Ed

  6. Sara says:

    Hi Ed –

    Thanks for the great security plugin :) I’ve read all the information on the site and tried to set it up for my site. I think I did okay, but I wanted to check with you because I still have a few red errors on the status page.

    My site is installed in the root folder, so I did the following:

    1. Installed and activated the plugin
    2. (Read your instructions, then) Clicked “Backup and Restore” tab and made initial backup of .htaccess Files”
    3. Under “Security Modes” tab, selected “BulletProof Mode” for “Activate website wp-admin folder .htaccess” and activated
    4. Went back to “Backup and Restore” tab and selected backed up .htaccess files again
    5. Under “Security Modes” tab, activated “BulletProof Mode” for “Activate website root folder .htaccess”
    6. Checked the website in a separate window to ensure that it was still working and links worked

    At this point was I done? Wasn’t sure, so I did the following:
    7. Activated Deny All htaccess Folder Protection For The BPS Master htaccess Folder
    8. Activate Deny All htaccess Folder Protection For The BPS Backup Folder

    Now under the Status tab, I see that everything is green and good to go under “Activated BulletProof Security .htaccess Files.” All my File and Folder Permissions are using the recommended settings and “Additional Website Security Measures” are all green. But I still see these red errors under “General BulletProof Security File Checks”:

    Your File Upload settings are NOT backed up yet
    Your File Download settings are NOT backed up yet
    Your File Upload settings are NOT backed up yet
    Your BPS Master default.htaccess file is NOT backed up yet
    Your BPS Master secure.htaccess file is NOT backed up yet
    Your BPS Master wpadmin-secure.htaccess file is NOT backed up yet
    Your BPS Master maintenance.htaccess file is NOT backed up yet
    Your BPS Master bp-maintenance.php file is NOT backed up yet

    What do I need to do? Was I supposed to “Deny All protection activated for BPS Master /htaccess folder” and “Deny All protection activated for /wp-content/bps-backup folder”?

    Thanks!!! Sorry I am ignorant on this, but want to make sure I do it right :) Looking forward to your PRO modules as well – looks like there are some awesome tools there as well.

    Sara

    • Sara says:

      I realized that to get rid of some of the errors all I had to do was make backups of the BPS Master, etc. on the Backups tab. Is that necessary? (I did it :) )

      Under the file upload and download tab, it reads that if your installation is in the root folder then uploads/downloads will be automatically set correctly. Does that mean I don’t need to do anything?

      Thanks :)
      Sara

      • AITpro Admin says:

        The BPS Master file backup is there for people who had a WordPress subfolder installation or for anyone who had to customize the Master files for their particular site. Most people have a single WordPress installation in their root folder so a backup is really not necessary at all. For people who had to customize their master files they could just do a restore after upgrading BPS and use the BPS File Editor to copy and paste their customizations to the new BPS Master files and then back those up.

        Yep the file uploader will work automatically (no one-time set up needed) for people who have WordPress installed in the root folder. The downloader requires a one-time set up and then you just click the Save button on the bottom of the page. That makes a backup of your saved settings, which you can then just restore when you upgrade BPS. In later versions of BPS this will be completely automated, but for now it requires the one-time set up. Thanks.
        Ed

    • AITpro Admin says:

      Hi Sara,
      Thanks for the kudos!
      A+ and a Gold Star for actually reading the miles of instructions I have all over the place. LOL
      Looks like you did the BPS Master files backup in your next comment so I’ll answer the other question you have in that comment to make it easier to follow for someone else if they have the same question. ;) Thanks.
      Ed

      • Sara says:

        Thanks, Ed, for your quick reply.

        Ok – now I understand the instructions. I will not worry about the file uploader instructions, but will go through the one-time file download instructions as needed. Thanks!

        Did come upon another issue though – with the “Status Updater” plugin available in the WP plugin repository (http://wordpress.org/extend/plugins/fb-status-updater/). This plugin updates Facebook and Twitter pages automatically when a post is published on a blog. It requires Php4 or higher, Curl and Json libraries to operate properly.

        After setting up Status Updater, I realized that it wouldn’t connect properly to the Twitter/Facebook services. I contacted my host provider tech support and they said the BulletProof Security plugin had done some altering to the htaccess that “is causing the Status Updater plugin to redirect incorrectly and the htaccess makes it think the page doesn’t exist.” This results in a 404 Not Found error on my site rather than connecting me to Twitter to finish setup for the Status Updater plugin.

        Sorry if it sounds complicated. Wondering if there is a work around? And I know you said let you know if we found any bugs or incompatibilities :)

        Thanks!
        Sara

        • AITpro Admin says:

          Ok I will add the Status Updater plugin to the plugin testing list and post the fix there and here once I have looked at what BPS is not allowing. Thanks for the heads up.
          Ed

          *** UPDATE ***
          It appears that a simple htaccess skip rule will work as a fix for this plugin. Copy and paste the fix shown below to the BPS File Editing window for Your Current Root htaccess file and save the file. Please confirm that this fix works for you. On my end the cron jobs run completed successfully and the pushed posts log displays the post ids for the posts to be pushed.

          # Status Updater plugin fix
          # If you have WordPress installed in a subfolder you will need to add the
          # subfolder name to the RewriteCond /blog/wp-content/plugins/fb-status-updater/ [NC]
          RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
          RewriteRule . - [S=30]
          
  7. Scott says:

    Hi Ed,

    Thanks for your hard work on this plugin!

    I’m testing this on a local server and ran across an issue. The site is setup for WordPress MU using subdomains, so my WordPress .htaccess looks like:
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    # uploaded files
    RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule . index.php [L]

    I followed your instructions for modifying secure.htaccess, inserting the above code between # BEGIN WordPress and # END WordPress

    I also enabled use of forbidden.html. I enabled Bulletproof mode and verified that the root .htaccess was correct.

    I then proceeded to try one of your suggested attacks:
    http://www.mydomain.com/?s=union

    I was not redirected to the forbidden page. I enabled the RewriteLog at level 4 to follow the rewrite flow. It was then apparent that nothing would probably make it past the rewrite rules in the WordPress section, since there was a wildcard rule with no condition:
    RewriteRule . index.php [L]
    which apparently picked up everything that got to that point.

    To make this work with your filters, it seems like I should move the following rules to the very bottom of the .htaccess file:

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule . index.php [L]

    I tried this and sure enough, the hack attempt at
    http://www.mydomain.com/?s=union
    worked and redirected. The XSS attack was also correctly redirected.

    BTW, I wanted to mention that I have the following in my httpd.conf. Not sure if this has an influence on what is happening:

    DirectoryIndex index.html index.php

    Am I doing something wrong, or do those rules really need to go to the bottom of the .htaccess file?

    Thanks,

    Scott

    • AITpro Admin says:

      Hmm this is the missing piece of information I have been looking for regarding WPMU. Since I don’t have a WPMU testing site I have been unable to do any actual hands on WPMU testing. Yes you are absolutely correct – nice one! I believe WP added this new WPMU htaccess code addition (in the last 2 version releases) to increase website performance overall. I will update my guide and help files to reflect this info and of course give you Kudos “New WPMU htaccess coding fix provided by ?” let me know what you want to replace the ? – your name or a URL link to your site or even both – your name with a link to your site. ;) Thanks Ed.

      • Scott says:

        Hi Ed,

        No credit needed. You can simply mention “Scott” if you wish.

        I also wanted to note something about “Activate” versus “Network Activate” for a MU setup.

        I think I know the answer to this one for a subdomain install. I did just a normal Activate (not Network Activate) which seemed appropriate since there is only one root (and one root .htaccess). I verified (after making the change I mentioned above) that both the main blog and another subdomain blog were protected against your example search hack. I don’t think a subfolder MU setup would be any different, but haven’t verified that.

        Hope that helps.

        I’ll keep you posted if I run across anything else related to a MU setup.

        Scott

        • AITpro Admin says:

          Hi Scott,

          Excellent info and very much appreciated! I’ll add this additional info to the MU section of the BPS guide with a “Contributed by Scott” tag. ;)

          Thanks again,
          Ed
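
Added worked example (an editor's addition, not BPS's secure.htaccess and not the block WordPress generates) showing the ordering Scott arrived at: the request filters sit above the WordPress block so that the catch-all rule cannot end processing before they run. The filter patterns are simplified stand-ins, not BPS's real rules, and the forbidden page path /forbidden.html is an assumption.

```apacheconf
# Added example, not BPS's secure.htaccess or the block WordPress writes.
# mod_rewrite evaluates RewriteRule directives top to bottom. The WordPress
# catch-all "RewriteRule . index.php [L]" matches every request and [L]
# ends the pass, so a filter placed after it is never reached. Filters first,
# WordPress block last.

# Page served for 403 responses (assumed to exist in the web root).
ErrorDocument 403 /forbidden.html

RewriteEngine On
RewriteBase /

# 1. Request filters. Consecutive RewriteCond lines joined with [OR] form one
#    group; the last line has no [OR], which closes the group before the rule.
#    QUERY_STRING is matched in its raw, undecoded form, so percent-encoded
#    angle brackets (%3C, %3E) must be listed alongside the literal ones.
#    These stand-in patterns are intentionally crude: the bare keyword test
#    also blocks a harmless search such as ?s=reunion, which is the kind of
#    false positive to watch for when tightening filters.
RewriteCond %{QUERY_STRING} (union|select|insert|declare|drop) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|%3C|%3E) [NC]
RewriteRule ^(.*)$ - [F,L]

# 2. WordPress block last. WordPress rewrites only the text between these
#    markers when permalinks are saved, so filters placed above the BEGIN
#    marker survive that.
# BEGIN WordPress
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
# END WordPress
```

With this ordering a request for /?s=union gets a 403 and the forbidden page, while a request for a normal permalink still falls through to index.php. Putting the filters inside the BEGIN/END markers instead would also work until WordPress regenerates that block, at which point they are lost.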

  8. extremeram says:

    *** COMMENTS COMBINED BY ED ***

    Hi, as a dumbass newbie I didn’t check the notes before installing the plugin. So I just installed and activated the Secure Mode. After that my site went blank and also my admin area wasn’t accessible any more. So I removed the plugin on my server and made the htaccess file back to original but the site was still blank and I can’t get it to work. I have an htaccess file in my root but what else could it be? Please help, I want to get the plugin back and install it right this time.

    I got the site visible but admin is still not accessible. Any ideas what went wrong?

    • AITpro Admin says:

      When you say “admin is still not accessible” what exactly do you mean? I see that you are using a Premium Auction WordPress Theme so are you talking about the admin panel for the premium theme? This is interesting – I tried to check what server platform you are using on your web host and I got a 403 Forbidden error. I have never seen this before. Is your website hosted on an Apache server or IIS server? If the problem turns out to be with this particular Theme itself then I would need a copy of the Theme for testing (Theme will be deleted on completion of testing). Here is something I noticed that may or may not be causing a problem. Your domain does not have a www prefix. Go to your WordPress Settings panel, under General Settings add the www prefix to your WordPress Address URL and Site Address URL. Also are you using a custom permalink structure? Also when I visit your site I am getting an object error – multifile_compressed.js is not loading correctly. Also you want to remove / delete the BulletProof Security .htaccess file that was copied to your /wp-admin folder if you activated BulletProof Mode for your wp-admin folder. And check if your premium theme came with its own .htaccess files. Thanks.

  9. Andrew says:

    Hi Ed,

    It’s me again. Quick question this time: Does your plugin add the line RewriteRule ^(.*)$ - [F,L] to the .htaccess file? If so, I think it may be interfering with my podcast feed.

    I’ve been having a problem using the feed ending in “?feed=podcast” when changing my permalink structure to a non-default, but (and here’s the weird thing) the feed ending in “/feed/podcast” works fine.

    I was encountering a 403 error when trying to validate “?feed=podcast” under the non-default permalink scheme and the plugin designer of my podcast plugin (podPress) suggested it may have something to do with that line of code.

    Is he correct? And is there a way I can fix this?

    • AITpro Admin says:

      *** Update ***
      This code had some issues so read further down in this series of comments to get code that is working. The working code fix has been added to the Plugin Compatibility and Testing page

      # podPress rewrite ?feed=podcast as feed=podcast
      # If you have WordPress installed in a subfolder you will need to add the
      # subfolder name to the RewriteRule (.*) /blog/feed=podcast/$1? [R=301]
      RewriteCond %{QUERY_STRING} feed=podcast [NC]
      RewriteRule (.*) /feed=podcast/$1? [R=301]
      
      • Andrew says:

        I’m still getting a 403 error when I try to validate “/?feed=podcast” under a non default permalink scheme.

        I edited my .htaccess file through your plugin(under the edit menu) and updated both the secure and root file. Still the same results.

        • Andrew says:

          Disregard that, now “/?feed=podcast” is coming up as a 404 error.

          • AITpro Admin says:

            Confirmed working code to rewrite ?feed=podcast to /feed/podcast/ without generating a 403 Forbidden error and successfully opening the podcast feed.

            # podPress rewrite ?feed=podcast as /feed/podcast/
            # If you have WordPress installed in a subfolder you will need to add the
            # subfolder name to the RewriteRule (.*) /blog/feed/podcast/$1? [R=301,L]
            RewriteCond %{QUERY_STRING} feed=podcast [NC]
            RewriteRule (.*) /feed/podcast/$1? [R=301,L]
            

            BPS htaccess code for the other podPress feeds can be found on the Plugin Testing & Fixes Page. This new code will be included in the next version release of BPS.

  10. Ray says:

    I see, thanks for the prompt reply and detailed explanation. I really must learn to read up on stuff before I jump in!

    Thanks.

  11. Ray says:

    Hi,

    New to this and wordpress. Looks like a great plugin and seems ok so far, but what if I get a problem in the future? (In my rush to install, I didn’t back up my original .htaccess).

    Would I be ok to deactivate the plugin and then just delete the .htaccess files in both my root folder and my wp-admin folders, to get it back the way it was??

    Thanks…

    • AITpro Admin says:

      BulletProof only changes one thing about your website – it adds .htaccess files to your website – nothing else is added or modified whatsoever. You can just activate Default Mode to put your website in an unprotected state. The default .htaccess file is just a standard basic .htaccess file that WordPress uses. The default .htaccess file does not contain any website security protection so before leaving your website wide open to hackers you should probably do a little research on what .htaccess website protection is all about. If you just delete the .htaccess file in your root folder then it is possible that your site will not be viewable, that you will be unable to log into your Dashboard, or that you will get a 500 server error. That of course depends on many different possible factors in how your site is set up, but to be safe just put a generic .htaccess file in your root folder or activate the default mode. Like I said your site is not protected when you do this. ;) You can delete the /wp-admin .htaccess file without having to do anything else. This leaves your /wp-admin folder and subfolders unprotected though. Thanks.

  12. If I go into Bulletproof mode the search widget doesn’t work. Default .htaccess it works. Can’t not have a search function on the blog. Error page displayed below:
    ===========================
    Directory has no index file.

    Browsing this site or directory without an index file is prohibited.
    If you are the site’s webmaster, you can remedy this problem by creating a default HTML page with one of the following names:

    index.html
    index.htm
    default.htm
    Default.htm
    home.html
    Home.chtml
    NOTE: Filenames are case sensitive, i.e., Home.html is not the same as home.html

    • AITpro Admin says:

      *** Updated with fix for Suffusion Theme Search Issue ***

      There are a couple of characters that are being filtered that are causing the search to generate a 403 Forbidden redirect. They are not critical and can safely be removed. Replace this line of code in the BPS secure.htaccess file:

      RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|"|;|\?|\*|=$).* [NC,OR]
      with this line of code:
      RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
      

      The less than, greater than and opening and closing bracket characters are important. Make sure there is not a blank space after the less than character < or you will get a 500 error.
      The permanent fix has been posted here >>> http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/

      Your domain name is interesting. I had assumed your web host was FatCow, but it is actually iPage. Any special reason for the domain name naming convention you are using? It is named like a free web hosting subdomain account and if I try to look up DNS info I see FatCow domain info???? Something appears to be odd about that. Yep something is up with the Suffusion Theme’s search feature itself. I just installed it and tested it and got a 403 Forbidden error when trying to search. I will do some testing and post the fix once I find out what is causing the problem.

      The Options -Indexes htaccess directive blocks directory browsing. If you want to allow directory browsing just comment it out.
      Thanks,
      Ed

  13. Ed says:

    Hi! How do you disable maintenance mode? It does not deactivate even if the maintenance mode is unchecked.

    • AITpro Admin says:

      Hi,
      You would just need to choose and activate another mode on the Security Modes page. Originally Maintenance Mode was on the Security Modes page, but it was being activated by mistake so Maintenance Mode has been moved to its own page to avoid accidental activation. Thanks.

  14. Renman2735 says:

    Hi there,

    I followed your instructions such that my status now reads
    The .htaccess file that is activated in your root folder is:
    string(45) ” BULLETPROOF .45.7 >>>>>>> SECURE .HTACCESS ”

    √ wp-config.php is .htaccess protected by BPS
    √ php.ini and php5.ini are .htaccess protected by BPS
    √ Deny All protection activated for BPS Master /htaccess folder
    √ Deny All protection activated for BPS htaccess /backup folder

    The .htaccess file that is activated in your /wp-admin folder is:
    string(45) ” BULLETPROOF .45.7 WP-ADMIN SECURE .HTACCESS ”

    HOWEVER,
    I tried both your tests for

    MySQL Injection hacking tests
    Entering any of those
    Union
    Select
    Request
    Insert
    Declare
    Drop

    and it didn’t work. It just came up as if no posts were found.

    In addition, I tried
    XSS (Cross Site Scripting) Hacking Attempt Test

    My normal homepage loaded up.

    Any ideas what I should be looking at?

    PS: Sorry I should say for the first test that what happened was not the “no posts found page” but rather, the page stays the same but the URL becomes
    http://www.mywebsite.com/?s=union

    Thanks!

  15. Adam says:

    Excellent, thank you! I had placed the full path in there during troubleshooting because just having the filename in there wasn’t working.

    Copying over the default htaccess worked like a charm though. Thanks again!

    • AITpro Admin says:

      Welcome! Yeah I thought you probably added the full path as a troubleshooting test to see what would happen. That is exactly what I would have done too. ;) I took the opportunity in my comment to over explain what is happening with the .htaccess code so that it might be helpful to someone else who has a timthumb issue in the future. I’m sure there are plenty more to come. LOL Cool glad the default.htaccess copy and rename “fix” worked. ;) Thanks.

  16. Adam says:

    I followed the advice provided above regarding the TimThumb issue, but it’s still problematic.

    In the secure.htaccess within the plugin’s directory, I added:

    # TimThumb Thumbnail Images not displaying - Red X Displayed Instead of Images
    # If your theme uses TimThumb and the file is called something else like thumb.php then change the filename below
    # If you have WordPress installed in a subfolder you will need to add the
    # subfolder name to the RewriteCond !/blog/timthumb.php$
    RewriteCond %{REQUEST_FILENAME} !/wp-content/themes/softshell/lib/scripts/timthumb.php$
    RewriteRule . - [S=15]

    # FILTER REQUEST METHODS
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]

    Doing so gave no results. I also made the change to the root htaccess. What am I missing?

    The timthumb.php for me is located at root//wp-content/themes/softshell/lib/scripts/timthumb.php.

    • AITpro Admin says:

      Your WordPress installation is installed in the root folder so you would not need to change anything in the BPS htaccess file for this to work for you. So that would just be the default condition RewriteCond %{REQUEST_FILENAME} !timthumb.php$
      REQUEST_FILENAME looks at the “The full local filesystem path to the file or script matching the request.” So it does not require the actual full path to the file, just the filesystem, which translates to wherever you have WordPress installed. In your website’s case it is the root folder. For a few people depending on which WordPress Theme they are using the .htaccess code is not doing the trick. So what has worked in 100% of those cases where the htaccess code is not working is to copy the BPS default.htaccess file to the same folder that timthumb.php is located and then renaming the default.htaccess file to just .htaccess. Thanks.
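
Added example (an editor's addition, not BPS's secure.htaccess or its default.htaccess) illustrating the two mechanisms in play in this exchange: how an [S=N] skip rule lets timthumb.php requests jump over a block of filters, and why dropping a separate .htaccess into the TimThumb folder works even when the skip does not. The rule count, the filter patterns and the theme path are assumptions made for illustration.

```apacheconf
# ---------------------------------------------------------------------------
# Root .htaccess excerpt (added example, not BPS's file; rule count, paths
# and patterns are assumptions for illustration)
# ---------------------------------------------------------------------------
RewriteEngine On
RewriteBase /

# [S=N] skips the next N RewriteRule directives. RewriteCond lines are not
# counted; each belongs to the RewriteRule that follows it. N must equal the
# exact number of RewriteRule lines in the block being jumped over (2 here).
# Add or remove a rule in that block without updating N and the skip lands
# in the wrong place: timthumb.php is filtered again, or unrelated rules
# further down are silently skipped. A fixed count such as S=15 is therefore
# only right for one particular layout of the file.
# In .htaccess context REQUEST_FILENAME is the full local path, so matching
# on the file name suffix works for any install location.
RewriteCond %{REQUEST_FILENAME} timthumb\.php$ [NC]
RewriteRule . - [S=2]

# Filter block that timthumb.php requests jump over: exactly 2 RewriteRule
# directives, matching the S=2 above.
RewriteCond %{QUERY_STRING} (<|>|%3C|%3E) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule ^(.*)$ - [F,L]

# ... WordPress block and the rest of the file follow here ...

# ---------------------------------------------------------------------------
# /wp-content/themes/<theme>/scripts/.htaccess  (the copy-and-rename
# workaround; the directory is whichever one holds timthumb.php)
# ---------------------------------------------------------------------------
# Per-directory mod_rewrite configuration is not inherited. As soon as a
# subdirectory .htaccess contains its own RewriteEngine directive, the rule
# set from the parent .htaccess no longer applies to requests in this
# directory (unless "RewriteOptions Inherit" is added). timthumb.php is then
# served with no filters at all, which is why the workaround succeeds even
# when the [S=N] skip above does not, and also why the script is left to
# rely entirely on its own input validation.
RewriteEngine On
```

The copied default.htaccess does the same thing as the one-line file at the bottom, just with the standard WordPress rules included: what matters is that it switches the rewrite engine on in that directory, which detaches it from the parent's filters.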

      • SD admin says:

        Thanks AITpro Admin, for both your assistance and for the BPS plugin.

        I am running BPS version .45.7, but apparently I upgraded to the new version BEFORE you made changes regarding TimThumb. My copy still had the exclamation mark, so I changed it to the caret. However, like the user above, my thumbnails were still not appearing.

        After reading the comment above, I copied ‘default.htaccess’ from /wp-content/plugins/bulletproof-security/admin/htaccess (in case anyone didn’t know the path) using my FTP software, and pasted that file into the folder which contains ‘timthumb.php’. After renaming ‘default.htaccess’ to ‘.htaccess’, everything worked perfectly.

        In my case, ‘timthumb.php’ is included as part of my theme – Arthemia Premium, and is located in /wp-content/themes/arthemia-premium/scripts (again for anyone interested).

        Glad it all worked out well, I have had issues in the past with secure .htaccess files being a little too secure, and thus breaking website functionality, but this seemed to solve it.

        AITpro Admin – you might want to highlight this solution at the top, so that others don’t have to search through the comments section, please.

        Thanks again,
        SD

        • AITpro Admin says:

          Thank you for the very detailed and descriptive feedback. I think what needs to happen now for future releases of BPS is that I need to create a function that will search anyone’s site for the existence of the timthumb.php file, if it is found then echo a message that the timthumb.php file was found, then at that point display a one click “fix” button or link, which would automatically copy the default.htaccess file to whichever folder timthumb.php is in and then rename the file automatically to just .htaccess. The .htaccess condition / rule seems to be 50/50, which is not so good. I am not sure why exactly that is, but since there are so many coding variations with the different WordPress Themes, I think the best approach is a timthumb.php fix button. Thank you again for your excellent feedback. ;)
          Regards,
          Ed

          • SD Admin says:

            I was just checking to see if there was any feedback from my comment the other day as I was setting up another WordPress site for a client. That client chose the Vulcan – Minimalist Business WordPress Theme 4 (version 1.2) theme. I have never worked with that theme before, but as I was implementing BPS I found that most of the images had broken links. Again the culprit was TimThumb. For those that are searching, ‘timthumb.php’ is located in theme’s root directory ‘/wp-content/themes/vulcan’. Again, just copy the ‘default.htaccess’ to the root theme folder and rename it ‘.htaccess’ and you’re in business!

            I also had a chance to play around with the maintenance mode and do a little modding of the bp-maintenance.php file. I thought that it might use calls to or so I was surprised to see that I had to edit that manually, along with the date/time, which you mentioned above. I don’t want to add to your workload, but it might be nice to have a little function inside BPS which could allow the user to enter some of those pieces of data directly from the plugin settings area. Just a thought.

            It was also a little unnerving turning on maintenance mode – I wanted to try the test function using my own IP addy, but I was hoping that as soon as I did that I wouldn’t be locked out of the BPS plugin, and have to FTP in to replace the htaccess file. As you know, it worked fine and I could still make modifications to BPS even with maintenance mode preventing my access to the public site. It wasn’t entirely clear in the instructions that this was the case. Still, it all worked out well.

            A huge thanks again for a great plugin, and for the responses

          • AITpro Admin says:

            Cool! Even though the manual copy and rename works it still is not a “clean” fix to me. I still consider that a workaround, but hey if it’s working for now until I can get something permanent in place then yippee! LOL Thanks again for the excellent feedback!

            Yep the whole Maintenance Mode thing got pushed to a lower priority. I agree with you 100%. There needs to be a whole full editing page for just the Maintenance page with all kinds of stuff you can add on the fly – graphics, text content and configurations. And in a way where it is completely automated. ie Add Title, Add Date and Time, etc and just click Update File and the page is done / created. Making the whole process take less than 5 minutes max is my goal. It is coming I just don’t know exactly when that will be completed. ;)

            Yes I agree with you if you are putting a Live site into Maintenance Mode it does make even me double check everything because of the seriousness of putting any Live website (especially a high traffic Live site) into an under maintenance state. I think the best solution is to add a Preview Option before an actual Activate action. And possibly going as far as to add an option to show both what you see and what a visitor will see. Yep like I said the Maintenance Mode has been pushed into a lower priority task so it is lacking in quite a few things – ease of use and help documentation. Yes the Maintenance Mode works perfectly, but it is not super user friendly at this point.

            Thank you again for all of your excellent input!!!
            Regards,
            Ed

          • SD Admin says:

            Ahh, nevermind, I figured out that I could just make another line in the maintenance htaccess file, like so:

            # Adding your IP address to the line below will display the website
            # under maintenance page to everyone else except you.
            # Add your Public IP address to the line directly below.
            RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.900$
            RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.901$

          • AITpro Admin says:

            Whoops guess I was replying at the same time ;) Thanks again for all the great feedback!

        • SD Admin says:

          Ohh, I remembered another question… is it possible to specify two or more IP addresses for the maintenance mode, so that the site could be down but accessible by the client and myself?

          Thanks again

          • AITpro Admin says:

            Yep you can add as many IP addresses as you want or entire subnets or blocks. Just duplicate the line of htaccess code that exists and then enter the additional IP addresses for each remote address connection that you want to allow.

            RewriteCond %{REMOTE_ADDR} !^75\.22\.105\.44$
            RewriteCond %{REMOTE_ADDR} !^88\.66\.33\.100$
            RewriteCond %{REMOTE_ADDR} !^10\.10\.10\.10$
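
Added example (an editor's addition, not BPS's maintenance .htaccess) that goes a little beyond the lines above: it shows the single-address entries Ed gives together with a whole block and a smaller range, which the reply mentions but does not spell out. The addresses are RFC 5737 documentation ranges, and the page name maintenance.html and the 503 status are choices made here, not BPS's.

```apacheconf
# Added example (not BPS's maintenance .htaccess).
# Every RewriteCond here is ANDed (no [OR] flag), so the rule at the bottom
# fires only for a visitor whose address matches NONE of the negated
# patterns: the listed addresses see the site, everyone else gets the
# maintenance page.
RewriteEngine On
RewriteBase /

# Exact addresses: keep both anchors. Without the trailing $,
# ^203\.0\.113\.7 would also match 203.0.113.70 through 203.0.113.79.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.7$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.8$

# A whole block, 198.51.100.0/24: end the pattern at the third dot.
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.

# A smaller range, 192.0.2.16 to 192.0.2.31 (a /28), spelled out as a regex.
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.(1[6-9]|2[0-9]|3[01])$

# Let the maintenance page and its stylesheet through; otherwise the rule
# below would apply to them as well and the page could never be served.
RewriteCond %{REQUEST_URI} !^/maintenance\.(html|css)$ [NC]

# Answer 503 Service Unavailable instead of a 301/302 redirect so search
# engines treat the outage as temporary, and serve the page via ErrorDocument.
ErrorDocument 503 /maintenance.html
RewriteRule .* - [R=503,L]
```

Two things to check before relying on this: behind a reverse proxy, load balancer or CDN, REMOTE_ADDR holds the proxy's address rather than the visitor's, so the allowlist would not recognise you; and the rule as written also covers /wp-admin/, so the listed addresses are the only way in. Confirm the address your connection currently presents, and test from a second connection, before activating it on a live site.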
            
          • SD Admin says:

            Thanks for the responses, and I think you’re absolutely right about having a maintenance mode with previews, simple and quick options, etc. But again, these things take time to develop, and it’s probably not the highest priority issue for BPS users at the moment.

            One other thing I noticed is that in the Status section you don’t seem to check for the default WordPress database table prefix ‘wp_’, though maybe it’s included in the Pro modules. I have seen a few other plugins, like WP Security Scan check for that vulnerability and even offer a prefix rewriting function (which seems a little dangerous). I typically rename my wp-config prefix and db table names to lessen the likelihood of some forms of automated hacks, though using Godaddy for most of my sites and client sites means doing it after the install via phpMyAdmin – still, it only takes about 5 minutes to convert the prefixes. Anyway, I think checking the prefix in wp-config would be useful in the status section – what do you think?

            Thanks again Ed

          • AITpro Admin says:

            Yeah to do the Maintenance Mode feature all out the way I envision it would probably take a couple days of solid coding work so as soon as I have a 2 day opening of time to focus on this I’ll create it.
            Yep automating changing the WPDB table prefix is not a complicated thing to do at all. That is on the list of things to do, but it has a lower priority as it would just be an additional security measure and not a primary essential security measure. The logic is that BPS is a first line of defense so a hacker should never be able to even get to the WPDB tables at all, but I agree that it should be added as just one more additional security measure. BPS Pro is going to primarily focus on tracking, logging and alerting in real time so the DB prefix security measure would be added to the regular BPS versions.
            Thanks,
            Ed

  17. Hi Ed,

    Thanks for a great plugin. I have an installation issue. I can’t find the fix in your very comprehensive and easy to follow documentation.

    When testing BP mode for the Root Folder — all pages and links are accessible. However when activating BP Mode for wp-admin Folder — I get the following error message:

    “Unable to copy /var/www/vhosts/johnlbradfield.com/httpdocs//wp-content/plugins/bulletproof-security/admin/htaccess/wpadmin-secure.htaccess to /var/www/vhosts/johnlbradfield.com/httpdocs//wp-admin/.htaccess.”

    I can see a problem in the path (double forward slash after httpdocs) but I’m not sure where it’s coming from or how to fix it. Can you help me? I’m pretty sure it’s something simple.

    Everything in my “status” is green with two exceptions.
    1. “Admin” name must be changed and
    2. “NO .htaccess file was found in you /wp-admin folder”

    Thanks, John

    • AITpro Admin says:

      Hi John,

      Double forward slashes in URLs are usually ignored by web servers so that is not what is causing the problem. Most likely the problem is because of the folder permissions set on the wp-admin folder itself. Take a look at the BPS Status page and check the folder permissions for the wp-admin folder. 755 is fine and is the standard folder permission that will keep the wp-admin folder protected well enough (wp-admin is protected by the WP coding itself when the folder permission is set to 755). Since the root .htaccess copy worked then there is either a permission issue with just the wp-admin folder or possibly a plugin conflict with another plugin that protects the wp-admin folder or some custom coding that is blocking the copy function from copying to the wp-admin folder. Worst case scenario you would have to manually upload the wp-admin .htaccess file. I am releasing BPS .45.7 today hopefully or by tomorrow at the latest. BPS .45.7 has file editing, uploading and downloading from within the WP Dashboard, but in your case this version of BPS will not upload a file to the folder of your choosing (preset upload folder destination) so you would still be stuck with manually uploading the file via FTP to your wp-admin folder. Thanks.

      • Hi Ed,

        Thanks for the speedy reply, much appreciated :-)

        I renamed “wpadmin-secure.htaccess” to “.htaccess” and uploaded it manually as you suggested, a simple enough solution. Now all that remains is to rename “admin” and sort out my folder permissions.

        I am so impressed with this plugin and looking forward to BPS .45.7. Thanks again for your help!

  18. Vlada says:

    Hi,
    I installed your plugin and everything is “green”, no problem and seems to work, but when I try to do sql and xss test seems that .htaccess doesn’t do a job. I am getting normal pages, not 404 redirect.
    Is it in bulletproof mode. Please if you have time can you see what is the possible problem ? It is not urgent.

    Thanks

    Regards,
    V.P

    • AITpro Admin says:

      Hi,
      You have a shared web hosting account on SingleHop using an Apache Server. WordPress eCommerce store Theme. WordPress root folder installation.
      I ran a number of hacking scripts on your site and it is not protected. I was able to hack your site in under 3 minutes. :( It does not appear that you have an .htaccess file in your root folder. At least I was not able to detect one with a scan. If you go to my site and try to bring up the .htaccess file >>> http://www.ait-pro.com/aitpro-blog/.htaccess >>> you will be sent to my forbidden page. If you have an existing .htaccess file it is not really protecting your website, but it looks like you do not have an .htaccess file at all. Like I said I hacked your site in less than 3 minutes. I have not had any other people contact me that have the same WP Store Theme that you have, but it is possible that this theme has some kind of issue. Not very likely, but possible. Things to check out would be >>> does this WP store theme come with protection. If so, is it PHP based instead of .htaccess based. When you FTP to your website do you see an .htaccess file in your root folder? Thanks.

      • Vlada says:

        Please, if you can remove the site from my previous post until I find some solution for protection, so some hacker doesn’t take free breakfast...
        Actually, I have 3 sites under same hosting plan. I will send you domains on some email if you want to check, but other two are joomla and Internet Shopping Cart ,work in progress.
        Yes, I know what the .htaccess is from before, and over FileZilla I see files where they are supposed to be. Joomla has .htaccess and it is protected good – at least I think so – with various scripts and addons from their repository and redirecting some affiliate 301 links is working. Internet shopping cart is still without any protection, recently uploaded and not in a hurry for work. I will try to add your filters in my root .htaccess, maybe that will work. Thanks for help.

        • Vlada says:

          No, does not work for my wordpress. I tried custom made .htaccess for joomla and added your filters and rules, in few folders actually, does not work. have to see what google have to say.
          Thanks again.

          • Vlada says:

            I found solution, made complete new .htaccess file with basic rewrite settings from one site and added your sql/xss lines, works perfectly now. Please try to “hack” me now, just to be sure. I don’t know those stuff.

            Thanks again

          • AITpro Admin says:

            Your website looks ok. Glad you figured it out.
            By the way, all the IP addresses that I have for each of your comment posts are all listed as coming from questionable IP subnets. To look at what spamming behavior your IP addresses are reported as being involved in you can check them on the Project Honey Pot website >>> http://www.projecthoneypot.org/ip_200.88.112.157 This does not necessarily mean that you personally are involved in spamming of course, but it is something that you should be aware of. It could cause you problems down the road if they shut down or ban these IP blocks. All your IP’s appear to be coming from COMPAÑÍA DOMINICANA DE TELÉFONOS C. , which I assume is for a DSL connection? That’s a bad sign though when an ISP is being flagged as a spamming network. Thanks.

          • Vlada says:

            Yes, I am aware that my IP looks bad outside, some pages blocking me but it is not my fault – I recently moved to another apartment and until I get a new land line I am on the 3G connection of company Claro / Codetel, over an internet usb stick. on the same IP they have connected 100 and more users, it is impossible to figure out who is spammer, hacker or whatever. It is very slow, most of users are downloading movies, rapidshare and hotfile are constantly blocked because somebody is downloading non-stop, etc…

  19. Dinah says:

    Hi Ed,

    Help!

    I seem to have done something really wrong because each time I try to access my website I get the 404 Not found message.
    I thought removing the BPS plugin via my FTP would allow me to start again but I still get the same message.
    I’ve tried removing the .htaccess files as previously advised but this does not work either… more so when I return to my FTP the .htaccess seems to reappear… I’m not sure why or what I’m doing wrong :-/
    I can’t access the WP admin log in either as I get the 404 Page not found message too.

    Thanks in advance

    • AITpro Admin says:

      Hi,
      Yeah the only thing you need to change is the actual .htaccess file in your root folder to get your site viewable again. I was able to view your website so it looks like you already figured out the issue. You have a subfolder WordPress installation so you probably just needed to add the folder name “blog” to the master .htaccess files and reactivate BPS. Thanks.
      Merry Xmas!
      Ed

  20. Andrew says:

    Hello.

    Thank you for the plugin and, as far as I’m concerned, simple instructions on how to use it.

    I do have one problem through.

    It seems that when I try to manually enter the URL of my website in Facebook’s “link” field, it doesn’t come up with the image I have chosen. In fact, no image comes up at all, just a URL and a link. I currently use the Share and Follow plugin, which the images works fine with if you use the buttons located at the bottom the post. I was wondering if your plugin would have anything to do with this, seeing as it was the last thing I installed before this happened.

    Thanks.

    • AITpro Admin says:

      BPS should not block any images requested from a HTTP request link to FB so just to be sure put your website in Default security mode and try to share a link again. If this is still occurring after putting your site in Default security mode then I will install the Share and Follow plugin on my testing site and see what happens. Thanks.

      • Andrew says:

        Still having the same problem, even after putting BPS in Default.

        • AITpro Admin says:

          Ok then the problem is not with BPS. When I look at the source code of the plugin I see blank.png for the <img src= image name. Also when I look at some of your posts there aren't any images associated with the posts so not sure what image you are trying to grab and attach to the URL. Your website banner and some other random images on your website with <img src= are the only images that will be grabbed, unless the most obvious thing is occurring – when you try to share your particular posts the blank.png image file is being seen = equals a blank image. ;) Thanks.

          This is the method I use to have FB see my AITpro logo as one of my image choices to choose from. In my footer I have added the AITpro logo image with this code. The beginning brace < in front of img has been removed, as has the closing brace />; otherwise you would see an image in this comment, not the code.

          img src="http://www.ait-pro.com/aitpro-blog/wp-content/themes/AITpro/images/aitpro-logo-footer.png" alt="AITpro Website Design" width="79" height="79" align="left" style="margin-top:-7px;"

          • Andrew says:

            Although I understand completely what you are telling me, I’m still not getting any results.

            What I used to get was this:

            And what I’m getting now is

            It may be a completely Share and Follow’s fault, seeing as I have all of the options designated to what image shows up when I copy and paste my URL in FB; all of which are under the “Setup share image” heading in the plugin’s settings page. If it does boil down to this, I’m sorry for wasting your time.

            Thank you for your time and patience.

          • AITpro Admin says:

            By putting BPS in default security mode you eliminated that BPS was causing the issue. To make absolutely sure you could also rename the .htaccess file in your /wp-admin folder, but it should not be involved at all in the whole image attachment process. The other options I pointed out were things I had to do on the AITpro site to get images to show up when I did FB or other sharing, because I had the exact same issues with images that you are describing. Nope, not wasting my time at all. Glad to help out if I can. Thanks.
            Ed

          • Andrew says:

            Sorry, thought <img src= tags were allowed in your comment box. The first image in my post was supposed to be… *** link removed by Ed as it would be a hot link to an image *** …and the result I’m getting now is this.

          • AITpro Admin says:

            Braces are tricky even when you put them inside of code tags in my commenting template. I need to add an exclude to allow this. I just realized that when I went to add an img src link with braces myself. Your link was removed from your comment as it would create a hot link even with a nofollow attribute. I’m not really sure what you were trying to show me because that image link was just going to your uploads folder. I tested sharing a URL to FB on my site and did not have any problems with getting images to choose from, but I am using the Add to Any Sharing plugin, so that only tells you that images are not blocked by FB sharing on my site with the plugin I’m using, not whether there is a conflict with your sharing plugin. I will install that sharing plugin and take it for a test ride. I’ll let you know what happens. Thanks.
            Ed

            Ok, took the plugin for a test drive – Very nice plugin and great features, but I am having the same problem. Images in the posts are not available to add to an FB share. I completely took BPS out of the equation on my testing site – used the standard WordPress .htaccess file in the root folder only – images are not captured from the posts when I do an FB share. I set the configuration to allow images to be captured from posts, but it has no effect. I think all that is needed here is some coding work on this plugin to correct this minor problem. This is definitely an issue with the plugin itself. And when I say this I mean it could be that the problem is really with FB seeing the images, but the AddtoAny plugin does not have this issue so whatever coding was used in that plugin should also be incorporated in this plugin. Thanks.
            Ed

          • Andrew says:

            Ed,

            I’d like to thank you for taking the time to answer my questions. I sent a message to the creator of Share and Follow last night hoping he could help. The response I got was not nearly as polite or easy to understand as all of yours. He completely blames Facebook for the problem, stating that, because the profiles changed over the weekend, it has to be an issue with their coding. Then he proceeded to tell me that my site needed better descriptions and that I wasn’t using his plugin correctly; even though it had been working perfectly until yesterday, when I contacted you.

            All in all, I sent a message to the Facebook Team this morning with my problem. I’m still waiting for a response, but I would just like to thank you for your patience and apologize for any confusion I may have caused.

          • AITpro Admin says:

            Andrew,
            Very welcome. ;) Yeah I thought it might end up being something like this. Things tend to change constantly in the software development World so you have to be ready to adapt on the fly. Sorry the plugin author was short with you – he or she is probably overworked and underpaid. LOL Don’t get me wrong, I like FB a lot and use it on a regular basis, but I would never personally create a plugin that tied into FB because of all the additional headaches involved. I personally really liked the Share and Follow plugin so I might be switching over to it at some point. It’s a well designed plugin and the features are really nice.

            Contacting FB regarding a 3rd party WordPress plugin may be a very long wait indeed, if you ever get a response at all. It took me 2 months to get an FB Application Developer account. The most important thing to note, and maybe to pass on to the author of this sharing plugin without offending him or her, is that the AddtoAny plugin already has coding that is currently working, so it would require looking at the coding and incorporating the necessary coding changes into this plugin. I was able to see my footer image throughout all the testing I did – only the post images were not available – so it is not an account specific issue. It is isolated to images not being seen within posts by FB, due to some needed coding modifications or additions to this sharing plugin. Thanks.
            Ed

  21. Alex Feldman says:

    Hi Ed, and thanks for this wonderful security tool!!

    I seem to have successfully activated Bullet Proof Security Mode on my root and wp-admin folders (got no red warnings and website seems to be functioning perfectly). BUT when I tested the words insert and union on my search window, it seemed to return results instead of showing a “Forbidden” page. So, does this mean something went wrong? Could you please help me correct this issue? Thanks!

    • AITpro Admin says:

      Your Blog site is using a Google Custom Search feature, so no, in your case these words will not redirect someone to either a 404 or 403 page. As long as you set up your site as a WordPress subfolder site ( /blog being the folder where WordPress is installed) then you should be fine. You can use the XSS test URL in the BPS Guide to check your site to make sure BPS is working correctly. I ran the XSS test on your site and was redirected to your 403 Forbidden page. Thanks.
      Ed

      *** Comment Updated ***
      Also, for anyone interested in creating a custom 403 Forbidden page for their website: a new page has been created for creating a custom 403 Forbidden page for your website.

  22. Terry Platt says:

    I know you’ve heard this one before: I found your information and your plugin after having a new site attacked. Strange, but I am sort of glad it happened since it was the beginning of a huge multi-user site and now I know I better get some things in place for defense.

    I was going to delete the site and begin again but instead I thought I might use it for gaining some understanding of all this security stuff.

    So, I have one question: Where might one find information on what to do AFTER all this mess? Your plugin revealed 35 SQL injections along with 80 or so assorted problems. I have a fully equipped training ground here!

    Thanks for all the education material here and a very important tool. When is PRO going to be available?

    Terry

    • AITpro Admin says:

      Yep, most people only go looking for website security after they have been attacked. I did the very same thing years ago when my first website got hacked. At the time I had assumed that my web host would provide all the security I needed for my website, but I have come to understand that a web host can only provide so much website security and then it is the website owner’s job to BulletProof it (sorry I couldn’t help myself lol). ;)

      What you can do after your website has been hacked is put the website in Maintenance Mode. If you cannot access your site correctly, depending on how malicious the hack is, then you may have to manually upload the maintenance.htaccess file (rename it to just .htaccess after uploading to your root folder) and bp-maintenance.php files to your root directory so that you can gain access to your website and bypass any malicious code. So the info you would need to look at is adding your IP address to the Maintenance mode htaccess file in the BPS guide before uploading it to your website root folder. What this does is any visitors to your site will be sent to the website under maintenance page while you can log in to your website and try and fix the damage. Hopefully you had a backup plugin that will allow you to restore your WP DB from within your WP Dashboard. If not then you will have to use the restore feature that your web host provides for you. Most if not all web hosts make daily backups of your website so you can restore from your control panel. Trying to manually pick through your website and SQL DB to repair the site is not advisable unless you are very knowledgeable in both WordPress and SQL. Even being very knowledgeable this can turn into a very time consuming effort and it is quicker to do the restore.

      BPS Pro is kind of on the backburner for now so I cannot give you a release date. I am continuing to release free versions of BPS that are just as secure as the Pro version. BPS Pro will have tracking, logging and notification bells and whistles. I have decided to keep adding creature comforts to the free version, i.e. uploading, downloading, advanced backup, editing and other functional features and enhancements.
      Thanks,
      Ed

  23. Cong says:

    I have a question about WordPress installation in subdirectories. I installed WP in a subdirectory “wordpress” under the WWW root, and then I configured my site according to this documentation from WP: Giving WordPress Its Own Directory. The site is now accessible using the site root without specifying the “/wordpress” subdirectory in the URL.

    Now, do I still have to modify the default htaccess files from BulletProof Security before activating the protection mode?

    Best regards,
    Cong.

    • AITpro Admin says:

      Hmm that is an interesting question. You are the first person to ask this question. The question I am wondering about is will you be able to use the Activate button to activate security modes or will you have to manually copy the files to your root and wp-admin folders. On the BulletProof Security Settings page click on the System Info menu and take a look at your Website Root Folder: . If the /wordpress folder is shown as the Root Folder then you will have to manually copy the files to both your root folder and wp-admin folder. If your website root folder is shown WITHOUT the /wordpress folder then you should be able to activate security modes as if you had a true WordPress root folder installation and not a subfolder installation. This will also tell you what you are going to need to do with the .htaccess files – Before activating any security modes – Click on your Settings Panel, Click on Permalinks, click on the Custom Structure radio button, then paste this pretty permalink into the window /%post_id%/%category%/%postname%/ and then click Save Changes button. Now FTP to your website and download the .htaccess file that was generated by creating Pretty Permalinks and take a look at the RewriteBase /. If you DO NOT see RewriteBase /wordpress/ then you should be able to activate the BPS security modes as if you had a true root folder WordPress installation. If you DO see RewriteBase /wordpress/ then I believe you will have to manually copy the BPS master files to your folders. If you add the /wordpress subfolder to the BPS master .htaccess files I am pretty sure you will not be able to access your website. Let me know what happens as this is something new.
      Thanks,
      Ed

      • Cong says:

        Thank you for your explanation.

        The System Info page shows the root directory without the /wordpress part, and the .htaccess file generated after modifying the Permalink pattern does not contain /wordpress in the RewriteBase directive. After checking that, I activated BPS without modifying any stock .htaccess files.

        The result is indeed perplexing. The site is accessible as usual without breaking normal functionality. However, BPS protection seems to be working only for the “http://my.site.domain/wordpress” but NOT the root URL. This is verified first by using the example XSS attack and then by testing query strings matching the forbidden patterns.

        Even if I manually copy the BPS-generated .htaccess file from the /wordpress directory into the root, there’s still no effect.

        • AITpro Admin says:

          Yep, I thought you may end up with some kind of issue such as this. In a sense you have created a virtual directory by the methods used to “give WordPress its own directory”. Also this method is problematic (will cause 404 broken links for existing URLs) for many other reasons. If I were you I would put your website back in its original state without using the “give WordPress its own directory” method and just use this .htaccess directive below. The htaccess file would go in your root folder, not in the /wordpress folder, because this directive will redirect all requests for the /wordpress folder to your website root. So you would modify the master BPS secure.htaccess file by adding this directive and then you will have to manually add the secure.htaccess file to your root directory and rename it to just .htaccess. The wp-admin security mode can be activated without performing any manual editing or copying of files as it only contains security filters and no rewriterules or directives.

          RedirectMatch 301 ^/wordpress/$ http://your-website.com/
          
          or 
          
          RedirectMatch permanent ^/wordpress/$ http://your-website.com/

          or you could just do this – this method requires a little more overhead but it works the same. Notice you have the wordpress folder as the base, but the RewriteRule sends someone to the root instead of the wordpress folder. The RedirectMatch method is better.

          # BEGIN WordPress
          RewriteEngine On
          RewriteBase /wordpress/
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteRule . /index.php [L]
          # END WordPress

          • Cong says:

            Hi,

            After reading your suggestion, I decided to just migrate the WP-powered site to the root directory altogether to avoid any further complications. So far things seem to be working fine.

            Thank you for making a great plugin and very detailed and helpful suggestions!

            Best regards,
            Cong

          • AITpro Admin says:

            Well my friend you just made the smartest possible choice you could have made of all of them. ;)
            And you are very welcome! Thanks.
            Regards,
            Ed

  24. Mart says:

    I recommend this excellent plugin and the support is excellent. I have added a link to my website.

  25. Ian says:

    I’ve recently installed this excellent plugin, but when I try to activate any of the security codes in the security mode panel… I get a warning error up referring to public_html/wp-content/plugins/bulletproof-security/includes/functions.php on line 75 …

    Any suggestions?

    Thanks
    Ian

  26. Hi
    with secure mode enabled, searching Persian words gets a 403 error:
    http://www.newbie.ir/?s=وردپرس
    check my blog and search a word (even English) using search form to see the problem.

    thanks a lot

    • AITpro Admin says:

      Hi,
      You just need to comment out this Query filter in the secure.htaccess master file and reactivate Secure Mode in your Root folder. To comment out this Query string filter add a pound sign (#) in front of this line of code.

      RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]

      This is not an essential query filter and a fair amount of people from other countries are having this same problem, so I will not be using this filter in future versions of BPS. Thanks.

  27. Thank you so much for this excellent plugin. I have a very small WP site that I just created and although I know that security is important, I’ve been struggling with the concept of .htaccess files, where to put them, and all the damage that my limited knowledge could do to my site : )

    I honestly can’t thank you enough for the clear instructions and easy setup, and will be sure to stop by and rate this plugin on WP.

    • AITpro Admin says:

      Very welcome! And thank you for your generosity in donating to the ongoing support of the BulletProof Security plugin. I have added your website to the BulletProof Security Contributor’s page with a DoFollow link back to your website >>> S. D. Livingston

      PS Great website – I love your writing style >>> eloquent with a nice touch of witty sarcasm. ;)

      Visit the S. D. Livingston website

      Sincerely,
      Ed

  28. Dave Matthews says:

    I have realized what happens when you work too late into the night. I put the site into maintenance mode without adding my IP address to the maintenance.htaccess. Needless to say I am now locked out of my site. I tried retroactively adding my IP to the maintenance.htaccess in the main folder and to the file in the htaccess folder. Neither way opened the site back up to me. Am I missing something? I tried it as straight numbers and with the characters in between each character like in the example. Thanks.

    • AITpro Admin says:

      Just download the .htaccess file in your root folder and add your current IP address shown on the Website Under Maintenance page for your website and then upload it back to your website root folder. The master maintenance.htaccess file is copied, renamed to just .htaccess and moved to your root folder when you activate Maintenance mode. The IP format is 75\.88\.99\.33 so you will just be replacing your IP address numbers and keeping the existing format.

      • Dave Matthews says:

        Awesome! Thank you for your prompt response. One more question: I am running WP in multisite mode and I have made edits to my original .htaccess file. A few redirects and calls for avatars etc. that are not working now. Do I add these to the .htaccess file in my root folder? I was under the impression the original htaccess file would somehow still be valid and readable even from a secured state. Excuse my misunderstanding..

        • AITpro Admin says:

          This version of BPS does not write the .htaccess file code so what you want to do is manually combine your existing MU and other .htaccess code with the BPS master .htaccess files and then activate. Basically all that is happening is you are creating new custom master .htaccess files that contain both your existing .htaccess coding with the BPS master .htaccess files coding. BPS .45.7 will allow you to edit the .htaccess files from within the WP dashboard, but for now manual editing is still required. You could of course edit only the .htaccess file in your root folder, but if you activate a security mode then it overwrites that current .htaccess file so that is why you would want to make the changes to the master and then activate. I’m hoping to get BPS .45.7 done in the next two weeks, but have a lot on my plate right now. ;) BPS .45.7 will also have new backup features making future BPS upgrades much smoother.

  29. Hi Ed,

    Just installed this on a WP 3.0.2 site set up running in multisite mode. It worked fine on the home blog, but the subblogs didn’t work — the theme wouldn’t display. I hit the wonderful restore button and it is back to normal.

    I looked at your instructions for multisite — but I couldn’t find the code in my original htaccess file. Maybe I’m crazy, but didn’t that particular section get rewritten when WPMU was folded into 3.0?

    Here’s something similar in my .htaccess:

    # END WPSuperCache
    
    #uploaded files
    RewriteRule ^(.*/)?files/$ index.php [L]
    RewriteCond %{REQUEST_URI} !.*wp-content/plugins.*
    RewriteRule ^(.*/)?files/(.*) wp-includes/ms-files.php?file=$2 [L]
    
    # add a trailing slash to /wp-admin
    RewriteCond %{REQUEST_URI} ^.*/wp-admin$
    RewriteRule ^(.+)$ $1/ [R=301,L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule . - [L]
    RewriteRule  ^([_0-9a-zA-Z-]+/)?(wp-.*) $2 [L]
    RewriteRule  ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
    RewriteRule . index.php [L]
    

    Any of that make sense?

    • Also, I did activate the plugin network wide. Perhaps that was a mistake?

      • AITpro Admin says:

        I’m not 100% sure about doing an Activate Site Wide for BPS. Logically BPS is designed to work per domain so sitewide might be the cause for the other sites not displaying correctly. Just to be safe I would choose – Activate Plugin Per Blog Basis and see what happens.

        Your MU htaccess code looks ok, so you would just replace the section of the BPS master htaccess files code where you see # BEGIN WordPress to # END WordPress with your MU htaccess code. I’m not sure about your last question? I have only done troubleshooting for MU sites via comments or email. Never actually set up an MU site or fiddled around with one. ;)
        Thanks,
        Ed

  30. Eric says:

    Wow it works fine !
    Thanks Ed, very appreciated !
    Eric

  31. Eric says:

    Hi –

    Thanks for this wonderful product!

    I have a question: when I activated the BPS, when I search a word with an accent (French character e.g. é), it returns me to an error page. But when I switch to default mode, everything is OK. Do you have a bypass code for the UTF-8???

    Best Regards, Eric

    • AITpro Admin says:

      Hi Eric,
      The Query filter blocks the Unicode translation of the accent character. If you want the accent character Unicode translation to be allowed and not filtered on your website then just add a pound sign (#) in front of this code line shown below in the secure.htaccess file, which will comment out this one particular security filter. The accent character is translated to %C3%A8.

      # RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]

      This is one of the less critical query filters that is extra insurance to block XSS attacks. You can comment this filter out and still be protected from most XSS script attacks.

      Thanks,
      Ed
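To see exactly which search terms that one RewriteCond rejects (the Persian search in comment 26 and the accented French search above are the same failure), here is an added example that is not part of BPS or this thread: it applies the same regex the way Apache does, case-insensitively against the raw, still percent-encoded query string, and shows that the %A through %F alternatives match the lead byte of every non-ASCII UTF-8 character, so any non-English search hits the filter while plain ASCII searches pass.

```python
import re
from urllib.parse import quote

# The query-string filter quoted in this thread (one RewriteCond in the BPS
# secure.htaccess chain).  Apache tests it against %{QUERY_STRING}, which is
# the raw, still percent-encoded string the browser sent, and the [NC] flag
# makes the match case-insensitive; re.IGNORECASE reproduces that here.
BPS_QUERY_FILTER = re.compile(r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*", re.IGNORECASE)

# The same alternatives on their own, used to report which ones fired.
FILTER_TOKENS = re.compile(r"%0|%A|%B|%C|%D|%E|%F|127\.0", re.IGNORECASE)


def raw_query_for_search(term: str) -> str:
    """Raw query string a browser sends when the WordPress search box is submitted (?s=term).

    Browsers encode the term as UTF-8 and percent-encode every byte outside the
    unreserved ASCII set, which is what urllib's quote() does with safe="".
    """
    return "s=" + quote(term, safe="")


def filter_blocks(raw_query: str) -> bool:
    """True when the RewriteCond above would match (and the rule chain would 403)."""
    return BPS_QUERY_FILTER.match(raw_query) is not None


def matched_tokens(raw_query: str) -> list[str]:
    """Distinct filter alternatives present in the raw query, upper-cased, in order of first hit."""
    seen: list[str] = []
    for tok in FILTER_TOKENS.findall(raw_query):
        tok = tok.upper()
        if tok not in seen:
            seen.append(tok)
    return seen


def non_ascii_always_blocked() -> bool:
    """Every UTF-8 lead byte (0xC2..0xF4) percent-encodes as %Cx, %Dx, %Ex or %Fx,
    and the filter's %C..%F alternatives cover all of them, so every non-ASCII
    character trips the line.  Verify that claim over the whole lead-byte range."""
    return all(filter_blocks("s=%" + format(b, "02X")) for b in range(0xC2, 0xF5))


if __name__ == "__main__":
    # Constructed sample searches: ASCII, ASCII with a space, French, Persian,
    # plus a raw query that exercises the 127.0 alternative.
    samples = [raw_query_for_search(t) for t in ["wordpress", "hello world", "café", "وردپرس"]]
    samples.append("s=127.0.0.1")
    for q in samples:
        print(f"{q:40} blocked={filter_blocks(q)!s:5} tokens={matched_tokens(q)}")
    print("every non-ASCII lead byte blocked:", non_ascii_always_blocked())
```

The same function can be pointed at raw query strings copied from an access log to see whether this one line, rather than another filter in the chain, was the reason a request got a 403.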

  32. Tammy says:

    Hi, Ed –

    I’m trying to activate BPS and have followed all the steps outlined up to activation. When I try to activate BulletProof mode in either the root or wp-admin, I get this type of error message:

    “Unable to copy [...wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess] to [domain.com/httpdocs//.htaccess]”

    I’m running a multisite setup and have modified the secure.htaccess as instructed. WordPress is installed in the root.

    Any idea what I’m doing wrong? Thanks!

    • AITpro Admin says:

      Hmm, the document root is showing httpdocs so you have a virtual dedicated server and your web host is Media Temple, correct? The issue is that the copy and move function in BPS either does not see the correct document root path or the directory permissions are set too restrictive to copy the file. You can manually add the .htaccess files to your directories, but that takes all the fun out of a one click solution. ;) My hunch is that you have created folders within httpdocs (website1.com, website2.com, etc.) and for whatever reason the website root is reverting to the httpdocs document root. The other possibility is that the way you have your MU sites set up could be causing the problem. There are a number of variables to a MU site so it would be hard for me to guess the way you have your sites set up. Send me your original existing .htaccess file so that I can take a look at it for some clues. Also this WordPress MU info may be helpful in troubleshooting this issue >>> WP Create_A_Network

  33. Zach says:

    Well, I installed the plugin and activated it. My home page will load, but all of the other pages cause a server 500 error. I deleted the htaccess files via ftp in hopes that it would bring back the site…no luck. Rather than wipe my site… any suggestions?

    • AITpro Admin says:

      Hi Zach,
      Sounds like you have more than a standard WordPress set up. Typically just deleting the .htaccess files in both your root folder and your wp-admin folders should put your website back where it was to start with. BulletProof does not modify anything regarding your WordPress installation / website. When you activate the security modes BulletProof copies .htaccess files to your root and wp-admin folders, so deleting them will put your website back where it was. What is your website URL? Do you have a WPMU set up? Have you set up subdomains in your web hosting account? Thanks.
      Ed

  34. Peggy says:

    As far as I can tell, BPS hasn’t broken anything – I haven’t tried secure mode yet – but when I backup the htaccess files, I get the following errors:

    Warning: copy(/home/xxxxx/public_html/wp//wp-content/plugins/bulletproof-security/admin/backup/root.htaccess) [function.copy]: failed to open stream: No such file or directory in /home/xxxxx/public_html/wp/wp-content/plugins/bulletproof-security/includes/functions.php on line 31
    
    Warning: copy(/home/xxxxx/public_html/wp//wp-content/plugins/bulletproof-security/admin/backup/wpadmin.htaccess) [function.copy]: failed to open stream: No such file or directory in /home/xxxxx/public_html/wp/wp-content/plugins/bulletproof-security/includes/functions.php on line 33
    

    I also get the ‘good’ message that begins “Your Orginal .htaccess files have been backed up successfully.”

    What’s wrong and is there something I should do to fix it? My server is running PHP 5.2.9.

    Thanks!
    Peggy

    • AITpro Admin says:

      Hmm, well the conflicting good and bad messages are a minor coding boo boo for me to fix. What probably is happening or happened is you did not have any existing .htaccess files to begin with, so you were getting the warning message, and the good message is generated by clicking the activate button. I took a look at the code lines in the error and I see that I left out a couple of lines of code on the backup and restore function. All the other functions have a “or die(“Unable to copy $old1 to $new1.”);” line of code. Thanks for pointing this out.

  35. Mike Johnson says:

    I have quite a few modifications to my .htaccess file right now that incorporate link cloaking and different mod rewrite options. I understand that setting this up before I use this plugin is optimal, but how will using this plugin affect the usage of these modifications on my site, or is this plugin just setting up a redirect for my .htaccess file as a security measure?

    Mike

    • AITpro Admin says:

      Hi Mike,
      To avoid any conflicts you should probably just use the sections of the BPS master files that contain the filters to block XSS and SQL Injection attacks. Email me your current .htaccess file so I can take a look and make sure you will not have any problems combining the code. edward[at]ait-pro.com. Thanks.

  36. Get free unlimited one way backlinks here! says:

    Hey friend…

    Increase Free Website Traffic here!…

    *** Deceptive Redirection Link Removed ****
    *** Your web host GoDaddy has been notified ***

    On a personal note it’s not too smart to post deceptive redirection links to a website that focuses on security, hackers, deception and generally bad Internet behavior.

    Thanks,
    Ed

  37. W says:

    Hi, I just installed and followed the directions to activate Bulletproof mode for root and wp-admin and see this in the status window. I do not have W3 installed. Please advise, thanks! :)

    ***

    Warning: file_get_contents() expects at most 2 parameters, 5 given in /nfs/c01/h13/mnt/14376/domains/XXX/html/wp-content/plugins/bulletproof-security/includes/functions.php on line 118
    The .htaccess file that is activated in your root folder is:
    NULL 
    
    A BPS .htaccess file was NOT found in your root folder or the BPS .htaccess file that you are currently using does NOT include .htaccess protection for wp-config.php. Please read the Read Me hover Tooltip before activating a newer version of a BPS website root folder .htaccess file.
    
    wp-config.php is NOT .htaccess protected by BPS
    
    Warning: file_get_contents() expects at most 2 parameters, 5 given in /nfs/c01/h13/mnt/14376/domains/XXX/html/wp-content/plugins/bulletproof-security/includes/functions.php on line 143
    The .htaccess file that is activated in your /wp-admin folder is:
    NULL
    
    • AITpro Admin says:

      Hi Will,
      This is caused by PHP4 being used to run WordPress PHP scripts instead of PHP5. I will take a look at your web host and let you know which Apache directives you need to add to your master .htaccess files. Also there is a huge mess going on with BPS at the WP SVN server. I have been working to fix this now for about 10 hours. I hope to have this completely resolved in the next couple of hours. The update is still sending me in an endless loop, only now it appears the damage is in both .45.4 and .45.3 tagged versions. So the version you most likely have installed is .45.3, not .45.4 or .45.5. Sigh.
      Thanks,
      Ed

      *** Update ***
      Your web host is Media Temple. They have recently updated their policies and procedures on activating PHP5. See this Media Temple link. >>> Media Temple PHP5 instructions

    • Chris says:

      I have this error as well on a brand new MT installation from yesterday.

      • Chris says:

        Just checked and sure enough — an add-on domain was done with PHP4 — weird.

        • AITpro Admin says:

          Hi Chris,
          Yeah I know. I’ve seen this on at least 6 different web hosts that are all stating that they are using PHP5 by default. Logically I guess it is better to set the Apache server to default to PHP4 just in case a website or website platform does not function correctly in PHP5? PHP4 is in the process of being phased out, but this is an overlap period for PHP4 end of life so until PHP4 is completely retired I would imagine that this issue will go on for at least another 6 months.
          Thanks,
          Ed

  38. Scott says:

    For what reasons would someone NOT want to go with the “secure.htaccess” option (use default.htaccess)?

    • AITpro Admin says:

      Yep very good point. It is a left over feature from the original plugin. Originally it was for troubleshooting and actually served a purpose. Now it’s just a useless feature that I keep meaning to remove. Next version for sure. The main focus of Version .45.4 was to permanently fix any conflicts or bugs with other plugins. A few other nice things were added as well – more php information and php.ini protection.
      Thanks,
      Ed
      FYI – To anyone who is trying to install the update to .45.4 – There is still an issue with SVN so don’t bother trying to install .45.4 it will just send you in an endless loop because .45.3 is being installed instead of .45.4. You can get .45.4 directly from AITpro for now. I may make this a permanent thing – very tired of having problems every single time I have to upload a new version to SVN. Ugh.

    • Scott says:

      BTW, great plugin. There is certainly a need for it.

      I had an issue with the sub-navigation on one of my beta sites where it seemed to push you back to the root folder. I believe it was due to the /wp-admin/.htaccess file.

      For example:
      * clicking on the sub-nav link to foo.com/subfoo (or more specifically, http://12.345.67.89/~mysite)
      * resulted in going here – http://12.345.67.89/~mysite/~mysite
      * it happened for any sub-pages

      Any ideas?

      (I also have Bad Behavior, Secure WordPress, WordPress Ultimate Security and WP Security Scan plugins installed. Caching plugin is off.)

      • AITpro Admin says:

        Hi Scott,
        Your comment was flagged as Spam so I didn’t see it until a minute ago. Using your excellent fun example :). My guess is that the htaccess files were modified for a WordPress subfolder installation when they didn’t need to be. I could of course be wrong. Just a hunch. I have tested WP Security Scan with BPS and no conflicts remain with that plugin. There was a conflict many months ago that was fixed. I have not tested Bad Behavior yet, but it is at the top of my list. I will also test Secure WordPress and WUS with BPS.
        Thanks,
        Ed

        • Scott says:

          you were correct on it being a path issue.

          this code did NOT work:

          # BEGIN WordPress
          RewriteEngine On
          RewriteBase /
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteRule . /index.php [L]
          # END WordPress
          
          this code DID work:
          
          # BEGIN WordPress
          RewriteEngine On
          RewriteBase /
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteRule . /~mysite/index.php [L]
          # END WordPress

          • AITpro Admin says:

            Hi Scott,
            Glad you figured it out. As you probably guessed I was a little preoccupied the last couple of days with the SVN issue. ;) I normally do a little back and forth to get the issue nailed down, but I was on the brink of insanity at the time (ok slight exaggeration, but I definitely lost some more hair) so my mind was elsewhere. LOL
            Thanks.
            Ed

  39. Espresso says:

    COOL! That’s what I needed. It worked like a charm. Thanks so much. Curious about Pro. It has a key and then activate, but doesn’t tell me if it’s free, hahaha.

    • AITpro Admin says:

      Cool! Yeah weird little glitch with W3. ;) BPS .45.4 will already have the spaces added to the .htaccess file. Some day I’ll get BPS Pro out the door. It’s already built and I’m using it on my test site, but I just don’t want to release it until I am in a position to fully support it. The javascript in the activation key window is set to see all keys as invalid and key DB is not connected so it will not verify or allow any entries at this point. ;) BPS Pro will be $20 bucks when I do finally release it. Then again I may never release it. LOL Now if I can just get SFC to cooperate so I can release BPS .45.4. Got a weird redirect issue that is driving me totally nuts. LOL
      Thanks,
      Ed

  40. Espresso says:

    In Bullet Proof Security Status, it reads:

    The .htaccess file that is activated in your root folder is:
    string(45) “ULLETPROOF .45.3 >>>>>>>> SECURE .HTACCESS #”

    A BPS .htaccess file was NOT found in your root folder or the BPS .htaccess file that you are currently using does NOT include .htaccess protection for wp-config.php. Please read the Read Me hover Tooltip before activating a newer version of a BPS website root folder .htaccess file.

    wp-config.php is NOT .htaccess protected by BPS

    The .htaccess file that is activated in your /wp-admin folder is:
    string(45) ” BULLETPROOF .45.3 WP-ADMIN SECURE .HTACCESS ”

    I’ve been trying to fix it with the Read Me section, and it still reads this way. Clicking on links on my site still leave an Internal Server Error message.

    • AITpro Admin says:

      Well you’re not going to find the answer in the BulletProof Guide because it’s not added there. You must have the W3 Total Cache plugin installed and there is a very minor silly issue between W3 and BPS. I put off adding the fix in the guide because I am just about to release .45.4, which takes care of several known plugin issues. Anyway all you have to do is add 2 blank spaces after the first # (pound sign) and before BULLETPROOF .45.3 >>>>>>>> SECURE .HTACCESS at the top of the secure.htaccess master file.

      Before # BULLETPROOF .45.3 >>>>>>>> SECURE .HTACCESS
      After #    BULLETPROOF .45.3 >>>>>>>> SECURE .HTACCESS

      Notice that I have added 2 blank spaces in the “After” example
      Since you have already activated BPS, do this to both the .htaccess file that was copied to your domain root folder and the master .htaccess file. By the way, since you are using W3 Total Cache I recommend that you do a Backup once you have W3 working the way you want it to work (i.e. configurations, etc.). That way you have a backed up .htaccess file that contains the BPS filters and also the W3 .htaccess code combined already.
      Thanks,
      Ed

      FYI – BPS has been tested with WP-Cache, W3 Total Cache and WP Super Cache. The blank space issue only affects W3. The other 2 plugins do not have any problems with BPS. BPS .45.4 will resolve this silly issue with W3. Expected release date of .45.4 is 10-18-2010 or 10-19-2010.

  41. Espresso says:

    I am a novice, and have no real understanding of your instructions, and am at a loss on how to fix the issues. If you had an instructional video, it may help more. Some learn by doing, some by reading, some by seeing. I am seeing a lot of red font in the BulletProof Security Status. After reading this page, the Read Me sections and so on, I am at a loss as how to get this up and running.

    • AITpro Admin says:

      No biggee. Send me an email with this info >>> Click on the System Info menu tab and tell me what version of PHP is displayed >>> example: PHP Version: 5.2.14. Then click on the Status tab in BPS and take a screenshot and email it to me >>> info[at]ait-pro[dot]com.

      Thanks,
      Ed

  42. Joe says:

    Hi Ed,

    I am using Version .45.3 and I love it. Can’t wait to see pro. Really appreciate all your hard work.

  43. Joe says:

    I tried to install BPS Pro Modules and it says page cannot be found :(

    • AITpro Admin says:

      Whoops good catch. The link had been changed since BPS version .45.2. I updated the link in the plugin repository for version .45.3, but that will not affect anyone who has already upgraded to BPS .45.3. It’s not a real big deal because BPS Pro is not available yet anyway. FYI – The BPS Pro Activation Key Verification page is here >>> . When BPS Pro is available I will let everyone know.
      Thanks,
      Ed

  44. Adrian says:

    Hi AITpro,

    Thumbs up for an awesome BulletProof Security Plugin and good, prompt support rendered as well! On first impression of the plugin, installing it sounds so complicated that it might lead to a crash. But in fact, I was proven WRONG and have begun to gain confidence in this plugin. For those users who are especially concerned with security issues, I highly recommend that you try this out first and then you will know.

    Thank you for such an excellent effort to invent such a powerful security plugin! :)

  45. Rebecca says:

    Everything seems to work great. However, my WordPress control panel is all messed up. I prefer to use Ozh’ Admin Drop Down Menu version 3.4.2. I’ve sent them a message as well. Please advise if you know what the problem might be. Thank you!

    • AITpro Admin says:

      Hi Rebecca,

      Whoops I thought you were another Rebecca. Too funny. ;) I wrote the original comment with the other Rebecca in mind so I have rewritten this entire comment so it will make sense to you.

      The solution is really simple and easy. FTP to your website, download the default.htaccess file from the /wp-content/plugins/bulletproof-security/htaccess folder, then upload the default.htaccess master file to the /plugins/ozh-admin-drop-down-menu/ folder and rename default.htaccess to just .htaccess. I just tested this and it works fine. ;)

      Thanks,
      Ed

  46. Jack says:

    I’ve deleted .htaccess in my root website folder. I can see the main page on my site but cannot view other pages. When I visit other pages these words always appear:
    Page Not Found

    The page you are looking for Might have been removed, Had its name changed, or is temporarily Unavailable. Please try the Following:

    * If you typed the page address in the Address bar, make sure That it is spelled Correctly.
    * Click the Back button in your browser to try another link.
    * Use a search engine like Google to look for information on the Internet.

    Thanks

    • AITpro Admin says:

      Ok so did you activate a BPS security mode yet? If you do not have an .htaccess file at all this could cause that problem. Also have you checked your Permalinks Settings page? Go ahead and click the Save Changes button on the Permalinks Settings page and see if your links work now. Activate BPS default mode and check your website links. If everything is ok then activate the BulletProof Mode. I just released version .45.2 a little while ago so it will be available in about an hour. I am in the process of updating the .45.1 guide to reflect the new changes in .45.2. If you want to use the Maintenance mode I have sent you those instructions via email.

      Thanks,
      Ed

      • Jack says:

        Thank you very much Edward, please send me the maintenance mode instructions by email,
        especially how to make a site accessible and visible to the admin only, while others can only see the maintenance mode.

  47. Jack says:

    Please help me, I have a problem my site always says:

    Not Found

    The requested URL /bp-maintenance.php was not found on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    The problem began after I installed the BulletProof plugin and tried to activate maintenance mode. After this, maintenance mode always appears on my site. I cannot log in through wp-admin,
    so I tried to go to cPanel and delete the BulletProof plugin files.

    What should I do?

    • AITpro Admin says:

      Hi Jack,

      I pinged your website and it is up, but I cannot view it so that tells me that the RewriteBase and RewriteRule have incorrect paths added to them. To manually get your site back up > FTP to your website and delete the .htaccess file and the bp-maintenance.php file located in your website root folder. After you have done this you should be able to get back into your website. You do not need to modify any of the BPS master .htaccess files for your website domain. Reinstall the latest version of BPS and reactivate the root and wp-admin security modes and you should be fine.

      Thanks,
      Ed

  48. Tripz says:

    Any chance of you making this compatible with e107? And if it already is, could you drop a few guides :)

    • AITpro Admin says:

      Hi,
      I’ve never looked at the backend or guts of e107. When I get a chance I’ll take a look at the core app. Actually I just took a look and it looks like it would be a fair amount of work. Not a huge amount of work so I’ll consider adding the plugin over there down the road sometime. Not for at least a month or two. Right now I’ve just got too much going on to take on this project.
      Thanks,
      Ed

  49. Brian Hatano says:

    How do you set the maintenance mode countdown timer? I don’t want to scare visitors into expecting the site to be down for over 100 days!

    Thanks!

    P.S. Great plugin!

    • AITpro Admin says:

      Hi Brian,

      I will be adding a detailed section about editing the maintenance mode file tomorrow. For now this should get you going.
      Go to the main Plugins page and click on the Edit link under BulletProof Security. On the right side of the Edit Plugins page you will see 5 Plugin Files listed; click on the bulletproof-security/admin/options.php file link. You will now see a whole bunch more Plugin Files listed; click on bulletproof-security/admin/htaccess/bp-maintenance.php, scroll to the very bottom of that file and you will see the code below. I have bolded where you would add the date that you want your site to be open again. For example, what is there now is November 28, so that is where the 100 days is coming from. Just put in whatever date you want there, i.e. August 5, etc.

      //dynamically get this Christmas' year value. If Christmas already passed, then year=current year+1
      var thischristmasyear=(new Date().getMonth()>=11 && new Date().getDate()>25)? currentyear+1 : currentyear
      // add the date and time that your website maintenance will be done below
      // no need to add a year it is precalculated by +thischristmasyear+
      var christmas=new cdtime("countdowncontainer2", "November 28, "+thischristmasyear+" 20:0:00")
      christmas.displaycountdown("days", formatresults2)

      Thanks for the compliment!

      Note: You have just edited the maintenance mode master file so what you need to do now is reactivate maintenance mode again to reflect your new edits, modifications and changes. Reactivating is just taking the newly edited master file and overwriting the older copy of bp-maintenance.php that was copied to your root folder on your last maintenance mode activation. ;)

      Let me know if you need any further assistance and like I said I will be adding a new help section tomorrow on this maintenance mode file. In the next release I plan on doing a lot more with the maintenance mode page and feature. For now there were too many other important things that needed to get done for the core BPS plugin first. ;)

      Thanks,
      Ed
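
The countdown snippet quoted in the reply above picks the year with a test written for Christmas (roll over to next year only after December 25) and then applies it to whatever date the admin types in. For a target such as November 28 that means the countdown turns negative between November 28 and December 26, because the year is not advanced until after Christmas. The following is an added example, not code from bp-maintenance.php or from AITpro: it reproduces the page's year selection beside a rollover keyed to the target date itself, and counts whole days in UTC so the result does not depend on the server's time zone. The two "now" values are constructed sample dates.

```javascript
// Added example (not BPS plugin code): maintenance-mode countdown target dates.
// Shows why a Christmas-specific year rollover misbehaves for other dates, and
// a rollover that uses the admin's own date instead. All arithmetic is in UTC.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Year selection as in the page's snippet: advance the year only after 25 December.
function christmasStyleYear(now) {
  const currentyear = now.getUTCFullYear();
  return (now.getUTCMonth() >= 11 && now.getUTCDate() > 25) ? currentyear + 1 : currentyear;
}

// Next time month/day hh:mm occurs at or after `now`.
// `month` is 0-based like Date (10 = November).
function nextOccurrence(month, day, hour, minute, now) {
  let target = new Date(Date.UTC(now.getUTCFullYear(), month, day, hour, minute, 0));
  if (target.getTime() < now.getTime()) {
    target = new Date(Date.UTC(now.getUTCFullYear() + 1, month, day, hour, minute, 0));
  }
  return target;
}

// Whole days from `now` until `target`; negative when the target is already past.
function daysUntil(target, now) {
  return Math.floor((target.getTime() - now.getTime()) / MS_PER_DAY);
}

// Countdown the way the page's snippet computes it for "November 28 ... 20:0:00".
function pageStyleDays(now) {
  const year = christmasStyleYear(now);
  const target = new Date(Date.UTC(year, 10, 28, 20, 0, 0));
  return daysUntil(target, now);
}

// Countdown with the rollover keyed to November 28 itself.
function fixedDays(now) {
  return daysUntil(nextOccurrence(10, 28, 20, 0, now), now);
}

// Constructed sample clocks (not real data): one before the target date,
// one after 28 November but still before 26 December.
const before = new Date(Date.UTC(2010, 9, 1, 0, 0, 0));    // 1 Oct 2010
const after  = new Date(Date.UTC(2010, 11, 10, 0, 0, 0));  // 10 Dec 2010

console.log("1 Oct 2010  page-style:", pageStyleDays(before), "days; fixed:", fixedDays(before), "days");
console.log("10 Dec 2010 page-style:", pageStyleDays(after), "days; fixed:", fixedDays(after), "days");
```

On 1 October both approaches agree (58 days). On 10 December the page-style countdown is already negative, while the date-keyed rollover correctly reports the 353 days until 28 November of the following year. When editing the master file as described in the reply, keep in mind that the `thischristmasyear` test will only behave for dates in late December unless it is changed to compare against the date you enter.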