Plugin Compatibility Testing – Plugin Conflicts – Plugin Fixes

Author: AITpro Admin
Published: January 5, 2011
Updated: March 8, 2014

Categories: BulletProof Security Plugin Support

191 Responses to “Plugin Compatibility Testing – Plugin Conflicts – Plugin Fixes”


  1. katinka says:

    The latest update shut down WP Remote’s ability to update plugins from afar. The owners say adding 107.22.153.142. to the whitelist section of the plugin should fix it. Since there is no such section in the admin area, I think you all need to fix this.

    • AITpro Admin says:

      BPS now has this new additional security coding below which of course adds more security protection for your website to prevent RFI hacking attempts and other forms of remote file exploits and website hacking. For now you can choose to not use this additional security protection by commenting out this line of code in your root .htaccess file by adding a # sign in front of it – # RewriteCond %{HTTP_REFERER} ^.*your-website-domain-name.com.*. Or you can add the wp-remote IP Address whitelist code RewriteCond %{REMOTE_ADDR} ^107.22.153.142 as shown below. Important note!!! You will need to add the [OR] flag after the line of code with your domain name as shown below. Please confirm that this works on your site. The code has been tested, but has not been tested specifically for the wp-remote plugin.

      # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
      # Only Allow Internal File Requests From Your Website
      # To Allow Additional Websites Access to a File Use [OR] as shown below.
      # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
      # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
      RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
      RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
      RewriteRule .* index.php [F,L]
      RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
      RewriteCond %{HTTP_REFERER} ^.*your-website-domain-name.com.* [OR]
      RewriteCond %{REMOTE_ADDR} ^107.22.153.142
      RewriteRule . - [S=1]
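
How the three conditions in front of `RewriteRule . - [S=1]` combine, as an added example that is not part of the original comment or of BPS: a small Python model of mod_rewrite's RewriteCond evaluation (conditions are ANDed, and `[OR]` joins a condition to the one after it). The request values and the helper names are constructed for illustration.

```python
import re

# The three RewriteCond lines in front of "RewriteRule . - [S=1]" in the
# comment above, as (server variable, pattern, flags), patterns as posted.
SKIP_CONDS = [
    ("REQUEST_URI", r"(timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", {"NC"}),
    ("HTTP_REFERER", r"^.*your-website-domain-name.com.*", {"OR"}),
    ("REMOTE_ADDR", r"^107.22.153.142", set()),
]

# The same lines with the [OR] flag left off the Referer condition.
SKIP_CONDS_NO_OR = [(var, pat, flags - {"OR"}) for var, pat, flags in SKIP_CONDS]

# Constructed requests (paths, Referer values and 203.0.113.9 are made up).
THUMB = "/wp-content/themes/example-theme/timthumb.php"
REQUESTS = {
    "site page loads thumbnail": {
        "REQUEST_URI": THUMB,
        "HTTP_REFERER": "http://your-website-domain-name.com/a-post/",
        "REMOTE_ADDR": "203.0.113.9",
    },
    "whitelisted IP, thumbnail, no Referer": {
        "REQUEST_URI": THUMB,
        "HTTP_REFERER": "",
        "REMOTE_ADDR": "107.22.153.142",
    },
    "whitelisted IP, other URI": {
        "REQUEST_URI": "/index.php",
        "HTTP_REFERER": "",
        "REMOTE_ADDR": "107.22.153.142",
    },
    "other client, thumbnail, foreign Referer": {
        "REQUEST_URI": THUMB,
        "HTTP_REFERER": "http://other-site.example/",
        "REMOTE_ADDR": "203.0.113.9",
    },
}


def conds_match(conds, env):
    """Return True when the RewriteCond list lets its RewriteRule run.

    A failed condition without [OR] rejects the rule. A matched condition
    with [OR] satisfies its whole OR group, so the rest of that group is
    not evaluated.
    """
    in_satisfied_or_group = False
    for var, pattern, flags in conds:
        has_or = "OR" in flags
        if in_satisfied_or_group:
            # Still inside a group that already matched; it ends at the
            # first condition that carries no [OR] flag.
            in_satisfied_or_group = has_or
            continue
        re_flags = re.IGNORECASE if "NC" in flags else 0
        matched = re.search(pattern, env.get(var, ""), re_flags) is not None
        if matched:
            in_satisfied_or_group = has_or
        elif not has_or:
            return False
    return True


def evaluate(conds):
    """Map each constructed request to whether it takes the skip rule."""
    return {name: conds_match(conds, env) for name, env in REQUESTS.items()}


if __name__ == "__main__":
    for label, conds in (("with [OR]", SKIP_CONDS), ("without [OR]", SKIP_CONDS_NO_OR)):
        print(label)
        for name, takes_skip in evaluate(conds).items():
            print(f"  {name}: {'skip' if takes_skip else 'no skip'}")
```

With the `[OR]` flag the skip is taken for a thumbnail script request that comes either with the site's Referer or from the whitelisted address; without it both would have to hold at once. A request from the whitelisted address for any other URI does not take the skip, because the `REQUEST_URI` condition still has to match.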
      
    • AITpro Admin says:

      Also i have contacted the wp-remote folks as i think another condition is going to be required for the URI and am waiting for their reply. Thanks.

    • AITpro Admin says:

      Also i think i have a much better approach for this issue, but i am not getting any response from the wpremote folks so if you would test this code below for me i would very much appreciate it. Edit your root .htaccess file and add this Whitelist .htaccess code above skip rule #12 – # Adminer MySQL management tool data populate – in your root .htaccess file.

      # Whitelist wpremote skip/bypass
      RewriteCond %{REMOTE_ADDR} ^107.22.153.142
      RewriteRule . - [S=13]
      
      • theWebalyst says:

        I just tried this (and the previous fix) and neither worked.

        Mark

        • AITpro Admin says:

          Ok how about a simple typical plugin skip/bypass rule like this. This plugin skip/bypass rule would go directly above skip/bypass rule #12 – # Adminer MySQL management tool data populate – in your root .htaccess file. Thanks.

          # wpremote skip/bypass rule
          RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wpremote/ [NC]
          RewriteRule . - [S=13]
          
          • theWebalyst says:

            Frustratingly.. no change!

            Maybe you need to sign up and test it – it’s a free service.

            Mark

          • AITpro Admin says:

            Yep i have an account with them from over a year ago for testing of another issue. I will reconfigure a Server for testing again. One of the considerations we have to take into account is that we get somewhere between 1,500 and 2,000 hacking attempts per day since we are a target for hackers. Once the Server is reconfigured then i can safely open some stuff up for testing. I am not implying that wpremote is unsafe to use, but i am making the point that the AITpro is a prime target for hackers so we have to be extra careful about what we allow and do not allow on our sites. ;)

          • AITpro Admin says:

            And since wpremote does not work on a Local XAMPP site then testing has to be done on a Live Development or Production site. ;)

          • AITpro Admin says:

            ARGH! this is the same old issue and is not a new issue. The solution is here >>> http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#wpremote

            This is my mistake for not catching this early on. Several people thought that this was a new problem and instead of doing what i should have done right away i bought into it and took a jog down stupid Lane. Sigh. Just apply the solution in the link above.

          • theWebalyst says:

            Suggest you get a cheap hosting account and set up a WP test site on it. Take 10 minutes.

            I do good rates: [Link Removed by LinkStripper]

            And a massive discount offer here: [Link Removed by LinkStripper]

            Mark

          • AITpro Admin says:

            Yep that is on the to do list. Thanks. ;)

      • theWebalyst says:

        Yep, sorted.

        The issue needs updating because it refers to backups, whereas at present this rule prevents WP Remote from getting the website status and it generates a “WP 403” error.

        Thanks for the solution. Both BPS and WP-Remote are very useful plugins so am pleased I can have them both working together.

        Mark

        • AITpro Admin says:

          I got a 200 OK status on the wpremote site from my account. Or are you saying just to edit the text regarding the explanation and add that the HTTP Status code displays a 403 status error?

  2. Barth Gimbal says:

    Cardoza’s WordPress Poll plugin messes up BPS menus and screen formatting. I’ve contacted the author too. Any quick fixes in the meantime?

    • AITpro Admin says:

      Thanks for the heads up. To block another plugin’s js scripts and css scripts from loading everywhere throughout the WordPress Dashboard, which is a coding mistake, you can right mouse click on any of the BPS options pages and click View Source to view your source code. Then look for the js and css scripts that this plugin is mistakenly loading in other plugins pages and throughout your WordPress Dashboard and post them here so that i can tell you how to block them in the root .htaccess file. Also you can send this link to the plugin author so that he/she can fix this mistake – http://www.ait-pro.com/aitpro-blog/2734/misc-projects/wordpress-tips-tricks-fixes/wordpress-load-css-and-js-scripts-on-wordpress-plugin-pages-only-wordpress-top-level-plugin-menu-admin-scripts/

      • Barth Gimbal says:

        oops… let me try that again.
        Thanks for the quick response!

        Here are the relevant lines when I view the source of a BPS page:

        <link rel='stylesheet' id='cwpcss-css'  href='http://myabcdomain.org/wp-content/plugins/cardoza-wordpress-poll/public/css/CWPPoll.css?ver=3.4.2' type='text/css' media='all' />
        <link rel='stylesheet' id='cwpcssjqui-css'  href='http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.14/themes/base/jquery-ui.css?ver=3.4.2' type='text/css' media='all' />

        <script type='text/javascript' src='http://myabcdomain.org/wp-content/plugins/cardoza-wordpress-poll/public/js/CWPPoll.js?ver=3.4.2'></script>
        <script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.14/jquery-ui.min.js?ver=3.4.2'></script>
        
        • AITpro Admin says:

          Ok it looks like the cardoza-wordpress-poll plugin is the plugin that has the coding mistake. Not sure why you have a link to the google api because WordPress already contains the jQuery library bundled with WP. Maybe the 1.8 version was needed for some reason? this may also be causing the problem, but only add that file name to the FilesMatch code as a last resort because this could cause frontend visual problems for your website. if this jQuery file is being called in some fubar way then it could totally mess up the visual appearance of your site if you block the file.

          Ok so go to the BPS htaccess file editor page – Edit/Upload/Download – and edit your root .htaccess file like this below adding the CWPPoll.js file to the FilesMatch htaccess code.

          <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|CWPPoll\.js)">
          Order allow,deny
          Deny from all
          #Allow from 88.77.66.55
          </FilesMatch>
          
        • AITpro Admin says:

          Reposted the code – the angle brackets were stripped out.

          • Barth Gimbal says:

            The edit to .htaccess seems to have no effect.
            The author not only ignored me, he deleted my post regarding the way his plugin breaks BPS menus (which I stated in the nicest way possible) *sigh*

          • AITpro Admin says:

            Uh what are you talking about??? I have made several replies to your comment post. Your comment post obviously exists and was not deleted because you just left another reply to that comment post??? When i have a chance i will install and test this plugin. Please keep in mind that we support over 500,000 people, with most of those people being free BPS plugin users, and move as quickly as we can to resolve all problems in a timely manner. Thank you.

          • Barth Gimbal says:

            I was referring to the author of the offending plugin, not you. I had posted the issue on his board and he has deleted it. You have been VERY responsive and VERY helpful! That is why I’ll be upgrading to the Pro version of BPS and why I’ll likely be removing his plugin from all my sites.

          • AITpro Admin says:

            Oh my mistake. I misinterpreted what you said. Sorry. ;) I am going to test that plugin in about 1 hour, but yeah bad support usually gets me running, not walking to the nearest exit. ;) I will be testing this plugin anyway as any conflict that exists anywhere in the wild needs to be addressed and “fixed”. Thanks and sorry again for misunderstanding your reply. ;)

          • Barth Gimbal says:

            No worries, I could have been more clear myself. Cardoza replied to my post asking why he deleted my other post – anyway, here is what he had to say:


            I haven’t deleted your comment instead I put hold to do more research.
            Always there will be a conflict between wordpress plugins CSS because it is developed by various people. Regarding the design issues, either myself or the Bulletproof author should change their class names in the CSS. Alternatively, you can also change the css class names in the css and my plugin code.

          • AITpro Admin says:

            Actually the issue is that CWPPoll.css, CWPPoll.js, jquery-ui.css, jquery-ui.min.js is loading in the BPS admin options pages and throughout the WordPress Admin backend in all plugins pages and WordPress itself. So i can easily block all these scripts from loading using .htaccess code, but this of course causes all your scripts to stop working. What i have done with BPS is to confine my scripts to ONLY my plugin pages following this method >>> http://www.ait-pro.com/aitpro-blog/2734/misc-projects/wordpress-tips-tricks-fixes/wordpress-load-css-and-js-scripts-on-wordpress-plugin-pages-only-wordpress-top-level-plugin-menu-admin-scripts/

            I believe your scripts need to load both frontend and backend, but in the backend admin area those scripts should be confined to only your plugin’s admin options pages. ;) Thanks.

          • AITpro Admin says:

            Oops I thought you were the plugin author since you posted his comment back to you. ha ha ha. Actually his plugin is proving more of a challenge to block those scripts than i thought because he is calling 2 of them from ajax.googleapis.com and those scripts are doing most of the damage. And you were not kidding about messing up the BPS options pages – they are a complete mess since all these other scripts from WordPress Poll are overriding my js and css plugin scripts. ugh.

          • Barth Gimbal says:

            I’ve been posting your comments to the author’s site (including your most recent one – currently awaiting approval). Feel free to jump into the thread:

            http://www.fingerfish.com/cardoza-wordpress-poll/comment-page-5/#comment-1027

          • AITpro Admin says:

            Yep just about to get back to this issue. The release of BPS .47.5 included a new much better approach to blocking remote file exploits and unfortunately it did several things. Plugins that need to remotely post to remote websites are being blocked. Another issue on a larger scale was that a popular Server malware scanner was triggered by this new coding and saw it as malicious coding and was quarantining the .htaccess files. This issue has been solved, but the remote posting issue is still being worked on.

            So i am at a point again where i can switch gears and find a solution for the WordPress Poll plugin problem. Will be trying some additional .htaccess coding to block the external call to the jquery scripts from Google without completely breaking WordPress Poll – this is proving to be the tricky part. I can easily block the scripts, but it is breaking the WordPress Poll plugin. ;)

          • Barth Gimbal says:

            I definitely appreciate the work you’re putting in on this, but if it’s a case of bad coding with the poll plugin, why should you have to create the work-around?

            I’m not completely married to this poll plugin, BTW. If you don’t feel like fixing other people’s bad code, I fully understand. In any case, I appreciate it!

          • AITpro Admin says:

            Sorry i got a little backlogged. I will get you some .htaccess code shortly. thanks.

          • AITpro Admin says:

            ARGH! This one is giving me fits. I can come up with brilliant .htaccess code like this below, but i cannot stop one dumb plugin from creating a mess. jeez.

            New htaccess code that will be in BPS .47.6

            # BLOCK ALL REQUESTS/ACCESS TO BPS PLUGIN FILES AND OTHER PLUGIN FILES
            # Whitelist AITpro.com - this is only for BPS Pro folks
            # to continue to allow them to connect to the AITpro API Server.
            # You can add additional plugins that you would like to protect by
            # adding the plugin folder name as shown below.
            # NOTE: Some plugins utilize an index.php file in their plugin folder
            # that will negate the REQUEST_URI filter below.
            RewriteCond %{THE_REQUEST} ^(GET|POST|PUT)
            RewriteCond %{HTTP_REFERER} !^.*(Your-Website-Domain-Name-Here.com|ait-pro.com).* [NC]
            RewriteCond %{REMOTE_HOST} !^(173\.201\.92\.1|88\.77\.66\.55)
            RewriteCond %{REQUEST_URI} ^plugins/(bulletproof-security|example-plugin-name1|example-plugin-name2)/(.*)$ [NC]
            RewriteRule ^(.*)$ - [F,L]
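
A check of the two match patterns in the rule block above, as an added example that is not part of the original comment or of BPS. It assumes `REMOTE_HOST` holds the client IP address (no hostname lookup) and a default `/wp-content/plugins/` layout; the adjusted patterns, the sample URI and the function names are constructed for illustration.

```python
import re

# Patterns copied from the RewriteCond lines above.
REMOTE_HOST_PATTERN = r"^(173\.201\.92\.1|88\.77\.66\.55)"
REQUEST_URI_PATTERN = (r"^plugins/(bulletproof-security|example-plugin-name1"
                       r"|example-plugin-name2)/(.*)$")
INTENDED_ADDRESSES = ["173.201.92.1", "88.77.66.55"]

# Adjusted patterns: assumptions of this example, not BPS code.
# The address list gets an end anchor, the URI pattern the full leading path.
REMOTE_HOST_ANCHORED = r"^(173\.201\.92\.1|88\.77\.66\.55)$"
REQUEST_URI_WITH_PATH = (r"^/wp-content/plugins/(bulletproof-security"
                         r"|example-plugin-name1|example-plugin-name2)/(.*)$")

# Constructed request path for a file inside a protected plugin folder.
SAMPLE_URI = "/wp-content/plugins/bulletproof-security/example.php"


def same_subnet_overmatches(pattern, intended):
    """List addresses in each intended address's /24 that the pattern also
    matches although they are not on the intended list.

    RewriteCond patterns are searched, not full-matched, so a pattern
    without a trailing "$" accepts any value that merely starts with a
    listed address.
    """
    rx = re.compile(pattern)
    extras = []
    for address in intended:
        network = address.rsplit(".", 1)[0]
        for last_octet in range(256):
            candidate = f"{network}.{last_octet}"
            if candidate not in intended and rx.search(candidate):
                extras.append(candidate)
    return extras


def uri_is_covered(pattern, uri):
    """True when a REQUEST_URI value matches the pattern ([NC] = ignore case).

    %{REQUEST_URI} is the URL path and always begins with "/".
    """
    return re.search(pattern, uri, re.IGNORECASE) is not None


def audit():
    """Summarise both checks for the posted and the adjusted patterns."""
    return {
        "posted_extra_addresses": same_subnet_overmatches(
            REMOTE_HOST_PATTERN, INTENDED_ADDRESSES),
        "anchored_extra_addresses": same_subnet_overmatches(
            REMOTE_HOST_ANCHORED, INTENDED_ADDRESSES),
        "posted_uri_covered": uri_is_covered(REQUEST_URI_PATTERN, SAMPLE_URI),
        "adjusted_uri_covered": uri_is_covered(REQUEST_URI_WITH_PATH, SAMPLE_URI),
    }


if __name__ == "__main__":
    result = audit()
    extras = result["posted_extra_addresses"]
    print(f"posted address pattern also matches {len(extras)} other addresses,"
          f" e.g. {extras[:3]}")
    print("anchored address pattern extra matches:",
          result["anchored_extra_addresses"])
    print("posted URI pattern covers sample URI:", result["posted_uri_covered"])
    print("adjusted URI pattern covers sample URI:", result["adjusted_uri_covered"])
```

Without a trailing `$`, the `173\.201\.92\.1` alternative also matches 173.201.92.10 through .19 and .100 through .199, so those addresses would be exempted as well. A `REQUEST_URI` pattern that starts with `^plugins/` never matches, because the value always begins with `/`.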
            
          • AITpro Admin says:

            Wow this plugin is doing something i have never seen before. no wonder i cannot block its scripts. I can block my own scripts and even WordPress scripts, but this plugin appears to be forcing its scripts into the Headers. my god.

          • AITpro Admin says:

            Nope it is not possible to block this plugin’s bad script calls with .htaccess code. I can of course simply add some code to fix the plugin coding, but this should be done by the plugin author so that the next version release has new corrected code. When i finally was able to block this plugin’s scripts it ended up blocking other good script calls. i can understand that this plugin author wants to use the latest jQuery library for his plugin, but he should be bundling that library with his plugin or correct the way he is calling external ajax.googleapis.com libraries. Or he can of course apply the method that i use to contain my plugin scripts to only my plugin pages >>> http://www.ait-pro.com/aitpro-blog/2734/misc-projects/wordpress-tips-tricks-fixes/wordpress-load-css-and-js-scripts-on-wordpress-plugin-pages-only-wordpress-top-level-plugin-menu-admin-scripts/

          • Barth Gimbal says:

            I found another plugin that this poll plugin breaks the admin menus on: NextGEN Gallery

            I suppose that I’ll just have to uninstall it after my currently running poll closes. Why is it that there never seems to be any good FREE poll solutions. Of all the gadgets and whizbang things I’ve added to websites through the years, this is the one thing that seems to elude me. There are good PAID solutions, but come on, freeware has been around since the 1970s and THIS is the one program that can’t ever be produced? Weird.

            Thanks again for your Herculean efforts to solve what most developers would consider “not their problem”. I REALLY appreciate your excellent support. As soon as I can convince my clients that they want to pay for it, I’ll be upgrading to BPS Pro.

          • AITpro Admin says:

            Yep the WordPress Poll plugin will break any other plugins or WordPress functionality that has anything to do with jQuery because of the way the plugin is calling its scripts. I have a feeling that this particular plugin author will fix this issue in his plugin so give him a chance and some time to fix this. ;)

            If any issues or problems are even slightly related to or connected to BPS and BPS Pro it is my problem. What i see too often is that plugin authors get too overly focused on their plugin and forget that their plugin is not the center of the Universe. I understand how this thinking can happen and sometimes i have dumb thoughts like BPS and BPS Pro are more important than other plugins because of what BPS and BPS Pro are doing. This is of course totally irrational thinking because what good is any plugin if it interferes with your essential day to day operations and functionality. it is not enough to create a plugin that does magical things – the plugin also has to do its magic in a way that there is perfect harmony and balance with all the other planets in the Universe. ;)

          • Barth Gimbal says:

            Dude, you really speak my language. :-) You’re a classy guy. Thanks!

  3. Jayen says:

    Hi

    I’ve been using your plugin now on all my sites for some time and it has become a major pillar of my security protection method, so thank you very much.

    However I’ve now come across the first problems ;)

    With the site in the web field of this comment (and all others set up with the same theme etc) I’m finding that BPS is blocking theme options from working, the ones i am aware of for sure are background color (background reverts back to white as soon as root .htaccess protection is activated), the theme loses its outer table, theme fonts change & selected color for menus reverts back to white.

    Compare the site quoted with this one using the same theme, server, WordPress and plugins and versions, but without the BPS .htaccess files activated: http://www.lasereyesurgerytoday.com/ and you’ll see quickly what I’m talking about (outer table, background color, font size in sidebar…)

    The theme being used here is the premium theme from authoritypro.com, this theme has diverse options from changing fonts colors etc which are activated via the “The AP Launcher” and “The Authority Pro Engine” plugins that come with the theme, however i tried using the built in WP background selector also and this too won’t show on the site with BPS.

    The sites are hosted on Lunar pages, all files permissions are set to 755 for folders and 644 for files (the norm for this host).

    Any ideas?
    Thanks
    Jayen

    • AITpro Admin says:

      Have you activated both Root and wp-admin BulletProof Modes?
      Is this Theme using any /wp-admin files in order to display images? Such as media.php, admin.php or admin-ajax.php?

      • Jayen says:

        Hi

        Yes I originally had both root and wp-admin .htaccess files activated, plus the two deny folder access options and this problem was the same. I only said that the problem occurs when activating the root .htaccess file because in testing I found that to be when things go wrong.

        In fact in the sites I’ve reverted back to the standard root .htaccess files I’ve left the BPS WP-admin .htaccess file in place, since i didn’t have a default one, is this ok to do?

        In terms of the theme using media.php etc, the theme does use the built-in WP file uploader to upload and store images in the media library, and show them.. however this is the case of the header of the site and as you can see that isn’t affected…

        The font and background color options are input into the database from what i understand, maybe it’s more to do with BPS blocking the plugins that run the theme?

        If you want I can get you FTP and Admin access to this site so you can take a quick look. And or send you the plugins for investigation, although you wouldn’t be able to test them without the theme…

        Thanks

        • AITpro Admin says:

          When Premium Themes or Plugins are involved then we cannot test these since that would violate the licensing agreement of that Theme or Plugin. Also we only access websites for BPS Pro customers. What i can do is look at your website to hopefully determine the problem. What i need to know is how exactly the Theme or Plugin or both is calling the images. Looking at the source code of your website i see this below in regards to how your CSS stylesheet is being called.

          /dynamic-css.php?themestyling=

          So logically you can probably create a skip/bypass rule for this file (which is a REQUEST_URI). Use the BPS built-in file editor and edit your root .htaccess file and add the dynamic-css.php file to the TimThumb skip/bypass rule as shown below.

          # TimThumb Forbid RFI By Host Name But Allow Internal Requests
          RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
          RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
          RewriteRule .* index.php [F,L]
          RewriteCond %{REQUEST_URI} (dynamic-css\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
          RewriteRule . - [S=1]
          
          • Jayen says:

            Hi there

            Thanks, that seems to have fixed it :)

            I’m still testing but from what I can see everything seems to work now.

            I’ll let you know If I come across any other irregularities.

            I guess this means that I’ll have to edit this with every update from now on then as I can’t do this edit with the custom insert in any way can I?

          • AITpro Admin says:

            Yep that seemed like it would logically work. Thanks for confirming the “fix”. I see another possible potential problem, but I believe the amember plugin has been tested and there were not any conflicts or issues. When i look at your source code i see an amember link that is calling this file below from this folder location below. Please test that amember and any other affiliate related features on your site are working correctly. Thanks.

            /affads/affiliatejs.php?id=

          • AITpro Admin says:

            Oh and to answer your question regarding having to repeat this edit on every update of BPS – no, you would not have to make this edit again when you update BPS because BPS automatically updates your .htaccess files on BPS upgrades, but upgrades will not alter any custom edits that you have made to your .htaccess files. If you use the AutoMagic buttons and activate BulletProof Mode for your Root folder again then yes you would have to make the edit/modification again.

  4. peky says:

    I was thinking to install BPS on my site… because I saw some great references from users and serious work but…I found this message up here:

    WPSC – specific .htaccess code checking and messaging – included as of BPS .45.8
    BPS will display WPSC specific error warning messages when WPSC .htaccess code needs to be updated.

    …information with status not resolved (NLIC – what does this mean) for WP Super Cache.. I’m sorry, but I don’t understand.. I have WordPress 3.4.1 and what code needs to be updated, and where? In BPS panel after I install plugin, or what?

    Is this fixed actually or if not.. how to fix it?
    It says there included as of BPS 45.8… current BPS version is 47.4. Is this resolved by now?

    Thanks

    • AITpro Admin says:

      NLIC means this is No Longer an Issue or Conflict – it means Resolved. BPS has additional custom bonus code that was created to specifically check for issues or problems with both WPSC and W3TC – BPS custom coding and BPS custom error messages have been added to BPS to check these plugins specifically for any issues or problems or conflicts with BPS since both of these plugins can write .htaccess code to your root .htaccess file.

  5. Steve says:

    My website is located at http://www.bluphoenix-webdesign.com. I am having a 500 internal server error with WordPress.

    My error log says:

    SecurityException in Application.cpp:188: Do not have root privileges. Executable not set-uid root?

    Premature end of script headers: index.php

    I am currently running BPS security and have 2 other sites down as well. The admin panel is inaccessible and I can’t figure out what the issue is. Major plugins that are consistent across all 3 sites would be:

    – Bulletproof Security
    – Quick Cache
    – WordPress SEO by Yoast
    – Akismet

    I really need help!!! Any help would be appreciated. Thank you.

  6. Denis says:

    Plugin named “Download Protect”
    http://wordpress.org/extend/plugins/download-protect/
    Some downloads with that plugin works OK, but some don’t.
    It says:
    Forbidden
    You don’t have permission to access /wp-content/plugins/download-protect/downloader.php on this server.

    Following your recommendation for turning off BPS … I found that everything works OK when BPS is off.

    • AITpro Admin says:

      Are you saying that some downloads are downloading successfully with BPS in BulletProof Mode and other downloads are not? If so, then what is the difference between the downloads that are downloading and the ones that are not downloading when BPS is in BulletProof Mode. example: file path differences, file name differences, downloading from a protected or not protected folder, etc.

      • Denis says:

        Yes, this is the most interesting part!

        The files are in the same folder and all with the same CHMOD…

        Naturally – file names are different…

        I thought that there is a problem with file names length… But it happens with both long and short ones…

        Well the download-protect plugin is quite old… and I believe you’re not very interested in BPS compatibility with it.

        So it would just be great if you could help with some kind of rule to exclude DP-plugin from BPS processing…

        I can send you some sample links of problem. Please send me your email.

        Best Regards!

        • AITpro Admin says:

          First off i want to point out the obvious thing about BPS since it is a security plugin. The term “plugin conflict” is not really correct when referring to BPS blocking things that it sees as a vulnerability, threat or unsafe for your website. BPS only blocks things that are unsafe for your website.

          Yes, the download plugin has not been updated in a while, but I would of course still test this plugin. What i wanted to know from you is the specific details of the problem occurring so i know exactly what and where to look for the problem and am not wasting time in testing it. So yes send me the links via the AITpro Contact form as they will be helpful for me to see the exact problem and then i will test this plugin. Thanks.

          • Denis says:

            I believe that I didn’t use “plugin conflict”… But if I did… Sorry. My fault.

            Surely I understand that BPS closes every possible hole at a WordPress site.

            I followed your recommendation with contact form.

          • AITpro Admin says:

            I was just mentioning this because a lot of folks are conditioned to think of all plugin issues as “conflicts” and in the case of BPS it is a bit different since BPS is actively protecting a website. So if BPS sees something that appears like a vulnerability for your website then BPS takes action and blocks it. ;)

            I got your download links and the first link looks fine, the URL encoding looks completely valid and the download works fine. The second link you sent me looks bad. The URL encoding has non URL encoded characters spaced between valid URL encoded characters so i think that once you fix that issue then everything will be ok. Did you name the filename with unusual characters? UTF-8 sometimes will not correctly translate unusual characters. You should use standard characters for filenames – A – Z and 0 – 9 and you can use hyphens and some other characters of course, but stay away from using characters like the @ symbol, apostrophes, double hyphens, etc in file names.

  7. James says:

    Hi,

    The “My Shortcodes” plugin seems to partially not work correctly when the BPS “Website Root Folder .htaccess Security Mode” is activated.

    See plugin details here: http://wordpress.org/extend/plugins/my-shortcodes/

    The plugin functions fine in that the shortcodes all work correctly. The problem is that when you click on the “My Shortcodes Builder” button to add a new shortcode to a post or page, the box that pops up is blank apartment from a 403 server error message. Going back to the default .htaccess file it all works fine.

    …”blank apart from a 403 server error message” that should be. Pesky spell checker!

    Could you please suggest a fix?

    Thanks,
    James

    • AITpro Admin says:

      The My Shortcodes Plugin has been scheduled for testing and a solution will be posted after testing is completed.
      Note: If a bad coding practice is the cause of the problem that would leave your website vulnerable to being hacked then a solution will not be posted and the plugin author will be notified.

      • AITpro Admin says:

        Testing completed – no problems or conflicts were found.
        When clicking the My Shortcodes Builder button in a new test post no errors occurred and the shortcode was added successfully.

        • James says:

          That’s strange! Just re-tested on my WP installation. When the ‘BulletProof Mode’ security is enabled for the ‘Website Root Folder .htaccess’ then the My Shortcodes Plugin does not work within a post or thread editing screen. I just get a 403 server error in the pop-up box when I click the button.

          Turn off the BPS security (i.e. enable ‘Default Mode’ for the root folder .htaccess) and the plugin instantly starts to work as it should. Turn BPS security mode back on and it instantly stops working.

          So 100% sure it is something in the BPS .htaccess file that is causing the conflict. I’ve repeated this test 3 times now on 3 different days on my install so confused as to why you aren’t able to reproduce it.

          Any thoughts please or suggestions for finding the cause or solution please?

          Thanks,
          James

          • AITpro Admin says:

            Ok then some condition on your site is different than the site i am testing on.
            Have you activated all BulletProof Modes – both Root and wp-admin BulletProof Modes?
            Do you have any of these plugins below installed? Each of these plugins interferes with BPS in some way and will cause problems that are difficult to troubleshoot. If so, then deactivate all of them, click the AutoMagic buttons and activate all BulletProof Modes again and then test again.

            Firewall
            Better WP Security
            6Scan

            It may also be possible, but unlikely, that your Theme may have something to do with this since you are going from a front side edit link to your secure WP dashboard area.
            Another possibility, but unlikely, is this could be the known broken cPanel HotLink protection tool problem. Do you have a cPanel? if so, do you see the HotLink Protection Tool option?

  8. sweetrobot says:

    BPS Free plugin causes “Strx Zurb CSS3 Awesome Buttons” not to work completely, resulting in this error – Failed to load resource: the server responded with a status of 403 (Forbidden) : /wp-content/plugins/strx-zurb-css3-awesome-buttons/css/strx-zurb-css3-awesome-buttons-css.php?fontFamily=Arial%2C+Helvetica%2C+%27Helvetica+Neue%27%2C+Verdana%2C+sans-serif+%21important&ver=2176

    The ‘buttons’ generated by the plugin don’t have any styling. i did all the standard troubleshooting, and it’s definitely an issue with BPS.

    Thanks for the great plugin!

    • AITpro Admin says:

      hmm very odd looking query string. %27 is the single quote which will be blocked by BPS as it is very dangerous, but my question is why is formatting being added to a query string like this. a safer way to do this would be to add a class to the query string. i will test this plugin and post my findings and then notify the plugin author about any unsafe coding practices. Thanks.

      Example WP Smiley Wink class:

      http://www.ait-pro.com/aitpro-blog/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley'
      
    • AITpro Admin says:

      Actually i cannot test this plugin because it does not meet the minimum requirements for testing.

      Requires: 2.5 or higher
      Compatible up to: 3.0.5
      Last Updated: 2010-12-19
      Downloads: 1,199

      • sweetrobot says:

        thanks very much for the response. i will be looking to replace it, or simply style the buttons myself, which is more practical at this point.

        best

  9. Jon says:

    Hello,

    Great plugin! I just recently found it and am putting it on all my sites to evaluate before buying Pro. On one of my sites I use a plugin called events made easy and I am getting 403 Forbidden you don’t have permission, every time someone tries to register. I have to use the WP Default htaccess File for it to work. Any suggestions?

    Thank you!

    • AITpro Admin says:

      Please post the URL that you see in your Browser window (address bar) when you get the 403 error. Thanks.

        • AITpro Admin says:

          That Query string is malformed/no good and is exploitable. ?# is bad news in general.
          A valid Query string would look like this ?src=something#eme-rsvp-message

          • Jon says:

            Ok so, I emailed that other plugin maker and here is what he said

            “what the person writes there (see above) is just wrong. Rewriting rules
            for wordpress forces these kind of url’s, and are for sure not
            exploitable.
            “?#eme-rsvp-message” means “the current page, anchor eme-rsvp-message”,
            so no need to add something like “src=…” to it.
            If they don’t like these url’s, there’s not much I can do.”

            What can I do? For now, is there a way for BulletProof to allow this plugin to work?

          • AITpro Admin says:

            That is not a good response in general from the plugin author and i will say nothing more about his/her response.
            Please send that plugin author these 2 links regarding the CGI flaw found by the php.net folks so that this plugin author will now become aware of this known exploit:
            http://wordpress.org/support/topic/plugin-bulletproof-security-buddypress-and-403?replies=31
            http://www.php.net/archive/2012.php#id2012-05-06-1

          • Jon says:

            Thank you for your response. I sent over the links. While I’m waiting is there a way I can bypass this to get it to work?

          • AITpro Admin says:

            Well the problem is and what this plugin author does not fully understand is that a pound sign # is treated the same as http://.
            So in order to allow this bad query string to work you will need to comment out an important BPS security filter that protects against RFI hacking attempts.
            this is the security filter you would need to comment out in your root .htaccess file for now by adding a # sign in front of it. ironic huh? LOL A pound sign means something entirely different in .htaccess coding compared to HTML coding. ;)

            #RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
            
          • Jon says:

            I would imagine even though I comment that part out, it is still better to use the .htaccess file by BulletProof than the default wordpress one? I will start searching for a new plugin, unless he fixes it soon.

          • AITpro Admin says:

            Yes you are correct. Basically by commenting out that 1 BPS security filter it just means that an RFI attack could be used against your website, but that attack would require some exploitable coding in combination with the security filter being commented out. This recently added new security filter in BPS specifically blocks the new CGI Exploit found by the php.net folks.

            RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
            

            I took a look at the Events Made Easy plugin’s coding and it looks like it would be very simple to fix the malformed query string.

            $destination = "?".$_SERVER['QUERY_STRING']."#eme-rsvp-message";
            
            simple coding modification
            $destination = "?page=".$_SERVER['QUERY_STRING']."#eme-rsvp-message";
            
            simple coding modification - maybe the "?" is really not necessary
            $destination = $_SERVER['QUERY_STRING']."#eme-rsvp-message";
            
  10. Hello,

    Unfortunately I just discovered that BPS prevent Powerpress from working properly… after iTunes removed my 4 years old podcast without warning.

    After 2 weeks of emails exchange with Apple they finally told me that my podcast feed “have too much 403 errors”… which finally led me to BPS as the main cause.

    I see that you posted a fix for that in the comments, so I have 2 questions :
    – If I implement this fix to make iTunes work again, will I have to do this fix each time I upgrade BPS ?
    – Do you plan to integrate directly this fix in BPS in the future ?

    Olivier

    • AITpro Admin says:

      Wow that was crummy of them to do that without warning considering your long standing/posting with them. very sorry to hear that they did that.

      There was an old Powerpress issue that was resolved back in 2011 when the new .htaccess loop structure in BPS was changed, but someone else recently mentioned that they were having a problem with Powerpress. So something has changed in Powerpress or on the iTunes/Apple side of things. Did they by any chance give you the exact details of what in your podcast feed was generating 403 errors? For example the exact query string or characters in the podcast feed URL that are dangerous, unsafe or would leave your website vulnerable to a hacker? BPS only blocks things that can get your website hacked, but BPS is also built with overlapping security protection so adding skip/bypass rules may allow a vulnerability, but it will be very limited and most likely some other security filter will overlap that security vulnerability.

      I will test Powerpress and find what has changed and create a new skip/bypass rule for this, but what i need from you is the exact details about what exactly is being blocked. Please send all details and information about exactly what is being blocked to info[at]ait-pro[dot]com.

      Regarding implementing the fix permanently – BPS now automatically updates the .htaccess files when upgrading. This will automatically add any new security filters when they are available and update your .htaccess files, but any coding fixes you have added will not be removed, altered or changed. So if you add the new Powerpress skip/bypass rule and then update/upgrade BPS then your Custom Code will not be altered or modified when upgrading BPS. And if you use the BPS Custom Code feature to add this new plugin skip/bypass rule then if you ever need to use AutoMagic again to create new master .htaccess files then your Powerpress custom plugin fix would be included in your root .htaccess file because BPS Custom Code is saved to your WordPress Database permanently or until you delete it.

  11. asegar says:

    Thank you for providing a great plugin (I’m using v47.1). I am using BPS on a Dreamhost install of WordPress, and my Dreamhost stats, which used to work with the following custom code added to the root .htaccess no longer do so since my install was moved to a different Dreamhost server:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} ^/(stats|failed_auth\.html).*$ [NC]
    RewriteRule . - [L]

    Can you suggest a fix?

    • AITpro Admin says:

      Well since your .htaccess code did not change, but you changed Servers then you would need to look at what is different about the Server. Is Stats set up on this new Server? Is this new Server using DSO or CGI? Check with DreamHost and see if they can tell you what the difference is between your old Server and new Server and if Stats is set up on the new Server.

  18. Jack Miller says:

    We seem to have an issue with wpremote, a backup plugin from
    http://wpremote.com

    Human Made Limited

    version 2.13

    We tried adding a skip, but no joy.

    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wpremote/ [NC]
    RewriteRule . - [S=13]

    • AITpro Admin says:

      *** UPDATE ***
      This security filter in the BPS Root .htaccess file is blocking wpremote.

      RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
      

      Looking at the coding of this plugin I see 2 general things that it requires that would be blocked by BPS Pro.

      This plugin uses shell_exec – remove shell_exec from the disable_functions directive
      disable_functions = system, exec, passthru, show_source, popen, pclose, pcntl_exec

      This plugin uses persistent MySQL connections – set the mysql.allow_persistent directive to On from Off
      mysql.allow_persistent = On

      Without knowing more specific details about the exact problem and error i can only generalize possible solutions. Please post specific details about what exactly is not working or is being blocked by BPS. Thanks.
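
Added example, not part of the original thread and not BPS code: a small Python checker that evaluates the three security filters quoted in this thread (the `\?\ HTTP/` filter and the php-cgi filter from the Events Made Easy discussion, and the bracket filter from the wpremote reply) against request lines, to show which filter returns the 403. The filter names, the helper functions and all sample request lines are constructed for illustration; the bracket filter is assumed to read `<|>`.

```python
import re
from typing import List, NamedTuple


class Filter(NamedTuple):
    name: str             # label invented for this example
    variable: str         # mod_rewrite variable the RewriteCond tests
    pattern: "re.Pattern[str]"


# Patterns copied from the RewriteCond lines quoted in this thread.
# The [NC] flag is mapped to re.IGNORECASE; RewriteCond matches anywhere
# in the variable, which corresponds to re.search().
FILTERS = [
    Filter("bare-question-mark", "THE_REQUEST",
           re.compile(r"\?\ HTTP/", re.I)),
    Filter("php-cgi-switches", "QUERY_STRING",
           re.compile(r"\-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode"
                      r"|disable_functions|auto_prepend_file)", re.I)),
    # '<' and '>' alternatives assumed to be written as <|>
    Filter("brackets-and-angles", "QUERY_STRING",
           re.compile(r"^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).*", re.I)),
]


def request_line_for(path: str, destination: str) -> str:
    """Request line a browser sends after a same-page redirect such as
    '?a=b#anchor'. The fragment is kept client-side and never reaches the
    server, but a '?' with nothing after it is still sent."""
    target = destination.split("#", 1)[0]
    return f"GET {path}{target} HTTP/1.1"


def variables(request_line: str) -> dict:
    """Derive the two mod_rewrite variables used by the filters."""
    _method, rest = request_line.split(" ", 1)
    target, _protocol = rest.rsplit(" ", 1)
    # QUERY_STRING is the raw, still percent-encoded text after the first '?'
    query = target.partition("?")[2]
    return {"THE_REQUEST": request_line, "QUERY_STRING": query}


def matching_filters(request_line: str) -> List[str]:
    """Names of the quoted filters that would match this request line."""
    env = variables(request_line)
    return [f.name for f in FILTERS if f.pattern.search(env[f.variable])]


if __name__ == "__main__":
    samples = [  # constructed request lines
        request_line_for("/events/", "?#eme-rsvp-message"),
        request_line_for("/events/", "?page_id=5#eme-rsvp-message"),
        "GET /?ids[]=3 HTTP/1.1",
        "GET /?ids%5B%5D=3 HTTP/1.1",
        "GET /index.php?-d+allow_url_include=1 HTTP/1.1",
        "GET /style.php?fontFamily=sans-serif HTTP/1.1",
    ]
    for line in samples:
        hits = matching_filters(line) or ["(no match)"]
        print(f"{line!r:60} -> {', '.join(hits)}")
```

Running it against the exact URL from a 403 error shows which single RewriteCond to look at before commenting anything out or writing a skip rule.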

  19. MattR says:

    It would be nice if the current permission setting would be visibly highlighted if it differs from the recommended setting. Or at least if the current setting is less restrictive than the recommended setting.

    • AITpro Admin says:

      *** UPDATE & FINAL CONCLUSION ***
      this comment has been removed as it is no longer valid. new coding changes have been made to the 6scan plugin.

      • MattR says:

        6Scan claims to only do a scan for weaknesses. There is a subscription service for a vulnerability cleanup tool of some kind. At the moment, 6Scan is not reporting any problems to me, but maybe BulletProof is protecting the site from 6Scan’s vulnerability tests.

      • MattR says:

        Where is the troublesome extra blank line? There are many \n\n in the root .htaccess file — wherever there is a blank line.

      • 6Scan says:

        Good day AITpro Admin,

        I represent 6Scan, and want to comment on your post.

        First of all – I am ready to answer your questions regarding technical aspects of our plugin, if you still have some left (After reviewing our code).

        Bulletproof detects its presence and status by reading the .htaccess and expecting several characters to be positioned at specified offset. While I understand the idea behind that technique, it will not work if another plugin changes the .htaccess.
        In this case – 6scan does change this file and adds its directives to the beginning of the .htaccess. In this case, Bulletproof will indeed fail to detect its presence in the system ( though the main functionality – protecting rules – are intact).

        We do want to improve our plugin and are open to suggestions. Would you like to describe what part of our design/code you have found unsatisfying?

        P.S.
        The code you quoted actually does something else (It does not add 2 LFs to the beginning, but adds 2 LFs between 6Scan’s directives and the rest )

        • AITpro Admin says:

          I will test the latest version of 6scan to see if this problem is still occurring.
          “It is confirmed that this plugin is interfering with BPS either intentionally or unintentionally by adding 2 blank spaces to the beginning of the root .htaccess file on plugin activation.”

          If the problem still exists i will offer a coding solution.
          if the problem no longer exists i will remove this entire comment as it would no longer be valid information.

          Thank you.

          • AITpro Admin says:

            Also several of the comments in this thread have been removed due to being offensive in nature and the person who posted it was warned. Thank you.

        • AITpro Admin says:

          Test Environment
          Local XAMPP installation

          The coding of 6scan has changed and the old coding that was mentioned before no longer exists.

          New problem
          Blank spaces are inserted at the top of the .htaccess file on each failed plugin activation.

          Error message on failed activation
          There was a problem registering your site with 6Scan: There are no HTTP transports available which can complete the requested request..

          A solution was found to prevent the blank space from being inserted on failed activation on the local XAMPP testing site.
          Since the plugin was not tested in a Live Environment this test does not indicate whether or not this same problem would occur on a Live site. This test does, however, pinpoint the problem code in a XAMPP testing Environment.

          To complete testing on XAMPP site this file’s coding was modified and the blank space was no longer being inserted into the root .htaccess file on failed activation.
          /6scan-protection/admin/includes/installation.php

          Code lines modified related to problematic function – sixscan_installation_try_direct_write_file

          377
          if ( file_exists( SIXSCAN_HTACCESS_FILE ) ){	
          381-387 - commented out
          	/*	Taken from WordPress file.php, with minor changes for our needs, we are testing direct file access */
          	/*$context = trailingslashit( $context );
          	$temp_file_name = WP_CONTENT_DIR . 'temp-write-test-' . time();
          	if ( sixscan_installation_try_direct_write_file( $temp_file_name , TRUE ) == TRUE )
          		return 'direct';		
          
          	return FALSE;
          */
          390-403
          entire sixscan_installation_try_direct_write_file function was commented out.
          

          After commenting out this function and related calls to this function the problem of the blank space being inserted into the top of the root .htaccess file no longer occurred

          • 6Scan says:

            Good day!

            Are you sure it was this function? It just tries to open .htaccess for write access, and then immediately closes it ( I’ve tested it again, but this specific code does not add symbols to the file being opened)
            We will try to see why a failed installation adds LF symbols to .htaccess.

            In any case, perhaps you have a proposition about how to check whether BulletProof is installed? Currently it expects the .htaccess rules to be positioned in very exact places ( The $check_string_cur_ver variable).
            When 6Scan adds itself to the beginning of .htaccess, users see BulletProof inactive (When in fact, this is not correct)

    • MattR says:

      Incidentally, sorry about putting this highlight-permission suggestion here in the compatibility discussion. I meant to put it in the more general comments, but didn’t realize which window I was typing into.

  20. MattR says:

    The 6Scan plugin prepends some changes to the root .htaccess which triggers the following from BulletProof:

    Either a BPS .htaccess file was NOT found in your root folder or you have not activated BulletProof Mode for your Root folder yet, Default Mode is activated, Maintenance Mode is activated or the version of the BPS Pro htaccess file that you are using is not .46.9 or the BPS QUERY STRING EXPLOITS code does not exist in your root .htaccess file. Please read the Read Me button above.
    wp-config.php is NOT .htaccess protected by BPS
    The WP readme.html file is not .htaccess protected
    
    • AITpro Admin says:

      Ok thanks for the heads up. I will download this plugin and see what it does.

      • Alan Pae says:

        Hi there.

        I’ve been trying to work with 6Scan to get the issues ironed out between the two plugins. I have installed 6Scan version 2.2.8 and Bulletproof version .47.3.

        Using a previous version of Bulletproof and 6scan together would result in HTTP 500 errors on my blog. I’ve since updated Bulletproof but have been leaving 6Scan disabled. I would of course prefer to have both.

        Since the 500 errors I have intentionally been leaving 6Scan disabled. I was asked by the authors of 6Scan to do some testing and possibly find the 500 errors in the Apache logs and send back whatever I could.

        Now when I enable 6Scan and Bulletproof I no longer get 500 errors. Instead now the only thing I get is that Bulletproof can’t find its config stuff in .htaccess. So whatever it is it unfortunately looks like a Bulletproof issue and not a 6Scan issue. The only thing that has changed is I’ve upgraded Bulletproof to a more current version.

        Please make whatever changes need to be made so 6Scan and Bulletproof can co-exist peacefully.

        Thank you,
        alan

        • AITpro Admin says:

          Yep the old issue is no longer a problem, but there is another quirky issue going on. 6scan is borrowing a little snippet of coding from the WordPress Core and for whatever reason that snippet of coding is adding blank spaces to the top of the root .htaccess file when activating 6scan. The 6scan folks are aware of this issue and i assume they will fix it in the next version release. So to manually fix this problem all you need to do is go to the BPS Edit/Upload/Download page and delete the blank spaces at the top of your Root .htaccess file. We could easily provide a coding fix to get around this problem, but that would be putting a band-aid on the real issue of why that snippet of WordPress coding is inserting blank spaces into the root .htaccess file. So it is better that 6scan actually takes care of that root problem. Thanks.

          • Alan Pae says:

            Not good.

            I opened up .htaccess and there were no blank lines of any kind at the top of .htaccess. The first character in the file was a # for a comment line.

            So I just shuffled your stuff on top of theirs and no one’s complaining. :-) So now the Bulletproof stuff comes first followed by 6Scan.

            alan

          • AITpro Admin says:

            Excellent! Thanks for confirming that everyone is playing nice now. ;) FYI – To see the blank spaces you have to view the .htaccess file with the BPS built-in .htaccess file editor. When you download the file and open it you will not see the blank spaces. Thanks.

  21. Michael says:

    Hi Ed!

    I’m wanting to speed up my sites, but I know there have been security issues with some of the cache plugins. I see the ‘major’ ones have been tested, but I am anxious about allowing, for instance, quick cache the file permissions it wants (755 when you are recommending 705, etc.) Can you give me a suggestion for the cache plugin that will play best with BPS Pro? Or perhaps I should focus on other methods of speeding up my page loads.

    Thanks!!

    • AITpro Admin says:

      Actually there are not any security issues with any reputable caching plugins. I think Quick Cache is a reputable caching plugin. Typically a plugin may need 755 file permissions only temporarily to be able to write to a particular file. With caching plugins those particular files are usually ONLY going to be wp-config.php and .htaccess. I think Quick Cache only needs to write to the wp-config.php file temporarily and does not do caching with .htaccess code. The key thing to note is “temporarily” write to a file. Once a plugin has done whatever temporary write it needs to do then you should be able to change the file permissions to whatever you want after that. My personal favorite caching plugin is W3TC.

  22. robin says:

    Just checking to see if you have had any conflicts with the Wishlist Member Plugin? I have several Wishlist Member websites that I want to put BPS on but I want to check with you first.

    Thanks in advance for your help in this matter.

    • AITpro Admin says:

      No one has ever reported a conflict regarding this plugin. What i suggest is installing BPS on one of the sites and testing that everything is working normally. If there is a conflict somewhere then a simple skip / bypass rule will fix the conflict. Please post back here if there is a conflict. Thanks.

  23. Victor Font says:

    I just purchased the s2member plugin to upgrade my membership management features of my various sites. I am also using BPS Pro 5.1.5. With s2member active, when I click on a protected page without logging in first, BPS Pro produces a 403 error. I’ve copied the uri below. Perhaps you can help me understand what the issue is and how to fix it?

    • AITpro Admin says:

      *** UPDATE ***
      This fix will be added to the plugin fixes page.
      This fix requires the specific URI path to whatever protected page is being blocked.

      # S2Member protected URL rewrite / redirect bypass
      RewriteCond %{REQUEST_URI} ^/example-URI-path/example-registration-page/ [NC]
      RewriteRule . - [S=13]
      

      issue resolved via direct email.

  24. Jim says:

    I have a couple of flv files I’m trying to play in posts, Since installing BPS I can’t get them to play using the plugin “XVE Various Embed”. I tried the Stream Video Player, but it fails with current IE version and doesn’t seem to be updated anymore. I have the posts removed at the moment. But any help is appreciated

    • AITpro Admin says:

      I will test this plugin. Can you give me some specific details about the exact steps you are doing and the end result that is not occurring / working correctly. Thanks.

    • AITpro Admin says:

      Ok i have tested this plugin by adding a local FLV file and BPS did not block the video. If BPS is blocking something else then please state specifically exactly what is being blocked.

      • Jim says:

        I have the FLV file in the default upload directory, and after installing BPS I can’t get any videos to play with any web browser. Chrome at least will load the player but then the stream fails with it can’t find the file.

        I took the lines from the stream video player above and changed them to this….
        “# XVE Various Embed – Adding FLV Video Blocked By BPS
        RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xve-various-embed/ [NC]
        RewriteRule . - [S=8]”

        Adding that failed to fix it, and I could not get it work again, I will try some more tonight. Thanks for checking into it.

        • AITpro Admin says:

          *** UPDATE ***
          The problem was caused by a simulated RFI attack due to a coding problem and not a conflict – the coding that was causing this problem has been corrected. No .htaccess skip rule is needed for this plugin.

          The successful test i did was the same then. I uploaded an FLV file and then added the shortcode to a test post with the path to the FLV file and it worked without requiring an .htaccess skip / bypass rule so it appears this plugin is not blocked by BPS. If you can provide me with a URL link to the FLV file on your site i will look at your site’s source code for errors. Thanks.

          Also i chose the JW Player as i think it is probably the most stable player out of all of them.

          Also this plugin seems like a nice alternative if you can’t get this one to work >>> JW Player for WordPress

  25. Brian says:

    I am having a bit of trouble with a plugin called Rsvpmaker. I have added the following to my root htaccess…

    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/rsvpmaker/ [NC]
    RewriteRule . - [S=13]

    But still receive a 403 error. If I disable my secure htaccess and go back to the default it works fine… Clearly i’m doing something wrong, any ideas?

    • AITpro Admin says:

      Is this for the free version 2.4.2 or the premium version? If this is for the free version of the plugin i will test it. If this is for the premium version then you will need to troubleshoot it by looking at exactly what this plugin is doing when BPS is set in Default Mode. Is a query string displaying in a URL? If so copy that query string and then you can create a query string skip rule.

      *** UPDATE ***
      I tested the free version and everything I tested worked fine. What exact specific feature is not working correctly for you?

  26. Tony Payne says:

    I have been using the WSD Security plugin (wp-security-scan) on my sites as well as BPS. I am a bit paranoid after getting hacked earlier this year.

    I wondered if this plugin offered me any benefits (other than being able to change the table prefix) and if I am better off without it?

    So many plugins on WordPress all claiming that they are the best thing since sliced bread, it’s hard to know.

    I trust you guys – just purchased my BPS Pro copy today having tried the basic version for a few weeks.

    • AITpro Admin says:

      The DB table prefix renaming thing is a novelty idea and not really a security solution. Yes I actually get kind of angry when i read some of the BS in the WP plugin repository for some of the security plugins, but then i remind myself that if someone really feels that their plugin is the best thing since sliced bread then they are allowed to think and believe that. I have found that when people have a little knowledge about something they tend to think they know more than they really do. When someone has vast knowledge of a particular area they tend to be more humble. Ironic, but makes complete sense. And then of course you have the typical scammers and liars. LOL

  27. Tony Payne says:

    It’s great to have hotlinking to images blocked, however I do link to some images on my site(s) from my pages on Squidoo.com and having installed BPS of course these images are no longer showing.

    Is it easy to change the hotlinking protection to allow 1 or more specific sites to hotlink to images?

    Would it be easier/safer/preferable to place those images in a separate folder (rather than the standard media library) for use by external sites? I would have to use FTP to place the images there, but I could by doing this maybe restrict hotlinking to a specific folder.

    I’m not sure how easy it would be to do this.

    • AITpro Admin says:

      BPS Pro is not blocking Hotlinking. I have added some optional code in the Root .htaccess file, but it is commented out and not being used. I would need more specific information about what exactly is not working correctly. Is it a plugin that is doing the linking? Did you create custom links or coding to do this linking? Please post specific details with example URLs. Thanks.

      • Tony Payne says:

        I created custom links which were working before I re-installed the site on a new host. I checked and the images are still there in the uploads folder. Will do some further investigation, I assumed it was hotlinking protection causing it.

        • AITpro Admin says:

          Yep just compare the literal URL to the image file in your uploads folder with the URL link in your coding and if that is ok then it is NOT going to be a timthumb thing because we have put that puppy to bed finally with the new .htaccess code for timthumb scripts so another thing i have seen is that with some Themes they use allow_url_fopen to open image files. Why a Theme author would do something that dumb is beyond me, but if you have set up a custom php.ini file then you may need to change allow_url_fopen = Off to allow_url_fopen = On.

  28. jorge ghb says:

    Hi,

    I’m having troubles with google analytics dashboard, it shows this error: “Could not load Google Analytics data.”.

    I have tried to change rules but it doesn’t work…. any idea??
    ——————— .HTACCESS

    ### new characters rules
    #OLD RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|).* [NC,OR]
    #RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||%3c|%3e|%5b|%5d).* [NC,OR]
    #RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||%3c|%3e|%5b|%5d).* [NC,OR]
    ### end new characters rules

  29. tom says:

    I got the below error when activated plugin. (using Pro 5.1.3)

    Plugin could not be activated because it triggered a fatal error.

    Warning: require_once(/home2/standav7/public_html/wp-content/plugins/bulletproof-security/includes/class.php) [function.require-once]: failed to open stream: No such file or directory in /home2/standav7/public_html/wp-content/plugins/bulletproof-security1/bulletproof-security.php on line 43

    Fatal error: require_once() [function.require]: Failed opening required ‘/home2/standav7/public_html/wp-content/plugins/bulletproof-security/includes/class.php’ (include_path=’.:/usr/lib64/php:/usr/lib/php:/usr/share/pear’) in /home2/standav7/public_html/wp-content/plugins/bulletproof-security1/bulletproof-security.php on line 43

    • AITpro Admin says:

      This is a common issue that happens when you use the WordPress Upload Zip installer (PCLZIP). A number has been appended to the bulletproof-security folder name during PCLZIP installation >>> bulletproof-security1. You can either use FTP or your Web Host control panel to rename the folder to bulletproof-security by removing the number “1”. BPS Pro has a built-in Upload Zip installer for this reason and a couple of other reasons. So all future upload zip installations of BPS Pro should be done using the built-in BPS Pro Upload Zip installer. Thanks.

  30. Cart66 Plugin does not work with BPS when using any front-side AJAX calls. Throws 403 errors.

  31. Regina Smola says:

    Two plugins that are causing conflicts are Bad Behavior and Wassup on 403 pages (example readme.html):

    Warning: Cannot modify header information – headers already sent

    • AITpro Admin says:

      Yes, i have noticed that these plugins and some others are trying to track the BPS Pro 403.php BlackHole template and are generating these headers already sent PHP errors. The 403.php template should not be tracked or monitored because it is intended to send hackers or people using “bad” requests to this 403.php template. This nuisance issue is on my list of things to take care of and I will have a solution to compensate for this nuisance issue in BPS Pro 5.1.4. It is also acceptable to change your error_reporting to not show all php errors – just show Fatal php errors, but not Notices or Warnings, but I will still find a solution to not have these plugins generate these nuisance php errors. ;)

      ; Examples:
      ;
      ; - Show all errors, except for notices and coding standards warnings
      ;
      ;error_reporting = E_ALL & ~E_NOTICE
      ;
      ; - Show all errors, except for notices
      ;
      ;error_reporting = E_ALL & ~E_NOTICE | E_STRICT
      ;
      ; - Show only errors
      ;
      ;error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
      ;
      ; - Show all errors, except coding standards warnings
      ;
      ;error_reporting = E_ALL

    • AITpro Admin says:

      A solution has been created in the 403 BlackHole template and these nuisance php errors are no longer being generated by these 2 plugins.

  32. Jeroen says:

    After I installed the last update I got the following error. I can’t enter the website or the admin part.

    —————
    Parse error: syntax error, unexpected ‘<', expecting ')' in /home/otd/public_html/wp-content/plugins/bulletproof-security/includes/functions.php on line 167
    —————

    Please help.

  33. Dr Sunil Kumar Verma says:

    Dear Sir,

    I have installed the latest version of BPS on my site (http://indianscholars.net). It is a WP Multisite install on sub-directory. I had ‘network enabled’ BPS and used magic buttons to create proper .htaccess files.

    Problem is that images uploaded via the dashboard are not visible in post/pages etc on subdirectory sites. On the main site, they are OK and visible.

    In fact I have noticed that the ‘Set as Featured Image’ link also disappears from the dashboard on the main as well as the subdirectory sites as soon as BPS is activated in secure mode. I also noticed that the icon named ‘add image’ (near the ‘add media’ icon in the dashboard) also disappears.

    May you kindly suggest an appropriate solution to the above.

    Regards,

    S. K. Verma

  34. Kenneth Fiil says:

    Hey, first thanks for a super super cool plug-in! I have a little problem when I use the plugin with the XXX plugin (here)! I am doing a call to

    http://www.newblog.com/?b2w=http://oldblog.blogspot.com/2010/09/post123.html

    that should resolve to

    http://www.newblog.com/2010/09/post123.html

    Any ideas?

    Ups, the XXX is Blogger To WordPress Redirection and a link here http://wordpress.org/extend/plugins/blogger-to-wordpress-redirection/

    • AITpro Admin says:

      This is simulating a RFI – Remote File Inclusion hack on your website and is one of the primary things that BPS blocks in the Query String Exploits filters. To allow only this plugin to do this try this skip rule below. CAUTION!!!. I have not looked at the coding in this plugin, so if there is a way that a hacker can hook into this plugin then they will be able to successfully hack your website using an RFI attack. As long as the plugin has security code in it to ensure that only internal links are allowed to redirect then your site is safe otherwise your site will get hacked. When i get a chance i will test this plugin to see if i can hack it and hack a testing site.

      # Plugin - Blogger To WordPress Redirection - link redirection / inclusion
      # CAUTION this is extremely dangerous - this plugin has not been tested yet
      # If you have WordPress installed in a subfolder you will need to add the
      # subfolder name to the RewriteCond /blog/wp-content/plugins/blogger-to-wordpress-redirection/ [NC]
      RewriteCond %{REQUEST_URI} ^/wp-content/plugins/blogger-to-wordpress-redirection/ [NC]
      RewriteRule . - [S=30]
      
      • Kenneth Fiil says:

        Sorry I have not replied before, I just tested it and it seems to work perfectly. If I look in the plugin code, what it does is look for some meta values in the database, and if it finds them and they match it makes a redirect; if they don’t match it just redirects to home_url () so I think it is safe… maybe :)

  35. WCGS says:

    Hi,

    Thanks for the great plugin. Looks like it will work great.

    I’m having one problem, and I haven’t been successful with a workaround. I am using the plugin User Avatar 1.4.6 and I have been unable to display avatars in the blog with BPS activated.

    Have tried:
    RewriteCond %{REQUEST_URI} ^/wp-content/uploads/avatars/ [NC]
    RewriteRule . - [S=30]

    no luck there.

    Any help would be greatly appreciated. Thanks!

    • AITpro Admin says:

      *** UPDATE ****
      Actually i just noticed that the Request URI rule you added is incorrect. try this instead

      # User Avatar skip rule
      RewriteCond %{REQUEST_URI} ^/wp-content/plugins/user-avatar/ [NC]
      RewriteRule . - [S=30]

      I have tested User Avatar and the avatars displayed correctly in Comments using the WP 2011 Theme. Have you double checked Settings >>> Discussion >>> Avatars to make sure the Show Avatars option is on? This could possibly be a Theme issue i guess, but i seriously doubt that. I see that you have comments turned off. Normally an avatar is displayed in comments. When i look at “About The Author” i see that the image URL is your-domain-url/wp-content/plugins/user-avatar/user-avatar-pic.php?src=your-domain-url/wp-content/uploads/avatars/1/1295828258-bpfull.jpg&w=80&id=1&random=1295828258.

      This is similar to a common thumbnailer image link and simulates an RFI hacking attempt by adding src= after your URL with a link to your images. So my guess is that you will need to do something like this. use a safe portion of the query string to allow this simulated RFI attack to be allowed to bypass the bps exploit filters. Whatever you do DO NOT use src= or src=http://. if you do allow src= to bypass the query string exploits filters then you are guaranteeing that your website will be hacked at some point. Thanks.
      ONLY TRY THIS RULE IF THE ABOVE SKIP RULE DOES NOT WORK

      RewriteCond %{QUERY_STRING} w=80&id=1&random=(.*) [NC]
      RewriteRule . - [S=30]
      • WCGS says:

        I tried both fixes with no joy. I’m sure they would work on the standard setup, but I just remembered I’m doing something a bit outside the box. I’m calling the User-Avatar images from a plugin called People Lists. People Lists allows one to build lists of links and display them using a separate template. So, People Lists uses a code %thumbnail% to display a users image, which is drawing from /wp-content/uploads/avatars/ , which is populated by the User Avatars plugin (by my understanding). The template is a table that includes the following for the image:

        %thumbnail%

        Any ideas? I really appreciate the help.

        You can see the areas that are missing the images on the Teachers page.

        • AITpro Admin says:

          hmm. Ok first off i want to say that the /uploads folder is kind of a dangerous area in general and especially if opened up to the public so you want to be very careful about creating rules that allow access or removing any security filtering relating to that particular folder. And if you end up allowing something that gets your images to display correctly but your website gets hacked then this is going to be a self defeating thing because you will be losing time restoring / repairing your website.
          Ok so here is the main issue that you are facing. You are simulating and creating a Remote File Inclusion (RFI) hack on your own site so you need to be able to allow this intentional hack on your site, but limit the possibility of a hacker bot detecting this vulnerability / exploit to take advantage of it. That is why taking the Query String rule approach is dangerous because your own query string skip rule could be used against your site by extending the query string with other variables. Here is the worst case scenario that i see. You open up your uploads folder to a hacker, he / she is able to upload a file and execute it remotely with RFI. both the uploading and remote execution can be done by exploiting the rule you create to bypass the filters. i played around with this and i was successfully able to accomplish both an upload and remote execution of the uploaded script using several different skip rules.
          This is most likely the primary RFI exploit filter that is blocking you from hacking your own site. RewriteCond %{QUERY_STRING} http\: [NC,OR] This is a very, very important filter so if you comment it out you are asking for trouble.
          Have you tried something simple like creating a skip rule for the People Lists plugin?
          I can easily see a way for you to open up the /uploads/avatars folder to the public (and hackers of course) and get your images to display correctly, but as i have explained above when i did this in testing i was very easily able to upload a test script (neutered Alucar Shell) and execute it remotely – uploaded script with an image file extension and executed it remotely to generate a new file with a .php file extension, which gave me a fully functioning Shell login script to log in with and take total control of the testing website.

          Ok so looking at the trouble spots:
          The src attribute specifies the URL of an external script file.
          The external script file cannot contain the tag “script” – but this can be exploited by pointing the src= attribute to a script tag
          BPS sees the URL to the image file as an external link that is trying to perform an RFI hack on your site
          http:// is filtered because this is used in a typical RFI attack

          So after looking at all the more complex approaches i just thought of something really simple – take a block image hotlinking approach but use skip instead. This may or may not work as is. You may need to add additional conditions, but i think this is the general approach you should be taking.

          # If Referrer is not empty
          # If Referrer is my domain skip the exploit filters for gif, jpg and png files
          RewriteCond %{HTTP_REFERER} !^$
          RewriteCond %{HTTP_REFERER} ^http://(www\.)?my-site.com/.*$ [NC] 
          RewriteRule \.(gif|jpg|png)$ - [S=30] 
          • James says:

            Hi,

            Same problem here I’m afraid with the User Avatar plugin. None of the above three fixes seem to work.

            Any further ideas? Regards, James

          • AITpro Admin says:

            The User Avatar Plugin has been scheduled for testing and a solution will be posted after testing is completed.
            Note: If a bad coding practice is the cause of the problem that would leave your website vulnerable to being hacked then a solution will not be posted and the plugin author will be notified.

          • AITpro Admin says:

            Testing completed – no problems or conflicts were found.
            The User Avatar plugin and People Lists plugin were tested together and no conflicts were found with BPS. I was able to create a custom avatar as a new user, create a reply to a comment as a new user and the custom Avatar displayed correctly.
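
An added example, not part of the thread and not BPS code: a small Python audit of the three skip rules quoted in the comment 35 exchange above. It flags conditions that key on a query-string fragment or on the client-supplied Referer header, then checks which constructed requests would skip the filters. The function names, finding codes and sample requests are assumptions made for this illustration, and Python's `re` stands in for Apache's PCRE, which is adequate for these simple patterns.

```python
import re

# Constructed input: the skip rules quoted in the thread above
# (my-site.com is the thread's own placeholder host).
SAMPLE_HTACCESS = r"""
# User Avatar skip rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/user-avatar/ [NC]
RewriteRule . - [S=30]
RewriteCond %{QUERY_STRING} w=80&id=1&random=(.*) [NC]
RewriteRule . - [S=30]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} ^http://(www\.)?my-site.com/.*$ [NC]
RewriteRule \.(gif|jpg|png)$ - [S=30]
"""

COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?$")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+\S+(?:\s+\[([^\]]*)\])?$")


def parse_skip_rules(text):
    """Return each RewriteRule that carries [S=N] with the RewriteCond lines guarding it."""
    rules, conds = [], []
    for raw in text.splitlines():
        line = raw.strip()
        cond, rule = COND_RE.match(line), RULE_RE.match(line)
        if cond:
            flags = [f.strip().upper() for f in (cond.group(3) or "").split(",")]
            pattern = cond.group(2)
            negate = pattern.startswith("!")
            conds.append({"var": cond.group(1), "pattern": pattern[1:] if negate else pattern,
                          "negate": negate, "nocase": "NC" in flags, "or": "OR" in flags})
        elif rule:
            skip = re.search(r"(?:^|,)\s*S=(\d+)", rule.group(2) or "", re.I)
            if skip:  # [S=N] skips the next N RewriteRule directives
                rules.append({"pattern": rule.group(1), "skip": int(skip.group(1)),
                              "conds": conds})
            conds = []  # conditions only apply to the RewriteRule that follows them
    return rules


def audit(rule):
    """Static findings for one skip rule, returned as sorted short codes."""
    findings = set()
    for c in rule["conds"]:
        p = c["pattern"]
        if c["negate"]:
            continue
        if c["var"] == "QUERY_STRING":
            open_start = not p.startswith("^") or p.startswith("^.*")
            open_end = not p.endswith("$") or p.endswith(".*$")
            if open_start or open_end:
                findings.add("QS_FRAGMENT")        # extra parameters ride along
        elif c["var"] == "HTTP_REFERER":
            findings.add("CLIENT_SET_REFERER")     # header value is chosen by the client
        elif c["var"] == "REQUEST_URI" and not p.startswith("^/"):
            findings.add("URI_UNANCHORED")
    if not rule["conds"]:
        findings.add("UNCONDITIONAL")
    return sorted(findings)


def conditions_hold(conds, request):
    """Apache semantics: conditions are ANDed; [OR] joins a condition to the next one."""
    result, group = True, False
    for c in conds:
        value = request.get(c["var"], "")
        hit = bool(re.search(c["pattern"], value, re.I if c["nocase"] else 0)) != c["negate"]
        group = group or hit
        if not c["or"]:
            result, group = result and group, False
    return result


def rules_that_skip(rules, request):
    """Indexes of the skip rules that fire for a request, i.e. the filters below are bypassed."""
    path = request["REQUEST_URI"].lstrip("/")  # per-directory rules see no leading slash
    return [i for i, r in enumerate(rules)
            if re.search(r["pattern"], path) and conditions_hold(r["conds"], request)]


# Constructed requests (not captured traffic); example.invalid is a reserved name.
REQUESTS = {
    "avatar link as described in the thread": {
        "REQUEST_URI": "/wp-content/plugins/user-avatar/user-avatar-pic.php",
        "QUERY_STRING": "src=http://my-site.com/wp-content/uploads/avatars/1/"
                        "1295828258-bpfull.jpg&w=80&id=1&random=1295828258"},
    "unrelated script with the fragment appended": {
        "REQUEST_URI": "/index.php",
        "QUERY_STRING": "u=http://example.invalid/x&w=80&id=1&random=1"},
    "image request, Referer header set by the client": {
        "REQUEST_URI": "/wp-content/uploads/avatars/1/a.jpg",
        "HTTP_REFERER": "http://my-site.com/"},
    "same image request, no Referer": {
        "REQUEST_URI": "/wp-content/uploads/avatars/1/a.jpg"},
}

if __name__ == "__main__":
    parsed = parse_skip_rules(SAMPLE_HTACCESS)
    for i, r in enumerate(parsed):
        print(f"rule {i}: S={r['skip']} pattern={r['pattern']!r} findings={audit(r)}")
    for name, req in REQUESTS.items():
        print(f"{name}: skip rules fired = {rules_that_skip(parsed, req)}")
```

Only the REQUEST_URI-scoped rule is tied to one plugin's path; the query-string rule fires for any script once the fragment is present, which is the extension risk described in the reply above.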

  36. *** Comment has been moved to the appropriate page ****
    I use Inline Editor Version 0.7.6 | By WPXpand. It allows you to make quick changes to posts from the main front page. When I activate BPS it seems to affect this plugin, as when I click save to the post the page hangs forever?

    How do I give this plugin rights to read & write to posts ?

    • AITpro Admin says:

      Inline Editor Version 0.7.6 | By WPXpand has been tested with the WP 2011 Theme and also with your Adventure Journal Theme and there are no conflicts. Inline Editor works fine with BPS without any conflicts. Please check things like caching plugins, clear your browser cache, ping or tracert your host server, etc. This sounds like either a caching problem or connectivity problem, but could also be something like your DB needs to be optimized or your DB is damaged. Thanks.

  37. Selektor says:

    I have a Dewplayer plugin on my website that doesn’t work with BPS.
    Thanks

    • AITpro Admin says:

      *** UPDATE ***
      Actually this plugin is not safe to use because this coding in the plugin is not protected with sufficient security checks and security coding protection. This can be hijacked very easily and a hacker could very easily exploit this code. If you remove this function from the plugin then it will be safe to use, but i would go ahead and add the additional security checks coding that is missing from the plugin coding too. And actually you will need to remove the dewplayer_check_plugin_version function and this action add_action( 'after_plugin_row', 'dewplayer_check_plugin_version' );

      function dewplayer_getinfo()
      {
      		$checkfile = "http://www.royakhosravi.com/pub/Dewplayer_wordpress_plugin_version.txt";
      		
      		$status=array();
      		return $status;
      		$vcheck = wp_remote_fopen($checkfile);
      				
      		if($vcheck)
      		{
      			$version = $dewplayer_localversion;
      									
      			$status = explode('@', $vcheck);
      			return $status;				
      		}					
      }
      

      *** See UPDATE above ***
      This plugin is quite old, but i downloaded it and looked at the coding and it looks generally ok. Now when i say ok i mean that it does not have any security coding in it, but for what this plugin is doing I think that it will not create a security vulnerability on your site. Checks like is_admin, current_user_can(‘manage_options’) and checking the referrer in forms, etc on the backend – the coding does not contain any security checks coding. The last update for this plugin was almost 4 years ago and the plugin author’s website is no longer around.

      Please tell me the specific error or problem that is occurring. Thank you.

      • Selektor says:

        Thank you for your prompt reply! I will just remove the DewPlayer and use a different one.
        Also, i’ve just noticed that after i installed BPS on my website, google analytics shows 0 visitors. It is receiving data, analytics code is fine. From Oct 12th (day when i activated BPS) to this day, it says there are 0 visits. Not that it bothers me, just wanted to let you know.
        Thank you in advance!

        • AITpro Admin says:

          Yep no problem. I never should have allowed Timthumb scripts to be allowed by default to skip BPS .htaccess filters. So the last thing i want to do is repeat doing something like that. If people want to make the choice of possibly getting their website hacked then that will be their choice. All future version releases of BPS have all thumbnailer scripts Forbidden by default in the root .htaccess file. I would rather get complaints from people that they have to do an extra step to get their thumbnailer scripts to work than have them get their websites hacked because they were not paying attention.

          Are you talking about a GA plugin or GA itself? I don’t have any issues with GA on any of my sites.

          FYI – are you aware that “Selektor” is a known hacker’s handle. I have collected a bunch of his scripts from hacking attempts against AITpro. ;)
          Thanks.

  38. I use a membership plugin called s2 member pro. s2member.com

    When BPS is activated, s2member pro does not function correctly. There is a URL which returns to the site after a purchase is made but BPS does not allow this and I get a 403 page.

    Can you advise?

    Thanks.

    • AITpro Admin says:

      BPS has been tested with S2 and NO compatibility problems were found. Things change constantly though. The problem is most likely isolated to the URL request itself. A filtered word used in the URL is being blocked by BPS as being seen as an external request made in the query string. Please post the URL so that i can tell you what is causing the problem. Thanks.

  39. […] check the BulletProof Security Plugin Compatibility Testing and Fixes page for new fixes that are not yet included in the most current version of BPS. Typically a simple […]

  40. Ryan says:

    I run Blubrry’s PowerPress as well as James and have recently encountered the following error when attempting to verify the media (mp3) URL when creating a post under the ‘Podcast Episode’ element of a post edit: The requested URL returned error: 404.

    If I copy and paste the same media URL into my address bar, the .mp3 queues right up. I have successfully produced 20+ episodes prior to this occurring.

    I was hoping I could reverse engineer the code you have for podPress, thinking they may be similar in their snags, but I do not know how to tailor it for PowerPress.

    Best regards and thanks for any assistance,
    Ryan

    • Ryan says:

      For what it’s worth, I’ve zapped the call to all BPS in my public_html/.htaccess and desired functionality of PowerPress was restored… so now I know the culprit code is in there somewhere…

    • AITpro Admin says:

      Ok here is the fix for the 403 / 404 redirection problems with Blubrry PowerPress. You must use a virtual directory name. i have randomly chosen “bpp”, but you can choose any name you want here. You cannot redirect back to your root folder because this is in direct conflict with the root .htaccess file. This will cause a hang while the RewriteRule processing loops into infinity. I will make this a standard plugin fix in the BPS master .htaccess file and add this fix on the Plugin Compatibility and Testing page. Thanks for notifying me of this problem.

      Test links to verify BPS and BPP are getting along now:
      >>>
      >>> http://www.ait-pro.com/verum/

      # Blubrry PowerPress 404 / 403 redirection fix
      # You can change the made up directory name "bpp" to any other name you want /media/ or /podcast/ etc but you 
      # must have something here. You cannot redirect back to your root folder or BPP will hang
      RewriteCond %{QUERY_STRING} powerpress_pinw=(.*) [NC]
      RewriteRule (.*) /bpp/$1 [R=301,L]
      • Ryan says:

        Thanks for the quick sniping of this issue, however my tech illiteracy prevents me from understanding ‘virtual directory’ a Google search only further gobsmacks… is this something I’d designate in WHM, cPanel or my FTP client, or from within WP?

        I hate answering a solution with a request for education, but must needs as the devil drives.

        • AITpro Admin says:

          Virtual directory was just the wording i used to describe /bpp/ . There is no technical term called “virtual directory” that pertains to websites that i am aware of. this was just my choice of wording. Looks like i will have to change that wording. :) So basically all i am saying is you must have a folder name like /bpp/. it could be /media/ or /mystuff/ or /podcast/ or whatever else you want to make up. The folder name you are adding here does not really exist on your site so it is just a virtual name that you are adding here. If you do not add a make believe folder name in the RewriteRule it will loop back into your root site .htaccess file to be processed again and again….then again…then again…..then again…….. into infinity. Thanks.

          • Ryan says:

            I was led down a rabbit hole b/c the code did not work for me (and virtual directory is something in hosting apparently –increased my knowledge base there, tho :). Finally I’ve had success when deleting:

            # FILTER REQUEST METHODS
            RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
            RewriteRule ^(.*)$ - [F,L]

            With this gone, the

            # Blubrry PowerPress 404 / 403 redirection fix
            # You can change the virtual directory name "bpp" to any other name you want but you
            # must have something here. You cannot redirect back to your root folder or BPP will hang
            RewriteCond %{QUERY_STRING} powerpress_pinw=(.*) [NC]
            RewriteRule (.*) /n3rd/$1 [R=301,L]

            is not needed for PowerPress to verify a podcast episode when creating a post, but I feel the code I’ve omitted may leave a chink in the armor or undermine BPS..?

          • AITpro Admin says:

            Hmm ok well if the Request Method Filters are blocking something then that would mean that the Podcast Request is coming from an external source other than your site, which would make perfect sense. I did my testing by adding a local mp3 on the test site. I did not test adding a podcast from an external source. The mp3 will not load in an external window unless i use the query string rewriterule. I just rechecked your site and the podcasts that were working before on your site are no longer loading in an external window anymore. They are looping into reopening the same window instead of launching the mp3. Could you add a URL link to an example podcast that is working now so that i can look at what is going on? I will set up some other various podcasts at a later date when i have more time to fiddle around with this. I provided a couple of links in my previous comment that go to a working local mp3 file that is correctly loading in an external window for verification that the htaccess query string rewriterule works. So anyway, add a URL that i can look at to see the exact type of usage you are doing with Blubrry.

            Test links to verify BPS and BPP are getting along now:
            >>>
            >>> http://www.ait-pro.com/verum/

            Thanks.

  41. I have been using Blubrry PowerPress and now the audio player is not working. Also I use an external flash player as an internet radio player, this has also stopped functioning since I installed BulletProof Security. Please advise

  42. ggbps says:

    Hi,

    There seems to be a conflict with Bulletproof Security and WP Robot 3 for autoposting. Using WP Robot 3 has an external Control Panel to automate campaigns for multiple domains. Can you please test?

    • AITpro Admin says:

      Ok thanks I will put it in testing.

      • AITpro Admin says:

        A simple htaccess skip rule appears to work fine at least for the free demo version. I am only testing with the demo free version since this is a premium plugin. If this fix does not work for the paid version of this plugin then check with the plugin authors since this is a premium plugin they should support their product and provide you with further assistance for their product. Thanks.

        # WP Robots fix
        # If you have WordPress installed in a subfolder you will need to add the
        # subfolder name to the RewriteCond /blog/wp-content/plugins/WPRobot3/ [NC]
        RewriteCond %{REQUEST_URI} ^/wp-content/plugins/WPRobot3/ [NC]
        RewriteRule . - [S=30]

  43. Tom says:

    Hello,

    There was a great post about this plugin here :
    http://wpmu.org/wordpress-security-101-8-tips-tricks-and-tweaks-to-secure-your-wordpress-website/

    I followed the instructions but now I have a plugin conflict with the anti spam images not showing up – I am wondering if you can help me with the rewrite rule as described here http://premium.wpmudev.org/forums/topic/comment-spam-pack-plugin-conflict

    Thank you!

    • AITpro Admin says:

      Hi Tom,
      I read through the entire post and see that you guys got it figured out by adding the mu-plugins folder in the Request_uri string / path. I have added your WPMU general plugin solution to the BPS Plugin Compatibility and testing page as a general fix technique to try for all WPMU plugins. Well done!!! Thanks.

  44. entre2lignes says:

    I have an issue with the reset password link in wordpress. I can enter my username, get the email from wordpress, click the link, the page load to change the password but when i enter my new password and hit reset, it brings me a 404 page. I tried to delete my htaccess file and it worked! There is something with the bulletproof security htaccess files that is wrong. Can someone help me plz!

    • AITpro Admin says:

      *** UPDATE ***
      Actually i just received confirmation that these two new standard fixes are working successfully to deal with issues with all login plugins. These are the common hooks that are used in most login plugins. Add these 2 fixes to Your Current Root htaccess file using the BPS built-in File Editor. You can copy and paste them directly into your root htaccess file from here. In your case you may or may not need to add the default.htaccess file fix in addition. Try these first and then if you are still experiencing a problem try the default.htaccess fix IN ADDITION to adding these new skip rules below.

      # Login Plugins Password Reset And Redirect Conflicts Fix 1
      RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
      RewriteRule . - [S=30]
       
      # Login Plugins Password Reset And Redirect Conflicts Fix 2
      RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
      RewriteRule . - [S=30]
      

      *** END UPDATE ***

      You left out a lot of important information. ;) I registered to your site. I then tried to reset the password and was directed to SimplePress Forum not WordPress. I will put this in testing, but since you have a /forum subfolder my guess is that the BulletProof root .htaccess file rules are being applied to the /forum folder for SimplePress Forum. Try this until i can get to testing this plugin and scenario – download the BulletProof Security default.htaccess master file, edit the rewritebase and rewriterule as shown below, upload it to your /forum folder and then rename it to just .htaccess (removing default from in front of .htaccess). Let me know what happens. Thanks.

      # BEGIN SimplePress Forum
      
      RewriteEngine On
      RewriteBase /forum/
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /forum/index.php [L]
      
      
      # END SimplePress Forum
      

      Also you may need to comment out this line of the htaccess code above. RewriteRule ^index\.php$ - [L]
      like this # RewriteRule ^index\.php$ - [L]

      There is also another possible cause that is very similar to another issue that i am working on.
      This particular section of the string needs to be allowed to bypass the BPS filters. action=rp&key=
      Add this fix below to your root htaccess file.

      # password reset possible fix - pending confirmation
      RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
      RewriteRule . - [S=30]
      
  45. OrdiFacil' says:

    I’m just discovering your plugin and I’m not yet using it. In fact before installing it to my blog I was wondering if there’s any known conflict with the Secure WordPress plugin. Could this plugin cause any double features problem with yours?

    Thanks a lot for your work and for sharing it with us!

    • AITpro Admin says:

      I am not 100% sure and I will eventually test this plugin at some point. It appears that it could add a few extra protective things to your website. It might make a nice supplement to BPS website security. Check the “See what others are saying” area for this plugin. There seem to be some negative statements about this plugin causing a Server load problem.

      Also a new client of mine sent me this information on them. Several of his websites were being hacked on a daily basis. He was using the Secure WordPress plugin and the website defender plugin. I believe they are both made by the same person.

      “Hi,
      Have you ever heard of these guys?
      Secure WordPress
      Their program did not help me at all….
      http://www.websitedefender.com/secure-wordpress-plugin/
      They did not understand this virus”

      I don’t believe in saying negative things about other people’s work, but the bottom line was that the client’s websites were hacked when using these plugins. He is now using BulletProof Security on all his websites and they have never been hacked again.
      Thanks.

  46. Sean says:

    Two plugins don’t work with BPS enabled.

    These are: WP-eXtplorer and Adminer

    Throws 403 errors.

    • AITpro Admin says:

      Ok thanks for the heads up. I will put both of these plugins in testing. Thank you.

      • AITpro Admin says:

        *** UPDATE ***
        Very nice plugin, Frank. ;)
        Adminer has been tested. A simple .htaccess skip rule is all that is required to resolve this conflict between Adminer and BPS.

        wp-eXtplorer has been tested. I could not get this plugin to work with BPS Security enabled or disabled. I was able to manually access the eXtplorer admin login window by creating an .htaccess skip rule. I have no idea how you have this plugin setup or if you have it working, but try the .htaccess skip rule fix I have added above and let me know if that works for you. The eXtplorer manual login test was performed successfully by going directly to /wp-content/plugins/wp-extplorer/helpers/index.php. Thanks.

  47. msrosyidi says:

    *** FOR ANYONE WHO SEES THIS COMMENT DO NOT DO THIS ***
    **************** Comment edited by Ed *****************
    Thank for the solutions. I also try this:
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||"|;|\?|\*).* [NC,OR]
    and it works.

    • AITpro Admin says:

      Hmm that actually should not work and is removing the most important part of that filter the less than and greater than characters used in malicious script attacks. Most likely when you posted this code here the greater than and less than characters were stripped out of the comment. There are some limitations on what can be posted in comments.

  48. […] Checking Plugin Compatibility with BPS – Plugin Testing – To Do List […]