BulletProof Security Pro Questions, Comments & FAQ

Author: AITpro Admin
Published: August 2, 2011
Updated: November 9, 2012

Categories: BulletProof Security Pro

216 Responses to “BulletProof Security Pro Questions, Comments & FAQ”


  1. Dan says:

    Hey, team

    I’m trying to set up my Pro plugin’s php.ini files, my webhost Crucial.com.au isn’t in the list.

    What’s the next step for you to be able to tell which .ini type I require?

    Thanks – loving the plugin so far!

    Dan

    • AITpro Admin says:

      Hello,
      The first step is determining your Hosting type. It looks like your web host focuses more on Business, VPS and Reseller Hosting so do you have Shared, VPS or Dedicated Hosting? Please respond with your Hosting type. Glad you’re loving BPS Pro. ;) Thanks.

      Actually I just came across Help info about custom php.ini file setup for your Web Host.
      Your Host Server type is SA and requires php.ini handler code in your Root .htaccess file. Your custom php.ini file would be created in your /public_html/ folder here – /home/cPanel-account-name-here/public_html/php.ini. You will find your “cPanel-account-name-here” account name under the B-Core System Info page.

      1. Add this php.ini handler code below to the BPS Pro Custom Code Top box and click save to save it, click the secure.htaccess AutoMagic button and Activate BulletProof Mode for your Root folder again.
      # CRUCIAL PARADIGM PHPINI HANDLER CODE
      suPHP_ConfigPath /home/cPanel-account-name-here/public_html/

      2. You can use the custom php.ini setup instructions for these web hosts (disregard the special notes in blue font) >>> http://www.ait-pro.com/aitpro-blog/2853/bulletproof-security-pro/php-ini-general-and-host-specific-php-ini-information-for-bps-pro/#aussiehq-jumba-uberglobal

  2. Seshalyn says:

    I have been locked out of my admin with maintenance mode! Help!

    When I try to login to my site, the maintenance text appears, I can’t login. I thought the maintenance was only supposed to be for the user side? I need to resolve this asap. Please advise…

    Thanks!

    • AITpro Admin says:

      If you are unable to log back into your WordPress Dashboard and are also seeing the Website Under Maintenance page then you will need to FTP to your website or use your Web Host control panel and either delete the .htaccess file in your website root folder or download the .htaccess file and edit it and add your correct current Public IP address and upload it back to your website. There was a section of Read Me help text that was removed in the last version release and will be added back to BPS Pro 5.1.7. It explains that IP addresses are dynamic and are given to you by your ISP. When you reboot your computer or lose your connection to the Internet, it is very likely that you will get a new IP address from your ISP, which will cause you to also see the Maintenance page because your IP Address has changed and does not match the IP address in your Maintenance Mode .htaccess file.

  3. Tony Payne says:

    I am trying to download the latest Pro version, but am being asked for a Download Key.

    I installed Pro about 6 weeks ago and can’t find the original key.

    When I log in to download the update, do I get emailed a new Download Key, or am I expected to use the old one?

    I have looked in my registered email and Paypal accounts, but no email has been received. I logged in to download more than 30 minutes ago.

    • AITpro Admin says:

      Hello Tony,

      I just resent your Download Key to your PayPal email address used to purchase BPS Pro. I am so looking forward to the release of BPS Pro 5.1.7, which will have the direct BPS upgrade installation coding in it – no more zip downloading after 5.1.7 Yeah!

  4. Paul says:

    Is there another way to install the update?

    Every time I use the upload zip and install method, it doesn’t work.

    I can get the zip uploaded, but the install doesn’t work. I’ve tried it on both of my sites and in different browsers.

    Thanks.

    • AITpro Admin says:

      Are you using the WordPress upload zip installer or the BPS Pro upload zip installer? See this help post >>> http://www.ait-pro.com/aitpro-blog/3139/bulletproof-security-pro/bulletproof-security-pro-zip-installation-zip-backup-and-download/

      • Paul says:

        I get it to this point:

        “Zip File Upload Successful. Click the Install Now button to install BulletProof Security Pro.”

        But when I click “install” the only thing I get is this:

        File Open, Zip and Downloading is enabled for your IP address only ===67.170.66.151

        Nothing else, just a blank page.

        • AITpro Admin says:

          Ok well I guess for whatever reason on your Server you are not able to use the BPS built-in upload zip installer. If your Web Host does not have the ZipArchive class installed on your Server then the zip installer will not work. You can just use the manual method of uploading the files via FTP or use your Host Control Panel to upload the unzipped BPS files. Unzip the bulletproof-security.zip file and copy the entire contents of the bulletproof security folder and overwrite your existing bulletproof security files.

        • AITpro Admin says:

          Also we will either hook into the WordPress PCLZIP installer for direct upgrade installations within the WP Dashboard in BPS Pro 5.1.8. or add additional coding for Servers that do not have all the latest zip installers installed.

          • Paul says:

            I’m on a VPS/Cpanel. Is there anything I can do to open it up?

          • AITpro Admin says:

            Well if the problem is that ZipArchive is not available on your Server then it is something that only your Host can do. To test if this is the problem – try and perform a zip backup and if you see a ZipArchive error then you know for sure that this is not installed on your Server.

          • Paul says:

            Yup, that didn’t work either.

            I FTP’d the files but the upgrade reminder remains.

            What do you think?

          • Paul says:

            Never mind. I just turned off the alert.

            It says 5.1.6, so the files are in there. The alert is another matter.

            Thanks.

          • AITpro Admin says:

            Oops. Just deactivate and reactivate BPS Pro on the Plugins page. The new coding to clear the upgrade Cron check did not take effect on install. Deactivating and reactivating BPS Pro will clear and rerun the Cron version upgrade check, which will clear the upgrade notice. This will only occur in this particular version as we are transitioning to a direct upgrade installation for BPS Pro. Sorry for this inconvenience. Also for future zip upgrade installations, if you prefer that over a direct upgrade, then the upgrade notice will be cleared on zip installation.

  5. Jack Miller says:

    After installing and activating BPS Pro, we see only blank pages, with S-Monitor and F-lock warnings at the top of the page, but no content below the warnings.

    This site is a sub folder of a WordPress website, if that matters (e.g. somedomain.com/blog). The main domain (e.g. somedomain.com) is properly protected by BPS Pro.

    Ideas?

    • AITpro Admin says:

      The Activation Key you are entering is missing the dot ( . ) on the end of the encrypted key. Please add the dot and resave the Activation Key.

  6. Alan Smith says:

    Hi

    I have only one error:

    [23-Mar-2012 09:46:24] PHP Parse error: syntax error, unexpected ‘{‘ in /home/xxxxxx/public_html/new-green-earth.net/wp-content/plugins/bulletproof-security/admin/test/bps-error-log-test.php on line 5

    How can I resolve this problem?

    Kind Regards – Alan

    • Alan Smith says:

      Moreover I had to set the permissions on the php.ini file to 700, to be able to create the php.ini Master File – is this correct?

    • AITpro Admin says:

      Hi,
      Yep we have made the PHP Error log test clearer in BPS Pro 5.1.6 so that it is very clear that this is an intentional PHP Error generated to test that your PHP Error log is working correctly. In BPS Pro 5.1.6 you will see “PHP Error Log Test” displayed to you when the php error test occurs. Thanks.

      • Alan says:

        Hi

        Thanks for your answers.

        But if I go to PHP Error log and test it, it displays – the website cannot be shown.
        I get a blank page. Why?

        Best Regards – Alan

        • AITpro Admin says:

          Yes that is correct and intentional. The php error test should generate a 500 Internal Server Error. We will be changing that php error test to a simple php coding error that will still display the page, but also intentionally generate a php error so that we can display / echo a message that this is only a test and also generate the php error in your log for testing.

  7. Ahmad Ali says:

    Hello,
    I just purchased BulletproofPro a few hours back and am facing some problem when I try to activate the plugin. Here is the message WordPress gives me:

    Plugin could not be activated because it triggered a fatal error.

    Fatal error: Cannot redeclare bps_plugin_actlinks() (previously declared in /hermes/xxxxx/xxxxx/xxxxx/public_html/beautyskin/wp-content/plugins/bulletproof-security/bulletproof-security.php:57) in /hermes/xxxxx/xxxxx/xxxxx/public_html/beautyskin/wp-content/plugins/bulletproof/bulletproof-security.php on line 85

    Can you help me resolve this issue?

    Ahmad
    kam965@hotmail.com

  8. sander says:

    hi there!
    got a small issue with a javascript doing an xmlhttp request getting blocked (403)
    this is the url it is sending:
    http://www.somesite.com/?ptype=crating&id=340&action=add&path=http://www.somesite.com/?ptype=crating&imgIndex=2_14_

    i am not that good with htaccess, but how do i let this url structure pass?
    Can any of you advise on this?

    many thanks!

    • AITpro Admin says:

      You would create a unique Query String skip / bypass rule by taking a very small section of the query string that is unique. And then create this skip / bypass rule above skip rule #12. If the skip / bypass rule works then add it to the new Custom Code feature in B-Core.

      # xmlhttp bypass / skip rule
      RewriteCond %{QUERY_STRING} ptype=crating(.*) [NC]
      RewriteRule . - [S=13]
      
      • sander says:

        Hi, thanks for the quick update mate!
        i applied the code, and tried, but no luck.

        When i removed the “http://” bit from the query-string manually, it passed.
        (eg http://www.somesite.com/?ptype=crating&id=35&action=add&path=www.somesite.com/?ptype=crating&imgIndex=2_14_ )

        so it seems to check on “http://” within the query-string. how to pass this?

        • AITpro Admin says:

          *** UPDATE ***
          Email Reply:

          After checking the php script and looking what it does with this parameter… nothing!
          it seems an old parameter, since he commented it out, and used a local parameter for this ‘path’ value.

          So, i modified the javascript to NOT set this path parameter and still works and problem solved.

          Well blocking the http:// part is critical and protects against RFI hacking attempts on your website. This link is simulating a hacking attempt against your website so you need to isolate something that will limit the vulnerability of adding this rule. I need to know more information. There is obviously more going on than just this link then. I will send you an email with some questions that I will need for you to answer so that I can see the whole picture and not just this one small part of it.
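
An added example, not part of the original thread or of BPS: a Python check of how many requests the bypass condition posted above lets past a URL-in-query filter, compared with a tighter condition. The filter regex, the narrower pattern and every sample URL except the first are assumptions constructed for illustration, and the model assumes the skip count lands past the filter.

```python
import re
from urllib.parse import urlsplit

# ASSUMPTION: stand-in for the filter that returned the 403 in the thread
# (a query string carrying an absolute URL). It is not BPS's actual rule.
URL_IN_QUERY = re.compile(r"(?:https?|ftp)://", re.IGNORECASE)

# The condition posted in the thread.
POSTED = r"ptype=crating(.*)"
# Hypothetical narrower condition: anchored at both ends, every parameter
# spelled out, and only the site's own host accepted inside path=.
NARROW = (r"^ptype=crating&id=\d+&action=add"
          r"&path=http://www\.somesite\.com/\?ptype=crating&imgIndex=\w+$")

SAMPLES = [
    # (url, is this the request the site actually needs?)
    ("http://www.somesite.com/?ptype=crating&id=340&action=add"
     "&path=http://www.somesite.com/?ptype=crating&imgIndex=2_14_", True),  # from the thread
    ("http://www.somesite.com/?ptype=crating&id=340&action=add"
     "&path=http://other.example/file.txt", False),                          # constructed
    ("http://www.somesite.com/?page=http://other.example/file.txt"
     "&ptype=crating", False),                                               # constructed
    ("http://www.somesite.com/?PTYPE=CRATING"
     "&inc=ftp://other.example/file.txt", False),                            # constructed
    ("http://www.somesite.com/?page=http://other.example/file.txt", False),  # constructed
]


def cond_matches(pattern, query_string):
    """Emulate `RewriteCond %{QUERY_STRING} pattern [NC]`.

    mod_rewrite conditions are unanchored, and [NC] makes them
    case-insensitive, so this is a case-insensitive regex search.
    """
    return re.search(pattern, query_string, re.IGNORECASE) is not None


def classify(url, skip_pattern):
    """Return 'allowed', 'blocked' or 'bypassed' for one request.

    'bypassed' means the filter would have stopped the request, but the
    skip rule matched first and the filter never ran.
    """
    query_string = urlsplit(url).query
    if URL_IN_QUERY.search(query_string) is None:
        return "allowed"
    return "bypassed" if cond_matches(skip_pattern, query_string) else "blocked"


def audit(skip_pattern, samples=SAMPLES):
    """Count what a skip rule does to wanted and unwanted requests."""
    counts = {"wanted_passes": 0, "wanted_blocked": 0,
              "unwanted_bypassed": 0, "unwanted_blocked": 0}
    for url, wanted in samples:
        passes = classify(url, skip_pattern) != "blocked"
        if wanted:
            counts["wanted_passes" if passes else "wanted_blocked"] += 1
        else:
            counts["unwanted_bypassed" if passes else "unwanted_blocked"] += 1
    return counts


def as_htaccess(pattern):
    """Render a pattern in the form of the rule from the thread (same S=13)."""
    return ("# xmlhttp bypass / skip rule\n"
            f"RewriteCond %{{QUERY_STRING}} {pattern} [NC]\n"
            "RewriteRule . - [S=13]")


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("narrow", NARROW)):
        print(name, audit(pattern))
    print(as_htaccess(NARROW))
```

The posted condition matches any query string that contains `ptype=crating` anywhere, so it also lifts the filter for the three constructed off-site samples; the anchored condition passes only the request from the thread.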

  9. BF says:

    I recently purchased BPS Pro to lock down several wordpress sites after repeated hacks. I love the product and feel very confident that my sites are protected now.

    I do have one issue however. One plugin I use is called Video ShowCase. This is part of the DisplayBuddy set of plugins from ithemes (http://pluginbuddy.com/purchase/displaybuddy/ ).

    Video Showcase allows me to add a set of YouTube videos that play in a pop up lightbox. Unfortunately, ever since installing BPS pro and tightening down my .htaccess file, the Video showcase does not work. Every time I use it I get a custom 403 error generated by BPS pro.

    here is the link for a video in a lightbox -http://mysite.net/wp-admin/admin-ajax.php?action=vscdoom&movie=http://www.youtube.com/watch?v=BLLxSvr2io8&feature=relmfu

    I would appreciate your support.

    • AITpro Admin says:

      *** UPDATE ***
      Confirmed fix to allow admin.ajax to be called outside of the wp-admin area.
      This bypass / skip rule will be added to the plugin fixes page.

      # Allow wp-admin files that are called by plugins
      # Fix for WP Press This
      RewriteCond %{REQUEST_URI} (press-this\.php|admin-ajax\.php) [NC]
      RewriteRule . - [S=1]

      At what point are you seeing a 403 error? When trying to add a video or when trying to view the video? If this 403 error is occurring when trying to view the video then please send the actual link to where the video is posted on your site in a private email to info[at]ait-pro[dot]com. Thanks.

  10. balancek says:

    Hi,

    I get this error message when i try to activate BPS Pro:

    Warning: require_once(/home/xxxxxx/public_html/news2/wp-content/plugins/bulletproof-security/includes/class.php) [function.require-once]: failed to open stream: No such file or directory in /home/xxxxxx/public_html/news2/wp-content/plugins/bulletproof-security-for-Wordopress/bulletproof-security.php on line 43

    The free version is working fine so far and the file class.php is on the server and on its place.

    Any ideas.

    Thanks

    balance

    • AITpro Admin says:

      The name of the plugin folder is critical in order for any plugin to work correctly. You cannot rename the plugin folder name. Please rename the folder /bulletproof-security-for-Wordopress to /bulletproof-security. Also if you have renamed the bulletproof-security.zip file to some other name then you will need to rename it back to bulletproof-security.zip.

  11. Simon says:

    I set my WP site up over a year ago. I’ve currently got BulletProof Security .45.7. WP is telling me there’s an update to .46.8 and offering me the option to ‘update automatically’. Does automatic update work with BPS or will I have to configure everything again? Frankly, I can’t really remember how to do that so I’ll have to dig out the manual again, if necessary.

    • AITpro Admin says:

      For BPS Free you would update it like any other plugin and yes the plugin files would be updated automatically. What is not updated automatically is any new .htaccess code that has been added to BPS from .45.7 to .46.8. A lot has changed. AutoMagic was added several versions back, which will automatically create new Master .htaccess files for your website with one click. Please read the Read Me help button in .46.8 for additional specific help info.

  12. Robert says:

    Hi,
    I love your plugin so far. I tend to use a lot of custom fonts when developing sites and your plugin seems to have blocked those. Is this possible and is there a workaround? Thanks.

    • AITpro Admin says:

      *** UPDATE ***
      Not a BPS issue – the issue was isolated to IE7 and IE8 and cache

      BPS would not be blocking fonts directly so logically maybe a stylesheet being called from a Theme is being blocked? Some Themes use allow_url_fopen to open image files and stylesheets. Try changing allow_url_fopen from Off to On in your custom php.ini file.

  13. James says:

    Hey guys, I want to upgrade from my free BP security plugin to the Pro version. How can I do this without leaving any time for vulnerability? (i.e. while the old free plugin is deleted and the Pro plugin is not activated yet)

    Thanks,

    James

    • AITpro Admin says:

      When you uninstall the free version in order to install BPS Pro the .htaccess files for the free version remain on your website. Only the BPS free plugin files themselves are removed. This means that your website is fully protected even when you uninstall the BPS free version. ;)

  14. Good afternoon,

    I have successfully installed Bulletproof Pro and activated my website for the first time.

    I advised individuals of my website and advised them that the new site is http://rcmpveteransvancouver.com.

    Most of my friends were able to open the website while others received an ‘unknown site’ or the Shaw.ca screen. When I went to check different search engines the website was not found.

    Is my problem associated to how my Bulletproof Security plug is configured?

    Thanks in advance

    Sheldon

    • AITpro Admin says:

      I was able to open and view your website, but i found these things below very odd.
      Your domain age is: Record created on 2011-10-14 06:19:40.
      You do not have any pages indexed by Google using the “site” search term: site:rcmpveteransvancouver.com
      You are using a sitemap plugin and i can see that your sitemap goes back to November: http://www.rcmpveteransvancouver.com/sitemap.xml
      Do you by any chance have WordPress Privacy set to: Ask search engines not to index this site.?

      Your source code shows this: meta name="robots" content="index, follow" so it does appear that you are allowing indexing.
      And your website DNS info looks good.

      I am not exactly sure what is wrong, but BPS does not affect indexing of pages or sitemaps.
      What i recommend is that you create a Google Webmaster Tools account and add your site to see what might be wrong with it.

      And i thought of one more possibility – is this a duplicate website? If you have 2 identical websites with identical content then Google will only index one of them and not both of them.

      And Shaw.ca is an ISP not a web host so that would be an Internet connection problem and not a website / web host problem.

  15. Learnactive says:

    Installed BPS Pro and I have a few problems that I’d like to resolve before we go live (currently the site is private):

    PHP Errors – I get the following persistent errors in my php error log:
    PHP Warning: session_start() [function.session-start]: open(/var/chroot/home/content/xx/xxxxx/tmp/sess_5948b9c281b696e5f52eac0f5cdda5fa, O_RDWR) failed: No such file or directory (2) in /home/content/xx/xxxxx/html/content/wp-content/plugins/events-manager/classes/em-notices.php on line 11

    PHP Warning: Unknown: open(/var/chroot/home/content/xx/xxxxx/tmp/sess_5948b9c281b696e5f52eac0f5cdda5fa, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

    PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0

    I had added a skip rule for Events Manager but the errors persist.

    WP Super Cache and WP 3 Cache
    I tried installing both plugins but after manually adding the “define('WP_CACHE', true);” to WP_CONFIG, I lose access to my admin area and get a blank screen. With WP 3 Cache, I also see the HTML for my WP-CONFIG (complete with user name and password) when I go to my login page after activating cache in WP-Config

    Backup Buddy
    I get a red warning for disabled php functions system, exec, passthru, shell_exec, show_source, popen, pclose, pcntl_exec; and two yellow warnings for (1) Zip Methods exec (best) > ziparchive > pclzip (worst) ziparchive, pclzip & (2) AddHandler in .htaccess host dependant exists

    Minor Issue: I am able to get Google XML Sitemaps to generate a sitemap

  16. Tony Payne says:

    Hopefully the last problem… WP Super Cache…

    Having upgraded to BPS Pro I tried to activate WP Super Cache, but had to manually add the “define('WP_CACHE', true);” line to my wp-config.php file.

    Within a minute of doing this, the update is gone, so I guess the auto check and restore functionality of BPS Pro is working fine.

    What procedure should I use please to make changes to install a plugin like WP Super Cache which updates the wp-config.php and .htaccess files?

    • AITpro Admin says:

      Yep we have a couple of things to iron out with AutoRestore. That is why we only released AutoRestore CM for the WP Core Root files. This post focuses on W3TC, but the same principles apply to WPSC >>> http://www.ait-pro.com/aitpro-blog/3894/bulletproof-security-pro/autorestore-cm-automatic-file-restore-countermeasure-help-and-faq/

      Once we are satisfied with how the first generation of AutoRestore CM is performing then we will release the Full Site AutoRestore. The biggest concern of course is making absolutely 100% sure that Full Site AutoRestore does not interfere with WordPress upgrades. ;)

      • Tony Payne says:

        Thanks for that. Guess I need to turn off the auto-restore so I can edit and backup my files, then turn it back on again. Once the site is stable it should be ok.

        • AITpro Admin says:

          Yep unfortunately for now this extra step is necessary. I think the winning concept is going to be a pop up alert that alerts you that a file has been modified outside of BPS and do you want this change to be allowed. Then when you click Yes (timer countdown) then AutoRestore will back this new file up, which will make both your active file and the backed up autorestore file identical and autorestore will not try to restore the file.

  17. Tony Payne says:

    Sigh, always a problem when you least expect it :(

    I just tried to install BPS Pro having already been using the basic version, and now I have a problem…

    I thought I followed the instructions, unzipping the downloaded files into a folder called “bulletproof-security” and uploading that into my plugins folder, overwriting the previous version.

    When I go into my site, I get a banner at the top of the dashboard that tells me the first thing I need to do is to Activate the plugin. When I click on that link, I get the following error…

    Fatal error: Call to undefined function __e() in /home/xxxxx/public_html/_mydomain.com/wp-content/plugins/bulletproof-security/admin/activation/activation.php on line 86

    I’m not sure what the best thing to do is to proceed. I thought to delete the folder and to re-upload the Pro version on its own, but rather than make a worse mess, I hope this is something that is easy to fix.

    Thanks.

    • AITpro Admin says:

      The easiest way out of a “bad” installation is just to deactivate and delete all plugin installations of BPS Free and BPS Pro from within the WP Dashboard. This does not remove your website security and ONLY removes all the BPS plugin files. Then use the WP Upload Zip installer and install the BPS Pro zip file. Once you have BPS Pro installed successfully you will then use the BPS Pro built-in upload zip installer for any future upgrade installations. In BPS Pro 5.1.6 we will be adding a direct upgrade installation, but BPS Pro 5.1.6 will still require that you download the zip file and then use the BPS Pro upload zip installer. BPS Pro 5.1.7 will be a direct upgrade installation from within the WP Dashboard.

      • Tony Payne says:

        And I just saw that I should have renamed the existing bulletproof-security folder before uploading. Oh well… Will see if this works…

        Everything takes time to create and make perfect, I have to admit after 30 years in IT that automated processes that eliminate the need for people to do little else but press an install button are a lot less error proof than manual installs :)

        • Tony Payne says:

          Houston, we no longer have a problem, thanks for the prompt response.

          If I install BPS Pro for subsequent sites, do I need to get a new Activation key for each? I assume I use the same Download Key of course.

          • AITpro Admin says:

            Yep Activation Keys are unique to each site so yes you would need to use the Get Key button to request an Activation Key for each individual website. And yep your Download Key works for all of your websites.

        • AITpro Admin says:

          Yep I could not agree with you more about automation. I have 20+ years in IT so yeah the more automation you have the less user errors you have. ;) BPS already has a massive amount of automation, but we are always trying to increase that automation to the max limit. Too much automation creates other problems so there is a point where too much automation becomes a bad thing.

  18. Jon says:

    I was putting my site into maintenance mode, but when I did so it kicked me out of the admin console so I cannot get in to make changes. How can I fix this? You can see it at http://myduhawk.com

    Thanks,

    Jon

    • AITpro Admin says:

      Hi,
      I just responded to the email you sent. If you are locked out of your site you will need to FTP or use your Web Host Control Panel and delete the .htaccess file in the Root folder of your website. This will allow you to log back in and then use AutoMagic to create new Master .htaccess files and then Activate BulletProof Modes. Thanks.

  19. Tommy says:

    Is there a developer version of the bulletproof pro so I don’t have to get a license for each and every install?

    • AITpro Admin says:

      We may decide to offer a Developer version of BPS Pro at a later date. The general idea is we are offering BPS Pro at a ridiculously cheap price considering what the finished BPS Pro product will eventually be and we are not limiting installations or requiring an annual subscription. So for now the licensing rules are as follows:

      The BulletProof Security Pro license does not have a limitation on the number of websites, website domains and website hosting accounts that you can install BulletProof Security Pro on, as long as these websites, website domains and website hosting accounts are either owned directly by you, supported directly by you or managed directly by you on an ongoing basis. Please read the BulletProof Security Pro Software License before purchasing BulletProof Security Pro.

      The licensing problems we have already encountered so far are: If someone is primarily offering web hosting services then giving BPS Pro away free as part of the hosting cost is not cool. If someone is building websites for people then giving BPS Pro away free as part of the website design cost is not cool.

      So what we are looking into and discussing is how to offer something to Developers that will make their jobs easier and at the same time not shoot ourselves in the foot and create a huge problem for ourselves. We should come to a final resolution on how to best proceed by March or April.

      Thanks,
      Ed

  20. Ahmad Wali says:

    And yes another question the Pro license is for unlimited sites of mine? I have more than one wordpress blog, thank you.

    • AITpro Admin says:

      Yes, here is the general policy of the license.
      The BulletProof Security Pro license does not have a limitation on the number of websites, website domains and website hosting accounts that you can install BulletProof Security Pro on, as long as these websites, website domains and website hosting accounts are either owned directly by you, supported directly by you or managed directly by you on an ongoing basis. Please read the BulletProof Security Pro Software License before purchasing BulletProof Security Pro.

  21. Ahmad Wali says:

    Hello Ed,

    I have few questions regarding BPS Pro.

    Is there any tutorial step by step in setting up the plugin?

    Is it ok to use with W3 Total Cache Plugin? (w3 total cache add some strings to .htaccess)

    Like any other plugins it is automatically updated with single click from WP dashboard for updates?

    Thank you

    Regards
    Wali

    • AITpro Admin says:

      The only tricky thing to set up at this point is the custom php.ini file because manual steps may be required if your Host is not a big brand name Host. We will have this as automated as much as possible in the release of BPS Pro 5.1.5 within the next 1 week to 2 weeks. The P-Security video tutorial shows the steps that you would need to perform to manually create your custom php.ini file. All the other aspects of BPS Pro set up is all point and click so tutorials are really not needed. BPS Pro has extensive Help info throughout the plugin and BPS Pro has an extensive messaging system that will tell you what needs to be done – no guessing and no possibility that some part of the setup was not done. Yes BPS Pro is designed with W3TC specifically in mind and has custom coding checks just for W3TC to ensure everything is working together with W3TC.

  22. Christine says:

    Hi there, great plugin, the pro version is working awesome on one of my sites. I attempted to install it on a second site and it doesn’t work properly. It seems to activate properly but none of the functions are visible. You can see a screenshot of the problem here. All functions such as b-core, p-security, s-monitor, etc., look like that. Nothing shows up beneath the gray line. I’m not sure if I’m doing something wrong or if there’s an incompatibility … ? Can you help? Thanks, Christine

    • AITpro Admin says:

      Hi Christine,

      I just checked the Server Logs and i see the problem. You are one of those unlucky people who got a dot ( . ) on the end of your Activation Key. The dot is actually part of the encrypted key. ;) If i had known beforehand what a pain this was going to turn out to be i would have stripped out all dots from the encrypted keys. Too late now because too many people have Activation Keys with dots in them. Sigh. So just add the dot on the end of your Activation Key and resave it. Thanks for choosing BPS Pro!!!!

      Best Regards,
      Ed

  23. I just installed pro… did all of the setup per the instructions… everything is Green, seems good, but I cannot get maintenance mode to work.

    I followed all of the steps.

    The radio button will not turn on, and maintenance mode will not take effect.

    I had the exact same problem with the free version, that’s why I bought Pro.

    However, I have the same problem and am stuck.

    • AITpro Admin says:

      After you have created your new Maintenance Mode form (filled in your Form text boxes, click the Save Form Settings button, click the Create Form button) when you Preview your Maintenance Mode page (clicked the Preview Form button) does the Maintenance page display correctly?
      When you click the Create htaccess file do you see this message displayed? >>> Success! Your Maintenance Mode htaccess file was created successfully! Select the Maintenance Mode radio button and click Activate to put your website in Maintenance Mode.
      If your Root .htaccess file is locked you will see this error message >>> Failed to Activate Maintenance Mode! Your Website is NOT in Maintenance Mode!
      If your Root .htaccess file is locked you must unlock it first before activating Maintenance Mode.

      When Maintenance Mode is successfully activated you will see this message displayed
      Warning: Maintenance Mode Is Activated. Your website is now displaying the Website Under Maintenance page to everyone except you. To switch out of Maintenance mode activate BulletProof Security Mode. You can log in and out of your Dashboard / WordPress website in Maintenance Mode as long as your current IP address does not change. If your current IP address changes you will have to FTP to your website and delete the .htaccess file in your website root folder (or download the .htaccess file and add your new IP address and upload it back to your root website folder) to be able to log back into your WordPress Dashboard. Your ISP provides your current Public IP address. If you reboot your computer or disconnect from the Internet there is a good chance that you will get a new Public IP address from your ISP.

      Are you seeing any error messages?

      Thanks

      • OK I unlocked the root .htaccess.

        In maint mode I clicked on create .htaccess.

        This is the message I got: Your Root .htaccess File is not Locked
        Click Here To Lock your Root .htaccess file.
        Success! Your Maintenance Mode htaccess file was created successfully! Select the Maintenance Mode radio button and click Activate to put your website in Maintenance Mode.

        Then I click the radio button, and click on activate maint mode.

        I get this:

        Your Root .htaccess File is not Locked
        Click Here To Lock your Root .htaccess file.

        Failed to Activate Maintenance Mode! Your Website is NOT in Maintenance Mode!
        If your Root .htaccess file is locked you must unlock it first before activating Maintenance Mode.

        I’m going around in a tight circle.

        Thanks for your help.

        • Also… FYI… nowhere in the activate maint mode instructions does it state to unlock the root.htaccess file.

          • AITpro Admin says:

            *** UPDATE – The Maintenance Mode Form will now override the File Lock so it is no longer necessary to unlock the Root .htaccess file first and Help Info has been updated as well – The new bulletproof-security.zip file with these changes is now available for download ***
            Yep that Help info needed to be updated and has already been updated in 5.1.4. ;)

        • AITpro Admin says:

          Ok these are 2 separate messages. You obviously want your Root .htaccess file to be unlocked when you are trying to activate Maintenance Mode so you can disregard that warning message.

          Ok so you are getting as far as successfully creating the maintenance mode .htaccess file so what this means is that the copy function is unable to copy the maintenance .htaccess file to your website Root folder.
          Are you doing anything with DNS, redirection, special WordPress setup or is this just a standard WordPress set up? I doubt it would be a folder permission issue since you are able to activate the Root .htaccess file. Most likely I will need to log into your site and see what the problem is. I will send you an email directly in a few minutes.

  24. Hi, Edward,

    Thanks for BPS Pro 5.1.3. It’s great. I just did a new installation on http://mymobicontact.mobi and I cannot get the server to find the correct error log. I have set the error log appropriately and it functions. I just can’t get the server to find the php.ini file I’ve created at the root of public_html. I have the correct error log in the php.ini file and the server just keeps reading “error_log”. I contacted Hostgator and they helped–yet the problem persists.

    In BPS Pro 5.1.2 you had the specific adjustments in the .htaccess code for Hostgator which really worked. I see they are no longer used in BPS Pro 5.1.3. That used to be the way I could get the server to find the correct php.ini folder.

    Any suggestions? You have both Admin and FTP privileges for the website. (I’ll send you the details separately.)

    I really appreciate the effort and quality of the BPS Pro product. Thanks for being so good!! Best Regards, Joel

    • AITpro Admin says:

      BPS Pro 5.1.3 is doing some advanced DNS Name Server / Host detection now to automatically write your php.ini handler .htaccess code to your Root .htaccess file when you click the Create secure.htaccess AutoMagic button. In your case you had a Private Name Server that had not been added to BPS Pro AutoMagic yet. I logged in, installed BPS Pro with your Private Name Server added and your php.ini handler Root .htaccess code was automatically written for your website correctly. If you have any other sites that have Private Name Servers just send the names of those Private Name Servers and we can quickly add them to BPS and send you a new zip file with your Private Name Server added to AutoMagic. Please also see this post for reference >>> http://www.ait-pro.com/aitpro-blog/3576/bulletproof-security-pro/custom-php-ini-faq/#web-hosts-list

      Thank you.

      Ed

  25. Jon says:

    I have been trying to install BPS Pro on some of my websites and on a few they will not send out the activation key for that particular website. Have had no issues on most of my websites that I have installed it on – tried reinstalling, deleting files with nothing seeming to work. Any ideas of what I might have done wrong or need to do? Thanks.

  26. Dave says:

    Re: 5.1.1 upgrade

    I backed up my current BPS Pro and downloaded it, then uploaded the new 5.1.1 zip via the BPS uploader. I went to the f-lock page and configured it to stop checking wp-config.php because it is one level up from the wordpress install, but it still complains. It’s also reporting that the version is 5.1

    Do you think it only partially upgraded or is something else wrong?

    • Dave says:

      It’s now reporting that other files are not locked as well: http://i1139.photobucket.com/albums/n554/itsupportcm/filelock-2.png

      • AITpro Admin says:

        Is this occurring even after you refresh your browser or reload the page? Even though real-time checking is going on you still need to reload the page for the PHP script to run those checks. If you have reloaded the page and you are still seeing these errors then create a temporary WP Admin login and send it to info[at]ait-pro[dot]com. Thanks

    • AITpro Admin says:

      5.1.1 is a sub release of 5.1. The .htaccess files will still show 5.1, but if you look at the footer links in BPS you will see 5.1.1. I will be releasing at least one more sub release 5.1.2 before 5.2 is released. What is the exact error message and problem going on with the wp-config.php file?

      • Dave says:

        The problem is that despite a full logout and re-login, as you can see in the screenshot it is giving warnings despite having “turn off checking and alerts” for wp-config.php. If you recall we can’t monitor this file because it is one level up from the site.

        I’ll move this conversation over to you email now and add more.

        • AITpro Admin says:

          Yep that was why i added the Turn Off Checking and alerts option for the wp-config.php file. I must have missed a condition check in the coding somewhere if it is not turning off checking for the wp-config.php file. yep send me an email and include a temp Admin login account so i can create the additional coding to correct this. I will then incorporate this coding in the next release.

  27. Dave says:

    More questions:

    1) The Security Status page has recommended permissions for key folders and files. Are the folder permissions meant to be applied recursively? If so, to all folders/files/both?

    2) Is there a way to hide what plugins are installed?

    For example, someone can go to my site and check for BPS using:

    http://www.domain.com/wp-content/plugins/bulletproof-security/admin/images/bps-pro-logo.png

    This can be done for most plugins and seems like a potential risk.

    • AITpro Admin says:

      1. I have added the folder permissions recursively on my sites, but i cannot recommend this to anyone because you may have subfolders for plugins or other things that may then not work correctly. So if you decide to use recursive folder permissions then be sure to monitor your php error log for errors and note the folder location of whatever plugin or whatever else is not happy about the new folder permissions, then you can manually change the folder permission for just that specific folder.

      2. Well here is the thing in general about trying to hide things. You can hide things from human visitors very easily, but it is pretty much impossible to hide from bots (unless of course you write specific code to deal with specific bots). 99% of all hacking recon and hacking attempts are done with bots. ;)

      Yes, this is known as a Signature. Unfortunately, no matter what approach you take you will be giving away that BPS is installed – no response, 500 response, 404 response, 403 response, etc. BPS is designed to BlackHole hackers scripts instead of trying to hide itself or hide anything else, since using a hiding approach is never going to provide any sort of real security. BPS has built-in self protection to protect itself – all plugin files and all security files – .htaccess and php.ini. You cannot view any core BPS plugin files from a remote location and you must be logged in as an Admin in order to perform any Admin tasks.

  28. Hello,

    I’m an experienced WP user but just installed and configured your plugin last night (at home) and all checks went well and the site was working great.

    I’m now in another location and the site won’t load, either the frontend or the backend. I get this message:

    lifestylechangeup.com
    Your IP Address is: 72.91.2.11

    I am guessing that the .htaccess rules the plugin created are maybe restricting access to the IP of my home network, but I really don’t know…it’s just a guess.

    Have you seen this error before and if so, can you offer some advice on how I may correct this? Unfortunately I have a need to connect to the site from various locations.

    Thanks for any advice or troubleshooting you can help me with.

    • AITpro Admin says:

      It looks like you have Maintenance Mode activated if you are seeing this. Please create your Master .htaccess files by clicking the AutoMagic buttons, then add any additional custom .htaccess code to your secure.htaccess file (using the built-in File Editor) if you have any custom .htaccess code (a php handler, additional rewrite rules, additional filters, etc) before activating it and then Activate BulletProof Mode for your Root folder.

  29. Dave says:

    I’ve just got BPS Pro up and running, but i’ve got a few questions.

    1) In CGI Permissions & Status Table, I’m getting errors that “The wp-config.php file does not exist.”, but BPS is looking in the wrong location. My config file is stored 1 level up outside the www folder as specified here: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php, ie /home/username/ not /home/username/domain.com/

    What should i do?

    2) I’m getting the same errors for GWIOD – Root .htaccess and index.php, and it indicates that it is looking for them in the root of my hosting (/home/username/) and not the www root. Should I actually have an .htaccess and index.php there or should i disable Checking & Alerts for this? Sorry if i missed this in the instructions

    3) The php.ini file for Dreamhost contains the following:

    [IonCube for PHP 5.3+ and FastCGI]
    [DH is using IonCube over Zend Optimizer - they are really almost exactly the same thing]
    [IonCube is very important for increasing security and performance]
    [Replace username below with your DreamHost shell username / host account username]

    zend_extension = /home/username/ioncube/ioncube_loader_lin_5.3.so

    Am I supposed to go download this file and add it? That file doesn’t exist in my account. I’m intending to use a phprc file and not a php.ini file btw.

    4) I’m getting a some PHP errors after switching to PHP 5.3 and adding the BPS suggested changes to the PHP configuration. There seems to be a conflict with the qtranslate plugin:

    [05-Dec-2011 09:30:03] PHP Warning: Cannot modify header information – headers already sent by (output started at /home/username/domain.com/wp-content/plugins/bulletproof-security/403.php:34) in /home/username/domain.com/wp-content/plugins/qtranslate/qtranslate_core.php on line 71

    5) Is there any benefit to using WordPress Firewall 2 or similar plugins in conjunction with BPS pro, or does BPS already do everything offered by Firewall 2? Also, have you looked at the 5G firewall (http://perishablepress.com/5g-firewall-beta/) to see if there is anything it covers that BPS doesn’t?

    Lastly, the mouseover tips have a lot of good info but implementing them as a mouseover is less useful for end users. Even on a big screen, some of the larger help mouseovers don’t fit vertically and info is cut off. It’s also not possible to copy and paste the info, so for bits and pieces i want to keep i have to view the source and copy it from there. It would be much more useful to just have them as popup windows imho.

    Thank you for your hard work on this fantastic plugin.

    • AITpro Admin says:

      1. yep we have already created a solution for this. All F-Lock files now have “Turn Off…” option to turn off checking and alerts for each file individually. This will be included in 5.1.1 that should be released by Wednesday or maybe by tomorrow. For now please just ignore this warning.

      2. GWIOD already has a “Turn Off…” option so just turn that checking off. GWIOD is just for those folks who are using “Giving WordPress its Own Directory” method.

      3. With DH you can have some options explained here and there are some DH resource links included also >>> http://www.ait-pro.com/aitpro-blog/2853/bulletproof-security-pro/php-ini-general-and-host-specific-php-ini-information-for-bps-pro/#dreamhost
      The BPS master php.ini file for DH already contains everything you need including the Zend / IonCube directive. Also when you save your custom php.ini file you will be naming it phprc without a file extension. The end result and full path where the custom php.ini file will be is going to look like this >>> /home/username/.php/5.3/phprc for DreamHost. If you want us to set this up for you then just complete the first Control Panel steps of creating the /.php/5.3/ folders in your Control Panel. The help info for DreamHost on the php.ini help page has been updated.

      4. Hmm ok i will put this plugin in testing. What the error message looks like at first glance is that something in qtranslate is being blocked / 403 Forbidden.
      *** Update*** ok i tested the qtranslate plugin and was able to replicate the error. What is happening is qtranslate is trying to set a cookie for the 403 template when a 403 Error occurs. Or in other words qtranslate is actually trying to translate the 403 template. The template is designed as a BlackHole template that logs HTTP errors, therefore qtranslate is generating a php error because the qtranslate script is failing. This is only a PHP Warning error in any case. You will also see a corresponding HTTP error in your HTTP Error log when whatever Forbidden action caused a 403 Forbidden error. Unfortunately, this is a normal BPS process and usually will NOT generate an additional php error, but due to the way that qtranslate is designed to work an additional php error is being generated. Hopefully this will not occur that often. You will only see these errors when someone performs an activity on your site that is Forbidden or when a hacker is trying to hack your website.

      5. BPS already does it all. ;) But you could use additional security plugins if you like. Yep i have looked over the Perishable Press site and have found at least one thing that i incorporated. Mostly the Perishable Press site is focusing on blacklisting and blocking the bad guys. BPS is focused on BlackHoling (sending em to no mans land) and Logging the bad guys.

      Yep I am aware of that issue and what i did as a temporary measure is to create this page >>> http://www.ait-pro.com/aitpro-blog/2845/bulletproof-security-pro/bulletproof-security-pro-hover-tooltips/ but you are correct the hover tooltips are grossly maxed out. We are looking at several alternatives at this point and the #1 choice is your suggestion – a thickbox pop up. ;)

      • Dave says:

        1) OK, so I will turn ignore the warning for now, but just to be 100% clear, keeping wp-config.php 1 level up *is* better than keeping it within the wordpress folder & using CGI locking?

        2) Got it, thanks

        3) “The BPS master php.ini file for DH already contains everything you need including the Zend / IonCube directive”

        Yes, but it is the file referenced in the master php.ini that is confusing me:

        zend_extension = /home/username/ioncube/ioncube_loader_lin_5.3.so

        I don’t have any ioncube folder in my user directory, should i?

        4) re: qtranslate, the 403 error does seem to be happening a *lot* and my site isn’t live yet and is a private site for students that requires login. Perhaps people are just poking at random URLs, but that should redirect them to the login page. I’ll check the https logs to see if i can make more sense of it. I do know that I’ve intentionally caused 403 errors trying to go to blocked resources and nothing was added to the log, but sometimes I’ll see 10 errors within a 5-10 second period. With your better understanding of the problem, if there’s anything you can explain to the qtranslate dev to get rid of this by all means please do!

        I’ve one additional php error coming up daily as well from the BackWPup:

        [05-Dec-2011 16:39:15] PHP Notice: ob_end_clean() [ref.outcontrol]: failed to delete buffer. No buffer to delete in /home/username/domain.com/wp-content/plugins/backwpup/job/job_run.php on line 38

        If you’re interested to recreate this error as well, it seems to happen running any job (backups, db optimize). I’m backing up to sugarsync if that matters…

        5) Woohoo!

        I hate to complain further, but you guys really need some kind of forum for the plugin soon. Browsing this comment list will be very cumbersome as it grows and it will probably create extra work for yourselves too.

        • AITpro Admin says:

          1. Both moving wp-config.php to a Server Protected folder and file locking basically achieves equal file security protection. So one is not better than the other because both achieve the same thing.

          2. Cool.

          3. This is a loaded extension file so all you need to add is your actual /username/ which is your account name that you see after /home/. The ioncube folder exists at a level that you will not see or are restricted from seeing – This is a Server Protected folder that only Server Admins can access.

          4. A typical regular website will probably average about 2 hacking attempts a day. The AITpro website averages around 700 hacking attempts a day. ;) 99% of hacking attempts or hacking recon is done with bots. The bot programs are completely automated and can be told where to go or they can also just follow URL’s randomly based on programmed search criteria. Well i guess adding some sort of php if statement like this in qtranslate – if this file is the BPS 403.php template file then exit script processing. At least that is the approach i would take. ;) The thing is what is occurring is natural up to qtranslate trying to translate the 403.php template. I’ll send an email to the qtranslate author about this.

          Regarding the backwpup error and any other php errors that occur the idea is that php error logging is a good thing. The errors tell you that there is an issue or problem with some coding somewhere that you should look at. These php errors were occurring before on your website, but you just did not know about them. ;) You have different levels of php errors: The 3 main ones are Notice, Warning and Fatal. Also the default error reporting directive in the custom php.ini Master files is >>> error_reporting = E_ALL | E_STRICT. You can change this to show only php Fatal errors, but the idea is that php error logging is there to let you know about issues and there are a lot of php errors that will occur naturally, such as a temporary loss of connectivity by your host or many other things that can occur naturally.

          Yep tell me about it. I am planning on adding a sophisticated comment searching feature that will actually find the exact comment in the search term you used. This is getting closer to making it to the top of my list of things that need to get done. ;)

  30. angelo says:

    BulletProof Pro 5.1 – For those who have made attempts to set secure.htaccess to allow the use of the script /wp-content/themes/themecurrent/scripts/timthumb.php (secure version): I cannot get thumbnails of images. Only by setting the default.htaccess (to root) can I get the preview images. My theme makes central use of previews and I cannot give up this option. The instructions and the FAQ for setting the RewriteCond and RewriteRule controls are not very clear, especially for those who do not speak English and do not know the Apache rewrite instructions. I have already made many attempts at setting all the possible permissions of the directory /scripts/cache (755 or 777). Is it possible to have a clear example of how to write the section # ALLOW SCRIPTS TO DISPLAY IMAGES thumbnailer for my situation, assuming that the RewriteRule skip of the previous section is set to S=2 as in the base secure.htaccess in version 5.1? Is it possible that the error is somewhere else?

    • AITpro Admin says:

      In order to have thumbnail images display and Skip all BPS security filters you only need to change RewriteRule . - [F,L] to RewriteRule . - [S=1]
      The additional instructions are ONLY there to let you know that if you decide to remove the RewriteRule altogether then you would need to change all the other Skip Rule numbers S=2, etc. that come before this Skip Rule. If changing [F,L] to [S=1] does not work then please create a temporary WP Admin account and send it to info@ait-pro. Thanks.

      Another cause for thumbnail images not displaying:
      If you are using the Thesis Theme or another Theme that uses allow_url_fopen to handle displaying thumbnail images then you will need to change allow_url_fopen from Off to On in your custom php.ini file. The BPS .htaccess filters already protect against RFI hacking attempts so it is ok to change this php.ini setting / directive.

  31. Eric says:

    OK, so having difficulty with the php.ini logs and files on dreamhost. I apologize, but I just don’t comprehend your instructions on getting the path correct on dreamhost. And with regard to my error log, when I test it, I’m receiving this error:

    Parse error: syntax error, unexpected ‘{‘ in /home/xxxxxxxx/wp-content/plugins/bulletproof-security/admin/test/bps-error-log-test.php on line 5

    • AITpro Admin says:

      Yep DreamHost custom php.ini set up is very complex. If you want we would be glad to check that everything is ok. Just create a temporary Admin login account and send it to info[at]ait-pro[dot]com. The error message is intentional – when you click to the Test Error Log button it will generate a PHP error in your PHP error log to test that it is working correctly. ;) Thanks.

  32. Eric says:

    I removed the BP Free folder, and tried to install BP Pro – now I’m getting this error:

    Warning: require_once(/home/xxxxxxx/wp-content/plugins/bulletproof-security/includes/class.php) [function.require-once]: failed to open stream: No such file or directory in /home/ericr/ridleylawoffices.com/wp-content/plugins/bulletproof-security1/bulletproof-security.php on line 44

    • Eric says:

      Ah, never mind. Found it. It was the file renaming error.

      • AITpro Admin says:

        Cool. We already posted a reply so we will leave that reply up for anyone else who might run into this issue. What i have noticed in the PCLZIP coding is that this is actually a built-in feature to not overwrite something so it is actually a safety precaution and not a bug. By renaming a bulletproof-security folder first before using PCLZIP this issue of an appended number being added does not occur. ;) Thanks.
        Ed

    • AITpro Admin says:

      This is a known issue when using the WordPress PCLZIP zip installer. If you look at the error message you will see that the bulletproof-security folder has a number appended on to the end of it >>> bulletproof-security1. FTP to your website and rename the folder to just bulletproof-security by removing the appended number 1 from the folder name. Once you have BPS Pro installed then in future installations of BPS Pro you should use the built-in BPS Pro Zip installer. We will be releasing Full and Incremental upgrades so the WP Zip installer would not work for all the things that we need to do. Plus we wanted to add a Zip backup. Thanks.
      Ed

  34. Mark Ayers says:

    I need some help figuring out how to keep the secure .htaccess AND allow the HUMANS.TXT plugin to write the humans.txt file to root. I’ve started exploring for an answer/education for myself. Still, I don’t want to hack the good .htaccess provided and wreck the good it is doing.

    • AITpro Admin says:

      Upgrade to BPS Pro 5.1 and let me know if this problem still exists. I will install this plugin and test it out for security coding issues and to see what is being blocked. Thanks.

      *** UPDATE ****
      I have looked at the coding in this plugin and it does not contain any security coding whatsoever. I cannot approve it and will not continue to test it any further.
      What should be in the coding of this plugin that is not is:
      1. is_admin
      2. if (current_user_can('manage_options')) {
      3. check_admin_referer( 'the_nonce_for_the_form' );
      4. wp_nonce_field('the_nonce_for_the_form');

      For Settings API
      Needs to be Registered, Filtered and Validated.
      1. settings_fields('the_settings_fields_option');

      This plugin contains raw code without any security coding whatsoever. Use at your own risk or add your own security coding before using it.

      FYI – in most cases if BPS is blocking something it is usually for a very good reason. ;)

      Thanks,
      Ed
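
The four checks listed in the reply above, put together in one small settings screen. This is an added example, not code from the humans.txt plugin or from BPS; the exht_ function names, the exht_humans_text option and the exht_save_humans nonce action are hypothetical.

```php
<?php
/*
 * Plugin Name: Example Humans Text (hypothetical, added example)
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse direct requests to this file from outside WordPress.
}

// 1. is_admin(): register the settings screen and its save handler only
//    for requests that go through wp-admin.
if ( is_admin() ) {
    add_action( 'admin_menu', 'exht_add_page' );
    add_action( 'admin_post_exht_save_humans', 'exht_handle_save' );
}

function exht_add_page() {
    // The third argument makes WordPress hide the menu entry from users
    // who lack the capability.
    add_options_page( 'Humans Text', 'Humans Text', 'manage_options', 'exht-humans', 'exht_render_page' );
}

function exht_render_page() {
    // 2. current_user_can(): check the capability again before rendering.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to manage this setting.', '', array( 'response' => 403 ) );
    }
    $text = get_option( 'exht_humans_text', '' );
    ?>
    <div class="wrap">
      <h1>Humans Text</h1>
      <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="exht_save_humans" />
        <?php
        // 4. wp_nonce_field(): adds the hidden _wpnonce and _wp_http_referer
        //    fields, bound to this action and to the logged-in user.
        wp_nonce_field( 'exht_save_humans' );
        ?>
        <textarea name="exht_humans_text" rows="10" cols="60"><?php echo esc_textarea( $text ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
      </form>
    </div>
    <?php
}

function exht_handle_save() {
    // The capability check is repeated here because the save request can be
    // sent without ever loading the form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to manage this setting.', '', array( 'response' => 403 ) );
    }

    // 3. check_admin_referer(): stops the request unless it carries a valid
    //    nonce for this action, which blocks forged cross-site submissions.
    check_admin_referer( 'exht_save_humans' );

    // Validate and filter the input before it is stored.
    $raw = isset( $_POST['exht_humans_text'] ) ? wp_unslash( $_POST['exht_humans_text'] ) : '';
    update_option( 'exht_humans_text', sanitize_textarea_field( $raw ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=exht-humans' ) );
    exit;
}
```

A plugin that uses the Settings API instead posts the form to options.php, prints the nonce with settings_fields() and supplies its sanitizing callback through register_setting().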

  35. Joel Montgomery says:

    I’ve been receiving messages that my BPS error log has been changed. When I go to the site and check-out the error log, it’s clean. Does this mean that a bot is trying to hack the site? From what I see, the site is still “bulletproof.”

    By the way, do you have an affiliate program? I’m promoting your software to my friends.

    • AITpro Admin says:

      I’m not sure what you mean by “clean”, but i assume you mean that you do not see any new php errors in the log?

      This is most likely what is going wrong.
      Are you clicking the Reset Last Modified Time in DB button when BPS alerts you about a new php error?
      If not, then the BPS new php error message will remain persistently until you click the Reset Last Modified Time in DB to reset this check. Also if you have email alerts set up for php errors then you will receive an email once an hour until you reset the last modified time in the DB.

      Less likely:
      Your php error log path has not been added in your custom php.ini file or the path is incorrect
      Open your custom php.ini file with the php.ini File Editor and check that the path to your BPS php error log is correct.
      The correct path is displayed on the PHP Error Log page and will look something like this >>> /home/content/xx/xxxxxx/html/wp-content/plugins/bulletproof-security/admin/php/bps_php_error.log

      If you have multiple websites you should probably only use one BPS php error log for all of your sites. Example: if you have a WordPress site installed in your root folder and a WordPress site installed in a subfolder then the path to the BPS php error log should be the same for both sites to view the php error log and designating only one of them to store the actual BPS php error log. This allows you to view your php error log on all your sites, but the php error log only exists under one site. You are designating one location for the BPS php error log to exist. There really isn’t any need to have multiple php error logs, but you can probably do that if your host allows it. I don’t think most hosts do allow this.

      Once i get 5.1 completed i will start working on an affiliate program thing. BPS Pro 5.1 is just about ready for release. Probably in about 4 days from now. Thanks.

  36. Jamal says:

    Hi,

    I am creating a subdomain on my WordPress blog.

    http://www.abcsubdomain.domain.com

    http://www.domain.com/abcsubdomain

    But when I “Activate Website Root Folder .htaccess Security Mode” the site fails to access http://www.domain.com/abcsubdomain and shows a 404 error page.

    But, if I deactivate the .htaccess security mode, the site can access the subdomain and subfolder.

    How to solve this issue?

    Hope to hear from you :)

    Thank you.

    Regards,

    Jamal

    • AITpro Admin says:

      A valid domain prefix does not contain 2 domain name prefixes – www as well as the subdomain name.

      Invalid – 2 domain name prefixes
      http://www.your-subdomain-name.your-website-url.com

      Valid – 1 domain name prefix
      your-subdomain-name.your-website-url.com

      You should not need to change anything in your root .htaccess file. WordPress already has a setting that will allow you to do this. Go to your WP Settings panel >>> click on General and add the correct URL prefix that you want to use under >>> WordPress address (URL) and Site address (URL).

      CAUTION!!! Be prepared to access your WordPress DB in your Host Control Panel phpMyAdmin if you are unable to log back into your site. You may have to add the old URL back in your WordPress DB. There are several scenarios that could be going on and some web hosts automatically do DNS setting changes for subdomain sites. In the end you may have to modify the root .htaccess file in order to rewrite to the correct RewriteBase and will not be able to use an unmodified BPS AutoMagic Master .htaccess file without manually modifying it first before activating it.

      Thanks.

  37. Chau says:

    Hello, I just installed the plugin and am running into some weird problems. I fixed a few, but now I can’t seem to go into any posts. For example: I would click any post and would get this: “The requested URL /2011/10/23/mixtape-jay-z-kanye-west-adele-brooklyn-chicago-london/ was not found on this server.”

    Does that have something to do with the .htaccess file configuration? Please help, it’s very urgent since I don’t know how to go back to the original.

  38. Matt Fraser says:

    Edward,

    Forgive me if this is a dumb question, but if a wp plugin requires a file permission setting of 777 will BPS still keep your site secure? The plugin I am referring to is web traffic genius which syndicates your RSS feed across RSS aggregators.

    • AITpro Admin says:

      777 permissions should only be used temporarily and never left permanently. 777 permissions mean that anyone can write to the files. No, BPS would not be able to protect the files from being written to by anyone because you have told BPS that this is ok to do. Thanks.
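
An audit for the situation described in this reply, as an added example (not BPS code): it walks a folder tree and reports every file or folder whose permissions allow any account on the server to write to it, so a temporary 777 that was never reverted can be found. The function name and the constructed demo tree are assumptions.

```php
<?php
/**
 * Return the paths at or below $root whose mode has the "other write" bit
 * set (777, 666, 757 ...), mapped to their octal permissions.
 */
function exaudit_world_writable( $root ) {
    $hits = array();

    // The iterator only yields children, so check the root folder itself first.
    $root_mode = fileperms( $root ) & 0777;
    if ( $root_mode & 0002 ) {
        $hits[ $root ] = sprintf( '%04o', $root_mode );
    }

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST // report folders as well as files
    );
    foreach ( $iter as $path => $info ) {
        if ( $info->isLink() ) {
            continue; // a symlink's own mode says nothing about its target
        }
        $mode = $info->getPerms() & 0777; // keep only the rwx bits
        if ( $mode & 0002 ) {             // "other" users may write
            $hits[ $path ] = sprintf( '%04o', $mode );
        }
    }
    ksort( $hits );
    return $hits;
}

// Demo on a constructed tree, run only when this file is executed from the CLI.
if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    $root = sys_get_temp_dir() . '/exaudit_' . getmypid();
    mkdir( $root . '/cache', 0755, true );
    file_put_contents( $root . '/index.php', '<?php' );
    file_put_contents( $root . '/cache/thumb.png', 'x' );
    chmod( $root, 0755 );
    chmod( $root . '/index.php', 0644 );        // not reported
    chmod( $root . '/cache', 0777 );            // reported
    chmod( $root . '/cache/thumb.png', 0666 );  // reported

    foreach ( exaudit_world_writable( $root ) as $path => $mode ) {
        echo $mode, '  ', $path, PHP_EOL;
    }

    // Remove the constructed tree again.
    unlink( $root . '/cache/thumb.png' );
    unlink( $root . '/index.php' );
    rmdir( $root . '/cache' );
    rmdir( $root );
}
```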

  39. Lisa says:

    Well now, I seem to have a problem. I tried to do a “Network Activate” on this but it seems to have tanked the entire installation. I need to find out how to turn it until it can be activated properly on a WordPress Multi User blog :/

    • AITpro Admin says:

      If you made a backup of your .htaccess files do a restore to restore the original .htaccess file to the root folder. If you did not do a backup then you can manually edit the root .htaccess file with the MU specific .htaccess code for WordPress MU. The MU .htaccess code for a Network / MU site is different than the .htaccess code used in a WP single site.

      BPS Pro should not be activated using Network Activate. Also the AutoMagic buttons are primarily designed for WP Single sites at the moment. AutoMagic can be used for MU, but you need to do a couple of additional steps. Those steps are explained in the Read Me hover tooltip on the Security Modes page next to the AutoMagic buttons. I am in the process of adding additional coding for BPS Pro that will prevent something like this from happening in future versions. Here is the logic with Network / MU sites. The sub sites are generated virtually meaning that the URL path is virtual and not a literal folder path. BPS Pro only needs to be activated for the Primary site and this will protect all sub sites whether you are using sub domains or a sub directories Network. So the coding i need to add is – only the Primary site and Super Admin should be able to activate bulletproof modes. I will alter the coding so that things like System Info and Security Status can be viewed in the sub sites, but activation and anything else that can screw up the Primary site’s .htaccess files will not be enabled for sub sites. So the logic is only the Primary site should be able to create, activate, etc and the sub sites should only be able to view info.

      I am not sure if you are able to access your WP Dashboard from your comment so if you need to manually edit your root .htaccess file using FTP or your Host Control Panel here is the MU specific .htaccess code that you would need to add.

      SubFolder Example

      # BEGIN WordPress
      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      
      # uploaded files
      RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]
      
      # add a trailing slash to /wp-admin
      RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
      
      RewriteCond %{REQUEST_FILENAME} -f [OR]
      RewriteCond %{REQUEST_FILENAME} -d
      RewriteRule ^ - [L]
      RewriteRule  ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
      RewriteRule  ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
      RewriteRule . index.php [L]
      
      # END WordPress
      

      SubDomain Example

      # BEGIN WordPress
      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      
      # uploaded files
      RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
      
      RewriteCond %{REQUEST_FILENAME} -f [OR]
      RewriteCond %{REQUEST_FILENAME} -d
      RewriteRule ^ - [L]
      RewriteRule . index.php [L]
      # END WordPress
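
Added example (not part of the original reply and not BPS Pro code): a one-pass trace of the SubFolder ruleset quoted above, for checking where a request lands after the root .htaccess has been restored by hand. The function names, the sub site name `site1` and the sample paths are constructed; Apache's second pass over the rules after an internal rewrite is assumed to end at the existing-file rule and is not modelled.

```python
import re

# The SubFolder rules from the reply above: (needs_existing, pattern, substitution, flags).
# needs_existing=True models the "-f [OR] -d" RewriteCond pair on the following rule.
SUBFOLDER_RULES = [
    (False, r"^index\.php$", "-", "L"),
    (False, r"^([_0-9a-zA-Z-]+/)?files/(.+)", "wp-includes/ms-files.php?file=$2", "L"),
    (False, r"^([_0-9a-zA-Z-]+/)?wp-admin$", "$1wp-admin/", "R=301,L"),
    (True, r"^", "-", "L"),
    (False, r"^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*)", "$2", "L"),
    (False, r"^([_0-9a-zA-Z-]+/)?(.*\.php)$", "$2", "L"),
    (False, r".", "index.php", "L"),
]


def expand(substitution, match):
    """Replace $N back-references; an unmatched optional group expands to ''."""
    return re.sub(r"\$(\d)", lambda ref: match.group(int(ref.group(1))) or "", substitution)


def trace(url_path, existing=()):
    """Return (action, target, rule_number) for one pass over the ruleset.

    existing: paths (relative to the web root) that are real files or folders.
    Every rule carries [L], so the first rule that applies ends the pass.
    """
    rel = url_path.lstrip("/")  # in .htaccess context the leading slash is stripped
    for number, (needs_existing, pattern, substitution, flags) in enumerate(SUBFOLDER_RULES, 1):
        match = re.search(pattern, rel)
        if not match or (needs_existing and rel not in existing):
            continue
        if substitution == "-":
            return ("pass", rel, number)  # "-" means: serve the path unchanged
        target = expand(substitution, match)
        if "R=301" in flags:
            return ("redirect", "/" + target, number)  # RewriteBase / prefixes the target
        return ("rewrite", target, number)
    return ("pass", rel, 0)  # no rule applied


if __name__ == "__main__":
    # Constructed requests for a hypothetical sub site "site1".
    real = {"wp-content/themes/demo/style.css"}
    for path in ("/site1/files/2011/09/a.png", "/site1/wp-admin", "/site1/wp-login.php",
                 "/site1/wp-content/themes/demo/style.css",
                 "/wp-content/themes/demo/style.css", "/site1/2011/09/hello-world/"):
        print(path, "->", trace(path, real))
```

Because the sub site prefix is virtual, every `site1/...` request ends up in a file of the primary installation, which is why a single root .htaccess governs all sub sites.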
      
  40. JoelMonty says:

    Edward, I am also using the program developed by Jason Fladlien and Wilson Mattos called WP Twin on all of my WordPress sites. It clones the sites–for transfer to new domains–and also backs-up all files. It has its own htaccess files.

    I’ve asked the developers to contact you to make sure that it works well with BulletproofSecurityPro 5.0 (and beyond). Can you please check with them for the same purpose?
    “WP Twin Support” Refer to Support Ticket Opened [#853930]. That’s the “formal” way I asked them to contact you about the compatibility of WP Twin and its automatic back-up feature with BPSPro 5.0.

    Thanks.

    Joel Montgomery

    • AITpro Admin says:

      Hi Joel.
      I have never had any success with being contacted by other plugin developers collaboratively so I can pretty much guarantee you that they will not contact me or work with me. What I do instead is with premium plugins or themes I just have people send me the plugin or theme and I do whatever testing or fixes that are necessary. So just send me the plugin. Thanks.

  41. JoelMonty says:

    I’ve received several messages from BPS

    “A new PHP Error has been logged is in your PHP Error Log File.

    Site: joelmontypresents.com

    To view the php error go to the BPS P-Security PHP Error Log page.”

    When I go to the error log I don’t see any entries. Is my site being “attacked”? The only thing I see is the location of the error log

    “PHP Error Log Location
    Default BPS Error Log Location: /home3/xxxxxx/public_html/joelmontypresents/wp-content/plugins/bulletproof-security/admin/php/bps_php_error.log
    PHP Error Log Location Set To:

    PHP Error Log Last Modified Time
    Error Log Last Modified Time in DB: September 14 2011 00:16:46.
    Error Log Last Modified Time in File: September 26 2011 09:00:24.”

    (That’s when I updated the error log.)

    Hopefully BPS is protecting all of my WP sites from attack–I’ve been targeted by some malware programs, cleaned everything up, and have BPS installed and active on all of my WP sites.

    By the way, I have an HTML site that was also attacked and “cleaned-up”. I don’t know how to protect it. Should I convert it to WP so the BPS can protect it, too?

    Best Regards,

    Joel

    • AITpro Admin says:

      It appears that the error log path has not been added to your custom php.ini file yet. I will be sending you an email in a minute. Thanks.

      • JoelMonty says:

        Thanks for all your help, Edward!!

        I’m still getting lots of these error messages. Today I went through the entire BPSPro set-up again, your “magic file creation”, bullet-proofing, and backing-up the folders. Hopefully that will reset something. I have BPSPro protecting all of my WP sites and the only one currently reporting errors is JoelMontyPresents.

        Your feedback and direct support are invaluable. Thanks again. It’s a pleasure to be your customer. I encourage other WP users to sign-up as well.

        Best Regards,

        Joel Montgomery

        • AITpro Admin says:

          Very welcome.
          At this point your PHP cPanel setting still needs to be done so that your Server is looking at your custom php.ini file and not the Server’s default php.ini file. I think the email I sent you with instructions must have been “spammed” or “junked” so I will post that info here.
          Your web host is BlueHost (BlueHost, HostMonster and FastDomain are all the same parent company so this applies to all 3 of these hosts) so in order to have your custom php.ini file seen as the Loaded Configuration File for your website you need to do these steps:

          Login to your cPanel
          Click on the PHP Config icon located under “Software/Services”
          DO NOT choose / click “INSTALL PHP.INI MASTER FILE”.
          Select PHP Single php.ini and click the Save Changes button.
          Choosing the PHP Single php.ini option will do 3 things:
          1. The Server’s default php.ini file will be copied to your /public_html website root folder
          2. Your Loaded Configuration file path will be changed from /etc/php.ini to /home3/xxxxxx/public_html/
          3. This .htaccess code below will be written to your root BPS Pro .htaccess file

          # Use PHP5 Single php.ini as default
          AddHandler application/x-httpd-php5s .php

          Cut the new handler code that was written to the top of the BPS Pro root .htaccess file and paste it as shown below.

          # BULLETPROOF PRO 5.0 SECURE .HTACCESS

          # If you edit the line of code above you will see error messages on the BPS status page
          # BPS is reading the version number in the htaccess file to validate checks
          # If you would like to change what is displayed above you
          # will need to edit the BPS functions.php file to match your changes
          # For more info see the BPS Guide at AIT-pro.com

          # Use PHP5 Single php.ini as default
          AddHandler application/x-httpd-php5s .php

          Go to the PHP Info Viewer tab page and click on View PHPINFO button to check that your Loaded Configuration file path is now showing the path to your /public_html folder instead of the default server location /etc/php.ini. The final thing that you will need to do is to now create your custom php.ini file that will overwrite the Server’s default php.ini file that was copied to your /public_html folder.

          Choose BlueHost from the php.ini Creator dropdown list.
          Add the folder path to your /public_html folder and include the file name php.ini in the path
          Example: /home3/xxxxxx/public_html/php.ini
          This completes the custom php.ini file creation.

          We offer free setup for BPS Pro so if you don’t want to be bothered with setting up BPS Pro then we will be happy to set it up for you.

          Regarding PHP errors in general
          In your particular case you just needed to click the “Reset Last Modified Time in DB” button to re-sync the last modified time for the php error log. I have already gone ahead and done that on your website. The way the php error log works is this. When a new php error is logged you are notified by display and email if you choose this option. To clear the displayed alert you should click the Reset Last Modified Time in DB button. What is happening here is a comparison of the last modified time of the php error log file and a saved time in your WordPress DB. By clicking the Reset Last Modified Time in DB button you are saving the new last modified time to your DB and both the file last modified time and your DB last modified time will be the same and no error alerts will be displayed and no email alerts will be sent to you if you have that option enabled. I have intentionally designed the coding check in this way instead of having a new error alert displayed for each new php error, which could cause quite a lot of unnecessary displayed alerts.

          Many folks have wondered why they are seeing php errors or new php errors in their php error log. The errors existed before, but they were not aware of them. Seeing the php errors is a good thing. The php errors tell you the file name, the function name, the code line and the exact type of php error that occurred. They are alerting you to problems you have with your coding, website or a hacker is trying to exploit some code on your website. Some php errors just occur and do not need any attention. Such as a temporary connectivity problem with your Server or other random php errors that are “natural” php errors. Other php errors should be looked at and fixed if necessary to prevent additional problems or ongoing problems or to prevent a hacker from repeatedly going after a particular file to try and break into your website. You can copy any php error into the google search window and you will find what the problem is, why it is happening and more importantly how to fix it.
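
Added example (not BPS Pro's code and not part of the reply above): the alert check described there, comparing the error log's last modified time with a saved time, together with a triage step that groups log entries by error level, file and line so repeated hits on one file stand out. The function names are hypothetical, the returned integer stands in for the time saved in the WordPress DB, and the log entries are constructed in PHP's default error_log format.

```python
import os
import re
import tempfile
from collections import Counter

# Constructed sample entries in PHP's default error_log format (not from a real site).
SAMPLE_LOG = """\
[26-Sep-2011 08:58:01] PHP Warning:  file_get_contents(/home/example/public_html/wp-admin/.htaccess): failed to open stream: No such file or directory in /home/example/public_html/wp-content/plugins/demo/functions.php on line 422
[26-Sep-2011 08:59:10] PHP Notice:  Undefined index: page in /home/example/public_html/wp-content/themes/demo/header.php on line 12
[26-Sep-2011 09:00:24] PHP Warning:  file_get_contents(/home/example/public_html/wp-admin/.htaccess): failed to open stream: No such file or directory in /home/example/public_html/wp-content/plugins/demo/functions.php on line 422
"""

ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*?)"
    r"(?: in (?P<file>\S+) on line (?P<line>\d+))?$"
)


def group_errors(text):
    """Count entries per (level, file, line); lines that are not entries are skipped."""
    counts = Counter()
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            counts[(m["level"], m["file"], int(m["line"] or 0))] += 1
    return counts


def alert_pending(log_path, saved_mtime):
    """True while the log file's last modified time differs from the saved time."""
    return int(os.path.getmtime(log_path)) != saved_mtime


def reset_saved_mtime(log_path):
    """Return the file's current mtime, i.e. the value the reset button would save."""
    return int(os.path.getmtime(log_path))


def demo_alert_cycle():
    """Acknowledged log -> new error written -> reset; returns the three alert states."""
    with tempfile.TemporaryDirectory() as folder:
        log = os.path.join(folder, "bps_php_error.log")
        with open(log, "w") as handle:
            handle.write(SAMPLE_LOG)
        os.utime(log, (1000, 1000))          # fixed mtime so the result is repeatable
        saved = reset_saved_mtime(log)
        before = alert_pending(log, saved)   # times match, no alert
        os.utime(log, (2000, 2000))          # a new error changes the file's mtime
        after = alert_pending(log, saved)    # times differ, alert shown
        saved = reset_saved_mtime(log)
        return before, after, alert_pending(log, saved)


if __name__ == "__main__":
    print(demo_alert_cycle())
    for key, hits in group_errors(SAMPLE_LOG).most_common():
        print(hits, key)
```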

          • Joel Montgomery says:

            I have another WordPress Installation using Bulletproof Security Pro on Hostgator. When I set everything up, it worked fine–including editing the phpini file for the BPS error log position. Now, when I look at the cPanel, 0 bytes are listed for /home/xxxxxx/public_html/wp-content/plugins/bulletproof-security/admin/php/hostgator-phpini.ini. The feedback says that the file is open and writeable and the error log says everything is OK. When I go to edit the file using your phpini editor, nothing comes up–the empty file with zero bytes.

            Suggestions for redoing my Hostgator phpini file?

          • AITpro Admin says:

            Hmm, well that means that the contents of the BPS master php.ini file for HostGator were deleted somehow. Reinstall BPS using the BPS built-in Zip installer – Do Not Use the WordPress PCLZIP zip upload installer. It is problematic. You should then see a new hostgator-phpini.ini master file and can create a new custom php.ini file from it for this site. Thanks.

  42. JoelMonty says:

    I have a new “drop-in” plugin called “Install.php” in my Plugins folder under WP-content.

    I didn’t install it. Did BPS PRO install something? How can I find out if it is a security problem or not?

    Thanks for your support. I feel better with BPS Pro protecting my WP sites.

    JoelMonty

    • AITpro Admin says:

      Nope BPS Pro does not add this file. BPS Pro does have an installation file, but it is called installation.php and is located within the admin area of the BPS Pro plugin folders. Did you migrate or move your website recently? Or at one point did you use Backup Buddy to move your website? Open the install.php file using the WordPress editor and see what code is in that file. If it looks suspicious then send me the install.php file. edward@ait-pro.com. Thanks.

      • JoelMonty says:

        Responding to Ed’s comment on September 16th, 2011

        No, I didn’t use back-up buddy for anything. When I opened the file–index.php, it says the code says “silence is golden” and nothing else??!!

        I hate to download it to my computer to send to you if it’s infected. I just made sure my computer was clean and it took 3 days.

        I had to use the cPanel editor on BlueHost to find anything out about the file. In WordPress it says it is a “drop in” Plugin named “install.php”. (That doesn’t show up in my cPanel. Index.php does show up.)

        There seems to be a rash of attacks these days or I was going higher up on Google’s pages and made myself a target.

        • AITpro Admin says:

          The index.php file in the /wp-content folder that only has “silence is golden” in it is a valid WordPress file and is supposed to be there. Typically when you see a drop-in plugin listed called install.php this just indicates that you have a custom script file in your /wp-content folder. This is not going to be something that I can answer without knowing more details. I will be sending you an email shortly. Thanks.

  43. I have BPS running and I installed an additional blog in a subfolder of my site as a test blog. The primary WordPress installation is in the main folder, not a subfolder and that is where BPS is running. After creating the new blog in a subfolder via cPanel, I cannot access it: I get 404 pages. Is this due to BPS? And if so, what can I do about it? Thanks. :)

    • AITpro Admin says:

      When you say primary WordPress installation do you mean you have a Network / MU installation of WordPress? For Network / MU you only want BPS set up for the primary site and not the subsites. For single site WordPress installations you want BPS installed on each site. If you do not do this then the parent site’s .htaccess rules will be applied to all the subfolder sites, which will cause 404 errors because the parent’s .htaccess rules – RewriteBase and RewriteRule will be applied to the subfolder site and are not going to be correct for the subfolder site. Thanks.

  44. It is unclear to me whether I should Network Activate or Activate Blog by Blog. I tried both and got the same message:
    Warning: require_once(D:\dev.alarmsearch.com\wordpress/wp-content/plugins/bulletproof-security/includes/class.php) [function.require-once]: failed to open stream: No such file or directory in D:\dev.alarmsearch.com\wordpress\wp-content\plugins\bulletproof-security1\bulletproof-security.php on line 45

    Can you help please. I know nothing about this sort of thing. Thanks, Chuck

    • AITpro Admin says:

      Hello,
      The error indicates that you have used the WordPress Upload Zip installer to install BPS Pro. If you look at the part of the error that says “No such file or directory in…” you will notice that the BulletProof Security folder name has a number 1 appended to it – “bulletproof-security1”. This is one of the reasons why we created the BPS Pro built-in Zip installer. There are known issues and problems with the PCLZIP installer that WordPress uses so we created our own Zip Upload installer. Plus we wanted to additionally add a Zip backup feature to make backups one click.

      You actually have a much bigger problem. Your website is hosted on an IIS6 Server. You will not be able to use the B-Core for an IIS Server (IIS6 or IIS7 or IIS7.5) because IIS Windows Servers do not use .htaccess files. You can use the P-Security php.ini file creator to create php.ini files, but I have found that this can be a huge hassle on IIS Servers. You may or may not be able to change your master php.ini file settings on IIS hosting. It is going to depend on what type of hosting account you have and how much control and access permissions you are granted by your web host.

      No need to post back here just reply to the email that I sent to you. Thanks
      Regards,
      Ed

  46. Mac says:

    Pre sales questions about BP Pro.

    1) Your license is detailed but, I’m sorry, I didn’t understand if it’s possible to install the plugin on multiple sites (as per GPL) or not.

    2) License is related to BP Pro 5.0 and for that one you warrant lifetime updates, what happens if BP Pro becomes 6.0 or above?

    Thanks in advance for answer, this plugin is interesting but I think that those points require a better explanation.

    • AITpro Admin says:

      *** UPDATE ***
      The AITpro software license for BulletProof Security Pro has been updated. Thank you again Mac for pointing out areas of the license that needed clarification and corrections.
      http://www.ait-pro.com/aitpro-blog/2951/bulletproof-security-pro/bulletproof-security-pro-5-0-software-license/

      Yes you are correct that the information needs to be stated more clearly in the license on these points. These points will be stated more clearly and corrected / updated today. Yes you can install BPS Pro on all sites that you directly own, support or manage. The general idea is I don’t want to limit anyone who has paid for BPS to be limited to a set number of installations that they can do on all their sites. So if you had 1 site or 100 sites then there is no limitation at all. What I obviously do not want to happen is to have people give BPS to other people who have not paid for a license. The price is extremely fair and having it be unlimited as far as the number of sites you can install BPS on is extremely fair too so hopefully people will feel that paying a one time price for life with free upgrades for life is really a great deal and not distribute BPS all over the place. ;) In any case 5.1 will include and require activation so anyone with a pirated copy of 5.0 will not be able to upgrade to any future version of BPS Pro and there is some really awesome stuff in the works. ;) BPS Pro 5.0 is just the beginning – lots more to come. :)

      Yep the wording needs to be changed. This is not word play, but it could be construed as that. So I will also make the necessary corrections to clearly point out that BPS Pro 5.0 and all updates to BPS Pro (without a version number) are included in the one-time cost. Thank you for pointing out these two areas in the license that need to be corrected. Much appreciated.
      Ed

  47. Alan says:

    file_get_contents(/home/jempyrea/public_html/myweightcare.com/wp-admin/.htaccess) [function.file-get-contents]: failed to open stream: No such file or directory in /home/jempyrea/public_html/myweightcare.com/wp-content/plugins/bulletproof-security/includes/functions.php on line 422
    [10:18:47 AM] rigids.php: you are overloading wordpress with untested PLUGIN

    • AITpro Admin says:

      Hello,
      We don’t have you on record as purchasing BPS Pro or as one of the Donaters. Also the rigids.php error is not a valid php error. This is either a made up / fake error or an error that has not been completely copied with its full valid php error level notice. If you purchased BPS Pro please contact us directly for assistance. If you have not and this is a spam tactic please do not post here again. Your URL links have been removed from your post. They will be restored once we confirm that this is not a spam tactic. Thank you.
