BulletProof Security WordPress Plugin Support

Author: AITpro Admin
Published: April 28, 2010
Updated: January 16, 2012



BPS .46.8 Specs
BPS .46.8 PHP Memory Usage > 100KB > .10MB
BPS .46.8 Total Disk Size > .98MB
BPS .46.8 Performance > Zero front end drag > Zero back end drag > Zero page load time added

 

If you dig BPS please create a link back to AITpro. Thank you.  

The information below is outdated. Please see the BPS Guide.

 
*** Old Version Info *** – see the BPS Guide for current version info
BulletProof Security Version .44.1 released 5/5/2010 now includes a backup and restore feature to backup and restore your original existing .htaccess files. Download your /htaccess folder if you have Version .44 installed before upgrading to Version .44.1 and upload it back to the BulletProof Security plugin folder after you have upgraded.
 
*** Old Version Info *** – see the BPS Guide for current version info
BEFORE activating any BulletProof Security modes, look at the root path to your website’s WordPress installation shown within the BulletProof Security Options page under BulletProof .htaccess Security Modes. If your WordPress installation is installed in your website domain root folder then you will see http://your-website-domain-name/.htaccess. If your WordPress installation is installed in a subfolder off of your website domain root then you will see something like this, for example: http://your-website-domain-name/a-folder-name/.htaccess. If your WordPress installation is in your website domain root you DO NOT need to modify anything and can just activate any BulletProof Security modes you want now. If your WordPress installation is in a subfolder of your website domain root then read the IMPORTANT!!! info shown below.

*** Old Version Info *** – see the BPS Guide for current version info
If your WordPress installation is in a subfolder then DO NOT activate any of the BulletProof Security Modes until you have fully read the help files and the BulletProof Security Screenshots page (applies to versions .44 and .44.1). Setting up BulletProof Security to work correctly for your website if you have WordPress installed in a subfolder off of your root website domain WILL require a one time manual editing of the 3 .htaccess files that are provided with the BulletProof plugin. You will need to add the path to your particular folder where WordPress is installed on your website domain. Those 3 .htaccess files are located in the /plugins/bulletproof-security/htaccess/ folder. The files are named: default.htaccess, secure.htaccess and maintenance.htaccess. Download the 3 files to your computer, add the path to your WordPress installation folder in all of the provided .htaccess files and then upload them back to the /plugins/bulletproof-security/htaccess/ folder. If WordPress is installed in your website domain root folder on your website then you DO NOT need to make any modifications to any of the BulletProof .htaccess files.
 

BulletProof Security WordPress Plugin FAQ’s

If you do not see the answer to your question posted here, then please post your question on the Comments, Questions, Problems & Wishlist page. We will answer your question there and then also post those questions and answers here if appropriate.
 

What does the BulletProof Security WordPress Plugin Do?

The BulletProof Security Plugin is a secure radio button form with options that you select for what level of .htaccess security you want for your root and /wp-admin folders. You can switch between (enable) all available modes – default .htaccess security, bulletproof .htaccess security and maintenance modes – in less than 5 seconds, ALL from within your WordPress Dashboard. No need to access your website via FTP or from your web host Control Panel to do anything more. For more information read the BulletProof Security Plugin Overview or take a look at the BulletProof Security screenshots page (applies to versions .44 and .44.1).
 

My Website Has Already Been Hacked – Can BulletProof Security Help?

Yes, but only by allowing you to put your website in Maintenance Mode. This will take your website offline until you can restore your website from backup or manually repair your website. This will prevent other people from getting a “virus” from your website and also block the hackers from accessing your website until it is fully restored / repaired. I recommend restoring your website from backup if you are not an experienced coder. The more sophisticated hackers and hacking programs are designed to do multiple things and leave multiple backdoors. Repairing your website could take much longer than just restoring your website from backup.

Once your website is fully restored from backup you will have to immediately reinstall BPS and either reactivate Maintenance Mode or activate BulletProof Security Modes right away to block all future hacking attempts. Your other option is to use the BPS master .htaccess files manually via FTP during the process of restoring your website. For example if you do a complete restore of your entire website from backup then BPS will not exist on that backup. If it did your website never could have been hacked in the first place from an XSS or SQL hacking method.

The exact second that your website is restored you would upload the BPS master .htaccess file via FTP to your website root folder. You will need to rename whichever master .htaccess file you chose to manually upload to your website folder. If you choose secure.htaccess rename it to .htaccess and upload to your root folder. If you choose maintenance.htaccess rename it to .htaccess and upload to your root folder. You will also need to upload the bp-maintenance.php file to your root folder.
 

How do I change or remove the admin user account?

The simplest way to do this is to just create a new administrator account under the WP Users panel > Add New. Make sure that when you create your new unique administrator account name you give this new Administrator account Administrator rights. This is called Role in WP and the setting is located right above the Add User button at the bottom of the Add New User page. Then log out of your WP Dashboard, log back in with the new Administrator account you just created and then delete the WP default “admin” administrator account.
 

Are there any known conflicts with BulletProof Security and other WordPress Plugins?  Ozh’ Admin Drop Down Menu Plugin Fix

BulletProof Security has been tested with over 1000 WordPress plugins and one conflict has been found with the Ozh’ Admin Drop Down Menu plugin.  The fix is quick and simple.  FTP to your website, download the BPS default.htaccess file from the /wp-content/plugins/bulletproof-security/htaccess folder, then upload the default.htaccess master file to the /plugins/ozh-admin-drop-down-menu/ folder and rename default.htaccess to just .htaccess.
 

How to install the BulletProof Security WordPress Plugin?

*New BPS Version .45.2 Guide link above*
You can download and install the BulletProof Security WordPress plugin from the WordPress Plugin Directory and of course directly from within your WordPress Dashboard by using the “Add New” option under your WordPress Plugins Panel. If you are downloading the zip file from the WordPress Plugin Directory:
Download the bulletproof-security.zip file to your computer and unzip it.
Upload the bulletproof-security folder (including all files within) to your /wp-content/plugins folder.
Activate the BulletProof Security plugin.
Activating BulletProof Security DOES NOT enable any of the BulletProof Security modes.
To enable any of the BulletProof Security modes you will need to go to your Settings Panel in your WordPress Dashboard and click on BulletProof Security to go to the BulletProof Security Options page. Before activating any of the BulletProof Security modes read the information below.
You will need to add the path to your WordPress installation (folder name) to the 3 .htaccess files provided with BulletProof Security (located in the bulletproof-security/htaccess folder) ONLY if your WordPress installation is NOT installed in your website domain root folder (i.e. if WordPress is installed in a subfolder named something like /blog for example). If your WordPress installation is in your website domain root folder then you DO NOT need to edit anything to start using BulletProof Security. Enjoy!
 

I already have an existing .htaccess file created for my WordPress website. Can I use my custom .htaccess file instead of using the BulletProof Security .htaccess files included with the plugin?

Yes. Of course. The secure.htaccess BulletProof file contains .htaccess code that protects your website against XSS (Cross Site Scripting) and SQL Injection hacking attacks. View a screenshot of the BulletProof Security secure.htaccess file (applies to versions .44 and .44.1). Add your own additional .htaccess code to the Master .htaccess files to make them even more BulletProof to hackers or replace the provided BulletProof Security .htaccess master files with your own personal .htaccess security files. The primary function of BulletProof Security plugin is to act as a .htaccess file handler from within the WordPress Dashboard.

The WordPress core app is already very secure, but if by some chance custom coding or “dirty” code is added to your website you could have a vulnerability that can be exploited. When your website is in BulletProof Secure Mode it does not matter if you have “dirty” code somewhere on your website because it cannot be exploited if the BulletProof secure .htaccess file is enabled.
 

Does the BulletProof Plugin create or write the .htaccess files?

No. The .htaccess files have already been created so you can just add more code to them or create completely new .htaccess master files if you want. BulletProof is designed to handle copying, renaming and moving the .htaccess files. BulletProof Security Pro (release date TBA) does perform file writing as well as some other additional advanced functions.
 

Is the BulletProof Security WordPress Plugin Secure?

Yes. Of course.
 

Does BulletProof Security Block or Prevent any WordPress Website Administrator Functions?  Widget Configurations? Deleting Plugins?

If your web host is still using PHP4 instead of PHP5 you will experience several different problems.  If you are unable to perform Widget Configurations or delete plugins including BPS or the Status window displays NULL instead of the correct activated BPS .htaccess files then please see the BPS .45.2 guide for the solution. 
 

If I deactivate the BulletProof Security plugin are my original .htaccess files restored?

No. You need to restore them using the restore feature in BPS or manually from your computer by uploading replacement .htaccess files via FTP.
 

BPS .45 specific problem – I installed BPS .45 and the menus are broken and I am getting all kinds of errors on the BulletProof Security Options Pages

Check if you are using PHP 4 on your website.  You can check this from within BPS .45.  If your version of PHP starts with 4 instead of PHP 5 then you can remove or recode BPS .45 to work for PHP 4 if you want.  PHP 4 is about due to be completely phased out so there is no point in doing the extra coding work to make BPS .45 compatible with PHP 4.  BPS .45 will function with PHP4, but it does not look visually correct and you will be missing many of the available features.  Your host should provide you with the option of using PHP4 or PHP5.  Obviously I recommend using PHP5.
 

I Still Need to Use PHP4 for My WordPress Website

Coding Modifications to make BPS .45.2 work with PHP 4

 

PHP4 problem in BPS .44 and .44.1 – File_get_contents function error

Error message displayed under Current Active BulletProof .htaccess Files:
Warning: file_get_contents() expects at most 2 parameters, 5 given in /home/content/xxx/xxx/xxx/ezdrycarpet/html/ezb/wp-content/plugins/bulletproof-security/bulletproof-security.php on line 173
There is a similar error message with BPS .45 due to using PHP 4 instead of PHP 5. Your Web Hosting account is running an older version of PHP – PHP 4. If you have the option to choose whether you want to run PHP 4 or PHP 5 then just choose to run PHP 5 from your Web Host Control Panel. If you need to run PHP 4 and cannot use PHP 5 then you will have to either ignore the error message or modify the bulletproof-security.php file code as shown below. I will not be adding backwards compatible PHP 4 coding to BP for this one particular known issue with the file_get_contents function.
existing code line >>> file_get_contents(ABSPATH . $filename, NULL, NULL, 3, 44);
modified code line to work for PHP4 >>> file_get_contents(ABSPATH . $filename);
Unfortunately, this means that the entire contents of whatever .htaccess file is activated will be displayed instead of just the first 44 characters of the .htaccess files. This is a PHP 4 thing so I will not be addressing it in this one particular case.
 

PHP4 problem in BPS .44 and .44.1 – fileperms function stat failed for error

Error message displayed under File and Folder Permissions:
Warning: fileperms(): Stat failed for ../wp-admin/.htaccess (errno=2 – No such file or directory) in /home/content/sss/sss/sss/ezdrycarpet/html/ezb/wp-content/plugins/bulletproof-security/bulletproof-security.php on line 298
 
This similar error has been corrected in BPS .45 by suppressing the clearstatcache PHP error. Error checking is now controlled by other functions that output customized specific warning messages. If you are still using an older version of BPS (.44 or .44.1) you can edit the bulletproof-security.php file and suppress the clearstatcache function by adding an @ symbol – do a search for the clearstatcache function and put an @ symbol in front of the clearstatcache function. Like this: @clearstatcache.

Plugin Compatibility Testing – Plugin Conflicts – Plugin Fixes

Author: AITpro Admin
Published: January 5, 2011
Updated: February 4, 2012

Plugins that have been tested with BPS, waiting to be tested with BPS, .htaccess plugin fixes and solutions or other miscellaneous testing issues are listed here.  Most plugin conflicts or issues require a simple .htaccess skip rule if there is a conflict or issue or the plugin is doing something that BPS is blocking because it is actually unsafe or appears to be unsafe.  If you need to apply an .htaccess skip rule this does not mean that your website is less secure by adding that .htaccess skip rule.  BPS Pro has several layers of overlapping security protection and BPS Free also has some overlapping security protection to compensate for allowing any .htaccess skip rules.  

All plugin issues or conflicts go through thorough security testing before an official fix is released.  New recent plugin fixes can be added manually to your current version of BPS if you are having a problem with a plugin listed on this page or other miscellaneous issue and it has not yet been added to the latest version of BPS.  If you are using a plugin that is not playing nice or is being blocked by BPS, then please add a comment here with the plugin name, the author’s name and the version of the plugin and that plugin will be added to the list to be tested ASAP.  Please perform general troubleshooting steps first such as refreshing your browser, clearing your browser cache and making sure your ISP connection does not have a problem before submitting an issue.  Thank you.

BulletProof Security CAN be installed if you are using an IIS6 or IIS7 server for web hosting, BUT DO NOT activate BulletProof Modes on IIS6 or IIS7 servers, ever. You can use the additional features in BPS, but mod_rewriting does not work on IIS6 or IIS7 servers. There are several prerequisites that are needed for an IIS7 server and you can install the URL Rewrite Module for IIS7 and create a web.config file in place of the root .htaccess file. This would of course require that you modify the coding in BPS to look for the root web.config file instead of the root .htaccess file. You could then use the built-in File Editor to edit your web.config file. If you are not familiar with what is required for an IIS7 server and “mod_rewriting” then read this WordPress Codex for more information on using Permalinks without mod_rewrite.

INTesting = a possible conflict was reported – plugin is in testing
Testing PR = a conflict was found and a workaround may exist.  A permanent fix may or may not be pending.
Tested NC = the plugin was tested and No existing conflicts were found.
PUDV = the plugin was tested, but is either not working correctly or other issue. A fix may or may not have been created – Pending User Verification or Developer verification.
DCON = Direct conflict with BPS (may also be dangerous / not safe to use) – recommended action is to delete plugin
DCONTesting = direct conflict with BPS
Resolved = a conflict was found and a solution has been created.  Premium plugin fixes will not automatically be included in BPS Pro and BPS Free .htaccess coding and do require that you manually add the .htaccess code solution to your root .htaccess file.
NI = Non Issue or Not an Issue
SF = similar functionality – ie another security plugin that performs security functions. Possible conflicting security functions or overlapping functions.
NF = New Fix
NLIC = no longer an issue or conflict or the new BPS .htaccess code permanently resolves this issue.  NLIC issues are automatically and permanently included in each new version of BPS Pro and BPS Free that is released.
Pro =  the conflict and solution applies to only BPS Pro and does not apply to BPS Free.

Plugin Name | Plugin Author | Plugin Version | Status
W3 Total Cache | fredericktownes | All | NLIC
WP-Cache | gallir | All | Tested NC
WP Super Cache | donncha, automattic | All | NLIC
BuddyPress – member log out | multiple authors | All | NLIC
Status Updater | Francesco Castaldo | All | NLIC
Adminer | bueltge | All | NLIC
Peter’s Custom Anti-Spam Image | pkthree | All | NLIC
Stream Video Player | Rodrigo Polo | All | NLIC
My Calendar | joedolson | 1.10.6 | PUDV
XCloner | xcloner | All | NLIC
XCloner – Cron Job Only | xcloner | All | Resolved-Pro
WP-Invoice | multiple authors | All | Resolved
WP-DBManager | GamerZ | All | Resolved-Pro
EZPZ One Click Backup | EZPZSolutions | All | Resolved-Pro
SecureDL | Premium paid plugin | All | Resolved-Pro
Shopp e-commerce | Premium paid plugin | All | Resolved
event espresso | Premium paid plugin | All | Resolved
WordPress Firewall | seoegghead | All | DCON
Cart66 | Premium paid plugin | All | Resolved
Digi Auto Links | Premium paid plugin | All | Resolved
RSS Link Bomber | Premium paid plugin | All | Resolved
WP Twin AUTO BACKUP | Premium paid plugin | All | Resolved
Ad Trackz Gold | Premium paid plugin | All | Resolved-Pro
Full Screen Background Images Pro | Premium paid plugin | All | Resolved

Other Issues – WP Theme or other miscellaneous issue | Status
All Login Password Reset or Redirect problems | Resolved
Atahualpa Theme – Export / Download blocked by BPS | Resolved
BPS menus or other CSS – visual look or menus not displaying correctly | Resolved
PayPal IPN or PDT scripts – NO conflicts exist | Tested NC
WPMU – multisite plugins – network plugins - General Fix | Resolved
Plugin 403 Forbidden Errors | Resolved
Infinite .htaccess Loops – not necessarily related to BPS | General Fix

 

NEW PLUGIN FIXES METHODS – As of BPS .46.5 – The way Rules & Rulesets are processed has changed significantly 

SQL Injection Filtering
Any SQL Injection fixes are no longer necessary as a pre-filter has been added to any filtered SQL Commands.  This means that words / commands that were blocked before are no longer blocked by themselves alone.  Example:  The word / command “union” is no longer blocked / forbidden and now “; union” with a semi-colon in front of it or with any of the other pre-filter characters in front of it would be blocked.  The pre-filter contains characters that are used in SQL Injection attacks.

Plugin Fixes
To fix a plugin conflict, or to stop BPS from blocking something a particular plugin does, add an .htaccess Skip rule. The general concept to get is that the .htaccess Skip rules go in descending order and the Skip number order is very important.

The example below shows the new section of code in the BPS Root .htaccess file that deals with plugin conflicts. In this example I have added a fictitious plugin fix for a plugin called “example-plugin-fix”. Since I added the plugin fix after the “Comment Spam Pack MU Plugin” fix, there is now one more RewriteRule in this section of .htaccess code, so the 2 plugin fixes that came before (are above) this new RewriteRule need to have their Skip rule numbers increased by 1 to skip the additional new example RewriteRule. The Example Plugin Fix is S=11. The RewriteRule that was S=11 will now be changed to S=12 and the RewriteRule above that one will now be changed to S=13.

An .htaccess Skip rule skips the number of RewriteRules that you tell it to skip. If you count down the RewriteRules (in your actual root .htaccess file for your website) you will see that the Skip rules cause these plugin fixes to skip all the RewriteRules that deal with other plugin fixes, the thumbnailer Forbid RewriteRule and the Query String Exploits filter RewriteRule, and go directly to the WordPress RewriteRule, skipping all the other RewriteRules that come before it.

This .htaccess code below is the newest .htaccess code that is included as of BPS Pro 5.1.3 and .46.8 (the example code used in this example will obviously not be in the BPS .htaccess code). This code also shows the new TimThumb .htaccess code that will be included in .46.8 when it is officially released.

# PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
# IMPORTANT!!! If you add or remove a skip rule you must change the S= number to the new skip number
# Examples: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.
# If you add a new skip rule above S=12 it will be skip rule S=13
# Adminer MySQL management tool data populate
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=13]
# Comment Spam Pack MU Plugin - CAPTCHA images not displaying
RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
RewriteRule . - [S=12]
# Example Plugin Fix - Just an example of how to add a new plugin fix 
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/example-plugin-fix/ [NC]
RewriteRule . - [S=11]
# Peters Custom Anti-Spam display CAPTCHA Image
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
RewriteRule . - [S=10]
# Status Updater plugin fb connect
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
RewriteRule . - [S=9]
# Stream Video Player - Adding FLV Videos Blocked
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
RewriteRule . - [S=8]
# XCloner 404 or 403 error when updating settings
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
RewriteRule . - [S=7]
# BuddyPress Logout Redirect
RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
RewriteRule . - [S=6]
# redirect_to=
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
RewriteRule . - [S=5]
# Login Plugins Password Reset And Redirect 1
RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
RewriteRule . - [S=4]
# Login Plugins Password Reset And Redirect 2
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=3]

# TIMTHUMB FORBID RFI BY HOST NAME BUT ALLOW INTERNAL REQUESTS
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]
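
The renumbering described above can be checked mechanically. The Python below is an added example, not BPS code: it counts the RewriteRules in a root .htaccess, works out which rule each [S=n] lands on, and reports skip values that no longer reach the rule the rest of the block jumps to. The sample input is constructed from the block above with the two rules above the example fix left un-renumbered; the function names and the stand-in filter rules are assumptions.

```python
import re
from collections import Counter

RULE_RE = re.compile(r"^\s*RewriteRule\s", re.IGNORECASE)
FLAGS_RE = re.compile(r"\[([^\]]*)\]\s*$")            # trailing [flag,flag] group
SKIP_FLAG_RE = re.compile(r"\s*(?:S|skip)=(\d+)\s*", re.IGNORECASE)


def parse_rules(htaccess):
    """One dict per RewriteRule in file order: line number and S= count (or None)."""
    rules = []
    for lineno, line in enumerate(htaccess.splitlines(), start=1):
        if not RULE_RE.match(line):
            continue  # RewriteCond lines and comments are not counted by S=
        skip = None
        flags = FLAGS_RE.search(line)
        for flag in (flags.group(1).split(",") if flags else []):
            m = SKIP_FLAG_RE.fullmatch(flag)
            if m:
                skip = int(m.group(1))
        rules.append({"line": lineno, "skip": skip})
    return rules


def landing_points(htaccess):
    """(rule index, S value, index of the rule it jumps to) for every skip rule."""
    return [(i, r["skip"], i + r["skip"] + 1)
            for i, r in enumerate(parse_rules(htaccess)) if r["skip"] is not None]


def misnumbered(htaccess):
    """(line, S found, S expected) for skip rules that miss the common landing rule."""
    rules, points = parse_rules(htaccess), landing_points(htaccess)
    if not points:
        return []
    # Assumption: the rule that most skips land on is the intended target.
    target = Counter(t for _, _, t in points).most_common(1)[0][0]
    return [(rules[i]["line"], s, target - i - 1) for i, s, t in points if t != target]


def renumber(htaccess):
    """Return the text with every mis-numbered S= value corrected."""
    fixes = {line: want for line, _, want in misnumbered(htaccess)}
    out = []
    for lineno, line in enumerate(htaccess.splitlines(), start=1):
        if lineno in fixes:
            line = re.sub(r"(?i)((?:\[|,)\s*(?:S|skip)=)\d+(?=[^\]]*\]\s*$)",
                          rf"\g<1>{fixes[lineno]}", line)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: the skip block from the page, with the example fix added
# as S=11 but the two rules above it still carrying their old numbers.
SKIP_BLOCK = [  # (server variable, pattern, S value as found in the file)
    ("REQUEST_URI", "^/wp-content/plugins/adminer/", 12),              # stale
    ("REQUEST_URI", "^/wp-content/mu-plugins/custom-anti-spam/", 11),  # stale
    ("REQUEST_URI", "^/wp-content/plugins/example-plugin-fix/", 11),   # new rule
    ("REQUEST_URI", "^/wp-content/plugins/peters-custom-anti-spam-image/", 10),
    ("REQUEST_URI", "^/wp-content/plugins/fb-status-updater/", 9),
    ("REQUEST_URI", "^/wp-content/plugins/stream-video-player/", 8),
    ("REQUEST_URI", "^/wp-content/plugins/xcloner-backup-and-restore/", 7),
    ("QUERY_STRING", "action=logout&redirect_to=http%3A%2F%2F(.*)", 6),
    ("QUERY_STRING", "redirect_to=(.*)", 5),
    ("QUERY_STRING", "action=resetpass&key=(.*)", 4),
    ("QUERY_STRING", "action=rp&key=(.*)", 3),
]
TAIL = r"""RewriteCond %{QUERY_STRING} stand-in-for-timthumb-rfi-host-list [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]
# stand-in for the Query String Exploits filter (constructed, not BPS code)
RewriteCond %{QUERY_STRING} stand-in-filter [NC]
RewriteRule ^(.*)$ - [F,L]
# WordPress rules
RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
"""
SAMPLE = "".join(f"RewriteCond %{{{var}}} {pat} [NC]\nRewriteRule . - [S={s}]\n"
                 for var, pat, s in SKIP_BLOCK) + TAIL

if __name__ == "__main__":
    for line, found, want in misnumbered(SAMPLE):
        print(f"line {line}: S={found} lands one rule early, expected S={want}")
    print(renumber(SAMPLE))
```

A skip value that is too small lands the request on a filter rule that the plugin fix was meant to bypass, so the conflict returns; a value that is too large jumps past the first WordPress RewriteRule.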

 

Permanent Fixes For Plugin Conflicts with BPS

As of BPS .46.5 and BPS Pro 5.1 the Master (AutoMagic) .htaccess code automatically permanently resolves several plugin conflicts that previously existed.  The “Other Issues – WP Theme or other miscellaneous issue” section of this help page may still apply in some cases and have been highlighted if they still apply to the new version of BPS.

W3TC – CDN / Cloudflare and possible eaccelerator conflicts with BPS

If you are not using CDN / Cloudflare or eaccelerator then there are not any problems, issues or conflicts. The conflicts are isolated to using CDN / Cloudflare and eaccelerator and are pending further investigation. Symptoms: Random pop up messages similar to “Are you sure you want to do this?” with no confirm button.

BuddyPress – BuddyPress Member log out does not log Members out – included in BPS .45.8

This fix requires that WordPress 3.0.4 is installed. This fix will NOT work with previous versions of WordPress. There is a conflict with the SFC plugin and BuddyPress so if you want to have a Facebook Connect feature then you should use the BP-FBConnect plugin. This plugin has been tested with BPS and no conflicts were found.

# BuddyPress Logout Redirect
RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
RewriteRule . - [S=6]

Status Updater – FB and Twitter posts not updating – Cron jobs not running – included in BPS .46.1

# Status Updater plugin fb connect
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
RewriteRule . - [S=9]

WP-eXtplorer – login or other issue – exact problem is not clear – included in BPS .46.1
I was unable to get this plugin to work through WordPress with BPS secure mode activated or deactivated, but I was able to login to eXtplorer manually by adding an .htaccess skip rule.  Pending verification from the user who reported this problem that this fix works.

# wp-extplorer login or other problem fix
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-extplorer/ [NC]
RewriteRule . - [S=13]

Adminer BPS conflict fix – included in BPS .46.1
A simple .htaccess skip rule for Adminer is all that is required to resolve this plugin conflict. Copy and paste this .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor.

# Adminer MySQL management tool BPS conflict fix
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=12]

Peter’s Custom Anti-Spam Image plugin -included in BPS .46.1
A simple .htaccess skip rule for Peter’s Custom Anti-Spam Image plugin is all that is required to resolve this plugin conflict. Copy and paste this .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor.

# Peters Custom Anti-Spam Image fix
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
RewriteRule . - [S=10]

Stream Video Player – Unable to Add FLV Videos – 404 or 403 Errors – included in BPS .46.1 
A simple .htaccess skip rule for the Streaming Video Player plugin is all that is required to resolve this plugin conflict. Copy and paste this .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor.

# Stream Video Player - Adding FLV Video Blocked By BPS
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
RewriteRule . - [S=8]

My Calendar – overwrites root .htaccess code and causes other problems with BPS and other plugins
The plugin author is currently working on fixing this problem. Pending plugin Developer confirmation. To get around the problems with this plugin you can lock your root .htaccess file which will not allow this plugin to write to the root .htaccess file. I have no idea if the plugin will continue to work, but it will not interfere with BPS or any other plugins by locking the root .htaccess file.

XCloner – Settings page update causes a 404 or 403 error – included in BPS .46.2

A simple .htaccess skip rule fixes this issue. Copy and paste this .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor.

# XCloner 404 or 403 error when updating settings
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
RewriteRule . - [S=7]

XCloner – Cron Jobs not working – BPS Pro ONLY

The custom php.ini file that comes with BPS Pro has register_argc_argv turned Off by default >>>  register_argc_argv = Off.  For Cron jobs to work correctly change the register_argc_argv setting to On >>> register_argc_argv = On.

WP-Invoice – Updating / editing an Invoice generates a 403 error 

Requires 2 .htaccess skip rules – 1 in your Root .htaccess file and 1 in your wp-admin .htaccess file.  Copy and paste this .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor.  This .htaccess code should be added to your root .htaccess file before skip rule 12 [S=12].

# WP-Invoice query string Root skip rule
RewriteCond %{QUERY_STRING} page=wpi_(.*) [NC]
RewriteRule . - [S=13]

Copy and paste this .htaccess code below to Your Current wp-admin htaccess File using the built-in BPS File Editor.  This .htaccess code solution goes after # REQUEST METHODS FILTERED .htaccess code and before the start of the block of BPS security filters RewriteCond %{HTTP_USER_AGENT} …. in your wp-admin .htaccess file (not your Root .htaccess file).

# WP-Invoice query string wp-admin skip rule
RewriteCond %{QUERY_STRING} page=wpi_(.*) [NC]
RewriteRule . - [S=1]

WP-DBManager – Automatic backups not working – BPS Pro ONLY

The custom php.ini file that comes with BPS Pro has these php functions disabled by default in the disable_functions directive >>>  disable_functions = system, exec, passthru, shell_exec, show_source, popen, pclose, pcntl_exec.  WP-DBManager uses the system, exec and passthru functions.  To allow these php functions to be enabled / allowed on your website remove them from the disable_functions directive in your custom php.ini file >>> disable_functions = shell_exec, show_source, popen, pclose, pcntl_exec.

EZPZ One Click Backup – Backups not working – BPS Pro ONLY

The custom php.ini file that comes with BPS Pro has these php functions disabled by default in the disable_functions directive >>>  disable_functions = system, exec, passthru, shell_exec, show_source, popen, pclose, pcntl_exec.  EZPZ uses the exec function.  To allow the php function to be enabled / allowed on your website remove it from the disable_functions directive in your custom php.ini file >>> disable_functions = system, passthru, shell_exec, show_source, popen, pclose, pcntl_exec.

SecureDL – secure downloading plugin – Downloads are not working – file name is public_html – BPS Pro ONLY

Symptoms / problem:  You are seeing files named public_html instead of the file name that you should be seeing in the download.  The custom php.ini file that comes with BPS Pro has allow_url_fopen turned Off by default >>>  allow_url_fopen = Off.  SecureDL uses an URL fopen technique in order to securely download files.  To allow the URL fopen download technique to work correctly change the allow_url_fopen setting to On >>> allow_url_fopen = On.

Shopp e-commerce shopping cart plugin – Premium plugin

A simple .htaccess skip rule fixes this issue. Copy and paste this .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor.  If you are using another e-commerce shopping cart plugin then try this type of fix, replacing the name of the plugin folder with your shopping cart plugin’s folder name.  The S= # is very important.  It is an .htaccess Skip rule.  The skip rules are in descending order S=12, S=11, S=10, etc and this number order is very important.  If you add a plugin fix above Skip rule #11 (S=11) then your new skip rule will be S=12.  If you add another skip rule above S=12 it will be S=13.

# Shopp e-Commerce shopping cart skip rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/shopp/ [NC]
RewriteRule . - [S=12]

Event Espresso – 403 Forbidden Errors or 500 Errors – Unable to log back into website – included in .46.7
If you are using Event Espresso you may also need to delete the wp-admin .htaccess file or comment out all the security filters in the wp-admin .htaccess file.  You might also need to add an .htaccess Skip rule for this plugin in your root .htaccess file.  Pending new testing with the latest version of BPS – .46.8.

Cart66 e-commerce shopping cart plugin – Premium plugin
A simple .htaccess skip rule fixes this issue. Copy and paste this .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor.  If you are using another e-commerce shopping cart plugin then try this type of fix, replacing the name of the plugin folder with your shopping cart plugin’s folder name.  The S= # is very important.  It is an .htaccess Skip rule.  The skip rules are in descending order S=12, S=11, S=10, etc and this number order is very important.  If you add a plugin fix above Skip rule #11 (S=11) then your new skip rule will be S=12.  If you add another skip rule above S=12 it will be S=13.

# Cart66 AJAX Request skip rule
RewriteCond %{QUERY_STRING} cart66AjaxCartRequests=(.*) [NC]
RewriteRule . - [S=12]

Digi Auto Links plugin – Premium plugin
A simple .htaccess skip rule fixes this issue. Copy and paste this .htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor.  If you are using another plugin then try this type of Query String fix, replacing the name of the Query String with the Query String that is being blocked by BPS.  The S= # is very important.  It is an .htaccess Skip rule.  The skip rules are in descending order S=12, S=11, S=10, etc and this number order is very important.  If you add a plugin fix above Skip rule #11 (S=11) then your new skip rule will be S=12.  If you add another skip rule above S=12 it will be S=13.

# Digi Auto Links Approval Check Query String Skip Rule
RewriteCond %{QUERY_STRING} checkpostid=(.*) [NC,OR]
RewriteCond %{QUERY_STRING} checkapproved=(.*) [NC]
RewriteRule . - [S=12]
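The numbering rule described above follows from how Apache treats [S=N]: a matching rule skips the next N RewriteRule directives, so every skip rule in the stack has to land on the same point past the filters.  The checker below is an added example, not BPS code; it assumes all skip rules in the text it is given belong to one stack and that the bottom skip rule is numbered correctly.  The sample file and its stand-in filter rule are constructed.

```python
import re

# Constructed sample: three skip rules from this page stacked above one
# stand-in filter rule. The top rule kept a stale number (should be S=3).
SAMPLE_HTACCESS = """\
# Shopp e-Commerce shopping cart skip rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/shopp/ [NC]
RewriteRule . - [S=2]
# Cart66 AJAX Request skip rule
RewriteCond %{QUERY_STRING} cart66AjaxCartRequests=(.*) [NC]
RewriteRule . - [S=2]
# Digi Auto Links Approval Check Query String Skip Rule
RewriteCond %{QUERY_STRING} checkpostid=(.*) [NC,OR]
RewriteCond %{QUERY_STRING} checkapproved=(.*) [NC]
RewriteRule . - [S=1]
# Stand-in for the security filter rule (constructed, not BPS code)
RewriteCond %{QUERY_STRING} example_blocked_pattern [NC]
RewriteRule ^(.*)$ - [F,L]
"""

RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+\S+(?:\s+\[([^\]]*)\])?", re.I)
SKIP_RE = re.compile(r"^(?:S|skip)=(\d+)$", re.I)

def rewrite_rules(text):
    """Return [(line_no, skip_count_or_None)] for each RewriteRule, in order."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = RULE_RE.match(line)
        if not match:
            continue
        skip = None
        for flag in (match.group(1) or "").split(","):
            found = SKIP_RE.match(flag.strip())
            if found:
                skip = int(found.group(1))
        rules.append((line_no, skip))
    return rules

def skip_landings(text):
    """(line_no, N, index of the rule Apache evaluates next) per skip rule."""
    rules = rewrite_rules(text)
    return [(no, n, i + 1 + n) for i, (no, n) in enumerate(rules) if n is not None]

def misnumbered(text):
    """Skip rules that land elsewhere than the bottom skip rule of the stack,
    as (line_no, current_N, expected_N)."""
    landings = skip_landings(text)
    target = landings[-1][2] if landings else None
    return [(no, n, n + target - land) for no, n, land in landings if land != target]
```

In the sample, the Shopp rule on line 3 lands on the filter rule instead of past it, so requests it was meant to exempt are still filtered; misnumbered() reports it with the expected value S=3.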

RSS Link Bomber – Premium Plugin – Cron job is being blocked
This plugin uses wget to perform Cron jobs and wget is blocked in the root .htaccess file.  You can either allow wget by removing it from the BPS security filters (not recommended) or use lynx -source instead of wget -O, which is a safer alternative for the Cron command line.  You would simply replace the wget command line with lynx -source.

WP Twin AUTO BACKUP – Premium Plugin – Cron job is being blocked
This plugin uses wget to perform Cron jobs and wget is blocked in the root .htaccess file.  You can either allow wget by removing it from the BPS security filters (not recommended) or use lynx -source instead of wget -O, which is a safer alternative for the Cron command line.  You would simply replace the wget command line with lynx -source.

Ad Trackz Gold – unable to create or view files – BPS Pro ONLY
The custom php.ini file that comes with BPS Pro has allow_url_fopen turned Off by default >>>  allow_url_fopen = Off.  To be able to view or create files change the allow_url_fopen setting to On >>> allow_url_fopen = On.
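The WP-DBManager, EZPZ, SecureDL and Ad Trackz Gold fixes above each relax a default in the custom php.ini, and after several of them it is easy to lose track of what is still restricted.  The audit below is an added example, not BPS code: it compares a php.ini against the default disable_functions list quoted on this page and reports the effective allow_url_fopen value.  The sample php.ini is constructed.

```python
# Default list quoted on this page for the BPS Pro custom php.ini.
PAGE_DEFAULT_DISABLED = {"system", "exec", "passthru", "shell_exec",
                         "show_source", "popen", "pclose", "pcntl_exec"}

# Constructed php.ini after the WP-DBManager and SecureDL changes were applied.
SAMPLE_INI = """\
[PHP]
; disable_functions = system, exec, passthru, shell_exec, show_source, popen, pclose, pcntl_exec
disable_functions = shell_exec, show_source, popen, pclose, pcntl_exec
allow_url_fopen = Off
allow_url_fopen = On   ; changed for SecureDL
"""

def effective_directives(text):
    """Parse php.ini text; comments are dropped and the last assignment wins."""
    values = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # strip ';' comments
        if "=" not in line or line.startswith("["):
            continue                              # blank, section or junk line
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip().strip('"')
    return values

def audit(text):
    """Report functions re-enabled relative to the page's default list and
    whether allow_url_fopen is effectively On (PHP's default when unset)."""
    ini = effective_directives(text)
    disabled = {name.strip().lower()
                for name in ini.get("disable_functions", "").split(",")
                if name.strip()}
    fopen = ini.get("allow_url_fopen", "1").lower()
    return {
        "re_enabled": sorted(PAGE_DEFAULT_DISABLED - disabled),
        "allow_url_fopen": fopen in {"1", "on", "true", "yes"},
    }
```

For the sample, audit() reports exec, passthru and system as re-enabled and allow_url_fopen as On, which is the combined effect of the two fixes.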

Full Screen Background Images Pro – Premium plugin – Unable to upload images – Choose images is blocked with 403 error
To allow this plugin to use the WP media-upload.php file without being blocked by BPS add this .htaccess code below to Your Current wp-admin htaccess File (not your Root .htaccess file) using the built-in BPS File Editor.  If you are using another plugin that needs to use a standard WordPress file in the WP backend admin area and it is being blocked / protected by BPS then try this type of REQUEST_URI / file request fix, replacing the name of the file that is being requested.  This .htaccess code solution goes after # REQUEST METHODS FILTERED .htaccess code and before the start of the block of BPS security filters RewriteCond %{HTTP_USER_AGENT} ….   The skip rule says to skip the BPS security filters by using [S=1].  This skip rule is safe to use because the wp-admin area is already protected with WP Authentication security.

# Allow wp-admin files that are called by plugins
RewriteCond %{REQUEST_URI} (media-upload\.php) [NC]
RewriteRule . - [S=1]

Other Issues – WP Theme or other miscellaneous issues

Password Reset Problems – Login Plugins Password Reset or Redirection Conflicts – included in BPS .46.1

These .htaccess skip rules resolve any issues with login plugins that use a password reset.

# Login Plugins Password Reset And Redirect Conflicts Fix 1
RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
RewriteRule . - [S=4]

# Login Plugins Password Reset And Redirect Conflicts Fix 2
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=3]

Atahualpa Theme Export / Download blocked by BPS

In order to export / download your Theme settings you will need to put your site in Default Mode temporarily and then put your site back in BulletProof Mode after exporting / downloading your Theme settings.

BPS Menus or Other CSS Visual Style or Menus Not Displaying Correctly – Very minor issue
If another plugin is causing the BPS menus or other visual styles to not display correctly then please leave a comment and we will notify the plugin authors of the coding fix that is needed to fix this.  This post on Loading Plugin CSS and js scripts and styles in the WP Admin area provides the necessary fundamental plugin coding to fix this issue.  To add a temporary fix until the plugin author can fix this you can add the plugin’s stylesheet name to the FilesMatch section of your root htaccess file.  Example:  if the stylesheet name is jquery-ui-1.8.5.custom.css for that particular plugin then add it to the FilesMatch section like this |jquery-ui-1.8.5.custom\.css

PayPal IPN – PayPal IPN or PDT Scripts – No Known Conflicts Exist

If for some reason you are experiencing a problem with your PayPal IPN or PDT script then copy the BPS default.htaccess file to the folder where the PayPal IPN script is contained and rename the default.htaccess file to just .htaccess (removing default from the file name).  For testing, this completely rules out BPS as the cause of your PayPal IPN or PDT script being blocked.  There is no single standard type of PayPal IPN or PDT script and many custom PayPal IPN and PDT scripts exist.  The PayPal IPN or PDT script that you are using should ONLY open a secure SSL port 443 connection to a paypal.com server.  Therefore there is no need to secure the PayPal IPN or PDT script if for some reason BPS appears to be blocking the script.  It cannot be exploited as long as the ONLY connection allowed in your particular PayPal IPN or PDT script is a connection to / from a PayPal secured SSL server.

WPMU – multisite plugins – network plugins - General Fix

Contributed by the WPMU Dev website and Tom – The same general htaccess skip rule that you would use for standard WordPress plugins also applies to WPMU plugins.  In this specific example BPS was blocking the CAPTCHA images from displaying for the Comment Spam Pack MU plugin.  All that is required to fix this is to include the /mu-plugins folder name in the REQUEST_URI path as shown below.  The same general fix principle should work for all other MU plugins as well.

# Comment Spam Pack MU Plugin - CAPTCHA images not displaying
RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
RewriteRule . - [S=11]

Plugin 403 Forbidden Errors Troubleshooting

The plugin that is not working or that is being blocked is performing an action that BPS considers unsafe or violates the .htaccess security filters rules.  Creating an htaccess skip rule by either allowing a unique portion of the query string that is being blocked or by adding the plugin folder name in the skip rule will typically fix the issue.  Use the plugin fixes above as a reference to create plugin skip rules.

Fix for Infinite Loops in either your .htaccess files or coding – this is a general fix for Infinite Loops and does not pertain specifically to BPS

The error message related to Infinite Loops is this – Request exceeded the limit of 10 internal redirects due to probable configuration error. Use ‘LimitInternalRecursion’ to increase the limit if necessary. Use ‘LogLevel debug’ to get a backtrace.  Or you may see – Request exceeded the limit, probable configuration error, Use ‘LogLevel debug’ to get a backtrace or Use ‘LimitInternalRecursion’ to increase the limit if necessary.  The symptoms are that some php coding is looping infinitely, which causes extreme lag times or your website comes to a complete halt when trying to process a php script.

# .htaccess Fix for Infinite Loops
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule .* - [L]