BulletProof Security Free Version Plugin Guide – BPS Version .47.1 – .45.5

Author: AITpro Admin
Published: July 20, 2010
Updated: October 6, 2012

Troubleshooting BulletProof Security plugin issues:

If you think BPS is causing a plugin conflict or any other issue on your website then please use the steps below to take BPS out of the equation completely for testing (there is no need to deactivate BPS; it has a built-in Default Mode). If you find that BPS does have a conflict with another plugin then please check the BulletProof Security Plugin Compatibility Issues – Testing and Fixes Page (link above) to see if a fix (bypass/skip rule) is already listed. If your plugin is not listed and you have confirmed that BPS is definitely causing a conflict then please post a comment on the Questions, Comments, Problems & Wishlist Page (link above). Thank you.

1. Make a backup of your .htaccess files using BPS Backup.
2. Activate Default Mode on the Security Modes page.
3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
4. Test your plugin or theme.
5. Restore your .htaccess files using BPS Restore.

To completely uninstall BPS you would do steps 2 and 3 above and then just delete the BPS plugin on the WP Plugins page.

NOTE: Both the Root BulletProof Mode and the wp-admin BulletProof Mode MUST be activated at the same time/together. If you do not activate the wp-admin BulletProof Mode then some wp-admin Dashboard functions may not work correctly, such as configuring Widgets or activating and deactivating plugins.

 

AutoMagic is not working / not creating Master .htaccess files, or you are unable to use the built-in .htaccess file editor, or you are unable to Backup or Restore files

Most likely the cause of this is that your Server API is DSO and not CGI. You can check your Server API on the BPS System Info tab page. If your Server API is DSO then some of the automated features in BPS will not work correctly because of the way ownership permissions are handled on DSO configured Servers: PHP runs as the web server user rather than as the account that owns your files, so it cannot write to them. You will unfortunately need to manually perform the steps below using FTP. At some point a future version of BPS will have coding that compensates for this so the automation also works for DSO configured Servers.

To Create the secure.htaccess file with AutoMagic
  – Change permissions of the secure.htaccess file to 777 – /wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess.
To Activate BulletProof Mode for your Root folder
  – Change permissions of your Root htaccess file to 777 – /your-website-root-folder/.htaccess.
To Activate BulletProof Mode for your wp-admin folder
  – Change permissions of the wp-admin htaccess file to 777 – /your-website-root-folder/wp-admin/.htaccess.
Activate Deny All htaccess Folder Protection For The BPS Master htaccess Folder
  – Change permissions of the /wp-content/plugins/bulletproof-security/admin/htaccess folder to 777.
Activate Deny All htaccess Folder Protection For The BPS Backup Folder
  – Change permissions of the /wp-content/bps-backup/htaccess file to 777.
Backup Your Currently Active .htaccess Files
  – Change /bps-backup folder permissions to 777 – /wp-content/bps-backup.
Backup Your BPS Master .htaccess Files
  – Change /master-backups folder permissions to 777 – /wp-content/bps-backup/master-backups.

Once you have completed the installation steps above, change the permissions of both .htaccess files back to 644 and change all of your folder permissions back to 755 (or whatever you previously had for those folder permissions); leaving them at 777 means any process on the server can modify them. Another option is to manually download the secure.htaccess file, the wpadmin-secure.htaccess file and the deny-all.htaccess file and then use FTP to upload the files to where they should be.
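The permission logic behind the DSO problem above, as an added example that is not part of the guide or of the plugin: under a DSO Server API PHP runs as the web server user rather than as the FTP account that owns the files, so AutoMagic cannot write until the mode lets "other" write, which is exactly what the 777 workaround grants and why the guide says to revert afterwards. The uids are constructed values.

```python
import os
import stat

# Paths the guide tells DSO users to open up by hand, mapped to the modes the
# guide says to restore once setup is done (644 for files, 755 for folders).
BPS_PATHS = {
    "/wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess": 0o644,
    "/your-website-root-folder/.htaccess": 0o644,
    "/your-website-root-folder/wp-admin/.htaccess": 0o644,
    "/wp-content/plugins/bulletproof-security/admin/htaccess": 0o755,
    "/wp-content/bps-backup": 0o755,
    "/wp-content/bps-backup/master-backups": 0o755,
}


def can_write(mode: int, file_uid: int, file_gid: int, proc_uid: int, proc_gids) -> bool:
    """Classic Unix write check for a non-root process identity:
    owner bits if the uid matches, else group bits if the gid matches,
    else the 'other' bits."""
    if proc_uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def assess(mode: int, file_uid: int, file_gid: int, php_uid: int, php_gids) -> str:
    """Classify a BPS file or folder from the PHP process's point of view.

    "ok"             PHP can write it and it is not world-writable (CGI/suPHP case)
    "not-writable"   PHP cannot write it: the DSO symptom behind broken AutoMagic
    "world-writable" writable only because of the 777 workaround; revert after setup
    """
    if mode & stat.S_IWOTH:
        return "world-writable"
    return "ok" if can_write(mode, file_uid, file_gid, php_uid, php_gids) else "not-writable"


def assess_file(path: str, php_uid: int, php_gids) -> str:
    """Same classification read from a real path on disk."""
    st = os.stat(path)
    return assess(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, php_uid, php_gids)


if __name__ == "__main__":
    ftp_user, apache = 1001, 48  # constructed uids: FTP file owner vs. DSO web server user
    for path, restore_mode in BPS_PATHS.items():
        dso_before = assess(restore_mode, ftp_user, ftp_user, apache, {apache})
        dso_after = assess(0o777, ftp_user, ftp_user, apache, {apache})
        cgi = assess(restore_mode, ftp_user, ftp_user, ftp_user, {ftp_user})
        print(f"{path}: DSO={dso_before}, DSO after chmod 777={dso_after}, CGI={cgi}")
```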

All information below this point is older BulletProof Security version information. Everything in BPS has been automated since the release of BPS .46.5, so the information below is obsolete. This Guide page will be kept for SEO purposes. A new, current BPS troubleshooting page can be found here >>> http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/

 

 

*** BulletProof Security .46.3 – HUD now checks the root .htaccess file for any conflicts with W3TC and WPSC.  The Heads Up Display will display a warning or error message with instructions on what needs to be done to fix any root htaccess conflicts ***

*** BulletProof Security .46.2 – AutoMagic .htaccess file creation so most of the guide is still helpful for manual editing info or other various references, but setup and installation is now completely automated *** 

BulletProof Security can be installed if you are using an IIS server for web hosting, but only install BulletProof on a Windows IIS server if you absolutely understand IIS hosting very well.  BPS has a new Heads Up Display (HUD), which will tell you if you can activate BulletProof Security Modes. In most IIS cases you will only be able to use the additional features in BulletProof Security, but not be able to activate BulletProof Security Modes. IIS does not natively support mod_rewrite. This is a UNIX / Linux thing. Check with your web host and also read this WordPress Codex for more information on using Permalinks without mod_rewrite.


BulletProof Security .46.8 Specs

BulletProof Security .46.8 PHP Memory Usage > 100KB > .10MB

BulletProof Security .46.8 Total Disk Size > .98MB

BulletProof Security .46.8 Performance > Zero front end drag > Zero back end drag > Zero page load time added

 

BulletProof Security .46.4 Features

BulletProof Security is essentially a website Firewall for your website. The filters contained in the BulletProof Security master htaccess files will not allow malicious scripts to be run against your website. When the BulletProof Security filters detect malicious scripts either by a user or a bot they are immediately redirected to a Forbidden page. This could also be your 404 page if you want to add that path to your 404 page in the BulletProof Security master htaccess files.

As of BulletProof Security .46.3 – W3TC and WPSC HUD checks
As of BulletProof Security .46.3 the Maintenance Mode Form options are saved to the DB
As of BulletProof Security .46.2 everything is AutoMagic and Full Manual Control is still available
As of BulletProof Security .46.1 Maintenance Mode is AutoMagic
As of BulletProof Security .45.8 permanent online backup solution provided.
* Permanent Backup and Restore options added – permanent online backup and restore
* Permanent Backup and Restore for all .htaccess files
* Permanent Backup and Restore for File Uploader and File Downloader setup settings
* Additional new .htaccess coding and modifications added to the BulletProof Security master .htaccess files
* New plugin conflict permanent fixes added to the secure.htaccess Master file
* WordPress readme.html and /wp-admin/install.php are now protected by BulletProof Security
* Improved Success / Error messaging – more detailed success / error messages displayed
* New Help and FAQ links added – New detailed Help and Info pages created

BulletProof Security – jQuery UI Tabbed Menu

The new BulletProof Security jQuery UI tabbed menu is using the default jquery-ui-tabs script included with WordPress. The menu buttons have CSS hover effects for better visual and functional navigation.

BulletProof Security – Security Features

All SQL Injection hacking attempts blocked by htaccess protection
All XSS hacking attempts blocked by htaccess protection
wp-config.php is .htaccess protected by BPS
php.ini and php5.ini are .htaccess protected by BPS
WordPress readme.html file is .htaccess protected by BPS
WordPress /wp-admin/install.php file is .htaccess protected by BPS
Options -Indexes ensures directory browsing is not allowed
BulletProof Security File Editor – Edit BPS Files from within The WP Dashboard
BulletProof Security File Downloader – Download Files from within The WP Dashboard
BulletProof Security File Uploader – Upload Files from within The WP Dashboard
Deny All htaccess protection for your BPS Master /htaccess folder
Deny All htaccess protection for your BPS htaccess /backup folder
WordPress DB Show Errors Function Is Set To: false
WordPress Database Errors Are Turned Off
WordPress Meta Generator Tag Removed
WordPress Version Is Not Displayed / Not Shown
Default Administrator username “admin” account check
File and Folder Permission Checks
Online – Permanent Backup & Restore for .htaccess and setup files
503 Website Maintenance Mode – Enter your website info and activate
Log In / Out of your Website in Maintenance Mode
 
BulletProof Security – System Information Panels
 
Website / Server / IP Info:
Website Root Folder:
Website Document Root Path:
WP ABSPATH:
Server / Website IP Address:
Public IP / Your Computer IP Address:
Server Type:
Operating System:
Multisite:
Browser Compression Supported:
PHP Version Check:
 
BulletProof Security – PHP Information:
 
PHP Version:
PHP Memory Usage:
PHP Memory Limit:
PHP Max Upload Size:
PHP Max Post Size:
PHP Safe Mode:
PHP Allow URL fopen:
PHP Allow URL Include:
PHP Display Errors:
PHP Display Startup Errors:
PHP Expose PHP:
PHP Register Globals:
PHP Max Script Execution Time:
PHP Magic Quotes GPC:
PHP open_basedir:
PHP XML Support:
PHP IPTC Support:
PHP Exif Support:
 
SQL Database / Permalink Structure / WP Installation Folder
 
MySQL Database Version:
MySQL Client Version:
Database Host:
Database Name:
Database User:
SQL Mode:
WordPress Installation Folder:
WordPress Installation Type:
WP Permalink Structure:
Permalinks Enabled:
 

Everything after this point is old BulletProof Security version information – everything in BPS is automated these days, but if you are looking for some manual instructions or other info, read on. After the release of BPS .46.5 a lot of this information is obsolete. This content will remain for SEO purposes and should not be used as a guide or help for current BPS free versions.

Step 1 – BulletProof Security – Install and Activate BulletProof Security

BulletProof Security now has AutoMagic .htaccess file creation so setup and installation is completely automated. The BulletProof Security Guide should be used as a reference for manual .htaccess file editing and other various questions you may have about BPS.
First off, do not let the amount of help info contained in the BulletProof Security guide make you think that BulletProof Security is a complicated and difficult plugin to install, set up or use. On the contrary, the BulletProof Security plugin is a very simple and easy plugin to install, set up and use. If your WordPress installation is in your website root folder then you do not need to do anything – just install and activate BulletProof Security Modes (please read Step 2 just to be absolutely sure). BulletProof Security has backup and restore, so be sure to perform a backup before activating BulletProof Security Modes for the first time. If your WordPress installation is in a subfolder off the root of your website domain then you will need to add the WordPress folder name (the folder name where WordPress is installed on your website) to the BulletProof Security master htaccess files before activating BulletProof Security Modes.

*Installing the BulletProof Security plugin only installs the plugin files – No website security protection is activated on installation of the BulletProof Security Plugin. This also means that when you upgrade BulletProof Security your existing BulletProof Security .htaccess files are not changed until you activate the newer BulletProof Security .htaccess files. For people who are installing BulletProof Security for the first time please read Step 2 before activating BulletProof Security modes.*

BulletProof Security Settings Page

After installing BulletProof Security click on the Settings link directly under BulletProof Security in the main Plugins options window or go to the WordPress Settings panel and click on the BulletProof Security link. Either link takes you to the same BulletProof Security Settings page. If you are performing a new installation of BulletProof Security please read Step 2 before activating any BulletProof Security modes.

*If you are upgrading BulletProof Security perform a backup using BulletProof Security Backup and Restore. As of BulletProof Security .45.8 the backups are permanent and you can restore those backups after upgrading. You can of course also use the BulletProof Security File Downloader to make local backups to your computer before upgrading * Backed up files are located and stored here >>> /wp-content/bps-backup/ .

Step 2 – BulletProof Security – Checking and Determining Whether Your WordPress Installation Is In Your Website Domain Root or In a Subfolder of Your Website Domain Root

It is absolutely critical that you add the correct RewriteBase and RewriteRule in the BulletProof Security .htaccess files for WordPress to function normally. As of BulletProof Security .46.2 AutoMagic .htaccess file creation has been added so that creating the correct .htaccess files for your specific website is fully automated. Most of the guide pertains to manually configuring or manually editing BulletProof Security and other various questions you might have. You can now just use the BulletProof Security Guide as a reference if you run into any issues instead of as a setup or installation guide. Also WordPress will generate the correct .htaccess code for you automatically – read the fast, simple and automated method below. But this method of generating .htaccess code is not needed any longer since BPS AutoMagic will do that for you. I have also included instructions on doing this manually – if you are using the manual method of adding your RewriteBase and RewriteRule for WordPress then please read all of Step 2 first before activating any BulletProof Security Modes. BulletProof Security .46.2 will do all of this for you automatically. The expected release date for BulletProof Security .46.2 is 4-26 to 5-1.

BulletProof Security – The fast, simple and automated method of generating the correct WordPress .htaccess code for your website

BulletProof Security now has AutoMagic .htaccess file creation so this is no longer necessary. If you are already using WordPress permalinks go to your Settings Panel >>> click Permalinks >>> click the Save Changes button. WordPress automatically writes the correct .htaccess code to Your Current Root htaccess File. Now go to the BulletProof Security File Editor and click on the Your Current Root htaccess File menu tab and you will see the new .htaccess code that WordPress has written to Your Current Root htaccess File. You can then just copy and paste that WordPress .htaccess code to the secure.htaccess master file using the File Editor and click the Update File button to save your editing changes. You can now activate BulletProof Security Mode.

The .htaccess code that WordPress writes to Your Current Root htaccess File (your .htaccess code may look slightly different):

# BEGIN WordPress
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If you are not using WordPress permalinks yet (every WordPress website should be using a custom permalink structure for better performance and SEO reasons) then take a look at this post for instructions on why and how to add a custom permalink structure for your website >>> Best WordPress Permalink Structure

Note: At some point in later versions of BulletProof Security the plugin fixes in the secure.htaccess file will be written to automatically (AutoMagic Mode). For now the additional plugin fixes will require manual editing ONLY if your WordPress installation is in a subfolder. This is NOT required for WordPress websites that are installed in the website domain root folder. See Modifying the BulletProof Security htaccess Master Files.

BulletProof Security – Information on Manually adding the correct .htaccess RewriteBase and RewriteRule for WordPress

After installing BulletProof Security click on the System Info Menu

Under the Website / Server / IP Info table you will see your website root folder listed.

1. Examples of Website Root Folders in the root of a website domain – WordPress Root Folder Installations where WordPress is installed into the root folder not a subfolder of the website domain

This example shows that this website root folder is also the root of this website domain. This is also the root folder for the WordPress installation in this example.

Website Root Folder: http://www.ait-pro.com/

More examples of Website Root Folders in the root of a website domain:

http://ait-pro.com/ – Same as above just without a prefix

http://blog.ait-pro.com/ – this one fools a lot of people – this is still a website root folder in the root of a website domain and not a subfolder.

2. Subfolder Examples of Website Root Folders in the root of a website domain – The difference is that WordPress is installed in a Subfolder off of the root website folder

This example shows that the “blog” folder is a subfolder of the root of this website domain. This is also considered the root folder for the WordPress installation. The wording is confusing I know.

Website Root Folder: http://www.ait-pro.com/blog/

More subfolder examples:

http://ait-pro.com/blog/ – no www. prefix, but the blog folder is a folder created in the ait-pro.com website domain root, which makes it a subfolder.

http://blog.ait-pro.com/other-folder/ – this is a subfolder WordPress installation not because of the blog prefix, but because of the folder named “other-folder” created in the website root domain of blog.ait-pro.com

Double Prefix naming mistake

http://www.blog.ait-pro.com/my-blog-folder/ – if your Website Root Folder shows 2 prefixes (www and blog) then this is a mistake that needs to be corrected in your Settings Panel > General Settings page. The subfolder in this example would be /my-blog-folder.

If your Website Root Folder is in the root of your website domain shown in example 1, then you do not need to make any modifications to the BulletProof Security master files. Go to Step 3.

IMPORTANT!

If your Website Root Folder is in a subfolder of the root of your website domain shown in example 2, then you will have to make modifications to the BulletProof Security master .htaccess files by adding your WordPress subfolder name to the BulletProof Security .htaccess files. You can use the WordPress update permalinks method to generate the correct .htaccess code for your website or you can just do this manually. Do not proceed to Step 3. Click on this link instead >>> Modifying the BulletProof Security master .htaccess files for WordPress installations in subfolders.

Step 3 – BulletProof Security – Checking and Making a Note of Red Warning Messages Displayed on the Security Status page

The warning or error messages you will see in BulletProof Security are intuitive and should be fairly self explanatory on what you need to do next. When you first install BulletProof Security you will see red warning messages informing you of what has been done or what has not been done yet or if you have any problems. You are just making a note of warnings and errors in steps 3 and 4 and mostly this is just to reassure people that seeing red warning messages when you first install BulletProof Security is completely normal.

Click on the Status menu tab and make a note of any red warning messages you see. You may see warnings such as these:

The .htaccess file that is activated in your root folder is:
string(45) “EGIN WordPress Rew”
 
√ wp-config.php is .htaccess protected by BPS
√ php.ini and php5.ini are .htaccess protected by BPS
 
Deny All protection NOT activated for BPS Master /htaccess folder
Deny All protection NOT activated for /wp-content/bps-backup folder
 
NO .htaccess file was found in your /wp-admin folder
 
After you have activated BulletProof Modes and Deny All protection you should see this
 
The .htaccess file that is activated in your root folder is:
string(45) ” BULLETPROOF .45.8 >>>>>>> SECURE .HTACCESS “
 
√ wp-config.php is .htaccess protected by BPS
√ php.ini and php5.ini are .htaccess protected by BPS
 
√ Deny All protection activated for BPS Master /htaccess folder
√ Deny All protection activated for /wp-content/bps-backup folder
 
The .htaccess file that is activated in your /wp-admin folder is:
string(45) ” BULLETPROOF .45.8 WP-ADMIN SECURE .HTACCESS “
 
Warnings Under General BulletProof Security File checks
 
√ An .htaccess file was found in your root folder
√ An .htaccess file was found in your /wp-admin folder
√ A default.htaccess file was found in the /htaccess folder
√ A secure.htaccess file was found in the /htaccess folder
√ A maintenance.htaccess file was found in the /htaccess folder
√ A bp-maintenance.php file was found in the /htaccess folder
√ A wpadmin-secure.htaccess file was found in the /htaccess folder
Your Current Root .htaccess file is NOT backed up yet
Your Current wp-admin .htaccess File is NOT backed up yet
Your File Upload settings are NOT backed up yet
Your File Download settings are NOT backed up yet
Your File Upload settings are NOT backed up yet
Your BPS Master default.htaccess file is NOT backed up yet
Your BPS Master secure.htaccess file is NOT backed up yet
Your BPS Master wpadmin-secure.htaccess file is NOT backed up yet
Your BPS Master maintenance.htaccess file is NOT backed up yet
Your BPS Master bp-maintenance.php file is NOT backed up yet
 

Step 4 – BulletProof Security – Checking and Noting red warning messages on the Backup & Restore page

Click on the Backup & Restore menu tab. At the bottom of the BulletProof Security Backup & Restore page under the “Current Backed Up .htaccess Files Status” window you should see warning messages such as these:

√ An .htaccess file was found in your root folder
NO .htaccess file was found in your /wp-admin folder
 
Your Root .htaccess file is NOT backed up either because you have not done a Backup yet, an .htaccess file did NOT already exist in your root folder or because of a file copy error. Read the “Current Backed Up .htaccess Files Status Read Me” hover ToolTip for more specific information.
 
Your wp-admin .htaccess file is NOT backed up either because you have not done a Backup yet, an .htaccess file did NOT already exist in your /wp-admin folder or because of a file copy error. Read the “Current Backed Up .htaccess Files Status Read Me” hover ToolTip for more specific information.
 
Your default.htaccess Master file has NOT been backed up yet!
Your secure.htaccess Master file has NOT been backed up yet!
Your wpadmin-secure.htaccess Master file has NOT been backed up yet!
Your maintenance.htaccess Master file has NOT been backed up yet!
Your bp-maintenance.php Master file has NOT been backed up yet!
 

Step 5 – BulletProof Security – Backup, Restore and Activation of BulletProof Security Modes

Step 5 is in need of updating – this information was written for older versions of BulletProof Security, but the general principles are still pretty much the same.

BulletProof Security now has AutoMagic .htaccess file creation so the updating Permalinks method is no longer necessary. Looking for the fast, simple and automated installation method >>> Updating WordPress Permalinks to generate your correct htaccess code

Note: As of BulletProof Security .45.8 permanent online backup options have been added. As of BulletProof Security .45.7 you can now use the File Editor to copy and paste from your old htaccess files to your new htaccess files and Download and Upload the BulletProof Security files from within the WordPress Dashboard.

These are the 3 most common scenarios for new installations of BulletProof Security. Find the example scenario that matches what you want to do and follow the steps of that particular backup and activation scenario.

Example Scenarios:

BulletProof Security – Scenario 1

You want to make sure that you have backups of your existing htaccess files before activating any BulletProof Security Modes.

Perform a Backup now. I also recommend downloading your existing .htaccess files as an additional backup precaution. Next click on the Security Modes menu tab. Select BulletProof Mode for your website Root folder and click the activate button. Now open another separate browser window or separate browser tab. Do not leave your WordPress Dashboard yet. Make sure that your website is viewable and click on links to pages and posts to test that links are working correctly. If everything is working fine then activate BulletProof Mode for the /wp-admin folder.

If you were not able to view your site in the step above or links were not working correctly then perform a Restore by clicking on the Backup and Restore menu tab and select Restore htaccess files and click the Restore Files button. Your website is now back where it was before you activated any BulletProof Modes. At this point you will need to figure out what the issue is with your website that is causing BulletProof not to work correctly. The two most common issues are that your WordPress installation is actually in a subfolder or you are using two domain prefixes (www.blog.website.com – www and blog together being the 2 prefixes). Another common problem is that your website is running PHP4 not PHP5. The guide explains the most common problems and solutions. For assistance please post a comment – you should hear back from Ed within an hour or so. ;)

BulletProof Security – Scenario 2

The most common scenario is that you have an existing .htaccess file in your website root folder, but not in your /wp-admin folder and you are not concerned about saving or backing up the existing .htaccess file. Back it up anyway. ;)

You have a choice here of performing a Backup to back up just your existing root .htaccess file and leave the red warning message the way it is for the /wp-admin folder. It is not a critical thing either way. This is more of a cosmetic thing if you don’t like seeing red warning messages.

Or

Recommended: You can click on the Security Modes menu tab and activate BulletProof mode for just your /wp-admin folder – this generates a new htaccess file for your /wp-admin folder. Now go back to the Backup & Restore menu tab and click the One Time Backup button. This means that you backed up your original existing .htaccess file that was in your website root folder and also backed up the new .htaccess file that you just created by activating BulletProof mode for your /wp-admin folder. I also recommend downloading your existing .htaccess file as an additional backup precaution. This method is just basically a way to get rid of the red error message regarding a wp-admin .htaccess file being backed up or not on the Backup and Restore page. ;)

You should now see these green status messages displayed in the “Current Backed Up .htaccess Files Status” window and all green status messages on the Security Status page.

√ An .htaccess file was found in your root folder

√ An .htaccess file was found in your /wp-admin folder

Your original root .htaccess file is backed up.

Your original /wp-admin .htaccess file is backed up.

You can now activate BulletProof Mode for your website root folder. Click on the Security Modes menu. Activate BulletProof Mode in your website root folder. Now open another separate browser window or separate browser tab. Do not leave your WordPress Dashboard yet. Make sure that your website is viewable and click on links to pages and posts to test that links are working correctly. If everything is working fine then you are good to go.

If you were not able to view your site in the step above or links were not working correctly then perform a Restore by clicking on the Backup and Restore menu tab and select Restore htaccess files and click the Restore Files button. Your website is now back where it was before you activated any BulletProof Modes. At this point you will need to figure out what the issue is with your website that is causing BulletProof not to work correctly. The two most common issues are that your WordPress installation is actually in a subfolder or you are using two domain prefixes (www.blog.website.com – www and blog together being the 2 prefixes). Another common problem is that your website is running PHP4 not PHP5. The guide explains the most common problems and solutions. For assistance please post a comment – you should hear back from Ed within an hour. ;)

BulletProof Security – Scenario 3

You do not have any existing .htaccess files in either your website root folder or /wp-admin folders.

Nothing to Backup so you can now just go to the Security Modes menu tab and activate BulletProof Modes for both your website root folder and /wp-admin folders.

Check to make sure everything is working fine. Open another separate browser window or separate browser tab. Do not leave your WordPress Dashboard yet. Make sure that your website is viewable and click on links to pages and posts to test that links are working correctly. If everything is working fine then you are good to go.

If you run into a problem here then FTP to your website and delete the .htaccess file in your website root folder. Since you did not have any original htaccess files to begin with you will not be able to use the Restore feature.

At this point you will need to figure out what the issue is with your website that is causing BulletProof not to work correctly. The two most common issues are that your WordPress installation is actually in a subfolder or you are using two domain prefixes (www.blog.website.com – www and blog together being the 2 prefixes). Another common problem is that your website is running PHP4 not PHP5. The guide explains the most common problems and solutions. For assistance please post a comment – you should hear back from Ed within an hour. ;)

BulletProof Security – Modifying The BulletProof Security .htaccess Master Files For Website Owners With WordPress Installations In Subfolders

The fast, simple and automated method of generating the correct WordPress .htaccess code for your website

BulletProof Security now has AutoMagic .htaccess file creation so this is no longer necessary. If you are using WordPress permalinks go to your Settings Panel >>> click Permalinks >>> click the Save Changes button. WordPress automatically writes the correct .htaccess code to Your Current Root htaccess File. Now go to the BulletProof Security File Editor and click on the Your Current Root htaccess File menu tab and you will see the new .htaccess code that WordPress has written to Your Current Root htaccess File. You can then just copy and paste that WordPress .htaccess code to the secure.htaccess master file using the File Editor and click the Update File button to save your editing changes. You can now activate BulletProof Security Mode.

If you are not using WordPress permalinks yet (every WordPress website should be using a custom permalink structure for better performance and SEO reasons) then take a look at this post for instructions on why and how to add a custom permalink structure for your website >>> Best WordPress Permalink Structure

Note: As of BulletProof Security .45.8 permanent online backup options are available. As of BulletProof Security .45.7 you can now Edit the BulletProof Security htaccess files within the WordPress Dashboard with the new BulletProof Security File editor. BulletProof Security now also has File Download and File Upload from within the WordPress Dashboard.

If your WordPress installation is in a subfolder of your website root domain then you will need to modify these 3 BulletProof Security master .htaccess files: default.htaccess, secure.htaccess and maintenance.htaccess. Once you have made all of the necessary modifications to these 3 files you can proceed back to Step 3. These modifications should only take you about 10 minutes. I have overexplained this step so that there are no misunderstandings about what needs to be modified. Skip to the examples and if they make sense to you then you don't need to read all the additional explanations here.

In these examples WordPress is installed in a folder called my-blog-folder. The website domain is called my-website-domain.com. If WordPress was installed in just the root website folder of www.my-website-domain.com/ then you would not need to modify any of the htaccess files. It is also of course possible that you have 2 WordPress installations (or possibly many more) – 1 in your root website domain folder – my-website-domain.com and another WordPress installation in your my-blog-folder. If this is the case then you are actually installing BulletProof Security on 2 separate WordPress websites and only the my-blog-folder WordPress website would need to have the htaccess master files modified for a WordPress subfolder installation. If you have a WordPress multisite (WPMU) set up then see the Multisite help section.

For this example WordPress is installed here in this subfolder >>> www.my-website-domain.com/my-blog-folder

This example assumes you have chosen to manually enter your RewriteBase and RewriteRule folder name. You can have WordPress automatically generate your RewriteBase and RewriteRule folder paths if you are not 100% sure of what they are supposed to be (see Updating or Creating WordPress Custom Permalinks).

Click on the BulletProof Security Upload/Download/Edit menu tab. You will see a BulletProof Security File Editing window with several menu tabs with the names of all of the .htaccess files that can be edited (read more about the BulletProof Security File Editing window). Click on the “Your Current Root htaccess File” tab. This is your actual currently active root .htaccess file for your website. If you don’t have an .htaccess file then you will not see any file contents – the window will display a message that you do not have an .htaccess file if one does not actually exist yet. If you choose to use the update permalinks method of automatically generating your correct RewriteBase and RewriteRule folder paths then this is the .htaccess file that WordPress will write to, or create if none exists yet.

The first file you should edit is the secure.htaccess master file. Click on the secure.htaccess menu tab. You are now viewing the BulletProof Security Master secure.htaccess file that will become “Your Current Root htaccess File” once you have activated BulletProof Security Mode for your Root folder. Follow the modification examples below replacing the example folder name of “my-blog-folder” with your actual WordPress installation folder name (the folder where your WordPress installation is installed on your website).

This example is using “my-blog-folder” as the name of the example folder (subfolder) where WordPress is installed. If WordPress is installed in your website domain root folder then you will not be adding a folder name to the master htaccess files. If you are not using any of the plugins listed in the plugin fixes section of the secure.htaccess file then you don’t need to add the my-blog-folder name to them.

BulletProof Security Example: secure.htaccess file modifications

  #   BULLETPROOF .45.8 >>>>>>> SECURE .HTACCESS
  # If for some strange reason your host does not have +FollowSymlinks enabled by default at
  # the root level then you will need to enable Options +FollowSymlinks for mod_rewrite to work.
  # If you are getting HTTP Error 500 Internal server errors and you have checked to make sure
  # everything else is set correctly then remove the # sign in front of Options +FollowSymlinks
  # below. If you are still getting 500 errors then immediately put the # sign back. All hosts
  # these days should have this enabled by default. Enabling this will actually cause 500 server
  # errors if your host has this enabled so you should probably never have to remove the # sign.
  # Options +FollowSymlinks
  # These are some common Apache Directives to force PHP5 to be used instead of PHP4
  # Some web hosts have very specific directives - check with your web host first
  # Remove the pound sign in front of AddType x-mapp-php5 .php for 1&1 web hosting
  # AddType x-mapp-php5 .php
  # Other common possibilities depending on your web host - check with your web host first
  # AddHandler application/x-httpd-php5 .php
  # AddHandler cgi-php5 .php

  Options -Indexes

  # BEGIN WordPress

  RewriteEngine On
  RewriteBase /my-blog-folder/
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /my-blog-folder/index.php [L]

  # END WordPress

  # If you want to add a custom 403 Forbidden page for your website uncomment the
  # ErrorDocument line of code below and copy the ait-pro.com example forbidden
  # HTML page to your correct website folder. See the BPS Help and FaQ page for
  # detailed instructions on how to do this.
  # ErrorDocument 403 /forbidden.html

  # Plugin conflicts will be handled case by case
  # Leave the plugin fixes code intact just in case you install one of these plugins
  # at a later time. Thousands of lines of htaccess code can be read in milliseconds
  # so leaving the code intact does not slow down your website performance at all.
  # Thousands of plugins have been tested with BPS and the plugin conflict fixes
  # contained in this BPS master file are permanent fixes for conflicts found with
  # these plugins.

  # BuddyPress Logout Redirect fix - skip BPS Filters on Logout link Redirect
  # WordPress 3.0.4 or higher must be installed for this fix to work

  RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
  RewriteRule . - [S=30]

  # SFC Simple Facebook Connect Redirect Fix
  # Also fixes any other plugins that use the redirect_to= string
  RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
  RewriteRule . - [S=30]

  # Ozh' Admin Drop Down Menu Display Fix
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/ozh-admin-drop-down-menu/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/ozh-admin-drop-down-menu/ [NC]
  RewriteRule . - [S=30]

  # ComicPress Manager ComicPress Theme Image Fix
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/comicpress-manager/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/comicpress-manager/ [NC]
  RewriteRule . - [S=30]

  # TimThumb Thumbnail Images not displaying - Red X instead of Images
  # If your theme uses TimThumb and the file is called something else like thumb.php then change the filename below
  RewriteCond %{REQUEST_FILENAME} timthumb(.*) [NC]
  RewriteRule . - [S=30]

  # YAPB (Yet Another Photoblog)
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/yet-another-photoblog/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/yet-another-photoblog/ [NC]
  RewriteRule . - [S=30]

  # WordPress.com Stats Flash SWF Graph Does Not Load Fix
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteCond /blog/wp-content/plugins/stats/ [NC]
  RewriteCond %{REQUEST_URI} ^/my-blog-folder/wp-content/plugins/stats/ [NC]
  RewriteRule . - [S=30]

  # podPress rewrite ?feed=podcast as /feed/podcast
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/podcast/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=podcast [NC]
  RewriteRule (.*) /my-blog-folder/feed/podcast/$1? [R=301,L]

  # podPress rewrite ?feed=enhancedpodcast as /feed/enhancedpodcast
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/enhancedpodcast/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=enhancedpodcast [NC]
  RewriteRule (.*) /my-blog-folder/feed/enhancedpodcast/$1? [R=301,L]

  # podPress rewrite ?feed=torrent as /feed/torrent
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/torrent/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=torrent [NC]
  RewriteRule (.*) /my-blog-folder/feed/torrent/$1? [R=301,L]

  # podPress rewrite ?feed=premium as /feed/premium
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # If you have WordPress installed in a subfolder you will need to add the
  # subfolder name to the RewriteRule (.*) /blog/feed/premium/$1? [R=301]
  RewriteCond %{QUERY_STRING} feed=premium [NC]
  RewriteRule (.*) /my-blog-folder/feed/premium/$1? [R=301,L]

  # FILTER REQUEST METHODS
  RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
  RewriteRule ^(.*)$ - [F,L]

  # QUERY STRING EXPLOITS
  RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
  RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
  RewriteCond %{QUERY_STRING} tag\= [NC,OR]
  RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
  RewriteCond %{QUERY_STRING} http\:  [NC,OR]
  RewriteCond %{QUERY_STRING} https\:  [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
  RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
  RewriteRule ^(.*)$ - [F,L]

  # Deny Access to wp-config.php, /wp-admin/install.php, all .htaccess files
  # php.ini, php5.ini and the WordPress readme.html installation file.
  # To allow only yourself access to these files add your IP address below
  # The FilesMatch wrapper below is reconstructed from the file list in this comment:
  # Deny from all must stay inside it, otherwise the rule blocks the entire website.
  <FilesMatch "^(wp-config\.php|install\.php|\.htaccess|php\.ini|php5\.ini|readme\.html)">
  Order Allow,Deny
  Deny from all
  # Allow from 69.40.120.88
  </FilesMatch>


BulletProof Security Example: default.htaccess file modifications

This example is using “my-blog-folder” as the name of the example folder (subfolder) where WordPress is installed. If WordPress is installed in your website domain root folder then you will not be adding a folder name to the default.htaccess master file. The default.htaccess file is a generic .htaccess file and does not provide any website security for your website. It’s intended use is for testing or troubleshooting issues – you should never leave your website in Default Mode after you have completed testing or troubleshooting.

  # BULLETPROOF .45.8 >>>>>>> DEFAULT .HTACCESS
  # WARNING THE default.htaccess FILE DOES NOT PROTECT YOUR WEBSITE AGAINST HACKERS
  # This is a standard generic htaccess file that does NOT provide any website security
  # The DEFAULT .HTACCESS file should only be used for testing purposes
  # If for some strange reason your host does not have +FollowSymlinks enabled by default at
  # the root level then you will need to enable Options +FollowSymlinks for mod_rewrite to work.
  # If you are getting HTTP Error 500 Internal server errors and you have checked to make sure
  # everything else is set correctly then remove the # sign in front of Options +FollowSymlinks
  # below. If you are still getting 500 errors then immediately put the # sign back. All hosts
  # these days should have this enabled by default. Enabling this will actually cause 500 server
  # errors if your host has this enabled so you should probably never have to remove the # sign.
  # Options +FollowSymlinks

  # These are some common Apache Directives to force PHP5 to be used instead of PHP4
  # Some web hosts have very specific directives - check with your web host first
  # Remove the pound sign in front of AddType x-mapp-php5 .php for 1&1 web hosting
  # AddType x-mapp-php5 .php
  # Other common possibilities depending on your web host - check with your web host first
  # AddHandler application/x-httpd-php5 .php
  # AddHandler cgi-php5 .php

  Options -Indexes

  # BEGIN WordPress

  RewriteEngine On
  RewriteBase /my-blog-folder/
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /my-blog-folder/index.php [L]

  # END WordPress

BulletProof Security Example: maintenance.htaccess file modifications

As of BPS .46.1 Maintenance Mode is AutoMagic. View the new Maintenance Mode page. You can still also manually edit the maintenance.htaccess file.

The maintenance.htaccess file looks a bit different from the other 2 files, but the same principle applies.

This example is using “my-blog-folder” as the name of the example folder (subfolder) where WordPress is installed. If WordPress is installed in your website domain root folder then you will not be adding a folder name to the maintenance.htaccess master file.

  #   BULLETPROOF .45.8 MAINTENANCE  .HTACCESS
  # If for some strange reason your host does not have +FollowSymlinks enabled by default at
  # the root level then you will need to enable Options +FollowSymlinks for mod_rewrite to work.
  # If you are getting HTTP Error 500 Internal server errors and you have checked to make sure
  # everything else is set correctly then remove the # sign in front of Options +FollowSymlinks
  # below. If you are still getting 500 errors then immediately put the # sign back. All hosts
  # these days should have this enabled by default. Enabling this will actually cause 500 server
  # errors if your host has this enabled so you should probably never have to remove the # sign.
  # Options +FollowSymlinks
  # These are some common Apache Directives to force PHP5 to be used instead of PHP4
  # Some web hosts have very specific directives - check with your web host first
  # Remove the pound sign in front of AddType x-mapp-php5 .php for 1&1 web hosting
  # AddType x-mapp-php5 .php
  # Other common possibilities depending on your web host - check with your web host first
  # AddHandler application/x-httpd-php5 .php
  # AddHandler cgi-php5 .php

  Options -Indexes

  RewriteEngine On
  RewriteBase /my-blog-folder/

  # FILTER REQUEST METHODS
  RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
  RewriteRule ^(.*)$ - [F,L]

  # QUERY STRING EXPLOITS
  RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
  RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
  RewriteCond %{QUERY_STRING} tag\= [NC,OR]
  RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
  RewriteCond %{QUERY_STRING} http\:  [NC,OR]
  RewriteCond %{QUERY_STRING} https\:  [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
  RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
  RewriteRule ^(.*)$ - [F,L]

  # Remove the pound sign to make a condition active
  # Add a pound sign to comment a condition out.
  # Adding your IP address to the line below will display the website
  # under maintenance page to ONLY you. For Testing purposes only.
  # RewriteCond %{REMOTE_ADDR} ^75\.88\.99\.33$
  # Adding your IP address to the line below will display the website
  # under maintenance page to everyone else except you.
  # Add your Public IP address to the line directly below.
  RewriteCond %{REMOTE_ADDR} !^75\.40\.48\.207$

  # RewriteCond sends all visitors to /bp-maintenance.php Website Under Maintenance page
  # and displays the abstract-blue.png background image except for you if you entered
  # your IP address above.
  RewriteCond %{REQUEST_URI} !^/my-blog-folder/bp-maintenance\.php$
  RewriteCond %{REQUEST_URI} !^/my-blog-folder/wp-content/plugins/bulletproof-security/abstract-blue-bg\.png$

  # No matter what file was requested serve bp-maintenance.php ONLY.
  RewriteRule ^(.*)$ /my-blog-folder/bp-maintenance.php [L]

  # If your IP address was entered above bp-maintenance.php is bypassed
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /my-blog-folder/index.php [L]
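The three file modifications above all follow one rule: every root-relative path in a RewriteBase, in a RewriteCond on %{REQUEST_URI}, or in a RewriteRule target gets the WordPress subfolder name prepended, and nothing else changes. The script below is an added example (it is not part of BPS and not the author's code) that applies that rule to a master file automatically and then checks the result, which is just as useful for verifying a manual edit. The master-file excerpt and the folder name my-blog-folder are constructed for the example.

```python
import re


def _prefix_for(subfolder):
    """'' for a root install, otherwise '/name' (no trailing slash)."""
    name = subfolder.strip().strip("/")
    return f"/{name}" if name else ""


def _patterns(prefix):
    """Regexes for the root-relative paths found in BPS master files.

    Each pattern captures everything up to the leading '/', and the lookahead
    refuses a path that already starts with the subfolder, so applying the
    transform twice never double-prefixes.
    """
    name = re.escape(prefix.lstrip("/"))
    return [
        # RewriteBase /  ->  RewriteBase /my-blog-folder/
        (re.compile(r"^(\s*RewriteBase\s+)/\s*$"), rf"\g<1>{prefix}/"),
        # RewriteCond %{REQUEST_URI} ^/...  or  !^/...
        (re.compile(r"(RewriteCond\s+%\{REQUEST_URI\}\s+!?\^)/(?!" + name + "/)"),
         rf"\g<1>{prefix}/"),
        # RewriteRule <pattern> /target ...  ('-' and relative targets are untouched)
        (re.compile(r"^(\s*RewriteRule\s+\S+\s+)/(?!" + name + "/)"),
         rf"\g<1>{prefix}/"),
    ]


def add_subfolder(htaccess_text, subfolder):
    """Return the master file text with the WordPress subfolder added to every
    root-relative path. A root install (empty or '/') returns the text unchanged."""
    prefix = _prefix_for(subfolder)
    if not prefix:
        return htaccess_text
    patterns = _patterns(prefix)
    out = []
    for line in htaccess_text.splitlines():
        if not line.lstrip().startswith("#"):  # comments are left alone
            for rx, repl in patterns:
                line = rx.sub(repl, line)
        out.append(line)
    tail = "\n" if htaccess_text.endswith("\n") else ""
    return "\n".join(out) + tail


def find_unprefixed(htaccess_text, subfolder):
    """Lines that still carry a root-relative path without the subfolder.
    An empty list means the (manual or scripted) edit is complete."""
    prefix = _prefix_for(subfolder)
    if not prefix:
        return []
    patterns = _patterns(prefix)
    return [line for line in htaccess_text.splitlines()
            if not line.lstrip().startswith("#")
            and any(rx.search(line) for rx, _ in patterns)]


# Constructed excerpt of a BPS master file for a root install (not the full file).
SAMPLE_MASTER = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stats/ [NC]
RewriteRule . - [S=30]
RewriteCond %{QUERY_STRING} feed=podcast [NC]
RewriteRule (.*) /feed/podcast/$1? [R=301,L]
RewriteCond %{REQUEST_URI} !^/bp-maintenance\.php$
RewriteRule ^(.*)$ /bp-maintenance.php [L]
"""

if __name__ == "__main__":
    print(add_subfolder(SAMPLE_MASTER, "my-blog-folder"))
    print("unprefixed lines:", find_unprefixed(SAMPLE_MASTER, "my-blog-folder"))
```

Run as a script it prints the rewritten excerpt; find_unprefixed() on a file you edited by hand returns the lines you missed. Relative targets such as the MU ms-files.php rule resolve against RewriteBase and are deliberately not touched, and neither are comment lines.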

 

BulletProof Security – Maintenance Mode – Adding Your IP Address To The maintenance.htaccess Master File

BulletProof Security Maintenance Mode has AutoMagic mode in addition to manual control mode as of .46.1. View the new Maintenance Mode help page.

The information below still applies if you are manually entering in your IP Address instead of using AutoMagic.

Adding your IP address to the maintenance.htaccess master file will allow ONLY you to view your website while a “Website Under Maintenance” message is displayed to all other website visitors. Click on the BulletProof Security Upload/Download/Edit menu tab. You will see a BulletProof Security File Editing window with several menu tabs with the names of all of the .htaccess files that can be edited (read more about the BulletProof Security File Editing window). Click on the maintenance.htaccess tab. Add your current Public IP Address, which is shown on the BulletProof Security Maintenance Mode page, to the yellow highlighted areas shown below. You can now activate Maintenance Mode and will be able to view your website while all other visitors see the Website Under Maintenance page. If you had already activated Maintenance Mode before making these IP address edits then you will need to reactivate Maintenance Mode to copy your newly modified master maintenance.htaccess file to the root folder.

This example is only showing the bottom section of the maintenance.htaccess file where you will be adding your IP address highlighted in yellow. This example is showing htaccess code for a WordPress installation in the root website folder. If your WordPress installation is in a subfolder you would of course see the correct subfolder name that you added.

BulletProof Security Example: maintenance.htaccess file – Adding Your Public IP Address

  # Remove the pound sign to make a condition active
  # Add a pound sign to comment a condition out.
  # Adding your IP address to the line below will display the website
  # under maintenance page to ONLY you. For Testing purposes only.
  # RewriteCond %{REMOTE_ADDR} ^75\.88\.99\.33$
  # Adding your IP address to the line below will display the website
  # under maintenance page to everyone else except you.
  # Add your Public IP address to the line directly below.
  RewriteCond %{REMOTE_ADDR} !^75\.40\.48\.207$

  # RewriteCond sends all visitors to /bp-maintenance.php Website Under Maintenance page
  # and displays the abstract-blue.png background image except for you if you entered
  # your IP address above.
  RewriteCond %{REQUEST_URI} !^/bp-maintenance\.php$
  RewriteCond %{REQUEST_URI} !^/wp-content/plugins/bulletproof-security/abstract-blue-bg\.png$

  # No matter what file was requested serve bp-maintenance.php ONLY.
  RewriteRule ^(.*)$ /bp-maintenance.php [L]

  # If your IP address was entered above bp-maintenance.php is bypassed
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]

 

BulletProof Security – Advanced Coding Modifications Instructions

Pending update: A couple of people have requested information about modifying and customizing the “Activated BulletProof Security .htaccess Files” text. Here is that information:

Customizing BulletProof Security to have the Master .htaccess files display a new customized var_dump text string (in layman’s terms: just change what message is displayed under Activated BulletProof Security .htaccess Files)

The .htaccess file that is activated in your root folder is:

string(45) " BULLETPROOF .45.5 >>>>>>> SECURE .HTACCESS "

√ wp-config.php is .htaccess protected by BPS

√ php.ini and php5.ini are .htaccess protected by BPS

The .htaccess file that is activated in your /wp-admin folder is:

string(45) " BULLETPROOF .45.5 WP-ADMIN SECURE .HTACCESS "

The file is functions.php > code lines 109-136: The functions.php file is located here > /wp-content/plugins/bulletproof-security/includes/functions.php

The yellow highlighted code below is what you need to modify to match the new text content that you add to the BulletProof Security master .htaccess files. The strpos function checks the .htaccess master files for the BulletProof Security version number, specifically the number “5” in string position 15 (# BULLETPROOF .45.5…). If you have W3 Total Cache installed, position 17 applies. If an exact match is found then you should not see errors; if an exact match is not found then you will see warning or error messages. So whatever changes you make to the BulletProof Security master .htaccess files must match the code in the functions.php file or your head will explode. LOL ;) The code shown below is just for visual demonstration purposes and is not 100% accurate to the code contained in functions.php.

// Get Root .htaccess content - get first 45 characters of current root .htaccess file starting from the 3rd character
// and display string dump - also checks for single character "5" in .45.5 in string position 15 to validate the version of BPS
// .htaccess file and the wp-config.php status
function root_htaccess_status() {
	$filename = '.htaccess';
	if ( !file_exists(ABSPATH . $filename)) {
		_e('NO .htaccess was found in your root folder');
		_e('wp-config.php is NOT .htaccess protected by BPS');
	} else {
		if (file_exists(ABSPATH . $filename)) {
			$section = file_get_contents(ABSPATH . $filename, NULL, NULL, 3, 45);
			_e('The .htaccess file that is activated in your root folder is:');
			var_dump($section);
			$check_string = strpos($section, "5");
			// if you modify BPS .htaccess files this str pos must match for valid status checks
			// (position 15 normally, position 17 when W3 Total Cache has written code ahead of the BPS header)
			if ($check_string === 15 || $check_string === 17) {
				$wpconfig_status = '√ wp-config.php is .htaccess protected by BPS
√ php.ini and php5.ini are .htaccess protected by BPS';
				_e('' . $wpconfig_status . '');
			} else {
				_e('A BPS .htaccess file was NOT found in your root folder or the BPS .htaccess file that you are currently using does NOT include .htaccess protection for wp-config.php. Please read the Read Me hover Tooltip before activating a newer version of a BPS website root folder .htaccess file.');
				_e('wp-config.php is NOT .htaccess protected by BPS');
			}
		}
	}
}

BulletProof Security – Modifications to BulletProof Security .45.8 – .45.2 if you want to use PHP4 instead of PHP5 – Modifying BulletProof Security .45.8 to work for PHP 4

*** PHP5 is required as of BulletProof Security version .46 ***

BulletProof Security .45.8 – .45.2 will work OK if you are using PHP 4 instead of PHP 5, but there are a couple of coding modifications that you need to make. You will not be able to get or see your PHP Memory Usage or PHP Memory Limit, and the BulletProof Security Status – Activated BulletProof Security .htaccess Files window – will display the entire dump of your .htaccess files, but BulletProof Security does function correctly. I of course recommend that you switch to PHP 5; PHP 4 is just about to be retired.

Go to your main Plugins Options page, click on the Edit link under BulletProof Security.

Click on /bulletproof-security/admin/options.php in the Plugin Editor.

Scroll down a little over half the page.

Make the modification shown highlighted in yellow in this code: you are adding 2 forward slashes (//) to comment this line out. Save your changes by clicking the Update File button. You can of course also download the options.php file, modify it and upload it back to your website.

<?php // echo round(memory_get_usage() / 1024 / 1024, 2) . __(' MB'); ?>

Now open /bulletproof-security/includes/functions.php in the Plugin Editor.

Scroll down around a 3rd of the way down the page.

Make the modifications shown highlighted in yellow in this code:

// Get Root .htaccess content - get first 45 characters of current root .htaccess file starting from the 3rd character
// and display string dump - also checks for single character "5" in .45.5 in string position 15 to validate the version of BPS .htaccess file and the wp-config.php status
function root_htaccess_status() {
	$filename = '.htaccess';
	if ( !file_exists(ABSPATH . $filename)) {
		_e('NO .htaccess was found in your root folder');
		_e('wp-config.php is NOT .htaccess protected by BPS');
	} else {
		if (file_exists(ABSPATH . $filename)) {
			// PHP 4 modification: the original line is
			// $section = file_get_contents(ABSPATH . $filename, NULL, NULL, 3, 45);
			// you will be deleting >>>  , NULL, NULL, 3, 45
			$section = file_get_contents(ABSPATH . $filename);
			_e('The .htaccess file that is activated in your root folder is:');
			var_dump($section);
			$check_string = strpos($section, "5");
			if ($check_string === 15) { // if you modify BPS .htaccess files this str pos must match for valid status checks
				$wpconfig_status = '&radic; wp-config.php is .htaccess protected by BPS';
				_e('' . $wpconfig_status . '');
			} else {
				_e('A BPS .htaccess file was NOT found in your root folder or the BPS .htaccess file that you are currently using does NOT include .htaccess protection for wp-config.php. Please read the Read Me hover Tooltip before activating a newer version of a BPS website root folder .htaccess file.');
				_e('wp-config.php is NOT .htaccess protected by BPS');
			}
		}
	}
}

and modify this function as well:

// Get wp-admin .htaccess content - get first 45 characters of current
// wp-admin .htaccess file starting from the 3rd character
function wpadmin_htaccess_status() {
	$filename = 'wp-admin/.htaccess';
	if (file_exists(ABSPATH . $filename)) {
		// PHP 4 modification: the original line is
		// $section = file_get_contents(ABSPATH . $filename, NULL, NULL, 3, 45);
		// you will be deleting >>>  , NULL, NULL, 3, 45
		$section = file_get_contents(ABSPATH . $filename);
		_e('The .htaccess file that is activated in your /wp-admin folder is:');
		var_dump($section);
	} else {
		_e('NO .htaccess file was found in your /wp-admin folder');
	}
}

BulletProof Security .45.7 – .45.2 should now work fine for you if you are using PHP 4 instead of PHP 5.

BulletProof Security – Common Issues and Problems

New BulletProof Security Plugin Compatibility testing page has been added. Check the BulletProof Security Plugin Compatibility List to see if your plugin issue is listed in testing or has been resolved.

*** PHP5 is required as of BulletProof Security version .46 ***
*** If you activate BulletProof Security Mode for your Root folder you MUST also activate BulletProof Security Mode for your /wp-admin folder and vice versa. The BulletProof Security htaccess files are designed to be used together ***

*** Also check the new BulletProof Security Error, Warning, Heads Up Display (HUD) Messages page added as of BPS .46.1 ***

The most common problem is web hosts that are still using PHP4 instead of PHP5 to process WordPress PHP scripts. PHP4 is pretty close to being phased out altogether. BulletProof Security can be modified to work using PHP4 if you are willing to sacrifice several features; I recommend using PHP5. A diagnostic check has been added to the System Info page, which will tell you whether PHP5 or PHP4 is running on your WordPress website. You will also see the PHP version on the BulletProof Security System Info page > look under PHP Info > PHP Version for the version of PHP that is currently being used to process your WordPress PHP files. Even if your web host states that PHP5 is the default standard, you may have an older website domain that is still using PHP4. I have seen this in several cases on several different web hosts.

If you see that the version of PHP is 4 then do this Google search > your web host name + PHP5 to find the correct Apache Directives to add to the master .htaccess files. The BulletProof Security master htaccess files include some of the most common Apache PHP Directives. They are commented out (they serve more as examples than as specific solutions for your specific web host / website), so you will have to uncomment the correct Apache Directives for your specific web host if they are commented out in the master .htaccess files. If your particular Apache Directives are not in the master .htaccess files you will have to add them yourself. Check your web host help files first before uncommenting (removing the # pound sign in front of) any of the Apache PHP Directives or adding any Apache Directives to the master .htaccess files.

Media Temple Directives (the Apache directives in the .htaccess master files are outdated)

Media Temple has recently updated their policies and procedures on activating PHP5 on your web host account (as of 10-18-2010). See this Media Temple link for the latest PHP5 instructions. >>> Media Temple PHP5 instructions

GoDaddy Directives for Older Accounts (if you just want to use PHP5 then you only need to add the top directive. If you want to run both PHP4 and PHP5 use both directives)

AddHandler x-httpd-php5 .php
AddHandler x-httpd-php .php4

GoDaddy Directives for Grid Hosting Accounts (if you just want to use PHP5 then you only need to add the top directive. If you want to run both PHP4 and PHP5 use both directives)

AddHandler x-httpd-php5-cgi .php
AddHandler x-httpd-php-cgi .php4

Widget Settings Not Working (unable to drag and drop widgets) – Unable To Access Settings and Options Pages For Other Plugins

If you cannot drag and drop widgets, or you are unable to access settings and options pages for other plugins, then you have not activated BulletProof Mode for the wp-admin folder yet.

Images not Displaying – Thumbnail Images not Displaying – Red X

This .htaccess fix is included in the secure.htaccess file as of BulletProof Security .45.8. Please see the BulletProof Security Plugin Fixes page.

As a general rule, if a particular plugin is conflicting with the BulletProof Security .htaccess rules then usually a simple .htaccess skip rule to bypass the BulletProof Security filters for that particular plugin is all that is needed. You can perform these edits using the built-in BulletProof Security File Editor from within your WP Dashboard. Adding BulletProof Security filter htaccess skip rules for plugins should not leave your website vulnerable in any way. The logic is that a plugin may have coding in it that is triggering the BulletProof Security filters to block something that BulletProof Security has determined as “not safe”. By skipping the filters for just that plugin folder, the only vulnerability I can think of would be if the particular plugin does something that could affect your website site-wide. Most plugins perform a particular task and do not affect your website site-wide, so they would not have the capability of compromising your entire website security to begin with.
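To see why a plugin trips the filters and what a skip rule actually changes, it helps to run the QUERY STRING EXPLOITS conditions from the secure.htaccess example above against concrete query strings. The script below is an added example, not BPS code: it ports those RewriteCond patterns to Python ([NC] becomes case-insensitive matching, and the [OR] chain means "block if any condition matches") and models the [S=30] bypasses for redirect_to= and timthumb as skip rules that are checked first. The sample requests are constructed; two of them are ordinary WordPress queries that the keyword filter rejects, which is exactly the kind of conflict described above.

```python
import re

# QUERY STRING EXPLOITS conditions from the secure.htaccess example, in file
# order, as (reason, pattern, flags). [NC] -> re.IGNORECASE; the GLOBALS and
# _REQUEST lines carry no [NC] in the file and stay case-sensitive.
QUERY_FILTERS = [
    ("directory traversal", r"\.\.\/", re.I),
    ("boot.ini", r"boot\.ini", re.I),
    ("tag=", r"tag\=", re.I),
    ("ftp: scheme", r"ftp\:", re.I),
    ("http: scheme", r"http\:", re.I),
    ("https: scheme", r"https\:", re.I),
    ("script tag", r"(\<|%3C).*script.*(\>|%3E)", re.I),
    ("iframe tag", r"(\<|%3C).*iframe.*(\>|%3E)", re.I),
    ("mosConfig", r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", re.I),
    ("base64_encode", r"base64_encode.*\(.*\)", re.I),
    ("GLOBALS", r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", 0),
    ("_REQUEST", r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", 0),
    ("cPath=http://", r"^(.*)cPath=http://(.*)$", re.I),
    ("/self/", r"^(.*)/self/(.*)$", re.I),
    ("brackets or angle brackets", r"^.*(\[|\]|\(|\)|<|>).*", re.I),
    ("globals/encode/localhost/loopback", r"^.*(globals|encode|localhost|loopback).*", re.I),
    ("SQL keywords",
     r"^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|"
     r"delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).*", re.I),
]
_COMPILED = [(reason, re.compile(pat, flags)) for reason, pat, flags in QUERY_FILTERS]

# Bypasses modelled on the "redirect_to=" and "timthumb" [S=30] rules in the
# same file: (reason, request field tested, pattern). When one matches, the
# filter block is not evaluated for that request.
SKIP_RULES = [
    ("redirect_to bypass", "query", re.compile(r"redirect_to=(.*)", re.I)),
    ("timthumb bypass", "filename", re.compile(r"timthumb(.*)", re.I)),
]


def first_matching_filter(query_string):
    """Reason for the first filter condition that matches, or None."""
    for reason, rx in _COMPILED:
        if rx.search(query_string):
            return reason
    return None


def evaluate(query_string, filename="index.php", skip_rules=SKIP_RULES):
    """Verdict for one request: ('403', reason) or ('allowed', reason)."""
    for reason, field, rx in skip_rules:
        subject = query_string if field == "query" else filename
        if rx.search(subject):
            return ("allowed", f"filters skipped: {reason}")
    hit = first_matching_filter(query_string)
    if hit:
        return ("403", hit)
    return ("allowed", "no filter matched")


# Constructed sample requests: (query string, requested filename).
SAMPLE_REQUESTS = [
    ("s=hello", "index.php"),                                   # ordinary search
    ("page_id=42", "index.php"),                                # ordinary page request
    ("file=../../etc/passwd", "index.php"),                      # traversal attempt
    ("q=%3Cscript%3Ealert(1)%3C/script%3E", "index.php"),        # encoded script tag
    ("s=order+status", "index.php"),                             # benign search, keyword false positive
    ("tag=news", "index.php"),                                   # default-permalink tag archive
    ("redirect_to=http://example.com/wp-admin/", "index.php"),   # login redirect, needs the skip rule
    ("src=http://cdn.example/img.jpg", "timthumb.php"),          # theme thumbnail, needs the skip rule
]


def run_samples(skip_rules=SKIP_RULES):
    """(query, filename, verdict, reason) for every sample request."""
    return [(q, f) + evaluate(q, f, skip_rules) for q, f in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for query, filename, verdict, reason in run_samples():
        print(f"{verdict:8} {filename:13} ?{query:45} {reason}")
```

The model is a simplification: Apache matches %{QUERY_STRING} as the client sent it, without URL-decoding (which is why the patterns look for %3C as well as <), and a real [S=30] skips a fixed number of following rules rather than "the block", but the verdicts agree with the directives for the requests shown. When a legitimate request is refused, compare the reason returned here with what the plugin actually sends before writing a skip rule, so the bypass stays as narrow as the text recommends (one plugin folder or one query parameter).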

W3 Total Cache .htaccess Issue

Since W3 Total Cache writes .htaccess code to the root .htaccess file, you may need to redeploy W3 Total Cache when installing or activating new BulletProof Security Modes. Redeploying W3 Total Cache writes new .htaccess code to your current root .htaccess file, or you can use the BulletProof Security built-in File Editor if you want to manually copy and paste the W3 Total Cache .htaccess code into the root .htaccess file.

BulletProof Security – WordPress Multisite MU .htaccess Code Modifications

This serves as a general example of WordPress MU .htaccess code and may not be 100% code accurate to the current MU .htaccess code that you have for your website.

BulletProof Security works fine with WordPress Multisite installations or WordPress MU. Using the built-in BulletProof Security File Editor you will need to copy and paste your existing MU .htaccess code to the secure.htaccess file. IMPORTANT! Copy and paste your MU code shown below (it will look identical or very similar) to right after the QUERY STRING EXPLOITS section of code and before the FilesMatch section of code at the bottom of the secure.htaccess file. You will then need to delete the existing section of .htaccess code in the secure.htaccess file that starts with # BEGIN WordPress and ends with # END WordPress. For the default.htaccess master file you would just replace (overwrite) the section of code that begins with # BEGIN WordPress and ends with # END WordPress if you ever plan on activating Default Mode for any reason. Your WPMU .htaccess code may look slightly different or you may have customized your MU .htaccess code for your particular website setup. See this WordPress Codex for WordPress MU for more information on setting up and creating MU Network sites.

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
# END WordPress


The above MU .htaccess method of adding the MU .htaccess code after the BulletProof Security filters was contributed by Scott, as was the following information on “Activate” versus “Network Activate” for a MU setup.

“…for a subdomain install. I did just a normal Activate (not Network Activate) which seemed appropriate since there is only one root (and one root .htaccess). I verified (after making the change I mentioned above) that both the main blog and another subdomain blog were protected against your example search hack. I don’t think a subfolder MU setup would be any different, but haven’t verified that….”
- Scott

My sincere thanks and appreciation go out to Scott for his contributions to the BulletProof Security project.
- Ed

BulletProof Security – Quick Security Tests for BulletProof Security

Quick tests to make absolutely sure that the security filters are working correctly in BulletProof Security. If you install a plugin that writes to your .htaccess files it is always a good idea to do a quick security test to make sure that BulletProof Security is still protecting your website.

FilesMatch .htaccess BulletProof Security Protection Tests

On the BulletProof Security Status page you will see that readme.html and install.php are protected if you have BulletProof Modes activated. To double check that the WordPress readme.html and /wp-admin/install.php files are protected, type your website URL into your browser’s address bar and try to view the readme.html and install.php files directly. You should see either a 404 or 403 error depending on how your website error handling is set up. Examples: http://www.ait-pro.com/aitpro-blog/readme.html and http://www.ait-pro.com/aitpro-blog/wp-admin/install.php. This is also a good way to check whether your custom 403 Forbidden page is set up correctly if you choose to add one in your root .htaccess file.

If you put your website in Default Mode to perform testing below be sure to put your website back in BulletProof Mode after you have performed any tests.

NOTE: If you do not have a page designated as your Forbidden page or 404 page for your website the SQL filter test will not send you to your Forbidden page or 404 page because you do not have one. What will happen is that the search is halted and you will see this in the top URL Address window http://www.your-website-domain.com/?s=union if trying to test the word “union”. Your website is still protected if you see this instead of a Forbidden page or 404 page. You can add a designated Forbidden page very easily by adding only one line of code to the secure.htaccess file – see below. Adding a designated custom Forbidden page will be a standard option in the next release of BulletProof Security.

Adding a Custom 403 Forbidden Page – ErrorDocument 403 htaccess Code Examples

BulletProof Security – SQL Injection hacking tests – MySQL Injection hacking tests

Enter any of these BulletProof Security blocked / filtered commands used in SQL Injection hacking attempts into your website search window:

Union
Select
Request
Insert
Declare
Drop

For this demonstration I am using the default GoDaddy web page that is used as the Forbidden page that visitors are redirected to if an “illegal” search or command is executed. You can of course create your own custom Forbidden page to redirect visitors to. Keep in mind that innocent mistakes do happen so you want to design your custom Forbidden page for both innocent mistakes and hackers. You could just redirect to your default 404 page.

With BulletProof Security BulletProof Mode enabled – typed in “union” (with or without quotes – both are blocked) in my search window on my website. The result:

GoDaddy Generic Forbidden Page

With BulletProof Security Default Mode enabled (BulletProof Mode disabled) – typed in “union” in my search window on my website. The result:

Website is Vulnerable to SQL Injection attack

So what does this mean – My website is vulnerable to SQL Injection attack attempts in Default Mode (BulletProof Mode disabled). Yeah I know the formatting is ugly – it’s on my list of CSS things to do. ;)

Live Demo – Browser Exploit SQL Injection vulnerability on a PostNuke Module. This is an ancient SQL Injection vulnerability and has since been corrected. This merely serves as a demo that shows that the BulletProof Security filters do not allow “union” or “select” in an attempt to perform an SQL Injection browser exploit on the AIT-pro.com website. Click the link below for testing and you will be sent to the AIT-pro.com Forbidden page. To test your website replace the URL with your website URL.

AITpro Security Test

BulletProof Security – XSS (Cross Site Scripting) Hacking Attempt Test

Copy the URL link shown below to your browser’s address bar (aka location bar or URL bar). Edit the URL link and replace “enter-your-website-url-here” with your website URL to test it on your website. This is a simple, common XSS cookie stealer script. The important thing to note is that BulletProof Security filters out and disallows JavaScript code inserted into the URL and immediately redirects you, a would-be hacker or an automated bot program to a Forbidden page or 404 page – the script will not and cannot be executed against your website when BulletProof Mode is enabled.

NOTE: If you do not have a page designated as your Forbidden page or 404 page for your website the XSS test will not send you to your Forbidden page or 404 page because you do not have one. What will happen is that the XSS script tags are removed from the URL making it completely ineffective and invalid or in other words completely harmless. Your website is still protected if you see this instead of a Forbidden page or 404 page. You can add a designated 404 or Forbidden page from web host control panel or you can do this via the BulletProof Security secure.htaccess file – see the link below to create a forbidden page for your website that is controlled by the ErrorDocument 403 htaccess directive.

Adding a Custom 403 Forbidden Page – ErrorDocument 403 htaccess Code Examples
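The “one line of code” mentioned in both the SQL and XSS test notes above is an ErrorDocument directive. As an added example that is not the plugin's own code, here it is beside the form to avoid; the paths /403.html and /404.html are placeholders for static pages you create in your web root.

```apache
# Added example (not the plugin's own code): a custom Forbidden page for the secure.htaccess file.
# Local path form: Apache serves /403.html while keeping the 403 status in the response and
# the access log, which is what you want for monitoring blocked requests.
ErrorDocument 403 /403.html

# Optional: send "not found" to a page of your own as well (placeholder path).
ErrorDocument 404 /404.html

# Avoid the full-URL form: with an absolute URL Apache answers with a 302 redirect
# to that page instead of a 403, so the blocked request no longer shows up as a 403
# in your logs and the status code your tests look for is hidden.
# ErrorDocument 403 http://www.your-website-domain.com/403.html
```

Make sure the page you point at is itself reachable, i.e. not inside a folder that the filters deny, otherwise the visitor gets Apache's generic error page (the “search is halted” behaviour described above) instead of your custom page.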

Caution! This code is very volatile. For this reason the XSS testing code has been made into a GIF image file so that the code is harmless. Click the image file below to view the code. You will need to type out the code in the image file in your browser’s URL address window in order to test it.

XSS Website Security Testing Script - GIF Image File

This website >>> Cross Site Scripting (XSS) FAQ >>> explains XSS attacks in very easy to understand layman’s terms.


BulletProof Security – Extra Website Security Protection Against SQL Injection Attack

As of BulletProof Security .45.7 the SQL Injection filter includes additional SQL words / syntax, so more words associated with SQL commands are blocked from being searchable in your site search window. Individual SQL words can be removed / edited out using the built-in BulletProof Security File Editor, but the better approach is to make your website search feature not see these particular SQL command words, i.e. exclude particular words from being searchable with your particular site search feature. This is an issue that I plan to look at in the near future.

The full list of SQL syntax / words that are filtered from being searchable using your search window on your website are:

request
insert
delete
union
declare
drop
create
alter
update
order
select
cast
execute
convert
exec
meta
sp_executesql
script
char
truncate
set

As you can see there are a few words that you may want to still be searchable, like “order” and “update”. You can of course manually choose what SQL syntax you are willing to allow through the BulletProof Security filters. Use the BulletProof Security File Editor to edit your .htaccess files from within the WordPress Dashboard. Another option is to use one of the Google Custom Search WordPress plugins, or get the Google Custom Search engine directly from Google, instead of using the built-in WordPress Search feature, or to install an Advanced Search feature that allows you to exclude / include certain words as well as making comments searchable.

Previous BulletProof Security versions filtered these SQL commands:

RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]

BulletProof Security .45.7 now filters these SQL commands:

RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
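As an added example (not the plugin's own rule set), this is the .45.7 condition with “order”, “update” and “set” removed so those terms stay searchable; which words to drop is the site owner's choice and is an assumption here. The blocking RewriteRule that follows the condition is not shown on this page, so the one below is the standard mod_rewrite 403 rule.

```apache
# Added example (not the plugin's own rule set): the .45.7 SQL Injection filter with
# "order", "update" and "set" removed so that those remain searchable.
# The pattern is wrapped in ^.* and .* and uses [NC], so it matches a word ANYWHERE in the
# query string regardless of case: with the original list ?s=sunset is blocked by "set",
# ?s=border by "order" and ?s=recreate by "create". Removing a word from the alternation
# is the way to stop such false positives with this style of rule.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|char|cast|convert|meta|script|truncate).* [NC]
# Standard mod_rewrite blocking rule: "-" = no substitution, F = respond 403 Forbidden (implies L).
RewriteRule ^(.*)$ - [F]
```

After editing the list, repeat the quick search test above with a term that is still in the list (for example “union”) and with one you removed (for example “order”): the first should reach your Forbidden page and the second should return normal search results.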