BulletProof Security Pro Questions, Comments & FAQ

Author: AITpro Admin
Published: August 2, 2011
Updated: November 9, 2012

Categories: BulletProof Security Pro

216 Comments to “BulletProof Security Pro Questions, Comments & FAQ”

  1. Greg says:


    I purchased the pro version through PayPal a couple of hours ago but have not yet received an email with my serial number. How long does it take to receive the email?

    The transaction ID number on my email receipt from PayPal is Unique Transaction ID 69W18918FR622174Y if this helps.

    Thank you

    • AITpro Admin says:

      Hello Greg,
      Your Download Key email was sent at 3:19 AM to your PayPal email address. I have resent your Download Key email. If you do not see the email then check your Spam or Junk folder. Thank you.

      • Greg says:

        Thank you, have received it but now have another problem. I have installed bullet proof pro and did not change any of the default settings.

        As soon as I did this I now cannot log back into my wordpress admin section.

        The error message is “Forbidden- You don’t have permission to access /wp-admin/ on this server.”


        • AITpro Admin says:

          What does this mean exactly – “I have installed bullet proof pro and did not change any of the default settings.”

          Are you saying you did not click the AutoMagic Buttons before activating ALL BulletProof Modes?

        • AITpro Admin says:

          To get back into your website use FTP or your web host control panel file manager and delete the .htaccess file that is in your website root folder. Example: /public_html/.htaccess

  2. Hrvoje says:

    I have followed all your video tutorials about setting up BPS PRO Version. I think that everything works except that I CANNOT Restore or Delete files in Quarantine. Excluding dynamic folders went fine but I couldn’t exclude single file (followed video instructions) nor delete or restore files that exist in quarantine (they got in there before I excluded dynamic cache folder).
    Please advise what can I do to delete those files. I’m not a ‘coder’ so …

    Hrvoje Busic

    • AITpro Admin says:

      I see that the frontend of your Server is NGINX. Did you have any issues or problems with creating htaccess files with AutoMagic and Activating BulletProof Modes? If you would like I can login to the site and see what the issues/problems are. Please create a temporary WordPress Admin account and send that login information to edward[at]ait-pro[dot]com. Thanks.

  3. Yusuf says:

    I was using the free BPS plugin on my site and it worked fine. I purchased the Pro BPS. Removed my BPS the way your info says to (default mode etc) and now when I try to install the BPS Pro on my site I get the following error:

    Warning: require_once(/home/xxxxx/public_html/wp-content/plugins/bulletproof-security/includes/class.php) [function.require-once]: failed to open stream: No such file or directory in /home/xxxxx/public_html/wp-content/plugins/bulletproof-security1/bulletproof-security.php on line 62
    Fatal error: require_once() [function.require]: Failed opening required '/home/xxxxx/public_html/wp-content/plugins/bulletproof-security/includes/class.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/xxxxx/public_html/wp-content/plugins/bulletproof-security1/bulletproof-security.php on line 62
  4. I activated the pro plugin and when I click to go to B-Core, the page is blank. Not the whole page, but the part where I choose new .htm files, etc. The notifications show at the top, but nothing underneath.

  5. Roger says:

    Certain bulk edit actions produce a 403 message now. For instance, trying to delete (move to trash) multiple posts in WordPress. Using BPS-Pro current version, and WP MU 3.4.2.
    Not sure when the problem first occurred, it was reported to me Friday when I was still at 3.4.1

    • AITpro Admin says:

      Ok what was the exact scenario and I will test this.
      Example: I am logged in as a Super Admin or Site Admin and am in a subsite or the primary site and I select multiple posts to send to trash and a 403 error occurs.

      • Roger says:

        We have multiple users, mainly 1 blog per user. When the user is logged into their blog, they select multiple posts (usually older posts), then try to move to trash and get a 403 error.
        What’s odd is, sometimes if you go in and create a new post and immediately try to move to trash, it lets you.

        As site admin, I cannot go in and move to trash, I get the 403 error also.

        • AITpro Admin says:

          Ok so what Role does the user have? Author, Editor, Super Admin, Site Admin, etc. I will test moving multiple posts to Trash as a Site Admin, but I would still like to know the Role that the user has. Thanks.

        • AITpro Admin says:

          Also what type of Network/MU site is this? Subdirectory or Subdomain?

          • Roger says:

            The user is administrator of their site.
            Blogs are subdirectories.

            This is a server that started out at 2.X something when MU was a different fork than WordPress, upgraded periodically and is now at 3.4.2.

            Going back to ‘default’ allows the bulk edit action.

          • AITpro Admin says:

            The bulk edit query string contains square brackets [ ] in the query string. That is what is being blocked. ARGH! This 1 particular security filter below causes enough random issues that I might decide to revert back to the old security filter that does not contain the square bracket characters.

            Modify this security filter in your root .htaccess file

            RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
            to this...
            RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
          • roger says:

            That fixed it. thanks.

      • Chuck says:

        I tried to do what was instructed here and am still having the same problem. I have WooCommerce installed and when I try to delete in bulk products it sends me out of the site and to some post error page. I tried to change the code you suggested in this string but it didn’t change a thing.
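The filter change discussed in thread 5, as an added example that is not part of the original comments or of BPS Pro: it parses the two `RewriteCond` lines quoted above and evaluates them against constructed query strings to show exactly which requests the edit lets through. It assumes mod_rewrite compares the raw, undecoded query string and that the rule following these conditions denies the request; the function names and sample strings are made up for illustration.

```python
import re

# The two filter lines quoted in the reply above, copied verbatim.
OLD_FILTER = r"RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]"
NEW_FILTER = r"RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]"

# Constructed sample query strings (not taken from the thread).
SAMPLES = [
    "s=hello+world&paged=2",                     # ordinary search
    "post%5B%5D=12&post%5B%5D=13&action=trash",  # bulk action, brackets percent-encoded
    "post[]=12&post[]=13&action=trash",          # bulk action, literal brackets
    "s=%3Cb%3Ex%3C%2Fb%3E",                      # encoded angle brackets
    "callback=init()",                           # parentheses
]


def parse_rewritecond(line):
    """Split a RewriteCond line into (test_string, pattern, flags)."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "RewriteCond":
        raise ValueError("not a RewriteCond line: %r" % line)
    flags = []
    if len(parts) > 3 and parts[3].startswith("[") and parts[3].endswith("]"):
        flags = [f.strip().upper() for f in parts[3][1:-1].split(",")]
    return parts[1], parts[2], flags


def blocks(line, raw_query):
    """True when the condition matches the raw (undecoded) query string."""
    test_string, pattern, flags = parse_rewritecond(line)
    if test_string != "%{QUERY_STRING}":
        raise ValueError("this sketch only evaluates %{QUERY_STRING} conditions")
    # [NC] makes the match case-insensitive, so %5B and %5b are treated alike.
    re_flags = re.IGNORECASE if "NC" in flags else 0
    return re.search(pattern, raw_query, re_flags) is not None


def compare(queries):
    """Return (query, matched_by_old_filter, matched_by_new_filter) per query."""
    return [(q, blocks(OLD_FILTER, q), blocks(NEW_FILTER, q)) for q in queries]


def newly_allowed(queries):
    """Queries the old filter matched that the edited filter no longer matches."""
    return [q for q, old, new in compare(queries) if old and not new]


if __name__ == "__main__":
    print("old    new    query")
    for q, old, new in compare(SAMPLES):
        print(f"{'match' if old else '-':6} {'match' if new else '-':6} {q}")
    print("newly allowed:", newly_allowed(SAMPLES))
```

Only the two bracket-bearing bulk-action queries change outcome; parentheses and angle brackets, literal or percent-encoded, are still matched by the edited line.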

  6. Jeremy Loome says:

    The comments are closed on the “conflicts” page regarding 644 permissions vs 404 but I believe netfirms new server is doing this too. I upgraded to the latest version today and am now locked out by a 403 forbidden. I suspect when I get an ftp look (at home, after work, dammit) it will be that it didn’t allow 404.

    • AITpro Admin says:

      [Comment Moved]
      I checked the Gig City website and it is currently up right now and your login is accessible. Thanks.

  7. Prospirity says:


    Just installed BPS and I can’t access my site now. I use Cloudflare and it sees BPS as a threat.

    • AITpro Admin says:

      There are not any issues or conflicts with BPS and CloudFlare so that is not the problem. The screenshot indicates that there is some kind of a problem with either your browser or the computer you are using has some kind of malware/spyware on it.

      Actually it looks like your Server is an nginx Server. BPS Pro uses .htaccess files, which are specific to Apache Linux Servers and nginx uses another type of similar file, but they are not the same or interchangeable at all. I have sent you a direct email to resolve this issue. Thanks.

  8. Hello,

    Currently we are using your free version but was looking at your pro version for the added features. We are trying to keep plugins down to the very few best of the best that we can find and was wondering if you were considering adding a functional 301/404 page monitor and add/edit redirects tab to your pro version? Manually adding them is ok, but not as easy as having an input/monitor interface like other 301 plugins. I am asking because we have been watching the plugin “redirection” and it looks as if that developer may have stopped supporting it. And of course we can not install non-supported plugins on our vital client based websites. Hope this is something you have already been working on in the background 🙂

    Thank you for your plugin and for keeping up its development!!

    • AITpro Admin says:

      This idea might make a nice addition to Pro-Tools so I will look into it further. One thing to keep in mind is that we try to avoid bells and whistles fancy displaying of “monitored” things and stick to displaying “monitored/logged” info in a way that does not cause unnecessary additional performance drain for an individual website or resource drain for your Server (static text files are used in place of bloated bells and whistles displays). To put it another way – if you create a real fancy real-time monitor it will cost your website performance speed / your website load performance will suffer and you will use up more Server memory. So if I was to add a Tool where you could monitor 301 and 404 activity then the output would be a static log file and not some fancy displayed monitor that uses unnecessary memory/Server resources and would cause a loss in website performance. Thanks for the great idea.

      • Oh yes I agree. A log is fine. What I saw in the ‘redirection’ plugin that I liked was an easy to use interface for seeing the 404 and from that screen a click to create a 301 redirect in an easy manner. And of course when I tested that plugin – the 404 was shown correctly and then the 301 redirect worked first go. Other such plugins – they say it works, but does not. So again, this is a perfect time for you to add this function into your plugin as others like me who do not want to use plugins that are not actively developed will look for other solutions. Normally this 404/301 function is only needed when we move websites – change permalinks etc, it could also be helpful in affiliate link marketing… This could also eliminate another plugin for others who promote affiliate programs. Thank you again, Richie

  9. Gary Gordon says:

    This sounds outstanding. Thank you for your continued work at keeping our sites safe with the use of Bulletproof Security Pro. I am extremely happy with my decision to use your application. And your ongoing efforts to improve, what has already proven to be an excellent product, is very much appreciated.

    Gary Gordon

  10. Victor Font says:

    ARQ won’t turn on for my site. This is a multisite installation with 10 domains. The error message is that I haven’t backed up my wp-content directory yet. The display shows:

    wp-content Files
    Backup: Jul 05 2012 20:25:49
    Total Backup Files: 7137

    How long should it take to backup wp-content?

    • AITpro Admin says:

      Ok the ARQ Cron FailSafe Shutdown has kicked in because something is not right on your website. I have sent you a private email. Please respond to that email. Thanks.

  11. Danny Jones says:

    Hi there

    Just installed latest version on a site, but can’t save any options or generate a htaccess files as as soon as I press any button in your plugin I just get a 404.

    Any ideas?

    • AITpro Admin says:

      Go to the B-Core System Info page and post these 4 things in your comment reply:
      Server Type:
      Operating System:
      Server API:

      • Danny Jones says:

        Server Type: Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/
        Operating System: Linux
        Server API: cgi-fcgi – Your Host Server is using CGI.
        Multisite: Multisite is not enabled

        • AITpro Admin says:

          Ok your System Info looks good so that leaves only one likely possibility – you did not activate BulletProof Mode for your wp-admin folder. Both BulletProof Modes Root and wp-admin must be activated together. Also if you are doing anything like GWIOD or something with DNS then double check that you have done everything correctly and then create new Master .htaccess files with AutoMagic and activate all BulletProof Modes.

          • Danny Jones says:

            I can’t create anything with any button, all of them produce a 404.

            I have BPS pro running on several sites on same server all setup the same way

        • AITpro Admin says:

          Hmm another possibility could be that you have added an invalid php handler or php.ini handler in your root .htaccess file.

  12. sinabada says:


    Yesterday I upgraded to the latest WordPress on two of my sites, both with the same theme and the same plugins, both with different hosts.

    One site upgraded perfectly and the other one which is my main site was the one affected, it broke the theme and I couldn’t even go into the theme editor to restore it, it was blank and my dashboard folder was also blank.

    I contacted my server who copied all my data and the database into the root directory, other problem, they did not make a full backup of the database and when I import the database through php admin I see only 20 posts, there should be 60 odd posts and I am unable to log into the admin area after restoring the database they had saved, the host say they may have not backed it up properly and it is too late to restore it as it has been overwritten.

    My host advised me to reinstall WordPress which I did. But of course now I just have an empty web site with the new WordPress and the theme, is there anything I can do through BPS pro to restore my site, I also had this installed prior to the disaster.

    I am feeling desperate, this is 9 months of intense 8 hours a day working on this site basically as far as I can see at the moment is gone.

    Wondering if someone can put me on the right track.

    Maureen Dutler

    • AITpro Admin says:

      Well first off I hate to tell you this, but when WP upgrades fail you ONLY need to restore your website files from a backup and NOT your Database. Was a full backup of your site files and database made by a backup plugin that you are using? Do you have any backups stored on your computer? Your Host should have made a full backup of your site and database before doing any restoring of files or your DB. If you cannot find any Database backups that are more recent then the only thing I can think of to get your content back would be to do Google searches and grab the cached information before it disappears from Google Cache.

      Do a site search to get all of your indexed pages

      Then depending on whatever Browser you are using you want to find the “Cached” link and click on it.
      If you are lucky then you will be able to manually get all of your content from your posts.
      This is a time sensitive thing so you need to try this right away.

  13. Tony Payne says:

    Update to my WP-Super-Cache problem…

    I think I might have it figured, but there must be an easier way…

    (a) Install BPS-Pro
    (b) Create Default .htaccess file
    (c) Click on warning link to modify .htaccess settings for WP-Super-Cache
    (d) Create Secure .htaccess file
    (e) Activate Bulletproof mode
    (f) Click on warning link to modify .htaccess settings for WP-Super-Cache
    (g) Activate other bulletproof modes, lock files etc.

    • AITpro Admin says:

      Not sure why your comments got spammed??? I just moved them to approved.

      The procedural steps for both W3TC and WPSC are this.

      1. Create your Master files with AutoMagic
      2. Activate all BulletProof Modes. This will automatically unlock your Root .htaccess file intentionally so that you can allow other plugins like W3TC and WPSC to write their .htaccess code to the Root .htaccess file.
      3. Turn Off AutoRestore to allow other plugins to write to your protected files.
      4. If you are using W3TC or WPSC you will then see a warning message telling you what to do next for either W3TC or WPSC. If you have locked your root .htaccess file then you need to unlock it again first before doing what the displayed warning message says to do next for either W3TC or WPSC.
      5. After either W3TC or WPSC .htaccess has been written to your Root .htaccess file you can then lock your Root .htaccess file.
      6. Go to AutoRestore, click the Backup Files Now button and turn the AutoRestore Cron back On.

      And Yes as an alternative you copy the WPSC .htaccess code to BPS Custom Code so that it will be saved permanently and will always be automatically written to your Root .htaccess file with the rest of the BPS .htaccess code.

      You would save the WPSC .htaccess code to the TOP Custom Code text box for your Root .htaccess file (not the wp-admin file Custom Code boxes). IMPORTANT!!! If you have custom php.ini handler code for your particular web host then you need to add that first to the TOP box above the WPSC .htaccess code. See example below. Then click the AutoMagic buttons and activate Root Folder BulletProof Mode again.

      CUSTOM CODE TOP: Add php.ini handler code and / or miscellaneous custom code here

      AddHandler x-httpd-php5 .php

      then add your WPSC .htaccess below your php.ini handler code – ONLY if you are already using php.ini handler code in your Root .htaccess file for your custom php.ini file. If you do not have php.ini handler code then you do not need to do this.

  14. Tony Payne says:

    I am using WP-Super-Cache and keep getting errors because the code needs to be added to the .htaccess file.

    Do I:
    (a) activate WP-Super-Cache and update the .htaccess file after BPS-Pro has created the default
    (b) add the code for WP-Super-Cache to the custom code section (which one – top, middle,bottom?)
    (c) something else…

    I always get confused here, and sometimes my web site url when called without the “www” displays the feed rather than redirecting to the “www” (if that makes sense).

  15. Jason says:

    Edward, I have one suggestion for the Almighty of security plugins.

    If a single button was added that when pushed would unlock all locked files and turn off autorestore.

    Then another single button to re-enable everything back.

    It would make it sooooo much easier when I needed to update a plugin or edit a file.

    On the same note, to be able to “select all” when Locking / Unlocking Mission Critical Files.

    Going down the list for each file using a drop down is tedious work.

    **** disclaimer *******
    The above is in no way a complaint in any way for BulletProof Security.
    BPS far exceeds anything on the market and will always continue to if what I have heard about the big update/upgrade is true.
    Not having the above options is just me being lazy and will not hinder the user-friendliness within the plugin itself.


    Thank You.

    • AITpro Admin says:

      There are actually already some “overrides” in BPS that do automatically unlock files as needed and in BPS Pro 5.1.8 there are FailSafe ARQ Cron Shutdowns to prevent problems if something has not been done or done correctly. One of the hardest problems to solve has been how to add the simplest controls without compromising/negating what AutoRestore is doing. There is a limit to what should be allowed or not be allowed or what can be done altogether under one function. Yep F-Lock could easily have a lock all or unlock all and I will add that convenience feature down the road. With the new ARQ Infinity in BPS Pro 5.1.8, F-Lock is now actually not really even necessary to use. 😉

      In BPS Pro 5.1.8 there are even more ARQ Infinity controls needed because of the complexity of adding Full Site AutoRestore and Full Site Quarantine. With Full Site AutoRestore and Quarantine – ARQ Infinity – each WordPress folder has unique file requirements that require unique separate controls. Trying to lump an entire website under 1 control option does not work for many different reasons. But with that said I have created ARQ Infinity in a way that it is a 5 click process. You click 4 Backup Files buttons for: Root files, wp-admin files, wp-includes files and wp-content files and 1 click to turn the ARQ Cron On. Then you also have an Add / Exclude Files option and controls to add additional website folders and files outside of WordPress.

      What I am planning on doing is creating a Post that fully explains the ARQ Infinity concept, optimum settings, best uses and everything else about ARQ Infinity.

  16. Dave says:

    I have BPS pro and when I try and go to B-Core all I get is a blank white screen. Every other link/page works and comes up fine.

    Any solutions?

  17. Guillermo says:

    Hi, my host won’t let me change the php.ini file, but I want to still get the errors. I set up the path to be the same as “seen by server”, but I keep getting emails with php errors, but the log is not changing (either on bulletproof security, or in my actual error log read via php)… any thoughts?

    Also, I tried the crosssite exploit vulnerability test and now I keep getting alerts from McAfee that a trojan was quarantined.

    • AITpro Admin says:

      Typically the default Server PHP error log location that Hosts use is error_log. If your Host does not allow you to add or modify php.ini files then you would add “error_log” to the PHP Error Log Location Set To: text box.

      PHP Error Log Location Set To: error_log
      Error Log Path Seen by Server: error_log

      Regarding – “I tried the crosssite exploit vulnerability test and now I keep getting alerts from McAfee that a trojan was quarantined”
      Just remove whatever code or file you added for testing that is causing the test to quarantine the file or code.

  18. Nick says:

    Thanks in advance.

    I just installed the plugin and attempted to lock all the files down with F-Lock. I saved the setting and now my entire site is down. 404 is all I get. What did I do wrong and where do I go from here to regain permissions? Thanks.

    • AITpro Admin says:

      This problem was resolved directly on 5-24. Cause of issue: A few web hosts do not allow you to use 404 file permissions for .htaccess files (this forced 644 file permission by a few Hosts was intended to protect the .htaccess file from being written to, but this actually backfires since 644 permissions are much less secure than 404). If you set .htaccess file permissions to 404 on these hosts you will see 403 errors and be unable to access your site. In order to get back into your site 2 files will need to be deleted: the .htaccess file in the autorestore backup folder /wp-content/bps-backup/autorestore/auto_.htaccess (delete this file first) and the .htaccess file in the root website folder. Once you are logged back into the site, deactivate and reactivate the BulletProof Security plugin (as of BPS Pro 5.1.8). This will delete the F-Lock (and AutoRestore and Quarantine DB options) saved DB options so that the F-Lock options can be saved again without locking the root .htaccess file again and causing the same problem.

  19. I just installed the latest version of the WordPress plugin and I am getting this error message: Warning: require_once(/home/gator915/ [function.require-once]: failed to open stream: No such file or directory in /home/gator915/ on line 60

    So what am I supposed to do next?

  20. A+S Ideas says:


    I installed BPS Pro on a client’s website, and so far it’s been working very well. However, I just ran into the following issue:

    – I need to edit the wp-config.php file in order to localize the site to Spanish (by defining the value of WPLANG to es_ES), and I also need to add a line of code in order to use W3 Total Cache’s page caching option. I went ahead and unlocked the file via F-Lock, made my edits and saved the file back to the server. HOWEVER, the file reverts back to its prior state (without my edits) within a few seconds…

    I’ve tried renaming wp-config.php, editing locally and re-uploading the file, but the same thing happens…

    I even tried turning off bulletproof mode, made the changes, and turned bulletproof mode back on, same results.

    I also added wp-config.php to the BPS Pro’s php-ini editor, made the changes there, but got the same result.

    Hosting provider is Bluehost (with dedicated IP), site is running WP 3.3.2.

    Any ideas?

    • AITpro Admin says:

      The files are being autorestored with AutoRestore. Turn off AutoRestore while you are making manual edits to protected files or allowing another plugin to write to protected files, then before turning AutoRestore back on click on the AutoRestore Backup Files Now button and then turn the AutoRestore Cron back on. Thanks.

  21. Can you scan a site, (before) installing the plugin to see the security issues, (if any) and how much is that software, if available?

    • AITpro Admin says:

      We do not offer any sort of scanning service. Here are the pitfalls of website scanners. They can only look for what they are told to look for, which is malicious code signatures. What scanners cannot detect is hacker files that have legitimate php functions in them. There are plenty of plugins that claim they can find all hacker files, but they are of course full of it. 😉 So honestly it comes down to monitoring files that you know are good for any changes or if new files have been introduced / uploaded into your Hosting Environment – this is the only sure way to know what is legitimate and what is not – a scanner cannot magically do this. The future of BPS Pro is going in the direction of monitoring all files and autorestoring them and we have a new feature that we have not announced yet. These new features will be available in the coming future versions of BPS Pro.
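The contrast drawn in the reply above, between signature scanning and monitoring known-good files for changes, as an added example that is not part of the original comments and is not BPS Pro's AutoRestore code: it records a SHA-256 baseline of a directory tree and compares it with a later snapshot, alongside a signature pass over the same files. The signature list, file names and file contents are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Hypothetical signature list of the kind a code scanner matches on (assumed, not from any product).
SIGNATURES = [re.compile(rb"eval\s*\(\s*base64_decode"), re.compile(rb"gzinflate\s*\(")]


def walk_files(root):
    """Yield (relative_path, bytes) for every file under root, using '/' separators."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                yield os.path.relpath(full, root).replace(os.sep, "/"), fh.read()


def snapshot(root):
    """Map each relative path to the SHA-256 of its contents."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in walk_files(root)}


def diff(baseline, current):
    """Compare two snapshots and report added, modified and removed paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def signature_hits(root):
    """Paths whose contents match any entry in SIGNATURES."""
    return sorted(rel for rel, data in walk_files(root)
                  if any(sig.search(data) for sig in SIGNATURES))


def write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed site tree, change it, and return (signature hits, baseline diff)."""
    with tempfile.TemporaryDirectory() as root:
        # Known-good state (constructed file contents).
        write(root, "index.php", b"<?php require 'wp-blog-header.php';\n")
        write(root, "wp-config.php", b"<?php define('WPLANG', '');\n")
        baseline = snapshot(root)

        # Later: one file is edited and an unexpected file appears. Neither
        # contains anything on the signature list, only ordinary PHP functions.
        write(root, "index.php", b"<?php require 'wp-blog-header.php'; echo date('c');\n")
        write(root, "uploads/new.php", b"<?php echo date('c');\n")

        return signature_hits(root), diff(baseline, snapshot(root))


if __name__ == "__main__":
    hits, changes = demo()
    print("signature hits:", hits)
    print("baseline diff: ", changes)
```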

  22. Mitch says:


    Is there support for SSL with this plugin?


    • AITpro Admin says:

      Can you be more specific? If you are using SSL and have a valid SSL certificate then BPS Pro works fine on websites using SSL.

  23. DonAlan says:

    I just got the pro version, and on a new install 3.3.2, I added the BPS, and click to go to the Launch S-Monitor but absolutely nothing shows up. Below the 3 yellow notices the screen is in blank. It is a brand new install and I just added the plugin after so not sure what to do?


    • AITpro Admin says:

      The API Server log shows that the BPS Pro Activation Key you are entering is missing a dot ( . ) on the end of the Activation Key. Please type in the dot and resave your Activation Key. Thank you.

  24. Richard says:

    I am unclear about updating WordPress while BPS Pro is active. Do we need to turn off AutoRestore, unlock the locked files, then do the WordPress update, then re-lock the files and then update the time under AutoRestore and then turn AutoRestore back on?

    And what about when we update BPS now? Say from 5.1.5-Pro to 5.1.6-Pro, and then from 5.1.6-Pro onward? Is the internal upload and upgrade functionality going to take care of all of the above automatically?

    Or is none of that stuff in the 1st paragraph I wrote *ever* necessary?

    And has all this been documented somewhere? — because I couldn’t find it.

    And sorry to be so obtuse.

    • AITpro Admin says:

      AutoRestore needs to be turned off when updating WordPress and once you have finished updating WordPress you would click the AutoRestore Backup Files Now button to create new AutoRestore backup files and turn AutoRestore back on. No need to unlock files, the WP updater will automatically chmod / unlock files if they need to be replaced or modified during the update / upgrade.

      BPS Pro 5.1.7 will contain direct upgrade installation coding so that BPS Pro 5.1.8 can be installed directly from within the WP Dashboard instead of having to use the zip upload installer. Or if you are asking if we are going to code BPS to automatically turn off AutoRestore when a WP upgrade is available then no we will not be doing that because we found that a displayed notification is 100% effective and an automatic “turn off” has a margin of error of about 1%, due to all the possible different website configurations and many other factors that are very difficult to predict and calculate with 100% accuracy. A 1% margin of error is not acceptable.

      Documentation can be found under the Read Me button on the AutoRestore page and also here —


    • Richard says:

      Holy crap, I just saw a lot of this was documented above. Was that already there when I commented? Sorry.

      • AITpro Admin says:

        Yep too funny, but in your defense the AITpro site is definitely in need of restructuring and redesign. At this point things are a bit cluttered and disorganized. 😉 After we release BPS Pro 5.1.7, we are going to be doing a redesign of the AITpro site.

  25. P.Color says:


    I have BulletProof Security Pro 5.1.6 Plugin

    I get this error message:

    Fatal error: Cannot_actlinks() (previously declared in /home/xxxxx/public_html/wp-content/plugins/bulletproof-security.php

    I can not activate the plugin.
    What should I do?

    thank you P.Color

  26. I installed the free version without an issue. When I removed the plugin to upgrade to the Pro version, I get a Fatal Error Below. Please advise as I am a novice. Thanks, Harry

    The theme has encountered a problem that it cannot recover from. Please use the following information to try to resolve the problem.

    Error Code:	php_code_error:64:/home2/xxxxxx/public_html/wp-content/plugins/bulletproof-security-take-2/bulletproof-security.php:43:require_once() [function.require]: Failed opening required '/home2/xxxxxx/public_html/wp-content/plugins/bulletproof-security/includes/class.php' (include_path='.:/usr/lib64/php:/usr/lib/php:/usr/share/pear')
    Message:	A fatal code error occurred.
