Please post your questions or comments in the new BulletProof Security Forum. When posting questions please provide specific details about the exact problem that is occuring
A BPS free general troubleshooting help page can be found here → BulletProof Security Free Forum
A BPS Pro general troubleshooting help page can be found here → BulletProof Security Pro Forum
Example:
Provide the plugin name if there is an issue or problem with another plugin.
Provide your exact steps in specific detail that led to the error, issue or problem.
Provide the error message that is occurring.
BulletProof Security Version .47.5 >>> Released 10-22-2012
BulletProof Security Version .47.4 >>> Released 9-18-2012
BulletProof Security Version .47.3 >>> Released 8-12-2012
BulletProof Security Version .47.2 >>> Released 8-05-2012
BulletProof Security Version .47.1 >>> Released 5-11-2012
BulletProof Security Version .47 >>> Released 5-10-2012
BulletProof Security Version .46.9 >>> Released 3-14-2012
BulletProof Security Version .46.8 >>> Released 1-16-2012
BulletProof Security Version .46.7 >>> Released 1-04-2012
BulletProof Security Version .46.6 >>> Released 12-01-2011
BulletProof Security Version .46.5 >>> Released 11-21-2011
BulletProof Security Version .46.4 >>> Released 8-09-2011
BulletProof Security Version .46.3 >>> Released 6-09-2011
BulletProof Security Version .46.2 >>> Released 4-24-2011
BulletProof Security Version .46.1 >>> Released 4-09-2011
BulletProof Security Version .46 >>> Released 3-09-2011
BulletProof Security Version .45.9 >>> Released 2-22-2011
BulletProof Security Version .45.8 >>> Releases 1-27-2011
BulletProof Security Version .45.7 >>> Released 12-31-2010
BulletProof Security Version .45.6 >>> Released 11-1-2010
BulletProof Security Version .45.5 >>> Released 10-10-2010
BulletProof Security Version .45.3 >>> Released 9-18-2010
BulletProof Security Version .45.2 >>> Released 8-13-2010
BulletProof Security Version .45.1 >>> Released 7-24-2010
BulletProof Security Version .45 >>> Released 7-22-2010
If you dig it please create a link back to AITpro. Thank you.
Tags: BulletProof Security Comments, BulletProof Security Questions
Categories: BulletProof Security Plugin Support
Hi, I’m using BulletProof Security – latest version with a Tribulant Software Shopping Cart Plug In
the .htaccess is blocking the shopping cart from completing payments as the “State” function for the customer address fields won’t complete. Tribulant as well as my hosting provide sent me the same message
You have security code in your public_html/.htaccess file that is blocking access to the URL:
I was able to run a test with the .htaccess file temporarily renamed, and the state drop-down box loaded. You may need to contact the provider of the security code in your .htaccess file for information on how to prevent it from blocking your AJAX request.
I’m a newbie to this all, any help is appreciated!
Hi,
Try this htaccess skip rule below to see if this will work for this plugin. Copy and paste this code below to Your Current Root htaccess file using the BPS File Editor.
# Tribulent Shopping Cart Fix
# If you have WordPress installed in a subfolder you will need to add the
# subfolder name to the RewriteCond /blog/wp-content/plugins/wp-checkout/ [NC]
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-checkout/ [NC]
RewriteRule . – [S=30]
Thanks,
Ed
Hey Ed – tried it, it allows it to get one step further then freezes the cart. Still not totaly fixed
I pasted it into the top of the plug in fixes using the BPS Editor – was that the correct place? I also tried it at the end, neither worked
looks like this
# Plugin conflicts will be handled case by case # Leave the plugin fixes code intact just in case you install one of these plugins # at a later time. Thousands of lines of htaccess code can be read in milliseconds # so leaving the code intact does not slow down your website performance at all. # Thousands of plugins have been tested with BPS and the plugin conflict fixes # contained in this BPS master file are permanent fixes for conflicts found with # these plugins. # Tribulent Shopping Cart Fix # If you have WordPress installed in a subfolder you will need to add the # subfolder name to the RewriteCond /blog/wp-content/plugins/wp-checkout/ [NC] RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-checkout/ [NC] RewriteRule . – [S=30]Thanks for your continuing help!
Hi,
I should have specified that anywhere above the Query String Exploits was fine to add the possible code fix. In any case it did not work. It was a 50/50 chance. Ok now it looks like whatever the wp-checkout-ajax.php file does exactly is where BPS is not allowing some function to do whatever it needs to do. I took a look at your site and I see that the store is actually in a folder named /shop. I have no idea how everything is working together. I am not familiar with Tribulent at all. Any way try this code fix and let me know what happens. Also it would be nice to know exactly what the wp-checkout-ajax.php file is doing so email it to me edward[at]ait-pro[dot]com. Thanks.
# Tribulent Shopping Cart Fix # If you have WordPress installed in a subfolder you will need to add the # subfolder name to the RewriteCond /blog/wp-content/plugins/wp-checkout/ [NC] RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-checkout/ [NC,OR] RewriteCond %{QUERY_STRING} cmd=get_states_by_country(.*) [NC] RewriteRule . – [S=30]Hi Ed – no joy on this either, the cart is completely shut down when you do that, it freezes and now won’t let you add things. And now even when I remove the code it seems somehow worse as it’s locked up so I don’t know what all is happening.
Am emailing you the Ajax File – if you want, i can send you the whole plugin file if helps
Do very much appreciate your support! I’m confident this can be figured out, as Tribulant is a pretty popular plug in I’m guessing I may not be the only one!
*** UPDATE BEGIN ***
ok i have looked through what the wp-checkout-ajax.php file is doing now I need to know how /shop figures into the mix. What is installed in the /shop folder and how is your main site related to the shop? I’m guessing that Tribulent is the actual shop so is this some sort of virtual directory setup? When I look at your source code i see Canonical URLs pointing to the /shop folder. I’m thinking that the /shop folder is what needs to not have BPS rules applied to it, but it would be helpful to know exactly what is going on in that folder. You could try adding a stripped down wp-admin htaccess file in this folder or adding a skip rule in the secure.htaccess file for this folder or possibly a default.htaccess file with a rewriterule with /shop/ in it instead of what you are doing on your main site. These are all just logical guesses without being able to know exactly how your site or sites are set up.
*** UPDATE END ***
I did not ask you if you had activated the wp-admin htaccess file, but it must be activated in order for WordPress backend functions to perform normally. This would probably not affect the Tribulent plugin and your shop, but would definitely affect other important WP admin functions. I thought of something else to try. The default.htaccess file is still using rewriting so that my be an issue depending on how your site is set up. I can’t tell from looking at your site externally – how the /shop folder comes into play. What is happening between Tribulent and the /shop folder??? I can only take logical guesses so it makes this much more difficult to guess what is going on. So maybe adding a modified wpadmin-secure.htaccess file would work. You would have to remove the filters because they are interfering with whatever is going on with your shop so try downloading the wpadmin-secure.htaccess leaving only Options -Indexes in that file. Another option would be to add RewriteEngine Off in the htaccess file that is in the /shop folder, but the parent htaccess file in the root will override that i am pretty sure. The other thing is i have no idea how your site is set up so i am not sure where Tribulent ends and the /shop begins??? Try the first suggestion and then if that does not work then i will need to know your site architecture so that i can stop guessing at what may or may not work without knowing all the details. I’ll take a look at the Ajax file to see if gives away what is happening with this plugin. Thanks.
Ed
Hi Ed – I was out of town so sorry for the delay in answering
I’m a bit of a newbie and so not sure how to answer your question on how the/shop is set up. I am running a full WordPress 3.1 site, it is the only thing on the Hosting site right now and I installed the Tribulant Plug in as specified – I FTP’d it over to it’s own directory and activated it through my plug in section. You then get a separate dashboard setting for “Checkout” where you can add products, pricing, images, etc for the cart.
Would it help if I sent you the PlugIn file? Or gave you and FTP login to look at the site?
Thanks for your persistence!
Peter
Hi,
Yeah I am willing to figure this out if you send me everything (the theme and plugin), but definitely don’t want to offer to work on your site for free. This would be setting a very bad precedent. 😉 So yeah send me your files zipped up and I’ll install and test everything on my test site. It bothers me though that the typical response from people who offer premium themes and plugins don’t feel like they need to support their work. And that happens in 90% of the cases. Ugh. In my professional opinion if you are selling a product then you need to support it and troublehoot it in any environment. That environment may include things like website security. Afterall without security you might as well just post your credit card numbers online. LOL Thanks.
Ed
After setting my permalinks, do I understand that I copy my “current root htaccess” into the secure, default, maintenance and wp-admin secure htaccess files and update them all? I then backup all files. And after that, I then activate all 4 bulletproof modes — is that the process?
When I do that, everything is green in my status, except for this:
“A BPS .htaccess file was NOT found in your root folder or you have not activated BulletProof Security for your Root folder yet, Default Mode is activated or the version of the BPS htaccess file that you are using is not .46. Please read the Read Me hover Tooltip above.
wp-config.php is NOT .htaccess protected by BPS”
I am activating bulletproof mode, and it says activated, but that message is always there. What do I need to do?
Hi,
In the process of overexplaining everything I have made something really simple and easy seem complicated – Too much information. 😉 If your WordPress installation is in your website root folder you don’t need to do anything except make sure permalinks are enabled. If your WordPress installation is in another folder you just need to make sure that that folder name is included in the path in RewriteBase and RewriteRule and the plugin fixes paths if needed. So i think what probably happened in your case is that you overwrote the top section of the secure.htaccess file. The only code that needs to be copied from the current active root htaccess file to the secure.htaccess file is the section of code the starts with # BEGIN WordPress to # END WordPress. You would just overwrite only that section of code in the secure.htaccess file. If the secure.htaccess file is now missing the rest of the code you can get a brand new master template by uninstalling and reinstalling BPS. The top section of all the master htaccess files # BulletProof .46 >>>>> is important and needs to be in the files in order for the status to display correctly. This can be modified, but then the functions.php file would need to be modified also to match your modifications. Thanks.
ok, so just copy that section into secure htaccess and don’t mess with the other htaccess folders.
I’m at hostgator. My main site is in the public_html/ folder but I have other sites in the public_html/domain_name folder. So for those other addon domain sites, I just need to make sure the rewrite rule was added? Thanks
Forgot to mention, I’m also using the wp supercache plugin.
WP Supercache has been tested with BPS and no conflicts exist with that plugin. Thanks.
Well if you never plan on activating the default.htaccess file (Default Mode) or the maintenance.htaccess file (Maintenance Mode) then you don’t need to add your WordPress folder name to them if you have WordPress installed in a subfolder. If WordPress is installed in the website root folder then you don’t need to change anything. The wpadmin-secure.htaccess file (BulletProof Mode for the wp-admin folder) does not need anything added to it because it does not do any rewriting, it just has filters added to it for security protection. If you want to get you sites protected fast just do the secure.htaccess file, then activate wp-admin BulletProof Mode and you can do the other files later. I am putting together a Screen Capture tutorial video today that will walk people through installation to activation and then another one to cover best practices and methods when using BPS. This really is a very simple plugin – I am just a blabber mouth. LOL
You should not have any issues with addon domains and BPS with hostgator. I have assisted other peeps who have had addon domains and they are seen as if they are the main website domain. Now if you have an addon domain and you install WordPress in a subfolder, then you have a WordPress subfolder installation and you would need to add that folder name to the RewriteRule and RewriteBase and anywhere else that would need the correct folder path name added. Thanks.
Ed
Thanks — looking forward to that tutorial. I’ll keep watching this space for it.
First off: great plugin. Thanks for taking the time to develop such and incredible plugin and offer a free version.
I left a comment regarding BPS on a thread started at the WP forums:
http://wordpress.org/support/topic/use-as-featured-image-link-not-working?replies=26#post-1988695
Just after installing BPS I can’t insert a featured image or delete plugins. I’m using a custom theme that I built myself. My permalink structure is /%year%/%monthnum%/%day%/%postname%/ and I am using the latest version of WP. I don’t know what more information you would need.
Any ideas?
Thanks.
P.S. When I revert to default .htaccess mode, everything works fine. What I am doing now is reverting back to default, inserting featured images on the posts I need and then reverting back to the BPS secure .htaccess.
I’d really be grateful if I found a permanent solution.
Hi Chris,
I’m about to release BPS .46 in an hour or two. Even Mo better. LOL Thanks.
Ok send me your website URL so i can look at your site and Theme to see what the issue is. Email your website URL to edward[at]ait-pro.com[dot]com and also let me know what Theme your are using and where WordPress is installed in case it is not obvious.
Thanks,
Ed
I’m having an issue with the the TimThumb script and the BulletProof plugin. The theme developer thought it was a server issue, but after contacting the hosting provider they said it was due to the modifying of the .htaccess file. Thumbnails on my client’s site are no longer working after installing the BulletProof plugin. http://www.riverkc.com/experience-us/
Developer said: ” contact your hosting provider and let them know that you are using the PHP TimThumb script on your website and it is not working as expected. You will simply need to email your webhost provider and let them know that you believe the issue is related to a mod_security rule. Ask them to please whitelist your site and reference mod_sec rule 1234234.”
And the hosting company said:
“Dear Customer,
this is caused by a custom rewrite section you added to your .htaccess file which looks like this:
# QUERY STRING EXPLOITS RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR] RewriteCond %{QUERY_STRING} boot\.ini [NC,OR] RewriteCond %{QUERY_STRING} tag\= [NC,OR] RewriteCond %{QUERY_STRING} ftp\: [NC,OR] RewriteCond %{QUERY_STRING} http\: [NC,OR] RewriteCond %{QUERY_STRING} https\: [NC,OR] RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR] RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR] RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC] RewriteRule ^(.*)$ - [F,L]So you will have to correct your rules or comment them out so that they do not send a forbidden error to any calls to the timthumb script. You can see that your images show up if you comment out this line:
#RewriteRule ^(.*)$ – [F,L] (This is line 141 of your .htaccess file)”
I’m not a developer, but I’m fairly technically savvy so if I’m given specific instructions I can hack at the code.
Thanks,
Mat
Hi Mat,
There is a known issue with TimThumb, but there is a permanent fix included in the BPS secure.htaccess file. I took a look at your site and i see this Sansation/i_global/new-load.png for the URL properties of your images. I am not familiar with this Theme. I took a quick look and this is not an image thumbnail issue at first glance. What i see is Flash images. Try this as a workaround. Download the BPS default.htaccess file, upload it to /wp-content/themes/Sansation/i_global/ and then rename it to just .htaccess (remove default in front of .htaccess). If this works then you can either stick with this workaround or I will need a copy of this Premium Theme to test it in order to give you a permanent .htaccess fix. So let me know if the workaround works and we’ll take it from there. Thanks.
Ed
We have a fresh subfolder install of WP. Updated the default.htaccess file to include the correct redirect and uploaded to the server. WP pages could not be found with browser until I removed “Options -Indexes” from the .htacces code. Is this indicative of something worng with the WP installation? How should I proceed – delete Options -indexes form all .htacces files?
-Ed
Hmm this is a new one. Options -Indexes prevents a directory listing of public files when browsing a directory with no index file (index.php, default.asp etc.). It should not affect links whatsoever. I checked your site and everything looks ok right now. You have custom permalinks set up. Your links all appear to working correctly. I see that the main root website is HTML based, but that should not matter whatsoever for the WordPress site. Unless you want to enable indexing of public files – files viewable to the public displayed in an indexed list – then I would not remove Options -Indexes. Thanks.
Hi,
Thank you so much for this great plugin and was very happy with how it works. But I have some minor issues. I’ve installed this on my main domain after a fresh install of WP 3.1 and everything works smoothly. Then I added several domains, (as addon domain on Hostgator) and installed a fresh copy of WP 3.1 on all of them too. When I logged into each of those addon domains, I noticed that deleting any plugins returns a 403 Forbidden and I was being redirected to a 404 frontend page of my blog (I tried Hello Dolly & Akismet as this was all fresh install). But my main domain was all okay with deleting, activating plugins.
So I tried restoring the default .htaccess file that WP writes when changing permalinks and everything was fixed along with the 403 errors from all the other addon domains.
But I wanted to use the secure htaccess and not the default htaccess. Do you have any idea or fix with this? Looking forward to your reply.
Thanks and keep it up! 🙂
Hi,
Please read this HostGator help page on add-on domain >>> HostGator Add-on Domain Support
Depending on how you set them up they could be seen as subdomains instead of root domains. Once you taken a look at the help page let me know how your subdomains are set up. You may just need to treat these add-ons as subdomains or it might require an extra rewrite rule in the root htaccess file. If you want to keep that info private then send the info to edward[at]ait-pro[dot]com.
Thanks.
Yes, addon domains are like subdomains on Hostgator.
So basically this is how its set up:
My main domain’s WP installation is here:
public_html/
My addon domains is here along with WP installation:
public_html/addondomain/
As far as everythings going on now, its all running smooth. But not sure if the rules on root htaccess will affect those of the addon domain’s folder too. Quite confused, sorry. But thanks so much!
Yep on your other comment. Once you add a custom permalink structure then you should be good to go. Nice to know that HostGator does not require any additional htaccess rewrite rules with add-on domains. I’ll make a note of that. 😉
The way .htaccess files work is that if you had an htaccess file in only your root folder then all the folders below the root folder (subfolders) would have those rules applied in them. Since you will have different .htaccess files for each of you add-on domains (folders) they will have their own .htaccess files and will follow the rules in that specific .htaccess file. Another way of saying this is that .htaccess files are explicit to whatever folder they are in. An exception to this would be if the root htaccess file had an additional rule that the htaccess file in an add-on domain folder did not have then this rule would be added in a cumulative way. I don’t want to confuse you here just mentioning this info about htaccess files in general.
Thanks,
Ed
Hi again,
After going to the sites again, found out that I have to flush the permalinks first to have .htaccess as it wasnt created automatically. All working great so far, reverted the secure htaccess file on my main domain and will go on installing BPS on my addon domains too.
Thanks for this great plugin! 🙂
Hi,
I didnt do a backup of my htaccess, when I uninstalled Bullet Proof security, my website now redirects to website.com/login
Even if I manually type in website.com/index.php it still goes to /login
The only thing I enabled was Bulletproof mode on wp-admin
How do I disable this /login redirect, please help. Thanks
Wow that’s a new one? If you are able to log into your website then resave your custom permalink structure >>> Settings >>> Permalinks >>>> Save Changes. This will automatically create a new .htaccess file for you. If you are unable to log into your website then FTP to your website and manually replace or edit the .htaccess file that is in your root folder. You did not provide a link to your site so i have no idea if this is a root or subfolder installation. Use the BPS default.htaccess file and modify it if necessary for your WordPress website. Thanks.
I’m pretty new when it comes to working with Word Press, so I’m sure that my problem is something that I did or didn’t do. I’ve installed your plugin since I know security is very important and I want to be pro-active. I’ve had a static website hacked before and I know the headaches that can cause.
Anyway, the plugin installed with no issues and I’ve got the “green light” on all status items, but when I try any of the tests that is suggested to verify that Bullet Proof is working, my site always loads to the home page. I did load a forbidden page based on your example.
I don’t know if this matters, but the site is an add-on domain, but WP is installed at the root of that add-on domain. Everything on the site works fine. It just doesn’t appear that that the site is protected.
Any ideas, suggestions are certainly appreciated.
Yep your site is not protected right now. I ran a couple of tests, the most simple one is that i can view your WP readme.html page. There is a minor coding boo boo that I did not catch in .45.8 that is telling you that your readme.html file is protected, but it is not accurate (if BPS is setup correctly then the readme.html file is protected – the message display itself will say the file is protected whether it really is or not – my bad – will be fixed in .45.9). That will be corrected in .45.9. I looked up info on how BlueHost treats add on domains and htaccess in general and i don’t see any info that would indicate that you would need to do anything “unusual” regarding htaccess. So yeah the problem is because of the way things are set up on your site. The best way to add add-on domains is to create a folder name with that exact domain name of your add-on domain and then yeah you would install WP in that add-on folder. So in your case that would be a folder named /uncannynews.com. Now with that said you can still make things work fine with what you already have set up. So what i would need to know from you to tell you what you need to add to the .htaccess master files is:
Does this add-on domain currently have a folder created for it?
Have you set up anything in your Hosting Control Panel like aliasing or redirection?
What else (type of sites ie HTML, WP or just html files, etc) is installed or currently being used in your primary domain root for your hosting account?
You can send me an email with that info if you are not comfortable with posting it here. edward [at]ait-pro[dot]com
Thanks,
Ed
Hi, I am a novice with wordpress and everything that pertains to it. I don’t want my blog to be hacked, so I was delighted when I found this plug-in. From what I’ve seen, blogs are quite vulnerable.
I am having a problem that is either slowly getting worse, or I just keep noticing more symptoms as I do different things on my blog.
Whenever I try to delete an image, whether through the edit post area or through the media library, I am taken to a 404 error page. Yesterday, this also started happening whenever I hit the save or update button after making changes to admin. I defnintely need to fix this. Furthermore, the 404 error page I am taken to does not look like one that I have set up. My blog is brand new, so I doubt it was hacked. it can be found at [your URL link was moved to your name above] Your help is greatly appreciated.
I took a look at your website and you are using a default WordPress Permalink structure. See this page on setting up a custom permalink structure >>> http://www.ait-pro.com/aitpro-blog/2304/wordpress-tips-tricks-fixes/permalinks-wordpress-custom-permalinks-wordpress-best-wordpress-permalinks-structure/
Also you should add the www prefix for your website URL just for good measure. Go to Settings >>> General >>> add the www prefix to your website URL’s for Website address URL and Site address URL. Thanks.
Thank you so much. I followed your advice on both the permalinks and the www. I also double checked my settings and noticed I had the red warning on the .htaccess file in the admin folder. I thought I may have accidentally skipped it when I activated everything else, so I went back to that screen and activated it. Apparently, that was the case, because when I went back to my status page, the message was gone.
I am happy to report that everything is now up and running properly. And thank you so much for the support page about permalinks. I was totally confused on this subject, and it actually makes sense to me now.
Candace
Excellent! Well done. 🙂 Yep one of my rare moments where I managed not to over explain something >>> custom permalinks. LOL. Thanks.
Ed
i need help
i stupidly did not read the info about the fact the my blog is hosted in a sub directory on my site and activated something (that said something about access to htaccess – i chose the BulletProof option rather than the Default option)
now i cant access anything
cant login to my wp dashboard and noone can access the site
any advice of what i can do?
thanks
kate
the thing i didnt read:
*** Old Version Info *** – see the BPS Guide for current version info
If your WordPress installation is in a subfolder then DO NOT activate any of the BulletProof Security Modes until have fully read the help files and read the BulletProof Security Screenshots page (applies to versions .44 and .44.1) BEFORE activating any BulletProof Security modes. Setting up BulletProof Security to work correctly for your website if you have WordPress installed in a subfolder off of your root website domain WILL require a one time manual editing of the 3 .htaccess files that are provided with the BulletProof plugin. You will need to add the path to your particular folder where WordPress is installed on your website domain. Those 3 .htaccess files are located in the /plugins/bulletproof-security/htaccess/ folder. The files are named: default.htaccess, secure.htaccess and maintenance.htaccess. Download the 3 files to your computer add the path to your WordPress installation folder in all of the provided .htaccess files and then upload them back to the /plugins/bulletproof-security/htaccess/ folder. If WordPress is installed in your website domain root folder on your website then you DO NOT need to make any modifications to any of the BulletProof .htaccess files.
the page i see is this:
IISPassword
The page cannot be displayed
There is a problem with the page youare trying to reach and it cannot be displayed. It is most likely that configuration files for this url are corrupted.
Please try the following:
* Click the Refresh button, or try again later.
* Open the home page, and then look for links to the information you want.
* If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the home page.
HTTP Error 500
IISPassword for Internet Information Services » IISPassword Info
IIS typically does not work with mod_rewrite and .htaccess files so take a look at this WordPress Codex regarding IIS and mod_rewrite alternatives >>> IIS and PermalinksIt also depends on what your web host OpenHosting allows or does not allow. I am researching what options your host does allow.
*** UPDATE ***
Your web host OpenHosting is using IIS6 not IIS7 and they are using ASP to perform URL rewriting >>> OpenHosting Help Link so unless you switch to an Apache server for web hosting you cannot use BPS.
Ok FTP to your website and delete the .htaccess file or files. Since you are using IIS instead of Apache then you may not be able to use BPS at all. First let’s get you access back to your website and then take a look at that. Thanks.
thanks so much for helping me with this – ok i went in and deleted the htaccess file – i found one in blog/ and one in blog/admin – now when i go the blog at http://www.enf.org.uk/blog it says
“Error establishing a database connection”; when i try to access my WordPress Dashboard it still says the same as before (about the IISPassword”
cheers
slightly calmer to know there is someone who can help 🙂
the page i see is this:
IISPassword
The page cannot be displayed
There is a problem with the page youare trying to reach and it cannot be displayed. It is most likely that configuration files for this url are corrupted.
Please try the following:
* Click the Refresh button, or try again later.
* Open the home page, and then look for links to the information you want.
* If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the home page.
HTTP Error 500
IISPassword for Internet Information Services » IISPassword Info
sorry – update they both now say they cant establish connection with the database:
when i try togo the Dashboard it says:
Error establishing a database connection
This either means that the username and password information in your wp-config.php file is incorrect or we can’t contact the database server at mysqlserver. This could mean your host’s database server is down.
* Are you sure you have the correct username and password?
* Are you sure that you have typed the correct hostname?
* Are you sure that the database server is running?
If you’re unsure what these terms mean you should probably contact your host. If you still need help you can always visit the WordPress Support Forums.
also i should say – i’ve been hacked twice in thelast week – hence the reason i was trying to install added security, and so i have just re-uploaded the blog from my local folder to remote site in dreamweaver. when i open the config file in …….
ok sorry just worked this out – I’d changed the password for the db but it had defaulted to the original one when i re-uploaded the blog. now changed it and i’m back in! massive relief.
any idea how i stop getting hacked? 🙂
Cool! Glad to hear you are able to log in and access your Dashboard again. I’m not real familiar with IIS servers, but let me take a quick look around and see what kind of options you have for IIS website security. Thanks.
*** UPDATE ***
This is what I expected to find. The ASP.NET Web.config file is similar to Apache’s .htaccess file in that you can control what is filtered and what is not and even perform URL rewriting, but only if the web server is an IIS7 server.
IIS7 can be secured see this info >>> http://learn.iis.net/page.aspx/557/translate-htaccess-content-to-iis-webconfig/
IIS6 is very hard to secure, has limited security and is very dated so if your web host has not upgraded to IIS7 you should be asking yourself why you are still using them. IIS7 came out in 2007 – 4 years ago. Thanks.
thanks so much – and good to hear in a way – my webhost has been pretty unhelpful over the recent hacking and security – basically saying it cant be a problem at their end! and the issue of ftp hacking isnt their problem either. that, and some previous doubts, was making me think i’d have to move. so, thanks for your advice and hopefully once i’m moved i can finally install yr plugin 🙂 all the best
Well they are full of it. I ran a Nikto server scan and they have all sorts of wide open security vulnerabilities. Be sure to choose an Apache Linux hosting plan. Personally I think Apache is more secure, but that debate has been going on for years now. LOL I just checked my GoDaddy affiliate links and it looks like the offers expired. I never made a penny off of them anyway so time to remove them. The web host review I wrote about them stays because GD ROCKS!!! I have worked on somewhere around 30 different web hosts for myself and clients and hands down GoDaddy is the best of all of them. Good Luck. 🙂
*** UPDATE ***
Actually i just had to reactivate the GD specials links so if you plan on using GD give me click so i can earn 5 cents. LOL
http://www.ait-pro.com/aitpro-blog/category/misc-projects/web-host-review/
🙂 will do
and i’ll check them out for sure
and thanks for the info about my current host 🙂 – and i’ll get on to it first thing monday morning!
cheers
kate
Hiya! Thank you for sharing your Bulletproof Security plugin.
I’m a novice who’s starting up a new website and I just plugged in your BulletProof Security. I followed your directions and everything seemed to be working fine.
But after activating all the secure modes, (and I haven’t activated the maintenance mode at all yet), now it’s hard for me to log out of my website. (Both the online site’s upper dashboard pull-down-menu log-out-button, and the online site’s upper right-sidebar log-out-button doesn’t log-out the member, and instead the member stays logged-in.)
I’ve tried by refreshing the page itself several times, but it didn’t make any difference, I was still logged in. And then only after I close the internet browser window and bring up a brand new browser window and reload it, and then go back to my website again, do I see that I’m finally logged out.
(And my log-outs had all worked fine until I activated the BPS plugin.)
Is there any help you could offer me as to what I should do? I’m searching things and keep coming back to your page here. (I don’t know much about codes, but I’m trying my best to learn things.)
Thank you.
avoice 🙂
The problem: If you are outside of the WP Dashboard and you log out of a BuddyPress Member account nothing happens. If you are in the WP Dashboard and log out you are logged out successfully. BP Members cannot access the WP Dashboard so they cannot log out at all. I have tested htaccess coding that would take care of this problem, but it would create a security vulnerability issue so unfortunately in order for Members to successfully log out they will have to log out from within the WP Dashboard for now. I will continue to look at other ways of handling this log out issue so that security is not compromised and the external log out button works.
Thanks,
Ed
Hiya Ed! Thanks so much for the helpful information! avoice 🙂
(And thank you for your helpful willingness too! Really do appreciate it! For now I’ll post a note to let people know) 🙂
WordPress 3.0.4 must be installed for this BuddyPress fix to work. I tested on the previous versions of WP and this fix will NOT work. SFC version .25 now only requires a simple Skip rule. SFC and BuddyPress do not work together. The rules do not conflict so there is no need to comment out the SFC code. If you want to add a Facebook connect feature to BuddyPress then BP-FBConnect should be used.
# BuddyPress Logout Redirect fix - skip BPS Filters on Logout link Redirect # WordPress 3.0.4 or higher must be installed for this fix to work RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC] RewriteRule . - [S=30] # SFC Simple Facebook Connect Redirect Fix RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC] RewriteRule . - [S=30]Thanks,
Ed
Hiya Ed! Thank you so much for your helpfulness! I have the wordpress 3.0.4 already installed. Now I just have to find out which area I paste the fix into. (I’m a novice who’s just learning this stuff and I have a couple windows open to research these things.)
Thanks again for all the information you included and for the solution you supplied! And for doing it so quickly too! Wow! I really appreciate it!
Best wishes to you and all your endeavors! avoice 🙂
oh the code fix just goes in the secure.htaccess file and also in Your Current Root htaccess file right after this line of text below. Use the File Editor, copy and paste this code directly from my site to your htaccess files and save them. You have to save them individually one at a time. 😉 Thanks.
# Plugin conflicts will be handled case by case instead of removing filters
# for the entire Plugins folder
Wow! It works great! No problems at all! Logging-out works fine! Thank you so much! 🙂
Hi,
I have the bp-maintenance mode currently running on my site. I can’t figure out how to get the site back into public view, once I have finished doing the upgrades/posts/
Hi Claire,
Just activate BulletProof Mode. Hmm I moved the Maintenance Mode activation off of the Security Modes page to a separate page so that people would not activate it by accident. So now a few people have asked this same question. Guess I need to add a help message on that page that says to just activate BulletProof Mode when you want to get out of Maintenance Mode. 😉 Thanks.
I just want to say, I am really impressed with the commitment of the plugin author. I can’t say much about the plugin itself, I am not an experience hacker or some sort, and I guess my site hasn’t been tested out in the wild, but one thing for sure, the Author care a big deal to his creation.
I am just a free user, I reported a possible bug (turned out to be a false alarm) and Ed gave some of his times to check multiple aspects of what could went wrong.
Thank you Ed, for your plugin and your concern 🙂
Thanks I think. LOL I got what you meant to say. 😉 Very welcome. 🙂
The stats plugin is;
‘WordPress.com Stats’ by Automatic, Version 1.7.5
I am running WordPress version 3.0.4.
Thanks and Regards
Fred
I have created a new page that will report plugin conflicts, the testing status and the final fix. The fix for the WordPress.com Stats plugin is now located here >>> http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/
Thanks,
Ed
I reiterate the comments re dedication by the author of this plugin – congratulations.
Unfortunately, the fix is too technical for me. I know nothing about coding.
Are you going to include it in an update?
Regards
Fred
BPS .45.7 has a built-in File Editor now so you would just click on the “Upload/Download/Edit” menu tab to go to the BPS File Editor, click on “Your Current Root htaccess File” menu tab and copy and paste this code below into the editing window. You can paste this code right after the TimThumb Thumbnail images not displaying fix. Then just click the Update File button and you’re done. You probably want to also do this for the secure.htaccess file too otherwise if you reactivate BulletProof Mode for your root folder then the master secure.htaccess file will not have the new Stats fix in it.
# WordPress.com Stats Flash SWF Graph Does Not Load Fix # If you have WordPress installed in a subfolder you will need to add the # subfolder name to the RewriteCond /blog/wp-content/plugins/stats/ [NC] RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stats/ [NC] RewriteRule . - [S=15]Fixed.
Thanks you are so prompt and accurate
Many, many, thanks
Fred
Cool! Glad that took care of it. Thanks. 🙂
Hi Guys,
I have a conflict with a WordPress plugin.
The plugin is ‘WordPress.com Stats’ by WordPress.
Stats numbers are shown on tables but the graph does not appear at all.
Any clues?
Fred
Hi,
I see there are several plugins that are named similarly. Please let me know exactly which plugin it is by posting the plugin author name and version number. I will be doing testing tomorrow so I will have an answer for this tomorrow. Thanks.
I’m still trying this plugin on my PC because I’ve a very low connection to test it in my hosting.
I’m using Suffusion theme. I get only one problem when this plugin installed. When I use the search feature, the result is going to Access is forbidden page. When I switch to the default wordpress theme, the result is going to the correct page. When I delete the htaccess from this plugin at all and replace it with the original htaccess, the search feature works correctly in Suffusion theme.
Please help me and I’m sorry for my bad English.
BPS .45.7 has new additional SQL Injection Filters in the .htaccess files that will cause certain words to be blocked when using a site search (search window in your website’s Theme). See this section of the BPS Guide for more info >>> http://www.ait-pro.com/aitpro-blog/1166/bulletproof-security-plugin-support/bulletproof-security-plugin-guide-bps-version-45/#extra-website-security-protection
It is interesting that the default WordPress Theme search window is working and not the other Theme’s search window. In BPS .45.7 you can now edit the htaccess files with the built-in BPS File Editor from within the WordPress Dashboard in real time. The SQL Injecion filters are the most important htaccess filters of all of them so if you are going to remove any of the SQL syntax / words from that filter then those SQL command words can be used against your website in a hacking attempt. The better approach is to find a way to make your Theme’s search feature not see certain search words – Example >>> Exclude them as allowable search words. This is on my list of things to look at next regarding BPS. Thanks.
Thanks for your quick answer and I’m sorry I’ve lost my internet connetion for 2 days. I don’t know how to modify the code of the theme. I’ve not any knowledge about the code.
I’ve tried to remove some rule in this line:
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||”|;|\?|\*|=$).* [NC,OR]
becomes:
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||”|;|\*).* [NC,OR]
and the search feature of suffusion theme works correctly.
I’m sure that removing some rule in this plugins means opening some holes to my site security.
I want to contact the theme’s author but his forum site is very hard to be loaded with my connection (your site is better I can load it less than 2 second with my slow connection).
I love your plugin and suffusion theme, but how can I modify the code of the theme?
Please help me and I’m sorry for my bad English. Thanks
The best approach is to find out which code BPS is blocking and then see if you can just simply add a bypass for that code contained in a particular file (bypass the filters for that entire file itself). That way you still have the filter working for the rest of your website. So for example you could add an htaccess bypass rule like this ( i have not tested this to see if it works, but in theory it might work):
# If the Theme's search template is called search.php then bypass the BPS filters # S=15 means Skip 15 RewriteCond %{REQUEST_FILENAME} ^search.php$ RewriteRule . - [S=15]I will test this theory out on my testing website when i get a chance to see if this works.
I’ve tried it but it does’nt work.
Are you referring to the latest fix for the Suffusion Theme Search problem? If so, make sure that you are editing both your active root htaccess file and the secure.htaccess master file. Make sure there is no space after the less than < character.
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]The permanent fix has been posted here >>> http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/
thanks for the solutions
Hello,
I’m testing different security plugins.
Bulletproof Security (BPS)
WP-Firewall (WPF)
WP-Sentinel (WPS)
When you have BPS installed it will block
some alerts from WPF and WPS. Because it
creates some lines in the .htaccess file.
Is this a good thing?
Also, BPS has other types of defence
lines then WPF and WPS.
Wich one is best?
Cheers,
Jaap
I forgot one thing also.
It has to be activated sitewide on multi-site right?
Because when I activate it only on the main blog of
al multi-site install it perfectly creates the .htaccess.
And I make some adjustments for the multi-site install
in the .htacces like is in your guide. But doesn’t seem
to block the injections on other blogs when activated
mainly.
Kind regards,
J
The whole MU thing is kind of a grey area for me because I have not gotten around to actually setting up an MU testing site for BPS yet. Logically the way BPS is written / coded, it is designed to enable website security protection for an individual website domain per installation of BPS. Example: The AITpro site is 2 websites / 2 WordPress installations in different folders so BPS is installed in both sites separately of course. So with MU sites I believe that the same logic would apply that the .htaccess files would need to be Site Specific because BPS works at the very base level of looking at the root path of the website URL to do rewriting. If these are subdomains then they have a different root paths. Example my-MU-blog.com and another-MU-subdomain.my-MU-blog.com. So if you would be willing to do some experimenting and let me know the results that would be great. Thanks.
BPS is a very simple plugin that is just handling putting .htaccess files where they should go with a click of a button instead of having to do this the typical way of uploading .htaccess files to your website folders. The coding filters are complex, but the BPS plugin is very simple for now. At some point when I do install an MU network then I will write additional code that will specifically address MU sites.
My wordpress multisite v. 3.0.3 is installed with subdirectories,
so i can’t test the subdomains. But I will test some more on WP multisite
and come back with the results.
I indeed find out that on single wordpress 3.0.3 installations it works better.
On single WP install BPS blocks some of the plugin warnings of the WP Sentinel
and WP Firewall plugin. Wich looks ok because they are possibly the same and
the .htaccess just blocks it out before the plugins do so the plugins don’t see it.
On network site (WP multi-site) BPS doens’t work correctly like u said “I will write additional code that will specifically address MU sites.”. Probably indeed because of the different paths.
I go and try some more testing on the multisite. Like single activation on every site etc.
Well I didn’t say that BPS doesn’t work correctly on MU sites. What I meant was that I would write specific functions for MU that would make using BPS much simpler in a sitewide configuration as opposed to a per site configuration. As far as I know every other person that I have helped that has an MU installation has reported that BPS works fine. They may not have tested their subdomains though to make the sure the BPS filters were working correctly on the subdomains. I appreciate any feedback you can give me and thanks for offering to take the time to check this out. Very much appreciated. 😉 I will install and test those plugins you mentioned ASAP and let you know what I find out. Thanks.
It does some things right on a WP MS, like
protecting the wp-config.php file and .ini files.
And looks like working ok, but if u test it on like /?s=declare it
doesn’t go to 403 page like when is single site and u come on the
search engine page if u have one.
Tested if it might be my multisite .htaccess file.
In the BPS guide it says:
# BEGIN WordPress RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] # uploaded files RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L] RewriteCond %{REQUEST_FILENAME} -f [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteRule ^ - [L] RewriteRule . index.php [L] # END WordPressMine is:
# BEGIN WordPress RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] # uploaded files RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L] # add a trailing slash to /wp-admin RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L] RewriteCond %{REQUEST_FILENAME} -f [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteRule ^ - [L] RewriteRule ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L] RewriteRule ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L] RewriteRule . index.php [L] # END WordPressDon’t really see a problem there.
So might really be that the paths of the multi site aren’t right yet.
*** Comment revised ***
A new page has been created for creating a custom 403 Forbidden page for your website
Like here is a single site from the ms:
http://bit.ly/hZZQFt
And this is the main ms site:
http://bit.ly/ckzBLS
But is in maintenence mode.
If u test on single site with /?s=union
it doesn’t go to 403 page.
Ok I will set up MU in a week or so and take a look at all the aspects involved. I am on the final push of releasing BPS .45.7 with File editing in the WP Dashboard and Upload / Download in the WP Dashboard. Plus regular clients work and projects take priority over working on personal fun stuff. 😉 I will look at those other plugins when I get a chance. Thanks 😉
I will test both of these plugins and give you an answer once I have tested them. Thanks.
Alright, thanks!
awesome security plugin…..and i just want to know about 301 redirect problem between non-www and www version on htaccess, thx very much
Thanks! 😉
BPS does not change or modify your website URL prefix. You do not need to add the URL prefix in the BPS master .htaccess files. BPS only follows whatever the WordPress URL settings that you have set under your Settings, General Settings, WordPress Address URL settings. I took a look at your website and you currently have the WordPress Address URL set to show the www prefix in your website URL. If this did not answer your question then I will need more specific details about the 301 redirect problem you are having? Thanks.
no, the case is on my fillmedia.com blog, i had changed my wp prefix, and the problem is non-www version not showed 301 redirect.. i just added this 301 redirect script on the top of your htaccess like this:
RewriteEngine On RewriteCond %{HTTP_HOST} !^www\.fillmedia\.com$ [NC] RewriteRule ^(.*)$ http://www.fillmedia.com/$1 [L,R=301]thx for your reply and sorry for my bad english 😀
Oh you were asking for htaccess code to strip or add the www prefix. 😉 Sorry I misunderstood and thought BPS was doing something wrong. Glad you found the htaccess coding you needed. Thanks.
*** Disregard comment – written by scammer or hacker per Ed ***
Hi, thanks for the reply. First, no, my domain.com/blog/ is not literally /blog/ but I did make the change to the real folder. This isn’t the problem (remember, everything works except when the select is left in the syntax).
I suppose I’d prefer to have the select in there if I can, to ensure everything’s protected as best as possible. to confirm, you are suggesting I put this in the code:
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^/simple-facebook-connect/ [NC]
RewriteRule ^(.*)$ /blog/wp-login.php?action=register [R=301,L]
RewriteRule . - [S=15]
and that the S=15 means skip the next 15 lines in the .htaccess, so that I have to make sure the above code is within 15 lines of the select syntax?
Except, the above code is not right, at least not for this situation, and we need some other check to make sure the select call is coming from facebook. Any ideas? should be more like
RewriteCond %{REQUEST_URI}
RewriteRule . - [S=15]
thanks!
The SQL “select” syntax is not a factor at all in the FB verification and login process. You can experiment any way you would like, but some of the things you are suggesting and trying do not make any sense – ie you will leave your website vulnerable to hackers and the coding changes are not logical and will not work at all. I don’t really know what to tell you here? This works fine for me on my testing site so maybe you have some addtitional setup (plugins or configurations?) that my testing site does not have??? You still have to address the query string redirect_to= issue. Take that rewrite condition out and you will see that the FB registration process does not complete successfully because you need that redirect to happen. So you need 2 things to happen to make it work. The login redirect needs to be there for FB verification and redirect to WP login and a rewriterule for ONLY your particular website setup that says to skip the filter rules for just the SFC plugin because you are claiming that the “select” filter is not working for just your website.
*** Disregard comment – written by scammer or hacker per Ed ***
Thanks. I’ll wait to see what you come up with when you get the time. In the meantime, I’ve stripped all facebook references away entirely from my .htaccess and have reoved the select as well, and everything works fine.
*** Update by Ed – As expected this scammer or hacker failed to provide a link or legitimate email address ***
Ok i looked at this again. I removed the FB code that allows FB login and connect to work and redirect correctly. As a result I am not logged in with my FB account and am not redirected to login page correctly. Instead i am sent to this page instead of being connected and redirected correclty >>> http://www.ait-pro.com/wordpress-testing-website/login/?redirect_to=http://www.ait-pro.com/wordpress-testing-website/login/?loggedout=true The redirect_to= does not complete successfully. Also I left “select” in my SQL filters and was successfully able to use SFC FB connect to successfully log in using the .htaccess code in BPS that allows the connect login redirect to be able to complete successfully. I then experimented by only commenting out the # RewriteCond %{REQUEST_URI} ^/simple-facebook-connect/ [NC] >>> my testing site hangs and when it does finally load it displays completely broken. ie the CSS is not displaying correctly and the page never really fully completes loading successfully. Now I use the TML login plugin so to elimnate that as a possibility I deactivated it so that I am using the standard wp-login. With the standard wp-login I am unable to connect with SFC FB connect when the .htaccess coding is commented out in the BPS .htaccess file. By testing commenting out # RewriteCond %{REQUEST_URI} ^/simple-facebook-connect/ [NC] >>> my testing site hangs and when it does finally load it displays completely broken. ie the CSS is not displaying correctly and the page never really fully completes loading successfully. At this point I can safely say with 100% accuracy that the FB .htaccess fix is absolutely necessary and that removing “select” from the SQL filter is not necessary and opens a website security vulnerability to hackers.
By the way I have noted that all along you never included a link to you website and are using a free Yahoo email account. I am very suspicious at this time of your intentions, but I could be completely mistaken. It is quite possible that you have some custom .htaccess coding that comes into play that could be causing some of the claims you are making.
*** If you would like to pursue this further you will need to provide a link to your website and an email address that identifies you ***
*** Also I see from your IP address that you are located in Venice, California so if you would like to discuss this over the phone then please give me a call ***
*** If on the other hand I find that you have been intentionally wasting my time I will notify your ISP – Road Runner of your actions ***
*** AITpro.com uses very sophisticated and custom made tracking software that we designed that can track you to your node if necessary ***
Thank you,
Ed
I loaded BPS yesterday and got a simple scripts update to perform today from wordpres. It doesnt accept the upgrade and comes up with reject from server (403) error. How do I get around this , do I just temporarly disable your plugin? or something else. Also I am struggling with the Maintenance help notes, where do I find all these files to download? I tried FTP to my site but there were no such files?
ps Also Reading previous comments….for interest how do you know if someones elses site has been hacked?
ps I know next to nothing about code and am now worried about the possibility of having to amend these access files, I didnt really get the message from the plug in that there were some irreversible aspects once installed.
BPS should not be blocking any script installations so I’m not sure what you mean by that. BPS is a very simple plugin and it is very simple to put your site back where it was if you need to. Please take a look at the BPS Guide online to answer the other questions you asked. If you don’t want to view it online you can just copy the entire guide and paste it into a Word document. When you install BPS nothing is changed on your website. When you activate BPS the only thing that happens is .htaccess master files are copied to your website root folder and to your website’s wp-admin folder. So if you performed a Backup before activating BPS security modes then you just need to perform a Restore. If you did not perform a backup then you will need to delete the .htaccess file in your wp-admin folder and add the generic default.htaccess file to your website root folder to put your website back to the state it was in. If you have an MU site you will have to add an MU .htaccess file.
Sorry, It must have been anothr coincidental problem as the wordpress updated to 3.0.3 no problem today.
I still dont know from reading your guide where to download such files as
Guide:- ‘Download the file maintenance.htaccess from the /wp-content/plugins/bulletproof-security/admin/htaccess folder’
Apologies for my lack of knowledge. I’d like to test the Maintenance aspect but dont want to press that button till I know I can get back in with my IP.
PSI followed your guide instructions on backup so should be fine.
Thanks
Ok glad to here that the WordPress update completed successfully.
I think maybe you are asking about how to do the download itself so if that is the case then you will need to connect to your website via FTP. Once you have connected to your website via FTP then you will go to this folder – /wp-content/plugins/bulletproof-security/admin/htaccess and dowload the file named maintenance.htaccess. Once you have downloaded the file then you will edit it and add your IP address to the file and upload it back to the same folder that you downloaded from and then you can activate the Maintenance Mode. BPS .45.7 will have new features that will allow you to do all of this from within the WordPress Dashboard – master .htaccess file editing and upload & download from within the Dashboard. I am hoping to get BPS .45.7 released in a couple of weeks.
Thanks,
Ed
I’ve FTP to my site and there is no folder as you describe above. 🙁
Stumped.
This is a WordPress site right? Is there a bulletproof-security plugin folder under the plugins folder? Do you have more than one WordPress installation? Do you have an MU installation? Do you see the bulletproof security plugin listed in your plugins folder in your Dashboard? Look at the System Info page on the BulletProof Security Settings page and post your Website Root Folder: path in a comment. This is the path where BPS is installed. You would then go to /wp-content/plugins/bulletproof-security/admin/htaccess folder.
Thanks to this plugin and your questions/advice I have now given myself a crash course in the deeper aspects of my website. I have found the required files, used filezilla to upload modified access files and successfully put my site in Maitenance mode.(not bad for a beginner) The whole process of looking at your guide very educational.
Fantastic, awesome plug in. Regards.
Excellent!
And yes FileZilla is a great FTP application – the best one I have ever found. 😉 Uploads and downloads are much more stable and consistent and actually a little faster. Thanks for the plugin compliment. 😉
*** Disregard comment – written by scammer or hacker per Ed ***
I installed your BP plugin for WP, and discovered that it is blocking my Simple Facebook Connect logins (the first time only, after authorizing the facebook application), and by trial and error, have figured out the culprit is this snippet of the .htaccess at my website-domain.com/blogfolder/ (my blog is not the top-level) level:
# QUERY STRING EXPLOITS
#RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
#RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
#RewriteCond %{QUERY_STRING} tag\= [NC,OR]
#RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
#RewriteCond %{QUERY_STRING} http\: [NC,OR]
#RewriteCond %{QUERY_STRING} https\: [NC,OR]
#RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
#RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
#RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||’|"|;|\?|\*|=$).* [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
#RewriteRule ^(.*)$ - [F,L]
(I’ve commented it out for now, hence the #’s at the front of each line.)
How do we add some kind of permission to the above for facebook.com?
Thanks!
Well you commented out all the security filters so you actually do not have any security protection for your website right now.
This section of code below in the BPS .htaccess master files allows SFC connections to go through normally by redirecting to the login page after FB verification. Sounds like you have WordPress installed in a subfolder from your comment – “…(my blog is not the top-level)…” so you would need to add your WordPress installation folder name to the section of code below. The example below is showing that WordPress is installed in a subfolder named “blog”.
# SFC Simple Facebook Connect Redirect Fix
# If you have WordPress installed in a subfolder you will need to add the
# subfolder name to the Rewriterule /blog/wp-login.php?action=register [R=301,L]
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^/simple-facebook-connect/ [NC]
RewriteRule ^(.*)$ /blog/wp-login.php?action=register [R=301,L]
Also I have never tested this before, but it would be possible to add this additional RewriteRule to bypass all filters for just SFC, but I don’t think you need to do this unless something has been changed with SFC in the past month.
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^/simple-facebook-connect/ [NC]
RewriteRule ^(.*)$ /blog/wp-login.php?action=register [R=301,L]
RewriteRule . - [S=15]
*** Disregard comment – written by scammer or hacker per Ed ***
by the way, here’s what the simple facebook connect (SFC) author just wrote me:
*** Additional comment combined with this one ***
Hi, thanks for the reply.
I had the first code in my .htaccess, which your plugin must place there by default. (Yes, I had the subfolder for my /blog/ set proper.) I also tried your new code, which I see mimics the style of other breakouts you have in the .htaccess for other plugins. Unfortunately, this did not work either. In either case, I get:
Forbidden
You don't have permission to access /blog/ on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/1.3.42 Server at mydomain.com Port 80
I am using Simple Facebook Connect version 0.22. For some reason, the author still has 0.21 on the wordpress site, but due to several bugs, he came out with 0.22, which he reported to me on the WP forums as the one to use to fix the problems I had. His 0.22 is at http://plugins.svn.wordpress.org/simple-facebook-connect/trunk/
*** Disregard comment – written by scammer or hacker per Ed ***
Ok, I’ve isolated the problem entirely. First, that simple facebook connect section does nothing.
Second, the culprit is:
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
if you change it to remove “select|”, you get:
RewriteCond %{QUERY_STRING} ^.*(request|insert|union|declare|drop).* [NC]
and thus no errors whatsoever.
So, the question then becomes, what is this select variable, and how to insure facebook can get by it if we keep it in there?
That is why i added RewriteCond %{REQUEST_URI} ^/simple-facebook-connect/ [NC] combined with the Query String. If you want to remove the SQL “select” syntax / command then that is fine too. This will leave your site vulnerable to SQL Injection attacks that use “select” in the attack method.
REQUEST_URI = The resource requested is in the HTTP request line. This is basically saying if the request is coming from the SFC plugin folder, which it is and the query string is redirect_to= then send the user to the wp-login page to complete the FB verification and login. It is absolutely necessary.
Thanks,
Ed
*** Update added by Ed ***
The TimThumb Thumbnail images not displaying solution has been added to the BPS guide here >>> http://www.ait-pro.com/aitpro-blog/1166/bulletproof-security-plugin-support/bulletproof-security-plugin-guide-bps-version-45/#bulletproof-security-issues-problems
I’ve just installed Bulletproof, replaced lines for subdirectories, and backed up the master & previous .htaccess files. I activated both bulletproot (security .htaccess) and wp-admin .htaccess, but the latter didn’t show Admin CSS or allow me back to my own WP admin dashboard! Deleted wp-admin .htaccess through FTP, which fixed the Admin dashboard. However, thumbnail images are not showing up on WP in either FF/Chrome, and I cannot use drag-and-drop widgets for my theme. I’m thinking Bulletproof blocks a little too much functionality :(. Can we fix this or should I uninstall & delete the new .htaccess files?
*** From Ed ***
Due to 3 people having BPS installation issues in the last two days I have installed a fresh new installation of BulletProof Security from the WordPress repository. BPS .45.6 installed successfully, all security modes were activated and tested successfully and all functions of BPS worked perfectly.
– Thanks
Ed
Your WordPress installation is in a subfolder named /wpcms/. So you added your subfolder name to all the .htaccess master files. Not sure what you are saying here – “Admin CSS”? Do you have the Ozh Admin menus plugin installed? If so you also need to add your subdirectory folder name throughout the additional fixes for plugins in the secure.htaccess master file. The problems you are mentioning are not typical problems. There is something wrong specifically with your site or with a particular plugin that you are using. When I took a look at your site I see that thumbnail images are not displaying correctly. Activex red X errors. This is a path problem. This is the path i see for thumbnail images /wpcms/wp-content/themes/arras-theme/library/timthumb.php? I don’t think the issue is with Timthumb. The problems you are describing lead me to guess that maybe you made a typo when you added your subdomain name to the master .htaccess files. That would also explain why you could not get back into your dashboard. Your subfolder names should be added like this example below. Remember also to add your subfolder name all throughtout the master .htaccess files where specified in the BPS guide. Let me know if you continue to have problems after double checking your master .htaccess files. Thanks Ed.
# BEGIN WordPress
RewriteEngine On
RewriteBase /wpcms/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wpcms/index.php [L]
# END WordPress
*** Update added by Ed ***
The TimThumb Thumbnail images not displaying solution has been added to the BPS guide here >>> http://www.ait-pro.com/aitpro-blog/1166/bulletproof-security-plugin-support/bulletproof-security-plugin-guide-bps-version-45/#bulletproof-security-issues-problems
Sorry about that, by Admin CSS I was referring to the images, buttons, and fonts used on WP Admin CP.
I double-checked all the master .htaccess files and they list the subfolder correctly in each place. Widget placement still dysfunctional, same with thumbnails. Thumbnails were working just prior to bulletproof install… now trying to view any thumbnail image gives me a 403. Hmm. I will backup the updated Bulletproof .htaccess on my harddrive, deactivate the plugin, delete the .htaccess, and get back to you.
Thanks for such a fast response, I expected having to wait days!
*** Update to Reply ***
Ok now I’m totally stumped. That doesn’t happen too often. 😉
This will take more than a back and forth so let’s do this through email. Please reply via email to the email I am about to send you. Thanks.
Oh ok then that is probably a PHP4 issue. I see that your web host is Network Solutions. They have been using PHP5 since 2008. Your domain dates back to 1999 so it is possible that you are still running PHP4 on your domains. Check the System Info menu tab in BPS for your PHP Version: It should start with a 5 like 5.2.14, if the version starts with 4 then you are running php4. The widget issue is also caused by running php4 instead of php5. Now to resolve this you will have to contact Network Solutions. I looked around for the answer (which Apache directives are needed to force php5 on Network Solutions servers) and could not find it in the NS forums or on a general web search.
FYI- you can leave BPS installed. Having BPS installed does not affect your website at all. Only when you activate security modes is anything changed. And all that is happening is that the master .htaccess files are just being copied to your root and wp-admin folders. Nothing else on your website is changed at all.
Nope, it’s running PHP Version: 5.2.xx
*** Update – This is an issue with TimThumb – apparently this affects all themes that are using TimThumb ***
The TimThumb Thumbnail images not displaying solution has been added to the BPS guide here >>> http://www.ait-pro.com/aitpro-blog/1166/bulletproof-security-plugin-support/bulletproof-security-plugin-guide-bps-version-45/#bulletproof-security-issues-problems
Ok it is not the Arras Theme in itself. Widgets functioned normally in BulletProof Mode. I did not experiment with creating a child theme, but a child theme would not cause the problems you are experiencing so it is not that. I installed the Arras Theme and did not use the Regenerate plugin so my thumbnails are being pulled from where i see on your website that the full path ends with /library/timthumb.php? My thumbnails display correctly – no ActiveX red X’s the pics were displayed correctly. I will eventually test the regenerate thumbnails plugin, but that does not explain or have anything at all to do with why you do not have widget functionality. It is possible that you have a very outdated or corrupt version of BPS. There was a brief period months ago when an older version with bugs was incorrectly made available on the WordPress plugin server. Completely delete BPS and install a new fresh installation to eliminate that possibility and be sure to activate both the root and wp-admin modes again. So at this point I can’t think of anything else that would be causing the problems???
*** Update added by Ed ***
The TimThumb Thumbnail images not displaying solution has been added to the BPS guide here >>> http://www.ait-pro.com/aitpro-blog/1166/bulletproof-security-plugin-support/bulletproof-security-plugin-guide-bps-version-45/#bulletproof-security-issues-problems
*** The Widget issue was a separate issue relating to another conflict – Resolved via email ***
Deactivated plugin, .htaccess replaced. Thumbnails once again work. So does widget config (Appearance>>Widgets). It is most definitely an issue with Bulletproof permissions in secure-htaccess, which is what I had up most recently.
I am using a self-made child theme of Arras (thus it’s in a separate directory), but my overrides do very little. It doesn’t seem relevant to me, but it may help.
There is an issue with Buddy press Facebook connect: /wp-content/plugins/bp-fbconnect
Guess it’s the same as facebook connect issue, any solutions to get it working?
*** Updated Comment ***
BP-FBConnect is no longer an issue and works fine with BPS. Facebook has made a change on their end with the way apps connect using proxymail and other application connection / login coding changes.
Ok thanks. I’ll check it out in the next couple of days.
Still working on this one. The plugin code is giving me a headache. There are a couple of functions that I am really unhappy about that are handing off to javascript so I’m putting this one on the back burner for now.
*** Update added by Ed ***
The TimThumb Thumbnail images not displaying solution has been added to the BPS guide here >>> http://www.ait-pro.com/aitpro-blog/1166/bulletproof-security-plugin-support/bulletproof-security-plugin-guide-bps-version-45/#bulletproof-security-issues-problems
Hi
I don’t have a tech background and so this may be case of ignorance but I installed your plug-in and it worked fine using Chrome – BUT when I viewed it in FF, the front-page of my blog, and only this page – which has a few image sliders, had double links everywhere and showed no images where those double links now were …
Any suggestions?
Regards – MRP | the candy trail … a nomad across the planet, since 1988
Hi,
Sorry to get back to you so late. Had to deal with a real nasty computer virus for a friend – wicked bootkit that nearly had me throw in the towel and just wipe his hard drive, but I salvaged it. I will be adding that adventurous tale soon. 😉 BPS does not affect stylesheets differently across different browsers so my hunch is you have another plugin that acts differently in different browsers and for whatever reason BPS and that plugin are not playing nice with each other. I checked out your website and you are using the Mystique Theme, which I have installed and customized for other people with BPS installed so it is not a BPS and Mystique Theme issue. There is another part of the equation that is not included here. I will be sending you an email. Reply back to that email with a list of all of your plugins so I can see what might be causing the conflict.
Thanks,
Ed
Hi,
I just tried Version .45.6.
There were a number of things I wanted to retain from my existing .htaccess file, so I edited the plugin-provided secure.htaccess file. However, when I saved the edits, everything of your pre-existing text lost line breaks. The part that I had pasted into the file did not.
I was simply using Notepad in Windows as I always have when editing .htaccess files.
I could have attempted a workaround, but I thought it better to simply bring it to your attention to see what you might be able to tell me about it first. I think a workaround would be a large, extra step I’d just a soon avoid if possible.
By the way, I was looking for an email subscription link for this post’s thread so I could be notified of your reply. I’ll do an rss post-comment subscription, but won’t be offended if you send me a personal email just to let me know there’s been a specific reply.
Thanks, and peace to you,
Tom
Hi,
I was just thinking about that formatting issue you are describing 2 days ago. This happened to me as well once when I copied some text from a Word document to the .htaccess (I see you were using Notepad) file – the formatting of the text was pasted into the .htaccess file making it unusable. Eventually the plugin will allow you to do all edits from within the WP Dashboard so this will no longer be an issue in the future. For now as a workaround use WordPad to open the master .htaccess files to edit them and when you paste your text be sure to click on the Edit Menu, click Paste Special and then choose unformatted text.
Yeah sorry about the subscription feature not being available. It is on my list of things to add to AITpro. So many nick nacks – so little time. 😉
Thanks,
Ed
Thank you, Ed, for a quick and thorough reply. I shall give it another whirl.
I’m quite comfortable with Paste Special. I do it very often in Word.
I just changed the file association (HTACCESS — Windows does the all-caps with no UNIX dot) to WordPad too. I had done that once before, but evidently something stepped on it.
If I run into more difficulty, I’ll let you know.
Thanks for being interactive with your users.
Hello, thanks for your answer. Does BulletProof work properly with the WP Super Cache plugin?
Yes. BulletProof Security has been tested with WP Super Cache and there are no conflicts or problems between the 2 plugins. BPS has also been tested with WP Cache and W3 Total Cache and no conflicts or problems exist between these plugins.
Thanks,
Ed
Hi, if possible, please tell me which plugins BulletProof has conflicts or problems with?
Because two months ago when I installed this plugin, I had much problems: my blog was loaded with a blank page.
I just crated my other blog and now I need to know about it.
Hi,
At this time BulletProof Security has no known conflicts with any other plugins. 2 months ago 4 other plugins required workarounds so that both BPS and the plugin in conflict would work together without any problems. I have never heard from anyone else before that a blank page was loading. If you mean a 500 error page then the Apache directives that are being used in the htaccess master files are incorrect. This is an Apache server not an IIS server correct?
Thanks,
Ed
*** Email question sent to AITpro ***
I have an installation of the Bullet proof security plugin on the above website which is a blog. I have another blog that I am currently developing that I would like to install the plugin on. Do I just install it like any other plugin or do I have to do something special. The second blog is a sub domain of my original. thanks for the help.
Paul Palumbo
I’ll use my websites as an example since what you are asking about is what I am doing with my sites.
I have WordPress intstalled in my root folder – this is for my main site http://www.ait-pro.com
I have WordPress installed in a folder called /aitpro-blog – this is for the AITpro Blog site – http://www.ait-pro.com/aitpro-blog
Now when you say subdomain is it a true subdomain set up in your Web hosting account or is it just a subfolder? This can also be considered a subdomain.
Each separate WordPress installation is considered a separate website. If you are using WPMU you can link them all together to share the same resources otherwise each WordPress installation has its own individual SQL Database making each site completely separate.
So to answer your question – for each installation of WordPress you need a separate installation of BPS just the same as any other WP plugins. Once you have installed BPS on the new site go to the Help & FAQ menu tab and click on this help link to see examples of how to setup a WordPress subfolder website / installation >>> Modifying BPS .htaccess Files for WordPress Subfolders
Thanks,
Ed
[…] Version .45.3 | By Edward Alexander | Visit plugin site […]
I installed and activated the Bulletproof Security plugin on my site, this morning. It appeared to be working great. However, I have the Simple Facebook Connect series of plugins installed that allows people to login to my site using their FB credentials. When the Bulletproof Security plugin was activated, it prevented me from logging in using the FB connect. I’m assuming this is because public access is prevented from accessing the WP login file(s). In any case, once I went back to the default mode, I was able to login once again using FB Connect. Could you please check into this for me as I really like your plugin, but I want people to be able to login using FB connect as well. Thanks in advance.
Hi Michael,
I installed Simple Facebook Connect and it is quite impressive. I will definitely be looking into this plugin in more depth in the future. Right now I am in scramble mode to get a new project launched. I took a quick look at the FBC plugin and I see some code that may be pissing BPS off. LOL
This solution has worked for the Ozh Admin Menus plugin and for PayPal IPN conflicts. Just copy the default.htaccess master file from the /plugins/bulletproof-security/admin/htaccess folder to the /plugins/simple-facebook-connect folder and rename it to just .htaccess – removing the default name in front of .htacess. It looks the Facebook Platform PHP5 client code is what the BulletProof filters are blocking. /simple-facebook-connect/facebook-platform/facebook.php. Anyway the solution above should work for you. Let me know if this works. If it doesn’t then I will need to look deeper into the FBC plugin code to see what exactly is going on.
Thanks,
Ed
DEAD LINK – Link removed
I tried what you suggested, and no luck. I keep getting a 403 error message that reads “You don’t have permission to access /wp-login.php on this server.” I’m sure that a line probably should get added stating to allow FB connect, but I’m not a programmer. One other thing that I noticed is that the SFC folder did not have an .htaccess file (none existed when I added the default.htaccess file as you suggested). Don’t know if this makes any difference. When you get an opportunity, please check this out as I’d really like to use your plugin. I’ll check back periodically for a response. Thanks for your suggestion and help.
Hi Michael,
Yep most likely a RewriteCond will need to be added to the master .htaccess file then. I’ll have the answer for you tomorrow. I’m on the final push day to get my new Flash MSS movie officially launched. 🙂 I’ll update this comment tomorrow with the solution.
Thanks,
Ed
*** The permanent fix for this SFC redirect issue was implemented in BPS .45.5 ***
Hello,
I installed BPS .45.2 for the first time today. It has a very nice interface and helped me a lot with file & folder permissions. But I discovered a bug : If BulletProof Mode is enabled for “Root Folder .htaccess”, then all searches containing accents are blocked. For example, if I search my blog for the word “poète” :
http://www.mysite.com/?s=poète
http://www.mysite.com/?s=po%C3%A8te
then I see my home page, instead of the results. As soon as I return to Default Mode, searches with accents work again. Please correct this issue : we are not in the ASCII age anymore !
Hello,
This is not a bug. The Query filter blocks the Unicode translation of the accent character. If you want the accent character Unicode translation to be allowed and not filtered on your website then just add a pound sign (#) in front of this code line in the secure.htaccess file, which will comment out this one particular security filter. The accent character is translated to %C3%A8.
# RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]It’s not really an ASCII issue. It’s actually a Unicode character translation of the accent character. Unicode is a standard that allows you to write in virtually any language in the world, no matter what alphabet that language uses. UTF-8 (8-bit Unicode Transformation Format) is a variable-length character encoding for Unicode. Like UTF-16 and UTF-32, UTF-8 can represent every character in the Unicode character set, but unlike them it has the special property of being backwards-compatible with ASCII. The first 128 characters of the Unicode character set (which correspond directly to the ASCII) use a single octet with the same binary value as in ASCII.
Thanks,
Ed
Thank you very much ! Your solution worked like a charm.
I will always be using your plug-in from now on 🙂
Hello Ed,
Love the plugin – it’s an excellent addition that I always install first-off when I take over operation of a WP site.
I’m currently working on implementing an E-Commerce solution for a client, however BulletProof security mode seems to be blocking Instant Payment Notifications (IPNs) from Paypal. I’d assume this is because of how the paypal IPN is formatted – it probably looks different from most requests.
Is there a way to modify my .htaccess file to allow such things ONLY from paypal?
Thanks!
Hi Travis,
Yes I believe you are absolulely right about the IPN message and response format being blocked by BulletProof. I have not looked at the general IPN Listener script, but logic would tell me that messages and responses would be sent to and from the IPN Listener script for processing. Yes you can add rules to the htaccess files to allow certain files not to be filtered by BPS. Also a very simple workaround would be if the IPN listener script is located in a particular folder (and not in the root folder or root folder of /wp-admin) then you could just copy the default.htaccess master file to that particular folder and rename it to just .htaccess. I would need more specific details to provide you with a rule to add to your master .htaccess files, but try the simple workaround first if you can. It would only work if the IPN script is located in a separate folder so this may not work for you depending on how IPN is currently set up on this site.
Update after Looking at the general IPN script
If you create a folder called /IPN off the root folder. Using the example that PayPal provides:
The following listener sends email to the address specified in the ipn_email variable, as in https://your_host/IPN/live_ipn_mail.php?ipn_email=email_address. You can use this listener as a starting point for your own listener; rather than send email, your listener could take action based on the type of transaction.
The string PayPal shows in their IPN example script:
$email = $_GET[‘ipn_email’];
Looking at the “Setting Up IPN Notifications on PayPal” help it states that you set the URL on the PayPal site so I don’t see any reason why this would not work for you because you are telling PayPal to look explicitly in the IPN folder for the IPN script. And the default.htaccess file that you copied to IPN folder and renamed to just .htaccess is explicit to just the IPN folder – no filters are included in the default.htaccess file. As far as security goes I do not see any security problems or vulnerabilities that could be exploited in the IPN script.
And you can just delete this unneeded portion of code from the .htaccess file that you copied to the IPN folder:
Thanks,
Ed
[…] Bulletproof Security – I recently posted about this one – WordPress Security Plugin to Keep Hackers Out! […]
Hi Ed,
Are there any known issues with Chrome displaying the settings page properly? I have no tabs — everything is lined up down one page but cut off in System Information and no way to display Backup & Restore, Maintenance Mode, Help & FAQ and BPS Pro Modules. I haven’t noticed problems with other plugins but admittedly, I run a fairly vanilla site.
Thank you!
Regards,
Rebecca
Hi Rebecca,
I’m not sure if you are aware of this or not, but your website is currently hacked. Maybe that is why you decided to install BulletProof Security? Anyway you will need to reclaim and repair your website first. BulletProof Security protects your website from being hacked, but if your website is already hacked then there is nothing that BPS can do for you after your website has already been hacked. Except of course allow you to put your website in Maintenance mode while you repair the damage. This effectively blocks everyone except you from accessing your website while you are repairing or restoring your website from backup. The most important people to block are of course the hackers (auto bots, etc) themselves. Since your website has been hacked and contains malicious code that could do harm to someone else I cannot allow the link back to your website to be posted here because other people may pick up the Trojan virus or other malicious code that is currently on your website. Once you have reclaimed / repaired your website from the hackers then let me know and I will make your URL link active again.
Ok now to your question:
BulletProof works / displays normally in all the browsers (IE, FF, Safari, Chrome, Opera, etc). What you are describing sounds like a PHP4 problem. You should be able to confirm this by looking at the version of PHP that is displayed under what you can see of BPS System Information > PHP Info > PHP Version. Your web host is BlueHost and from the latest info on your web host it looks like they have phased out the PHP4 option and are only allowing the PHP5 option. You should check into this with BlueHost once you have take care of the virus / hack on your website. The hack on your website contains code that is redirecting your website so this may have something to do with the PHP problem.
The .htaccess Apache Directive that is used on BlueHost is >>> AddHandler application/x-httpd-php5 .php
If you go to the BPS .45.1 Guide page at the very top you will see info about how to make BPS work with PHP4 and new master .htaccess files that you can download that now contain all the various Apache Directives that allow you to force PHP5 to used instead of PHP4 when processing PHP scripts.
This info below is copied from a BlueHost help page. I don’t think you need to do anything with PHP.ini to force PHP5 so you can disregard that info.
“To use specific php settings only for a particular addon domain you will need to place a php.ini file in the addon domain’s folder.
If you need to generate a new php.ini file, this can be done in the cpanel by clicking on the icon “PHP Config” and then clicking “install php.ini master file”. This will copy the server’s master php.ini to your public_html directory as “php.ini.default”. This file must then be moved to the addon’s folder and renamed to php.ini.
If you are using the ‘single php.ini’ option in the cpanel’s “PHP Config” section, you will need to create a .htaccess file in the addon’s folder. In the addon’s .htaccess file it needs to contain a regular php handler:
AddHandler application/x-httpd-php5 .php”
Thanks,
Ed
Email reply from Rebecca:
Hi Ed,
I do apologize! You were absolutely correct about PHP. I didn’t even think to check the version because I knew Bluehost was running PHP5. Apparently what happened was that when my hosting services were set up years ago, PHP4 was the default and it wasn’t upgraded when Bluehost upgraded to PHP5. I spoke with Bluehost and have upgraded PHP so the plugin is working correctly now.
In regard to my blog being hacked, would you kindly point me to something you see indicating that it’s been hacked? It was hacked last week but has since been reclaimed (a few days ago). Your comment was a cause of great concern so I spoke to BlueHost and they can find nothing indicating that it’s still hacked. If you see something, it would be a huge help to know what it is so I can make sure that it’s fixed and also let Bluehost know so they can check other blogs. To be clear: I’m not asking you to fix anything.
Thank you for your help with the plugin and for whatever help you may be able to provide in tracking down the issue you saw on my site.
Regards,
Rebecca
Hi Rebecca,
Ok I am no longer getting a warning message when visiting your website, but when I look at your source code of your website pages I see a link to another website at the very bottom of all of your pages / posts. It’s wrapped in a script tag so it’s obviously malicious code.
This site has been blocked because it contains malicious script.
Whatever you do not execute the link code by clicking on the full link which contains a /js2.php file name after the link above.
Since this link is showing up on all your pages it must be in your Theme’s footer.php file. Open you footer.php file and delete this link.
I see 2 other problems. You have almost 6,000 blank code lines before your header starts. Open your Theme’s header.php file and remove any blank spaces before this first line of code.
Your top navigation links do not work. When I click on those links nothing happens. Your sidebar category links are working normally.
Thanks,
Ed
Update – The URL link to your website has been added back to your comment
Hi all, i have several problem with the new version of the plugin, first it a locked all my widgets, i a production website.
Second the plugin its ok rewrite the htacces for security reason but for this reason i have several bloqued request from php archives in the web. Please launch a new version but if it work correctly. You need several test for launch the plugin around the world.
Raul Fenossi
Hi Raul,
The old version of BPS did have an issue with blocking widget configuration. Also there was a 3 hour period when I first released version .45.1 that did have this problem. So you may have this older version of .45.1 installed. Deactivate and uninstall BPS and reinstall the newest released version. The newest version of .45.1 does not have this problem. You just need to activate a new /wp-admin .45.1 .htaccess file, which will replace the older BPS /wp-admin .htaccess file and this will fix that issue.
This info applies to people who installed BPS .45.1 prior to 7-25-2010, people who are running PHP4 instead of PHP5 on their web hosts (1&1 web hosting) or anyone else who is experiencing these problems. If you are unable to perform Widget Configurations or delete plugins including BPS or the Status window displays NULL instead of the correct activated BPS .htaccess files then please see the BPS .45.1 guide for the solution.
The second issue sounds like you just need to customize BPS to match the customizations you have done to your website with blocking requests from php archives. If you would like assistance with adding your specific website customizations and conditions then I will need the specific details of your website customizations. You can either email your specifics to AITpro or post them to this same question post.
As a general standard rule when designing, writing and creating software you design software to work with the most common typical setup and configuration. BPS is designed to work with the most common WordPress setup and configuration for that reason. For people with advanced or additional rules and conditions they would just need to add those additional customizations to the BPS master files or if need be then modify the core coding of BPS itself to work specifically with your particular website customizations.
Thanks,
Ed
How to change Admin user id
I noticed a warning and suggestion that I change my Administration userid to something other than ‘Admin’, however when I go to do that on my blog’s control panel I still am not able to change it. Is there some way that BulletProof security allows this?
Hi Vicki,
The simplest way to do this is to just create a new administrator account under the WP Users panel > Add New. Make sure that when you create your new unique administrator account name you give this new Administrator account Administrator rights. This is called Role in WP and the setting is located right above the Add User button at the bottom of the Add New User page.
Then log out of your WP Dashboard, log back in with the new Administrator account you just created and then delete the WP default “admin” administrator account.
Thanks,
Ed
Hi, just letting you know that the .htaccess file for wp-admin doesn’t require the WordPress specific re-write rules nor does it require the wp-config.php file protection rule. In fact, having
# BEGIN WordPress RewriteEngine On RewriteBase / RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] # END WordPressin the wp-admin .htaccess file prevents plugins from installing.
Something else you might add to all .htaccess files is a rule to prevent directory browsing e.g
Options All -Indexes
Wow! Awesome dude! I had just assumed the issue with uninstalling plugins had to do with the Query String Filter code used to block XSS and SQL attacks. I tested it out and you are exactly right. This also took care of the Widget configuration issue for the same reason. I can’t thank you enough for pointing out something I should have already figured out. You earned a spot on the Contributors page for this massive contribution – Absolutely huge! I never even thought to eliminate the index.php RewriteRule, but now that you mention it, it makes no sense having this .htaccess code for the /wp-admin folder. I tested out Options -Indexes a while back and ruled it out for some reason or another, but I’ll take another look at that now. I think it was because the folders were already unindexable or something like that. Also I did the original .44 coding so both the root and /wp-admin activations were using the same .htaccess master file – kind of screwed myself there didn’t I? LOL . That is changing right now. There was a problem with .45.1 going out tonight and I could not be happier about that now. Gives me time to make these modifications. 🙂
Yup just checked and now I remember why I ruled out Options -Indexes. 2 reasons – most if not all web hosts already have directory listing blocked and the other reason was that I felt like people would get spooked if they thought this would affect indexing by search engines. 😉 Anyway once again thanks for pointing out my /wp-admin .htaccess file coding mistake.
Thank You!
Ed
Pingback on “BulletProof Security WordPress Plugin Support”
[…] for your website A few minor modifications to the files is all that is needed – visit the BulletProof Website Security Support page for more […]
Hi I was able to get someone at GoDaddy to teach me how to delete your plug-in’s site from my hosting panel area so I could get my site to come back up thankfully – not sure what that was about. Pretty scary when your site goes away from a plug-in & it says it won’t be up again for maintenance for the next 147 days – yikes! You should look into why your plug in is possibly doing that once installed. Thanks –
Hi,
Glad you got this figured out. I am in the process of creating / writing a jQuery tabbed Administration options panel, which should hopefully help to prevent someone from accidentally enabling / activating the Maintenance Security mode in the future. The BulletProof Security Options settings page is very cluttered visually right now. I’ll probably include pop up warning messages too. ie “Are you sure you want to put your website in maintenance mode…”. 😉 Also I double checked to make sure there was nothing I missed with WordPress 3.0 compatibility – uninstalled and reinstalled BulletProof Security from the WordPress repository – activated it – enabled all modes – everything worked as it is designed to work for me. One thing I did notice is that when you are trying to completely delete the BulletProof Security plugin you need to set your website security modes back to default .htaccess security mode before you can completely delete the BulletProof plugin. Hmm interesting dilemma. I’ll have to think about the best way to code this for everyone universally covering all the different possible scenarios that could possibly occur.
Thanks,
Ed
PS If you don’t plan on using the BulletProof Security plugin for your website then make sure that you add your own custom .htaccess security file manually for your website. As a standard security measure all websites should have an .htaccess file that protects your website from hackers. The main purpose that BulletProof serves is .htaccess mode switching because the .htaccess code that blocks hackers also blocks some administrator functions for you. So instead of having to manually swap these files you can do this with one click within the Dashboard itself. Or you can always just take your chances and not add security to your website and maybe you will get lucky and never run into a problem with having your website hacked. Personally I don’t like taking unnecessary risks. 😉
OMG Please help me! My business coach told me to install this bulletproof plug to my wordpress site & I did, and now it took my entire site down! And the backend of my wordpress site looks entirely different & won’t allow me to deactivate your plug in at all to go back to the way my site was –
When go to my web address now all there is is this message in a grey box!!!! WHAT THE HECK HAPPENED?? PLEASE REPLY ASAP SO WE CAN GET your plu in off there & get the site back up & running –
youandimprovedcoaching.com
Is temporarily closed for maintenance.
Normal operation will resume as soon as possible.
Please try again later.
Site will reopen in 147 days
Hi,
Sorry you ran into a problem. Looks like you activated Maintenance mode accidentally. If you didn’t add your IP address to the maintenance.htaccess file first before activating Maintenance mode then you will also see the “…temporarily under maintenance…” message / page like anyone else who visits your website. For anyone else who does this accidentally all you have to do is FTP to your website download the .htaccess file that is currently in your website’s root folder, add your IP address to it, upload that .htaccess file back to your website root folder and you will be able to log back into your site to switch out of maintenance mode.
Thanks,
Ed
Have a coffee on me – excellent service!
Thank you very much.
Hi Dean,
Thank you very much for contributing to the BulletProof project. Please send us your business or personal logos, screenshots, URL’s and any content that you want added / posted on the BulletProof Contributors page and we will add you ASAP.
Thanks again for your generosity!
Ed
Your answer was so good I rated myself .. doh.
The address was without the www. if that makes any difference.
I don’t normally seem to do things the “typical” way lol
You are correct with your first guess I think. I created a subdomain before uploading WP to it. So both addresses are http://www.blog.domain.com.
http://blog.truckdriverdevotions.com (URL link changed by Ed – it is ok to add your actual URL’s in questions posted here) in the settings.
Thanks,
Dean.
Ok then BulletProof Security should just work with the default .htaccess settings so you should not have to change anything. The logic for this is your RewriteBase is a backslash / , which just means the root of your domain name and folder name. So when the .htaccess files are copied to your root and /wp-admin folders the RewriteBase will be the root of those folders and the RewriteRule will be your index.php files in those folders. Since you are not doing anything “fancy” with DNS then everything should work fine without having to modify any of the .htaccess files. I will update my FAQ page with this info for anyone who has this similar issue in the future.
WHOOPS just noticed you have both www and blog prefixes. You only need one of them. A www prefix or in your case the blog prefix should not make a difference. Now when you change you URL’s under Settings > General, you will then need to go to your Permalinks options page and click the Save Changes button. No need to change anything or choose anything on that page just click Save changes. Then you can just Deativate and Uninstall BulletProof Security and then reinstall and activate it again. Then of course enable any security modes you want. ALWAYS test first by opening 2 browser windows and – 1 window to enable the security modes and the other to test to make sure everything is working correctly. Everything should work fine without having to edit any of the .htaccess files once you have
Oh by the way it’s ok to plug your website with a link. I’ll edit your link to to show your actual website URL instead of the generic URL you added as an example. 😉
Voting is a good thing!!! Vote on everything! It’s more of a gimmick thing, but search engines actually keep track of voting and rating and give you more brownie points for voting and rating so vote for everything and anything you see. LOL 😉
Thanks,
Ed
Not sure what the exact path is that you require – you can get me on skype perhaps? wotcop.
Thanks,
Dean.
Hi Dean,
I see you have several domains, but this one appears to be the one with the problem >>> blog.truckdriverdevotions.com. I am getting 404 errors when I click on any of your links. I’m wondering if you just simply added blog.truckdriverdevotions.com as your Blog address (URL). What are your WordPress address (URL) & Blog address (URL) settings under General Settings in WordPress? If you haven’t done anything with DNS then your RewriteBase is not /blog/ , it would still be just / because WordPress may be installed in a folder with that full path name blog.yourdomain.com to your WordPress blog installation possibly? Just noticed that your base / root website is an HTML website. The typical simple WP installation is in a sub folder so the path would have /blog at the end of the path. Now if you set up DNS on your host and are using wildcard DNS records then you have a totally different set up. I can’t tell without looking at your CP.
Your particular scenario is different than any of the scenarios I have on my help pages so that is why you didn’t find any examples.
These are different possibilities that will vary depending on how DNS is set up on your host. First off the typical default WordPress .htaccess file looks like this:
# BEGIN WordPress RewriteEngine On RewriteBase / RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] # END WordPressWith sub domains (sub folders are also considered sub domains but in a different sense)
So to make it really confusing blog.yourdomain.com and youdomain.com/blog could be the same thing or not depending on what you are doing with DNS. LOL
Before I start going to deep let me know what you have in your General Settings as your WordPress URL and if you have DNS set up for this sub domain.
This is just an example for a subdomain redirect DON’T try this, just throwing it out there. You’ll notice that HTTP_HOST comes into play.
#This is a typical HTTP_HOST subdomain redirect
RewriteCond %{HTTP_HOST} !^subdomain\.domain\.com RewriteRule (.*) http://subdomain.domain.com/$1 [L,R=301]Oh – dagnabbit… Forgot to pass on massive kudos for your clever idea of bringing highly needed SIMPLE security via htaccess to WP installs… Goodness knows there’s millions of WP sites out there that should be using it.
Look forward also to the promised “copy of existing htaccess info” feature in a future release, as I (almost) borked my existing htaccess… Good thing I instinctively made a copy before activating the plugin.
Hi, FYI: BulletProof Security WP Plugin breaks Ozh’ Admin Drop Down Menu…
http://wordpress.org/extend/plugins/ozh-admin-drop-down-menu/
Makes sense if one thinks about it, but it’s a bit of a bummer if you (like me) believe that working with the standard WP admin interface is like being forced to walk on shoes with thumbtacks on the inside of one’s soles. 😉
Hi Alvaro,
Thanks for the heads up. I’ll install Ozh’ and see what is going on. I did not test BP with Ozh’. I have not had the time to work on seeing if I can somehow allow certain admin functions while still maintaining the high level of security. It is a bit of a nuisance for right now. Sorry about that. If it is possible I will code it. 😉
Thanks for the Kudos! Yep BulletProof needs some additional work. We pushed it out a little faster than we wanted too. The core coding is solid, but we probably should have waited until we added a Restore feature. Sigh. I should have a new release in about a week. It will include the htaccess Default Restore feature. Glad you didn’t wipe out your existing htaccess files. 😉
UPDATE
The solution to fix this is really simple and easy.
FTP to your website, download the BPS default.htaccess file from the
/wp-content/plugins/bulletproof-security/htaccess folder, then upload the
default.htaccess master file to the /plugins/ozh-admin-drop-down-menu/ folder
and rename default.htaccess to just .htaccess.
Thanks,
Ed
Hi,
I installed BP on a root blog and it works great. So I thought I’d attempt it on a sub domain and after following all your instructions as best as I could, I get a 500 Internal Server Error error when using any of the links.
Lost??
Thanks,
Dean.
Hi Dean,
For now FTP to your website and delete the .htaccess files in your WordPress installation root folder and /wp-admin folder. This will get your website back up. Then please update your comment with the exact path to your WordPress installation subfolder and I will update my comment with exact instructions for you.
Thanks,
Ed
Thanks for your generosity.
This is a great plug in for helping with my wordpress security. Because it is point and click even I can manage it!
Our pleasure. 😉 Glad you like it! It’s a huge time saver for us so we thought we should share it with the WordPress community. Plus we like sleeping at night knowing that no hacker elves are shredding websites we just built. LOL It happened once before. Hence the origin of the BulletProof Security plugin. 😉
Thank you for your positive feedback Dean. Very much appreciated!
PS We were in a hurry to get the plugin out to everyone so it is not as pretty as it could be, but it is rock solid coding and plenty of help files are included to avoid any confusion. Future releases will be “prettier” and include additional features.
PPS Checked out your site. Very interesting articles! Nice work.
Thanks again,
Ed
Hi Ed,
Speaking of Beta testing. Did you say that you were going to add a default restore button to restore the users .htaccess files? I don’t see it so I’m guessing you it’s not in version .44.? Thank you.
— Shaz
Hi Shaz,
Got pulled into another coding project so I decided to hold off on adding the additional convenience features & functions until the next version release of BulletProof. I’m sure I’ll here some griping about that, but since the core plugin is solid I think I will be forgiven for the delay in adding that convenience feature.
Thanks for volunteering as a Beta Tester! 😉
Ed
Hey Ed i’m getting this error under the File and Folder permission checker:
Thanks
Stan
Hi Stan,
That was a minor bug in the BulletProof Security Beta version release. It was caused by a conflict with another plugin using the same function name by coincidence. The function has been renamed. Just download and install the final release of BulletProof Security .44.
Thanks for volunteering as a Beta Tester! 😉
Ed
Just testing comment threading / nesting.