
BulletProof Security Comments, Questions, Problems & Wishlist

947 Comments | Author: AITpro Admin
Published: April 27, 2010
Updated: November 9, 2012


Categories: BulletProof Security Plugin Support

947 Comments to “BulletProof Security Comments, Questions, Problems & Wishlist”


  1. Rich says:

    Love this plugin. Thanks for making a FREE version.

    I installed the FREE version and I think I missed something along the way.

    Now, when I try to access my wp-admin folder, I get a 404 error.

    Did I do something wrong? How do I access my admin dashboard now that BPS is running?

    Thanks,

    Rich

    • AITpro Admin says:

      FTP or use your Control Panel and delete the .htaccess file in your wp-admin folder and delete the .htaccess file in your root folder. Log back into your site and make sure you use AutoMagic and then Activate all BulletProof Modes. If you are attempting to use password protection on your wp-admin folder then read all the help information before attempting to do this. I do not recommend adding BasicAuth protection on the wp-admin folder. It is a silly thing and a waste of time.

  2. jeff says:

    I was looking for extra security and had 6scan and they were just looking for money before proving what they would do for me and then I found yours and it certainly seems better… BUT… When I went to delete theirs (after installing yours and doing the htaccess backups etc) I went to delete the other plugin and it gave me a 404 error. I finally had to FTP into my site to delete their plugin.. I was thinking that it was their plugin and it was buggy.

    Well I just went to delete an inactive plugin and I got the same 404 error. Now I’m going to deactivate your plugin and see what happens. Also, I’d like to know: if I uninstall yours, does it put my system (including my htaccess) back to original condition? Or do I have to dig out my back up copy to find my htaccess before you made changes to it…

    I just don’t want to spend all day fixing my site if I rip the guts out… by simply uninstalling your plugin… Just because I need extra security, it does not mean I want the extra work of rebuilding my site if I uninstall the plugin…

    • AITpro Admin says:

      BPS is very simple to work with.

      Go to Backup and Restore – Do a backup of your .htaccess files first.

      Go to Security Modes.
      Put your site in Default Mode in the Security Modes page.
      Delete the wp-admin file in the Security Modes page.
      Your site is now in a Default WordPress state and BPS is not a factor in the equation any more.

      After testing is complete go back to Backup and Restore and restore your .htaccess files.

      If you are planning on deleting BPS then just deactivate and delete at this point instead of restoring the BPS .htaccess files

  3. Shawn says:

    Hi, I just installed BPS Free and I had some questions about the file permissions section.

    First, being an inexperienced user, should I just leave permissions alone or are they important to change? If they are important, below are my questions.

    1. It says to change permissions for .htaccess. I can’t find this file in my file manager anymore except for the ones in the BPS plugin folders. Does BPS hide these files and if so how then can I change the permissions? Also, is it just the one in the root directory that needs to be changed, or all of them?

    2. I previously moved the wp-config.php file to the home directory. BPS says that current permissions are 0 and I should change to 400. In my file manager though it says permissions are 0755. Should I do anything with this or just leave the file where it is and permissions as they are?

    3. Index.php – There are a lot of these files. Do I need to find each one and change permissions for all?

    4. root folder – This is just the public_html directory right?

    5. Below is a link to a thread I started on the WordPress support forum. I just had a couple other initial questions that I listed there. I wasn’t sure if that was the correct place to post, so here is the link:

    http://wordpress.org/support/topic/bulletproof-security-new-installation

    Hope that wasn’t too much…

    Thank you!

    • AITpro Admin says:

      Yep File permissions are important and on the Security Status page you will see – File and Folder Permissions – CGI or DSO Read Me help button that explains file permissions in some detail.

      1. Nope the .htaccess files should not be hidden. You should have an .htaccess file in your website root folder and one in your /wp-admin folder. If your SAPI is CGI then change the root .htaccess file permission to 404. If you have DSO then you can only use 644 as the most restrictive file permission allowed. You would change your file permissions using FTP or your CP File Manager.

      2. 0 file permissions just means NULL because BPS is only looking in your website root folder for this file. Since you have moved it up to your Home directory BPS does not see it. You should change the file permission to 400 if your SAPI is CGI. 755 would typically be a folder permission and not a file permission.

      3. Nope just change the Root index.php to 400 permissions if your SAPI is CGI.

      4. /public_html/ would be your Document Root folder and could also be your website root folder if your website is installed in the Root folder and not a subfolder below the root.

      5. Yep answered those already. 😉

      • Shawn says:

        1. Should I move wp-config back to where it was then if BPS isn’t seeing it? Is it still protected by what BPS does where it is?

        2. The .htaccess files are visible when I use ftp but not when I am using my cpanel file manager. Can you foresee this causing issues or should I just change the permissions via ftp and not worry about it?

        3. Regarding where the root folder is I notice public_html and then there is another simply titled “www” that seem to be identical. As far as I can tell if I make a change to public_html the www folder automatically reflects those changes. Should I just change permissions on public_html and not worry about the other or do you think it would be wise to contact my hosting provider and ask them?

        Thanks again!

        • Shawn says:

          Hi, I cleared #2 and 3 above up with my hosting provider. I’m still curious if the wp-config file is in the wrong place though whenever you get a chance.

          Thanks

          shawn

          • Shawn says:

            and just one more quick thing…

            I was able to change all file permissions to the recommended except for the root folder to 705. This breaks the site entirely and only shows a 403 error page.

            At this point I think I’ll just leave it at 755 unless it is a major security hole or really easy to fix.

            so that and the question about the wp-config file placement and I think that should be it…I hope 😉

          • AITpro Admin says:

            Well if you can’t set the folder permissions stricter than 755 you really don’t have a choice. If you were trying to change the /public_html folder permissions that is usually not allowed by the Host Server.

            Moving the wp-config.php file to a higher protected server folder is fine. I don’t do this personally, but I think it is a good security practice to use.

  4. Nick says:

    Hi, I’m currently using wp super cache (using PHP) and keep getting the “WP Super Cache is activated, but either you are not using WPSC mod_rewrite to serve cache files or the WPSC .htaccess code was NOT found in your root .htaccess file” even though I have added # WPSuperCache to my root htaccess file? What am I doing wrong?

    P.s. I’m a newbie at this!

    Thanks.

    • AITpro Admin says:

      Make sure the root .htaccess file is not locked when you are adding # WPSuperCache to your root .htaccess file. You may also need to refresh your browser to make the error message go away.

      • Nick says:

        I’ve done as you said but the error message still appears, even several. Does it matter where exactly I put the # WPSuperCache?

  5. Hi, I am being irritated by people trying to gain access to my site via the wp admin page using the account “admin” (which doesn’t exist anyway). I thought this plug in stopped that? Any idea how I can remove the ability for someone to try and use Admin to gain entry?

    • AITpro Admin says:

      No BPS does not do anything like that, but there might already be plugins that do something like that. I guess you could add code to your login script that did something like “if admin is entered for the username then do this or do nothing”. If the username “admin” does not exist anyway then the cracker is wasting his / her / Bot time trying to crack a user account that does not exist.

  6. msmani says:

    I am working on a website which has buddypress forum. In that while replying to a forum topic it redirects to a page which ends like /?#post-21. It results in a forbidden page error, without BPS it’s working fine. How do I overcome this?

    Thanks for help.

  7. Karen says:

    Hi, thanks for this great plugin. I have just moved to innohosting & since migrating I need to add a custom code for the php ini file, however BPS is not saving it in the “custom code” area (also, in case you need it, our php ini code is – suPHP_configPath /home/XXXXXX/php.ini – but I’m not sure if this is for all innohosting users or just for us because of the migration etc). I’ve had to manually re-insert it after creating & activating the BPS .htaccess files in order to get the site working again, however that has resulted in a number of warnings in red within BPS security status, however at least the site is working / accessible now.

    Other information:
    We are using the latest BPS version – .46.9, and latest WordPress 3.3.1
    My WordPress installation type is: standard wordpress single type
    My Server is using CGI
    My WordPress installation / site is installed in the root folder
    I have used AutoMagic to create my master .htaccess files
    I have activated all BulletProof modes

    Thanks, and hope this feedback helps.
    Regards Karen

    • AITpro Admin says:

      When you add your custom code you need to save it by clicking the Save Custom Code button, then use AutoMagic to create a new Master secure.htaccess file and then activate the new Root .htaccess file. Thanks.

      • THANK YOU!!! It is working brilliantly now (…I did the same as before but it didn’t disappear this time when I pressed “save”, so perhaps there was something playing up on my site earlier, but regardless, your clear instructions helped enormously). Kind Regards, Karen

  8. John says:

    Re: Press This… With BPS activated I’m still able to get to the admin post page via the Press This tool, but the styling is broken and I lose access to the editing toolbar. Have you got a workaround for me?
    P.S. HackBots had their way with my entire DreamHost account! It’s taken me a week to recover. Thank You for making Bullet Proof Security!

    • AITpro Admin says:

      I don’t use Press This, but I noticed that the WYSIWYG editor formatting toolbar displays hidden by default when you use Press This. Click the Show/Hide Kitchen Sink button to display the full wysiwyg editor formatting toolbar once you have captured the content and saved it as a Draft. If this is not the issue then I just tested Press This and other than the thing I just mentioned everything else works like a normal WordPress Post.

      FYI – Press This does not have the full Post Editor functionality that you will find in the WP Dashboard Post Editor and the wysiwyg editor does not display in the Press This javascript Orphan window. You would have to save the Post as a Draft to get full WP Dashboard Post Editor functionality.

      • John says:

        I tried a bunch of stuff before I commented and it appeared as though reverting to the default htaccess brought the WYSIWYG editor tools back. But I was wrong, and everything is now fine (I think it might have been a memory issue on my shared acct) with BPS activated. So thanks again!

        • AITpro Admin says:

          Ahh yeah memory issues are tough to detect without a php error log in place. And they can be caused by a lot of different things or can indicate that there is a problem with your Server’s hardware or software, i.e. hard drive is about to fail completely. Thanks for confirming that this is not a BPS issue. Thanks.

  9. PDim says:

    BulletProof Security is installed on the main domain where there are several addon domains too.
    In one of these addon domains in cgi-bin folder I have perl cgi script installed which is used by external site on external server. What I need to change in .htaccess and is it possible to allow this cgi-bin script to work normally without being blocked by BPS with error 403? Would this kind of exception compromise security for my site?

    • AITpro Admin says:

      I would need specific details in order to be able to assist you. The information you have given me is too vague. In general BPS is not going to block the cgi bin folder so most likely something that the script itself is doing is being blocked. I would need to know the exact error message, any query strings involved in the error, paths, folder names, etc. Basically I need all the information about what exactly is not working or being blocked. If this has something to do with a plugin, then I need the name of the plugin. If this is a custom script then state that it is a custom script.

      • PDim says:

        Hosting account with 6 addon domains.
        Main domain site “A” has BulletProof Security installed.
        Addon domain site “B” is in subfolder and also has BulletProof Security installed.
        In cgi-bin folder in site “B” there is Form to Inbox Perl script – fblite002 http://www.htmlite.com/script002.php that is used from external site “C” .
        When external site “C” is trying to process this perl script, error 403 Forbidden occurs, i.e. http://www.site-B.com/cgi-bin/fblite002.cgi.

        Site A /home/username/public_html/
        /home/username/public_html/wp-admin
        /home/username/public_html/wp-content
        /home/username/public_html/wp-includes

        BulletProof Security installed

        Site B /home/username/public_html/site B/
        /home/username/public_html/site B/cgi-bin/fblite002.cgi
        /home/username/public_html/site B/wp-admin
        /home/username/public_html/site B/wp-content
        /home/username/public_html/site B/wp-includes

        BulletProof Security installed

        • AITpro Admin says:

          Oh ok then just add a RewriteEngine Off .htaccess file to the folder where you do not want security applied.

          create a text file.
          add only this text in it >>> RewriteEngine Off.
          Save the file with this name >>> securityoff.htaccess.
          Upload it to the folder where you do not want security applied and rename it to just .htaccess.

  10. Email hosting means that a company offers to perform email functions for customers. These functions can be as basic as send and receive and as complicated as database processing and global searching.

  11. Jeff Lovell says:

    Hello.

    My WordPress installation type is: standard wordpress single type
    My Server is using CGI
    My WordPress installation / site is installed in the root folder
    I have used AutoMagic to create my master .htaccess files
    I have activated all BulletProof modes

    I’m using the Podpress plugin to publish a podcast. The feed is valid, but itunes cannot update from the feed because it returns a 403 error.
    I’ve added the following to my secure.htaccess and root htaccess files
    # podPress rewrite ?feed=podcast as /feed/podcast
    # If you are using a custom slug then add the slug name to the rewriterule
    # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
    # If you have WordPress installed in a subfolder you will need to add the
    # subfolder name to the RewriteRule (.*) /blog/feed/podcast/$1? [R=301]
    RewriteCond %{QUERY_STRING} feed=podcast [NC]
    RewriteRule (.*) /feed/podcast/$1? [R=301,L]

    Any help you can offer in diagnosing & resolving this issue would be very appreciated. Thanks!

    • AITpro Admin says:

      That is an old .htaccess bypass / skip fix that should no longer be necessary. What I need is the exact itunes thing that is being blocked. If it is a particular query string then I can create a bypass / skip rule for you, but I would need to know exactly what is being blocked. So put your site in a Default state by backing up your current .htaccess files with the BPS built-in backup, then go to Security Modes, choose Default Mode, Activate it and then choose Delete wp-admin file and activate it. Your site will now be in a Default unprotected state without BPS security filters. Test itunes and find the query string that it uses to make the connection or whatever else it is doing. Once you have that info I can create a bypass / skip rule for you. Be sure to use the Restore feature on the Backup and Restore page to restore your BPS security once you have found that query string / finished testing.

  12. Tim says:

    Greetings, I own timlist.NET. I have a WP site there with BPS in the root dir. Now I added timlist.COM. This is in a sub folder as an add-on domain? within timlist.net file/folder.

    Do I need to install BPS on the .com WP site also? Or is the whole thing locked down as it is in the top or main domain root? Thanks. Sorry if I have not described this well. I am not a WP or domain expert.

    If I ever make any money I will be able to upgrade to the pay product. Thanks much!

    Tim

    • AITpro Admin says:

      The BPS plugin should be installed on every single installation of WordPress. You could manually add the .htaccess files for other sites in other folders, but that’s what BPS is for. 😉

  13. Jesse says:

    I installed BulletProof Security plugin after our site was hacked. So far BPS has kept us secure!

    However, I just installed the Participants Database plugin and when I try to upload a csv file I get following errors:

    Warning: move_uploaded_file(/home/bautista/public_html/wp-content/uploads/participants-database/Convencion_ WordPress_Church_List.csv) [function.move-uploaded-file]: failed to open stream: No such file or directory in /home/bautista/public_html/wp-content/plugins/participants-database/upload_csv.php on line 26

    Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move ‘/tmp/php6jAkuX’ to ‘/home/bautista/public_html/wp-content/uploads/participants-database/Convencion_ WordPress_Church_List.csv’ in /home/bautista/public_html/wp-content/plugins/participants-database/upload_csv.php on line 26

    Is this due to my BPS settings?

    • AITpro Admin says:

      Yes it is quite possible that BPS is blocking the upload. Try this fix and let me know if it works. I will test this plugin today to see if there are any direct security conflicts with BPS. Disregard the fix below. This plugin is broken or has coding mistakes in it. I tested it and got the same errors with BulletProof Modes On or Off. Thanks.

      # PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
      # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
      # Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.
      
      # Participants Database - allow upload
      RewriteCond %{REQUEST_URI} ^/wp-content/plugins/participants-database/ [NC]
      RewriteRule . - [S=13]
      
      # Adminer MySQL management tool data populate
      RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
      RewriteRule . - [S=12]
      

      A quick and simple way to determine if BPS Pro is blocking a plugin is to make a backup of your current .htaccess files using the BPS built-in Backup & Restore feature, then on the Security Modes tab – Activate Default Mode, Delete the wp-admin .htaccess and then test your plugin. If the plugin starts working then BPS is blocking it. If the plugin is still not working then BPS is not blocking it. IMPORTANT!!! – Remember to use Restore on the Backup & Restore tab to put your website back into BulletProof Mode after testing.
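The comment above states the bookkeeping rule for BPS skip rules: when a `RewriteRule ... [S=n]` is deleted, every larger S= number must be lowered by one so that each remaining skip rule still jumps over exactly the rules below it. The following added example (not code from the page or the plugin) applies that rule mechanically to a constructed copy of the skip block quoted above; it assumes skip rules are separated by blank lines and that their S= values form a consecutive descending run, which is how the quoted block is laid out.

```python
import re

# Constructed sample, modelled on the skip-rule block quoted in the comment above.
SAMPLE_SKIP_BLOCK = """\
# Participants Database - allow upload
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/participants-database/ [NC]
RewriteRule . - [S=13]

# Adminer MySQL management tool data populate
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=12]
"""

# Matches the flag bracket of a RewriteRule that carries an S= skip count,
# e.g. "[S=13]" or "[NC,S=13]"; group 2 is the number.
SKIP_FLAG = re.compile(r"\[([^\]]*\bS=)(\d+)([^\]]*)\]")


def skip_numbers(text):
    """Return the S= value of every skip rule in the text, top to bottom."""
    return [int(m.group(2)) for m in SKIP_FLAG.finditer(text)]


def check_skip_chain(text):
    """True when consecutive skip rules differ by exactly one (13, 12, 11, ...).

    Assumption: each skip rule sits above the security filters and must skip
    every rule below it, so each one skips one rule more than the next."""
    nums = skip_numbers(text)
    return all(a - b == 1 for a, b in zip(nums, nums[1:]))


def delete_skip_rule(text, deleted):
    """Drop the blank-line-separated group holding [S=deleted] and lower every
    larger S= value by one, exactly as the comment describes (S=6 -> S=5)."""
    groups = re.split(r"\n\s*\n", text.strip())
    kept = []

    def renumber(match):
        n = int(match.group(2))
        if n > deleted:
            n -= 1
        return "[" + match.group(1) + str(n) + match.group(3) + "]"

    for group in groups:
        if deleted in skip_numbers(group):
            continue  # this is the rule being removed
        kept.append(SKIP_FLAG.sub(renumber, group))
    return "\n\n".join(kept) + "\n"


if __name__ == "__main__":
    print(skip_numbers(SAMPLE_SKIP_BLOCK))          # [13, 12]
    print(delete_skip_rule(SAMPLE_SKIP_BLOCK, 12))  # Adminer group gone, S=13 -> S=12
```

Running `check_skip_chain` on the edited block is the quick sanity check before activating the new root .htaccess file: a gap in the sequence means a skip rule will land inside the filter block instead of past it.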

      • Jesse says:

        Thanks for the great help.

        I will get in contact with the plug-in developer.

        I appreciate the prompt and informative reply.

  14. Gary Golden says:

    I installed yesterday morning and got hacked by .htaccess injection last night. A code was injected into my .htaccess whereas when people accessed my site through a search engine they were referred here:

    http://bannortim-qimulta.ru/industry/index.php

    • AITpro Admin says:

      Hello Gary,
      First off I empathize with you. Having your website hacked is a horrible experience. I have copied the email response to your email below. Thank you.

      These are the 2 most likely reasons for this.

      1. If your website was previously hacked before installing BPS Pro then most likely some hackers code or files may still have been in your website when you installed BPS. BPS Pro is designed to keep hackers out, but if they are already inside your website then BPS cannot automatically clean out the hackers code and scripts. It is recommended that you restore your website from a known good backup from a date before your website was hacked.

      2. Your Web Host Server is being hacked directly with a Brute Force FTP Password Cracking method. I am currently working on and will be releasing a new Countermeasure feature in BPS Pro 5.1.5 and it will be released in about 4-5 days from now.

      There has been a massive worldwide hacking effort going on for the past 4 weeks and it is still going on. I know of at least 30 Web Hosts Worldwide that have had their Host Servers hacked in the past 4 weeks. They are going after weaker Host Servers because they have found a new Server vulnerability in the smaller Hosting outfits. The big brand name Hosts are all ok at this point – UPDATE: actually I now know of 3 big brand name Hosts that have had Servers compromised as of 2-21-2012. They have sufficient DoS and DDoS security in place. The hacking method is Brute Force FTP Cracking methods to hack into vulnerable Host Servers. I am currently working on and will be releasing a new Countermeasure feature in BPS Pro 5.1.5 and it will be released in about 4-5 days from now. Thanks.

      In general what I am seeing in hacking trends is that hackers are realizing that they cannot hack a website directly with BPS Pro installed so their focus has now primarily shifted to hacking the Host Servers. Hacking Host Servers is not something new, but what is significant now is the increased percentage of those attacks. This new feature I will be releasing in BPS Pro is called AutoRestore CM. Without going into all the technical details and specifics about AutoRestore CM the basic idea is that if your Host Server has been compromised and if code has been injected into your files your files are automatically restored with good copies of your files. We will always try to evolve our defenses as fast as the hackers evolve new attack methods. Thank you.

      Best Regards,
      Ed

  15. Holmey says:

    Hi,

    I’m having problems with 404 page not found errors on post and archive pages and believe that it’s down to HTACCESS files & Bulletproof security, can anybody advise me how I can resolve it.

    Every couple of hours the post and archive pages start throwing 404 page not found errors, which are only resolved if I change the permalink structure, only for the same problem to come back again within an hour or two, with again changing the permalink structure curing the problem.

    I’m ripping my hair out here, (good job I’ve got plenty), can you please suggest how I can resolve this.

    Best wishes,

    Holmey

    • AITpro Admin says:

      URLs should be a permanent thing and not change on their own so you need to find out what and how URLs are being changed. If you are resaving your permalink structure then you are creating a new WordPress default .htaccess file each time you save your permalinks. If your website is hacked then it is possible that your .htaccess file is being changed. What you need to look at the next time this occurs is your .htaccess file. If you find any code in that file that should not be there then most likely your website has been hacked and you have hackers code or files inside your website files and / or folders or your Host Server is being hacked. There is a massive Worldwide Brute Force FTP password cracking hacker campaign going on right now. I know of at least 20 different web hosts that have had their Servers hacked in the last 3 weeks and it is still going on. Change your FTP password immediately and then if the problem occurs again check your .htaccess file.

      • Holmey says:

        I did get hacked about a week ago, with it not being a brute force attack, but by an executable .php script introduced to my server via the code being put in the header of a pre sales support ticket submitted via my WHMCS client portal.

        While I cleared all the files out (including a massive file of scripts placed in the images folder of WHMCS), is it possible that I’ve still got some sort of hidden script still on my server from the hack that is capable of rewriting my htaccess file every couple of hours or changing the permalink structure?

        I ask as it seems that every couple of hours the website I’ve reinstalled in the root folder starts throwing 404 page not found errors on post pages and I’m having to reset the permalink structure to get them to display again and it appears that the cause of this is either that the “Bulletproof Security” secure htaccess file in the root folder is being rewritten every couple of hours or the permalink structure is being changed every couple of hours and the htaccess file is not being updated as it should.

        If there could still a script doing this on the server, can you suggest any way that I can find and delete it as I’m not confident in doing any more work on any sites on the server until it’s sorted.

        • AITpro Admin says:

          When a hacker hacks your site typically they leave several backdoor scripts in place. Some will be obvious to find and some will be very well hidden. Hacker scripts can be executed remotely if they have already got their scripts on / in your website files. Unless you are very experienced at de-hacking a website I don’t recommend that you go this route. It is very time consuming and most likely you will not find all of the hackers scripts. What I recommend is that you restore your website from a known good backup to a date before your website was hacked and delete all files for your current site. The best way to do this is to restore to a new folder, then rename your existing website folder, then rename your restore folder to your website folder and delete your old website folder – you want to delete all of the files for your old website. You may also need to restore your WP DB or create a new one, but see if restoring your website files is enough.

  16. Liane says:

    Hi,

    I installed BPS Free on a debian squeeze + Apache + php 5.3.3-7 + WP 3.3.1 server, all up-to-date.
    Created the WP Network / MU Automagic files.
    When I activate the BulletProof Mode, I instantly get 500 errors for all pages (admin and all)

    I found out that commenting the following lines in the .htaccess file removes the errors:
    #DirectoryIndex index.php index.html /index.php

    #Order allow,deny
    #Deny from all
    #Allow from 88.77.66.55

    Any idea why these lines cause 500 errors?

    • AITpro Admin says:

      Basic Checks for MU
      BPS should not be Network Activated – only the Primary Site should have BPS activated on it
      Only the Primary site should have BulletProof Modes activated – subsites should NOT have BulletProof Modes activated.

      Normally if a Web Host does not allow a particular .htaccess directive to be used then you will see 500 errors. For example on Hosts that do not allow the Options directive to be used the BPS Options -Indexes directive will cause a 500 error on that Host. It may be that your Host does not allow the DirectoryIndex directive to be used. Check with your Web Host about this. I have no idea at all why the other things you commented out in FilesMatch would cause this, but if your posted comment did not contain the entire code then maybe FilesMatch is also not allowed on your Web Host. Check with your Web Host about this. Thanks.

      • Liane says:

        thank you for this fast reply.

        BPS is not Network Activated, just enabled on the primary site.

        Also, I don’t think it is a server problem, since pasting the uncommented line directly in the apache config file (in /etc/apache/sites-enabled) doesn’t give any error.

        so DirectoryIndex and FilesMatch are allowed on this server. And for the web host, it is a dedicated VM that I installed myself from a clean squeeze install, nothing fancy about apache or php settings.

        I tried to deactivate all other WP extensions, but didn’t find any conflict here…

        • AITpro Admin says:

          Well if you have access to the httpd.conf file then you are controlling what is and what is not allowed in the httpd.conf file itself. .htaccess files are the child configuration file of an httpd.conf file. Most people do not have access to the httpd.conf file so they have to use .htaccess files to add additional security. In your case you should read up on httpd.conf files and you will see that you could add a lot of things directly into the httpd.conf file, but I personally like using separate .htaccess files per site. This gives you more flexibility per site when you have a cross platform environment and of course each site has its own security rules. Some things obviously need to be per site and cannot be added to a httpd.conf file like rewriting specific site rewritebases. 😉 So maybe you just need to create master rules in your httpd.conf file that can then be followed in the .htaccess files. This is pretty advanced stuff so you should read up on what you can do with httpd.conf files.

          Also this .htaccess code is going to be removed permanently for any MU site types in the next version release. It is apparently also problematic for MU subdirectory installations as well as subdomain installations.

          RewriteEngine On
          RewriteBase /
          RewriteRule ^wp-admin/includes/ - [F,L]
          RewriteRule !^wp-includes/ - [S=3]
          RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
          RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
          RewriteRule ^wp-includes/theme-compat/ - [F,L]
          

          Thanks.
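The rule block quoted above is a compact example of how mod_rewrite's `F`, `L` and `S=n` flags interact: the negated `!^wp-includes/` rule skips the three wp-includes blocks for every request outside that directory, so only paths under wp-includes/ are ever tested against them. The following added example (not code from the page or the plugin) is a small simulator of that evaluation order in Python; it assumes the per-directory context of a root .htaccess with `RewriteBase /` (patterns are matched against the path without its leading slash) and models only the `-` substitution, which is all this block uses.

```python
import re

# The MU rule block quoted in the comment above, used verbatim as the input.
RULES_TEXT = r"""
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
""".strip()

# RewriteRule <pattern> <substitution> [flags]
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")


def parse_rules(text):
    """Parse RewriteRule lines into (regex, negated, flags) tuples.

    RewriteEngine/RewriteBase lines are not rules and are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        pattern, flags_text = m.group(1), m.group(3) or ""
        negated = pattern.startswith("!")
        regex = re.compile(pattern[1:] if negated else pattern)
        flags = {}
        for flag in flags_text.split(","):
            flag = flag.strip()
            if flag:
                key, _, value = flag.partition("=")
                flags[key] = value
        rules.append((regex, negated, flags))
    return rules


def evaluate(rules, uri):
    """Walk the rules in mod_rewrite order for one request path.

    A matching rule with F answers 403 ('forbidden'); S=n skips the next n
    rules; L stops processing. Returns 'forbidden' or 'allowed'."""
    path = uri.lstrip("/")  # per-directory context: no leading slash
    i = 0
    while i < len(rules):
        regex, negated, flags = rules[i]
        matched = bool(regex.search(path)) != negated
        i += 1
        if not matched:
            continue
        if "F" in flags:
            return "forbidden"
        if "S" in flags:
            i += int(flags["S"])  # jump over the next n rules
        if "L" in flags:
            break
    return "allowed"


MU_RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # Constructed sample request paths, not taken from the page.
    for uri in ("/wp-admin/includes/file.php", "/wp-includes/load.php",
                "/wp-includes/js/jquery/jquery.js", "/wp-content/plugins/x/y.php"):
        print(uri, "->", evaluate(MU_RULES, uri))
```

Tracing a plugin path through `evaluate` shows why the skip count is load-bearing: with `S=3` the request jumps straight past the three wp-includes rules, whereas a stale count after adding or removing one of them would leave a filter unevaluated or apply it to paths it was never meant for, which is the same failure mode that makes BPS insist on renumbering its skip rules.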

          • Liane says:

            Well, like I said, I didn’t change anything in the base apache or php conf files, I too like to change things elsewhere, so I don’t have problems with apache or php upgrades.

            While I’ve found the 2 things that seem to cause problem, my concern is that:
            – I don’t quite understand why they cause problems in the .htaccess file, when they are working elsewhere
            – they could magically reappear when upgrading BPS on a future version.

            Thanks for the possible problematic rules in a MU install, I’ll have a look at them also.

          • AITpro Admin says:

            Yep you did the exact 2 things that I would have done in the apache config file in your next comment after this one so no need to answer here, but once again Well Done! 😉

          • Liane says:

            ok, problem sorted:

            in the WordPress apache conf file, you need to be sure that you have Indexes (for DirectoryIndex) and Limit (for Allow and Deny) allowed; you should have a line that looks something like this:

            AllowOverride FileInfo Options Indexes Limit

            After adding these 2 to my AllowOverride, everything works ok.

          • AITpro Admin says:

            Well done my friend. Yep that was exactly the direction I was trying to point you in, but without knowing your technical skill level I didn’t dare open up that can of worms and try and explain all that technical info to you if you were not knowledgeable in this area. 😉 I have made a note that you are a high level technical person so that in any future communications I now know your technical skill level so that I will go pure tech talk and not layman’s. 😉

  17. PeterS says:

    Hi, my friend moved her WordPress site (one provided) to another host. We now get a 404 error when trying to access http://www.site/wp-admin (the 404 error URL generated is http://www.site/login?redirect_to=http%3A%2F%2Fsite%2Fwp-admin%2F&reauth=1). The site is installed in root; it runs on PHP 5.2.17. I have tried to do what you advised with Jenoll (Feb 3, 2012) but this does not work. Any advice would be very welcome.

    • AITpro Admin says:

      Most likely you did not update your wp-config.php file from the old site for your new site. Open the wp-config.php file and add the correct new WP DB name, username and password for the new site on the new Host. If this does not fix the problem then you will need to access your new WP DB in your Control Panel using phpMyAdmin and correct the information in your new WP DB. Please see the WordPress Codex for all things to check or change in your new WP DB. Thanks.

      • PeterS says:

        Thanks for the input, I will do as you say. btw, fyi, the error log shows

        [12-Feb-2012 09:37:02] WordPress database error Unknown column ‘referrer’ in ‘field list’ for query INSERT INTO 63676_BWPS_d404 (computer_id, qstring, referrer, attempt_date)
        VALUES (‘118.210.##.###’, ‘/wp-content/uploads/2011/01/zero-footer.jpg’, http://site/login?redirect_to=http%3A%2F%2Fsite%2Fwp-admin%2F&reauth=1, 1329039422); made by require, require_once, include, get_header, locate_template, load_template, require_once, wp_head, do_action, call_user_func_array, BWPS->d404_check, BWPS->d404_log

        nb – I’ve used ### to blank out my IP address.
        Does this align with your thoughts as provided? If not, any suggestions would be appreciated. PeterS

  18. mitch says:

    There is a conflict with Google Analytics Dashboard Widget. When I activated any of the BulletProof options, the Widget stopped working; when I deactivated BPS, it worked again.

    • AITpro Admin says:

      Yep here is the fix. I just have not posted it yet. Thanks.

      In both your Root .htaccess file and your wp-admin .htaccess file….

      change this security filter...
      
      RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
      
      to this...
      
      RewriteCond %{QUERY_STRING} ^.*(\[|\]|<|>).* [NC,OR]
      

      And actually there are new filters about to be released in the next version.

      RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
      RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
      
  19. Dave says:

    I am a new user of your plugin. I am using it on a wordpress multi-site blog network and have done the following:

    – Created the default.htaccess file and secure.htaccess file under: Use These AutoMagic Buttons For Your Website For WP Network / MU sub-directory Installations
    – Activated BulletProof Mode for all the security modes under Activate Security Modes

    However, it seems that when I activate the first bulletproof mode under “Activate Website Root Folder .htaccess Security Mode,” none of my images work any longer. The logo for my site becomes inaccessible and not found. Once I resort to Default Mode for the WP Default htaccess File, my images work again.

    I would like to enable this security feature, but how can I do so without breaking all my images?

    This is actually the same issue as Susan below me. However, I have network deactivated it and only activated it on my main site. I still get the issue, though.

    Thanks

  20. Susan says:

    Hi – I just installed the plugin yesterday to my multisite, which I am still adding new sites to, and everything was working fine except images are not showing on the networked site and only the super admin password works to access the sites.

    I need the images to show – I think the code above is to fix this, but I have no idea where to place this code… in the .htaccess file anywhere?

    I also need to have separate logins for each site – we have a few people that post every day that need to have their own access – and not to the main network.

    Can you help, please?

    Thanks!

    • AITpro Admin says:

      BPS should not be Network Activated – The BPS plugin should only be activated on the Primary site.
      Only the Primary Site should have BulletProof Modes activated – subsites should not have BulletProof Modes activated.

      Please see this post for MU image problems >>> http://www.ait-pro.com/aitpro-blog/3454/wordpress-tips-tricks-fixes/wordpress-network-mu-images-not-displaying-images-not-displaying-in-media-library-images-not-displaying-on-website/

      BPS does not block logins by Roles or do anything else with Roles besides displaying the BPS menus to only Super Admins.

      There is a coding correction that will be released in BPS .46.9. This fix is for a header error that occurs in subsites and does not pertain to the problems that you are experiencing.

      The code in the /bulletproof-security/admin/includes/admin.php file at code lines 33-37 to be replaced is:

      // BPS Menu
      function bulletproof_security_admin_menu() {
      	if (is_multisite() && !is_super_admin()) {
      		echo 'Only Super Admins can access BPS Pro';
      	} else {
      
      with this new code
      
      // BPS Menu
      function bulletproof_security_admin_menu() {
      	if (is_multisite() && !is_super_admin()) {
      		// return the message instead of echoing it: output this early
      		// in the admin_menu hook is what triggers the header error
      		$bpsSuperAdminsError = 'Only Super Admins can access BPS Pro';
      		return $bpsSuperAdminsError;
      	} else {
      
      • Susan says:

        Ok, that’s most likely the problem – it is network activated on the network site.

        Basically, http://www.what-the-ish.com is the main, primary site. The plug-in was installed on http://www.what-the-ish.com/wp-admin/network/plugins.php

        So, I need to install it on http://www.what-the-ish.com/wp-admin/plugins.php right? Only I’m not able to add new plugins only activate them and BPS isn’t listed there to activate unless I install it in the network and network activate it.

        I’m so confused – but I really appreciate your help on this.

        • AITpro Admin says:

          I am not sure why you are showing me folder paths, but those links have been removed. You don’t want people clicking on those links here that are going to your site. BPS is not a Network Plugin. Only Network Plugins are installed as Network plugins. Network Deactivate the BPS plugin. Then go to your Primary Site and activate the BPS plugin for ONLY the Primary site. Then use AutoMagic to create your Master .htaccess files for ONLY your Primary site. Then Activate BulletProof Modes for your Primary site – ONLY.

          I think you are in Network Admin. This is another level of your Primary Site where you can perform Network Admin tasks. Your Primary Site is the first site you installed. You can go to your Primary Site by clicking on All Sites, then click on the Dashboard link for your Primary site under “Sites” NOT your sidebar Admin Panel Dashboard link.

  21. Peter Murphy says:

    Hi, installed the plugin, activated, backed up and created default and secure htaccess. Now can’t get back into dashboard or login. Error messages start: Allowed memory size of 33554432 bytes exhausted

    Unfortunately didn’t see that WordPress Firewall is a conflict so that is installed and activated. Ideas to fix this appreciated! Thanks. Peter

    • Peter Murphy says:

      Hi, I increased the memory limits in wp-config.php and php.ini but that didn’t solve the problem. I contacted my hosting company with the error message and they increased the memory limit. Problem is resolved so no reply is needed. Thanks for creating the plugin. I will now uninstall WP firewall and run a scan for timthumb vulnerabilities.

      Peter

      • AITpro Admin says:

        Yep WP Firewall is very bad news. It will break just about everything in your WP backend. I think Firewall2 may be ok, but I have not tested the latest version yet. 😉

        • Peter Murphy says:

          Hi, I need your help! This memory issue has locked me out of Dashboard now so I can’t even activate default mode. I haven’t added a memory increase to htaccess though – I did try and it broke.

          php.ini and wp-config are both set to 128M

          I wonder if there is a plugin conflict – all the fatal errors are variations on this:

          Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 30720 bytes) in /home/peterus/public_html/wp-content/plugins/simple-forum/template-tags/sf-template-tags-tags.php on line 188

          I need to work out how to get back into dashboard and start over!

          Thanks

          Peter.

          PS I was using Firewall 2, now uninstalled. It wasn’t the cause of the memory error though.

          • AITpro Admin says:

            32M is not enough memory overhead for WordPress.
            Your web host is A Small Orange, LLC. I see that several other people using your Host have also had this issue occurring on their websites very recently. Increasing the memory limit did fix their problems. In your php.ini file you should have a minimum of 64M for the memory limit directive. memory_limit = 64M
            You should be running PHP5 and not PHP4 on your website.

          • Peter Murphy says:

            Hi, as I said earlier php.ini and wp-config are both set to min 128M. I’m on PHP5.

            Small Orange are associated with my hosting company, Hostnine, who advised that in addition I should add this to htaccess:

            SetEnv PHPRC /home/USERNAME/public_html

            I did that in file manager and that has restored access to the dashboard. I’ll get back to you if any more problems.

            Peter

          • AITpro Admin says:

            Well then you would not have been seeing a memory limit error for 32M if the php.ini setting was really working. The .htaccess code they gave you to put in your .htaccess file is php.ini handler code. It tells your website to look at your custom php.ini file and not the Server’s Default php.ini file. So my assumption is that you may have changed your memory limit in your php.ini file, but your website was still looking at the Server’s Default php.ini file and not yours in your public_html folder.

          • Peter Murphy says:

            Well, now I really have a problem. There is no htaccess in wp-admin. I run into memory errors trying to create one and I can’t activate secure wp-admin. See report below.

            I also now can’t access settings or deactivate, or restore. Can you help? If not I’m going to have to delete the site and reload it from a clone. Major pain. Peter

            The .htaccess file that is activated in your root folder is:
            BULLETPROOF .46.8 >>>>>>> SECURE .HTACCESS

            √ wp-config.php is .htaccess protected by BPS
            √ php.ini and php5.ini are .htaccess protected by BPS

            Deny All protection NOT activated for BPS Master /htaccess folder
            Deny All protection NOT activated for /wp-content/bps-backup folder

            An .htaccess file was NOT found in your wp-admin folder.
            BulletProof Mode for the wp-admin folder MUST also be activated when you have BulletProof Mode activated for the Root folder.

          • AITpro Admin says:

            Personally I think what is the cause of all these problems is your php.ini file. I suspect that it has invalid or missing directive settings. What I recommend is that you find out from your host what can / cannot / should / should not go in your custom php.ini file. Please take a look at this post to get an idea of some of the possible requirements that your Web Host could have for php.ini files. http://www.ait-pro.com/aitpro-blog/3576/bulletproof-security-pro/custom-php-ini-faq/#web-hosts-list.

            To make things easier for you and your Host to understand each other, you could send that link above to them and ask them to tell you what all of your Host’s requirements are for php.ini files based on the Host table. I cannot tell you what you should do with your php.ini file until I know what your particular Host requires. Every single Web Host has their own specific requirements for php.ini files on their Servers.

    • Peter Murphy says:

      Ok Thanks. Have contacted HostNine with your comments. You might like to add them to your list of hosting companies? http://www.hostnine.com. Weekend now so this might get protracted.

      I wish I’d known what I was getting into when I installed this plugin. Anyone on fiverr offer an installation gig that you know of?

      • AITpro Admin says:

        I can only add a Host to the list once we have confirmed a 100% successful installation of BPS Pro. There are many factors involved here because every single Web Host has a unique Server Environment – no two Web Hosts are exactly alike – and we are not planning on doing this for the BPS free version.

        Well what you are experiencing is not normal for a BPS free installation. We rarely ever get asked questions anymore because BPS free is so automated and the typical installation is completely trouble free and goes flawlessly on 100’s of Web Hosts. I have never heard of this Web Host before so maybe they have some Server php.ini issues that need to be worked out or maybe this is all due to your custom php.ini file. I suspect that the cause of the problem is an incorrect or an invalid custom php.ini file.

  22. yw says:

    Hi,

    After installing your plugin, I can no longer see all my posts; the message is page not found. On the backend I can see them. Everything seems distorted from the backend and it’s really bad, so I deleted it. But still I can’t see my posts now. HELP!

    • AITpro Admin says:

      Hello,

      Can you be more specific about the problem that is occurring?

      Is this Apache Linux Hosting?
      Did you use AutoMagic to create your master .htaccess files first before activating them?
      Please send screenshots.

  23. tahira says:

    Hi!
    I’ve just installed BulletProof Security free version in my WordPress to test it.
    After installing and doing the first process, I did the 2 backups.
    Now I can access neither my page nor my wp-admin.
    Can you help with this please?
    Is there something I can do through FTP to get my site back?

    Thanks

    • AITpro Admin says:

      Your website is currently hacked. It appears that this is a javascript hack in your gallery plugin or a typical timthumb hack. Your link has been removed. BPS is designed to protect your website from being hacked. If it was already hacked prior to installing BPS then BPS will not automatically remove the hacker’s code / scripts. Please restore your website from a backup – both files and your WordPress Database. Thank you.

      outra-cena.com/wp-content/plugins/lightbox-gallery/js/jquery.lightbox.js

      On closer inspection it looks like all your js files have had code injected into them. This usually indicates a mass code injection attack. At the bottom of all your js files you will see injected code starting with…

      (jQuery); var _0xdc8d=["\x73\x63\x5F\x63\x6F",......
      

      Contact your web host to have them run a cleaner script on your site. You should always notify your web host any time your site was hacked by mass code injection as this can indicate that the web host’s server was hacked.

      This form of malware attack is documented here >>> http://sucuri.net/malware/malware-entry-mwjs69693

  24. Edward says:

    For some reason my BPS htaccess file is constantly rewritten, wondering if anyone knows the solution aside from re-enabling BPS every few days. Thx.

    • AITpro Admin says:

      That should not be happening of course. The next time your .htaccess file is overwritten, download the file and send it to info[at]ait-pro[dot]com. Thanks.

  25. simon says:

    Hi,
    I’m checking this security plugin of yours
    and it looks great.

    Only one problem, for security reasons I changed the default wp-content folder to a different name.

    The thing is that your plugin doesn’t detect it, as you don’t use the global variable but hard code the paths in the source code, for example in this file: bulletproof-security/admin/options.php

    So as the backup function fails, I’m afraid to use any other function…

    Please advise.

    It would be great to receive an email concerning this issue as I can’t subscribe to the comments here…

    Thank you,
    Simon

    • AITpro Admin says:

      Hmm Ok well I might consider changing this. I will have to look at all the possible ramifications of doing this mod. In general I am not a real big fan of trying to hide things. You can hide things from human visitors, but you’re not going to be able to hide from a bot. 😉 I hate spam and subscriptions are spam-like so I don’t bother with them. Thanks.

      • simon says:

        Thank you for your prompt reply!
        It would be great if you decide to make the change.
        As programmers we also know it’s cleaner code 🙂

        Cheers,
        Simon

        • AITpro Admin says:

          Yep as soon as I confirm that this will not have a negative impact, cause any other conflicts or create any sort of vulnerability, which this simple change should not cause for any reason I can think of off the top of my head, then I will implement this change. Testing, debugging, then more testing, then more debugging, then more testing…right? LOL BPS .46.7 is tentatively scheduled for release sometime between January 3rd to January 8th. Thanks. Merry X-Mas!

  26. Mike says:

    I am currently in a world of pain.
    I have a domain and 5 subdomains all of which will require websites. These will be for primary schools and a UK version of a School District. These sites are all in various stages of being built and configured.
    I have a massive performance issue for which the resolution is to move the db’s to a different server. I am new to wordpress but have picked it up fast. WP-Migrate-DB was a huge help.

    The main domain db has been moved over and is now running fine (only a holding page for now with very few widgets, and was pre-BPS).

    Then I seem to have swallowed a stupid-pill.
    Without disabling BPS or anything else, I moved the second db over to the new server. The db migrated without issue but I cannot get into either the site or the wp-admin console despite changing the wp-config.php server name. I can only put this down to BPS which was already enabled.

    I presume the fix is to do with .htaccess files in the root and wp-admin directories. I have put defaults here and have had no success.

    Can you offer any advice (other than not being so stupid in future)? I need to fix this site and migrate another 4 db’s! I also presume that my mistake was not disabling/uninstalling BPS before I started?

    • AITpro Admin says:

      BPS does not affect your WordPress DB directly. The only reason BPS would not allow you back into your website would be if your RewriteBase and RewriteRule are incorrect in your root .htaccess file. So if the folder path to your site has changed then you simply just need to delete the root .htaccess file and then create a new root .htaccess file (AutoMagic secure.htaccess) and activate it.

      I have never tried the plugin that you used, but usually when you can’t get back into your site after migrating it has something to do with your old URL address not being changed to your current URL address in your DB. In your case you were not changing any URL paths and just migrating a DB to another Server so BPS would not have anything to do with the problem. I think you should probably contact the DB migration plugin author as he / she probably is familiar with all the things that can go wrong in a DB migration.

      Thanks.

      • Mike says:

        Thanks so much for your prompt response. Truly impressive.
        I did try removing and also replacing the root .htaccess file but with the same lack of response. I’ll contact the WP-Migrate-DB people and ask them as you suggest and will let you know the fix when I have one.

        Can I confirm that you’re saying that I don’t have to disable the BPS plugin before migration?

        • AITpro Admin says:

          Yes, you are correct. The only time you would need to take BPS out of the equation prior to doing a migration would be for a website migration where you are going to be changing the folder path where WordPress is going to be located. Example: migrating site1/blog-folder to site1/new-blog-folder. If the folder path is not going to change anywhere in your migration procedures (just doing a DB migration) then BPS would not interfere with this in any way. Thanks.

        • Mike says:

          Fault traced to some garbage in the wp-config.php file. Garbage removed and all now working.

          Thanks for listening. I’m going for a beer!

  27. Espresso97 says:

    Hi, I’m having a terrible issue, and my host has instructed me to seek advice. I would like to I cannot conditionally redirect my RSS feed to google feedburner. I am not sure how to do this properly, without error. Instruction would be most appreciated.

    Google instructs:

    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} !FeedBurner
    RewriteRule ^index\.xml$ http://feeds.feedburner.com/YOURFEEDADDRESS [R,L]

    I should note that I have no clue what I’m doing, and you’ve helped me before which is super awesome. I am a novice, and am so freaked out I’m gonna mess it all up. 🙂

    I also don’t know what the [R,L] thing there is.

    Thanks.

    • Espresso97 says:

      Wow, and I didn’t even proof read. Yikes. I meant to say I would like to but cannot conditionally redirect.

      • AITpro Admin says:

        Is this for the BPS Pro plugin or the BPS Free plugin? Thanks.

        • Espresso97 says:

          The free one. 🙂

          • AITpro Admin says:

            Ok cool. The .htaccess rule is saying if the user agent is NOT Feedburner. This means that ANY user agent would follow the RewriteRule. I don’t think that you need that part of the rule. You should just be able to directly redirect to Feedburner by adding only the RewriteRule. Which plugin is this exactly? Please post the link to the plugin in the WP plugin repository. And you can either place this RewriteRule at the top of Plugin rules and give it a Skip rule # or you could place it outside of the Query string filters – I don’t think that feedburner would need to be filtered for any security reasons. Thanks.

          • Espresso97 says:

            I’m not exactly sure what you mean. Do I post that code directly underneath your existing code in the htaccess file? Where, below which line? And I don’t know what a plugin repository is, and what link you want. I hope that’s not frustrating to you, it is to me. 🙂

          • AITpro Admin says:

            That makes 2 of us. LOL I don’t use a Feedburner so is this a built in WP thing or is this a plugin? I need a starting point before I can even begin to try and help you. Where you get all WP plugins is called the WP plugin Repository. Thanks.

          • Espresso97 says:

            You access feedburner from your google account dashboard, and implement it into your blog. You have your original feed address, then they give you a feedburner address for it to use for redirect, for consolidating all your feeds to this one. Not a plugin. There is a plugin that’s supposed to redirect, but it is useless. Didn’t work.

          • AITpro Admin says:

            Oh ok I understand what you are trying to do now. You can put the Feedburner RewriteRule anywhere in your Root .htaccess file. Do not put it within the Query String Filters. If Google has given you the .htaccess code you need then you can trust it. Thanks.

          • Espresso97 says:

            I’ll try that. Hope it works. 🙂

          • Espresso97 says:

            Before I do this, I logged into file manager according to host personnel instructions. I found the .htaccess file. Once opened, it says BULLETPROOF .46.6 >>>>>>> SECURE .HTACCESS across the top and then all the code. This is it?

          • AITpro Admin says:

            Yes that is your Root .htaccess file. You can add your Google Feedburner .htaccess code anywhere near the top of that file. If this was my .htaccess file I would add it right before – # BEGIN WordPress. Thanks.

          • Espresso97 says:

            Nope, didn’t work. We tried, right? 🙂 Thanks.

          • AITpro Admin says:

            I would experiment with this, but I don’t want to screw up my feeds. I have all my feeds set up directly in Google Webmaster Tools. I looked at Google Feedburner and it would change what I have already got going on so when I have some time I will mess around with this on a testing site. That will not be for quite a while though. I have my hands full these days. 😉 Thanks.

          • Espresso97 says:

            I understand. I appreciate that you took time to try to help. If you ever do come up with a fix, please drop me an email and let me know. In the meantime, thanks for this fantastic plugin.

          • AITpro Admin says:

            Yep I gave all my guys the day off. They have been working 12 hour days for months now. I’m still doing 18 hour days, but at some point all of that will settle down…or I will be dead from exhaustion. LOL Glad ur diggin’ BPS! Thanks.

  28. Chris says:

    Hello,

    I am having some file access permission issues with BPS-FREE 46.6, specifically accessing theme’s regular “style.css” is forbidden (403).

    I thought the problem was with the TimThumb.php, which I updated to the latest version and modified .htaccess line to allow THUMBNAILERS: “141. RewriteRule . - [S=1]”, but that didn’t solve the problem.

    Since the previous version BPS .htaccess file worked well (46.4 was OK, but not 46.5), I took my time to update the old file with new one line by line.

    I narrowed it down to one rule that is present in 46.4, but MISSING from the 46.6 version (I’m sure it’s missing for some good reason). Adding that rule just ABOVE the “190. RewriteRule ^(.*)$ - [F,L]” line allows the css file to be accessed OK (both with direct URL call and by the wordpress theme), thus the theme displays correctly.

    The magic line is:

    RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]

    Please advise how to correct this in the most secure manner. Thanks.

    Chris

    P.S. See my email’s domain for the URL of my blog.
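    The bracket filter the admin relaxed for the Google Analytics widget (comment 18) and the SQL keyword rule Chris re-added above the final Forbid rule (comment 28) work the same way: a case-insensitive substring search over the raw query string that, on a match, sends the request to a 403. The following Python harness is an added example, not code from BPS or from anyone in this thread; it emulates that matching with the thread's own patterns over constructed sample query strings, and shows why parentheses broke the widget and why benign parameter names such as charset trip the keyword list.

```python
import re

# Query-string filters quoted in this thread, in Apache mod_rewrite (PCRE)
# syntax.  A RewriteCond applies its pattern as an unanchored search, so the
# leading "^.*" and trailing ".*" add nothing but work; re.search() is the
# faithful Python emulation.  QUERY_STRING is the raw text after "?", still
# percent-encoded, so a literal "<" and "%3C" are different strings here.
SQL_KEYWORDS = [
    "execute", "exec", "sp_executesql", "request", "select", "insert",
    "union", "declare", "drop", "delete", "create", "alter", "update",
    "order", "char", "set", "cast", "convert", "meta", "script", "truncate",
]
SQL_KEYWORD_GROUP = "(" + "|".join(SQL_KEYWORDS) + ")"

FILTERS = {
    # original filter that broke the Google Analytics Dashboard Widget
    "old_brackets": r"^.*(\[|\]|\(|\)|<|>).*",
    # the posted fix: parentheses dropped from the character list
    "new_brackets": r"^.*(\[|\]|<|>).*",
    # the two filters announced for the next release
    "next_brackets_encoded": r"^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).*",
    "next_control_chars":
        r"^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).*",
    # the SQL keyword rule Chris found missing from .46.6
    "sql_keywords": "^.*" + SQL_KEYWORD_GROUP + ".*",
}


def blocked_by(query_string, filters=FILTERS):
    """Names of the filters that would match this raw query string.

    Every RewriteCond above carries [NC] (no case), hence re.IGNORECASE.
    In the real ruleset any match feeds the [F,L] rule, i.e. a 403.
    """
    return [name for name, pattern in filters.items()
            if re.search(pattern, query_string, re.IGNORECASE)]


def hit_keywords(query_string):
    """Which SQL keywords the sql_keywords filter finds in the query string.

    The pattern has no word boundaries, so ordinary parameter names that
    merely contain a keyword as a substring (charset, orderby) match too.
    """
    hits = re.finditer(SQL_KEYWORD_GROUP, query_string, re.IGNORECASE)
    return sorted({m.group(1).lower() for m in hits})


# Constructed sample query strings (not taken from any real site).
SAMPLES = [
    "ver=3.3.1",                 # ordinary cache-buster, should pass
    "range=(7d)",                # parentheses: the widget false positive
    "title=<b>Hi</b>",           # literal angle brackets
    "q=%3Cb%3Ehello%3C%2Fb%3E",  # the same brackets, percent-encoded
    "s=foo bar",                 # unencoded space
    "charset=utf-8",             # benign name containing "char" and "set"
    "orderby=date",              # benign name containing "order"
]


def report(samples=SAMPLES):
    """Map each sample query string to the filters that would block it."""
    return {qs: blocked_by(qs) for qs in samples}


if __name__ == "__main__":
    for qs, names in report().items():
        verdict = ", ".join(names) if names else "passes all filters"
        print(f"{qs!r:30} -> {verdict}")
        if "sql_keywords" in names:
            print(f"{'':30}    keywords: {hit_keywords(qs)}")
```

    Swap any rule you are about to add into FILTERS and run it over your own site's real query strings (taken from the access log) before activating it; that is the quickest way to see a false positive like the style.css 403 before visitors do.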

  29. Jon says:

    I have successfully installed BP Pro on a number of sites but am stumped at getting it to activate it on two new installs.

    I can save my email address on the activation screen but when I click on the ‘Get Key’ button it does not give me the usual message about an email being sent and no key is sent.

    I even went so far as to do a complete new install on one of the sites to see if maybe something was not installed correctly but nothing seems to work. Any thoughts or assistance would be greatly appreciated. Thanks!

    • AITpro Admin says:

      Please send your info via email using the Contact form.
      We will need the URL for the website you are trying to activate and also the PayPal email address that you are using. Thank you.

  30. Caderial says:

    First off I LOVE BPS but unfortunately if I cannot resolve this issue I may have to junk it. I am using WordPress version 3.2.1 with BuddyPress version 1.5.1 and the BuddyBoss theme version 2.0 all with BulletProof Security version .46.5

    With BuddyBoss there is an automatically installed photo gallery with the option to post directly to the wall or activity stream. But when I use the BPS .htaccess files that option to upload stops working. I can click upload and select a picture but it just sits there loading and loading. If I however create a default .htaccess file and shut off BPS I can then upload images as usual.

    Any suggestions? feel free to sign up for our site and have a look.

    • AITpro Admin says:

      Cool that you love it and a fix is going to be simple – they always are with BPS. And I can’t resist saying this jokingly – BPS is not for everyone, it is just for those people who don’t want their websites to get hacked. 🙂 LOL

      I think I have that BuddyPress Theme in stock for testing. First off does this photo gallery do anything with a thumbnailer script to do what is being blocked? If so, BPS now blocks ALL thumbnailer scripts by default until you explicitly allow them in your root .htaccess file by changing the thumbnailer Forbid rule. Previous versions of BPS did not block thumbnailer scripts by default. Those people who did not update their thumbnailer scripts like they should have, got their websites hacked 100% of the time. So now BPS is forcing you to make a conscious choice to allow thumbnailer scripts on your site in the hopes that you have done the steps to ensure that they are not hackable versions of the timthumb script.

      Nope I just checked and I do not have this Theme in stock to test it. I will need the name of the Plugin that is bundled with this Theme so that I can test it, but before even going that far just try adding a simple .htaccess Skip rule for it. What I need to know in order to provide that simple Skip rule is the folder name where this bundled Plugin is located. Another option is to just copy a default.htaccess file to where this Plugin is located and rename it to just .htaccess. CAUTION and you are WARNED. By doing this you are telling BPS not to protect this folder or your site from this Plugin. BPS usually only blocks things that are considered a threat to your website and simulate a hacking attempt against your website. So you want to be sure that what you are allowing will not end up getting your website hacked. If BPS is blocking something it is for a good reason 99.99% of the time. Thanks.

      • Caderial says:

        WOW Thorough reply, Quick to respond, Great answers and good dialog! Man i’m impressed!

        As for the plugin Bundled with Buddyboss i’m not sure at all, as it is default in the theme now. I downloaded the updated version of BuddyBoss and it came default with the option to turn the Picture Gallery Component on.

        I put the site in to maintenance mode with BPS and now i cant get access to my Dashboard, i am receiving a Forbidden 403 error. The only way to get back to my dashboard now is to delete the .htaccess files created by BPS and refresh , but when i try to recreate them, i can create the Default & Secure htaccess files and turn on the root protection but then when i try to enable the wp-admin folder protection it goes back to the Forbidden 403 error.

        I even uninstalled the BPS plugin entirely and re installed and i am still getting this error now. And so before i can even troubleshoot the buddyboss Picture Gallery Component issue i need to gte this resolved now lol

        As for the BuddyBoss situation I will dig around and find out if it is a plugin they created or not.

        Any suggestions?

        • AITpro Admin says:

          Maintenance Mode does not generate a Forbidden 403 error and is only designed to display a 503 HTTP Status Website Under Maintenance page, so I don’t know what you could have done to see that.

          The Root BulletProof Mode and wp-admin BulletProof Mode need to be activated together and deactivated together – you cannot have one activated without the other being activated or vice versa.

          What I recommend then is deleting both .htaccess files – 1 in your root folder and the 1 in your wp-admin folder so that you can log back into your site. Then either start all over or just do a BPS restore of your .htaccess files if you had everything set up and working correctly before.

          Just give me the name of the folder where this plugin is located and I can provide the .htaccess Skip rule for you, or like I said just copy a default.htaccess file to that folder and rename it to just .htaccess. Thanks.

          Oh yeah, I have seen this on a couple of other sites though – the sites were already hacked (without being obvious and giving anything away) and by activating BulletProof Modes the hackers’ Shell scripts were no longer masked (hiding) and 403 Forbidden Error messages all of a sudden were displaying. If you had or have any old versions of the timthumb scripts in use on your website that were not patched or replaced then your website is already hacked – this is 100% guaranteed.

          Since you only have the free version of BPS you should get this plugin – TimThumb Vulnerability Scanner – and check for any bad timthumb.php files. BPS Pro has a built-in string finder to find bad timthumb.php files and also hackers’ Shell scripts and anything else you want to search for.
          Thanks

          • Caderial says:

            Are the timthumb scripts just a plugin? If so, I have never installed or used this. If not, how would I check to see if it is being used?

            All I know now is I had to reinstall BPS, back up my default .htaccess files, recreate the default .htaccess file and the secure.htaccess file through the BPS interface, Activate Website Root Folder .htaccess Security Mode, which worked fine, but now as soon as I Activate Website wp-admin Folder .htaccess Security Mode, BAM, Forbidden error across the dashboard.

            So what do you think I FUBAR’d to cause this issue? Is there a way to start completely from scratch with BPS? Remove database information, generated php files, and generated htaccess files? I’m stumped, as for now to ensure my site is working I have to leave just the root protection turned on without turning on the wp-admin protection, because again as soon as I do activate it I am “forbidden”, which of course means I’m not protected lol.

            I know this must be something I have done. Gah! What a talent to have, eh? Screwing things up lol

          • AITpro Admin says:

            Timthumb scripts come bundled with Themes and Plugins. The timthumb.php script has been the standard thumbnailer script used in WP Themes and Plugins for quite a while now. I estimate that since last July several million WordPress websites have been hacked because these old thumbnailer scripts were never patched or replaced by website owners. There has been a massive epidemic for months now. Do a little Googling and I’m sure your hair will stand up. If your Theme or any of your Plugins have this old timthumb.php script in them then your website is hacked – this is 100% guaranteed. No “maybe I got lucky” here – your site would be hacked for sure.

            Then you must have some sort of folder permissions or directory protection on your wp-admin folder. There is no reason you should be seeing a 403 Forbidden error when activating wp-admin BulletProof Mode in a normal situation, unless your website is already hacked and there is a hacker’s Shell script installed on your website. Get the Timthumb Vulnerability Scanner plugin first before anything else. It will tell you whether or not your site is already hacked. It does not have the capability to find hackers’ scripts, but if you find any bad timthumb files on your site then there is no doubt that your website is already hacked.

          • Caderial says:

            Alright, I will try switching my permissions and such and dealing with the timthumb issue and get back to you.

            I replied here because I no longer get the reply button after this message on your site.

          • Caderial says:

            Alright, now I am really confused.

            Like I said before, I can back up & restore my old .htaccess files, and create the default and secure htaccess files, enable the root protection, but I get the 403 error when I enable the wp-admin protection, even though my folder permissions on the server are CHMOD 755.

            I also used the Timthumb Vulnerability Scanner and scanned and it returned “No instances of timthumb were found on your server.”

            So now I just don’t know what to do, I can’t seem to even use BPS anymore on my server.

          • AITpro Admin says:

            Excellent on the timthumb scan!!!! You have no idea how many people got nailed on this one. Massive!

            I am not sure why you are having such a difficult time here. This is a new problem that no one has ever asked me about before. Lucky you. Ha ha. Can you manually add an .htaccess file to your wp-admin folder? Try downloading the wpadmin-secure.htaccess file, then upload it to your wp-admin folder and rename it to just .htaccess. Thanks.

          • Caderial says:

            Alright, I have had to reset everything to defaults for my htaccess files, as BPS, even after I have removed it and reinstalled, still gives me forbidden errors site wide when I try to activate the security modes after backing up my old htaccess and creating the new BPS generated ones.

            Do you think that there are any leftover settings buried in my DB or php files, or changes to any of my php files that BPS may have made, that are causing this issue? I noticed a backup folder for BPS as well as a bps-maintenance-values.php file still on my server; could these be the culprits?

            I desperately want to use BPS, and am even considering Pro, if I could only get it working with my site again and work around that image issue I first had LOL

            Figures, try to fix one issue and create more! 8P

            Let me know your thoughts, ideas, suggestions etc. I really appreciate you taking the time to sift through all my messages, even though I tend to ramble lol

          • AITpro Admin says:

            Nope there are not any settings in your DB for BPS – it is all front end with no Settings Options stored in the DB. BPS does not change any files on your website besides just .htaccess files. BPS is very simple and it does something complex, but the plugin itself is very, very simple. Not really sure what to tell you to try next except for manually uploading the wpadmin-secure.htaccess file to your wp-admin folder and then rename it to just .htaccess. Thanks.

            To me the problem seems to have something to do with strictly your wp-admin folder and nothing deeper. Do you have any other plugins that are protecting this folder? Are you protecting this folder in your Control Panel? Look at the obvious problem with the wp-admin folder and think simple and you will figure it out. Thanks.

          • Caderial says:

            HA, oh man, you’re gonna love this one. OK so I tried your method now too, and now even when I try to turn on the root security it gives me the following

            Forbidden

            You don’t have permission to access /cgi-bin/php5-cgi/wp-admin/edit-comments.php on this server.
            Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

            across the site. I am going to talk with my hosting provider now to see if there is something on their end.

          • AITpro Admin says:

            Hmm, that is a very odd path. A cgi path to the wp-admin folder, what the heck, I have never seen that before. Did your old .htaccess file have any .htaccess code with a PHP handler? Did you have php_flags in your old .htaccess file? Are you using a CDN? Do you have W3TC installed and are you using eAccelerator? Someone else mentioned that there is an issue here. I have not looked into that yet. It also might be possible that your .htaccess file is corrupted.

          • Caderial says:

            Alright, I’m uninstalling BPS for today, will try again soon. Honestly our hosting provider ripped apart our site too and we couldn’t find anything.

            If you happen to have any epiphany or ideas let me know, I really love this plugin, just suddenly it hates me lol.

            I even tried to do as you suggested and copy over the htaccess file manually, still 403 forbidden error. Gah! I are defeated.

          • AITpro Admin says:

            In your particular specific case it looks like you have an invalid PHP handler in your root .htaccess file. something like this .htaccess code below. If you see PHP handlers in your root .htaccess file then comment them out and test.

            AddType application/x-httpd-php .php
            Action application/x-httpd-php /cgi-bin/php5.cgi

            Ok so after looking around the Internet for a while there are several common things that can cause this 403 Forbidden problem:
            Your particular specific Web host may require that you add a PHP handler – check with your Web Host to see if they require this. This is a general example of a php handler below. All web hosts have their own specific handlers – DO NOT just use this example php handler – check with your Web Host.

            # ADD A PHP HANDLER - Add your hosts php Handler below if you are using a php handler
            # Example GoDaddy PHP 5.2.x php handler is shown commented out below
            #AddHandler x-httpd-php5 .php
            

            You have set directory password protection on your wp-admin folder. The .htaccess code that your web host automatically wrote to your .htaccess file in your wp-admin folder has been overwritten when you activated BulletProof Mode for your wp-admin folder. Within the wp-admin .htaccess file you will see code examples – one of them is adding directory protection for your wp-admin folder – uncomment that .htaccess code. CAUTION!!! ONLY uncomment this code if you have set up directory protection for your wp-admin folder in your web host control panel first.

            Folder permissions are not set to 755 for your WordPress folders. In BPS File and Folder permissions checking there are recommendations to set your folder and file permissions to more strict permissions – CAUTION!!! If your particular host does not allow this then these recommendations will not work for your site and could cause 403 Forbidden Errors or worse. Check with your Web Host first to see if they allow more restrictive File and Folder Permissions.

            You have invalid .htaccess code in your root .htaccess file or there is a typo somewhere or the root .htaccess file is corrupted – create a new Master .htaccess file using the AutoMagic buttons and Activate BulletProof Modes again.

            This is a long shot possibility and will cause 500 errors and your site will be down if you add this. Check first with your web host before adding this .htaccess code to your root .htaccess file. ONLY use this .htaccess code if your particular Web Host is using mod_security.

            <IfModule mod_security.c>
            SecFilterEngine Off
            SecFilterScanPOST Off
            </IfModule>
            
  31. Carlos says:

    Hi,

    I’ve posted this question by mistake on the Pro section. Can you please delete it there?

    The question:

    after updating the plugin to the latest version, I’m getting a blank screen to our site (even administrative WP back end). Any suggestion? The previous version was working fine, and still is in another site we run at the same server/account.

    Thanks!

    • AITpro Admin says:

      Double check the “basics” to ensure that when you create your Master .htaccess files using the AutoMagic buttons your Master .htaccess files are being created correctly, then compare your old .htaccess files with the new Master .htaccess files to see if you have added any additional settings in your old .htaccess code like php handlers or any other custom .htaccess code. If you have additional .htaccess code then add it to the new Master .htaccess files before activating them with BulletProof Modes. Then be sure when you do Activate BulletProof Modes that you are activating both the Root and wp-admin BulletProof Modes. The new .htaccess code filters in BPS may have new conflicts with plugins that are doing something in your wp-admin dashboard like adding menus or controlling menus, but before looking too deep at this just look at all the basics first. If all the basics look good then I will go deeper on this. So far in general not too many people are experiencing problems with the new .htaccess code so just rule out the basics and then we can take it from there. Thanks.

      • Carlos says:

        Thanks for the reply and suggestion.

        As I’ve mentioned, right now I don’t have access to the site, and don’t have access to WP Dashboard (I’m getting a blank page when I try the login page). So I’ll have to work via ftp.

        Can you recommend procedures or a tutorial for this? Which files should I check, or even replace with the previous one?

        And as far as I’m aware, we didn’t have any custom rule in our previous installation.

        Thanks again.

        • AITpro Admin says:

          Oh OK, then there is a mistake / typo in your root .htaccess file or the RewriteRule and RewriteBase are incorrect. FTP or use your Control panel and delete the .htaccess file that is in the root directory of your website. This will enable you to get back into your WP Dashboard. Then try the basics again.

          • Carlos says:

            I deleted it, and still get a blank page for the wp-login.php page. Thanks…

          • AITpro Admin says:

            Ok then try adding a WordPress default .htaccess file to your root folder. At this point BPS is not active or in use on your website, but depending on how you have your site architecture set up and what you are doing with Permalinks then your site set up may require that you have a WP default .htaccess file in your root folder to gain access to your WP Dashboard. Use the default.htaccess file that comes with BPS >>>> /wp-content/plugins/bulletproof-security/admin/htaccess/default.htaccess. download it then add your site’s correct RewriteBase and RewriteRule to that file, then upload it to the correct folder (where WordPress is really installed) and rename that file to just .htaccess by removing “default” from in front of the file name.

    • Carlos says:

      Many, many thanks for your attention.

      I’ve just realized what the problem is. The symptom was pointing to this, I should have noticed before. In fact there’s an additional rule in the htaccess file, and it wasn’t kept with the update:

      php_flag eaccelerator.enable 0
      php_flag eaccelerator.optimizer 0

      It seems that W3 Total Cache plugin with CDN enabled in a LiteSpeed environment has some incompatibility with eAccelerator — so one gets only blank pages. So we had added this rule and I absolutely missed it was lacking from the new htaccess file.

      Many thanks again!

      So the main issue here was not noticing this.

      • AITpro Admin says:

        Great and for now you can use the My Notes feature in BPS to save this permanently as a reminder for you in-between upgrades. Hopefully by the next version release of BPS we will have figured out a way to write new .htaccess code to the existing .htaccess file, retain any old .htaccess code in the old .htaccess file, somehow figure out how to change the BPS version info and then magically jump to and write to other pointers in the .htaccess file. Every attempt at creating such a magical writing feature like this has resulted in working for some conditions and not working for other conditions. The issue is always trying to figure out what will work in a million different scenarios and possible combinations and then magically working for the combinations or scenarios that you would never think of. LOL

        I’m curious about what Server API is being displayed to you. Do you see CGI or DSO on the System Info page with your LiteSpeed SAPI?
        Thanks,
        Ed
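
Both upgrade problems in this thread (Caderial's lost PHP handler and Carlos's lost php_flag eaccelerator lines) come from the same place: the AutoMagic Master .htaccess files are generated fresh, so any host-specific directives in the old root .htaccess have to be found and carried over by hand before BulletProof Modes are activated. The script below is an added example for doing that comparison and is not part of BPS. It reads two .htaccess files, drops comments and blank lines, and lists every directive present in the old file that the new one lacks. The group labels (php handler, php ini override, directory auth, rewrite) are this example's own convention, and the two embedded .htaccess texts are constructed samples assembled from lines quoted in the thread, not copied from a real site.

```python
#!/usr/bin/env python3
"""List directives in an old .htaccess that a freshly generated one lacks.

Added example for the BPS upgrade discussion; not part of the plugin.
Usage: python3 htaccess_carryover.py old.htaccess new.htaccess
"""
import re
import sys

# Labels are this example's own convention, chosen from the things the
# thread shows getting lost: PHP handlers, php_flag lines, directory auth.
GROUPS = (
    ("php handler", re.compile(r"^(AddHandler|AddType|Action)\b", re.I)),
    ("php ini override", re.compile(r"^php_(flag|value|admin_flag|admin_value)\b", re.I)),
    ("directory auth", re.compile(r"^(AuthType|AuthName|AuthUserFile|Require)\b", re.I)),
    ("rewrite", re.compile(r"^Rewrite(Engine|Base|Cond|Rule)\b", re.I)),
)

def directives(text):
    """Yield directive lines with comments and blanks removed and whitespace normalised."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield " ".join(line.split())

def classify(line):
    """Return the group label for one directive line."""
    for label, rx in GROUPS:
        if rx.match(line):
            return label
    return "other"

def lost_directives(old_text, new_text):
    """Return (label, directive) pairs present in old_text but absent from new_text,
    in the order they appear in the old file, each reported once."""
    present = set(directives(new_text))
    seen, lost = set(), []
    for line in directives(old_text):
        if line not in present and line not in seen:
            seen.add(line)
            lost.append((classify(line), line))
    return lost

# Constructed samples built from lines quoted in the thread (not a real site).
OLD_HTACCESS = """\
# host-specific PHP handler (GoDaddy example from the thread)
AddHandler x-httpd-php5 .php
php_flag eaccelerator.enable 0
php_flag eaccelerator.optimizer 0

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

NEW_HTACCESS = """\
# freshly generated Master file: WordPress rewrite block only
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
"""

def demo():
    """Run the comparison on the constructed samples."""
    return lost_directives(OLD_HTACCESS, NEW_HTACCESS)

def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f_old, open(argv[2]) as f_new:
            lost = lost_directives(f_old.read(), f_new.read())
    else:
        lost = demo()
    for label, line in lost:
        print(f"{label:18} {line}")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the old root .htaccess and the new Master file before activating BulletProof Modes. The WordPress rewrite block is already in the Master file, so it does not show up; what does show up (the handler and the php_flag overrides) goes back in only if the host actually requires it, which is the check the replies above ask for.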

        • Carlos says:

          The info provided by BPS may not be so helpful: “Server API: litespeed – Your Host Server is using DSO or another SAPI type.” 🙂

          • AITpro Admin says:

            Well it tells me that LiteSpeed is not configured to run PHP as a CGI and is instead using the Apache Module mod_php to handle PHP. LiteSpeed can be configured to work for suPHP and suExec and run PHP as CGI as well as using mod_php. It is either a set up that your Host will force upon you or they may offer you the option of choosing your PHP handling method. And also that the correct DSO File and Folder Permissions table will be displayed to you and the File Lock and Unlock buttons will not be displayed to you because they should not be. Thanks.

        • Carlos says:

          What makes the scenario more absurd, in a sense, is that having W3TC enabled with self-hosted CDN or with no CDN works perfectly without the rules. But if used for a third party CDN, there’s this problem.

          • AITpro Admin says:

            My guess would be that the BPS filters are seeing a simulated RFI then. I would have to look at it to know exactly why that is, but my first instinct is that something is seen as an external threat in the BPS filters when choosing a 3rd party CDN configuration. Thanks.

  32. Sookie says:

    Followed up –

    After updating to the latest version today, the WP sites that are installed in a subfolder and a subdomain are working. Thanks

    • AITpro Admin says:

      Are you using “Giving WordPress Its Own Directory” by any chance? BPS .46.5 now detects this type of WordPress installation and writes the true folder name to the .htaccess RewriteBase and RewriteRule where your site is actually truly located (Site address URL) and not what is visually displayed to visitors (WordPress address URL). Thanks.

      • Sookie says:

        After updating, the images on the homepage are not showing. But when I view the complete article, the images are showing. I don’t know how to make the images show….

        • Sookie says:

          I downloaded the latest version of timthumb.php and changed the [F,L] to [S=1] in .htaccess

          The images are showing… Thanks

          • AITpro Admin says:

            Excellent, Excellent, EXCELLENT!!!!! Not too many people bother looking at all the Help info included in BPS. I want to give you my sincere thanks for reading the help info and applying the necessary changes. All the hours and hours of creating help info within BPS have not been wasted after all. 😉 Thank you for this feedback – Very, very much appreciated!!!

            Sincere Thanks,
            Ed

  33. Sookie says:

    Hi,

    You mentioned: “The new root .htaccess file rules and filters will affect the entire site.” I am having issues.

    403 Forbidden
    You don’t have permission to access /wp-admin/admin.php

    I installed 2 WordPress sites, one in my subfolder and one in my subdomain. When I log on to the admin panels and go to the widgets (I click them and drag, not working); for some plugins when I click the settings button I get the 403 error, and when I click “privacy” under settings I get the same warning.

    The WordPress in my main root folder works fine – it’s the subfolder and subdomain.

    How can I fix this?

    Under Edit/Upload/Download there are 6 .htaccess (please let me know which one if I ever have to add some code)

    I contacted the hosting support and their advice is not solving the issues.

    Please advise.

    Thanks.

    • AITpro Admin says:

      You are describing exactly what happens when BulletProof Mode for the wp-admin folder has not been activated. Have you activated BulletProof Mode for your wp-admin folder? Both Root and wp-admin BulletProof Modes must be activated together. Have you used the AutoMagic buttons to create your Master .htaccess files for your sites? You have 2 tabs that say “currently active…” those are your currently active .htaccess files and the other tabs are the Master .htaccess files. Thanks.

  34. I’ve installed your plugin and have had no problems with the set up – and it shows green checks across the board as far as security for my blog. So, imagine my surprise this morning when I signed in and found a stranger had somehow accessed my admin – not only that – sent out an article to my subscriber list! As you can imagine I’m kind of freaking out about this so any advice will be greatly appreciated.

    • AITpro Admin says:

      BPS does not provide Authentication Security. Authentication security is handled by WordPress itself. BPS protects against hackers’ scripts being run against your website and hacking your site. If a hacker has cracked your WordPress Admin password then you will need to change all of your WordPress passwords including your WP MySQL Database password in your web host control panel as well as your wp-config.php file. Have you checked that all of your thumbnailer scripts are security patched or new versions of the thumbnailer scripts – timthumb.php, thumb.php, thumbs.php and phpthumb.php? The current version of BPS automatically allows these thumbnailer script file requests to be allowed. The next version release of BPS automatically forbids these thumbnailer scripts unless you explicitly want to allow them on your website.

      What i recommend is you put your site in Maintenance Mode immediately. Then check your Theme or Themes for thumbnailer scripts, check all your plugins for thumbnailer scripts and replace them with the new Timthumb.php file version that can be downloaded here >>> http://code.google.com/p/timthumb/ Or you can check with your Theme author or plugin authors for the latest patched versions of Themes or Plugins. Then change all of your passwords.

      Thanks.
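
The same check comes up in Caderial's thread above and in this reply: does the site still contain an old copy of timthumb.php, or a renamed copy such as thumb.php, thumbs.php or phpthumb.php, that was never patched or replaced? The script below is an added example, not the TimThumb Vulnerability Scanner plugin and not BPS Pro's string finder. It walks a WordPress tree, picks up files with those names plus any .php file whose source mentions timthumb (a renamed bundled copy), and reads the VERSION constant that timthumb.php declares. The 2.0 cut-off is an assumption of this example (the rewritten 2.x series replaced the 1.x scripts involved in the 2011 compromises the replies describe); files with no version line are reported as unknown so they get inspected rather than skipped. The sample tree in demo() is constructed, not a real install.

```python
#!/usr/bin/env python3
"""Find timthumb-style thumbnailer scripts in a WordPress tree and report
their declared version. Added example; not the TimThumb Vulnerability
Scanner plugin or BPS Pro's string finder.
Usage: python3 timthumb_audit.py /path/to/wordpress
"""
import os
import re
import sys
import tempfile
from pathlib import Path

# File names the reply above lists as thumbnailer scripts.
THUMBNAILER_NAMES = {"timthumb.php", "thumb.php", "thumbs.php", "phpthumb.php"}

# timthumb.php declares its version as:  define ('VERSION', '2.8.11');
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9.]+)['"]\s*\)""")

# Assumption of this example: the 2.0 rewrite is the cut-off; anything older
# is reported as outdated. Adjust to whatever your theme/plugin author ships.
MIN_SAFE_VERSION = (2, 0)

def parse_version(text):
    """Return the VERSION constant as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p.isdigit())

def classify(path, text, min_version=MIN_SAFE_VERSION):
    """Label one candidate file as current, outdated or unknown."""
    version = parse_version(text)
    if version is None:
        status = "unknown"      # renamed/edited copy with no version line: inspect by hand
    elif version < min_version:
        status = "outdated"
    else:
        status = "current"
    return {"path": str(path), "version": version, "status": status}

def scan_for_thumbnailers(root, min_version=MIN_SAFE_VERSION):
    """Walk root; report .php files named like a thumbnailer or whose source mentions timthumb."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if name.lower() in THUMBNAILER_NAMES or "timthumb" in text.lower():
                findings.append(classify(path, text, min_version))
    findings.sort(key=lambda f: f["path"])
    return findings

def build_sample_tree(base):
    """Constructed sample install used by demo(); not a real site."""
    samples = {
        "wp-content/themes/oldtheme/timthumb.php": "<?php\ndefine ('VERSION', '1.34');\n",
        "wp-content/plugins/gallery/thumb.php": "<?php\ndefine ('VERSION', '2.8.10');\n",
        "wp-content/themes/oldtheme/lib/resize.php": "<?php\n// bundled TimThumb copy, version line removed\n",
        "wp-content/themes/oldtheme/functions.php": "<?php\n// nothing to do with thumbnails\n",
    }
    for rel, body in samples.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

def demo():
    """Scan the constructed tree; return (file name, version, status) triples."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_for_thumbnailers(tmp)
    return [(Path(f["path"]).name, f["version"], f["status"]) for f in findings]

def main(argv):
    if len(argv) > 1:
        for f in scan_for_thumbnailers(argv[1]):
            print(f"{f['status']:9} {str(f['version']):12} {f['path']}")
    else:
        for name, version, status in demo():
            print(f"{status:9} {str(version):12} {name}")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Anything reported as outdated or unknown should be replaced with the current file from the timthumb project or the theme or plugin author's patched release, and, as the reply above says, an outdated copy means treating the site as already compromised and looking for dropped shell scripts as well, which this scan does not do.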

      • Thanks for the quick response – I’ve changed all the passwords and a few other things, etc., – would love to put blog on maintenance mode so I can keep working to make sure I really get it cleaned up but maintenance mode doesn’t seem to be working. By that I mean I can’t get the information to change from the default form. I’ve refreshed, started over, refreshed at least 4 times now and it still comes up with only the default information – which shows my site coming back up in April.

        Thoughts?

        • AITpro Admin says:

          The form has text examples to the right of the text fields of what you could enter into the text fields. You can copy that example text to the text fields, change AITpro to your site’s name, click Save Form Settings, click Create Form, click Preview Form to see what your site will look like to visitors. If everything looks good click Create .htaccess file and then click Activate Maintenance Mode. If you have entered text into the text fields and you cannot save it then either the bps-maintenance-values.php and / or bp-maintenance.php files are missing and not in the BPS /htaccess folder, you have some sort of folder permissions writing problem or your database is damaged. Check the simple stuff first then go deeper if the problem is deeper. Thanks.

  35. Jordan says:

    Hi,

    I downloaded your plugin and I used the checker server header tool. I got these results:

    HTTP/1.1 403 Forbidden Date: Sun, 06 Nov 2011 08:54:02 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=iso-8859-1

    I am new to WordPress and I am wondering if it will affect my Google search engine rankings. Will search engines index my pages with the 403 forbidden? How can I fix this?

    I already uploaded the BPS forbidden.html page in my root folder. BOTH BulletProof Modes are activated – Root .htaccess protection and wp-admin .htaccess protection

    2nd —

    My website domain is http://ait-pro.com and I want to change to http://www.ait-pro.com.

    I don’t know how to modify domain via the .htaccess – I may get some errors. Please advise. Thank you.

    • AITpro Admin says:

      If you want to allow junk bots and spam bots to grab your Header info then comment out the Filter Request Methods Rule. This is only blocking undesirable bots. I block these request methods and some more on my sites and as you can see I have an Alexa traffic rank under 100,000 so this is not affecting any good or legitimate bots like Alexa, Google, etc.

      # FILTER REQUEST METHODS
      RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
      RewriteRule ^(.*)$ - [F,L]
      

      You don’t need to change the www prefix in your .htaccess file. WordPress already has a setting that will do this for you. Go to your WP Settings panel >>> click on General and add the URL prefix you want under >>> WordPress address (URL) and Site address (URL).
      Thanks.

      • Jordan says:

        Thanks for telling me. I will just leave as it is.

      • Bryan says:

        I had a problem where the count shown by my Twitter share button on the main site URL (a static front page) would not update and stayed at 0. The counts on my posts updated fine.

        It turns out the Twitter bot does a HEAD request when checking tweeted URLs. Since it was getting a 403 status code instead of 200, it decided the URL was invalid, so the tweet count never updated. I removed HEAD from the Filter Request Methods rule, which fixed the problem.

        So I’m wondering now, what advantage is there to disallowing HEAD requests only on the main site URL and not on any of the posts/pages? Would junk bots not bother with the rest of the site if they couldn’t do HEAD requests for the main URL?

        Anyway, if anyone using BPS is seeing no updates of tweet counts on the main page, that’s the reason why. Hope it helps someone, it drove me nuts for a while. 😉

        • AITpro Admin says:

          The new root .htaccess file rules and filters will affect the entire site. Major changes have been made to all .htaccess files and a massive amount of new Security Exploit filters have been added. We are way behind schedule with getting BPS Pro 5.1 released, but it looks like it will be released either today or tomorrow. The BPS Free version containing these new .htaccess files should be released in a week or so.
          Several people have wanted the HEAD Request Method to be allowed on their sites for all bots, so I will add this additional info within the new .htaccess files about what this filter blocks to make it easier for people to figure out what they want to do or not do with it.

          # REQUEST METHODS FILTERED
          # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
          # HEAD requests from bots that you want to allow in certain cases. This is not a security filter and is just
          # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
          # all bots to make a HEAD request then remove HEAD from the Request Method filter.
          # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
          RewriteEngine On
          RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
          RewriteRule ^(.*)$ - [F,L]
          

          Also i want to point out that blocking the HEAD request does not negatively affect your website traffic, the google bot or Alexa Ranking. Without really making any effort at all AITpro is ranked in the top 100,000 sites in the World by Alexa and we have 100’s of #1 ranking posts in the World. When we do make an effort to achieve higher World ranking I imagine that getting into the top 10,000 ranked sites in the World will not require much of an effort on our part.

          Thanks for the great input. 😉
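
To make visible what the Filter Request Methods rule above turns away, and why removing HEAD fixed Bryan's Twitter count, here is an added example (not BPS code) that replays constructed access-log lines through the rule. It parses the RewriteCond line quoted above, honours the [NC] flag, and reports which requests would hit the RewriteRule ^(.*)$ - [F,L] and be answered with 403 Forbidden. remove_method() performs the edit the reply recommends, dropping HEAD while keeping TRACE, DELETE, TRACK and DEBUG blocked. The log lines, user agents and IP addresses are constructed samples.

```python
#!/usr/bin/env python3
"""Replay constructed access-log lines through the BPS request-method
filter to see which requests it turns away. Added example, not BPS code."""
import re

# The RewriteCond line quoted in the reply above.
RULE_LINE = "RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]"

# Constructed combined-log-format lines (addresses from the documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Nov/2011:08:54:02 +0000] "HEAD / HTTP/1.1" 200 - "-" "Twitterbot/1.0"',
    '198.51.100.3 - - [06/Nov/2011:08:55:10 +0000] "GET /2011/11/some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.9 - - [06/Nov/2011:08:56:31 +0000] "TRACE / HTTP/1.1" 200 - "-" "curl/7.21.0"',
    '203.0.113.7 - - [06/Nov/2011:08:57:45 +0000] "GET /2011/11/some-post/ HTTP/1.1" 200 5120 "-" "Twitterbot/1.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def compile_method_rule(cond_line):
    """Compile the pattern of a 'RewriteCond %{REQUEST_METHOD} <regex> [flags]' line.
    Only the NC (case-insensitive) flag is honoured; it is the only one this rule uses."""
    parts = cond_line.split()
    if len(parts) < 3 or parts[0] != "RewriteCond" or parts[1] != "%{REQUEST_METHOD}":
        raise ValueError("not a REQUEST_METHOD RewriteCond: " + cond_line)
    flags = set(parts[3].strip("[]").split(",")) if len(parts) > 3 else set()
    return re.compile(parts[2], re.IGNORECASE if "NC" in flags else 0)

def remove_method(cond_line, method):
    """Return the RewriteCond line with one method dropped from its ^(A|B|...) alternation."""
    parts = cond_line.split()
    m = re.fullmatch(r"\^\((.*)\)", parts[2])
    if m is None:
        raise ValueError("pattern is not of the form ^(A|B|...): " + parts[2])
    kept = [alt for alt in m.group(1).split("|") if alt.upper() != method.upper()]
    parts[2] = "^(" + "|".join(kept) + ")"
    return " ".join(parts)

def replay(log_lines, rule):
    """For each parsable line, record whether the RewriteCond matches, i.e. whether
    the following 'RewriteRule ^(.*)$ - [F,L]' would answer 403 Forbidden."""
    results = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue   # not combined log format; skip rather than guess
        results.append({
            "method": m["method"],
            "path": m["path"],
            "ua": m["ua"].split(" ")[0],
            "blocked": rule.match(m["method"]) is not None,
        })
    return results

def main():
    for title, line in (("as shipped", RULE_LINE),
                        ("HEAD removed", remove_method(RULE_LINE, "HEAD"))):
        print(f"--- {title}: {line}")
        for r in replay(SAMPLE_LOG, compile_method_rule(line)):
            verdict = "403 Forbidden" if r["blocked"] else "passed through"
            print(f"{r['method']:6} {r['path']:22} {r['ua']:18} {verdict}")

if __name__ == "__main__":
    main()
```

A practical use is to feed it a day of the real access log before deciding whether HEAD stays in the rule: if crawlers or link checkers you care about show up as blocked HEAD requests, drop HEAD as the reply suggests and leave the rest. Where you control the server configuration rather than only .htaccess, TRACE can also be switched off globally with Apache's TraceEnable off directive.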

  36. Mike says:

    I installed your plugin and all worked fine on my first website.

    I tried to install on the second site, and when I was trying to activate one of the settings it went to a blank white screen. Now when I get to the admin page, it takes my username and password like normal, but just shows a blank white screen and not the default dashboard. I don’t know how to fix this as I can’t log in to WordPress, but I can get into ftp. Can you please help me?

    Thanks in Advance

    Mike

    • AITpro Admin says:

      FTP to your site or use your Control Panel and delete the .htaccess file in the root folder for that website. This will allow you to log back in. Thanks.

  37. Daniel says:

    I love your plugin first of all. It has kept my site safe so far. I do have one question: I want to move my site from the root public folder to a subfolder so I can run multiple websites on my hosting account (I use Bluehost). Each new site will be in a subfolder and will use your plugin. What, if any, changes should I make to enable me to do this.

    Thanks

    • AITpro Admin says:

      If you are actually doing a true site migration then you would simply start by creating a good naming convention site architecture / structure and move your files to the appropriate folder,
      starting with good folder naming conventions:
      /website1.com
      /website2.com
      /website3.com

      See this WordPress Codex for your options >>> http://codex.wordpress.org/Moving_WordPress

      Now as far as BPS goes, you would install BPS in each site, click the AutoMagic buttons to create your Master .htaccess files for each site and Activate all BulletProof Modes for each site. Thanks.

  38. Brent Green says:

    I added BulletProof to my WordPress site which is using the Thesis theme. I tried bullet proofing my site by clicking on your software buttons. I found too late that your product is over my head in complexity, however, and now I’d like to return my site to the status it was in before I tried to install BulletProof. Right now I’m getting 401 errors when I try to use the Thesis plugin to add pages to the site. I’m also getting 401 errors when trying to delete or update plugins. I restored the WordPress database from a back up, hoping to return all files to their pre-BulletProof status. But this didn’t work either. Please help. I cannot afford to lose all this functionality in my site.

    • AITpro Admin says:

      HTTP 401 Status code means “Unauthorized”. Have you set up directory protection via your web host control panel or with an .htaccess file manually? The typical HTTP errors that people will see if BPS is not set up correctly are 404 and 403. In any case, in order to restore your site back to its original status you need to modify these 2 .htaccess files – 1 in your website root folder and 1 in your /wp-admin folder. Or you can try and just delete them and then generate a new default WordPress .htaccess file by clicking Settings > Permalinks > Update Permalinks. BPS does not add anything to your DB that will affect the security of your site, the BPS plugin files themselves do not add security to your site directly – only indirectly by processing the plugin’s php code to generate the .htaccess files.

      • Brent Green says:

        Thank you for providing these suggestions. In my version of WordPress 3.2.1, there’s not an “Update Permalinks” button. There is a “Save Changes” button. So if I manually delete the two .htaccess files as you suggest, then do I simply go to Permalinks and click on Save Changes? I intend to leave my Permalink “Common Settings” the same, which is “Month and Name.”

        • AITpro Admin says:

          Yep you are correct. I was just telling you generally what needed to be done. Not a literal step by step. 😉 When you click “Save Changes” WordPress generates an .htaccess file in your website root folder, but ONLY if you are using a custom permalink structure. If you are not using a custom permalink structure then URL rewriting is performed internally via WP php code URL rewriting. So in your case, if you leave Common Settings and then click Save Changes, it will obviously not create an .htaccess file. So if you don’t want to use BPS then just delete the .htaccess files and that is all you need to do. Then you can leave the plugin installed or delete it.

          Ok well that explains why BPS is probably not working correctly and most likely the HTTP error messages were 404 or 403. Using BPS requires that you use a custom permalink structure, as all WordPress websites should be using a custom permalink structure. See this post for general and basic reasons for why and how to do this >>> http://www.ait-pro.com/aitpro-blog/2304/wordpress-tips-tricks-fixes/permalinks-wordpress-custom-permalinks-wordpress-best-wordpress-permalinks-structure/. What this post does not explain is that if you use common settings or pretty permalinks then your URL rewriting is being performed via WP internal rewriting instead of .htaccess rewriting. This works of course, but there are many reasons why you should not do this – security, performance, etc. You can achieve the exact same thing by using the Permalink Structure Tags ( /%monthnum%/%postname%/ ) that you want to use for your URLs and creating a custom permalink structure that you want to use. Thanks.

      • Brent Green says:

        I found an .htaccess file in the root directory but not in the wp-admin directory. Does this change anything? Should I simply delete the current .htaccess file in the root directory and then click on “Save Changes” in the Settings>Permalinks section of the dashboard? I would prefer to leave the current permalinks selection of “Month and name” the same. But I could temporarily select another settings option, say “Day and name,” save that change, and then later restore the setting to “Month and name.”

        • AITpro Admin says:

          See my previous comment reply. Also in order for BPS to work correctly BOTH BulletProof Modes must be activated – Root .htaccess protection and wp-admin .htaccess protection, otherwise you will get 404 and 403 errors. Thanks.

          • Brent Green says:

            Thank you. I really appreciate your excellent support and follow up. I built the website from scratch myself with no training. So sometimes I run into my limitations. I have much experience in marketing but very limited experience in manipulating code. As I become more adept, I plan to add BulletProof back, but this time I’ll read and watch everything you provide. I just don’t want to lose update functionality in the meantime. Again, much appreciated.

          • AITpro Admin says:

            Sure no problem. If you are not planning on using any security on your site at this point then be sure to make daily backups of your WordPress Database in addition to the daily backups that GD does for your files. GD backup and restore is great, but it is primarily designed to backup files and not your DB. For quick disaster recovery i recommend using the XCloner backup plugin – i have tested this plugin and it is very secure. The last thing you want to happen is to lose all the work you have done so far and have to start all over. 😉 Thanks.

  39. Chris Jewell says:

    Installation on the website has gone fine and all seems to be working OK. I just need to know if it's OK to add 301 redirections for pages with a changed URL to the htaccess file, and where they should be placed.

    • AITpro Admin says:

      Are you sure you really need to add .htaccess 301 redirects? WordPress already has this built into it and should automatically add 301 redirects for you. If this is for something else or just a specific URL or a few URLs then you would add this right after the #Begin WordPress .htaccess code in your root .htaccess file. What are you trying to redirect exactly?

      Redirect 301 /oldpage.php http://www.ait-pro.com/newpage.php
      
  40. MJ says:

    Getting many permission errors:

    Warning: copy(/home/usernamehere/public_html//.htaccess) [function.copy]: failed to open stream: Permission denied in /home/usernamehere/public_html/wp-content/plugins/bulletproof-security/admin/options.php on line 42

    Warning: chmod() [function.chmod]: Operation not permitted in /home/usernamehere/public_html/wp-content/plugins/bulletproof-security/admin/options.php on line 43

    Warning: copy(/home/usernamehere/public_html//.htaccess) [function.copy]: failed to open stream: Permission denied in /home/usernamehere/public_html/wp-content/plugins/bulletproof-security/admin/options.php on line 44

    –and–

    These are all chmoded 644 but I still get this error:

    Cannot write to the secure.htaccess file. Minimum file permission required is 600.
    Cannot write to the default.htaccess file. Minimum file permission required is 600.
    Cannot write to the maintenance.htaccess file. Minimum file permission required is 600.
    Cannot write to the wpadmin-secure.htaccess file. Minimum file permission required is 600.

    It seems like every task I try, I get a permissions error even when I chmod the files in ftp. What am I doing wrong?

    • AITpro Admin says:

      Most likely your web host is using mod_php also known as DSO. Ask them to switch you to suPHP. This is something that you will have to check with your web host ServerBeach for the answer. I googled this and see that other people have also had CHMOD issues with ServerBeach hosting. This is not a good and safe solution, but it appears that people have had success by using SH and CHMOD to 777. I DO NOT recommend doing this. Please check with your host to find out why this problem is occurring. Once the permissions issue is resolved on your hosting account then BPS should automatically work normally.

      Also I noticed that an image was not displaying correctly on your site. The path to the image file includes this folder name “/new” in the path. Thanks.

  41. jwsheff says:

    My WordPress site is in the root (public) directory. I would like to change the allow_url_fopen setting in php.ini to off. The master for my server is set to on, so I put my own in the same root folder with allow_url_fopen set to off and set the configuration for my server to use php5 single php.ini (the one in the root directory). The problem is that activating BPS Security not only denies access to php.ini forcing the use of the server master php.ini but also seems (not sure how) to force the server setting for php5 single php.ini back to php5 using the server master php.ini. I have tried editing out php.ini and php5.ini from the deny access line in the .htaccess file for both the secure.htaccess and my current htaccess and the results are the same. This is the line I edited to remove php.ini and php5.ini:

    Any ideas how I can make allow_url_fopen Off?

    • AITpro Admin says:

      Is this for the Free version of BPS or do you have BPS Pro?
      php5.ini is a naming convention for a custom php.ini file that is used for only 1 web host, which is GoDaddy.
      The php.ini and php5.ini FilesMatch files are only blocked from being directly accessed via a browser and this would not affect the php.ini setup itself. This is just to protect the files from being opened by someone other than yourself.
      The URL link in your comment points to a website on BlueHost hosting.
      It sounds like you have not added the BlueHost required .htaccess code (the handler .htaccess code) to your root .htaccess file so that your custom php.ini file will be recognized by the server as your website’s Loaded Configuration file (php.ini). Please see this post for the steps that you need to do in order to use a custom php.ini file on BlueHost. http://www.ait-pro.com/aitpro-blog/2853/bulletproof-security-pro/php-ini-general-and-host-specific-php-ini-information-for-bps-pro#bluehost-hostmonster-fastdomain

      If this is for BPS Pro then we will be glad to set this up for you if you want. Thank you.

  42. plastikm says:

    I’m getting this message:
    You do not have sufficient permissions to access this page.

    Would your plugin cause this issue in any way? I keep finding comments in other forums that reference .htaccess with this issue, but I’m not able to find a resolution. The issue I’m having is admin has access to the wp-admin, but if I add a new user and give them access to the wp-admin other than admin they get this message and are not able to contributor, editor or author.

    If you have any suggestions, that would be great. I have the current version of WordPress. I only have akismet, your plugin and constant contact api. I’ve tried turning them off, but it’s still not working.

    Thank you for your time.
    Dana

    • AITpro Admin says:

      Maybe or maybe not. I can’t really tell you anything without seeing or knowing what the actual URL link is. BPS does not affect WordPress User Roles so it is not a Role issue. It must be related to whatever the URL is. Please reply with the specific details about what the problem is. If you want to keep your info confidential then send that info using the AITpro Contact form. Thanks.

  43. Bob says:

    I get a 403 (forbidden) error on one plugin when I activate. The plugin is SimpleMap Store Locator.

    It blocks the map from being fully loaded: http://www.oregonfirst.org/teams/findateam/

    How can I code around this in the .htaccess:

    /wp/?sm-xml-search=1&lat=45.518786&lng=-122.679343&radius=&namequery=45.518786,%20-122.679343&query_type=all&limit=&sm_category=&sm_tag=&address=&city=&state=&zip=Failed to load resource: the server responded with a status of 403 (Forbidden)

    • Bob says:

      I commented out this:

      #RewriteCond %{QUERY_STRING} tag\= [NC,OR]

      And it now works. I try to google how the tag\= works and I cannot find any docs.

      Is this the right way to fix this?

      • AITpro Admin says:

        Funny but I can't even remember why I added that now. Even funnier, when I do a search all I find are a billion copies of my .htaccess security filters all over the Internet. LOL Logically it would have something to do with RFI (Remote File Inclusion) hacks, but I think that this is now completely obsolete so I will most likely just get rid of this in the next release of BPS. So yeah just delete that line of code. I think I might have added this because there was a particular hacker that was using this in his query strings years ago??? Thanks.

  44. DB says:

    I have a fancy customizable theme that allows me to tweak many settings and then export a text file with those settings as a backup. However, the export feature does not work so long as this is in my htaccess:


    RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
    RewriteRule ^(.*)$ - [F,L]

    It turns out, specifically, the “set” feature is the problem. I temporarily removed it, but anyone know what it is, and why it is preventing my theme from exporting?

    Thanks!

    • AITpro Admin says:

      The SET MySQL command is used to set values for one or more configuration attributes. Attributes can be set on either the process level or instance level. SET is used in combination with the UPDATE command. Because of the way your internal script is being executed / processed it is being seen as an external script execution and not an internal script execution, which is causing the SQL Injection filter to block it. This is actually a fairly common issue with Themes and Plugins that are using MySQL command names in particular coding functions / scripts that perform some sort of redirection or some type of read or write outside of the script’s original directory. In plain English: If the word / command SET was replaced with “choose” in particular coding functions then you would not have this issue. This would be for only scripts that are seen as a threat by BPS. You would not have to change “set” throughout all coding, just for the coding that is performing a function that is interpreted as a threat by BPS. A typical example is a Theme or Plugin includes a MySQL command in a URL string /blah&set=foo&bar.

      You can safely remove the “set” command from the SQL Injection filter because it is used in combination with “update”. So as long as “update” is still being blocked then no one can inject code into your WordPress Database. Thanks.
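As an added illustration (not code from this thread or from the BPS plugin), the following Python emulates the RewriteCond filter quoted in the comment above: it reports which query strings the rule would answer with a 403, lists the keyword substrings that trigger it (which is why a benign parameter such as offset trips the set keyword, since the pattern has no word boundaries), and shows what changes once set is dropped from the alternation as suggested. The filter pattern is the one quoted in the comment; all query strings are constructed samples.

```python
import re

# Keyword alternation from the SQL Injection filter quoted in the comment above:
#   RewriteCond %{QUERY_STRING} ^.*(execute|exec|...|truncate).* [NC]
#   RewriteRule ^(.*)$ - [F,L]
KEYWORDS = ["execute", "exec", "sp_executesql", "request", "select", "insert",
            "union", "declare", "drop", "delete", "create", "alter", "update",
            "order", "char", "set", "cast", "convert", "meta", "script", "truncate"]


def build_filter(keywords=KEYWORDS):
    """Reproduce the RewriteCond pattern. mod_rewrite uses PCRE and [NC] means
    case-insensitive; Python's re evaluates this particular pattern the same way."""
    return re.compile(r"^.*(" + "|".join(keywords) + r").*", re.IGNORECASE)


def without(*dropped, keywords=KEYWORDS):
    """Keyword list with some entries removed, e.g. without("set")."""
    return [k for k in keywords if k not in dropped]


def is_blocked(query_string, rule=None):
    """True when the RewriteRule would fire and Apache would return 403.
    Apache tests the raw QUERY_STRING (still URL-encoded); the keyword letters
    themselves are never percent-encoded, so no decoding is needed here."""
    rule = rule or build_filter()
    return rule.search(query_string) is not None


def triggering_keywords(query_string, keywords=KEYWORDS):
    """Every keyword that occurs as a substring, left to right, case-insensitive.
    The pattern has no word boundaries, so 'offset' and 'character' match the
    'set' and 'char' alternatives just as a real injection payload would."""
    alt = re.compile("(" + "|".join(keywords) + ")", re.IGNORECASE)
    return [m.group(1).lower() for m in alt.finditer(query_string)]


# Constructed sample query strings (not taken from the thread).
SAMPLES = [
    "p=123&cat=5",                         # ordinary WordPress request
    "action=export&set=theme_options",     # theme export, modelled on the comment
    "paged=2&offset=20",                   # benign pagination parameter
    "s=character+sheet",                   # site search term
    "id=1+union+select+1,2,3",             # textbook injection probe
    "id=1;update+wp_options+siteurl",      # probe that still uses 'update'
]


def main():
    original = build_filter()
    no_set = build_filter(without("set"))
    print(f"{'query string':36} {'original':9} {'no set':7} triggered by")
    for qs in SAMPLES:
        print(f"{qs:36} {str(is_blocked(qs, original)):9} "
              f"{str(is_blocked(qs, no_set)):7} {triggering_keywords(qs)}")


if __name__ == "__main__":
    main()
```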

  45. MzBaker says:

    Hello, after I installed the plugin on my WordPress site and then went to my site I can see the main page little-leo.com/liveblog/ and then when I click on a blog it goes to my old original site. None of my blog posts are showing up. I don't know what to do, please help me fix my 8-year-old’s family website!! It's up for all our family around the USA to view. thanks

    OHHHH, the same thing happens when I hit one of the pages: it goes to the old index.php in the www/public_html directory. My blog is now in a different directory. I hope this is an easy fix because I sat and worked my butt off converting his site from old regular pages I created in php/html to this blog, manually adding every post all the way back to 2003. Ughhh, I am so upset. I hope this is fixable. Do I need to chmod something to be readable/writeable?

    • AITpro Admin says:

      Did you use the AutoMagic buttons to create your .htaccess files? Did you activate BulletProof Mode for both your Root and wp-admin folders? Something does not appear to be correct with your Permalinks. Double check your WordPress custom permalink structure. Double check your General Settings – Site URL and Address URL. To take BPS out of the equation put your site in Default Mode and use the delete wp-admin .htaccess file option.

      Are you using the “giving wordpress its own directory” method? If so you need an .htaccess file in the root folder that rewrites to just /index.php and you would modify the index.php file to point to require('./liveblog/wp-blog-header.php');

      The .htaccess file for the liveblog subfolder installation of BPS needs to be rewriting to /liveblog/
      Most likely the problem is an incorrect permalink setting issue so check that first. Thanks.

      • MzBaker says:

        I just did change the permalinks to default and I'll be danged, lmao, it showed up. Phew, I must admit I was scared, lol. Thanks for the fast reply. I did activate everything under the mods page, I think, but I want to uninstall this and use it on another account that's not as important till I know how to use it completely. Can I deactivate this with no problems?

        • AITpro Admin says:

          Well by enabling / using a default permalink structure you have overwritten the BPS .htaccess file so you don’t have any website security protection right now except for the wp-admin .htaccess file if that was created. So you can go ahead and remove / uninstall the BPS plugin files as well. The BPS plugin files only affect the plugin itself and have nothing to do with providing or not providing website security. That is all handled by the 2 .htaccess files – 1 in your root folder and 1 in your wp-admin folder. Thanks.

      • MzBaker says:

        See you can change them

        Default little-leo.com/liveblog/?p=123
        Day and name little-leo.com/liveblog/2011/09/16/sample-post/
        Month and name little-leo.com/liveblog/2011/09/sample-post/
        Numeric little-leo.com/liveblog/archives/123
        Custom Structure BLANK

        I Like my links to have the name in the link like month and name or day and name I prefer them like that

        • AITpro Admin says:

          OK, then use either of these custom permalink structures:

          /%year%/%monthnum%/%postname%/

          or

          /%year%/%monthnum%/%day%/%postname%/

          In order to use BPS you must be using a custom permalink structure. If you use a default “Pretty Permalinks” setting BPS will not work correctly. Thanks.

  46. Dave says:

    Hello, I use Theme My Login plugin and I keep getting a 403 error.
    When I try to login it takes me to domain.com/login/ and I usually get a 404 error. When I am logged in, I can visit the page and it shows my profile with the address domain.com/login/?action=profile
    However, when I try to update my profile and save it, I am taken to domain.com/login/?action=profile&updated=true and am given a 403 error.

    Do I need to add details to my .htaccess to allow this address to be used?
    This only seems to happen on sites that use BPS.

    Many thanks

    • AITpro Admin says:

      I checked your site and it appears that you have already fixed the problem. When I test your TML login links I am redirected correctly. There are no conflicts with Theme My Login and BPS. Thanks.

  47. John says:

    My old .htaccess in wp-admin had the restriction

    order deny,allow
    deny from all
    # whitelist IP address
    allow from xx.xx.xxx.xxx

    The new .htaccess does not have this. Does it need it? Should I include it in the new file?

    • AITpro Admin says:

      Well if you want to keep this .htaccess code you can add it to the wp-admin .htaccess file if you want. I don’t really think you need it, but if you want to restrict access to your wp-admin folder for only certain IP addresses then yep go ahead and add it to your wp-admin .htaccess file.

  48. Ash says:

    Just installed BPS and when trying to create both default and secure .htaccess files I receive an error as follows:

    The file /home/xxxxx/public_html/v2//wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess is not writable or does not exist.

    NOTE: the double slash after v2 directory.

    Is this a misconfiguration somewhere in wordpress or a problem with BPS?

    Thanks

    • AITpro Admin says:

      The double forward slash is fine and is not a problem. Single and double forward slashes are interpreted the same as a single forward slash. Most likely what is occurring is that you have a permissions problem. Check your folder permissions – they should be 755 for the bulletproof-security folder and actually all of your WordPress folders (/wp-content, /wp-admin, etc). Your file permissions should be 644. And in some cases you can use 444 Read Only, but only in very selective cases where you are aware of every single file that has 444 permissions applied to it / them. The other possibility is that your web host is blocking the php copy and file_get_contents functions. Check folder and file permissions first as this is most likely the issue; if it is a web host configuration issue this will be a more complex issue and will require deeper troubleshooting by checking your phpinfo file and your php.ini file. Thanks.

      • Ash says:

        I think I have a bigger problem! The script will work (except chmod functions) if I set all the .htaccess file permission to 666, but nothing less. Presumably this is a setup problem with my hosting provider, they have previously denied that the wp-config file should have 640 permission and stated that it had to be set at 644 for wordpress to work.

        • AITpro Admin says:

          Well 666 permissions are not safe – that gives write permissions to Owner, Group and Public – meaning anyone can write to the file. 666 is really the same thing as 777. Well that just does not make any sense about them telling you the wp-config.php file needs 644 for WordPress to work. You could make it 444, which is read-only for Owner, Group and Public, and WordPress will work perfectly fine. The wp-config.php file only needs to be read (most of the time, with maybe a plugin writing to it by choice in admin options) – no writing should be occurring to this file obviously. So they are giving you bad information. Now if you set the permissions to 400 then yeah you would have a problem because that means only the Owner can read the file. Someone else mentioned to me a while back that their host required certain permissions on .htaccess files and that CHMOD had to be 644. This was either for suPHP or suExec, I can’t remember which it was. If chmod is causing a problem then just comment out those lines of code. There are 3 total code lines in the top of the options.php file and they look like this >>> chmod($new1, 0644); just put two forward slashes in front of the code like this // chmod($new1, 0644); to comment it out. Then you want to check the actual file permissions of your .htaccess files. If they are 666 you should not leave them with this permission; try and manually make them 644. Thanks.

          • Ash says:

            Changing the permissions for wp-config to anything 640, 740, 440 etc on my host does indeed break WordPress. For some reason it needs read access for world to work (i.e. 644). wp-config doesn’t need write, but does seem to need read by world else it breaks.

            I had to set the .htaccess files to write access temporarily (666) for BPS to function, making me think it all has to do with ownership of files or perhaps the userspace/group the site runs in. I.e. if I can change the files then I must be owner or in the group, but if WordPress can’t then WordPress must be running under different credentials. (Does this sound correct?)

            I managed to get BPS to work (mostly) by changing the file permissions temporarily, let BPS do its thing, ignoring the chmod errors, then setting the permissions on .htaccess files back to 644.

          • AITpro Admin says:

            Yes you are correct because 640, 740 and 440 do not have read permissions for Public so WordPress will not load correctly. 444 does work because it does include read for Public. Group write is 664. And 666 is everybody under the sun write permissions. LOL So yeah you could experiment with 664 permissions, then you will definitely know that it is a Group permissions issue. WordPress itself in your hosting environment is probably classified under Group then. Thanks.

  49. Sue says:

    Hello,

    I have a quick question I was hoping you could help me with.

    I am not very technically minded and a friend said I should make sure my site is protected against attacks such as SQL Injection and Cross-site Scripting. Does BulletProof Security plugin on WordPress do this?

    Many thanks for your time.
    Sue

  50. Dhetan says:

    Hi, Ed…
    I am very glad using your BPS plugin. Recommended for all WordPress blogger. 🙂

    I want to ask you if I edit (add) something to .htaccess file. Where do I have to add the new code?

    1) secure.htaccess ONLY?
    2) Your Current Root htaccess File ONLY?
    3) or both of them?

    Thank you for your support.
    Regards,
    Dhetan

    • AITpro Admin says:

      Cool, glad you're diggin' it!
      The secure.htaccess file is a BPS Master .htaccess file.
      Your Current Root htaccess File is your currently active root htaccess file.
      So yes you could edit both of them, but really you only need to edit your currently active .htaccess files.
      It is of course up to you. If you activate BulletProof Mode for your root folder again then the secure.htaccess file is renamed to just .htaccess and copied to your root folder and overwrites your existing root .htaccess file so if you are worried about overwriting your root .htaccess file then you can copy all the code from the root file to your secure.htaccess master file.
      Thanks.

      • Dhetan says:

        Thank you, Ed…
        Yes, I have added the new code to both of “secure.htaccess” and “Your Current Root htaccess File”. It works! 🙂

        Yes, Ed, I also activate “BulletProof Mode” for my root folder.

        So what about that, after I edit (add) new htaccess code to both Master htaccess and my active root htaccess…, will that harm my blog or make it “more unsecured”? Or maybe I will get other problems someday, like “slow loading” or future error?

        I hope will not. 🙂

        By the way, for all WordPress bloggers, do not wait, even do not think again, to use BPS plugin. It’s powerful and … FREE! 😉

        Thanks again to Ed for his great job for us.

        • AITpro Admin says:

          The .htaccess security filters work independently so as long as you do not change them or add some additional .htaccess code to your root .htaccess file that would cancel them out then your site will not be any less secure. You could even add more security rules to increase your website security. .htaccess files / rules are processed in milliseconds. You could have 1000 lines of .htaccess code and they would still be processed in milliseconds. Now if you added some .htaccess coding that performed some sort of redirection that was problematic then you might lose some website performance, but most likely even that will not affect your website load speeds / performance. Thanks.

          • Dhetan says:

            You are so kind, Ed…
            Not too many free-plugin developers do what you do: to support their users patiently.
            Thanks again, Ed.
