Please post your questions or comments in the new BulletProof Security Forum. When posting questions please provide specific details about the exact problem that is occuring
A BPS free general troubleshooting help page can be found here → BulletProof Security Free Forum
A BPS Pro general troubleshooting help page can be found here → BulletProof Security Pro Forum
Example:
Provide the plugin name if there is an issue or problem with another plugin.
Provide your exact steps in specific detail that led to the error, issue or problem.
Provide the error message that is occurring.
BulletProof Security Version .47.5 >>> Released 10-22-2012
BulletProof Security Version .47.4 >>> Released 9-18-2012
BulletProof Security Version .47.3 >>> Released 8-12-2012
BulletProof Security Version .47.2 >>> Released 8-05-2012
BulletProof Security Version .47.1 >>> Released 5-11-2012
BulletProof Security Version .47 >>> Released 5-10-2012
BulletProof Security Version .46.9 >>> Released 3-14-2012
BulletProof Security Version .46.8 >>> Released 1-16-2012
BulletProof Security Version .46.7 >>> Released 1-04-2012
BulletProof Security Version .46.6 >>> Released 12-01-2011
BulletProof Security Version .46.5 >>> Released 11-21-2011
BulletProof Security Version .46.4 >>> Released 8-09-2011
BulletProof Security Version .46.3 >>> Released 6-09-2011
BulletProof Security Version .46.2 >>> Released 4-24-2011
BulletProof Security Version .46.1 >>> Released 4-09-2011
BulletProof Security Version .46 >>> Released 3-09-2011
BulletProof Security Version .45.9 >>> Released 2-22-2011
BulletProof Security Version .45.8 >>> Releases 1-27-2011
BulletProof Security Version .45.7 >>> Released 12-31-2010
BulletProof Security Version .45.6 >>> Released 11-1-2010
BulletProof Security Version .45.5 >>> Released 10-10-2010
BulletProof Security Version .45.3 >>> Released 9-18-2010
BulletProof Security Version .45.2 >>> Released 8-13-2010
BulletProof Security Version .45.1 >>> Released 7-24-2010
BulletProof Security Version .45 >>> Released 7-22-2010
If you dig it please create a link back to AITpro. Thank you.
Tags: BulletProof Security Comments, BulletProof Security Questions
Categories: BulletProof Security Plugin Support
Hi: I looked through your FAQ’s but I can not seem to fix the following error message I am getting. I just started creating a blog/site and noticed it while I was setting everything up.
ERROR: WP Super Cache is activated, but either you are not using WPSC mod_rewrite to serve cache files or the WPSC .htaccess code was NOT found in your root .htaccess file.
The rest of the displayed alert message says “If you are not using WPSC mod_rewrite then just add this commented out line of code anywhere in your root htaccess file – # WPSuperCache. If you are using WPSC mod_rewrite and the WPSC htaccess code is not in your root htaccess file then click this Update WPSC link to go to the WPSC Settings page and click the Update Mod_Rewrite Rules button. Refresh your browser to perform a new htaccess file check.”
One thing that the displayed alert message does not say that needs to be added to that displayed message is “If your root .htaccess file is locked then you need to unlock it to allow WPSC to write its htaccess code to your root htaccess file”.
Hi, I have installed BPS on my WordPress Site. It is an online store with downloadable products. The downloadable products were added via ftp into the server file system. When people purchase the item, they are then automatically given a link via their email system. For some reason when they click on the link it directs them to an error page on the website. Do you think the htaccess is doing this? How can I restore all my htaccess files to their original state? How can I test to see if Bullet proof is the culprit?
Please go through the troubleshooting steps here >>> http://www.ait-pro.com/aitpro-blog/ >>> and put BPS in Default Mode and check one of the email links that is generating an error
if after you put BPS in Default Mode the link is still generating an error then BPS is not causing this. if the link works fine then post the link here (please post an example link with your domain name replaced with xxxxxx’s – Example: xxxxxx.com/?download_string=blah&blah&blah&foobar) so i can see what in the link is being seen by BPS as a threat or vulnerability to your website. Thanks.
Thanks for providing this great plugin…. but it seems to have failed me!
All sites (both WordPress-based and static) on one of my hosts (Hostmonster) were hacked last week. Major files (the root index.php and the theme’s header.php on WP sites, and all htm files on static sites) were infected with a few lines of javascript which yielded an iframe sending people to a malware site. I cleaned out all the code from all sites, and installed BPS.
I also started installing BPS on all the websites on my other host (1&1), but before I had finished applying it to all sites the hackers struck there too. What surprised me was that even the sites with BPS had suffered – although the root “index.php” had not been changed this time (presumably thanks to BPS), the theme’s “header.php” still had. Can that not be protected, or am I prehaps using BPS wrong? I did implement all the BPS suggestions except for the CHMODs (as the readme suggested that most hosts don’t allow these anyway).
I’m still worried that the infection might come back, because I still have no idea how it arose (I updated all my timthumb.php’s a long time ago to at least v2.0).
Please see this post for some things that BPS cannot protect against >>> http://wordpress.org/support/topic/doesnt-work-all-site-have-code-injections-and-php-backdoors-installed
I updated to your latest version, and no WP Super Cache is apparently restricted. WP Super Cache reports:
A difference between the rules in your .htaccess file and the plugin rewrite rules has been found. This could be simple whitespace differences but you should compare the rules in the file with those below as soon as possible. Click the ’Update Mod_Rewrite Rules’ button to update the rules.
But the Update Mod_Rewrite Rules button is replaced with “View Mod_Rewrite Rules” button, and at the top of the desired rules box, it begins:
I don’t want to do manual fixes on my htaccess files, so I’m hoping you can come out with a new update soon to fix this issue. Thanks!
Is your root .htaccess file locked? You do not have to lock it if you do not want too. That option is completely up to you.
That fixed it. But I should add: the latest update must have defaulted to locking it. I never locked it manually. Might want to note this for WP Super Cache users somewhere. Thanks though!
Yep, the BPS Pro upgrades are designed to automatically lock your root .htaccess file after new .htaccess code has been automatically added to the file. Does this cause a problem on your particular web host. such as your web host does not allow .htaccess files to be locked with 404 permissions. If so, which host do you have? Thanks.
I am moving my WordPress site to a new url, actually from a subdomain to the TLD. Should I disable BPS or anything before changing the WP settings? I know how to move WP, just concerned about BPS.
As long as the URL and rewriting structure/design is the same then you would not have to change anything and could just move the site with .htaccess files intact.
Example:
subdomain.example.com – has an URL / rewrite structure of a root website – the RewriteBase is /
example.com – has an URL / rewrite structure of a root website – the RewriteBase is /
example.com/subdirectory – has an URL /rewrite structure of a subfolder website – the RewriteBase is /subdirectory
So if you change a subdomain site into a standard Top Level Domain site then the RewriteBase is exactly the same – RewriteBase /
Great, thanks. Another guidance question: how should I add 301 redirects to the .htaccess file?
you can use this htaccess code generator >>> http://www.htaccessredirect.net/ and then you would add the redirect code anywhere outside of the BEGIN WordPress to END WordPress htaccess code or you could add it to the bottom Custom Code text box. Read the Read Me help button on the Custom Code page for specific details.
Excellent! Thanks for your help and a fine plugin.
[Comment was Moved]
[Comment was Combined]
Just installed BPS and on my ISP Host: Crazy Domains.com (Australia) the root directory .htaccess file is ‘hidden’ in normal cpanel, any change via FTP is ignored, cannot change it to 404.
Hope this helps others. Cheers Dennis
Hi, thanks for a great FREE plugin, I’m managing a few sites and will be moving to PRO once I get my head around the large amount of info this plugin handles!!
I have just installed on http://grenfellarmouringservice.com.au/ and have the ERROR:
WARNING! BPS has detected that Safe Mode is set to On in your php.ini file.
Have searched your site but cannot locate info to assist me correct this error, any advice appreciated?
Thanks Dennis
Server Type: Apache/2.2.14 (Unix)
Operating System:Linux
Server API:cgi – Your Host Server is using CGI.
Multisite:? it is on shared seerver, is that the info needed??
PHP Version: 5.2.11
[Your comment posts have been combined and moved]
If your Host allows you to create a custom php.ini file for your website then you would create a custom php.ini file and add this directive setting – safe_mode = Off. Or if your Host does not allow you to create a custom php.ini file for your website then you will have to ask them to change this setting for your website.
Hi, what I don’t understand is I have installed BPS Free on 5 sites with this same ISP Host – yet only 2 sites have this ‘safe-mode ON’ warning the others have all installed OK?
Any thoughts on why this may happen?
Cheers Dennis
Some web hosts do not allow you to change .htaccess file permissions to 404 and only allow 644 permissions.
I have this plugin and after I updated I’m getting this warning:
“BPS Alert! Your site does not appear to be protected by BulletProof Security
If you are upgrading BPS – BPS will now automatically update your htaccess files and add any new security filters automatically.
Refresh your Browser to clear this Alert
Any custom htaccess code or modifications that you have made will not be altered/changed. Activating BulletProof Modes again after upgrading BPS is no longer necessary.
In order for BPS to automatically update htaccess files you will need to stay current with BPS plugin updates and install the latest BPS plugin updates when they are available.
If refreshing your Browser does not clear this alert then you will need to create new Master htaccess files with the AutoMagic buttons and Activate All BulletProof Modes.
If your site is in Maintenance Mode your site is protected by BPS and this Alert will remain to remind you to put your site back in BulletProof Mode again.
If your site is in Default Mode then it is not protected by BulletProof Security. Check the BPS Security Status page to view your BPS Security Status information.”
I’ve tried all the magic buttons and activating all the security modes. I’m not sure why it’s still doing this.
Please go to the BPS System Info tab page and copy and paste this information about your website below:
Server Type:
Operating System:
Server API:
Actually i see your Host is BlueHost and this host is using the cPanel the HotLink Protection Tool so my hunch is this problem is being caused by the broken cPanel HotLink Protection Tool. Please see this post for how to “fix” this issue >>> http://wordpress.org/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=7
hi thanks for a great plugin, i have 2 questions
1- before i installed the latest free version of BPS on my WP site i password protected my wp-admin directory in my cpanel to add a extra layer of security. now that i have installed BPS free i checked my wp-admin in cpanel and the protected directory says Password Protected Area”
is this BPS at work, and is this ok as my wp-admin is now accessible without the extra password i added in cpanel.
2- i have 2 websites one a domain like this mywebsitename.com and the other one on a subdomain like this shop.mywebstename.com can i use BPS on both sites?
Thanks
1. You would need to add your wp-admin password protection coding to the wp-admin .htaccess file. What i recommend is that you re-apply password protection to your wp-admin folder. Typically this would be done from your Web Host Control panel. This should write that password protection code to your wp-admin .htaccess file again. Then what you want to do once you have that password protection code is you would want to add that code to the BPS Custom Code wp-admin top box and save it – CUSTOM CODE WPADMIN TOP: Add miscellaneous custom code here . Next go to the BPS Security Modes page and Activate Website wp-admin Folder htaccess Security Mode (BulletProof Mode for your wp-admin folder) again. What this will do is combine your wp-admin password protection coding with the BPS wp-admin .htaccess file coding to make a new file with both your password protection coding and the BPS .htaccess code for the wp-admin .htaccess file.
2. Yep BPS works on any type of WordPress site – subdomain, subdirectory, Network/MU and Giving WordPress Its Own Directory site installations.
Thanks for your reply very helpful
hi i have installed BPS on another WP site and i used the Backup .htaccess Files link and BPS said You do not currently have an .htaccess file in your wp-admin folder to backup.
I then used the create default and secure htaccess links and then i noticed that BPS also said i didnt have permalinks enabled so i set up the permalinks as you recommend but now BPS says Failed to Activate BulletProof Security Root Folder Protection! Your Website is NOT protected with BulletProof Security! when i click the activate Activate Website Root Folder .htaccess Security Mode radio button.
this is what it says in the Activated BulletProof Security .htaccess Files box
Either a BPS htaccess file was NOT found in your root folder or you have not activated BulletProof Mode for your Root folder yet, Default Mode is activated, Maintenance Mode is activated or the version of the BPS Pro htaccess file that you are using is not the most current version or the BPS QUERY STRING EXPLOITS code does not exist in your root htaccess file. Please view the Read Me Help button above.
wp-config.php is NOT htaccess protected by BPS
The WP readme.html file is not .htaccess protected
I have tried to uninstall BPS to reinstall it so it sees the new permalinks but it is not allowing me to, when i use the Default Mode
WP Default htaccess File radio button BPS says Failed to Activate Default .htaccess Mode!
What do i need to do to get it to work.
Please explain in laymans language as i am not very technical.
Thanks
What i suspect is that this website/Server is configured with DSO and not CGI.
Please go to the BPS System Info tab page and post this info in your reply.
Server Type:
Operating System:
Server API:
Server Type: Apache
Operating System: Linux
Server API: cgi-fcgi – Your Host Server is using CGI.
i have installed BPS on 5 or 6 of my sites with no problem and they are all on the same server
Thanks
This is what BPS says
Failed to Restore Your Root .htaccess File! This is most likely because you DO NOT currently have a Backed up Root .htaccess file.
thanks
Ok i was not sure if this was the same Server or not so thanks for clarifying that. 😉
What custom permalink structure or pretty permalink structure are you using on the site?
Also the clues you are giving me is that files are not actually being created and copied at all. is something blocking this on this particular site?
Since BPS is working fine on all the other sites then do this on this particular site.
1. deactivate all plugins except for BPS.
2. click the AutoMagic buttons again.
3. activate BulletProof Mode for your Root folder and wp-admin folder.
ok did all that this is what BPS says when i click the Activate Website Root Folder .htaccess Security Mode link.
Failed to Activate BulletProof Security Root Folder Protection! Your Website is NOT protected with BulletProof Security!
this is what it says when i click the Activate Website wp-admin Folder .htaccess Security Mode link
Thanks
BulletProof Security wp-admin Folder Protection Activated. Your wp-admin folder is now protected with BulletProof Security.
Ok you have now confirmed that something on this particular website is blocking you from being able to copy files. You will need to contact your web host and find out what that is.
how do i uninstall BPS in the mean time as i dont want to be logged out without admin access if its left installed.
the normal way to uninstall it is not working
Thanks
what do you mean by “the normal way to uninstall it is not working”. please be specific with all details. Thanks.
Hi sorry to have been so vague
I have now uinsatlled BPS using cpanel file manager and reinstalled it again.I have spoken to Hostmonster and they say all the file permissions are set ok and there are no issues on my site,but everytime i try to Activate Website Root Folder .htaccess Security Mode link i get this message
Failed to Activate BulletProof Security Root Folder Protection! Your Website is NOT protected with BulletProof Security!
All the other 3 activate security modes options activated fine.
I have gone back to my permalinks page to check my settings and noticed this info at the bottom of the page.
If your .htaccess file were writable, we could do this automatically, but it isn’t so these are the mod_rewrite rules you should have in your .htaccess file. Click in the field and press CTRL + a to select all.
RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L]Does this mean i should change something, not sure what to do with this info.
Thanks
ok this sounds like the classic broken cPanel HotLink Protection Tool problem. See this post for details of what the problem is and how to fix it >>> http://wordpress.org/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files
Hi,
I am running my site on MAMP.
I have moved it over to a new computer and now i cant access the admin page.
I have deleted the .htacces file but still no dice.
What else can i try?
Thanks
Scott
Have you deleted both the root .htaccess file and the htaccess file in your wp-admin folder?
Hi Permalinks shows updated but bulletproof does not recognise it as updated and wants it done again. If I delete bulletproof, all works fine except the site is not secure. I then reinstall bulletproof and it still does not work, any ideas?
Can you help please?
Thanks Graeme
Your Comment has been moved to the Questions, Comments and Problems page here >>> http://www.ait-pro.com/aitpro-blog/319/bulletproof-security-plugin-support/bulletproof-security-comments-questions-problems-wishlist/
Which permalinks setting are you choosing/using? You can either use a Pretty permalink setting or create a custom permalink structure. obviously a custom permalink structure is the optimum choice to make for any WordPress website.
The file /home/koaadmin/public_html/wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess is not writable or does not exist.
Check that the file is named secure.htaccess and that the file exists in the /bulletproof-security/admin/htaccess master folder. If this is not the problem click here for more help info.
I’ve been running BPS free for over a year on this site, and I run it on 10+ other sites as well. It’s always worked fine. Now since the latest update from yesterday it’s giving me this error, and my host is quarantining my stuff because I keep trying to edit the .htaccess files.
P.S. – I have verified that my problem is none of the ones listed on the troubleshooting page.
Yep this is most likely the old Broken cPanel HotLink Protection Tool problem >>> http://wordpress.org/support/topic/bulletproof-security0475-not-working?replies=7
If you look at the latest comments in that thread the clues are pointing more and more to exactly what the wonderful Broken cPanel HotLink Protection Tool is now doing. ha ha ha. The broken cPanel HotLink Protection Tool has been broken for over 10 years and will probably continue to cause problems until the end of time. I’m not sure if i can block it entirely since it is at the Host Server level, but maybe there is something that i can do to short circuit it before it destroys folks websites – working on it. 😉
Oh wait i just noticed that you said your host is quarantining the .htaccess files. Which web host do you have? When i look up your DNS information it says your host is Namecheap. is this correct? What might be happening is your host scanner is malfunctioning or scanning in a too general way and quarantining legitimate files. I believe another person who has Namecheap hosting has also mentioned this to me so i will include this info in the thread in the BPS plugin forum to see if this is a common denominator.
http://wordpress.org/support/topic/bulletproof-security0475-not-working?replies=7
Yes, this has been confirmed – Namecheap has some new scanner that is incorrectly quarantining BPS files – both plugin files and .htaccess files.
I host several sites with Namecheap, all using WP and BPS and all have the same problem as stated here. Will there be an update to BPS or do I need to contact Namecheap (heaven help if that’s the case!)?
BTW – thanks for a great plug-in!
Yep i am aware of this problem and have contacted them myself to fix this issue on a larger scale, but you should also contact them directly to speed this along. I have several people on Namecheap that have had their root .htaccess file getting quarantined by the Namecheap scanning software. The scanner is seeing valid coding in BPS as malicious coding so this is going to require that they re-calibrate the scanner since it is mistakenly seeing valid code as malicious code. This is also occurring on 1 other host so most likely they are using the same scanner software. 😉 For now you can either revert back to .47.4 until this issue is fixed or have them take care of this right away. One person that contacted me had this issue taken care of by Namecheap in about 15 minutes.
Ok the scanner issue on Namecheap was taken care of today so everything should be fine now. Sorry to get back to you so late. Thanks.
i am trying to update the wordpress page but when i click on the publish button it redirect to homepage and i am unable to update anything?
This problem is usually caused by 1 of these 3 things.
1. you did not click the AutoMagic buttons before activating BulletProof Modes.
2. you did not activate both root BulletProof Mode and wp-admin BulletProof Mode.
3. your host uses the cPanel HotLink Protection tool, which will cause this problem.
Please see the BPS Troubleshooting page for problems and solutions >>> http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/
And 1 more common problem is your custom permalink structure is invalid or you are not using a custom permalink structure or you are using the index.html permalink hack.
I have a wordpress blog on which I simply post my short stories. I recently discovered that the site went funny with IE telling me that ….to prent cross site scripting….I contacted my hosts and they very kindly restored my site from the backup. After a few days it happend again. All my posts were replaced by a word ‘hacked’. They restored it again for me. Then I hid my site by putting an index.html file in my root folder saying that site is under construction. I checked after a few weeks yesterday by removing the index.html file and my blog is funny again, even though it was not public! Do you think bulletproof can help me. Will merely installing the plugin be enough or do I have to delete the database first and reinstall everything.
thank you
If your backup files have hacker files and code in them then you will be restoring an already hacked website. WordPress has 2 parts. Files and a WordPress database where all your content is stored. Posts are stored in your WordPress database. When you restore website files from backup you are NOT restoring your database. These are 2 separate things. So if the hackers have hacked your database then restoring your files from backup will not change the fact that your database is compromised/hacked.
Since you have already tried restoring files from backup and this did not take care of the problem then i recommend making a backup of all your files and your WordPress Database and saving those backups to your computer. Then delete all your website files and your WordPress database. Install a new WordPress site, which will install a new database and then install all your plugins. Then after this is done you would import these database tables into your new database.
wp_commentmeta
wp_comments
wp_links
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_terms
do not import the wp_options database table into your new database
i do not recommend importing these database tables wp_usermeta and wp_users, unless you have a lot of registered users or User accounts. If the hacker created an Administrator login account then it will be in these database tables.
Thank you for your reply. I was just wondering if I am going to instal wordpress database from scratch, do I really need to back it up? When my host restored my site, they had to rely on a backup that I had taken much before the site was hacked for the first time. So, I am assuming that backup (which I still have) should be clean in my pc. Am I right? I took this backup at the time of upgrading the wp version because wp always suggests to back up everything before upgrading. I had followed the procrdure as per codex using phpMyAdmin more than halfway down of this link:
http://codex.wordpress.org/WordPress_Backups
So can you please advise again step by step including installation of security plugin. I am a story writer only and understanding all this is too much for me. I also had a list of all the IP addresses from my admin log of those who visited me during hacking period. I wish all the hackers die tomorrow. Sorry for being sharp. I just wish people like these used their intelligence for good causes but its a shame that they dont.
thank you once again.
If you do not care about your existing content on your current site or you have backup copies of your content/work that you can repost then nope you do not need to do any backups and would just delete everything and install everything clean. If you have less than 50 posts on your current site and you have copies of all your posts then you can just repost them. If someone had 1,000’s of posts then reposting would be a nightmare. So if you feel that you can quickly and easily repost your posts then don’t worry about doing backups and database imports and use that time instead to just repost your posts.
thank you.Yeah I have less than 50 posts. However, some of them have media files attached to them. I have checked and given the size of those files, I am a bit confused as to whether they are also part of my backup. This is because backup file is very small in sql format. I think I will have to upload my media again and attach to my post as before. Am I right.
Once this is done, should I install bulletproof and will that keep me safe?
thank you once again.
Ash
Yes you are correct. You image files are not stored in your database. They are stored in /wp-content/uploads and your database only contains the links that point to those image files in that folder. Go through all of your image files very carefully to make sure they are actually really image files and not a php file disguised as an image file before uploading them to your new /wp-content/uploads folder. As soon as you have installed your new WordPress site you want to install BPS and activate all BulletProof Modes then continue on from there. BPS should be installed immediately as soon as the site is Live.
Hi I have a simple blog on which I write short stories, thats all. However, I recently found out that my site was going funny and my computer also said that IE has stopped…to prevent cross site scripting. I am a layman in these things. I contacted my host and they very kindly restored my site from the backup. But it happended again after a few days. This time all my posts were replaced with the word ‘hacked’. I contacted them again and they sorted it out again. I then changed my root files name from index.php and put an index.html file on temporarily to say that site is under construction. However, my blog, even though was public for this while, I checked it again yesterday after a good few weeks and its funny again. Now, I was wondering if installing the bulletproof security help with this. And also do I have to delete the database or will the plugin take care of any malicious elements in the existing database.
thank you for any help you can provide.
[Comment was moved]
I have a 3rd party backup service that’s supposed to do daily automated backup of my site files and DB, but fails with each attempt. The error message is unable to read wp-config.php.
Is it possible that BPS is in the way?
[Comment was moved]
It is possible that BPS is blocking the backup service. Have you done the standard troubleshooting steps below to check and see if BPS is causing the issue. Can you tell me how the backup service is performing the backups? Using wget or curl? Have you locked your wp-config.php file with 400 permissions?
1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
2. Activate Default Mode on the Security Modes page.
3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
4. Test your plugin or theme.
5. Restore your .htaccess files using BulletProof Security built-in Restore.
http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/
So, I think I managed to mess up my site. Migrated from one hosting provider to another, but copies files over without deactivating BPS.
The result, which I’m not sure is due to not deactivating BPS, is that the editor toolbar is missing, and I cannot edit images.
?? What files do I need to copy over from the old host (I did not delete them yet) to restore full functionality of the admin side?
TIA
The simple thing to do here would be to just click the AutoMagic buttons and then activate both Root BulletProof Mode and wp-admin BulletProof Mode again. This will create new htaccess files for your new site.
I did that, even upgraded to .47.5, but mu post editor toolbar is still missing and in general, the post editor is messed up.
Simply can’t blog. Do you thing that copying over an admin folder from a new downloaded WP installer help?
Actually BPS would not have anything to do with your WYSIWYG editing toolbar.
When you say messed up what exactly do you mean?
Have you tried to click on the Show/Hide Kitchen Sink toolbar button shown below circled in green?
Also do you have BPS Pro or BPS free?
I just replaced wp-admin and wp-includes folders with ones from a new download, and the issue is not resolved. And true, this does not appear to have anything to do with BPS.
I have BPS Free, but my objective was to migrate, then upgrade to Pro, using it to replace 2 other plugins that I’m currently using. I’ll still upgrade, because Pro offers more features than the others.
For now, I just want to be able to blog. The post editor tool is completely missing on the mani site. And on another installed in a subdirectory, the toolbar is there, but image/gallery insertion does not work as intended.
Yep fine i just wanted to make sure which BPS plugin you had installed.
Well you can also just do a reinstall of WordPress from within your Dashboard by going to Dashboard >>> Updates >>> Re-install Now button.
Have your checked your User Account under Users to see if you have the correct Role permissions?
Maybe when you migrated your site you did not migrate your WordPress Database completely?
If all else fails you will probably have to install a clean installation of WordPress with a new Database and then import your content into your new database.
My account is the only one of the site. Though WP is the most popular blogging platform, there is no real place to get help when you really need it. The official WP forum is about useless.
I’ve deleted all files and copied them over again from the old site, but my post editor toolbar is still missing. Worst is that when trying to edit a post, parts of the website (public face) is rendered on the right side of the post I’m editing.
This is one migration gone wrong. I have a VPS with 1 GB RAM, but I’m hitting max RAM and CPU, even though I’m running just one website. Top shows php and mysqld are culprits.
I know this is not a help forum for all WP issues, but do you know of a tool that I can use to track down what php scripts are chewing up resources?
See why I said that this is one migration gone wrong. I’v gone from crying about a missing post editor toolbar to complaining about php and mysqld.
Could there be a php extension that not enabled that could be causing the missing toolbar issue?
Btw, I’ve disabled the most likely plugins, switched to WP Super Cache, yet I’m still hitting max RAM and CPU
Well to be honest with you since your editing toolbar is gone and the other things that you mentioned then if it were me there would be only one thing that i would do at this point. Make a backup of everything – all files and the WordPress database and reinstall the entire site again. All the problems you are mentioning indicate major WP Core file problems. WordPress itself is not right at all so don’t even bother with checking plugins, etc. It is your WP Core itself that is messed up.
Then that’s just what I have to do.
I’ve never reinstalled WP before, so one more question on this: During the reinstallation process, will the installer create a new DB, or will it accept the credentials for the existing DB and use it without creating new tables in it?
I think by the time I’m done with this, I’ll be ready to write a long article on my experience. Nothing teaches like real-life experience.
If you are using a automated application installer it will create a new database for you. If you are doing this manually and using the WordPress installer then you only need to create a new database using phpMyAdmin and the WordPress installation will create all the DB Tables. You do not want to keep your old database so just nuke it. Also you will need to add your new DB name and credentials in your wp-config.php file in order to make the DB connection to install WordPress.
This WordPress Installation Codex page has all the info you need to know >> http://codex.wordpress.org/Installing_WordPress
Just an update: Finally did everything that needed to be done – reinstalled WP, even installed a new website in a subdirectory. Same issue.
The error log show entries like this:
error] [client IP] File does not exist: /home6/public_html/wp-admin/wp-content, referer: http://www.site.com/wp-admin/post.php?post=21984&action=edit
You can see that it’s looking for wp-content under wp-admin, which is weird, because WP is not set up in that manner.
My VPS provider finally figured that it was a CPanel/mod_fcgid issue; a bug that sometimes causes FastCGI processes to lock up and not render completely.
So, there it is. It’s not WP Core or any plugin. So far, it has cost me 2 weeks (and counting) of not being able to blog.
Thank you.
ARGH! FastCGI strikes again. FastCGI is a WordPress destroyer >>> http://www.ait-pro.com/aitpro-blog/4349/misc-projects/wordpress-tips-tricks-fixes/php5-3-x-php5-4-x-user-ini-file-does-not-work-known-php5-3-x-user-ini-fastcgi-wordpress-zend-issue/
There is actually a solution available to fix this on a Worldwide scale, but i think that most hosts are not aware of the solution. 😉
Just found out that the problem has nothing to do with any plugin, or apache module, but with the GD library. It was not installed.
Now that it is installed, problem solved.
Thank you plenty.
Will be upgrading to Pro soon.
I would like to know the cost of BP Pro before I commit to buying it. I don’t see a price anywhere on these pages, but I could have missed it.
The cost of BPS Pro is $49 USD: http://affiliates.ait-pro.com/po/
I am attempting to add Outbrain’s (outbrain.com) “you might like these articles” feature at the bottom of my WordPress posts. However, it is being blocked by BPS. I’ve confirmed this by disabling BPS, and seeing it work. So the question is, how do I get them to work together. Outbrain support says their servers are being blocked, so I must whitelist:
69.9.45.32/27
208.68.170.0/27
208.68.171.0/27
204.145.89.32/27
81.218.63.74
80.179.98.219
212.179.245.135
38.107.78.62/28
81.218.35.210/29
User-agent: Mozilla/5.0 (Java) outbrain
But where would I put this for BPS, and in what format?
Thanks!
It is not going to be an IP issue. I looked at the Outbrain site for technical info on how it works and did not find the technical details so i am going to take a logical guess that it is going to be something like this – Outbrain might be using wget or curl to get your site content and do X (not really exactly sure what Outbrain does at this point) with it.
So if my logical guess is correct then commenting out these 2 security filters below will allow Outbrain to do whatever it needs to do. Let me know if commenting out these 2 filters works and then you can narrow down the actual part of the filter that needs to be modified. Example: Remove only curl or remove only wget from the filters, etc.
#RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR] #RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]Another filter that may be interfering with how Outbrain works is this nuisance filter if Outbrain needs to make a HEAD Request.
# This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some # HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow # all bots to make a HEAD request then remove HEAD from the Request Method filter. # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website. RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]Thanks, I’ll try this when I get a chance and report back. Once we isolate this, is there a way to lock it down for sites other than outbrain? By the way, Outbrain is the leading tool for adding icons at the bottom of your blog’s posts that says “If you found that interesting, check out these other posts”
I just noticed that the Outbrain User Agent has “java” in it. User-agent: Mozilla/5.0 (Java) outbrain. So maybe just removing “java” from the security filter will take care of the issue.
“…is there a way to lock it down for sites other than outbrain?”
If you need to make an exception or alter a security filter for your website then you only want to remove or alter a security filter as little as possible. ie just removing “java” etc from the filter and not block out/comment out the entire filter.
Hi there, I apologize if this should have been made into a separate thread.
I am having the same issue with the Outbrain plugin. Outbrain’s tech support sent me the following.
“It looks like your site ‘blocks’ our crawler (and being more technical it blocks our user agent). When accessing the URL using a browser — we get a valid response. But when our crawler tries to access it is being blocked
In order to resolve this, could you please allow our user agent which is “Mozilla/5.0 (Java) outbrain” ? ”
After putting the BPS plugin into default mode, Outbrain worked properly. My site continues to be in default mode at the moment. No other adjustments have been made to BPS (Version .47.4) at this time.
Outbrain is Version 7.0.0.0. They are listed at http://wordpress.org/extend/plugins/outbrain/
I understand there are ways to make exceptions, however, I am not sure what syntax to use or where it should be placed.
Any assistance would be appreciated.
Thank you
Oh i was not aware that they have also created a WordPress plugin. I believe you will only need to remove java from the User Agent filters in your root .htaccess file, but i will test this plugin and verify that that is what is needed.
#RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR] #RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]Ok this plugin is very poorly documented and the help information on the main site has sent me around in circles so i am pretty irate at this point and will not continue testing this plugin due to the poor documentation and instructions. Please try removing java from the security filters in the root .htaccess file and also you may need to remove java from the wp-admin htaccess file User Agent security filter below.
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]Just as a followup.
The Outbrain plugin requires that the blog be ‘claimed’ in their members panel. This was not working. After disabling site caching and putting BPS into default mode, I was able to successfully ‘claim’ my blog and Outbrain was able to index the site and begin showing results.
At this point I re-enabled BPS and applied the fix for the root htaccess file only. The tech at Outbrain then made a change to fix another issue I was having with duplicate titles. When this fix propagated to my blog, I assumed that the fix for the root htaccess file was all that I needed and so I have not made changes to the wp-admin htaccess file.
As my blog was claimed while BPS was in default mode, I can not say for certain that the fix will work for that part of the Outbrain setup. But I have asked the tech at Outbrain to try to work with the folks here at BPS to see if a permanent fix can not be found. They have responded favorably to this suggestion.
I do want to say how much I appreciate the help that was given despite a lack of documentation. I also want to point out how much I appreciate the Notes tab in the BPS settings, which allowed me to document recommendations and steps taken. The ability to document in this manner is incredibly useful.
Thank you for all your help,
Sherry
Yep I installed it and then was forced to go look around because I had no clue what to do next with the plugin. Then i went to the plugin FAQ page on the WordPress plugin repository and did not find any info there so i clicked on the links and registered and signed up on the Outbrain site. I then hit another dead end and searched around their site for a while and was not finding anything useful. I then gave that up and just tried winging it, which usually works for me, but in the case of this plugin I just kept running into dead ends so i just threw in the towel on testing. 😉
I would be glad to work with them to figure out what needs to be allowed for Outbrain to do what it needs to do and i will also take another stab and figuring out how to set this plugin up and what it actually does after i get BPS Pro 5.2 released (1-2 days) and BPS free .47.5 released (5-6 days). Thanks.
I removed “java” in my htaccess files, after updating to your newest BPS, and it still doesn’t work. Screw it. Like you, I’m annoyed. Outbrain seems like junk, I’m probably just going to remove it unless the other poster gives a working solution.
I have not forgotten about testing Outbrain. It is on the testing list and will soon be tested – most likely tomorrow morning. The BPS .47.5 upgrade went a little rough due to a popular Server scanner mistakenly seeing valid code in BPS plugin files and htaccess files as malicious code. This created a backlog of issues that we now have under control, but it set us back about 4-5 days dealing with that issue. 😉
No worries… I know you hope to have BPS as compatible as possible, but I’m wondering if Outbrain is worth the trouble. Still, quite a few users are using it… But it certainly is clunky, even from the user stand point. I tested removing java from the two lines from “secure .htaccess” and also from “Your current root htaccess file” and outbrain still doesn’t show on my site. I “claimed” my site, like the other poster mentioned, by entirely disabling BPS momentarily. But with BPS up again, I have no outbrain “related posts” appearing at the bottom of my posts, even with the java line removed, so I suspect it is something else.
PS: You need to add a comment subscription feature. I wish I could be pinged when you reply. Presently, I have to remember to come back here, and dig for my comment to see your reply. Given the number of comments on this page, it might be time for a free bulletinboard on your site?
Several issues came up that took precedence over this issue so it got bumped again. BPS Pro 5.2.2 needed to released ASAP as an I18n Language Translation problem was breaking the Quarantine form for folks who use country specific language versions of WordPress. I will get to this next, but i am exhausted after hours of rushing to get a bugfix release of BPS Pro out to folks so i need a sanity break so my head does not explode. I definitely do not want to go on the Outbrain wild goose chase that i know is going to happen after just getting a glimpse at how poor the documentation is. Ugh.
and yep we will be adding a Forum. It has been on the list since June and is almost at the top now. LOL
Ok i am officially done with Outbrain. I completely removed BPS from a website. Spent an hour and half jumping through all the hoops on the Outbrain site and tried to get Outbrain to work and I could not get it to work with BPS not installed at all. I don’t know what to tell you, but one thing is very clear to me they have made a good start and now they just need to follow through and streamline this process. When i first released BPS and BPS Pro they were terribly difficult to install and setup. now the process is so simple anyone can do it. So anyway i cannot afford to waste any more time trying to figure out how to get this plugin to work. it has nothing at all to do with BPS as far as i can tell since i could not get it to work on a site without BPS installed.
One Correction to my statement. I did test Outbrain with BPS initially installed and i did have to take the website out of BulletProof Mode and put it into Default Mode in order to get the Outbrain key. After that since i was having so much trouble getting it to do anything i just removed BPS altogether from the site and tried for another hour to get it to work by doing everything i logically thought would work and no content was ever displayed in the footer so i just deleted Outbrain. i saw on the Outbrain site something about having to wait for content to start showing, but i think an hour and a half is long enough to wait. 😉
Hello:
Is BulletProof capable of hiding the PLUGIN DIRECTORY?
I ask because I have not been able to find this issue addressed on your website.
Thanks in advance for a prompt and detailed response.
Alan
No, BPS does not bother with doing any hiding tactics as they are totally ineffective methods against hacker bots and hackers.
My avatar images are no longer displaying for custom images after installing BPS.
See: http://www.championnews.net/
Image URL: http://www.championnews.net/wp-content/plugins/user-avatar/user-avatar-pic.php?src=http://www.championnews.net/wp-content/uploads/avatars/93/1337189286-bpfull.jpg&w=45&id=93&random=1337189286
But looking at how the URL is being processed (The URL is simulating a hackers RFI hacking attempt against your website) on your website you could try this skip/bypass code and see what happens.
Edit your root .htaccess file with the BPS built-in editor, find the timthumb htaccess code and add the user-avatar-pic.php file to the image thumbnailer (timthumb) skip/bypass rule
# TimThumb Forbid RFI By Host Name But Allow Internal Requests RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR] RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC] RewriteRule .* index.php [F,L] RewriteCond %{REQUEST_URI} (user-avatar-pic\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC] RewriteRule . - [S=1]I made a typo in the original comment code that has now been corrected – check the code skip/bypass rule in the posted comment again. thank you.
That worked, thanks so much….
Hi
I am a BPS free user and thinking to buy BSP Pro but before buy pro version I have a question
Q1 – Can we use BPS Pro Key on Unlimited number of Domain(WebSite) each Hosted on Different WebHosting
Q2 – Single Key used to activate BPS Pro in All site or there are any option to generate specific key for a specific site.
Thank You
Thanks for clear my doubt.
I am new to this so I hope this will help protect against hackers. I am learning a lot didn’t realize we had that many hackers on these little bitty sites.
I hope I got all this correct. I didn’t understand much of it but hope I have it right.
Thank you
thank’s. I am very interested in the product free of bulletproofsecurity good in security. I’ve previously bought from ThemeForest theme “continuum”. when i install on my wordpress run smoothly. but when i want to upload images using standard image wordpress upload feature. always error 404. is there any solution for this? please answer?
Both the standard WordPress Media Library upload options work fine.
Media Library >>> Add New >>> Drop or Select Files — Successful
Media Library >>> Browser Upload — Successful
Please explain in detail the exact steps that you are using to upload images.
Post >>> Add New >> Set featured image
using javasript when uploaded. 404 error when loading occurs. is there any solution?
I tested this and it is working perfectly fine using the WordPress 2011 Theme and several other Themes. Do you have both Root and wp-admin BulletProof Modes activated?
Have you checked the image file URL to make sure that the URL is valid? A 404 error means the URL is not valid – Not Found
Have you done the standard BPS Troubleshooting steps?
1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
2. Activate Default Mode on the Security Modes page.
3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
4. Test your plugin or theme.
5. Restore your .htaccess files using BulletProof Security built-in Restore.
http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/
Hi, I cannot find a solution for this problem. Sorry if there is one and I just couldn’t find it.
Clean Install in root directory.
My WordPress installation type is: standard wordpress single type
My Server is using CGI
My WordPress installation / site is installed here http://www.example.com.au
I have used AutoMagic to create my master .htaccess files
I have activated all BulletProof modes
I tried to insert an image in my post/page/ and I got re-routed to the home page.
I tried to insert an image in my site header and the same thing happened.
I can drag and drop into posts, though not into site header config.
Am using Admired Theme By Brad Thomas Version 1.2.1
So far have found compatible plugins.
Thanks
How exactly are you “inserting” the images?
Are you using the standard WordPress Media uploader or are you using some other plugin or is this some image editing feature of your Theme?
Yes, I am using the standard Word Press Media uploader. I don’t have another plug in for this as yet – just going one step at a time.
I tested the Admired Theme and used the built-in Theme editor that comes with this Theme and was able to successfully add images.
Have you checked to make sure you are entering valid paths to valid image files?
Have you done the standard BPS Troubleshooting steps to see if BPS is causing this problem or not?
1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
2. Activate Default Mode on the Security Modes page.
3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
4. Test your plugin or theme.
5. Restore your .htaccess files using BulletProof Security built-in Restore.
http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/
Ok, thanks I haven’t done this as yet. I will try this and see what happens and then let you know.
I am using valid paths, images, etc. What confuses me is that I am able to drag and drop images into my posts, just not able to insert them with the media uploader.
Anyway, will try it out.
thanks
I ran through the trouble shooting steps, still had the same problem with the theme – just switched to a new theme as there must be a conflict with a plugin.
Thanks for your help. I love this plug in. 🙂
Hi there, great tool! I’ve a WP 3.4.2 Multisite config with latest (.47.4) BPS installed and for the most part it’s working as advertised. Since installing it there’ve been a few minor glitches however.
Within the Dashboard of any site (logged in as the super user) I cannot perform a bulk delete of files in the media library. I can select the checkbox beside the items and select Delete Permanently from the drop down but as soon as I click Apply I get a 404.
Additionally, WP is installed in the root of the web server (a Linux VPS – path is /home//public_html/), and within a folder in here is a vTiger installation. Since installing BPS there’s some random issues with vTiger. When logging in it seems the post data is stripped from the URL, leaving just a ?, which is generating an error. By simply removing the ? and loading the page I can then get to the vTiger dashboard. Within vTiger it seems none of the AJAX updates work. I’m not really familiar with htaccess syntax but reading through the file I noticed this line – RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR] – and found that if I comment it out the vTiger installation all works properly. Obviously this isn’t a solution however.
Can you make any suggestions on fixing these please?
The bulk delete problem/issue is a known issue (pending posting) that is caused by the square brackets in these security filters below.
To fix the problem…
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR] ...modify these filters above and remove the square brackets as shown below RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]For vTiger and other 3rd party apps see this fix >>> http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Custom-PHP-Applications-Outside-WordPress
Brilliant! Thanks 🙂
As recommended I changed my permissions from 755 to 705 on my public_html dir and it then the site said forbidden. (This happened on several other URIs like /wp-admin and other pages on the same domain.) Instantly I changed the permissions back (755) and all went well again.
Note: I previously changed other file permissions, as recommended, one by one.
Hi,
I had set up all my BP settings a few months back & all of a sudden I started logging into a lot of my blogs, & I am getting that message at the top of each blog saying I have to redo all my settings again.
BPS Alert! Your site does not appear to be protected by BulletProof Security
If you are upgrading BPS – BPS will now automatically update your htaccess files and add any new security filters automatically.
Why is this happening?
Michelle
Check this first as it is the cause of the majority of BPS problems worldwide:
Your web host is HostDime, which uses cPanel and has the cPanel HotLink Protection Tool. The HotLink Protection Tool has been broken since 2002 and will break BPS, other plugins, WordPress and your website itself. Please see this post for more details about how to work around the problem – http://wordpress.org/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files
The site runs fine
Thanks Harry
Very latest Standard WP installation, using BPS .47.3 with all modes enabled. Root folder installation of WP
A wget of any article URL from my site gives a 403 Forbidden error. Also, when posting articles from my site on fsdaily.com and linuxtoday.com, I get “URL not functioning” or “Invalid URL” error messages.
Any ideas?
wget is explicitly blocked in this security filter in your root .htaccess file. to allow wget you would need to remove wget from this security filter below. A safer alternative to using wget is to use lynx -source.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]You may also need to remove wget from this security filter.
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]What will be the net effect of commenting out both lines, rather than just removing wget?
Your website will be easily scraped, mined, mirrored and probed.
thanks.
“403 forbidden” solved.
Do you have any idea why if I try to post an article at http://www.linuxtoday.com/contribute.html, it reports the URL as invalid?
If you are saying that you are posting a link back to your site from another site and the URL back to your website is seen as invalid then the only way that BPS would have anything to do with this (and this is very, very unlikely) is that the website sends a HEAD Request back to your website to check that the URL back to your website is valid. This nuisance filter below would block a nuisance HEAD Request.
# REQUEST METHODS FILTERED # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some # HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow # all bots to make a HEAD request then remove HEAD from the Request Method filter. # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website. RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC] RewriteRule ^(.*)$ - [F,L]Removing HEAD from the nuisance filter solved the problem. Thanks.
Will be upgrading to Pro.
i have a serious problem with amember plugin is there a fix for that plugin and the payment integration?
Please post the exact name and version of the plugin and the exact problem that is occurring. Example: I do X and then Y is supposed to happen, but Z happens instead.
version of the script 3.2 and the version of the wordpress plugin is 1.4
after active Bulletproof security the payment integration broken after the user pay his account doesn’t actived on the website – Bulletproof security prevent it
hope this is help
waiting for the solution
thank you
What script is version 3.2? Please post the entire name of the plugin with version number: Example: BPS Pro 5.1.9.
What is the name of the wordpress plugin that is version 1.4? Example: Plugin name version #.
What exactly is not working? Please list the exact problem or area of the plugin that is not working – be very specific with details.
Example: I do X and then Y is supposed to happen, but Z happens instead.
Example: On this page/URL this is supposed to happen, but instead an error occurs on this page/URL.
the name of script is Amember 3.2
http://amember.com/
it is membership script come with a
wordpress plugin(v0.4)
http://www.amember.com/p/integration/new-wordpress-plugin/
for integration between the script and wordpress .
Every thing was working just fine until active your plugin the payment integration process broken .
the user after paying in the gateway should redirect to my website and his account should work probably (membership)
but what happen is the payment is done but the membership (user account ) doesn’t active .
i solve it now as you explain in PayPal IPN – PayPal IPN or PDT Scripts – No Known Conflicts Exist
http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/
but hope that will be another fix than this in the core of bulletproof itself.
Yes, BPS does NOT block PayPal or any other payment processing plugins or scripts. BPS is a website security plugin that ONLY blocks unsafe coding, coding vulnerabilities and coding exploits. If a plugin is simulating a hacking attempt or doing something unsafe then BPS will block whatever unsafe coding thing it is doing to protect the website. If the problem is with an unsafe redirection (simulating an RFI/XSS/CSRF hacking attempt against the website) done by the amember plugin then the unsafe redirection is the real problem and not a conflict with the payment processing script itself. please post the redirection URL.
thanks for reply
Right
but the redirection URL. is the “thank you”page which toke the verification string from payment gateway and active the account .
it is on my website and doesn’t redirect to external domain.
here is the url
http://www.mydomain.com/amember/plugins/payment/gateway/thanks.php
the process is the follows sign up on mydomain–(redirect to)-> payment gate way –(redirect to)–>mydomain/thankyoupage
hope this clear the problem
The problem is going to be in “how” the redirection is done, the actual technique or method, and not the redirect URL itself then (whether or not it is internal or external). Does the payment gateway actually send someone to PayPal and then back to your website? If that is the case then you would typically add the redirect URL in your PayPal account itself, but there are of course other ways to do the redirect. So how is the redirect done? Is it done using a redirect query string? if so, what is that query string? is the redirect done with a wrapper like allow_url_fopen or cURL, etc.? What i would need to see is the actual query string or code that is doing the redirect/processing.
if amember is outside of WordPress then it is considered a 3rd party app and you would use a skip/bypass rule like this below.
Or another approach to take would be to create a skip/bypass rule for the plugin folder itself.
# skip/bypass payment gateway RewriteCond %{REQUEST_URI} ^/wp-content/plugins/payment/ [NC] RewriteRule . - [S=13]And yet another way to not have BPS security filters applied to amember would be to create a RewriteEngine Off .htaccess file and upload it to the amember folder.
Use NotePad (not Word or WordPad) add this one line of text in the file: RewriteEngine Off
and save the file with this name: nosecurity.htaccess. Then upload the file to the /amember folder and rename it to just .htaccess.
great
but the location is as the follows
the script it self locate in wordpress –root level
amember (folder)
wp-admin(folder)
wp-content
–etc
the payment plugin
locate inside amember folder (responsible of payment integration)
this which have the thank youpage
then the amember plugin (which allow integration between amember and wordpress)
locate inside wp-content-plugins
i don’t know how the redirection done if i could send you the files of payment plugin by email so you could know how the redirection done .
Ok then just take the coding examples i gave you and modify them as necessary. Also take a look at this page for other examples of skip/bypass rules to try >>> http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/
We do not offer that kind of testing service for BPS free and besides that is a premium plugin with licensing restrictions – even testing a premium plugin without purchasing a license or getting permission from the software creator is illegal.
yes i know i have the license of the software
the only solution that come with me as i told you before is to add the default .htaccess file and put it on the amember folder and it works just fine but the question is it safe to do this ? (is it more secure )?
any thing else doesn’t work . 🙁
Well obviously this means that you do not have any security on the amember folder or plugin or scripts so what you can do is download the BPS secure.htaccess and comment out all the security filters and upload it for testing. then uncomment 4 security filters at a time to find out which ones are blocking amember. keep uncommenting 4 security filters until you find the security filter or security filters that will not work with amember for whatever reason.
The general idea is you will at least have as many of the BPS security filters as possible for the amember folder .htaccess file. And maybe you can contact them about the security filters that are blocking amember to find out why the amember code is being blocked. Maybe they can provide a better coding solution. BPS only blocks things that leave your website vulnerable to hacking attempts so whatever BPS is blocking is not good for your entire site and it would be better to just allow it in ONLY the amember folder.
you are right but new issue that comes
after adding no security .httaccess to amember folder the process of amember and wordpress integration broken not suppose to put any .htaccess in amember folder .
so i need to add skip/bypass rule for
amember folder(the whole script)
and the plugin (responsible of integration with wordpress) located in wp-content/plugins
the location is as the follows
the script it self locate in wordpress –root level
amember (folder)
wp-admin(folder)
wp-content
–etc
the payment plugin
locate inside amember folder (responsible of payment integration)
this which have the thank youpage
then the amember plugin (which allow integration between amember and wordpress)
locate inside wp-content-plugins
could you please help me with that
thank you so much this works for me
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/payment/ [NC]
RewriteRule . – [S=13]
should i put it to custom code to be automatic put in the future updates ?
thank you again
Glad to hear a simple skip/bypass rule works. Yes, add the skip/bypass rule to the Root Custom Code text box for plugin fixes, then click the AutoMagic buttons and activate BulletProof Mode for your Root folder again. Thanks.
hey, do you guys offer an affiliate program?
Not yet, but very soon. Thanks.
I just upgraded from WP 3.4.1 to 3.4.2, which appeared to be successful.BPS Free was installed months ago and has worked perfectly until the WP 3.4.2 upgrade today. The admin backend appears fine. All pages are present in admin and editable and no errors are reported by BPS. The navigation menu looks intact, but all links on the menus get an Error 404. I deactivated all of the plugins, including BPS, but that did not stop the 404 errors. In admin, I saved the Appearance > Menus page … and the menu links to all of the articles re-appeared! I reactivated plugins one by one, beginning with those that are purely cosmetic and checked each one from the frontend. The last plugin I reactivated was Bullet Proof Security and all menu 404 errors returned again. I deactivated BPS, but menu links still did not work. So, I reactivated BPS again and set Activate Security Modes to the default setting and everything worked again, so I stopped. I confirmed that .htaccess files were set to 644 permission via my FTP client. No changes were needed. I did not find any of my plugins in the conflict plugins list.
Ok i see that back on 4/28 you also had this same problem. What i suspect is going on is your Host uses cPanel and the problem is being caused by the broken cPanel HotLink Protection Tool – http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/. If this is not being caused by that then some other plugin is wiping out/deleting the root htaccess code – probably as soon as the root .htaccess file is unlocked. reactivating Root folder BulletProof Mode is creating/copying a new root .htaccess file for your website. So most likely something, either the cPanel HotLink Protection Tool or another plugin, is removing the BPS .htaccess code when the root .htaccess file is unlocked.
The cPanel hotlink protection is disabled, although if it is not working properly that may be meaningless. Is this problem easier to diagnose and correct with BS Pro installed?
I forgot to mention that I have two other sites on the same server with BPS Free installed and they work without problems. Of course, if the Hotlink Protection is wonky, maybe I just got lucky.
Just yesterday I personally fixed a website with the broken hotlink protection tool problem. the hosting account had over 20 websites in it. 19 of the websites were working fine with the exception of one website, which was not working correctly because of the broken HotLink Protection tool. the broken cPanel HotLink Protection tool attempts to automatically create hotlink protection code for your website. this would be great if it actually worked correctly, but it does not and instead creates gibberish code that ends up breaking BPS, other plugins, your website and WordPress itself.
The problem is outside of BPS and is isolated to your cPanel and the broken HotLink Protection Tool itself. These are the steps to fix the problem that work the best. Unlock your root .htaccess file and delete any code that you see in any of the Hotlink boxes, click the disable button (this only works temporarily/one time per event), very quickly lock your root .htaccess file again.
Okay … in cPanel, Hotlink Protection is shown to be disabled, but the boxes are filled in. Deleting the entries in the boxes and hotting submit does not work. When viewing the status of Hotlink Protection, the original entries are restored and the status is indicated as being disabled. It’s broken, it seems. Here’s the contents of the .htaccess files I found:
In site webroot .htaccess:
RewriteEngine On RewriteCond %{HTTP_HOST} ^(www.)?scriptnurse.com$ RewriteRule ^(/)?$ wp [L] RewriteRule .*\.()$ - [F,NC] RewriteRule .*\.()$ - [F,NC] RewriteRule .*\.()$ - [F,NC] RewriteRule .*\.()$ - [F,NC] RewriteRule .*\.()$ - [F,NC] RewriteRule .*\.()$ - [F,NC] RewriteRule .*\.()$ - [F,NC] In /wp/ .htaccess: # BULLETPROOF PRO 5.D DEFAULT .HTACCESS # If you edit the line of code above you will see error messages on the BPS Security Status page # WARNING!!! THE default.htaccess FILE DOES NOT PROTECT YOUR WEBSITE AGAINST HACKERS # This is a standard generic htaccess file that does NOT provide any website security # The DEFAULT .HTACCESS file should be used for testing and troubleshooting purposes only # BEGIN WordPress RewriteEngine On RewriteBase /wp/ RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /wp/index.php [L] # END WordPressI’m still researching to see if there are any workarounds for this problem.
Yes, the cPanel HotLink Protection Tool has been broken since at at least 2002 – 10+ years. These are the only steps i have found that work. http://wordpress.org/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files
Maybe you can contact your web host and ask them to remove this tool from cPanel.
Oh also in some cases depending on the Host i have had to also delete all root .htaccess files, then delete the hotlink protection code and then create a new root htaccess file and lock it.
And one of these days i will research this broken tool some more and find out exactly how it works so that i can completely block it with BPS, since it is basically just as malicious and destructive just as if your website was hacked by a hacker.
The problem is outside of BPS and is isolated to your cPanel
and the broken HotLink Protection Tool itself.
These are the steps to fix the problem that works the best:
1. Unlock your root .htaccess file and delete any code that
you see in any of the Hotlink boxes.
I can’t do this as it keeps putting it back.
2. Click the disable button (this only works temporarily/one
time per event).
The service always shows as disabled. I tried enabling it, but it always comes back indicating that it is disabled.
3. Very quickly lock your root .htaccess file again.
When you say “unlock” and “lock” the root .htaccess file, where is this done?
What will happen if the hosting provider removes the cPanel Hotlink Protection Tool before I make any changes?
The cPanel HotLink Protection tool is completely broken – nothing about that tool works as it should, so the only other thing you can try is to delete your root .htaccess file and then quickly activate a new root .htaccess file and lock it. If your host permanently removes this tool then you will never have to fix this problem again.
Hello,
I had your plugin installed, and after only 2 days of being up, I was hacked by “hmei7”. My host said they created another user and injected hacking tools that way. I don’t know if it’s true or not, or exactly how they did it, and I’m not saying your plugin doesn’t offer some protection… I’m just wondering how he might have done it and what else I can do in the future to protect myself further…
I’m using the free version of BPS…cPanel at namecheap… Plugins I had installed were Akismet, bb: Usage Stats, BulletProof, Google XML Sitemaps, NextGen Gallery, nRelate Flyout, Post Teaser, Shareaholic, Slick Contact Forms, Sliderly, Subscribe2
That’s it… Also theme is called Silver Orchard Gazpo. I had some communication with the theme author, he swears it’s a host/server security issue and not a result of his theme.
Anything else you can recommend or suggest appreciated.
Also, is your plugin in direct conflict with Better WP Security….? Is it okay to use them together?
Cheers
Hmei7 is an Indonesian defacement hacker. His method of hacking is to exploit WebDav and FTP. If your host Server is vulnerable to this type of exploit then you need to make sure that Frontpage extensions are not loaded on your website and also change all of your FTP passwords. This hacker also uses Brute Force FTP cracking tools to crack FTP passwords. On a positive note Hmei7 is a young hacker that is just flexing his brain muscles and does not do cyber crime theft and only does defacement hacking.
So to recap make sure you do not have Frontpage extensions loaded on your website from cPanel and change all of your passwords and make the new passwords very strong passwords – especially your FTP password since that is a primary target of this hacker. And this type of hack is outside the range of protection that BPS can offer because it is an exploit against your Host Server and password cracking and not an attack against your individual website.
If you want another good security plugin then install Wordfence with BPS. Thanks.
Hello,
wordpress Standard install.
Server API: apache2handler – Host Server is using DSO or another SAPI type.
Website Root Folder: http://www.np.phy.cam.ac.uk
Document Root Path: /site/htdocs
WP ABSPATH: /site/htdocs/
1. Had to manually copy / rename htaccess files to their final resting place before BPS would work. No amount of file permission editing helped.
2. BPS breaks the settings / general link in the wordpress dashboard.
I would like to buy pro for this and all the other sites I manage but need to see it working without issues first.
Cheers and thanks for your efforts!
Yes, unfortunately the BPS and BPS Pro automation will not work on some DSO configured Servers depending on how ownership permissions are configured. We are working on additional coding to compensate for DSO, but at this time BPS Pro is not compatible with this type of Server configuration. Thanks.
Thank You, I think some of my recent comments had spam. They were very hard to delete.
Since the update to .47.3, I’ve started receiving the alert: “BPS Alert! Your site does not appear to be protected by BulletProof Security”. Checking the htaccess file, it seems to be ok. I’ve tried to create new secure.htaccess files using BPS and activating them, but after some time the warning returns.
The parts in red on the “Security Status” tab are:
Either a BPS .htaccess file was NOT found in your root folder or you have not activated BulletProof Mode for your Root folder yet, Default Mode is activated, Maintenance Mode is activated or the version of the htaccess file that you are using is not .47.3 or the BPS QUERY STRING EXPLOITS code does not exist in your root .htaccess file. Please read the Read Me button above.
wp-config.php is NOT .htaccess protected by BPS
==
and:
The WP readme.html file is not .htaccess protected
==
Everything else is in green. Any tips?
Sounds like the broken cPanel HotLink Protection Tool problem. See this post for details about the problem and the solution: http://wordpress.org/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files
Thanks! It doesn’t seem to be the case, as my host use DirectAdmin… Anyway: yesterday I received the message (but I checked the .htaccess file and it included BPS rules), created and activated new secure.htaccess files, and some hours ago received the message again. I did it again and since yesterday it seems to be ok.
Ok if it happens again then use the AITpro contact form and copy the entire contents of your root .htaccess file and send it to us.
I am having a problem with BPS and a plugin Events Made Easy. Up until recently everything was working. Now I get a 403 and a 500 error. I talked with my Hosting service, they checked the permissions on the site, and said there should not be a problem that the permissions have not changed. However the problem still presents. If we disable the BPS plugin everything works. If we restore the original htaccess file everything works. Not sure what information you need, I will be happy to send anything for your review.
I have had this issue several times now, with a 403/500 error when using a form within the Events Made Easy plugin. The first time I uninstalled and reinstalled the plugin. This last time that did not work and I contacted my Hosting Provider, who looked at the site and deactivated BPS, the problem went away. Apon re activation the problem returned. I’m not sure what information you would need, I have used the Events Made Easy plugin for several years and it is a major part of my website.
Let me know what you would need.
Thank You
Please see this comment thread for the cause of this issue and a workaround solution. http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/comment-page-1/#comment-12887
The Events Made Easy plugin author has been notified about the coding issue that needs to be corrected. thanks.
After updating all my plugins, i then got this BPS error:
“BPS Alert! Your site does not appear to be protected by BulletProof Security
If you are upgrading BPS – BPS will now automatically update your htaccess files and add any new security filters automatically.
Refresh your Browser to clear this Alert
Any custom htaccess code or modifications that you have made will not be altered/changed. Activating BulletProof Modes again after upgrading BPS is no longer necessary.
In order for BPS to automatically update htaccess files you will need to stay current with BPS plugin updates and install the latest BPS plugin updates when they are available.
If refreshing your Browser does not clear this alert then you will need to create new Master htaccess files with the AutoMagic buttons and Activate All BulletProof Modes.
If your site is in Maintenance Mode your site is protected by BPS and this Alert will remain to remind you to put your site back in BulletProof Mode again.
If your site is in Default Mode then it is not protected by BulletProof Security. Check the BPS Security Status page to view your BPS Security Status information.
BPS Alert! A valid BPS htaccess file was NOT found in your wp-admin folder
If you are upgrading BPS this Alert will go away after you Refresh your Browser.
If you still see this Alert after refreshing your Browser then Activate BulletProof Mode for your wp-admin folder.
BulletProof Mode for the wp-admin folder MUST be activated when you have BulletProof Mode activated for the Root folder.
Check the BPS Security Status page to view your BPS Security Status.”
I tried resolving this error by doing the suggested solution, tried creating default .htaccess file and etc. but I still wasn’t successful in resolving this one. HELP! :'(
Is your website hosted on Windows and not Linux. Your URL link points to a Windows Hosted IIS7 Server. .htaccess files can only be used on Apache Linux Servers. Also WordPress is not installed at the URL you posted with. is this for another website with WordPress installed?
Hello,
I successfully installed and enabled Bulletproof but was not using custom permalinks, so I was getting the permalink error at the top. When I navigated to the Permalinks tab to try to change that setting, Bulletproof suddenly turned itself off and I had to return to the Bulletproof tab to turn it on again. I’ve tried it a couple times with the same results.
Am I doing things in the wrong order? Thanks!
What happens when you choose a new custom permalink structure and save it is that you are allowing WordPress to create a new .htaccess file. So after you have chosen your custom permalink structure then you will need to click the AutoMagic Buttons and Activate BulletProof Mode for your Root folder again. You may need to refresh your Browser to make the alert go away. Please see this post on the choosing a custom permalink structure for your website >>> http://www.ait-pro.com/aitpro-blog/2304/misc-projects/wordpress-tips-tricks-fixes/permalinks-wordpress-custom-permalinks-wordpress-best-wordpress-permalinks-structure/
When I install BPS Pro my whole wp-admin folder is inaccessible via the Dashboard/login – the screen is blank. I try view source – but its empty. The only way I can get back in to wp is to rename the BPS plugin folder… help
Do you have Windows Hosting or Linux Hosting?
Also if you have Linux Hosting your Host may require that .htaccess files have 644 permissions and will not allow 404 permissions for .htaccess files on your website. FTP to your website and change the file permission for your root .htaccess file to 644.
Tried that. Its a linux host.
My .htaccess file was 0644.
I even reinstalled the plugin, it didn’t create a new .htaccess in public_html/
The front end is fine, but the dashboard is blank.
Ok at this point take a look at the General Troubleshooting steps here >>> http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/
And also post your website’s System Information below that you will find on the BPS System Info page.
Server Type:
Operating System:
Server API:
Multisite:
Im on latest wordpress version 3.4.1. and your plugin is working fine. Im just a little confused. I want to put in a 301 redirect on a post and because i have your plugin installed what used to be a simple .htaccess file with a list of 301 redirects is now all scrambled (for security i know) so i don’t know where to put it. Can you advise please. I read all your info but it still confuses me and i dont like messing with my .htaccess file thanks
here is what i have activated:
The .htaccess file that is activated in your root folder is:
BULLETPROOF .47.3 >>>>>>> SECURE .HTACCESS
√ wp-config.php is htaccess protected by BPS
√ php.ini and php5.ini are htaccess protected by BPS
thanks alot
Moray
You would add your 301 Redirect coding in the Custom Code bottom text box – CUSTOM CODE BOTTOM: Add miscellaneous custom htaccess code here – and save it.
Then go to Security Modes, click the AutoMagic buttons and Activate BulletProof Mode for your Root folder.
Thanks alot for the quick response. Just out of interest how do I revert .htaccess file if I wanted to deactivate plugin? In other words can I undo current security?
BPS has built-in troubleshooting capability to quickly revert to Default Mode (no security) and BulletProof Mode (full security) and BPS removal steps can be found here >>> http://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/
Thanks so much- your security plugin is great but I get a bit nervous when I see code encrypted so youve made me feel alot better. Great service thanks
Moray
Your welcome and yep completely understandable – the .htaccess security coding looks a little scary. If you check around the Internet block you will see that we are one of the good guys so you are in good hands with BPS. Have a great day.
Hi,
I have a few basic questions about your excellent security software.
I have posted the questions at
http://wordpress.org/support/topic/bulletproof-security-basic-questions-1?replies=1
Should I post the questions here once again?
Looking forward to your response.
Regards
Roy
Answered on the BPS plugin support page >>> http://wordpress.org/support/topic/bulletproof-security-basic-questions-1?replies=2#post-3098669