BulletProof Security Pro ~ Zip Installation & Backup
|
Built-in Zip Backup ~ Zip Upload ~ Zip Download ~ Zip Install
|
The WordPress Upload Zip Installer is nice, but we wanted to include Zip Backup so we went ahead and just added a Zip Upload Installer to BPS with some other bennies too. If you are installing BPS Pro using the WordPress PCLZIP Upload Zip installer then rename the existing /plugins/bulletproof-security folder to something like /old-bulletproof-security first, otherwise a number will be appended to the /bulletproof-security folder on installation. Example: /bulletproof-security2, /bulletproof-security3, etc. |
|
|
B-Core ~ Htaccess Core Security
|
New Menu Tabs / Pages Added to B~Core & New S-Monitor AutoRestore Status Display
|
You will see 2 new menu tabs / pages in B-Core: AutoRestore CM and Custom Code – shown in this screenshot. Screenshots of the 2 new pages in BPS Pro 5.1.5 B-Core have also been added. There is also a new S-Monitor option to display the AutoRestore Status. The AutoRestore Status is shown with this new S-Monitor option set to display in the WP Dashboard.
As of BPS Pro 5.1.6 AutoRestore now has its own Menu link and designated options page.
|
|
|
BulletProof Security Modes
|
BPS Pro 5.1 now has AutoMagic buttons for Standard WordPress Single Sites, Network / MU Sub-directory Sites and Network / MU Sub-domain sites. BPS Pro detects what type of WordPress installation you have and tells you which AutoMagic buttons you should use for your WordPress site. Create your site’s Master .htaccess files with AutoMagic and then Activate all BulletProof Modes (activate your Master .htaccess files that you created with AutoMagic). It is recommended that after you create your Master .htaccess files with AutoMagic you take a quick look at them using the BPS Pro .htaccess File Editor before Activating them. If you have additional .htaccess code that you want to add to the Master .htaccess files then you can add it with the File Editor and then Activate BulletProof Modes. HTTP Error logging / 403 Error logging is enabled by default and custom 403.php, 404.php and 400.php logging files are included with BPS Pro. |
|
|
BulletProof Security Status
|
Security Status displays information about what is set up or not set up or what might be set up incorrectly. Security Status also displays your current file and folder permissions and will detect your Server API. If your SAPI is CGI you will see file and folder permission recommendations for CGI. If your SAPI is DSO – Apache mod_php you will see file and folder permission recommendations for DSO. Security Status displays additional security status info and finally displays general file checks for your website files and for BPS plugin files. |
|
|
System Info
|
System Info provides extensive information about your WordPress site, Server and your Environment. |
|
|
BulletProof Security Backup & Restore
|
Built-in Backup and Restore for all your .htaccess files. Backup and Restore can be used when upgrading BPS Pro and for first time installations of BPS Pro. When you install BPS Pro nothing has changed on your website regarding .htaccess files – Only BPS Pro plugin files are installed. Perform a Backup first to backup any existing .htaccess files before Activating BulletProof Modes. |
|
|
BulletProof Security File .htaccess File Editing / Uploads – Downloads
|
BPS Pro has a built-in .htaccess File Editor so that you can edit your BPS Master .htaccess files and your currently active .htaccess files. Upload and download are provided as additional options to handle your backed up .htaccess files and your Master .htaccess files. A file locking and unlocking option has been added to the BPS File Editor so that you can quickly Lock or Unlock your currently active Root .htaccess file. If you forget to lock your Root .htaccess file BPS will let you know that it is not locked. A Server API check is performed so if you have PHP running as a CGI you will see the Lock and Unlock buttons. If you have DSO – mod_php you will not see the Lock and Unlock buttons. DSO file permissions should be set to 644 and 644 allows writing so there is no need for file locking if you have DSO. |
|
|
BulletProof Security AutoRestore CM
|
This new website security feature is a countermeasure security approach to Brute Force FTP Password Cracking attacks against your Web Host Server directly that lead to code injection into the WP Core Root files. BPS already protects your website from direct hacking attempts against your website, but BPS cannot protect your Web Host Server directly. There are 3 monitoring and alerting options for AutoRestore CM. 1. Display the AutoRestore Status in your WP Dashboard or BPS pages Only. 2. Send an email alert if a file is restored. 3. AutoRestore Log – logs the filename, the date and time it was automatically restored and the contents of the file that was restored. NOTE: The BPS Root .htaccess file is also protected with AutoRestore, and if you edit your Root .htaccess file while AutoRestore is on, your newly edited Root .htaccess file is automatically backed up to the AutoRestore folder so that it is current and identical. NOTE: If a Host Server is compromised / hacked it is even possible to bypass F-Lock and still write to a file that is locked with Read-Only permissions. You may never need AutoRestore, but it is nice to know that if your Host Server is compromised and code is injected into your WP Core Root files they will be automatically restored with good backup files.
As of BPS Pro 5.1.6 AutoRestore now has its own Menu link and designated options page.
|
|
BulletProof Security Custom Code
|
Custom Code and AutoMagic: Any custom .htaccess code that you save here will be saved to your WP Database permanently and automatically be created in your Root .htaccess file when you click the Create secure.htaccess File AutoMagic button. You can add a php.ini handler or any other custom .htaccess code that you want to be automatically created with AutoMagic. |
|
|
BulletProof Security Maintenance Mode
|
Maintenance Mode allows you to create a custom Website Under Maintenance page on the fly and put your site in HTTP 503 Status. You can continue to work on your site while everyone else sees a Website Under Maintenance page displayed. BPS creates a new Master .htaccess file based on your current IP address and when you click Activate that Master file is activated for your website. To exit Maintenance Mode and open your site to visitors you simply Activate BulletProof Mode again. |
|
|
My Notes
|
This is a handy feature to store any notes you may have about your particular .htaccess files. You may have custom .htaccess code that you want to save here that is specific to your particular Web Host. You may have an additional step or two that you want to remind yourself about in-between upgrades or you could just copy your entire Root .htaccess file into My Notes. The general idea is that this is a place for you to store reminders permanently. |
|
|
B-Core Help & FAQ
|
Each component of BPS Pro has a Help and FAQ page with help links provided that open in a new browser window. |
|
|
P-Security ~ php.ini Security & Performance
|
PHP.ini Options – php.ini Finder, php.ini Creator and php.ini File Manager / All Purpose File Manager
|
Search for existing php.ini files. Create a Master php.ini file with a couple of clicks. Create a new custom php.ini file for your website based on the Master php.ini file. Add the path to a file in an available File Manager Slot to open, view and edit those files using the php.ini File Editor / All Purpose File Editor. Your Label is automatically added to the drop down select list for the All Purpose File Editor. The php.ini master file maker and creator use the same general creation methods as B-Core .htaccess file creation. |
|
|
PHP.ini File Editor ~ All Purpose File Editor / Viewer
|
You can open, view and edit any type of file including Server Protected files using the All Purpose File Editor. php.ini files, .php files, .htaccess files, log files, etc. The custom Labels that you add in the File Manager Slots will be displayed in the drop down select list. |
|
|
All Purpose File Editor / Viewer – HTTP Error Log / 403 Error Log
|
The BPS HTTP 403 Error Log is shown below opened with the All Purpose File Editor. |
|
|
All Purpose File Editor / Viewer – Base64 Decoder Log
|
The Base64 Decoder Log Text File used for the Online Base64 Decoder is shown below opened with the All Purpose File Editor. |
|
|
PHP Error Log – .htaccess Protected
|
The PHP Error Log has its own dedicated page as PHP errors are a common thing for most websites. Set the folder path location for your PHP error log. The default BPS Pro location is .htaccess protected so that only you can view your php error log. BPS will alert you each time a new php error occurs on your website and you can quickly check what the error is and then click Reset Last Modified in DB to synchronize the last modified time of your error log file with the last modified time in your DB. |
|
|
PHP Error Log – php error log check and displayed php error alert
|
|
|
PHP Info Viewer / Multi Viewer – htaccess Protected
|
Allows you to view your PHP Server Configuration file safely and securely with .htaccess protection. Use the PHP Info Viewer to view your phpinfo file for your entire site or you can create phpinfo files for specific folders with the Multi Viewer. |
|
|
Phpinfo File – htaccess Protected
|
A standard PHP Server Configuration file is shown below using the PHP Info Viewer. |
|
|
Php.ini Security Status
|
Displays the Primary Security and Performance features added by your BPS Pro custom php.ini file. If a problem exists with your php.ini file BPS Pro will automatically alert you of the problem and provide help info and links to fix the issue. The Security Status page displays your individual php.ini directive settings in your custom php.ini file in real time to ensure that they are all set with the optimum php.ini directive settings for WordPress sites. A green or red status indicator lets you know visually if each directive has an optimum setting for Security and Performance with a full description of what each individual php.ini directive does. By default when you create your custom php.ini file all status indicators should display green as the optimum php.ini directive settings have already been configured for WordPress in the BPS Pro Master php.ini files. |
|
|
P-Security Help & FAQ
|
Each component of BPS Pro has a Help and FAQ page with help links provided that open in a new browser window. |
|
|
S-Monitor ~ Security Monitoring and Alerting
|
Monitoring and Alerting Options – Displayed and Email Alerts
|
S-Monitor allows you to choose how you want warning and error alerts displayed to you. You can choose to have warnings and alerts displayed in your WP Dashboard, BPS Pro pages only or turn alerts and warnings off for individual options. S-Monitor monitors every aspect of BPS Pro itself for problems and errors as well as external alerts like PHP errors that occur on your website or files in an unlocked status. Additional monitoring and alerting options will be added to each new version release of BPS Pro. |
|
|
S-Monitor ~ Whats New
|
The Whats New page displays significant improvements to each new version release of BPS Pro and any other important information for each new version release of BPS Pro. Whats New also explains some general things about BPS Pro, such as what is affected and not affected when upgrading BPS Pro. |
|
|
S-Monitor Help & FAQ
|
Each component of BPS Pro has a Help and FAQ page with help links provided that open in a new browser window. |
|
|
BulletProof Security Pro ~ Pro Tools
|
Online Base64 Decoder / Decompression
|
The Online Base64 Decoder allows you to safely and securely decode known hackers scripts. When you install BPS Pro 5.1 your site automatically starts tracking hacking attempts on your website and you will find lots of hackers scripts to decode. 😉 The Online Base64 Decoder has 13 of the most common base64 and compression functions used by hackers to disguise (encode / decode) their hacking scripts. The way the Online Base64 Decoder works is that you enter the hackers script into the text window, decode it and the decoded code is written to a text file, which you can then Zip and download to your computer. This is not the most convenient method of decoding hackers scripts, but it is 100% safe. Outputting dangerous hackers code to your browser window could cause you to be kicked out of your own website with a malicious script detected warning. Browsers now look for certain PHP functions or hackers “tags” and will generate these warnings even when you are viewing a text file Online. The Offline Base64 Decoder will output decoded code directly to the browser window. It is very convenient, but use this tool with extreme caution. It is recommended that you ONLY use it Offline. Offline use would be installing XAMPP or MAMP and installing WordPress and BPS Pro on your computer to decode known hackers scripts. |
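The decode-to-file workflow described above, as an added Python example (not BPS Pro code, which is a PHP plugin). The set of supported PHP functions, the size cap and all names here are assumptions; the page does not list the 13 functions the tool offers.

```python
import base64
import codecs
import tempfile
import zlib
from pathlib import Path

MAX_OUT = 5 * 1024 * 1024  # per-layer output cap against decompression bombs


def _inflate(data: bytes, wbits: int, limit: int) -> bytes:
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, limit)
    if not d.eof:  # stream did not finish inside the cap
        raise ValueError("layer is truncated or exceeds the size limit")
    return out


# PHP function name -> equivalent static transform (assumed subset).
DECODERS = {
    "base64_decode": lambda b, n: base64.b64decode(b),
    "gzinflate": lambda b, n: _inflate(b, -zlib.MAX_WBITS, n),     # raw DEFLATE
    "gzuncompress": lambda b, n: _inflate(b, zlib.MAX_WBITS, n),   # zlib stream
    "gzdecode": lambda b, n: _inflate(b, 16 + zlib.MAX_WBITS, n),  # gzip
    "str_rot13": lambda b, n: codecs.encode(
        b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b, n: b[::-1],
}


def decode_layers(payload: bytes, chain, limit: int = MAX_OUT) -> bytes:
    """Apply the named transforms innermost-first. Nothing is ever executed."""
    data = payload
    for name in chain:
        if name not in DECODERS:
            raise ValueError(f"unsupported function: {name}")
        data = DECODERS[name](data, limit)
    return data


def decode_to_file(payload: bytes, chain, out_path: Path) -> int:
    """Write the decoded bytes to a text file for review; return the size."""
    data = decode_layers(payload, chain)
    out_path.write_bytes(data)
    return len(data)


def pack_sample(plain: bytes) -> bytes:
    """Build a constructed sample: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return base64.b64encode(c.compress(plain) + c.flush())


def demo() -> str:
    # Constructed stand-in for the eval(gzinflate(base64_decode('...'))) idiom.
    payload = pack_sample(b"<?php echo 'constructed sample'; ?>")
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp, "decoded.txt")
        decode_to_file(payload, ["base64_decode", "gzinflate"], out)
        return out.read_text()


if __name__ == "__main__":
    print(demo())
```

Because the result only ever lands in a file, the decoded script is never rendered or evaluated, which is the property the Online decoder relies on.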
|
|
Offline Base64 Decoder / Encoder / Decompression / Compression
|
The Offline Base64 Decoder / Encoder has 13 Decoding options and 13 Encoding options. The decoding and encoding options are numbered. Encoding with option #1 can be decoded with decoding option #1, encoding with option #2 can be decoded with decoding option #2, etc. The Offline Base64 Decoder is very convenient to use, but use it with caution. It will output decoded code directly to your browser window. Most browsers nowadays are designed to look for PHP functions and hackers “tags” and if these functions and “tags” are seen you will see a malicious script warning alert from your browser and you will get kicked out of your own website. The code is output as Raw code and IS NOT PROCESSED OR EXECUTED, but just viewing the Raw code output in your browser window is enough to cause a malicious script detected warning. It is recommended that you ONLY use it Offline. Offline use would be installing XAMPP or MAMP and installing WordPress and BPS Pro on your computer to decode known hackers scripts. Obviously if you are encoding or decoding known good scripts, or text or code that you created, then you can use this tool safely Online. |
|
|
Mycrypt ~ Decrypt / Encrypt
|
The Mycrypt tool allows you to encrypt or decrypt code, text or scripts with the mcrypt decrypt and encrypt functions. |
|
|
Crypt – Crypt Encryption – One Way string hashing
|
The Crypt tool allows you to choose from several different crypt options. This tool can be used to test what crypt functions are allowed on your Host Server and has some other possible practical uses. |
|
|
Scheduled Cron Jobs
|
Scheduled Crons displays all Cron jobs that are scheduled to run on your website. |
|
|
String / Function Finder – Find Strings, Code, Functions, etc. in Files Sitewide
|
Allows you to find any string in files throughout your website or websites. The output of the string search example shown in the screenshot shows that the string search term was “base64_decode” and that the string search term was found 128 times in files. The URL to the file is displayed, along with the code line where the string was found and the code or text before and after the string search result. |
|
|
String Replacer / Remover ~ Preview Mode & Write Mode – Replace / Remove Strings, Code, Functions, etc. in Files Sitewide
|
Allows you to find any string in files throughout your website or websites and replace or remove those strings. Due to Web Host load constraints it is advised that you search by specific folders (Example: /wp-content/plugins/) rather than using this tool to do a sitewide search (Example: /public_html). The output of the string search and replace example shown in the screenshot shows that the string search term “Bad JuJu Test” was found 2 times in files and replaced 2 times with the new string “My New String”. This example shows a string search and replace in Preview Mode. Preview Mode is strictly visual string replacement and not permanent string replacement. To permanently perform a string replacement or removal you would use Write Mode. Preview Mode is a safe way to test your string replacement or removal before actually performing this action (a dry run test). The URL to the file is displayed, along with the code line where the string was found and replaced with the new string, and the code or text before and after the string replacement result. |
|
|
DB String Finder – Search Entire WP Database in one shot for Strings, Code, etc.
|
Searching your WordPress Database is not a big deal. Being able to search your entire WordPress DB in one shot is another thing entirely and is a big deal. Typically you have to specify a table or row to search with a query or else it will not return results. The DB String Finder does not have this limitation and will search your entire WP DB in one shot for strings, code or text, etc. The DB String Finder will display all occurrences of your search string and if found in multiple tables will display all of the tables with your search string highlighted. Currently the text formatting needs some work: in order to display a very large amount of database search results with all relevant surrounding table data, the font size has been reduced to a very small font size. We are working on this visual issue, but the most important thing is that the maximum amount of search data is returned and that all search strings are returned in the search results. |
|
Search performed for “password” results in several Database Tables returned in the search. |
|
DB Table Cleaner / Remover
|
Drop and Delete Top level tables from your WordPress Database. This is a bonus item that was “borrowed” from the WP-DBManager plugin. This tool will most likely be removed in BPS Pro 5.2. |
|
|
Pro-Tools Help & FAQ
|
Each component of BPS Pro has a Help and FAQ page with help links provided that open in a new browser window. |
|
|
BulletProof Security Pro ~ AutoRestore
|
|
AutoRestore Root
|
This new website security feature is a countermeasure security approach to Brute Force FTP Password Cracking attacks and other attacks directed at your Web Host Server directly that lead to code injection into the WP Core Root files. BPS already protects your website from direct hacking attempts against your website, but it is not possible for BPS Pro to protect your Web Host Server directly. AutoRestore is countermeasure website security that will automatically restore your WP Core Root Files if a hacker has compromised your Web Host Server and injected code into your WP Core Root files. The most vulnerable files in this type of direct attack on a Web Host Server are the WP Core Root files.
There are 4 monitoring and alerting options for AutoRestore. 1. Display the AutoRestore Status in your WP Dashboard or BPS pages Only. 2. Send an email alert if a file is restored. 3. AutoRestore Log – logs the file name, file path, date and time a file was automatically restored and the entire contents of the file that was restored. 4. WP Dashboard AutoRestore Alert – if a file is restored with AutoRestore you will see an AutoRestore Alert!!! warning alert in your WordPress Dashboard. To clear the AutoRestore Alert message click on the Click Here link contained in the AutoRestore Alert message, which will take you to the AutoRestore page. Click on the Reset Last Modified Time in DB button to clear the AutoRestore Alert message.
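The restore cycle described here and in the AutoRestore CM section above, as an added Python example (not BPS Pro code, which is a PHP plugin). The directory layout, function names and log format are assumptions, and the log records the contents that were replaced, which is one reading of "the contents of the file that was restored".

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def auto_restore(live_dir: Path, backup_dir: Path, log_path: Path) -> list:
    """Restore each live file that differs from its known-good backup copy."""
    restored = []
    for good in sorted(backup_dir.iterdir()):
        live = live_dir / good.name
        if live.exists() and digest(live) == digest(good):
            continue  # unchanged, nothing to do
        # Log name, path, time and the replaced contents before overwriting,
        # so any injected code is preserved as evidence.
        replaced = live.read_bytes() if live.exists() else b"(file was missing)"
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        with log_path.open("a", encoding="utf-8") as log:
            log.write(f"[{stamp}] restored {good.name} ({live})\n")
            log.write(replaced.decode("utf-8", errors="replace") + "\n")
        # Copy beside the target, then rename: the swap is atomic, so a
        # request never sees a half-written file.
        tmp = live.with_name(live.name + ".restore-tmp")
        shutil.copy2(good, tmp)
        tmp.replace(live)
        restored.append(good.name)
    return restored


def refresh_backup(live_file: Path, backup_dir: Path) -> None:
    """After an intentional edit, make the backup current and identical."""
    shutil.copy2(live_file, backup_dir / live_file.name)


def demo():
    """Run the cycle on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "site"), Path(tmp, "autorestore")
        log = Path(tmp, "autorestore.log")
        live.mkdir()
        backup.mkdir()
        original = "<?php require __DIR__ . '/wp-blog-header.php';\n"
        (live / "index.php").write_text(original)
        (live / ".htaccess").write_text("# root rules\n")
        for f in live.iterdir():
            shutil.copy2(f, backup / f.name)
        # Intentional admin edit: the backup is refreshed, so no restore fires.
        (live / ".htaccess").write_text("# root rules\n# custom code\n")
        refresh_backup(live / ".htaccess", backup)
        # Constructed unauthorized change appended to a core root file.
        with (live / "index.php").open("a") as fh:
            fh.write("/* constructed injected marker */\n")
        restored = auto_restore(live, backup, log)
        intact = (live / "index.php").read_text() == original
        return restored, intact, log.read_text()


if __name__ == "__main__":
    print(demo()[0])
```

A check like this only helps if the backup folder and the process running it are harder to reach than the files they protect; keeping the known-good copies outside the web root is the usual choice.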
|
|
|
AutoRestore Log
|
If any files have been restored using AutoRestore the file name, file path, timestamp and the entire contents of the file that was restored are logged. |
|
|
BulletProof Security Pro ~ F-Lock
|
|
F-Lock ~ CGI SAPI
|
F-Lock detects whether your Server API is CGI or DSO and displays your SAPI and either a CGI File Permissions & Status Table or a DSO Permissions & Status Table depending on which SAPI your Web Host is using. The CGI File Permissions & Status Table is shown below. F-Lock allows you to lock your WordPress Mission Critical files on the fly. Mass Code Injection attacks on Web Hosts target these specific files for code injection. Allowing even Read Group permissions (yep, not even Write permissions) on these files makes these WordPress Mission Critical files vulnerable to mass code injection hacking attempts. If a file is unlocked BPS Pro immediately alerts you that a particular file is unlocked. Locked permissions for .htaccess files are 404; locked permissions for WordPress Mission Critical files are 400. |
|
|
F-Lock ~ DSO SAPI
|
F-Lock detects whether your Server API is CGI or DSO and displays your SAPI and either a CGI File Permissions & Status Table or a DSO Permissions & Status Table depending on which SAPI your Web Host is using. The DSO File Permissions & Status Table is shown below. DSO / Apache mod_php file permissions work differently than CGI file permissions. DSO file permissions should be 644. If you set file permissions any more restrictive (400, 404, etc.) in DSO environments then your site will not function correctly or will be down, and most likely you will see 500 Internal Server Errors. |
|
|
F-Lock ~ Help & FAQ
|
Each component of BPS Pro has a Help and FAQ page with help links provided that open in a new browser window. |
|
|
BulletProof Security Pro ~ Activation
|
Activation is required in BPS Pro 5.1. BPS Pro will not function correctly until you have completed the simple 3 step activation process. BPS Pro Activation Keys are website specific. If you have several websites use the Get Key button on each website to get your Activation Key for each website. This ensures that your Activation Key is unique to your website and cannot be used on another website, as well as preventing piracy.
The BulletProof Security Pro license does not have a limitation on the number of websites, website domains and website hosting accounts that you can install BulletProof Security Pro on, as long as these websites, website domains and website hosting accounts are either owned directly by you, supported directly by you or managed directly by you.
|
|
|
|
|