B-Core ~ htaccess Core Security
|
BulletProof Security Modes
|
AutoMagic – Create Your htaccess Files Automatically
|
First back up your existing htaccess files, if you have any: click the Backup & Restore menu tab, select the Backup htaccess files radio button and click the Backup Files button.
AutoMagic – BPS will create Your Master .htaccess Files For You Automatically: BPS detects what type of WordPress installation you have and will tell you which AutoMagic buttons to use for your website.
— Click the Create default.htaccess File button and click the Create secure.htaccess File button
— Click on the Edit/Upload/Download menu tab, then click on the secure.htaccess menu tab to view your new master .htaccess file. Make any changes, edit it or add any additional .htaccess code to it before you activate it.
— Activate BulletProof Mode for your Root folder
— Activate BulletProof Mode for your wp-admin folder
— Activate BulletProof Mode for the BPS Master htaccess folder and the BPS Backup folder
IMPORTANT!!! YOU MUST HAVE BOTH THE ROOT BULLETPROOF MODE AND THE WP-ADMIN BULLETPROOF MODE ACTIVATED. If you do not activate both BulletProof Mode for your root folder and BulletProof Mode for your wp-admin folder then BPS and WP will not work correctly.
Explanation Of The Steps Above: If you see error messages when performing a first time backup do not worry about it. BPS will backup whatever files should be or are available to backup for your website. Clicking the Create default.htaccess File button and the Create secure.htaccess File button will create these two master htaccess files for you. The correct RewriteBase and RewriteRule for your website will be automatically added to these files. The default.htaccess file is the master .htaccess file that is copied to your root folder when you activate Default Mode. Default Mode should only be activated for testing and troubleshooting purposes – it does not provide any website security. The secure.htaccess file is the master .htaccess file that is copied to your root folder when you activate BulletProof Mode for your Root folder. The plugin conflict fixes in the secure.htaccess master file will also have your correct WordPress installation folder name automatically added to it. The htaccess file for your wp-admin folder does not require any editing nor do the Deny All htaccess files. This means that once you have created the default.htaccess file and the secure.htaccess file you can go ahead and activate all BulletProof Modes.
Manual Control of htaccess Files Instead of Using AutoMagic: If you want manual control and want to edit your htaccess files using the built-in BPS File Editor instead of having them automatically created for you then there is no need to click on the AutoMagic create files buttons.
AutoMagic Instruction for WordPress Network (Multisite) Sites BPS will automatically detect whether you have a subdomain or subdirectory Network (Multisite) installation and tell you which AutoMagic buttons to use. BPS menus will only be displayed to Super Admins. BPS only needs to be activated and set up on your Primary site to automatically add protection to all your subsites so DO NOT Network Activate BPS. BPS will not work correctly if you choose Network Activate. There is also no need to activate and set up BPS on any of your other sites. Once BPS is set up on your Primary site it protects all of your sites.
BPS Pro Video Tutorial links can be found in the Help & FAQ pages.
|
|
Activate Website Root Folder .htaccess Security Mode
|
Installing the BulletProof Security plugin does not activate any security modes. If you activate BulletProof Mode for your Root folder you must also activate BulletProof Mode for your wp-admin folder. Perform a backup first before activating any BulletProof Security modes (backs up both currently active root and wp-admin htaccess files at the same time).
What Is Going On here? When you use the AutoMagic buttons you are creating master .htaccess files for your website. Activating Default Mode or BulletProof Mode copies, renames and moves those master .htaccess files default.htaccess or secure.htaccess, depending on what radio button option you choose, from /plugins/bulletproof-security/admin/htaccess/ to your root folder. Default Mode does not have any security protection – it is just a standard generic WordPress .htaccess file that you should only use for testing purposes.
If you are installing BPS for the first time – Help and FAQ links are available on the BPS Help and FAQ page
Info for people who are upgrading BPS Before upgrading or any time you add some additional custom code to your .htaccess files you can save that custom .htaccess code on the My Notes page. This code is saved permanently to your WP database until you edit or delete it. When you upgrade BPS your currently active root and wp-admin .htaccess files are not affected. BPS master .htaccess files are replaced when you upgrade BPS so if you have made changes to your BPS master files that you want to keep make sure they are backed up using Backup and Restore first before upgrading. You can also download copies of the BPS master files to your computer using the BPS File Downloader if you want. When you backup your BPS files this is an online backup so the files will be available to you to restore from if you run into any problems at any point. You should always be using the newest BPS master htaccess files for the latest security protection updates and plugin conflict fixes. Before activating new BPS master files you can use the BPS File Editor to copy and paste any existing htaccess code that you want to keep from your current active htaccess files to the new BPS master htaccess files and save your changes before activating your new BPS htaccess files. You can copy from one .htaccess file editing window to any other window and then save your changes. Or you can copy any new htaccess code from the new BPS master files to your existing currently active htaccess files. If you do this be sure to edit the BPS version number at the top of your currently active htaccess files or you will see BPS error messages. And the My Notes page allows you to save any code you want to save permanently for later use or reminders.
Troubleshooting Error Messages: Check the Edit/Upload/Download page to view your .htaccess files. Click on the Your Current Root htaccess File menu tab to view your actual root .htaccess file. The top of the file tells you which BPS .htaccess file is activated and the BPS version. Check that the BPS QUERY STRING EXPLOITS code does exist in your root .htaccess file. When you update your WordPress Permalinks the BPSQSE BPS QUERY STRING EXPLOITS code is overwritten with the WordPress standard default .htaccess code. You will either need to use Backup and Restore to restore your backed up .htaccess files or activate BulletProof Mode again for your Root Folder. To check your wp-admin .htaccess file click on the Your Current wp-admin htaccess File menu tab.
Testing or Removing / Uninstalling BPS If you are testing BPS to determine if there is a plugin conflict or other conflict then Activate Default Mode and select the Delete wp-admin htaccess File radio button and click the Activate button or you can now just go to the WordPress Permalinks page and update / resave your permalinks. This overwrites all BPS security code with the standard default WP .htaccess code. This puts your site in a standard WordPress state with a default or generic Root .htaccess file and no .htaccess file in your wp-admin folder if you selected Delete wp-admin htaccess file. After testing or troubleshooting is completed reactivate BulletProof Modes for both the Root and wp-admin folders. If you are removing / uninstalling BPS then follow the same steps and then select Deactivate from the WordPress Plugins page and then click Delete to uninstall the BPS plugin.
|
|
Activate Website wp-admin Folder .htaccess Security Mode
|
Installing the BulletProof Security plugin does not activate any security modes. If you activate BulletProof Mode for your wp-admin folder you must also activate BulletProof Mode for your Root folder. Activating BulletProof Mode copies, renames and moves the master .htaccess file wpadmin-secure.htaccess from /plugins/bulletproof-security/admin/htaccess/ to your /wp-admin folder. If you customize or modify the master .htaccess files then be sure to make an online backup and also download backups of these master .htaccess files to your computer using the BPS File Downloader.
For more information click this Read Me button link to view the BulletProof Security Guide.
Testing or Removing / Uninstalling BPS If you are testing BPS to determine if there is a plugin conflict or other conflict then Activate Default Mode and select the Delete wp-admin htaccess File radio button and click the Activate button. This puts your site in a standard WordPress state with a default or generic Root .htaccess file and no .htaccess file in your wp-admin folder. After testing or troubleshooting is completed reactivate BulletProof Modes for both the Root and wp-admin folders. If you are removing / uninstalling BPS then follow the same steps and then select Deactivate from the WordPress Plugins page and then click Delete to uninstall the BPS plugin.
|
|
Activate Deny All htaccess Folder Protection For The BPS Master htaccess Folder
|
Your BPS Master htaccess folder should already be automatically protected by BPS Pro, but if it is not then activate BulletProof Mode for your BPS Master htaccess folder
Activating BulletProof Mode for Deny All htaccess Folder Protection copies the deny-all.htaccess file located in the /plugins/bulletproof-security/admin/htaccess/ folder and renames it to just .htaccess. The Deny All htaccess file blocks everyone, except for you, from accessing and viewing the BPS Master htaccess files.
|
|
Activate Deny All htaccess Folder Protection For The BPS Backup Folder
|
Your BPS Backup Folder is NOT already automatically protected by BPS Pro and requires that you activate BulletProof Mode to htaccess protect it
Activating BulletProof Mode for Deny All BPS Backup Folder Protection copies and renames the deny-all.htaccess file located in the /bulletproof-security/admin/htaccess/ folder to the BPS Backup folder /wp-content/bps-backup and renames it to just .htaccess. The Deny All htaccess file blocks everyone, except for you, from accessing and viewing your backed up htaccess files.
|
|
BulletProof Security Status Page
|
Activated BulletProof Security .htaccess Files
|
Additional Info – Activated BulletProof Security Status window: If you have an active BulletProof .htaccess file (or an existing .htaccess file), the Text Strings listed in the Activated BulletProof Security Status window are read directly from the contents of that file. This is not just a displayed message – it is the actual first 46 characters of text in your .htaccess files. The BPSQSE BPS QUERY STRING EXPLOITS code check is done by searching the root .htaccess file to verify that the string BPSQSE is in the file.
To change the Text String that you see displayed here, use the BPS built-in Text Editor to change the actual text content of the BulletProof Security master .htaccess files. If you change the BULLETPROOF SECURITY title shown here then you must also change the coding contained in the /wp-content/plugins/bulletproof-security/includes/functions.php file to match your changes or you will get some error messages. The rest of the text content in the .htaccess files can be modified just like a normal post. Only the top line of text in the .htaccess files contains version information that BPS checks to do verifications and other file checking. For detailed instructions on modifying what text is displayed here click this Read Me button link.
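The status checks this help text describes (the first 46 characters of each file, the BPSQSE search, the two required .htaccess files and the two Deny All folders) can be re-run from outside the Dashboard, for example after a permalink re-save. The script below is an added example, not BPS code: the function names, the sample header text and the accepted Deny All directives are assumptions, and the sample tree is constructed.

```python
"""Added example (not BPS code): re-creates the status checks described above."""
import re
import tempfile
from pathlib import Path

MARKER = "BPSQSE"     # string the page says is searched for in the root .htaccess
HEADER_CHARS = 46     # leading characters shown in the status window
# Folders that should hold a Deny All .htaccess once BulletProof Mode is active.
DENY_ALL_DIRS = (
    "wp-content/bps-backup",
    "wp-content/plugins/bulletproof-security/admin/htaccess",
)
# Assumption: the page does not show the Deny All file, so accept either the
# Apache 2.2 or the Apache 2.4 spelling of "deny everyone".
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)
# Shortened form of the standard WordPress block that a permalink re-save writes.
WP_DEFAULT = ("# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\n"
              "RewriteBase /\nRewriteRule . /index.php [L]\n</IfModule>\n"
              "# END WordPress\n")


def _read(path):
    """Return the file's text, or None when there is no such file."""
    return path.read_text(errors="replace") if path.is_file() else None


def header(site_root, rel=".htaccess"):
    """First 46 characters of an .htaccess file, as the status window shows them."""
    text = _read(Path(site_root) / rel)
    return None if text is None else text[:HEADER_CHARS]


def audit(site_root):
    """Return a list of findings; an empty list means every check passed."""
    site, findings = Path(site_root), []
    root = _read(site / ".htaccess")
    if root is None:
        findings.append("root: no .htaccess file")
    elif MARKER not in root:
        why = ("file looks like the WordPress default, permalinks were probably re-saved"
               if "# BEGIN WordPress" in root else "unrecognised .htaccess content")
        findings.append(f"root: {MARKER} missing, {why}")
    # Root and wp-admin protection must both be active.
    if _read(site / "wp-admin" / ".htaccess") is None:
        findings.append("wp-admin: no .htaccess file")
    for rel in DENY_ALL_DIRS:
        text = _read(site / rel / ".htaccess")
        if text is None:
            findings.append(f"{rel}: no Deny All .htaccess file")
        elif not DENY_RE.search(text):
            findings.append(f"{rel}: .htaccess does not deny all")
    return findings


def build_sample(site_root):
    """Write a constructed site tree with every protection in place."""
    site = Path(site_root)
    # Constructed stand-ins: the real BPS header and rules are not reproduced here.
    secure = ("# SAMPLE SECURE .HTACCESS 0.0 (constructed header line)\n"
              "# BPSQSE BPS QUERY STRING EXPLOITS\n" + WP_DEFAULT)
    files = {".htaccess": secure,
             "wp-admin/.htaccess": "# SAMPLE WP-ADMIN .HTACCESS 0.0\n"}
    files.update({f"{rel}/.htaccess": "Require all denied\n" for rel in DENY_ALL_DIRS})
    for rel, text in files.items():
        target = site / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(repr(header(tmp)), audit(tmp))
        Path(tmp, ".htaccess").write_text(WP_DEFAULT)  # what a permalink re-save leaves
        print(audit(tmp))
```

Run `audit()` against the real site root from a scheduled job to notice when the root file has silently reverted to the WordPress default.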
|
|
File and Folder Permissions – CGI or DSO
|
CGI And DSO File And Folder Permission Recommendations: If your Server API (SAPI) is CGI you will see a table displayed with recommendations for file and folder permissions for CGI. If your SAPI is DSO / Apache mod_php you will see a table listing file and folder permission recommendations for DSO. If your Host is using CGI, but does not allow you to set your folder permissions to the more restrictive 705 and your file permissions to the more restrictive 604, then most likely when you change your folder and file permissions they will automatically be changed back to 755 and 644 by your Host. CGI 705 folder permissions have been thoroughly tested with WordPress and no problems have been discovered with WP or with WP Plugins. Changing your folder permissions to 705 helps in protecting against Mass Host Code Injections. CGI 604 file permissions have been thoroughly tested with WordPress and no problems have been discovered with WP or with WP Plugins. Changing your file permissions to 604 helps in protecting your files from Mass Host Code Injections. CGI Mission Critical files should be set to 400 and 404 respectively.
If you have BPS Pro installed then use F-Lock to Lock or Unlock your Mission Critical files. BPS Pro S-Monitor will automatically display warning messages if your files are unlocked.
The wp-content/bps-backup/ folder permission recommendation is 755 for CGI or DSO for compatibility reasons. The /bps-backup folder has a deny all .htaccess file in it so that it cannot be accessed by anyone other than you so the folder permissions for this folder are irrelevant.
Your current file and folder permissions are shown below with suggested file and folder permission settings that you should use for the best website security and functionality.
I recommend using FileZilla to change your file and folder permissions. FileZilla is a free FTP software that makes changing your file and folder permissions very simple and easy as well as many other very nice FTP features. With FileZilla you can right mouse click on your files or folders and set the permissions with a Numeric value like 755, 644, etc. Takes the confusion out of which attributes to check or uncheck.
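To find every file and folder that is looser than the CGI recommendations above (705 for folders, 604 for files, 404 for a locked root .htaccess, with /wp-content/bps-backup left at 755), the tree can be walked and each mode compared bit by bit. This is an added example, not BPS code: the function names are hypothetical, "too permissive" is taken to mean any permission bit set beyond the recommended mode, and the sample tree is constructed.

```python
"""Added example (not BPS code): audit a site tree against the CGI ceilings."""
import os
import stat
import tempfile
from pathlib import Path

CGI_DIR_MAX = 0o705       # folder recommendation for CGI
CGI_FILE_MAX = 0o604      # file recommendation for CGI
LOCKED_HTACCESS = 0o404   # root .htaccess once it has been locked
# The page recommends 755 here for compatibility and relies on the Deny All file.
EXEMPT_DIRS = {"wp-content/bps-backup"}


def too_permissive(mode, ceiling):
    """True when mode grants any permission bit the ceiling does not (assumed test)."""
    return bool(mode & ~ceiling & 0o777)


def audit_permissions(site_root):
    """Return sorted (relative path, current mode, recommended mode) tuples."""
    site = Path(site_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(site):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue                      # a link's own mode is not meaningful
            rel = path.relative_to(site).as_posix()
            mode = stat.S_IMODE(path.lstat().st_mode)
            if path.is_dir():
                if rel in EXEMPT_DIRS:
                    continue
                ceiling = CGI_DIR_MAX
            elif rel == ".htaccess":
                ceiling = LOCKED_HTACCESS     # only the root file is locked this way
            else:
                ceiling = CGI_FILE_MAX
            if too_permissive(mode, ceiling):
                findings.append((rel, format(mode, "03o"), format(ceiling, "03o")))
    return sorted(findings)


def build_sample_tree(site_root):
    """Constructed tree: three entries break the recommendations, the rest comply."""
    site = Path(site_root)
    layout = {                                    # relative path -> (is_dir, mode)
        "wp-admin": (True, 0o755),                # host default, looser than 705
        "wp-content": (True, 0o705),
        "wp-content/bps-backup": (True, 0o755),   # exempt folder
        "wp-content/bps-backup/root.htaccess": (False, 0o604),
        "index.php": (False, 0o604),
        "wp-config.php": (False, 0o644),          # host default, looser than 604
        ".htaccess": (False, 0o644),              # left unlocked after editing
    }
    for rel, (is_dir, mode) in layout.items():
        path = site / rel
        if is_dir:
            path.mkdir(parents=True, exist_ok=True)
        else:
            path.write_text("# constructed sample file\n")
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, current, wanted in audit_permissions(tmp):
            print(f"{rel}: {current} should be {wanted} or stricter")
```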
|
|
General BulletProof Security File Checks
|
This is a quick visual check to verify that you have active .htaccess files in your root and /wp-admin folders and that all the required BPS files are in your BulletProof Security plugin folder. The BulletProof Security .htaccess master files (default.htaccess, secure.htaccess, wpadmin-secure.htaccess, maintenance.htaccess and bp-maintenance.php) are located in this folder /wp-content/plugins/bulletproof-security/admin/htaccess/
For new installations and upgrades of BulletProof Security you will see red warning messages. This is completely normal. These warnings are there to remind you to perform backups if they have not been performed yet. Also you may see warning messages if files do not exist yet.
You can also download backups of any existing .htaccess files using the BPS File Downloader.
|
|
System Info ~ BPS System Information Page
|
No hover tooltips / help file required. Displays: Website / Server / IP Info, PHP Server / PHP.ini Info, SQL Database / Permalink Structure / WP Installation Folder and BPS Pro Security Modules Info.
|
|
BulletProof Security Backup & Restore Page
|
Backup Your Currently Active .htaccess Files
|
Back up your existing .htaccess files first before activating any BulletProof Security Modes in case of a problem when you first install and activate any BulletProof Security Modes. Once you have backed up your original existing .htaccess files you will see the status listed in the Current Backed Up .htaccess Files Status window below.
Backup files are stored in this folder /wp-content/bps-backup.
In cases where you install a plugin that writes to your htaccess files you will want to perform another backup of your htaccess files. Each time you perform a backup you are overwriting older backed up htaccess files. Backed up files are stored in the /wp-content/bps-backup folder.
You could also use the BPS File Downloader to download any existing .htaccess files, customized .htaccess files or other BPS files that you have personally customized or modified just for an additional local backup.
The BPS Master .htaccess files are stored in your /plugins/bulletproof-security/admin/htaccess folder and can also be backed up to the /wp-content/bps-backup/master-backups folder. Backed up files are stored online so they will be available to you after upgrading to a newer version of BPS if you run into a problem. There is no Restore feature for the BPS Master files because you should be using the latest versions of the BPS master .htaccess files after you upgrade BPS. You can manually download the files from this folder /wp-content/bps-backup/master-backups using FTP or your web host file downloader.
When you upgrade BPS your current root and wp-admin htaccess files are not affected. BPS master htaccess files are replaced when you upgrade BPS so if you have made changes to your BPS master files that you want to keep make sure they are backed up first before upgrading. You can also download copies of the BPS master files to your computer using the BPS File Downloader if you want. When you backup your BPS files it is an online backup so the files will be available to you to restore from if you run into any problems at any point. You should always be using the newest BPS master htaccess files for the latest security protection updates and plugin conflict fixes. Before activating new BPS master files you can use the BPS File Editor to copy and paste any existing htaccess code that you want to keep from your current active htaccess files to the new BPS master htaccess files and save your changes before activating the new BPS htaccess files. Or you can copy any new htaccess code from the new BPS master files to your existing currently active htaccess files. If you do this be sure to edit the BPS version number in your currently active htaccess files or you will get error messages.
If something goes wrong in the .htaccess file editing process or at any point you can restore your good .htaccess files with one click as long as you already backed them up.
|
|
Restore Your .htaccess Files From Backup
|
Restores the .htaccess files that you backed up. Your backed up .htaccess files were renamed to root.htaccess and wpadmin.htaccess and copied to the /wp-content/bps-backup folder. Restoring your backed up .htaccess files will rename them back to .htaccess and copy them back to your root and /wp-admin folders respectively.
If you did not have any original .htaccess files to begin with and / or you did not back up any files then you will not have any backed up .htaccess files.
|
|
Backup Your BPS Master .htaccess Files
|
The BPS Master .htaccess files are stored in your /plugins/bulletproof-security/admin/htaccess folder and can also be backed up using this Master Backup feature. The backed up BPS Master .htaccess files are copied to the /wp-content/bps-backup/master-backups folder. This way they will be available to you online after upgrading to a newer version of BPS. There is no Restore feature for the BPS Master files because you should be using the latest versions of the BPS master .htaccess files after you upgrade BPS. You can manually download the files from the /wp-content/bps-backup/master-backups folder using FTP or your web host file downloader.
|
|
Current Backed Up .htaccess Files Status
|
General file checks to check which files have been backed up or not.
|
|
BulletProof Security File Editing, Uploading and Downloading Page
|
BulletProof Security File Editing
|
Lock / Unlock .htaccess Files: If your Server API is using CGI then you will see Lock and Unlock buttons to lock your Root .htaccess file with 404 Permissions and unlock your root .htaccess file with 644 Permissions. If your Server API is using CLI – DSO / Apache / mod_php then you will not see lock and unlock buttons. 644 Permissions are required to write to / edit the root .htaccess file. Once you are done editing your root .htaccess file use the lock button to lock it with 404 Permissions. 644 Permissions are considered secure for DSO because of the different way that file security is handled with DSO.
A help link is provided in the Help & FAQ page File Editing Within The Dashboard Help Info. File Editing is also demonstrated and explained in the B-Core htaccess Video Tutorial.
|
|
Uploading and Downloading Read Me Hover Tooltip
|
File Uploading The file upload location is preset to the /wp-content/plugins/bulletproof-security/admin/htaccess folder and the intended use is just for uploading the BPS Master files: secure.htaccess, default.htaccess, wpadmin-secure.htaccess, maintenance.htaccess, bp-maintenance.php, bps-maintenance-values.php, http_error_log.txt (BPS Pro only) or other files from your computer to the BPS Master htaccess folder.
File Downloading File Downloading is automatically not allowed. Folder permissions must be set to a minimum of 705 for the /htaccess and /bps-backup folders in order to open and download files. Click the Enable Master File Downloading button to enable file downloading. This will write your current IP address to the deny all htaccess file and allow ONLY you access to the /plugins/bulletproof-security/admin/htaccess folder to open and download files. To open and download your Backed up files click the Enable Backed Up File Downloading button. After clicking the Enable File Downloading buttons you can click the download buttons below to open or download files. If your IP address changes which it will do frequently then click the Enable File Downloading buttons again to write a new IP address to the deny all htaccess files.
|
|
BulletProof Security Maintenance Mode Page
|
Website Maintenance Mode Settings
|
Your Maintenance Mode Form data is saved to the WordPress Database and will remain permanently until you delete it. When you upgrade BPS your form data will still be saved in your database.
Maintenance Mode Activation Steps
Filling In The Maintenance Mode Settings Form
1. Fill out the Website Maintenance Mode Form
— There are 4 important text fields that must be entered in the exact format shown in the example AIT-pro descriptions to the right of the text form fields in order for the countdown timer to display correctly. They are: Start Date, Start Time, End Date and End Time. Military time must be used, spaces must be used and commas must be used – the format should be identical to the example description. All other text fields do not require following a specific format.
— For the Retry-After text field I recommend using 259200. 259200 is 72 hours in seconds. 3600 = 1hr, 43200 = 12hrs, 86400 = 24hrs.
— You can copy and paste the example Background Image URL into the Background Image text field if you want to use the background image file that comes with BPS. If you have another background image file that you want to use then just name it with the same name as the example image file and copy it to the /bulletproof-security folder. If you do not want a background image then leave this text field blank. The background color will be white. If you want to customize the Website Under Maintenance template then download this file located in this folder /bulletproof-security/admin/htaccess/bp-maintenance.php.
2. Click the Save Form Settings button to save your form data to your database.
3. Click the Create Form button to create your Website Under Maintenance form.
4. Click the Preview Form button to preview your Website Under Maintenance page.
— If you see a 404 or 403 Forbidden message in the popup preview window refresh the popup preview window or just close the popup window and click the Preview button again.
— You can use the Preview button at any time to preview how your site will be displayed to everyone else except you when your website is in Maintenance Mode.
Create Your Maintenance Mode .htaccess File After you have finished previewing your Website Under Maintenance page, click the Create htaccess File button. This creates your Maintenance Mode .htaccess file for your website. Your current Public IP address and correct RewriteBase and RewriteRule are included when this new Maintenance Mode .htaccess file is created.
Activate Website Under Maintenance Mode Select the Maintenance Mode radio button and click the Activate Maintenance Mode button. Your website is now in Maintenance Mode. Everyone else will see your Website Under Maintenance page while you can still view and work on your site as you normally would.
|
|
Activate Website Under Maintenance Mode
|
You must click the Create htaccess File button FIRST to create your Maintenance Mode htaccess file before activating Maintenance Mode if you want to be able to continue working on your website while everyone else sees the Website Under Maintenance page. After you have created your Maintenance Mode .htaccess file, select the Maintenance Mode radio button and click Activate.
To switch out of or exit Maintenance Mode just activate BulletProof Security Mode for your Root folder on the Security Modes page. You can see what everyone is seeing except for you by clicking on the Preview Form button at any time.
When you activate Maintenance Mode your website will be put in HTTP 503 Service Temporarily Unavailable status and display a Website Under Maintenance page to everyone except you. Your current Public IP address was automatically added to the Maintenance Mode file as well as the correct .htaccess RewriteRule and RewriteBase for your website when you clicked the Create File button.
To manually add additional IP addresses that are allowed to view your website normally use the BPS File Editor to add them. To view your current Public IP address click on the System Info tab menu.
Your current Public IP address is also displayed on the Website Under Maintenance page itself.
Your SERPs (website or web page ranking) will not be affected by putting your website in Maintenance Mode for several days for existing websites. To manually add additional IP addresses that can view your website you would add them using the BPS File Editor.
If you are unable to log back into your WordPress Dashboard and are also seeing the Website Under Maintenance page then you will need to FTP to your website and either delete the .htaccess file in your website root folder or download the .htaccess file – add your correct current Public IP address and upload it back to your website.
|
|
My Notes Page
|
No hover tooltips or help files required. Editor to save any personal notes or htaccess code about BPS to your WordPress Database.
|
|
P-Security ~ php.ini Security & Performance
|
PHP.ini Options Page
|
Adding A Custom php.ini File Increases Website Security and Improves Website Performance
|
BPS PHP.ini Overview
|
Adding new php.ini files or changes made in your existing php.ini files may not show up in your PHP server configuration file for up to 15 minutes. Usually new changes or modifications to your php.ini file will be displayed in phpinfo within 5 minutes.
BPS Pro php.ini Options Overview – php.ini Master Files: The BPS Pro php.ini Master files have already been pre-made for you. There are 100s of web hosts available to choose from so in order to make the task of pre-making php.ini files reasonable, we chose the top 10 most commonly used web hosts and created custom php.ini files for each of those hosts. The 10 hosts listed in the Php.ini File Creator dropdown list provide web hosting for the majority of websites worldwide. We have also provided a standard php.ini file that is almost identical to the php.ini host Master files and just as secure, but may require some additional minimal editing by you to customize the php.ini file for your specific host. php.ini files are standardized so only very minor differences will exist between different web hosts.
Php.ini Option Settings Are Officially Called php.ini Directives Some hosts do not allow certain php.ini directives, while other hosts do. Your specific web host help and FAQ pages should tell you what is allowed, what is not allowed and what is required in regards to php.ini files for your specific host. If your host does not provide the additional information that you are trying to find out about then we will be glad to assist you. Typically what happens if your host does not allow a certain php.ini option setting, which are called php.ini directives, in your custom php.ini file then the directive is just ignored. This means that you will not experience a problem with your website, but this also means that you will not get the benefit of that particular php.ini directive setting. A typo on the other hand in your custom php.ini file will generate a 500 Internal Server Error and your website will not be viewable. Be very careful when editing your custom php.ini files not to make any typos or add invalid text. If you do see a 500 Internal Server Error then you will either need to FTP to your website or login to your web host Control Panel to manually correct the php.ini file or just delete the php.ini file and create a new one with the Php.ini File Creator.
Whats going on here? – Php.ini Overview You can search for existing php.ini files using the Php.ini File Finder. Use the Php.ini File Creator to create new custom php.ini files for your website from the pre-made php.ini Master files. Add and save the folder path to your custom php.ini files to the Php.ini File Manager. Adding and saving the folder path to your php.ini files will enable you to edit the php.ini files using the PHP.ini File Editor. Add and save your own Label or Description for each php.ini folder path that you add. Your Label will be displayed in the Select php.ini file to edit: dropdown list for the PHP.ini File Editor. The BPS php.ini File Editor enables you to make any additional changes or modifications that you would like without having to use FTP or your web host Control Panel.
BPS Pro Video Tutorial links can be found in the Help & FAQ pages.
|
|
Php.ini File Finder
|
Find Existing php.ini Files: If you already have existing php.ini files that you would like to search for and add to the Php.ini File Manager list below then click the Find php.ini Files button. The php.ini file finder will search for all files in your website domain with a .ini file extension. This means that files other than just php.ini files may also be listed in the returned search results. The BPS host Master php.ini files will also be returned in your search. These master files are master templates that your custom php.ini file is created from so there is no need to add or edit them, but if you would like to edit a BPS master php.ini file then add it to the Php.ini File Manager list. The search could take as little as 5 seconds or as long as several minutes depending on the number of files to search in your website domain. Copy and paste the php.ini folder path to the PHP.ini File Manager list and save the folder path to your php.ini file so that you can edit the php.ini file using the PHP.ini Editor. Add and save your own Label or Description for each php.ini folder path that you add. Your Label will be displayed in the Select php.ini file to edit: dropdown list for the PHP.ini File Editor.
|
|
Php.ini File Creator
|
Adding new php.ini files or changes made in your existing php.ini files may not show up in your PHP server configuration file for up to 15 minutes. Usually new changes or modifications to your php.ini file will be displayed in phpinfo within 5 minutes.
Quick Setup By Web Host Name A single custom php.ini file created in your Document root folder is the best choice to use and for most Web Hosts this is required. Some Web Hosts have additional setting requirements or require that additional .htaccess code is added to your root .htaccess file. The examples below show an example folder path and file name that should be used for each Web Host. Be sure to remember to add the php.ini file name to the end of your folder path.
If your Web Host is:
GoDaddy: /home/content/xx/xxxxxxx/html/php5.ini – Uncomment the custom php.ini 5.2.x php handler included in your BPS Pro root .htaccess file
Network Solutions: /data/21/2/75/152/xxxxxxx/user/xxxxxxx/cgi-bin/php.ini
HostGator: /home/xxxxxx/public_html/php.ini – Uncomment the custom php.ini IfModule mod_suphp.c .htaccess code included in your BPS root .htaccess file.
BlueHost, HostMonster or FastDomain: /home1/xxxxxxx/public_html/php.ini – Also requires cPanel PHP Config setting and uncommenting the Custom php.ini handler included in your BPS root .htaccess file.
Media Temple: /nfs/xxx/mnt/xxxx/etc/php.ini
1and1: /kunden/homepages/xxxxxxxx/htdocs/php.ini
DreamHost: /.php/5.3/phprc – Note: requires advanced setup
Netfirms: /mnt/web_b/d07/xxx/xxxxxxx/www/php.ini – Note: Netfirms may already have a default php.ini file in the root folder. Back it up first.
Editing a BPS Pro Master Host php.ini First Before Creating Your Custom php.ini file You can use the File Manager first if you want to add the path to a BPS Master Host php.ini file so that you can view and edit the BPS Master php.ini file with the PHP.ini File Editor first before using the Php.ini File Creator to create your custom php.ini file. See the File Manager Read Me hover tooltip for more information.
Creating new custom php.ini Files: Use the Php.ini File Creator to create your custom php.ini file from the BPS Master php.ini files. Choose your Host from the dropdown Host select list or choose the Standard php.ini file and then add the folder path where you want your new php.ini file created and saved to. Before clicking the Create php.ini File button copy the folder path you just added and then go ahead and click the Create php.ini File button. Now go to the Php.ini File Manager and paste the php.ini folder path you just copied into any available text box in the Php.ini File Manager, type in a Label or Description for this php.ini file's folder path in the Add Your Label / Description text box and click the Save Changes button to save your new php.ini folder path and Label. Your personal Label or Description will be displayed in the Select php.ini file to edit: dropdown list for the PHP.ini File Editor. You can change your labels at any time. The labels are just labels. Example: Label 1 will open whatever php.ini file is shown in the text box to the right of Label 1, etc.
Choosing Your Host If your host is listed in the Choose your Host… dropdown select list then you can find out more information about what your specific host allows, disallows or requires regarding using custom php.ini files by clicking on the Help and FAQ tab. If your host is not listed in the dropdown list then choose the Standard php.ini file Master template to create your new custom php.ini file from.
Choosing And Adding Your Folder Path – Document root or Website root Use the Document root folder path for the folder location where your new custom php.ini file will be created. Most hosts require that you use only a single custom php.ini in your Document root folder for your entire hosting account while very few hosts require that you use multiple custom php.ini files, one php.ini file for each specific folder or website folder under your hosting account. By creating your new custom php.ini file in your Document root folder you will be protecting all of your websites under your entire hosting account. Your website Document root folder may be named /public_html, /html, /htdocs or another name. A Document root folder or website Document root folder is also called a website domain root folder. If your WordPress installation is in your Document root folder then your website root folder and Document root folder paths will be either the same or very similar.
All hosts require that your custom php.ini file is named php.ini except for GoDaddy, which requires that your custom php.ini file is named php5.ini. All lowercase letters must be used when naming php.ini or php5.ini files.
BPS Pro allows you to open and view your default web host master php.ini configuration file. If your host is not listed in the dropdown list then this allows you to view or copy the host master php.ini file to your own custom php.ini file that you created using the Standard php.ini master file. What works best is to copy your host master php.ini file to your computer, change all the directive settings in that file to the BPS Pro security directive settings from the Standard php.ini file, and then copy and paste the new combined file into your custom php.ini file. Please watch the P-Security Video Tutorial for step by step instructions on how to create a custom php.ini file for your website.
|
|
Additional Log Files That You Can Add To The File Manager
|
Adding Log Files To The File Manager: Copy the path to a log file to any available empty slot in the File Manager, add your label and click Save Changes. You can now view the log files using the Php.ini File Editor.
HTTP Error Log Add this log file path to any available empty slot in the File Manager and use the Php.ini File Editor to open and view your HTTP Error Log. The HTTP Error Log file contains 400, 403 and 404 (404 error logging requires an additional set up step) errors that occur on your website. Typically 403 errors occur when hackers are running hacking scripts against your website in an attempt to hack it.
String Replacer / Remover Log Add this log file path to your File Manager to view string replacements or removals performed when using the Pro-Tools String Replacer / Remover in Write Mode.
|
Php.ini File Manager – All Purpose File Manager
|
All Purpose File Manager: You can open, edit and delete any type of file located anywhere under your hosting account. You can also open and view Server protected files that would normally require using SSH to open and view them. For example, this allows you to open and view your web host's Master php.ini file, log files, additional .htaccess files, php files, .htpasswd files and any other types of files. If the file is editable you can edit it using the Php.ini File Editor.
The Php.ini File Manager – All Purpose File Manager Explained The php.ini File Manager allows you to save the folder path to your existing or newly created custom php.ini files so that you can edit your custom php.ini files using the PHP.ini File Editor. The folder path to your php.ini files and your Label or Description is saved to your WordPress Database so that your saved information is saved permanently until you delete it. Your saved information will also remain saved to the database when upgrading BPS Pro. Your personal label or description will be displayed in the Select php.ini file to edit: dropdown list for the PHP.ini File Editor.
The Php.ini File Manager – All Purpose File Manager Explained Continued The php.ini File Manager also allows you to add the path to a BPS Master php.ini file so that you can view and edit the Master php.ini file first before using the Php.ini File Creator to create your custom php.ini file. Example path to the GoDaddy Master php.ini file: /home/content/xx/xxxxxx/html/wp-content/plugins/bulletproof-security/admin/php/godaddy-phpini5.ini. All the host php.ini Master files are located in this folder /wp-content/plugins/bulletproof-security/admin/php/. Use the phpinfo viewer to get your web hosts master php.ini file path. You can add this path to any available empty slot in the File Manager and open it with the File Editor to view your host’s master php.ini file to get your correct specific Zend directives or any other specific directives for your web host / website. Watch the P-Security Video Tutorial for a step by step example.
Web Hosts That Allow Only One php.ini File Per Website Hosting Account If your web host requires or only allows you to use 1 php.ini file for your entire website hosting account then you will only need to use one text box to save your php.ini file folder path.
Reminder: GoDaddy requires that your php.ini file is named php5.ini NOT php.ini.
Web Hosts That Allow or Require Multiple php.ini Files Per Website Hosting Account: Some hosts require that you use only a single php.ini in your website domain root folder for your entire hosting account, while other hosts require that you use multiple php.ini files, one php.ini file for each specific folder or website folder under your website domain and hosting account where you want to control your PHP configuration. If your host requires or allows you to create multiple php.ini files then you can add up to 10 php.ini files to manage using the Php.ini File Manager. More slots will be added in the next version release of BPS Pro.
XAMPP or MAMPP Info If you are using XAMPP or MAMPP you will need to manually enter double backslashes in your file paths in order for the file path to be seen correctly. Example: Double backslashes after C:, double backslashes after xampp and double backslashes after htdocs.
The Php.ini File Manager and the PHP.ini File Editor allow you to add or edit php.ini files in any folder under your entire website domain and hosting account. This means that if your host requires that you use multiple php.ini files then you can add, edit or manage all of those php.ini files from any WordPress website that has BPS Pro installed for your entire website domain and hosting account. If your host requires that you only use one php.ini file then you will only have one php.ini file in the root of your website domain that will control your PHP configuration for all of your websites hosted under one website hosting account.
|
|
PHP.ini Editor – All Purpose File Editor
|
Editing Php.ini Files
|
The All Purpose File Editor will allow you to open and edit any type of file under your entire hosting account and this includes Master configuration files for your host. Please see the P-Security Video Tutorial for a step by step example of how to do this.
Editing Php.ini Files: Use the Select php.ini file to edit: dropdown list to select the php.ini file that you want to edit. If the dropdown list does not show any php.ini files to edit then you have not added any php.ini files to manage with the Php.ini File Manager yet. Go to the PHP.ini Options page and add the folder path to your php.ini file and your personal Label or Description in the Php.ini File Manager text boxes for each php.ini file that you want to add for editing. Your Label / Description will now be shown in the Select php.ini file to edit: dropdown list. If you need to add or create php.ini files first then see the Read Me hover tool tips next to each section on the PHP.ini Options page for whatever task you want to perform – Adding, Finding and Creating php.ini files.
Php.ini File Editing Overview Be very careful not to make any typos when editing your php.ini files. Typos in your php.ini file will cause 500 Internal Server Errors and your site will not load. If you see a 500 Internal Server Error you will either need to FTP to your website or use your web host Control Panel and edit or delete the php.ini file that has the mistake in it. The BPS master php.ini files have been pre-made and pre-tested to ensure that there are no mistakes or typos in them. If your host does not allow a particular php.ini directive to be changed or set to a setting that they do not allow then the directive will be ignored and not cause any problems with your website.
Testing Your php.ini File – disable_functions Test This test will not work by default for the 1and1, DreamHost and MediaTemple Master php.ini files due to additional php.ini modifications required first before using this test. In order for this php.ini test to work correctly you must have either already created a php.ini file for this website or you have an existing php.ini file with the show_source function listed as one of the functions to disable in the disable_functions php.ini directive in your php.ini file. If your host allows or requires that you have custom php.ini files created for each of your websites or specific folders then you must have a php.ini file added for this specific website in order for the php.ini disable_functions test to work correctly and display a php error in your php error log. When you click the Test php.ini File button a popup window will tell you whether or not the php.ini disable_functions test was successful or unsuccessful and the main window will redirect to your PHP Error Log page.
|
|
PHP Error Log Page
|
Htaccess Protected Secure PHP Error Log
|
BPS Pro Htaccess Protected Secure PHP Error Log
Setting Up Your PHP Error Log to Display PHP Errors When you first view the BPS PHP Error Log page you will see a PHP Error Log File Not Found! error message displayed in the PHP Error Log window. Copy the Default BPS Error Log Location: folder path to the PHP Error Log Location Set To: text box window and click the Set Error Log Location button. You should now see a blank PHP error log displayed with BPS Pro htaccess Protected Secure PHP Error Log at the top of the php error log file. A File Open and Write Test successful message should also be displayed above your PHP error log window. If you have not already set up the path to your error log in your custom php.ini file then this is the step that you need to do next. If you have several websites under your hosting account then you will want to use one central location for your PHP Error log. For all of your websites under one hosting account you would want to add the same folder path to the one PHP Error Log for all of your websites. Most hosts do not allow multiple PHP Error logs to be used.
Adding your PHP Error Log Path to Your Custom php.ini File Copy the PHP Error Log Location Set To: folder path that you just added to set the location of your php error log, click the Php.ini File Editor menu tab, open your custom php.ini file to edit it, paste the folder path for your PHP Error Log to the error_log = Directive in your custom php.ini file and click the Update File button to save your changes. See the example below. If you do not see any php.ini files listed in the Select php.ini file to edit: dropdown list then you will need to add your custom php.ini file path to the Php.ini File Manager first.
Example: Adding the error log folder path to your custom php.ini error_log Directive: error_log = /home/content/xx/xxxxxxxx/html/wp-content/plugins/bulletproof-security/admin/php/bps_php_error.log
Troubleshooting and Possible Problems: If you have done everything correctly then the Error Log Path Seen by Server: should display the same exact path that you see in the PHP Error Log Location Set To: window. BPS will display an error warning message if a valid path to your BPS PHP error log has not been added to your custom php.ini file by comparing the PHP Error Log Location Set To: path to the Error Log Path Seen by Server: path. If your custom php.ini file is not really being seen by your Web Host Server then you will see that the Error Log Path Seen by Server: path is either blank or is a completely different path than the path in the PHP Error Log Location Set To: window. The BPS custom php.ini Error message that is displayed if a problem is detected with your custom php.ini file provides a link to the AITpro php.ini help page. A php.ini help link is also provided on the P-Security Help and FAQ page – General php.ini Info and Host Specific php.ini Information.
Testing Your PHP Error Log To make sure your PHP Error Log is set up correctly click the Test Error Log button. You should see a 500 Server error in the pop up window, an Error Log Test Performed message and a PHP Parse error should be logged in your PHP error log if it is set up correctly. This test can also be used to test the BPS PHP Error Log Last Modified Time and S-Monitor new PHP Error Alerts.
Multiple Websites and / or Using Multiple PHP Error Logs If you have multiple websites under one hosting account with BPS Pro installed then you would typically want the PHP Error Log file path set up for just one central folder location in your php.ini file. If you have a host that allows or requires that multiple php.ini files be used then I recommend that you use just one central folder location for your PHP Error Log. Some hosts do allow you to set up multiple error log files, but this is probably unnecessary as your one error log file will display errors for all of your websites under your one hosting account with the full path to whichever file is generating a PHP error. In other words, the path displayed in the php error will clearly show you which site the php error is occurring on.
|
|
PHP Error Log Last Modified Time
|
PHP Error Log Last Modified Time Explained: The Error Log Last Modified Time in File: text window displays the actual current last modified time for your php error log file. The Error Log Last Modified Time in DB: label displays a database saved Timestamp of the last modified time for your php error log file. Clicking the Reset Last Modified Time in DB button saves a new Timestamp to your database. When the Error Log Last Modified Time in DB: Timestamp does not match the actual last modified time of your error log file the label is displayed in red font for easier quick visual identification. When the Error Log Last Modified Time in DB: Timestamp matches the actual last modified time of your error log file the label is displayed in green font.
Practical Usage Besides just having a quick visual check to see if any new errors are in your PHP error log you can set up the BPS S-Monitor to alert you when new PHP Errors occur. The Alerts can be displayed in BPS pages only or in your WordPress Dashboard or turned off. Example Scenario: You set up the BPS S-Monitor to display BPS alerts in your WordPress Dashboard when new PHP errors are logged to your PHP Error log. The BPS PHP Error Log Alert contains a link to the PHP Error Log page. When you are done checking your PHP Error log you would click the Reset Last Modified Time in DB button to save a new last modified file time to your WordPress Database. This will also remove the BPS PHP Error Log Alert from your WordPress Dashboard. When a new PHP error occurs and is logged to your PHP Error log file you will be alerted again.
Hacking Attempts, Hacker Recon and PHP Errors PHP errors are generated any time a php script fails to execute correctly or as expected. Hackers create and send automated bot programs out searching for code vulnerabilities primarily in forms since forms allow data input. This is referred to as Hacker Recon. If you see php errors in your log for a form script or form page on your site then most likely this is a hacker bot searching for a vulnerability or exploit in the form. A simple way to see if there is an actual problem with a form on your site is to submit a test form. If you do not see an error message then there is nothing wrong with your actual form and this means that the error was caused by a hacker bot looking for a vulnerability in your form. Something about the coding in that form is attracting the bots to it in the first place so it is a good idea to look at the php error and find out what the error message means so you can determine what about your form coding is attracting the hacker bot. A common search parameter in hacker bots would be to search for the php function mysql_pconnect in a form. If a form contains this dangerous php function it is an easy target for hackers to compromise because of the nature of this particular php function. It allows persistent connections to your MySQL database, which allows a hacker to make a brute force connection to your WordPress database. None of your plugins should be using this function. You can use the BPS String Finder to check all of your plugins for the mysql_pconnect function. If you find the function mysql_connect it is perfectly safe and does not allow persistent connections to your WP Database.
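Added example (not part of BPS Pro): the last-modified comparison and the review of one central error log described above, sketched in Python. It assumes the standard PHP error log line layout; the log lines, site folder paths and function names are constructed for illustration.

```python
import os
import re
from collections import Counter
from datetime import datetime

# One PHP error log entry: [date time (optional zone)] PHP Level:  message in FILE on line N
ENTRY = re.compile(
    r"^\[(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})(?: [^\]]+)?\] "
    r"PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*) in (?P<file>\S+) on line (?P<line>\d+)$"
)

# Constructed sample data: two sites under one hosting account, one central log.
SITE_ROOTS = ["/home/user/public_html/site1", "/home/user/public_html/site2"]
SAMPLE_LOG = """\
[10-Mar-2012 08:00:01] PHP Notice:  Undefined index: email in /home/user/public_html/site1/contact.php on line 14
[11-Mar-2012 09:12:44] PHP Warning:  Missing argument 1 for send_form() in /home/user/public_html/site1/contact.php on line 22
[11-Mar-2012 09:12:45] PHP Warning:  Missing argument 1 for send_form() in /home/user/public_html/site1/contact.php on line 22
[11-Mar-2012 09:12:47 UTC] PHP Warning:  Missing argument 1 for send_form() in /home/user/public_html/site1/contact.php on line 22
[11-Mar-2012 10:30:00] PHP Parse error:  syntax error, unexpected '}' in /home/user/public_html/site2/wp-content/themes/x/functions.php on line 3
"""


def changed_since_review(log_path, saved_mtime):
    """True when the log file's modified time differs from the saved timestamp."""
    return int(os.path.getmtime(log_path)) != int(saved_mtime)


def site_of(path, site_roots):
    """Map a file path from a log entry to the site folder it lives under."""
    matches = [r for r in site_roots if path.startswith(r.rstrip("/") + "/")]
    return max(matches, key=len) if matches else "(outside known sites)"


def new_errors(log_text, last_reviewed, site_roots):
    """Count entries newer than last_reviewed per (site, level, file).

    Timestamps are compared as written in the log; any zone name is ignored.
    Lines that are not single-line PHP error entries are skipped.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        if when > last_reviewed:
            counts[(site_of(m["file"], site_roots), m["level"], m["file"])] += 1
    return counts


def repeated(counts, threshold):
    """Files with at least `threshold` new errors: the scripts to review first."""
    per_file = Counter()
    for (_site, _level, path), n in counts.items():
        per_file[path] += n
    return sorted(p for p, n in per_file.items() if n >= threshold)


if __name__ == "__main__":
    reviewed = datetime(2012, 3, 10, 12, 0, 0)  # constructed "last reviewed" time
    found = new_errors(SAMPLE_LOG, reviewed, SITE_ROOTS)
    for (site, level, path), n in sorted(found.items()):
        print(f"{n:3d}  {level:12s} {site}  {path}")
    print("review first:", repeated(found, 3))
```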
|
|
PHP Info Viewer Page
|
View PHP Server Configuration Information Safely And Securely With htaccess Protected phpinfo()
|
Phpinfo Viewer
|
Your BPS Pro PHP folder is already htaccess self protected. The PHP Viewer cannot be accessed or viewed by anyone else except for you. When you click the View PHPINFO button below your current Public IP address will be written to the htaccess file that protects the BPS PHP Info viewer file. When you add, edit or make changes to your php.ini files you can check the results of those changes by clicking the View PHPINFO button. If you see a 403 or 404 error in the pop up window when clicking the View PHPINFO button then refresh the pop up window or just close it and click the View PHPINFO button again.
|
|
Phpinfo Multi Viewer
|
Some web hosts allow or may require that you add php.ini files to specific folders where you want the php.ini configuration settings to be applied for only those specific folders. The PHP Info Multi Viewer allows you to create and add phpinfo files for those specific folders to view the PHP configuration changes for only those specific folders. The phpinfo file that you create by clicking the Create Phpinfo File button is protected by adding your current IP address to the phpinfo file when it is created.
1. Click the Create Phpinfo File button to create your secure phpinfo file.
2. Add the folder path where you want the phpinfo file to be copied and saved to.
3. Add the URL path to your new phpinfo file and then click the Save Phpinfo File button.
4. Click the View PHPINFO Multi button to view your phpinfo information.
NOTE: Adding new php.ini files or changes made in your existing php.ini files may not show up in your PHP server configuration file for up to 15 minutes. Usually new changes or modifications to your php.ini file will be displayed in phpinfo within 5 minutes.
Another Example of How the Multi Viewer Could Be Used: This example refers specifically to GoDaddy hosting and to viewing the phpinfo file for specific website folders. GoDaddy allows you to add a php handler to your .htaccess files in the root of each website to designate what version of PHP to run the website's php files under. So in this example I have added this PHP5.3.x handler – AddHandler x-httpd-php5-3 .php – to the .htaccess file that is in the root folder for /website1. This particular handler says to run PHP5.3.x for this specific website in this specific website folder. Now let's say I have another website and the .htaccess file for that website is in the root folder for the /website2 folder. For that website's htaccess file I have added the PHP handler to run PHP5.2.x on that specific website – AddHandler x-httpd-php5 .php. Now if I create a phpinfo file for the /website1 folder and view the phpinfo file I will see this at the top of the phpinfo page – PHP Version 5.2.17, indicating that PHP5.2.x is being run on the PHP files in this specific website folder. If I create a phpinfo file for the /website2 folder and view the phpinfo file I will see this at the top of the phpinfo page – PHP Version 5.3.6, indicating that PHP5.3.x is being run on the PHP files in this specific website folder. The basic idea here is that if your host allows you to apply different PHP settings for different websites or website folders then you can create phpinfo files to view your PHP information for those specific website folders using the Multi Viewer. If you added the PHP5.3.x handler to your root website htaccess file in your hosting account and you do not have different PHP handlers in your child website htaccess files, then all of your sites below the parent site will have the PHP5.3.x handler applied and run on them.
In other words if you have several websites under one hosting account and you want all of them to be running PHP5.3.x then you only need to add the PHP handler to your root website .htaccess file. The Multi Viewer allows you to create and view individual phpinfo files anywhere under your entire hosting account.
IMPORTANT!!!: If you have Grid / Shared hosting on GoDaddy and force 5.3.x to run on your websites then the Zend Optimizer code in the pre-made GoDaddy master php.ini file will not work. The Zend Optimizer code in the php.ini master file only works for PHP 5.2.x. This example was purely for example sake. Do not force PHP 5.3.x to run on your websites if you have GoDaddy Grid / Shared hosting – use 5.2.17 until GoDaddy is fully ready to offer and support the Zend Optimizer for 5.3.x on Grid / Shared hosting.
|
|
Phpinfo Master File Creator
|
Click the Create Phpinfo File button to create your new secure phpinfo file. This creates a new Master phpinfo-IP.php file in the BPS /php folder with your current IP address written to the file. Phpinfo File: will display the path to the Master phpinfo-IP.php file if the file was written to successfully.
|
|
Phpinfo File Creator / Copier
|
Add the folder path where you want your new phpinfo file saved. Name your phpinfo file with a .php file extension. Example: myphpinfo.php. File saved to folder: will display the folder path you entered. File saved to URL: will display the URL path you entered.
The phpinfo file that you create is automatically deleted when you click the View PHPINFO Multi button. Your phpinfo file exists just long enough to output your PHP Server configuration information and is automatically deleted to avoid unnecessary file clutter.
|
|
Phpinfo Multi Viewer
|
Click the View PHPINFO Multi button to view PHP configuration information for the specific folder where you created and saved your custom phpinfo file to. If you see a blank popup window after clicking the View PHPINFO Multi button then you did not enter a valid URL and / or file name when you created your custom phpinfo file using the Phpinfo File Creator / Copier.
|
|
Php.ini Security Status
|
Displays The Primary Security & Performance Features Added By Your BPS Pro Custom php.ini File
|
IMPORTANT CORRECTION: The output buffering setting in your custom php.ini file for WordPress should be: output_buffering = 0. This means 0 bytes, which is the same thing as Off, but the value is an integer, not an On / Off value. If the Status is displaying blank for output_buffering this is because output_buffering = Off is being used. The information on the Internet (even PHP.net) about the output_buffering setting is incorrect and we used Off in the BPS Pro 5.0 Master php.ini files. Please correct this by changing Off to 0 in your custom php.ini file.
To view all of your PHP Server Configuration information use the PHP Info Viewer.
Is My Custom phpini File Set up Correctly? Is It Being Seen By My Server? The Status column should display all Green On or Off Status settings. If you see Red On or Off Status settings displayed then your Custom php.ini file is probably not set up correctly and / or is not being seen as the Loaded Configuration php.ini file for your website. It is possible that you may see a couple of Red On or Off Status settings if your Web Host does not allow you to override their default directive settings for some directives. This would mean that your custom php.ini file is set up correctly, but you are not allowed to change a couple of directive settings on your Host Server. You can check the Loaded Configuration File file path in the PHP Info Viewer to ensure that it is showing the path to your custom php.ini file and not your Servers default php.ini file. Some Web Hosts like Network Solutions will still show the Loaded Configuration File path for their default php.ini file, but you will see that your custom php.ini directives settings are being applied to your website and you should see all Green On or Off Status settings or mostly Green On or Off Status settings. For additional help information go to the Help & FAQ Menu Tab and click on the General php.ini Info and Host Specific php.ini Information link to view possible reasons why your custom php.ini file is not being seen as the Loaded Configuration php.ini file for your website.
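Added example (not BPS Pro code): a check, in Python, to run on a custom php.ini before uploading it, covering the settings this page calls out: lines that are not in name = value form, show_source listed in disable_functions, output_buffering = 0 rather than Off, and an error_log path that matches the one set on the PHP Error Log page. The parser is a simplified model of PHP's INI handling, the sample files and function names are constructed for illustration, and the expected path is the example path from the error_log instructions above.

```python
import re

# PHP's INI scanner turns these unquoted words into "" (false) or "1" (true),
# which is why output_buffering = Off shows up as a blank value.
_FALSEY = {"off", "no", "false", "none", "null"}
_TRUTHY = {"on", "yes", "true"}
_SECTION = re.compile(r"^\[[^\]]+\]$")
_DIRECTIVE = re.compile(r"^([A-Za-z_][\w.\-]*)\s*=\s*(.*)$")

# Example path from this page's error_log instructions.
EXPECTED_LOG = ("/home/content/xx/xxxxxxxx/html/wp-content/plugins/"
                "bulletproof-security/admin/php/bps_php_error.log")

# Constructed samples, not BPS master files.
SAMPLE_BAD = """[PHP]
; constructed sample
display_errors Off
output_buffering = Off
disable_functions = system, exec, passthru
error_log = /tmp/php_errors.log
"""
SAMPLE_GOOD = """[PHP]
display_errors = Off
output_buffering = 0
disable_functions = system, exec, passthru, show_source ; trailing comment
error_log = """ + EXPECTED_LOG + "\n"


def _clean_value(raw):
    """Drop an unquoted trailing ';' comment; report whether the value was quoted."""
    kept, in_quotes = [], False
    for ch in raw:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            break
        kept.append(ch)
    value = "".join(kept).strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1], True
    return value, False


def parse_php_ini(text):
    """Return (directives, problems); a later assignment overrides an earlier one."""
    directives, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(";") or _SECTION.match(stripped):
            continue
        m = _DIRECTIVE.match(stripped)
        if not m:
            problems.append(f"line {lineno}: not a 'name = value' line: {stripped!r}")
            continue
        value, quoted = _clean_value(m.group(2))
        if not quoted and value.lower() in _FALSEY:
            value = ""
        elif not quoted and value.lower() in _TRUTHY:
            value = "1"
        directives[m.group(1)] = value
    return directives, problems


def audit(text, expected_error_log):
    """List everything that differs from the settings this page describes."""
    directives, findings = parse_php_ini(text)
    disabled = {f.strip() for f in directives.get("disable_functions", "").split(",")}
    if "show_source" not in disabled:
        findings.append("disable_functions does not list show_source")
    buffering = directives.get("output_buffering")
    if buffering is None:
        findings.append("output_buffering is not set")
    elif buffering == "":
        findings.append("output_buffering = Off parses to a blank value; use 0")
    elif buffering != "0":
        findings.append(f"output_buffering is {buffering}, not 0")
    log = directives.get("error_log", "")
    if log != expected_error_log:
        findings.append(f"error_log is {log!r}, expected {expected_error_log!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit(sample, EXPECTED_LOG) or "no findings")
```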
|
|
S-Monitor ~ Security Monitoring and Alerting
|
Monitoring and Alerting Options
|
Monitoring and Alerting Options Explained
First Install / Launch S-Monitor Notification: is displayed when you first install BPS Pro. This Alert is designed to get you to the S-Monitor page to click the Save Options button the first time you install BPS Pro. After you have selected the Monitoring and Alerting options that you want then turn this Alert Off and click the Save Button.
BPS Pro Upgrade Notification: Displays an Alert when a new version of BPS Pro is available. You can also select Upgrade Notifications to be emailed to you under Email Alerting Options. If you turn off Alerts for BPS Pro Upgrade Notifications in BPS and WordPress you can still receive email alerts.
BPS Security Status: Currently Active .htaccess File or Alert: You can display which currently active BPS Pro htaccess file is active in BPS pages only, your WordPress Dashboard or turn this alert off.
HUD Alerts: BPS Error, Problem and Warning Alerts: Heads Up Display – HUD Alerts are important and it is recommended that you choose to display these Alerts in your WordPress Dashboard. HUD Alerts will alert you to any serious problems with BPS or any other problem or issues that need to be corrected right away.
PHP Error Log: Check if Folder Location Has Been Set: This is a reminder Alert to remind you to set your BPS php error log file path as soon as possible. A php error log is a good thing to have in general to check for website problems and it is important in website security monitoring as well.
PHP Error Log: New Errors in The PHP Error Log: When new php errors occur on your website they are logged in your php error log and you are alerted by BPS that you have a new php error in your error log. The BPS PHP Error Log Alert contains a link to the P-Security PHP Error Log page. You can also choose to have PHP Error Log Alerts emailed to you under the Email Alerting Options.
Php.ini File: Has Been Created, Valid and Error Checks: Multiple checks are performed and several different warning messages or error messages can be displayed: A reminder Alert to create your custom php.ini file as soon as possible, or to add an existing php.ini file to the P-Security Php.ini File Manager as soon as possible. Checks that your Server is recognizing your custom php.ini file as the Loaded Configuration php.ini file for your website. Checks that the PHP error log Set To Location matches the error log path seen by the Server. For additional checking of individual directives within your custom php.ini file see the Php.ini Security Status page.
F-Lock: Check File Lock / Unlock Status: Checks your file permissions. If your Host Server is using CGI as the php handler and your Server API is displayed properly as CGI then this check works perfectly to determine your file permissions locked or unlocked status. If your Host is using DSO mod_php you will see error messages that the files are not locked. For now BPS is displaying this error message just in case your Host has named the SAPI display name in phpinfo incorrectly or they are using a new naming convention for your SAPI. If your Host Server is definitely using DSO mod_php then you can turn this S-Monitor option off. DSO file permissions should be 644 and cannot be set more restrictive because of the way DSO works. File permissions for CGI and DSO are managed on the F-Lock page. We would appreciate feedback on this if your Host has named your SAPI with something other than CGI but your Host Server is actually using CGI. We will make a list of these Hosts and add custom coding exceptions for these Hosts to make this check more accurate and display warning messages specifically by Host.
BPS Pro Video Tutorial links can be found in the Help & FAQ pages.
|
|
Email Alerting Options
|
Email Alerting Options
These email alerting options work independently of the displayed BPS Alerts so for example you could have the BPS Pro Upgrade Notification display turned off for your website and still receive emails notifying you when a new version of BPS Pro is available.
PHP Error Log: New Errors in The PHP Error Log: Choose whether or not to have email alerts sent when a new php error occurs on your website.
BPS Pro Upgrade Notification: Choose whether or not to have email alerts sent when a new version of BPS Pro is available.
The email address fields To, From, Cc and Bcc can be email addresses for your hosting account, your WordPress Administrator email address or 3rd party email addresses like gmail or yahoo email. If you are sending emails to multiple email recipients then separate the email addresses with a comma. Example: someone@somewhere.com, someoneelse@somewhereelse.com. You can add a space or not add a space after the comma between email addresses.
|
|
Simple Email Test for the PHP mail() Function
|
Simple Email Test to check the PHP mail() Function: This Email Test checks that your Server has the PHP mail() function enabled and set up as a default php mailer on your Server and that your default email settings are already working for the php mail() function. Your WordPress Administrator email address from the WordPress Settings Panel in General Options is displayed in the Send A Test Email window. You can use this email address to send a test email or type in a different email address and click the Send Test Email button. The email address can be another email address under your hosting account or a gmail, yahoo or other 3rd party email address. The Test Email could take up to 15 minutes to be received by you.
Php.ini mail Directives Testing If you are testing to see if you need to add any mail directives settings in your php.ini file, send a test email and if you receive the BPS Test Email then you do not need to add any mail directives settings to your php.ini file. If you want to find out what your default mail() and php.ini settings are for handling mail on your server then use the BPS Phpinfo viewer to find and view those PHP Server configuration mail settings.
|
|
Pro-Tools
|
BulletProof Security Pro ~ Pro Tools
|
Online Safe – Base64 Decode / Decompress
|
base64_decode, gzinflate, gzuncompress, str_rot13, strrev
|
Safe Online Decoding Help Info
|
Use this Online Base64 Decoder when decoding known hacker scripts on a Live / Online website – DO NOT USE THE OFFLINE BASE64 DECODER WHEN DECODING KNOWN HACKER SCRIPTS ON A LIVE WEBSITE. The Offline base64 decoder can be used safely for decoding hackers base64 code if you have XAMPP or MAMP installed on your computer and have a local installation of WordPress on your computer.
How To Use The Online Base64 Decoder — Paste the base64 code into the Paste Code Here: window. — Select a Decoding Option that matches the type of base64 decode needed to decode the code. — Click the Decode button – the decoded code is written to the bps_b64_decode.txt text file. — Click the Zip File button to zip the text file to the B64.zip Archive file. — Click the Download File button to download the B64.zip Archive file to your computer. — Unzip the B64.zip file and open the text file safely on your computer to view the decoded base64 code.
What Is The Difference Between the Online Base64 Decoder And the Offline Base64 Decoder? The Online Base64 Decoder should be used if you are decoding known hackers base64 code on a Live website. The Online Base64 Decoder is not outputting anything to your browser window. The base64 code is decoded and written to this text file /plugins/bulletproof-security/admin/tools/bps_b64_decode.txt instead of being outputted to your browser window. Some portions of hackers base64 scripts may contain php commands and hackers tags that are blocked by browsers and if you have Internet Protection software installed on your computer then it will block the output and alert you that a malicious script has been detected on your website. The browser and your Internet Protection software are seeing the strings and / or patterns in the text file even though it is harmless because it is a text file and not a php file. Hackers code cannot be executed or processed from a .txt text file. The Offline Base64 Decoder is outputting the decoded code directly to your browser window to display it. It is not executing or processing that code and just displaying it, but this may trigger your browser or Internet Protection software to alert you that a malicious script has been detected and kick you out of your own website.
Is It Safe To Use The Online Base64 Decoder On My Live Website? Yes absolutely. The Online Base64 Decoder decodes a hackers script, writes it to a text file then allows you to zip that text file to a zip archive file so that you will then be able to download it and unzip it and view the script safely in Notepad or some other text editor on your computer. The Online Base64 Decoder is less convenient, but absolutely safe to use.
Safety Tips When Decoding Hackers Base64 Code Scripts: You should handle all known hackers scripts just like you would handle a poisonous snake – very carefully and cautiously or not at all. You should never try and view known hackers scripts on a Live website in a browser window. When in doubt use the Online Base64 Decoder instead of the Offline Base64 Decoder.
Error: Decode Failed – What Can Cause This? If you try and decode the entire function instead of just the actual encoded code you will see this error. If you have the base64_decode function disabled in your custom php.ini file then you will see this error. If your Web Host has the base64_decode function disabled by default then you will see this error message.
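The decode-to-a-text-file workflow and the Decode Failed case described above, as an added example in Python (this is not BPS Pro's own code). The function names, the literal-extraction regex and the embedded sample are assumptions of this example; the sample wrapper is constructed and harmless.

```python
import base64
import codecs
import re
import zlib
from pathlib import Path


class DecodeFailed(ValueError):
    """A decoding step could not be applied to the input."""


def b64(data: bytes) -> bytes:
    # validate=True rejects every character outside the base64 alphabet, so a
    # pasted wrapper such as eval(base64_decode('...')); fails instead of
    # silently decoding to garbage.
    return base64.b64decode(b"".join(data.split()), validate=True)


def rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")


# Named after the PHP functions the page lists. Each maps bytes to bytes and
# only transforms data; nothing here evaluates the result.
DECODERS = {
    "base64_decode": b64,
    "gzinflate": lambda d: zlib.decompress(d, -15),  # raw DEFLATE stream
    "gzuncompress": zlib.decompress,                 # zlib-wrapped stream
    "str_rot13": rot13,
    "strrev": lambda d: d[::-1],
}


def decode_chain(payload: bytes, steps: list) -> bytes:
    """Apply the named decoders in order, innermost PHP call first."""
    data = payload
    for name in steps:
        try:
            data = DECODERS[name](data)
        except (KeyError, ValueError, zlib.error) as exc:
            raise DecodeFailed(f"{name}: {exc}") from exc
    return data


LITERAL = re.compile(rb"""["']([A-Za-z0-9+/=\s]{16,})["']""")


def extract_literal(snippet: bytes) -> bytes:
    """Return the longest quoted base64-looking literal in a pasted snippet."""
    found = LITERAL.findall(snippet)
    if not found:
        raise DecodeFailed("no quoted base64 literal found")
    return max(found, key=len)


def decode_to_text_file(payload: bytes, steps: list, out_path: str) -> Path:
    """Decode and write the result to a .txt file instead of displaying it."""
    out = Path(out_path)
    if out.suffix.lower() != ".txt":
        raise ValueError("write decoded output to a .txt file only")
    out.write_bytes(decode_chain(payload, steps))
    return out


# Constructed sample: a harmless line wrapped the way obfuscated code often is.
SAMPLE_PLAIN = b"<?php echo 'constructed sample, not a real payload'; ?>"


def constructed_sample() -> bytes:
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(rot13(SAMPLE_PLAIN)) + deflater.flush()
    return (b"eval(str_rot13(gzinflate(base64_decode('"
            + base64.b64encode(raw) + b"'))));")
```

Passing the whole wrapper to `decode_chain` raises `DecodeFailed`; passing the result of `extract_literal` with the steps `base64_decode`, `gzinflate`, `str_rot13` recovers the sample line.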
|
Offline Safe – Base64 Decode / Encode ~ Compress / Decompress
|
base64_decode, base64_encode, gzinflate, gzdeflate, gzuncompress, gzcompress, str_rot13, strrev
|
Safe Offline Decoding & Encoding Help Info
|
Use the Online Base64 Decoder when decoding known hacker scripts on a Live / Online website – DO NOT USE THIS OFFLINE BASE64 DECODER WHEN DECODING KNOWN HACKER SCRIPTS ON A LIVE WEBSITE. The Offline base64 decoder can be used safely for decoding hackers base64 code if you have XAMPP or MAMP installed on your computer and have a local installation of WordPress on your computer. If you are decoding and encoding known good scripts, text or code then the Offline Base64 Decoder / Encoder is a quick, easy and handy tool to decode and encode base64 code.
How To Use The Offline Base64 Decoder / Encoder — Paste the base64 code, text or code into the Paste Code or Text Here: window. — Select a Decoding or Encoding Option that matches the type of base64 decode or encode needed to decode or encode the code. — Click the Decode / Encode button – the decoded or encoded code is displayed in the Safe Raw Code Output: window. — You can copy the decoded or encoded code from the Safe Raw Code Output window and paste it to a text file or php file on your computer. — The Decoding and Encoding Options are listed in matching numbered counterpart order. Decoding 1. matches Encoding 1., Decoding 2. matches Encoding 2., etc.
|
|
Mcrypt ~ Decrypt / Encrypt Page
|
Mcrypt ~ Decrypt
|
mcrypt_encrypt and mcrypt_decrypt functions
Mcrypt Cipher: MCRYPT_RIJNDAEL_256
Block Algorithm / Cipher Mode: MCRYPT_MODE_CBC
Salt and String: md5 hashed and base64 encoded / decoded
To decrypt paste or type the salt into the salt window and paste mcrypt encrypted code into the Decrypt window and click the Decrypt button to decrypt it. To encrypt text or code paste or type the salt into the salt window and paste or type text or code into the Encrypt window and click the Encrypt button.
|
|
Crypt Encryption Page
|
Crypt one-way string hashing
|
The crypt function
The crypt function will return a hashed string using the algorithms listed in the Choose Encryption Algorithm drop down list. Your system may not support all of the available Algorithms. You will see an error message if your system does not support a particular Algorithm that you have selected. There is no decrypt function for the crypt function. The crypt() function uses a one-way algorithm. Practical uses for crypt would be hashing / encrypting sensitive information like passwords, credit card numbers or creating a key that cannot be decrypted. The hash string can be accessible / viewable publicly and the hashed / encrypted string will match data stored in a private database that is not publicly accessible. Example: When a user creates a password and the password is encrypted with the crypt() function, the encrypted version of this password is saved to the database. The next time the user logs in their password is encrypted again and compared against the already saved (encrypted) password in the database. If the encrypted password is somehow intercepted it will be the encrypted version of the password instead of the actual password. The encrypted password will not work to log in with because it will be encrypted again and will not match any encrypted passwords stored in the database.
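The store-and-compare login flow described above, as an added example in Python (not BPS Pro code). Python's standard library has no portable crypt(), so PBKDF2-HMAC-SHA256 from hashlib is swapped in as the one-way function; the stored string format, the iteration count and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes = None) -> str:
    """Return '$pbkdf2-sha256$<iterations>$<salt>$<digest>' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return "$".join(["", "pbkdf2-sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Hash the submitted password again with the stored salt and compare."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return False
    try:
        iterations = int(parts[2])
        salt = base64.b64decode(parts[3], validate=True)
        expected = base64.b64decode(parts[4], validate=True)
    except ValueError:
        return False
    if not 1 <= iterations <= 10_000_000:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    # Constant-time comparison so the check does not leak how many leading
    # bytes of the digest matched.
    return hmac.compare_digest(candidate, expected)
```

Submitting the stored string itself as the password fails verification, because it is hashed again before the comparison.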
|
|
Scheduled Crons Page
|
No help file necessary. Displays all scheduled Cron jobs that are scheduled to run on your website by: Next Run Date, Frequency and Hook Name.
|
|
String Finder Page ~ String / Function Finder
|
String / Function Finder Usage
|
Overview of Hackers Methods: A lot of people go looking for and find BPS after their websites have already been hacked. If you are installing BPS Pro after your website has already been hacked then the Finder tool will help you find the hackers code very quickly. Once you have located the hackers code you can use the Replacer / Remover Tool to replace or remove the hackers code. There is no magic function that will automatically fix your website after it has been hacked because the functions that the hackers use are legitimate internal PHP functions. With that said there are functions that hackers are more likely to use such as base64_encode, base64_decode and PHP functions that deal with or perform remote execution of scripts. Hackers will usually try and place backdoor scripts on your site and hide those scripts by encoding and decoding them with base64 code. The most ideal scenario that a hacker will try to achieve is to be able to remotely control or automate script execution on your website with a backdoor script. This means that there is going to be a string that you can search for that will give away their script. So finding the right string to search for is the key and is something that cannot be magically determined and requires that you use logic to figure out the string to search for. You will need to know the approximate time that your website was hacked so that you can check your server logs for clues. All you need is one string to search for and it will be found in your server log. That string will lead to all of the hackers script or scripts. You will need to have a basic understanding of PHP coding when you find the hackers script to determine exactly what the script is doing. The primary hacking script may be auto-generating or auto-creating additional scripts on your site. If your site was hacked using SQL Injection then a traceable log entry may not show up in your logs depending on how the SQL Injection was achieved on your WordPress Database.
Practical Uses For The String / Function Finder The Finder will find any string anywhere within your hosting account. The Finder will search starting from the folder path you enter and search all subfolders of that folder path. You can search for PHP function names or any string pattern. The Finder is not searching your WordPress Database. Use the DB String Finder if you want to search your database instead of your files. The Finder can search within all of your files on your host server under your hosting account and will display the full paths and the code line numbers where the string you are searching for was found. The string search term is highlighted in the returned search results. The string search is case sensitive so the string you enter must match exactly. Capital and lowercase letters must match exactly. A string search could contain several words in the string you are searching for, but the Finder is not designed to search for different instances of strings such as a search for and/or string searches, it is designed to find an exact string match, whether the string is one word or several words or HTML characters or PHP code or whatever else you are searching for. The Finder is looking for an exact match for whatever string search term you enter into the Search String window. If the search term you enter is part of a word or a longer string then the entire word or string is returned in the search results with your exact string search term highlighted.
Examples: • Search for the base64_encode and base64_decode functions commonly used by hacking scripts to find any instances of these functions in your files. If you find some base64 code that you would like to decode then use the BPS Base64 Decoder to decode it. • Search in your WordPress Plugins folder for functions that your plugins may be using to determine if the function is being used by a plugin or not and can be added to your custom php.ini file under the disable_functions Directive. If a plugin is using a PHP function that is considered dangerous then you will have to make a decision whether or not to block this function. This may cause the plugin to stop working altogether or it may just block a particular function that the plugin is performing, but the plugin itself will continue to work. • Another example is searching for a php function that is considered very dangerous and is commonly targeted by hackers. Do a search of your Plugins folder for the mysql_pconnect function. You should hopefully see No Results Returned instead of finding this function in any of your plugins. It is very bad news and hackers specifically look for this function to exploit it. If you do find this function in any of your plugins then I recommend that you remove the plugin immediately and delete all the plugin files from your website. • Search for any string pattern such as portions of a known hacking string or identifying word used in mass site hacking injections. • As a test, search for the word viagra in your WP Plugins folder and you will find a BPS test file that contains the word viagra and this help info will also be displayed in your search results. An example use for this particular type of search would be if your site was hacked prior to finding and installing BPS and the hacker has added viagra links to your site then the Finder will display all the files and code line numbers where those links have been added.
If no instances of the search term viagra were found in any of your files then this would mean that either the code is being encoded using base64 to hide it or the links are dynamically being pulled from your WordPress Database indicating that the hacker has used SQL Injection to inject the hacking code into your database. You can use the DB String Finder Tool to search your database for strings.
|
|
String Replacer / Remover Page
|
Preview Mode
|
BPS String Replacer / Remover ~ Preview Mode
The String Replacer / Remover Preview Mode allows you to preview the string replacement or string removal you want to perform before you use the Replacer / Remover ~ Write Mode to actually write the new string or remove the string. The string replacement that is performed in Preview Mode is only visually replacing the string and is not actually changing or writing a new string.
Using the Replacer / Remover ~ Preview Mode • Enter the string you want to search for in the Search String: window. The string search is case sensitive so the string you enter must match exactly. Capital and lowercase letters must match exactly. • Enter the string you want to replace your Search String with in the Replacement String: window. • Enter the folder path where you want to search in the Search Path: window. This will search all files in the folder path that you add including all subfolders of this folder path.
There is a test file in the BPS /test folder that you can use for both the Preview Mode and the Write Mode String Replacement testing. Enter bpsBogusString in the Search String: window – the string search is case sensitive so the string you enter must match exactly. Capital and lowercase letters must match exactly. Enter TestString in the Replacement String: window, enter the folder path to your WordPress Plugins folder in the Search Path: window and click the Replace Strings button. You should see that the search string bpsBogusString was found and replaced 9 times with TestString and that will also include this help file because the string exists in this help file.
|
|
Write Mode
|
BPS String Replacer / Remover ~ Write Mode
The String Replacer / Remover Write Mode allows you to search and replace or remove strings throughout all of your files. Use Preview Mode first to make sure the string replacement you want to do is exactly what you want. The string replacement that is performed in Write Mode is permanent. You could of course reverse the process if you are doing a string replacement, but if you are doing a string removal and you replace a string with a blank space then you will not be able to reverse the string replacement. A log file entry is written to the String Replacer Log file each time you perform a string replacement or removal. See below for more information.
Using the Replacer / Remover ~ Write Mode • Enter the string you want to search for in the Search String: window. The string search is case sensitive so the string you enter must match exactly. Capital and lowercase letters must match exactly. • Enter the string you want to replace your Search String with in the Replacement String: window. If you want to remove or permanently delete a string then leave the Replacement String: window blank. • Enter the folder path where you want to search in the Search Path: window. This will search all files in the folder path that you add including all subfolders of this folder path.
There is a test file in the BPS /test folder that you can use for both the Preview Mode and the Write Mode String Replacement testing. Enter bpsBogusString in the Search String: window – the string search is case sensitive so the string you enter must match exactly. Capital and lowercase letters must match exactly. Enter TestString in the Replacement String: window, enter the full path to the BPS Test folder /your-website-root-path-goes-here/wp-content/plugins/bulletproof-security/admin/test/ in the Search Path: window and click the Replace Strings button. You should see that the search string bpsBogusString was found and replaced 4 times with TestString. In Write Mode these strings have been permanently replaced so this test will only work once unless you reverse the process and replace the string TestString with bpsBogusString.
BPS Pro String Replacer / Remover Log Each time you perform a string replacement or removal a log entry is made into the BPS Pro String Replacer Log file. The log file is here /wp-content/plugins/bulletproof-security/admin/tools/string_replacer_log.txt. The log file entry adds a timestamp, the Search Path, the Search String, the Replacement String, the Original Content before being modified and the File Path and Code Line that was modified. You can add the path to the Replacer Log file to an available slot in the Php.ini File Manager and use the Php.ini Editor to view the Log file online or you can download it via FTP. Adding the Log file path to the Php.ini File Manager will allow you to view the Replacer Log file at any time. The Log file is htaccess protected and cannot be viewed using a browser unless you open the file with your browser via FTP.
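The behaviour described in the String Finder and String Replacer / Remover sections (case-sensitive exact match, recursive search, Preview Mode versus Write Mode, and a log entry per change), as an added example in Python. This is not BPS Pro's own code; the function names and the tab-separated log line layout are assumptions of this example.

```python
import os
import time


def find_string(root, needle, skip=()):
    """Case-sensitive exact search of every file under root.

    Returns sorted (path, line_number, line) tuples. Files are read as bytes
    so that binary or oddly encoded files are searched without being altered.
    """
    needle_b = needle.encode("utf-8")
    skipped = {os.path.abspath(p) for p in skip}
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if os.path.abspath(path) in skipped:
                continue
            try:
                with open(path, "rb") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            for lineno, line in enumerate(lines, 1):
                if needle_b in line:
                    hits.append((path, lineno, line.decode("utf-8", "replace")))
    return sorted(hits)


def replace_string(root, needle, replacement, write=False, log_path=None):
    """Preview (write=False) or apply (write=True) a replacement.

    Returns (path, line_number, old_line, new_line) tuples. An empty
    replacement removes the string. In write mode the original content is
    logged before any file is modified.
    """
    if not needle:
        raise ValueError("search string must not be empty")
    skip = (log_path,) if log_path else ()
    changes = [(path, lineno, old, old.replace(needle, replacement))
               for path, lineno, old in find_string(root, needle, skip)]
    if not write:
        return changes  # Preview Mode: nothing on disk is touched

    if log_path:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        with open(log_path, "a", encoding="utf-8") as log:
            for path, lineno, old, _new in changes:
                log.write(f"{stamp}\tsearch_path={root}\tsearch={needle!r}\t"
                          f"replacement={replacement!r}\t"
                          f"file={path}:{lineno}\toriginal={old!r}\n")

    needle_b = needle.encode("utf-8")
    replacement_b = replacement.encode("utf-8")
    for path in sorted({change[0] for change in changes}):
        with open(path, "rb") as fh:
            data = fh.read()
        with open(path, "wb") as fh:
            fh.write(data.replace(needle_b, replacement_b))
    return changes
```

Because the original line is logged before the write, a removal with a blank replacement can still be reconstructed from the log.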
|
|
DB String Finder Page ~ WordPress Database String Finder
|
DB String Finder
|
BPS DB String Finder Primary Purpose and Usage: If your site has already been hacked prior to installing BPS Pro and you suspect or know that the hack was performed by injecting code into your database you can use the DB String Finder Tool to quickly search your database for all or part of the hackers code or a string. There is no magic function or tool that can automatically figure out what is legitimate data and what is not. You must have a starting point in your search and that starting point is an identifying string or word or pattern that the hacker has used and that you can search for. You should check your Server log files around the time your site was hacked for a starting point to look for the string to search for. Also the output of the hackers code gives you a starting point to search for the string that is outputted. Example: If a viagra link is being dynamically generated from your database and the link is not physically located in a file then you would search your WP DB for the search term viagra. If a link or whatever other code a hacker has placed on your site is located physically in files then use the file String Finder Tool to find the files where the hackers code is located. The DB String Finder searches your entire WordPress Database for the string search term you enter in the DB Search String: window. The DB String Finder is not an attempt to replace the phpMyAdmin tool that all web hosts offer and have installed. Instead it is a tool to quickly determine if you need to access and utilize phpMyAdmin to remove any hackers code. Since this DB String Finder tool searches your entire database all in one shot very quickly without having to access phpMyAdmin you will have a guide to follow that will point to exactly what needs to be changed or removed in your database using phpMyAdmin or if nothing is found then you have eliminated the possibility that code was injected into your database.
A DB String Replacer Tool may be added in a later version of BPS after further debate and testing.
BPS DB String Finder Explained The DB String search searches all DB tables, columns and rows for a string match. The string search is not case sensitive. The string search will return search results for all or part of the search term you enter. If a large amount of data is returned in your search results use the horizontal scroller located at the bottom of the search results window to scroll and view all the table data.
Examples: If you searched for bulletproof_security you would get search results with instances of the string bulletproof_security highlighted and on a separate line using a line break to isolate only your string search term for easier visual identification. If you searched for Bulletproof_security with a capital B then you would get the same exact search results. If you searched for bullet you would get search results with instances of the string bullet highlighted and on a separate line for easier visual identification.
Running a DB search may generate this php warning message in your php error log PHP Warning: Unknown: 1 result set(s) not freed. Use mysql_free_result to free result sets which were requested using mysql_query() in Unknown on line 0. You can disregard this warning. It is a known issue that is common when performing this method of searching your database.
|
|
DB Table Cleaner / Remover Page ~ WordPress Database Table Cleaner/Remover
|
DB Table Cleaner / Remover
|
BPS DB Table Cleaner / Remover
EMPTYING a table means all the rows in the table will be deleted. CAUTION!!! THIS ACTION IS NOT REVERSIBLE.
DROPPING a table means deleting the table. CAUTION!!! THIS ACTION IS NOT REVERSIBLE.
|
|
File Lock
|
Lock / AutoLock Mission Critical Files Help Info
|
|
What is AutoLock? AutoLock is automated file locking. When first installing BPS Pro you need only click on the Save Options button to lock all of your files together at one time. Whatever Lock or Unlock file options are selected for each of your files is automatically applied to your files just by accessing the F-Lock page. Manual control of individual file permissions is done by choosing the file you want to Lock or Unlock, selecting Lock or Unlock for that file and then clicking the Save Options button. AutoLock is used for 2 reasons – to make locking files quick and easy and to display real time file permissions status.
IMPORTANT – Web Host Server API Info – CGI or DSO Info: BPS Pro checks your Web Host's Server API and your Web Host's Server API is displayed in green font right below this Read Me Hover Tooltip. Most people will have php run as CGI on their Web Hosts and you should see that your Server API is CGI. If your Web Host is using DSO / Apache mod_php instead of CGI then file locking and unlocking does not pertain to you. Set your file permissions to DSO – 644 File Permissions and then turn off the S-Monitor F-Lock: Check File Lock / Unlock Status checking option. DSO file permissions are handled in a completely different way than CGI file permissions. The majority of Web Hosts will be using CGI so the rest of this help file pertains to anyone who sees that their Server API is CGI.
Why Lock Mission Critical Files? Hackers specifically target these files in Mass Code Injection attacks on web hosts. This is done by exploiting the Group Permissions on files located in Root folders for hosts that use CGI. By locking these files with Read Only 400 and 404 permissions the Group Permissions are removed and these files are protected against Mass Code Injection attacks. For hosts using DSO – 644 file permissions are secure because php file security is handled using a different type of file security.
Will Locking Files With Read Only Permissions Break WordPress? No. 400 and 404 file permissions have been tested on several different web hosts using suPHP and suEXEC with CGI and WordPress performs normally. DSO file permissions should be the standard 644 file permissions. BPS is checking and displaying your Server API. If you see CGI displayed as your Server API then you can use the regular File Lock and Unlock options. The regular file Lock options should work fine on most if not all web hosts. The majority of web hosts these days are using suPHP or suEXEC and a CGI php handler. If you see that your Server API is DSO then ONLY use the DSO 644 permissions options. There is no need to have an unlock for DSO. 644 permissions are secure for DSO because of the different way that the DSO mod_php Apache module handles php files and security and WordPress and plugins can write to files with 644 permissions. If you see something other than CGI or DSO displayed as your Server API then check with your web host to find out what the most restrictive file permissions that you can use are or you can just experiment. If you are experimenting be prepared to FTP to your website and manually change the file permission back to what it was if you see 500 errors. Incorrect file permissions could cause your website to display 500 errors and be down. It is possible but not likely that the Server API could display another interface name such as continuity, embed, isapi, litespeed or other interface names instead of cli or cgi.
Will Locking Files With Read Only Permissions Break Plugins? Locking the files will not interfere with a plugin's normal operation but if a plugin needs to write to any of these locked files then the file will temporarily need to be unlocked so that a plugin can write to it. If you are using the B-Core File Editor to edit your root .htaccess file you will need to unlock the root .htaccess file so that BPS can write to it. A Lock / Unlock button has been added to the BPS .htaccess File Editor page. F-Lock allows you to quickly Lock and Unlock files on the fly without having to use FTP or your Control Panel.
What is GWIOD – Lock / Unlock? GWIOD is short for Giving WordPress Its Own Directory. People who are using this type of WordPress site set up will have an additional .htaccess file and index.php file in their Site Root folder. This will allow them to lock both their Site Root .htaccess file and index.php file as well as the .htaccess file and index.php files that exist in their actual WordPress installation folder. If you are not using this type of WordPress set up then these files will either show up as duplicates of your already locked or unlocked files or could generate error messages. If you are not using this type of WordPress set up and you are seeing error messages then turn this check off by selecting the Turn Off Checking & Alerts dropdown list option. If the file does not really exist then you will see …file does not exist under Permissions & Status for that file.
What is DR – Lock / Unlock? DR is short for Document Root. This allows you to lock and unlock an .htaccess file or index.php file in your Document Root folder. If your WordPress installation is already in your Document Root folder then the DR Permissions & Status information will just be duplicated permissions and status information about your already locked or unlocked files. If you have multiple WordPress sites installed and some are subfolder installations and one is a WordPress Document Root installation then you will be able to lock and unlock the Document Root files from any of your WordPress subfolder websites. If you have a single WordPress installation installed in your Document Root folder then these files will show up as duplicates of your already locked or unlocked files. If you are seeing error messages about these files not being locked because they do not really exist then turn this check off by selecting the Turn Off Checking & Alerts dropdown list option. If the file does not really exist then you will see …file does not exist under Permissions & Status for that file. Another possible scenario is that if you have an HTML site in your Document Root folder then you could lock the .htaccess file for that HTML site.
The Wrong Permissions and Status Table Is Displayed If BPS detects CGI then you will see the CGI Permissions & Status Table displayed and you should be able to set permissions to 400 and 404. If BPS detects DSO then you will see the DSO Permissions & Status Table and should only be able to set permissions to 644. BPS looks at the Server API name that your host has configured to display. If your host is using CGI but they are using another interface name then BPS will not be able to detect that your Server is using CGI and will display the DSO Permissions and Status Table. Please let us know about this by sending us an email. We can then add additional coding to BPS to create an exception for your particular host.
Help links are provided on the Help & FAQ page.
BPS Pro 5.2 will have the added capability of allowing you to choose and add any additional files that you want to lock down and monitor.
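The permission rules described in this File Lock help section (400 or 404 for CGI, 644 for DSO, and the "file does not exist" status) can also be checked outside the plugin. The following is an added example, not BPS Pro code; the function names, the status wording other than "file does not exist", and the extra wp-config.php name are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Policy taken from the help text above: CGI hosts lock files read-only with
# 400 or 404; DSO (mod_php) hosts keep the standard 644.
EXPECTED = {"CGI": {0o400, 0o404}, "DSO": {0o644}}

# The help text names the root .htaccess and index.php files.
FILES = (".htaccess", "index.php")


def audit(folder, server_api, files=FILES):
    """Return {filename: (octal mode or None, status)} for one folder."""
    allowed = EXPECTED[server_api]
    report = {}
    for name in files:
        path = os.path.join(folder, name)
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            report[name] = (None, "file does not exist")
            continue
        if mode in allowed:
            status = "ok"
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Write access beyond the owner is the exposure the lock removes.
            status = "group/other writable"
        elif mode & stat.S_IRWXG:
            status = "group permissions present"
        else:
            status = "unexpected permissions"
        report[name] = (format(mode, "03o"), status)
    return report


def demo():
    """Audit a constructed folder (sample data, not a real site) as CGI."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in ((".htaccess", 0o404), ("index.php", 0o664)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(path, mode)
        # wp-config.php is never created here, so it reports as missing.
        return audit(root, "CGI", files=FILES + ("wp-config.php",))
```

Pass "CGI" or "DSO" according to the Server API that BPS displays for your host; a file at 644 reports "group permissions present" under CGI and "ok" under DSO.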
|
Activation ~ BulletProof Security Pro Activation
|
1. Enter the PayPal email address used to purchase BPS Pro and click Save. 2. Click the Get Key button to get your BPS Pro Activation Key. Your Activation Key will be emailed to your PayPal email address. 3. Enter your BPS Pro Activation Key and click Save Key. Your PayPal email address is deleted when you click Save Key.
|
|
BulletProof Security Pro ~ Zip Installation & Backup
|
Zip Backup & Download Zip
|
|
Zip Backup Click on the Zip & Backup Files button to back up your current installation of BPS Pro. This is a full backup of the entire /bulletproof-security folder. All BPS Pro files will be zipped and backed up to /wp-content/bps-backup/bulletproof-security.zip and if you have added additional files to the /bulletproof-security folder then they will also be backed up in the bulletproof-security.zip file. Backups are zipped and are stored in the /bps-backup folder. Zip Backups are renamed and not overwritten. Each time that you perform a zip backup the previous backup zip file that you created is renamed using a date and time file naming format. Example: August-31-2011–03:54:02–bulletproof-security.zip.
Download Zip Click on the Download Zip File button to download the bulletproof-security.zip file to your computer. You will see a popup window that performs 2 checks: 1. If the bulletproof-security.php file exists and 2. If the folder permissions are set correctly for the /bps-backup folder.
Upload Zip Click on the Choose File or Browse button. Navigate / browse / go to the folder on your computer where the bulletproof-security.zip file is located and select it and then click the Open button. You should now see the bulletproof-security.zip file name displayed in the File Upload window. Click the Upload Zip File button and you should see this message – Zip File Upload Successful. Click the Install Now button to install BulletProof Security Pro – when the Zip file upload is completed.
Install Zip Click the Install Zip Now button. You will see a popup warning about performing a Zip backup first before proceeding with the Zip installation. You should always perform a zip backup before performing a Zip installation for good measure. The zip installer is designed to overwrite all the existing BPS Pro plugin files and BPS Pro master files. Your currently active htaccess files and php.ini files are not affected, changed or overwritten and your website security status is not affected or changed when performing an installation. All options settings are saved to your WordPress database and are not affected and changed when performing zip installations. As long as you have performed a zip backup then you can easily download and unzip it and retrieve any BPS files that were backed up. Zip backups are not overwritten and are stored in your /bps-backup folder until you delete them.
|