WordPress.org

How does the BulletProof Security Plugin htaccess Core work?

The BulletProof Security Plugin allows you to instantly create and activate .htaccess website security with one click (ok maybe a few clicks) for your website without having to know anything about .htaccess files. The Master .htaccess files are pre-made and BPS writes .htaccess code that is customized for your website. There is nothing to figure out or to configure. Click the AutoMagic buttons (creates customized Master .htaccess files) and Activate BulletProof Modes (copies the customized Master .htaccess files to your root and wp-admin folders). BPS has built-in Backup and Restore and an .htaccess File Editor for full manual editing control as well. BulletProof Website Security fast and simple. Enjoy!

How does the BulletProof Security Plugin Login Security & Monitoring work?

BulletProof Security Login Security & Monitoring allows you to choose whether you want to Log All User Account Logins or Log Only User Account Lockouts. The Dynamic DB Logging For has 3 options: Lock, Unlock or Delete database rows. The Login Security database table is hooked into the WordPress Users database table, but they are 2 completely separate database tables. If you lock a User Account then BPS Pro will enforce that lock on that User Account and the User will not be able to log in. If you unlock a User Account then the User will be able to login. Deleting database rows in the Login Security database table does NOT delete the User Account from the WordPress Users database table. When you delete a User Account it is pretty much the same thing as unlocking a User Account. To delete actual User Accounts you would go to the WordPress Users page and delete that User Account.

What do I do if my User Account is locked out?

A stand alone Login Security Unlock User Account Form has been created that allows you to Unlock locked User Accounts outside of your WordPress Dashboard. To use this stand alone script download it from this BulletProof Security Pro plugin folder - /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php and then upload it to your website root folder. Then type in the path to the bpsunlock.php file in your Browser. Example: http://www.example.com/bpsunlock.php. The stand alone script displays step by step instructions on how to use it.

Do I need to understand .htaccess code in order to use the BulletProof Security Plugin htaccess Core?

No, The .htaccess file creation is automated in BulletProof Security. Everything is automatically done for you. You do not need to know or understand anything about .htaccess website security files in order to use the BulletProof Security plugin. Extensive help information can be found in the Blue Read Me help buttons in BPS.

What do I do if I cannot log back into my website due to an htaccess file problem?

If you accidentally activated BulletProof Modes without first clicking the AutoMagic buttons or if you put your website in Maintenance Mode and your IP address has been changed by your ISP and you cannot log back into your website then you will need to use FTP or your Web Host Control Panel File Manager and delete the .htaccess file that BPS created in your website root folder. BPS website security is done purely with .htaccess website security and nothing else is modified on your website. So simply deleting the .htaccess file in your website root folder removes BPS website security and will allow you to log back in, use the AutoMagic buttons and activate BulletProof Mode again to protect your website again.

Will BulletProof Security cause my website to run slower?

No, BulletProof Security will not cause a website to run slower. BulletProof Security is website performance optimized and uses very little/low website resources and very little Server memory. If you would like to check your plugins to check how much website resource and Server memory each of your plugins is using install the P3 (Plugin Performance Profiler) plugin.

When I upgraded/updated BulletProof Security I saw an Alert. What does the Alert mean?

When upgrading/updating the BulletProof Security plugin you will see this WP Dashboard Alert. BPS Alert! Your site does not appear to be protected by BulletProof Security. As of BulletProof Security .47.2 WP Dashboard Alerts have been added to check your Root and wp-admin .htaccess files to ensure that your website is protected. During the upgrade your .htaccess files will be automatically updated and any new .htaccess security filters will be automatically added to your .htaccess files. In order for BPS to automatically update your htaccess files you will need to stay current with BPS plugin updates and install the latest BPS plugin updates when they are available. Any custom htaccess code or modifications that you have made to your htaccess files will not be altered, modified or changed. Activating BulletProof Modes again after upgrading BPS is no longer necessary.

Where can I find BulletProof Security troubleshooting steps & support?

Please see the BulletProof Security Forum.

BulletProof Security Server Compatibilty - Linux Hosting

• Compatible with Apache CGI configured Servers
• Compatible with Apache DSO configured Servers (May require file/folder permission and/or Ownership changes)
• Compatible with Nginx frontend Server with Apache backend Server
• Compatible with LiteSpeed Servers
• NOT Compatible with Windows IIS Servers - Windows Hosting

BulletProof Security uses .htaccess website security files, which are specific to Apache Linux Servers. BPS is compatible with Apache Linux Servers, LiteSpeed Servers, Nginx Servers (if the Nginx Server is the frontend Server and Apache Linux Server is the backend Server). If you do not know what type of Server you have you can check your Server Type and Operating System on the BPS System Info page.

Will BulletProof Security Work at all on Windows IIS Servers/Windows Hosting?

Yes and No. .htaccess files are only used on Linux based hosting. You can install BulletProof Security if you have a Windows IIS hosted website to use the additional features in BPS, but you cannot Activate BulletProof Modes and use .htaccess files on Windows Hosting. Please see this WordPress Codex Permalinks without mod_rewrite for more information.

Does BulletProof Security Work on Nginx Servers?

If you are using both Apache and Nginx together and Nginx is the frontend webserver and Apache is the backend Server used to process PHP then BulletProof Security will work on this type of combined Server Configuration. If you are only using Nginx then an .htaccess file will not work. Nginx has its own rewrite module - HttpRewriteModule and the mod_rewrite equivalent of an .htaccess file has similar, but different coding and is added to an Nginx Server config file. Note: If you are not familiar with Nginx, then it should be noted that Nginx does not have a PHP module like Apache's mod_php, instead you either need to build PHP with FPM (ie: php-fpm/fastcgi), or you need to pass the request to something that can handle PHP.

Are there any known issues or conflicts with other WordPress Plugins or Themes?

Occasionally issues or conflicts do occur with other plugins, but they are always quickly resolved. BPS is compatible with all other Plugins and Themes. An .htaccess bypass / skip rule is all that is required to allow a plugin or theme to do something that is blocked by BPS. Please check the BulletProof Security Plugin Compatibility Testing and Fixes page for the latest plugin bypass / skip rules.

I am seeing Security Log entries in my BulletProof Security Log. What do they mean?

Your Security Log will log 400, 403 and 404 (requires copying the BPS 404 logging code to your Theme's 404.php Template) Errors. The Security Log logs 400 and 403 HTTP Response Status Codes by default. You can also log 404 HTTP Response Status Codes by opening this BPS 404 Template file - /bulletproof-security/404.php and copying the logging code into your Theme's 404 Template file. When you open the BPS Pro 404.php file you will see simple instructions on how to add the 404 logging code to your Theme's 404 Template file.

HTTP Response Status Codes

• 400 Bad Request - The request could not be understood by the server due to malformed syntax.
• 403 Forbidden - The Server understood the request, but is refusing to fulfill it.
• 404 Not Found - The server has not found anything matching the Request-URI / URL. No indication is given to whether the condition is temporary or permanent.

What is the difference between BulletProof Security free and BulletProof Security Pro?

BulletProof Security

• .htaccess Website Security Protection
• Security Logging
• HTTP Error Logging
• Login Security & Monitoring

BulletProof Security Pro Feature Highlights

• AutoRestore - Automatic File Restore
• Quarantine - Automatic File Quarantine
• Real-time File Monitor (ARQ Infinity)
• Plugin Firewall (true IP Based Firewall)
• Uploads Folder Anti-Exploit Guard
• .htaccess Website Security
• Custom php.ini Website Security
• Login Security & Monitoring w/Dashboard Alerting and Status Display
• F-Lock - Read Only File Locking
• Security Logging
• HTTP Error Logging
• PHP Error Logging
• Email Alerts
• Versatile Set of Pro-Tools...
• Base64 Decoder / Encoder...
• View All BulletProof Security Pro Feature Details

Is BulletProof Security Network / Multisite Compatible?

Yes. BulletProof Security contains AutoMagic buttons for Network / Multisite websites. Both sub-directory and sub-domain Master .htaccess code is written / created for your specific Network / Multisite site. BulletProof Modes should ONLY be Activated on the Primary site to automatically protect all sub sites. Sub sites are virtual. DO NOT Activate BulletProof Modes on sub sites. BPS allows only Super Admins to see the BPS menus in sub sites. BulletProof Security also works with Network / Multisite Domain Mapping.

Is BulletProof Security BuddyPress Compatible?

Yes. BulletProof Security works with all BuddyPress site types.

Is BulletProof Security Compatible with subdomain websites and subdirectory websites?

Yes, BulletProof Security works on all types of WordPress installations including "Giving WordPress Its Own Directory" websites.

Is BulletProof Security automatically setup already?

Yes and No. You must be using a WordPress Custom Permalink structure for BPS to work correctly (every WordPress site should be anyway). If you are not using a custom Permalink structure then you will get a warning message that Custom Permalinks need to be enabled when you access the BulletProof Security Options page. BulletProof Security includes AutoMagic Master .htaccess file creation so that only one click is required to automatically create your Master .htaccess security files for your website, which you then Activate - BulletProof Mode. BulletProof Security also offers full manual control of editing the .htaccess files using the built-in File Editor. BulletProof Security is designed with everyone in mind: regular folks, Designers, Developers and Coders. BulletProof Security is designed to work with every type of WordPress installation: Single websites, subfolder websites, subdomain websites, "Giving WordPress its Own Directory" websites, Network / Multisite subdirectory websites and Network / Multisite subdomain websites. BulletProof Security will automatically create the correct Master .htaccess files for your website when you click the AutoMagic buttons. If you prefer to do everything manually then you would edit your .htaccess using the built-in .htaccess File Editor instead of using Automagic to automatically create your .htaccess files.

Can I add my own .htaccess code to the BulletProof Security .htaccess files?

Yes. Of course. The secure.htaccess and wpadmin-secure.htaccess Master .htaccess files already contain .htaccess security code that protects your website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. Add any additional security filters or other .htaccess code to your Master .htaccess files or your currently active .htaccess files using the built-in .htaccess File Editor. The BulletProof Security Master .htaccess files contain help info and additional options within the .htaccess files themselves. htaccess files can do a lot of neat things besides just providing website security protection. As of version .46.9 you can now also add any custom code to the Custom Code feature. Your custom .htaccess code will be saved to your WP DB permanently until you delete it. Please view the Read Me Help button in Custom Code for specific details.

Does the BulletProof Security Plugin create or write the .htaccess files?

Yes, BulletProof Security creates customized .htaccess website security files with AutoMagic. BulletProof Security also offers full manual control of editing both the BPS Master .htaccess files and your currently active .htaccess files using the built-in .htaccess File Editor. The BPS Master .htaccess files have already been pre-made. When you click the AutoMagic buttons your .htaccess Master files are created with specific code for your specific website with the correct RewriteRule and RewriteBase automatically added to your .htaccess files. You can add additional code to the master .htaccess files, edit the .htaccess files or create completely new .htaccess master files from within the WordPress Dashboard using the built-in BPS File Editor - no FTP required - no Web Host Control Panel required. BPS could also just be used simply as an online .htaccess file editor and manager. AutoMagic is great, but having both AutoMagic and full manual editing control makes BulletProof Security a very versatile website security protection tool.

Does BulletProof Security work with Git distributed version control system?

Yes, BulletProof Security works with Git, but does require some additional set up steps. Please see this thread for the setup steps Git distributed version control system setup steps