Ready to get started?Download WordPress

Plugin Directory

BulletProof Security

WordPress Website Security Protection: Effective...Reliable...Easy to use

How does the BulletProof Security Plugin htaccess Core (Firewalls) work?

The BulletProof Security Plugin allows you to create and activate .htaccess website security with one-click (figuratively) for your website without having to know anything about .htaccess files. The Master .htaccess files are pre-made and BPS writes .htaccess code that is customized to each specific website. There is nothing to figure out or to configure. Click the AutoMagic buttons (creates customized Master .htaccess files) and Activate BulletProof Modes (copies the customized Master .htaccess files to your root and wp-admin folders). BPS has built-in Backup and Restore and an .htaccess File Editor for full manual editing control as well. BPS Custom Code allows you to add additional custom .htaccess code or BPS Bonus Custom Code.

Does BulletProof Security Have Built-in Troubleshooting/Diagnostic/Logging/Whitelisting Capability?

Yes, Troubleshooting/Diagnostic/Logging/Whitelisting is built-in to BulletProof Security. The primary troubleshooting feature in BulletProof Security is the BPS Security Log. The primary whitelisting feature in BulletProof Security is BPS Custom Code. The BPS Security Log logs blocked hackers, spammers, bad bots, etc. and also logs anything else that is blocked by BPS. If something legitimate is being blocked in another plugin or theme that needs to be allowed/whitelisted then the BPS Security Log entry will contain all the information about what exactly is being blocked so that a whitelist rule can then be created in BPS Custom Code. The BPS Security Log also logs all other 403 errors that occur on your website whether or not they are related to or caused by BPS.

How does BulletProof Security Plugin Login Security & Monitoring work?

BulletProof Security Login Security & Monitoring allows you to choose whether you want to Log All User Account Logins or Log Only User Account Lockouts. The Dynamic DB Logging Form has 3 checkbox options: Lock, Unlock or Delete database rows. The Login Security database table is hooked into the WordPress Users database table, but they are 2 completely separate database tables. If you lock a User Account then BPS Pro will enforce that lock on that User Account and the User will not be able to log in. If you unlock a User Account then the User will be able to login. Deleting database rows in the Login Security database table does NOT delete the User Account from the WordPress Users database table. When you delete a User Account it is pretty much the same thing as unlocking a User Account. To delete actual User Accounts you would go to the WordPress Users page and delete that User Account.

How does BulletProof Security FrontEnd/BackEnd Maintenance Mode work?

FrontEnd Maintenance Mode creates template files based on the options you choose and save. When you Turn On Maintenance Mode those template files are copied to the root directory of your website. When you Turn Off Maintenance Mode those template files are deleted from the root directory of your website. Maintenance Mode works by allowing the IP addresses that you enter & save to view the site normally. All other IP addresses will see the Maintenance Mode template page. BackEnd Maintenance Mode writes directly to your wp-admin .htaccess file and adds a deny all block of .htaccess code with the IP addresses the you enter & save when you enable BackEnd Maintenance Mode. When you disable/uncheck BackEnd Maintenance Mode that deny all block of .htaccess code is removed/deleted from your wp-admin .htaccess file. For more extensive help info or CSS Code, Image & Video Embed examples to add in the Maintenance Mode Text, CSS Style Code, Images, Videos Displayed To Website Visitors text area click this Maintenance Mode Guide Forum Topic link: Maintenance Mode Guide.

What do I do if my User Account is locked out?

You can either use FTP and rename the /bulletproof-security plugin folder to login to your site or a stand alone Login Security Unlock User Account Form has been created that allows you to Unlock locked User Accounts outside of your WordPress Dashboard. To use this stand alone script download it from this BulletProof Security Pro plugin folder - /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php and then upload it to your website root folder. Then type in the path to the bpsunlock.php file in your Browser. Example: http://www.example.com/bpsunlock.php. The stand alone script displays step by step instructions on how to use it.

Do I need to understand .htaccess code in order to use BulletProof Security?

No, customized .htaccess files are created for each specific website by clicking the AutoMagic buttons and activating BulletProof Modes. You do not need to know anything about .htaccess website security files or code in order to use the BulletProof Security plugin. Extensive help information can be found in the Read Me help buttons in BPS. The Help & FAQ tab pages in BulletProof Security contain links to the BulletProof Security Forum. The process of adding Custom Code or adding whitelisting rules is automated - copy, paste & click.

What do I do if I cannot log back into my website due to an htaccess file problem?

If you accidentally activated BulletProof Modes without first clicking the AutoMagic buttons or your web host does not allow you to lock your root .htaccess file. Use FTP or your Web Host Control Panel File Manager and delete the .htaccess files that BPS creates in your website root folder and your wp-admin folder. Deleting the .htaccess files in your website root folder & wp-admin folder will allow you to log back in to your website. Log back into your website. If your web host does not allow locking the root .htaccess file then go to htaccess File Editor tab page and click the Turn Off AutoLock button. Click the AutoMagic buttons and activate BulletProof Modes again.

Will BulletProof Security or .htaccess files or .htaccess code cause my website to run slower?

No, BulletProof Security or .htaccess files or code will not cause a website to run slower. BulletProof Security is website performance optimized and uses very little/low website resources and very little Server memory. BulletProof Security uses a finite amount of security rules/filters/code in all .htaccess files. Note: Both W3 Total Cache and WP Super Cache use .htaccess code to speed up websites.

Can BulletProof Security speed up my website and make it run faster?

Yes, BulletProof security can speed up your website and make it run faster if you use the Speed Boost Cache Bonus Code and add it to BPS Custom Code. See the BulletProof Security Bonus Custom Code section on the BulletProof Security plugin Description page for a link to the Speed Boost Cache Bonus Code.

BPS Alert! Your site does not appear to be protected by BulletProof Security. What does the Alert mean?

When upgrading/updating the BulletProof Security plugin you may see this WP Dashboard Alert. BPS Alert! Your site does not appear to be protected by BulletProof Security. There are 2 very common issues/problems that can cause this. The cPanel HotLink Protection Tool issue or the WordPress flush_rewrite_rules function issue. Click this link Common BPS Issues Note: Any custom htaccess code or modifications that you have made to your htaccess files will not be altered, modified or changed during the auto-update. Activating BulletProof Modes again after upgrading BPS is no longer necessary.

Where can I find BulletProof Security additional troubleshooting steps & support?

Please see the BulletProof Security Forum.

BulletProof Security Server Compatibilty

  • Compatible with Apache CGI configured Servers
  • Compatible with Apache DSO configured Servers (May require CHOWN Ownership change or file/folder permission changes)
  • DSO Help Info
  • Compatible with Nginx frontend Server with Apache backend Server
  • Compatible with LiteSpeed Servers
  • Compatible with Windows IIS Servers - Windows Hosting - See IMPORTANT NOTES below.
  • If your IIS Server has ISAPI_Rewrite installed then you CAN use .htaccess files / BulletProof Modes.
  • IMPORTANT NOTES: If you have an IIS Server you may or may not be able to use .htaccess files and can only use Login Security & Monitoring. If your IIS Server is using the URL Rewrite Module then you can probably use .htaccess files / BulletProof Modes. If you activate BulletProof Modes and your website crashes then FTP to your website and delete the root .htaccess file and the wp-admin .htaccess file. You will not be able to use .htaccess files on your Server/website and can only use Login Security and the other features in BPS.

Additional BulletProof Security Server Compatibilty Info

BulletProof Security uses .htaccess website security files, which are specific to Apache Linux Servers. BPS is compatible with Apache Linux Servers, LiteSpeed Servers, Nginx Servers (if the Nginx Server is the frontend Server and Apache Linux Server is the backend Server). If you do not know what type of Server you have you can check your Server Type and Operating System on the BPS System Info page. You can install BulletProof Security if you have a Windows IIS hosted website to use the additional features in BPS, but may or may not be able to Activate BulletProof Modes depending on what your IIS Server does and does not have installed / configured. Please see this WordPress Codex Permalinks without mod_rewrite for additional information regarding IIS Servers and also the Helicon Tech website for additional information regarding ISAPI_Rewrite.

Does BulletProof Security Work on ALL Nginx Servers / Server Configurations?

If you are using both Apache and Nginx together and Nginx is the frontend webserver and Apache is the backend Server used to process PHP then BulletProof Security will work on this type of combined Server Configuration. If you are only using Nginx then an .htaccess file will not work. Nginx has its own rewrite module - HttpRewriteModule and the mod_rewrite equivalent of an .htaccess file has similar, but different coding and is added to an Nginx Server config file. Note: If you are not familiar with Nginx, then it should be noted that Nginx does not have a PHP module like Apache's mod_php, instead you either need to build PHP with FPM (ie: php-fpm/fastcgi), or you need to pass the request to something that can handle PHP.

Are there any known issues or conflicts with other WordPress Plugins or Themes?

Occasionally issues or conflicts do occur with other plugins, but they are always quickly resolved. BulletProof Security is compatible with all other Plugins and Themes except for the Better WP Security (iThemes Security) plugin. If BulletProof Security is blocking something legitimate in another plugin or theme a whitelist rule can be created in BPS Custom Code to allow/whitelist whatever was being blocked by BPS. Please check the BulletProof Security Plugin Compatibility page for the steps to search for documented plugin or theme whitelist rules.

Does BulletProof Security Work On All Web Hosts?

Yes, BulletProof Security works on all web hosts. There is one known issue with Go Daddy Managed WordPress Hosting (not Go Daddy standard hosting account types) where wp-admin .htaccess files are not allowed to be created or edited due to security restrictions for that hosting account type. As of BPS .50.6 a new option was added for wp-admin BulletProof Mode to enable or disable wp-admin BulletProof Mode. The Enable/Disable wp-admin BulletProof Mode option on the htaccess Core Security Modes page disables wp-admin .htaccess file displayed error messages, automation, updating and creation of wp-admin .htaccess files. Note: Some wp-admin .htaccess file inpage error checking was not changed, such as the inpage check on the Security Status tab page. This may be changed in the future, but it serves a useful troubleshooting purpose for now.

I am seeing Security Log entries in my BulletProof Security Log. What do they mean?

Your Security Log will log 400, 403 and 404 (requires copying the BPS 404 logging code to your Theme's 404.php Template) Errors. The Security Log logs all 400 and 403 HTTP Response Status Codes by default. You can also log 404 HTTP Response Status Codes by opening this BPS 404 Template file - /bulletproof-security/404.php and copying the logging code into your Theme's 404 Template file. When you open the BPS Pro 404.php file you will see simple instructions on how to add the 404 logging code to your Theme's 404 Template file. 99.99% of what is logged in the Security Log is blocked hackers, spammers, bad bots, scrapers, miners, etc. The Security Log is also a troubleshooting tool. If BPS is blocking something legitimate in another plugin or theme then exactly what is being blocked in another plugin or theme by BPS will be logged in the Security Log.

HTTP Response Status Codes

  • 400 Bad Request - The request could not be understood by the server due to malformed syntax.
  • 403 Forbidden - The Server understood the request, but is refusing to fulfill it.
  • 404 Not Found - The server has not found anything matching the Request-URI / URL. No indication is given to whether the condition is temporary or permanent.

Is BulletProof Security Network / Multisite Compatible?

Yes, BulletProof Security contains AutoMagic buttons for Network / Multisite websites. Both sub-directory and sub-domain Master .htaccess code is written / created for your specific Network / Multisite site based on your WordPress version. The BulletProof Security plugin can be Network Activated or you can allow BulletProof Security to be activated individually on each Network / Multisite subsite or of course you can choose not to Network Activate BulletProof Security or allow the BPS plugin on subsites. Only Login Security, System Info & Maintenance Mode menus are available on subsites. Super Admins will see BPS Dashboard Alerts and other Status displays on the Primary Site only. Administrators can activate or deactivate BulletProof Security on subsites if you allow this on your Network / Multisite website. The BPS Primary Site Menus will display all BPS menus. All other BulletProof Security features are not available on subsites since Network/Multisite subsites are virtual and do not have separate website files of their own. All of the other standard BulletProof Security features work sitewide and affect all other virtual subsites with the exception of Login Security which works individually for each specific website - Primary or virtual subsites and therefore should only be available to and controlled by the Super Admin with Network Admin capabilities for the Network/Multisite website. BulletProof Security also works with Network / Multisite Domain Mapping.

Is BulletProof Security BuddyPress/bbPress Compatible?

Yes, BulletProof Security works with all BuddyPress/bbPress site types.

Is BulletProof Security Compatible with subdomain websites and subdirectory websites?

Yes, BulletProof Security works on all types of WordPress installations including "Giving WordPress Its Own Directory" websites. Note: Maintenance Mode may not work correctly on Network/Multisite Subdomain site types. Pending additional testing.

Can I add my own .htaccess code to the BulletProof Security .htaccess files?

Yes, add any additional security code to BulletProof Security Custom Code. Your custom .htaccess code will be saved permanently or until you delete it. Please view the Read Me Help button in Custom Code for specific details.

Does BulletProof Security automatically create or write .htaccess files?

Yes, BulletProof Security automatically creates customized .htaccess website security files for your specific website with AutoMagic and BPS Custom Code. BulletProof Security also offers full manual control of editing .htaccess files using the built-in .htaccess File Editor. The BPS Master .htaccess files are pre-made. When you click the AutoMagic buttons your .htaccess Master files are created with specific code for your specific website. You can add additional code to BPS Custom Code or edit the .htaccess files directly or create completely new .htaccess master files from within the WordPress Dashboard using the built-in BPS File Editor or Custom Code - no FTP required - no Web Host Control Panel required. Automation is great, but having both AutoMagic, Custom Code and full manual editing control makes BulletProof Security very versatile.

Security Log File Automation - Automatically Zipped, Emailed and Replaced

Security Log files are automatically zipped, emailed and replaced with a new blank Security Log file when the log file reaches the maximum file size setting that you choose. By Default BulletProof Security sets this DB option to zip, email and replace the Security Log file when it reaches 500KB. The Security Log file is checked once per hour with a WordPress Cron. The optimum recommended file size setting is 500KB.

DB Backup Log File Automation - Automatically Zipped, Emailed and Replaced

DB Backup Log files are automatically zipped, emailed and replaced with a new blank DB Backup Log file when the log file reaches the maximum file size setting that you choose. By Default BulletProof Security sets this DB option to zip, email and replace the Security Log file when it reaches 500KB. The DB Backup Log file is checked once per hour with a WordPress Cron. The optimum recommended file size setting is 500KB.

BulletProof Security Fast and Simple with No Manual Configuration or FTP Required

The BulletProof Security WordPress plugin is a one-click security solution that creates, copies, renames, moves or writes to the provided BulletProof Security .htaccess master files. BulletProof Security protects both your Root website folder and wp-admin folder with .htaccess website security protection, as well as providing other additional website security protection. BulletProof Security allows you to add .htaccess website security protection from within the WordPress Dashboard so that you do not have to access your website via FTP or your Web Host Control Panel in order to add website security protection for your WordPress site.

Does BulletProof Security work with Git distributed version control system?

Yes, BulletProof Security works with Git, but does require some additional set up steps. Please see this thread for the setup steps Git distributed version control system setup steps

Requires: 3.0 or higher
Compatible up to: 4.0
Last Updated: 2014-8-18
Downloads: 1,233,802


4 stars
4.8 out of 5 stars


32 of 34 support threads in the last two months have been resolved.

Got something to say? Need help?


Not enough data

0 people say it works.
0 people say it's broken.

86,7,6 100,3,3 100,11,11 100,1,1 100,4,4 92,13,12
100,1,1 100,1,1
100,4,4 100,2,2 67,3,2 63,8,5 100,2,2
100,1,1 75,4,3 100,1,1
100,2,2 100,1,1 100,1,1
100,3,3 90,10,9 100,2,2
100,3,3 100,1,1
100,2,2 100,9,9 100,5,5 100,6,6
89,9,8 100,1,1
83,6,5 95,20,19 100,12,12 100,1,1 100,2,2 100,1,1
100,6,6 86,7,6 100,1,1
67,6,4 83,6,5 89,27,24 100,2,2 100,1,1
100,3,3 93,15,14 78,18,14 100,4,4 100,1,1 100,1,1
0,1,0 100,14,14 100,2,2
100,7,7 67,3,2 90,10,9 100,5,5 88,8,7 100,2,2 100,1,1 100,2,2 100,4,4 100,2,2 100,1,1 100,1,1
100,1,1 50,2,1
100,7,7 100,1,1
100,4,4 100,3,3 100,2,2 100,1,1 100,2,2 100,1,1
100,1,1 100,2,2 100,1,1 100,2,2
100,1,1 100,2,2 100,3,3 100,2,2
100,4,4 0,1,0 100,4,4