Some Bulletproof Security Questions & Observations – Reduex

I had posted this outside of the Plugin Forum last night, my bad. So I’m re-posting this here where it belongs…

Questions and Observations:

1. What are the typical minimal file permissions for .htaccess and BPS directories/folders for BPS to work without getting write errors? (Writing WP .htaccess files and backup copies for same, ie – xxx.htaccess, under BPS folders.)

I’m experiencing errors unless I set FILES and FOLDERS to 777. My website belongs to a “user” on the server and the ownership properties of all files and folders (owner & group) for WP are such as “userX userX”. Rarely is setting 777 a good thing (almost always bad), but does BPS overcome that potential risk due to the extensive and indepth use of .htaccess – of and for .htaccess files?

I may need to do some more experimenting, but when in doubt after trying default 644, I then try 777 and work down from there to where it breaks, finding the minimal setting for things to work. I’m hoping you can save me (and others) the time and hassle of trial and error here… lol

UPDATE: Since I’m re-posting, just wanted to mention that to get BPS to Turn On by using the buttons Create xxx.htaccess and Activate Security Modes (Activate) to work without coming back with red warning/error messages, I had to:

A. Figure out which File and Folders to either CREATE or CHMOD to 777.

B. Then click on each different button to run the lockdown process.

C. Then apply CHMOD 644 (Files) and 755 (Folders) to re-secure access.

I believe that the plugin should auto-install those missing directories (bps-backups and master-backups, which by the way, I noticed are outside the plugins folder) and/or the Install Readme clearly state the process and steps to cleanly and easily install the plugin.

Or, on the BPS landing page, provide a checklist (or a link to it) of things that need to be done to ready the plugin before it can be Turned On (by scanning the installation for missing folders or incorrect permissions for true Activation).

Then then scan again after BPS is fully activated to create another Checklist for file permissions cleanup, ie, change any 777 back to 644/755 as appropriate.

I realize BPS is quite comprehensive and there is a lot to know over time, but First Things First – That is to get it installed and running quickly without frustration for first time users.

It’s not that I’m a noob or should buy “WP for Dummies”, as I’ve been in Technology for 35 years wearing many different hats (LAN/WAN admin, network and systems engineer, software QA, webmaster, author of mods, etc., just to name a few). I just get frustrated when something doesn’t go as it should from a “Finished Product” and I have to dig into it to find out why and fix it. Imagine what the uninitiated neophyte feels like… But that’s why I’m posting this – to give a different perspective and some suggestions.

2. Maintenance Mode. While I see the need and usefulness of it FOR CERTAIN CIRCUMSTANCES, I think that if .htaccess can filter on a specific IP address (I have and only use a static IP) to allow all Admin access and functionality without having to go into Maintenance Mode, that would be preferable to having to go into and out of Maint. Mode to add plugins, etc. My Two Cents.

I didn’t see any examples of why and when Maint Mode should be invoked, just guessing here. Hey! Further reading tells me that Maint Mode is just a way to suspend/redirect the website (to a particular page) while working on it extensively so visitors don’t get surprised from weird things happening unexpectedly. Handy, but I would think there are other “Maint Mode” plugins that could or would be easy to turn on/off with more pleasant aesthetics built in, else the redirect page would have to be custom built for a good looking page to match the theme, etc.

Actually, a good “Countdown” plugin would be perfect for giving the estimated time when the site will be back online after maintenance is expected to be done. Just a thought.

3. Firewalls. I just read somewhere on your site that BPS (Pro?) now incorporates a Firewall as of version 5.x – How robust is it and how does it compare with OSE Firewall, another plugin that I’ve come across that is fairly recent and gaining lots of traction in the WP community. Can BPS’s firewall be disabled so another (such as OSE Firewall) can be used instead? (Hmm, is it time for a BPS Firewall vs OSE Firewall comparision article, post, or forum topic?)

4. Finally, what I look for in a good plugin is (A) Does it do what I expect? (B) Does it install and set itself up with minimal input from the user? (C) Does it have really good documentation, links to help, an online Forum, etc. so if I get stuck I can look things up. My first impression of BPS is for:

A: Yes, 100% – Once I read up on what BPS is and does. And does not do.

B: Yes, 85% – For me, it did not really turn itself on after activating the plugin. It has to be turned ON after activating, and there were a lot of (okay, just 2, but they were two large Yellow Message areas) warning of this and that and I had to figure out what it was talking about and there really wasn’t much in the way of help and explanations. Hence my very first question above about file and folder permissions, and that I didn’t know I had to create certain folders and/or set particular permissions.

C: Yes, 75% – While all the inline help and Readme buttons were good, there is a need for a REALLY Good INSTALL doc or readme on Steps to Take or Checklist after activation: This is what you want to do, How to do it, and If you get this error message or warning, this is what it means and this is how to fix it.

Okay, I’m done for now. lol

Just so you know, I think BPS is awesome. Keep up the great work you’re doing here. I’ll be getting the Pro version soon. Thanks for listening.