• Resolved jglefler

    (@jglefler)


    Hello,

    I have been using BulletProof Security alongside a plugin called Better WP Security with no problems for several months. I use Better WP Security to change the database name and WP Admin login url for security reasons. When I upgraded to BulletProof Security 0.47.3 I started getting the “BPS Alert! Your site does not appear to be protected by BulletProof Security” message. My server API says, “Server API: cgi-fcgi – Your Host Server is using CGI.” I had no problem re-creating the htaccess files and bullet proofing them which made the alert message go away.

    After making new htaccess files and bullet proofing them, however, my custom login url was changed back to the default http://www.blog-name.com/wp-admin again. When I used Better WP Security to change the login url from the default http://www.blog-name.com/wp-admin to the custom url, which never gave any problems before the BPS upgrade, I once again got the “BPS Alert! Your site does not appear to be protected by BulletProof Security” message again. I don’t know why these plugins worked so well together before and now I am getting this error every time I try to use the custom WP-admin login url which worked fine before the upgrade.

    Any help would be much appreciated.

    Thanks

    http://wordpress.org/extend/plugins/bulletproof-security/

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author AITpro

    (@aitpro)

    I think that plugin adds some .htaccess code to either your root or wp-admin htaccess file. I have not looked at it in the last 6 months or so, so i have no idea what it is doing these days. I will download the most recent version and look at what it is doing. It must be overwriting/removing/deleting the BPS security filters when it adds its code and most likely this was probably happening before, but you were just not aware of it before.

    And actually this was one of the primary reasons to create the WP Dashboard alert because I have come across some plugins that are removing/overwriting/deleting the BPS security filters.

    So what you can do is combine the .htaccess code by using the BPS Custom Code feature or if that plugin has a similar capability/feature then you could do the same thing from that plugin. So in order to combine the .htaccess code you will need to get the .htaccess code that each plugin creates and then combine that code. If you post the .htaccess code that that plugin adds then i can tell you which BPS Custom Code text box it should go in.

    In order for BPS to protect your entire website the .htaccess coding is intertwined/combined into the WordPress default .htaccess coding and rewrite loop. For that reason the BPS .htaccess code cannot just be added to a root .htaccess file and actually needs to be incorporated/encompass the entirety of WordPress .htaccess Rewrite loop coding.

    Also i just wanted to mention that i am not a real big fan of trying to hide things. You can easily hide from a human, but Bots don’t have eyes and work by searching for bits of code or some other search parameters so trying to hide your login page does not really work against hacker Bots – they will still find your login page. 😉
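Added example, not part of the thread or of either plugin's code: one way to see which part of a root .htaccess file another plugin replaced is to compare the current file against a copy saved right after activating BulletProof Mode, section by section. The `# BEGIN` / `# END` marker convention is the one WordPress and Better WP Security use; the function names and the sample rules are assumptions made for this sketch.

```python
import re

MARKER = re.compile(r"^#\s*(BEGIN|END)\s+(.+)$")

def sections(text):
    """Map section name -> rule lines; text outside markers is '(unmarked)'."""
    out, current = {"(unmarked)": []}, "(unmarked)"
    for raw in text.splitlines():
        line = raw.strip()
        m = MARKER.match(line)
        if m and m.group(1) == "BEGIN":
            current = m.group(2)
            out.setdefault(current, [])
        elif m:
            current = "(unmarked)"
        elif line and not line.startswith("#"):
            out[current].append(line)
    return out

def compare(baseline, current):
    """Return {section: (status, rules present in baseline but missing now)}."""
    old, new = sections(baseline), sections(current)
    report = {}
    for name in set(old) | set(new):
        before, after = old.get(name), new.get(name)
        if after is None:
            report[name] = ("removed", before)
        elif before is None:
            report[name] = ("added", [])
        elif before != after:
            report[name] = ("changed", [r for r in before if r not in after])
    return report

# Constructed sample data. The unmarked rule in BASELINE is a placeholder for
# the file saved after activating BulletProof Mode, not a real BPS rule.
BASELINE = """\
RewriteRule ^placeholder-filter - [F,L]
# BEGIN WordPress
RewriteRule . /index.php [L]
# END WordPress
"""
CURRENT = """\
# BEGIN Better WP Security
Options -Indexes
# END Better WP Security
# BEGIN WordPress
RewriteRule . /index.php [L]
# END WordPress
"""
print(compare(BASELINE, CURRENT))
```

Unchanged sections are left out of the report, so an empty result means the file still matches the saved copy.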

    Thread Starter jglefler

    (@jglefler)

    Thanks so much for the prompt reply. The file that Better WP Security modifies is the Root .htaccess file. I tried leaving the BPS root .htaccess file as is and then added the custom code Better WP Security generates to the Root .htaccess File Custom Code feature in BPS. After saving the Root .htaccess File Custom Code I tried to log in to the WP Admin dashboard via the custom url indicated in the Root .htaccess File Custom Code feature in BPS but the login url still points to WP-Admin instead of the custom url specified in the Root .htaccess File Custom Code feature.

    For some reason the custom code feature doesn’t seem to merge the two bits of htaccess code.

    Plugin Author AITpro

    (@aitpro)

    After adding the Custom Code and saving it (saves the code to your database) you will need to click the AutoMagic buttons (creates new Master .htaccess files) and then activate BulletProof Mode for your Root folder (copies the new Master .htaccess file to your Root folder) again.

    Thread Starter jglefler

    (@jglefler)

    BRILLIANT! Thank you SO much. That worked. I truly appreciate your help. I love BulletProof Security and am thrilled that I can now continue using it. Thank you.

    Plugin Author AITpro

    (@aitpro)

    Excellent! And good job on getting it done and also confirming that it worked. 🙂 Very much appreciated. Thanks.

    I did the same, following the same steps before I found this thread. Then I repeated them a few times after. However the result is: It does not work for me :S

    It enters some kind of endless loop. The CustomUrl forwards 404 (BPS)
    And the wp-admin forwards to /not_found --> 404 again.

    Plugin Author AITpro

    (@aitpro)

    are you using the wp better security plugin? If so, first make a backup copy of your root .htaccess file and wp-admin .htaccess file and then delete them. Then log back into your site, deactivate wp better security, go to the BPS options page, click the AutoMagic buttons and activate BulletProof Modes for your root and wp-admin folder. After you have done these steps let me know if the endless loop problem is still happening or not.

    Also if you have added any wp better security .htaccess code to the BPS Custom Code text boxes then delete it before using AutoMagic and activating BulletProof Modes.

    Wow you are really fast 😀 Thank you for quick response.

    Yes and I mainly want to use both. The injection-proof structure you got is very good and I want to combine it with the url hiding. I am of the same opinion as you that it could take as short as 6 secs to discover the real url by a hacker. But the hiding thing is not for the hackers, it is mainly for common people 🙂

    So about the problem: it does exit the loop if I delete the custom code created by Better WP Security (additional to the steps above). So the whole url hiding thing blows.

    The code I combined with yours is:
    # BEGIN Better WP Security
    Options -Indexes

    <files .htaccess>
    Order allow,deny
    Deny from all
    </files>

    <files readme.html>
    Order allow,deny
    Deny from all
    </files>

    <files readme.txt>
    Order allow,deny
    Deny from all
    </files>

    <files install.php>
    Order allow,deny
    Deny from all
    </files>

    <files wp-config.php>
    Order allow,deny
    Deny from all
    </files>

    <IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]

    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !^(.*).*
    RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule ^(.*)$ - [F,L]

    RewriteRule ^login-the-site/?$ /my-website-root/wp-login.php?ivqpurjtbs422uawzih0y [R,L]

    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^manage/?$ /my-website-root/wp-login.php?ivqpurjtbs422uawzih0y&redirect_to=/my-website-root/wp-admin/ [R,L]

    RewriteRule ^manage/?$ /my-website-root/wp-admin/?ivqpurjtbs422uawzih0y [R,L]

    RewriteRule ^register/?$ /my-website-root/wp-login.php?ivqpurjtbs422uawzih0y&action=register [R,L]

    RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php
    RewriteCond %{HTTP_REFERER} !^(.*)/my-website-root/wp-admin
    RewriteCond %{HTTP_REFERER} !^(.*)/my-website-root/wp-login\.php
    RewriteCond %{HTTP_REFERER} !^(.*)/my-website-root/login-the-site
    RewriteCond %{HTTP_REFERER} !^(.*)/my-website-root/manage
    RewriteCond %{HTTP_REFERER} !^(.*)/my-website-root/register
    RewriteCond %{QUERY_STRING} !^ivqpurjtbs422uawzih0y
    RewriteCond %{QUERY_STRING} !^action=logout
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{QUERY_STRING} !^action=register
    RewriteCond %{QUERY_STRING} !^action=postpass
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^.*wp-admin/?|^.*wp-login\.php /my-website-root/not_found [R,L]

    RewriteCond %{QUERY_STRING} ^loggedout=true
    RewriteRule ^.*$ /my-website-root/wp-login.php?ivqpurjtbs422uawzih0y [R,L]
    </IfModule>
    # END Better WP Security

    Plugin Author AITpro

    (@aitpro)

    A lot of the .htaccess code that wp better security creates is a very simplified version of the BPS .htaccess code and much less streamlined so what i recommend is just using the portions of .htaccess code from wp better security that pertain to specific things like hiding your login. Do not use any of the Server Tweaks in wp better security because BPS does this much better and in a much more advanced way. So unselect all Server tweak options in wp better security and save your changes. This will eliminate a lot of unnecessary code.

    Then you want to cut all of the remaining .htaccess code that wp better security creates and add it to the BPS Custom Code Bottom Text for your Root .htaccess file (not the wp-admin .htaccess file) there are 3 Root .htaccess file text boxes and 2 wp-admin text boxes.

    I hope this is not going to be a regular problem with the wp better security plugin. it looks like they made several changes in the last version that are going to cause a lot of headaches for BPS. I may need to create a general all purpose troubleshooting help post for this plugin – Why i am answering questions and providing fixes for someone else’s bad coding work? jeez.

    If they would just add all their htaccess code to the bottom of the root .htaccess file (appended) then it would not interfere and create problems for BPS, WPSC and W3TC. Grr.

    And i am not completely sure if you were just saying that the infinite loop problem goes away when removing the wp better security hide login coding, but here is another solution that can actually fix infinite loops and it may fix whatever problem is wrong with the wp better security coding. in general the coding is not very streamlined so i see several potential problems with it.

    but try this code in your root .htaccess file and see if it fixes that looping problem with the wp better security coding. unless of course the problem with looping is occurring because the wp better security htaccess coding is outside of the wordpress rewrite loop. this is a very good possibility when looking at the wp better security code you posted.

    # .htaccess Fix for Infinite Loops
    RewriteEngine On
    RewriteCond %{ENV:REDIRECT_STATUS} 200
    RewriteRule .* - [L]
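Added example, not part of the thread and not Apache's own code: a simplified Python model of how a per-directory rule set is re-run after every internal rewrite, and how the `REDIRECT_STATUS` guard quoted above ends the re-runs. The rule list, the catch-all rule and the function names are constructed for this sketch; the limit of 10 is Apache's default `LimitInternalRecursion`.

```python
import re

MAX_INTERNAL_REDIRECTS = 10  # Apache's default LimitInternalRecursion

# (pattern, substitution) pairs, each treated as carrying [L,NC].
RULES = [
    (r"^dashboard(.*)$", r"wp-admin\1"),  # alias rule of the kind used in this thread
    (r"^(.*)$", r"index.php/\1"),         # constructed catch-all that re-matches its own output
]

def one_pass(path, redirect_status, guard):
    """Run the rule list once, as mod_rewrite does for one (sub)request."""
    # RewriteCond %{ENV:REDIRECT_STATUS} 200  +  RewriteRule .* - [L]
    if guard and redirect_status == "200":
        return path
    for pattern, subst in RULES:
        m = re.match(pattern, path, re.IGNORECASE)
        if m:
            return m.expand(subst)  # [L] ends this pass only
    return path

def serve(path, guard):
    """Follow internal redirects until the path is stable or the limit is hit."""
    redirect_status, hops = "", 0  # REDIRECT_STATUS is empty on the client's request
    while True:
        new_path = one_pass(path, redirect_status, guard)
        if new_path == path:
            return {"final": path, "internal_redirects": hops, "error": None}
        if hops == MAX_INTERNAL_REDIRECTS:
            return {"final": path, "internal_redirects": hops, "error": 500}
        # In .htaccess context a rewritten URL is re-injected and the rules run again.
        path, redirect_status, hops = new_path, "200", hops + 1

print(serve("dashboard/", guard=False))  # catch-all keeps rewriting until the limit
print(serve("dashboard/", guard=True))   # guard stops after the first rewrite
```

The guard only sees internal redirects: a rule flagged `[R]` sends the browser a new URL, and that new request starts with `REDIRECT_STATUS` empty again.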

    Plugin Author AITpro

    (@aitpro)

    I have a very similar if not exact problem occurring in the thread below and i believe the cause of the problem is because wp better security is not incorporating their login hiding coding into the WordPress Rewrite loop and instead dumping it into the root .htaccess file as stand alone code.
    http://wordpress.org/support/topic/plugin-bulletproof-security-forbidden-access-wp-loginphp-on-this-server?replies=16#post-3089852

    I just finally disabled Better WP Security. I should have foreseen this situation by looking at the repeated explanations written under nearly all options: ‘Warning: This feature is known to cause conflicts with some plugins and themes.’

    Then I put a single line of code at the top of the .htaccess created by BPS. It did the trick and the rest seem to be working fine. After the user writes the custom url it redirects to the login page. That was the single important thing for me.

    I don’t know how secure it is but it serves well for now.
    RewriteEngine on
    RewriteRule ^dashboard(.*)$ wp-admin$1 [L,NC]
    (http://wordpress.org/support/topic/rename-wp-admin?replies=9)
    This is doing the simple hiding for me.

    The looping link problem was solved simply by hiding the line:
    RewriteRule ^.*wp-admin/?|^.*wp-login\.php /my-website-root/not_found [R,L]

    Later I tried the link you suggested above. However it does not work for me. And I decided to quit digging up the case. I have spent nearly 20 hours for solving just this issue in total.

    What if WordPress gave us the ability to redefine root urls just like Opencart. Argh.

    Plugin Author AITpro

    (@aitpro)

    Yeah i have to be honest here. The php coding in the wp better security plugin looks ok, but i don’t think they really know .htaccess coding all that well. 😉

    I like your very nice simple solution!

    When you posted the wp better security .htaccess coding i was thinking to myself – wtf. why is so much coding used to do something this simple. 😉

    I did not actually try that code and only posted the link as a quick example. I guess i should have tested it first. 😉
    Thanks.

    I am the one who should be thanking. You answered my first question nearly in 6 minutes 😀 (Ok this may be out of the thread rules but I wanted to appreciate the performance)

    Thank you for your nice plugin.

    By the way I sent an e-mail through your site’s contact form. I hope it reaches you.

    Plugin Author AITpro

    (@aitpro)

    I think it’s totally within the thread rules to say nice things and not only allowing ranting and bitching in threads. LOL just a joke.

    Very much appreciated. 🙂 Have a great one.

  • The topic ‘[Plugin: BulletProof Security] Changing login url disables BPS’ is closed to new replies.