BulletProof Security
[resolved] BPS Alert: what to do? (32 posts)

  1. Justanother WordPressbeginner
    Member
    Posted 1 year ago #

    I have updated the BPS plugin and since then I receive the “BPS Alert! Your site does not appear to be protected by BulletProof Security” message, recommending that I fix it through the Security Status page. I’ve read the Read Me’s in that section and it’s getting me even more confused. All my recommended permissions are updated, except root folder. Could somebody tell me, in simple words, what exactly I must do to put things in order?

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Does the Automatic htaccess file updating Alert go away after you refresh your Browser?

    If not, then go to the System Info page and post this information below:
    DNS Name Server:
    Server Type:
    Operating System:
    Server API:

  3. davesyntax
    Member
    Posted 1 year ago #

    Same issue here, here is my info:

    DNS Name Server:
    Public IP / Your Computer IP Address: 86.179.221.91
    Server Type: Apache
    Operating System: Linux
    Server API: cgi-fcgi - Your Host Server is using CGI.

  4. davesyntax
    Member
    Posted 1 year ago #

    Background info:
    Fresh install of WP.
    Install BPS
    Create htaccess files
    protect root
    protect admin
    refresh, everything looks fine.
    click on another WP tab, go back to BPS and get BPS alert.

    Permissions issue?

  5. Justanother WordPressbeginner
    Member
    Posted 1 year ago #

    No, the alert doesn't go away after refreshing the browser.
    My information on the System Info page is:
    DNS Name Server: ns1.bluehost.com
    Server Type: Apache
    Operating System: Linux
    Server API: cgi-fcgi-Your Host Server is using CGI.

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok since the System Info is good to go for both of you then that eliminates any sort of compatibility issues/problems.

    @davesyntax - These are the 2 most likely causes of the issue/problem.

    1. You have another plugin or your Theme is using the WordPress flush_rewrite_rules function. This function removes/deletes "flushes" your root .htaccess file code when clicking on links, clicking on settings pages and I have also seen this function used in a way that it just randomly deletes/flushes your website security/root .htaccess code.

    2. The broken cPanel HotLink Protection Tool problem.

    Both of these common problems can be prevented from occurring over and over by locking your root .htaccess file.
    1. Deactivate all plugins.
    2. Activate Root folder BulletProof Mode.
    3. Go to the BPS Edit/Upload/Download tab page and click the Lock htaccess File button.
    4. Activate all your plugins again.

    Let me know what happens after doing the steps above.

    @Justanother... - BlueHost has started a new Cloud service that uses .htaccess code that has some issues with both BPS and W3TC and possibly, but not confirmed yet - WP Super Cache. So what I need to know first is if you are using the new BlueHost Cloud service. Thanks.

  7. Justanother WordPressbeginner
    Member
    Posted 1 year ago #

    Thank you AIT. I use the basic Bluehost one year subscription. I don't use the BlueHost cloud service.

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok do these steps:

    1. First go to the Security Status page and post what you see there.
    2. Next go to the Edit/Upload/Download page and post all of the file write checks that you see - "File Open and Write test successful!..."

  9. davesyntax
    Member
    Posted 1 year ago #

    Hi AIT - thanks for getting back - and dealing with 2 different issues at once:

    I got past step 3 - lock down htaccess, and now the whole site is Error 403 forbidden.

    I have shell access, so let me know what to edit/delete.
    thanks

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok then your Host/Server does not allow you to lock the root .htaccess file with 404 file permissions. Change the root .htaccess file permission back to what it was - probably 644 so that you can log back into your site.

    With all your plugins still deactivated at this point. Do you see the BPS Alert or is it gone?
    Does your Host use cPanel? This issue/problem may be caused by the cPanel HotLink Protection tool so you may or may not see the BPS Alert at this point.
    If you do not see the BPS Alert then next activate plugins one by one until you find the one that is causing the issue/problem, which will most likely be the flush_rewrite_rules problem.

  11. davesyntax
    Member
    Posted 1 year ago #

    Changing the htaccess file to 644 gave me control.
    All plugins disabled apart from BPS.
    No error warning now!

    I'm running a dedicated server, controlled through Plesk.
    Here are the results,

    Issues with 2 plugins:

    WordPress SEO - v1.4.4
    WooCommerce - v2.0.5

  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, both of these plugins use the WordPress flush_rewrite_rules function so what this means for you is that if you activate or deactivate these plugins or click on any of these plugins settings pages then you will need to activate Root BulletProof Mode again after you click or update either of these plugins settings. Unfortunately, since your Host does not allow you to lock your root .htaccess file you cannot prevent this from happening each time you click or update settings for these plugins.

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    hmm I have never experimented with this before, but try changing your root .htaccess file permissions to 444. Most likely this will not work, but it's worth a try anyway.

  14. davesyntax
    Member
    Posted 1 year ago #

    That seems fine - .htaccess is set 444.
    I can access site and BPS seems fine. Will these plugins now fail? I suppose there is only 1 way to find out

  15. davesyntax
    Member
    Posted 1 year ago #

    Both plugins are now active and seem to be working fine :)
    Great support.

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    wow no way. I should have thought of this a long time ago. Jeez.

  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Double check this and click on some settings in one of these plugins and save your changes to make sure this actually really works. Thanks.

    And no this will not interfere with the other plugins in any way. The flush_rewrite_rules function is a helper function (I believe) to automatically fix odd/invalid/unexpected .htaccess file issues/problems. It is not essential or critical to the functionality of plugins.

  18. davesyntax
    Member
    Posted 1 year ago #

    I've sent you my email address via your contact form. Not for support, but if you would like to test some more :)

  19. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I don't really like logging into other folks sites unless it is absolutely necessary. Had a bad experience years ago with the classic "you were the last person who logged in so it is your fault..." thing. ;)

    Anyway an absolute 100% sure fire thumbs up is if you deactivate and activate these plugins and you do not see the BPS Alert then 444 root .htaccess file permissions is a winner. ;)

  20. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    hmm flush_rewrite_rules is doing more than I thought it was doing. In any case, since valid .htaccess code already exists in the case of BPS being installed with another plugin that uses flush_rewrite_rules then there would not be an issue/problem/conflict. In other words, a moot issue since the purpose of flush_rewrite_rules is to ensure that valid .htaccess code exists. And looking at /wp-includes/rewrite.php, this appears to possibly do something with WP internal rewriting, but BPS would not interfere with that in any way.

    Source: http://wpengineer.com/2044/custom-post-type-and-permalink/

    Since WordPress 3.0 you can use Custom Post Types and you can define your own types of content - it's more like pages than posts! Thereby you can use automatically the Permalink structure of your WordPress installation. That means, if you create a new post type, you can use Permalinks.

    But the Permalinks only work if you recreate the Rewrite Rules of WordPress - that's why many users initially have problems with it. If you create a new post type you probably get a 404 if you open this page because WordPress doesn't know the URL-structure in your Permalinks since you didn't create the Rewrite Rules again.

    The easiest way is to save the Permalink structure in your settings again. Alternatively you can include in your Plugin or Theme the function flush_rewrite_rules(). This enables you to create the Rewrite Rules again. Important: Flush rules only on activation or deactivation. Don't do it on any other hook.

  21. davesyntax
    Member
    Posted 1 year ago #

    Fab - it was only a fresh WP install with a few plugins. I was testing what was causing my issues on other installs.

    My 1st thought was my permissions/ownership settings were wrong, but thanks for getting to the bottom of this.

  22. Justanother WordPressbeginner
    Member
    Posted 1 year ago #

    Hello AIT, here are your two requests:

    1. Security status:
    Activated BulletProof Security .htaccess Files
    The htaccess file that is activated in your root folder is:
    BULLETPROOF .47.8 >>>>>>> SECURE .HTACCESS
    Either a BPS htaccess file was NOT found in your root folder or you have not activated BulletProof Mode for your Root folder yet, Default Mode is activated, Maintenance Mode is activated or the version of the BPS Pro htaccess file that you are using is not the most current version or the BPS QUERY STRING EXPLOITS code does not exist in your root htaccess file. Please view the Read Me Help button above.
    wp-config.php is NOT htaccess protected by BPS
    √ Deny All protection activated for BPS Master /htaccess folder
    √ Deny All protection activated for /wp-content/bps-backup folder
    The htaccess file that is activated in your wp-admin folder is:
    BULLETPROOF .48.2 WP-ADMIN SECURE .HTACCESS

    Additional Website Security Measures
    √ WordPress DB Show Errors Function Is Set To: false
    √ WordPress Database Errors Are Turned Off
    √ WordPress Meta Generator Tag Removed
    √ WordPress Version Is Not Displayed / Not Shown
    √ The Default Admin username "admin" is not being used
    The WP readme.html file is not .htaccess protected
    √ The WP /wp-admin/install.php file is .htaccess protected

    File and Folder Permissions - CGI or DSO
    CGI File and Folder Permissions / Recommendations
    .htaccess 404 404.
    wp-config.php 400 400.
    index.php 400 400.
    wp-blog-header.php 400 400.
    root folder 750 755.
    wp-admin/ 705 705.
    wp-includes/ 705 705.
    wp-content/ 705 705.
    wp-content/bps-backup/ 755 755.

    General BulletProof Security File Checks
    √ An .htaccess file was found in your root folder
    √ An .htaccess file was found in your /wp-admin folder
    √ A default.htaccess file was found in the /htaccess folder
    √ A secure.htaccess file was found in the /htaccess folder
    √ A maintenance.htaccess file was found in the /htaccess folder
    √ A bp-maintenance.php file was found in the /htaccess folder
    √ A bps-maintenance-values.php file was found in the /htaccess folder
    √ A wpadmin-secure.htaccess file was found in the /htaccess folder
    √ Your Current Root .htaccess File is backed up
    √ Your Current wp-admin .htaccess File is backed up
    √ Your BPS Master default.htaccess file is backed up
    √ Your BPS Master secure.htaccess file is backed up
    √ Your BPS Master wpadmin-secure.htaccess file is backed up
    √ Your BPS Master maintenance.htaccess file is backed up
    √ Your BPS Master bp-maintenance.php file is backed up
    √ Your BPS Master bps-maintenance-values.php file is backed up

    2. File write checks:
    File Open and Write test successful! The secure.htaccess file is writable.
    File Open and Write test successful! The default.htaccess file is writable.
    File Open and Write test successful! The maintenance.htaccess file is writable.
    File Open and Write test successful! The wpadmin-secure.htaccess file is writable.
    Your root .htaccess file is Locked with Read Only Permissions.
    Use the Lock and Unlock buttons below to Lock or Unlock your root .htaccess file for editing.
    File Open and Write test successful! Your currently active wp-admin .htaccess file is writable.

  23. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    @Justanother... - You have the same issue/problem as davesyntax.

    1. You have another plugin or your Theme is using the WordPress flush_rewrite_rules function. This function removes/deletes "flushes" your root .htaccess file code when clicking on links, clicking on settings pages and I have also seen this function used in a way that it just randomly deletes/flushes your website security/root .htaccess code.

    Do these steps:

    1. Deactivate all plugins.
    2. Activate Root folder BulletProof Mode.
    3. Go to the BPS Edit/Upload/Download tab page and click the Lock htaccess File button. If you see a 403 error after locking your root .htaccess file then you will need to FTP to your website and change the root .htaccess file permission from 404 permissions to 444 permissions. If you still see a 403 error then change the root .htaccess file permission to 644.
    4. Activate all your plugins again.

    Let me know what happens after doing the steps above.
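
The permission outcomes reported in this thread (404 giving a site-wide 403 on one host, 444 and 644 working), worked through as an added shell example that is not part of any post and is not BulletProof Security code. It assumes the standard Unix rule that exactly one permission class applies to a process; the UIDs, GIDs and function names are constructed, and whether the affected server runs in the file's group is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example, not BulletProof Security code. All UIDs/GIDs are constructed.

# perm_digit MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
# Unix applies exactly one permission class: owner if the UID matches, else
# group if any process GID matches, else other. There is no fall-through.
perm_digit() {
    mode=$1; rest=${mode#?}
    if [ "$4" = "$2" ]; then
        printf '%s\n' "${mode%??}"; return 0     # owner digit
    fi
    for gid in $5; do
        if [ "$gid" = "$3" ]; then
            printf '%s\n' "${rest%?}"; return 0  # group digit
        fi
    done
    printf '%s\n' "${rest#?}"                    # other digit
}

# assess MODE FILE_UID FILE_GID SERVER_UID "SERVER_GIDS"
#   forbidden  web server cannot read .htaccess (the site-wide 403 case)
#   locked     readable, owner write bit clear
#   unlocked   readable and owner-writable, so a rewrite flush can replace it
assess() {
    d=$(perm_digit "$1" "$2" "$3" "$4" "$5")
    if [ $(( d & 4 )) -eq 0 ]; then
        echo forbidden
    elif [ $(( ${1%??} & 2 )) -eq 0 ]; then
        echo locked
    else
        echo unlocked
    fi
}

# has_bps_header FILE: succeeds if the file still contains the BPS header
# line quoted from the Security Status page in this thread.
has_bps_header() {
    grep -q 'BULLETPROOF .* SECURE \.HTACCESS' "$1"
}

# Constructed scenario: .htaccess owned by 1000:1000, server runs as UID 48.
for m in 404 444 644; do
    printf '%s  server-in-file-group=%s  server-as-other=%s\n' "$m" \
        "$(assess "$m" 1000 1000 48 "48 1000")" \
        "$(assess "$m" 1000 1000 48 "48")"
done
```

A cleared owner write bit only stops code that checks writability before writing; the file's owner can still chmod it back.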

  24. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    oops your root .htaccess file is already locked so disregard step 3.

  25. Justanother WordPressbeginner
    Member
    Posted 1 year ago #

    1. Done.
    2. It's the first radio button in Security Modes, right?

  26. Justanother WordPressbeginner
    Member
    Posted 1 year ago #

    4. Done. I had a warning message before activating the BulletProof Mode, asking about AutoMagic buttons, backup of .htaccess files and custom .htaccess code. And another one afterwards saying that BulletProof Mode must also be activated for the wp-admin folder. Then I activated the plugins as you said and all went well, no alert anymore. Is that all? Thank you very much for your help!

  27. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, that should do it. If down the road you run into this issue again then you would not have to click the AutoMagic buttons again and can just activate root folder BulletProof Mode. Click the Blue Read help button for Setup Steps & AutoMagic - Create Your htaccess Master Files for additional help info.

    AutoMagic - BPS Creates Customized .htaccess Master Files For Your Website Automatically
    BPS detects what type of WordPress installation you have and will display which AutoMagic buttons to use for your website in Green font.

    Setup Steps:
    -- Click the Create default.htaccess File button.
    -- Click the Create secure.htaccess File button.
    -- Activate BulletProof Mode for your Root folder.
    -- Activate BulletProof Mode for your wp-admin folder.

    BPS Master and BPS Backup folder steps below are done Automatically unless your Server does not allow this then you will have to activate the Deny All BulletProof Modes manually:
    -- Activate BulletProof Mode for the BPS Master htaccess folder.
    -- Activate BulletProof Mode for the BPS Backup folder.

    NOTE: If you would like to view, edit or add any additional .htaccess code to your new secure.htaccess Master file. Click on the Edit/Upload/Download tab page, click on the secure.htaccess menu tab and make your editing changes before you Activate BulletProof Mode for your Root folder.

    NOTE: If you activate BulletProof Mode for your Root folder you must also activate BulletProof Mode for your wp-admin folder.

  28. Justanother WordPressbeginner
    Member
    Posted 1 year ago #

    So in case I run into this issue again, I will just have to activate Root folder, and not wp-admin folder? Right now I have to change the permission for .htaccess, so please stay tuned for a while.

  29. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    You should not have to change the permissions for the .htaccess files manually and can use the Lock button. Activating the wp-admin .htaccess file should be a one time thing that does not need to be done again.

    Your root .htaccess file is Locked with Read Only Permissions.
    Use the Lock and Unlock buttons below to Lock or Unlock your root .htaccess file for editing.

  30. Justanother WordPressbeginner
    Member
    Posted 1 year ago #

    I had done it already manually, so next time I can go on the Edit/Upload/Download page and use the Lock button to change permissions.
    Now I have the following message in blue fonts:
    Your root .htaccess file is Locked with Read Only Permissions.
    Use the Lock and Unlock buttons below to Lock or Unlock your root .htaccess file for editing.
    Cannot write to file: /home3/website/public_html/wp-admin/.htaccess.
    Is it OK?

Topic Closed

This topic has been closed to new replies.
