BulletProof Security
[resolved] bulletproof-security.0.47.5 not working (64 posts)

  1. bsp2012
    Member
    Posted 1 year ago #

    The new version 0.47.5 Bullet Proof Security seemed to be not working or the download file is corrupted. When I updated to the new version manually, I encountered errors and warnings like secure.htaccess on public_html/wp-content/plugins/bulletproof-security/admin/htaccess is not found or not re-writable. When I tried uploading the secure.htaccess again on that folder, the file is not seen though it was uploaded correctly. And, when I tried creating the file, secure.htaccess disappears on that folder after saving the code in the editor.
    I also tried automatic update but the same error occurs. So, I reverted to version 0.47.4 and everything turns back to normal. No more errors or warnings.
    The settings on my website's server and database are fine and correct and my website uses CGI.
    I noticed that the download file of version 0.47.5 (around 500 kb) is smaller compared to version 0.47.4 (around 800 kb).

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. damian5000
    Member
    Posted 1 year ago #

    getting the same error...

    Also, WordPress is reporting .47.5, however in .htaccess and within the plugin itself it is reporting as Pro 5.D ... Just a hunch this may be the source of the problem.

  3. sbbn
    Member
    Posted 1 year ago #

    Same or similar problem on fuzzyskeletonian.com (NSFW) -- front page worked, none of the other pages could be found, all 404'd. BPS wouldn't create a new .htaccess file, though it would try and create an empty .htaccess but cough up an error saying "secure.htaccess on public_html/wp-content/plugins/bulletproof-security/admin/htaccess is not found or not re-writable"

    Within Cpanel, the file was both there and writable, so the error didn't make much sense.

    This only happened on update, no other changes were made.

    ETA: Installed the previous version and the blog is back, thank goodness -- thank you bsp2012 for the suggestion!

    What a mess, though. Something is clearly wrong with this update -- I have a feeling that as morning breaks in the U.S., BPS is going to have a TON of complaint posts to deal with.

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Overall the .47.5 upgrade is working fine for most folks so I need to isolate the common denominator with you guys to figure out why the upgrade is not working correctly on your websites/Hosts/Servers. Or of course these could all be separate isolated problems/incidents. Or just the same old common problems that resurface over and over again on upgrades such as the cPanel Broken HotLink Protection Tool problem sigh >>> http://wordpress.org/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=7

    So first let me explain some things that changed just to get some facts on the page. They may be relevant or they may not be relevant. At this point there have been 2,600 upgrade installations so far and only you guys are having issues/problems with the .47.5 upgrade so logically this appears to be an isolated problem or separate isolated problems and not an overall coding problem/issue in .47.5.

    1. The BPS plugin files were resaved in UNIX LF Code Format as they were incorrectly saved in CR LF Windows Code Format in .47.4 - this is most likely not relevant and this issue would only affect Mac based Servers by displaying Control M characters in .htaccess files on those Mac based Servers (Mountain Lion, BSD, etc) in .47.4. The .47.5 release fixes that Code Format issue for those particular folks.

    2. plugins_url and WP_PLUGIN_DIR Constants were added to replace several WP_CONTENT_DIR Constants - this also is probably not relevant, unless of course the problem is symlink related, but i seriously doubt that is the issue.

    3. BPS now does a DNS Host Name check so it is possible that this coding check does not work on your particular websites/Hosts/Server - this is actually something that could be a problem on a larger scale, but so far it does not appear to be an issue or problem on a larger scale so most likely this change is also irrelevant to the problems/issues you guys are experiencing.

    I am leaning more toward that these are all isolated incidents since the ratio of reported problems is actually very low 3 out of 2,600 downloads/installations and literally only you guys so far - lucky you right. :)

    @ bsp2012 - The plugin overall size decreased because the screenshot image files were moved to the SVN Assets folder. This helps make the zip installations faster and of course reduces Bandwidth and resource cost for WordPress.org.

    This is an important clue to the problem that is occurring on your website/Host/Server - "When I tried uploading the secure.htaccess again on that folder, the file is not seen though it was upload correctly. And, when I tried creating the file, secure.htaccess disappears on that folder after saving the code in the editor."

    The file has to exist if you are uploading it so you would need to turn on "Show Hidden Files" to see the .htaccess file since on some Hosts these files are hidden by default. Or another problem could be a file permission/ownership problem - do you see file or folder permissions that show 0000 (4 zeros) instead of 644 or 755?

    @ bsp2012 - Please do these troubleshooting steps.
    1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
    2. Click the AutoMagic buttons and activate BulletProof Modes for both your Root folder and wp-admin folder.
    3. Deactivate all your plugins except for BPS.
    4. install the BPS automatic update to .47.5

    let me know what happens at this point.

    @damian500 - please also try the troubleshooting steps above.

    @sbbn - This is a great clue - "secure.htaccess on public_html/wp-content/plugins/bulletproof-security/admin/htaccess is not found or not re-writable"

    ...and indicates that the .htaccess file is either being deleted or damaged during the BPS upgrade, which sounds like the classic cPanel Broken HotLink Protection Tool problem.

    Please also follow the troubleshooting steps above and let me know what happens at this point.

  5. Heartwood
    Member
    Posted 1 year ago #

    I ran into the same problem -- the root .htaccess and secure.htaccess files both disappearing and being "not found or not re-writable" by BPS. Neither were they visible in Filezilla and Cpanel but NOT because of being hidden files: the wp-admin folder's .htaccess file was visible.

    I uploaded a basic .htaccess file to the root and duplicated it as secure.htaccess in the BPS admin/htaccess directory, and then painstakingly copied over each portion of the code, one at a time, to see which part was making it break. This is the only one that triggered the problem:

    # REQUEST METHODS FILTERED
    # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
    # HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just
    # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
    # all bots to make a HEAD request then remove HEAD from the Request Method filter.
    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]

    So I removed that part of the code and it works fine again. Hope this helps figure out why, and how to accomplish the intended goal in some other way that's not as problematic.
    :-)

  6. Heartwood
    Member
    Posted 1 year ago #

    I spoke too soon -- getting 404 errors for all but the homepage. But at least the .htaccess files are staying put...

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    The problem you are describing sounds exactly like the cPanel Broken HotLink Protection Tool problem. Do you have cPanel for your web host control panel?

    Oh never mind i see you already said you have cPanel. LOL

    ok look at this post and let me know if this is the problem. This problem has been occurring for over 10 years and i assume will continue to happen to the end of time. ugh.

    cPanel Broken HotLink Protection Tool problem
    http://wordpress.org/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=7

    And logically i am getting a clearer picture of what might be happening thanks to you isolating the new coding area that the broken HotLink Protection Tool is now seeing to break everything in even more ways. sigh. The broken cPanel HotLink Protection Tool will scan your root .htaccess file and it looks for code like this - RewriteCond %{HTTP_REFERER} ^.*example.com.* so that it can automatically incorporate that .htaccess code into its own cPanel options. this is really neat, but unfortunately it does not work correctly and ends up destroying the valid htaccess code and generates either 403, 404 or 500 errors and does anywhere from breaking your site URL's to crashing your entire website.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also to all who have posted in this thread please list your web hosts. BPS now has new DNS Name Server coding that will detect your web host and not automatically lock your root .htaccess file if your particular Host does not allow this. This may or may not be relevant to the problem, but it is worth gathering that information and eliminating that possibility. Also please check the current file permissions for your root .htaccess file and then test changing the file permissions from 644 to 404 if the root .htaccess file permissions are not already 404 permissions. Please post whether or not changing the root .htaccess file permissions to 404 causes a problem for your particular website. Also please list your Server API type - you will find this information under the BPS System Info tab page. Thanks.

    http://wordpress.org/support/topic/plugin-bulletproof-security-403-error-after-upgrade-htaccess-file-permission-issue?replies=1

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok i now have 3 confirmed people who are using Namecheap hosting that are having both BPS files being incorrectly quarantined and also BPS .htaccess files that are being incorrectly quarantined. It appears that Namecheap has a malfunctioning scanner that is incorrectly scanning files or scanning files in a too general way and quarantining these legitimate files.

    For all people who posted in this thread please post your web host name.

    I will be posting a sticky post to the top of the BPS Forum for folks who have Namecheap hosting until i have a chance to contact Namecheap and alert them to this problem.

    Thank you.

  10. vm90
    Member
    Posted 1 year ago #

    Getting the same error too. My webhost is Stablehost and also using cPanel. Previous versions worked fine but this new version 0.47.5 Bullet Proof Security not working correctly. :/

  11. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep i think there are 2 problems going on here - the Namecheap incorrect quarantining of BPS .htaccess files and then the good old cPanel Broken HotLink Protection Tool problem. Woohoo! LOL

    Please see this post regarding the cPanel Broken HotLink Protection Tool for the steps you can take to fix the problem >>> http://wordpress.org/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=7

  12. Heartwood
    Member
    Posted 1 year ago #

    Okay, I got the 404 errors to disappear by also removing this part of the code:

    # FORBID EMPTY REFFERER SPAMBOTS
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} (wp-comments-post\.php)
    #RewriteCond %{HTTP_REFERER} !^.*demo5.local.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F]

    Web host is EthicalHost.ca
    Server API is CGI
    Attempting to change permissions to 404 resulted in them being changed to 604 (server override).

    Locking the root .htaccess within BPS after editing resulted in some of the code disappearing -- not the end of the code being truncated, but all the code for PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES, TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE, and BPSQSE BPS QUERY STRING EXPLOITS. I'd already removed FORBID EMPTY REFFERER SPAMBOTS and REQUEST METHODS FILTERED.

    I've left it "unlocked" in BPS, with permissions set to 604.

    Clicking the Update File button sent me to
    [website URL]/#bps-tabs-5
    instead of
    [website URL]/wp-admin/admin.php?page=bulletproof-security/admin/options.php#bps-tabs-5
    but using the browser's Back button enabled me to get back to the BPS tabs.

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also it is looking like a couple other hosts are also using the same scanner or scanning script that is misinterpreting valid htaccess code as malicious code. So this may not be isolated to only one host. i will try to find the source of that scanner script or application to isolate it and find out its name so that i can identify why it is misinterpreting valid code.

  14. Heartwood
    Member
    Posted 1 year ago #

    I just got some alerts from the WordPress Firewall 2 plugin, concerning my edits of the .htaccess files, so maybe that's where some of the problems are from when trying to save the edits. I'll have to remember to disable the firewall temporarily next time.

  15. The Hack Repair Guy
    Member
    Posted 1 year ago #

    Or just save a lot of hardship for a lot of folks and just say sayonara to that "misinterpreted valid code" and move on...
    :)

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Well that would be going backwards instead of moving forward. The .htaccess code has value and is working on most web hosts. So instead of throwing the baby out with the bath water i would like to isolate the source of these problems since this is only occurring on a very small scale relatively. Out of 3,370 upgrade installations of BPS .47.5 the number of folks experiencing problems is very low. So i would like to keep moving forward on this one. If even 1% of the upgrade installations were failing then i would quickly revert back to .47.4, but we are well below that mark.

  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    @Heartwood - i think that Firewall 2 is just seeing some code that it is interpreting as malicious so this is just a false alarm, but thanks for that input. There are several things that Firewall 2 sees in BPS Pro that it considers possible malicious code and those folks just tell Firewall 2 to ignore those false alarms. Thanks.

  18. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    @Heartwood - ok then this host does have file permission restrictions in place so this host will be added to the DNS Name Server DO NOT AUTOMATICALLY LOCK the root .htaccess file coding. Thanks.

    I am still analyzing why the FORBID EMPTY REFFERER SPAMBOTS code would cause a 404 error on your particular website/Host. This is not occurring on most hosts.

    The last thing you mentioned is related to URL's being broken so it is a 404 issue of some kind.

  19. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also in general there could be several isolated problems going on here so i want to be very careful here about not lumping isolated incidents under 1 umbrella. ;) The fact still remains that most upgrade installations to BPS .47.5 are working perfectly fine with the exception of a handful of folks.

  20. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    @Heartwood - Please do these steps below.

    1. Download your root .htaccess file to your computer.
    2. Click the Create secure.htaccess AutoMagic button.
    3. Go to the BPS Edit/Upload/Download tab page.
    4. Click on the secure.htaccess tab and copy all the contents of that file.
    5. Paste the contents of that file and overwrite all the contents of the .htaccess file that you downloaded to your computer and save the file.
    6. upload that .htaccess file and overwrite your root .htaccess file in your website root folder.
    7. change the root .htaccess file permissions to 644.

    Please post the results of doing these steps above. Thanks.

  21. Heartwood
    Member
    Posted 1 year ago #

    Do you mean try to put the original secure.htaccess back first? That's what kept disappearing and I had to edit it to make it stop doing that.

    The downloaded root .htaccess was missing most of the code I thought I'd managed to put back in. I replaced it first with the version on my computer that I had thought was working:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    #   BULLETPROOF .47.5 >>>>>>> SECURE .HTACCESS
    # If you edit the  BULLETPROOF .47.5 >>>>>>> SECURE .HTACCESS text above
    # you will see error messages on the BPS Security Status page
    # BPS is reading the version number in the htaccess file to validate checks
    # If you would like to change what is displayed above you
    # will need to edit the BPS /includes/functions.php file to match your changes
    # If you update your WordPress Permalinks the code between BEGIN WordPress and
    # END WordPress is replaced by WP htaccess code.
    # This removes all of the BPS security code and replaces it with just the default WP htaccess code
    # To restore this file use BPS Restore or activate BulletProof Mode for your Root folder again.

    # BEGIN WordPress
    # IMPORTANT!!! DO NOT DELETE!!! - BEGIN WordPress above or END WordPress - text in this file
    # They are reference points for WP, BPS and other plugins to write to this htaccess file.
    # IMPORTANT!!! DO NOT DELETE!!! - BPSQSE BPS QUERY STRING EXPLOITS - text
    # BPS needs to find the - BPSQSE - text string in this file to validate that your security filters exist

    # TURN OFF YOUR SERVER SIGNATURE
    ServerSignature Off

    # ADD A PHP HANDLER
    # If you are using a PHP Handler add your web hosts PHP Handler below

    # DO NOT SHOW DIRECTORY LISTING
    # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
    # by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
    Options -Indexes

    # DIRECTORY INDEX FORCE INDEX.PHP
    # Use index.php as default directory index file
    # index.html will be ignored will not load.
    DirectoryIndex index.php index.html /index.php

    # BPS PRO ERROR LOGGING AND TRACKING - Available in BPS Pro only
    # BPS Pro has premade 403 Forbidden, 400 Bad Request and 404 Not Found files that are used
    # to track and log 403, 400 and 404 errors that occur on your website. When a hacker attempts to
    # hack your website the hackers IP address, Host name, Request Method, Referering link, the file name or
    # requested resource, the user agent of the hacker and the query string used in the hack attempt are logged.
    # BPS Pro Log files are added to the P-Security All Purpose File Manager to view them.
    # All BPS Pro log files are htaccess protected so that only you can view them.
    # The 400.php, 403.php and 404.php files are located in /wp-content/plugins/bulletproof-security/
    # The 400 and 403 Error logging files are already set up and will automatically start logging errors
    # after you install BPS Pro and have activated BulletProof Mode for your Root folder.
    # If you would like to log 404 errors you will need to copy the logging code in the BPS Pro 404.php file
    # to your Theme's 404.php template file. Simple instructions are included in the BPS Pro 404.php file.
    # You can open the BPS Pro 404.php file using the WP Plugins Editor or by using the BPS Pro File Manager.
    # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php template file.
    # ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    # ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php

    # DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
    RedirectMatch 403 /\..*$
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
    # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
    # Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.
    
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    #RewriteCond %{HTTP_REFERER} ^.*demo5.local.*
    RewriteRule . - [S=1]
    
    # BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    
    # DENY BROWSER ACCESS TO THESE FILES
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # Replace Allow from 88.77.66.55 with your current IP address and remove the
    # pound sign # from in front of the Allow from line of code below to access these
    # files directly from your browser.
    
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order allow,deny
    Deny from all
    #Allow from 88.77.66.55
    </FilesMatch>
    
    # IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
    # END WordPress

    The secure.htaccess was also incomplete, so I replaced that first too.

    Then I followed your instructions. At step 4, the secure.htaccess was back to the original version rather than what I thought I had just uploaded -- it had the FORBID EMPTY REFFERER SPAMBOTS and REQUEST METHODS FILTERED code back in it. However, I followed your directions exactly, and copy-pasted it into the downloaded root .htaccess and re-uploaded that, overwriting the one that was on the server. I changed the permissions to 644. The file immediately disappeared and the 404 errors were back.

    I've re-uploaded the file that has the above code, both in the root as .htaccess with 604 permissions, and in the BPS admin/htaccess folder as secure.htaccess with 644 permissions, and all is working again.

    [Moderator Note: Please use the pastebin for large blocks of code. 250 lines of .htaccess directives is just a little excessive.]
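Much of this thread is about a root .htaccess that keeps losing sections (the version line, the BEGIN/END WordPress reference points, the BPSQSE block) and about skip rules that must be renumbered when one is removed, as the "If you add or remove a skip rule you must change S=" comment in the file above says. The script below is an added example, written for this thread and not code from BPS, AITpro or any poster here: it checks an .htaccess file for the marker strings the file's own comments say the plugin needs, and verifies that every `[S=n]` skip rule lands on an existing RewriteRule and that a run of consecutive skip rules all converge on the same rule. The two sample files are constructed cut-downs of the file posted above; the function and constant names are mine.

```python
"""Added example: integrity checks for a BPS-style root .htaccess.
Not BPS code; marker strings and rule shapes come from the file posted in
this thread, the sample inputs below are constructed."""
import re
from typing import List, Tuple

# Markers the posted file's comments say BPS looks for (version line,
# BEGIN/END WordPress reference points, the BPSQSE text).
REQUIRED_MARKERS = (
    "BULLETPROOF .47.5 >>>>>>> SECURE .HTACCESS",
    "# BEGIN WordPress",
    "# END WordPress",
    "BPSQSE BPS QUERY STRING EXPLOITS",
)

# An active (uncommented) RewriteRule; group 1 is the flag list, if any.
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+\S+(?:\s+\[([^\]]*)\])?\s*$")


def missing_markers(text: str) -> List[str]:
    """Markers the file should contain but does not (stripped or damaged file)."""
    return [m for m in REQUIRED_MARKERS if m not in text]


def rewrite_rules(text: str) -> List[Tuple[int, str]]:
    """(line number, flags) of every active RewriteRule, in file order."""
    found = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m:
            found.append((line_no, m.group(1) or ""))
    return found


def skip_targets(text: str) -> List[Tuple[int, int, int, int]]:
    """For each RewriteRule carrying [S=n]: (line, rule index, n, landing index).
    mod_rewrite's S flag skips the next n RewriteRule directives, so the rule at
    index i resumes processing at rule index i + n + 1."""
    targets = []
    for idx, (line_no, flags) in enumerate(rewrite_rules(text)):
        m = re.search(r"\bS=(\d+)", flags)
        if m:
            n = int(m.group(1))
            targets.append((line_no, idx, n, idx + n + 1))
    return targets


def check_skip_chain(text: str) -> List[str]:
    """Report skips that jump past the last RewriteRule (the WordPress permalink
    fallback is then skipped too, giving 404s) and consecutive skip rules that
    no longer land on the same rule, which is what a removed-but-not-renumbered
    skip rule looks like."""
    rule_count = len(rewrite_rules(text))
    targets = skip_targets(text)
    problems = []
    for line_no, _idx, n, landing in targets:
        if landing >= rule_count:
            problems.append(f"line {line_no}: [S={n}] skips past the last RewriteRule")
    run: List[Tuple[int, int, int, int]] = []
    for entry in targets + [None]:
        if entry is not None and (not run or entry[1] == run[-1][1] + 1):
            run.append(entry)
            continue
        if len(run) > 1 and len({e[3] for e in run}) > 1:
            lines = ", ".join(str(e[0]) for e in run)
            problems.append(f"lines {lines}: consecutive skip rules land on different rules")
        run = [entry] if entry is not None else []
    return problems


# Constructed sample in the shape of the posted file; S=5, S=4, S=3 and S=1
# all land on the final "RewriteRule . /index.php [L]" fallback.
SAMPLE_OK = r"""# BULLETPROOF .47.5 >>>>>>> SECURE .HTACCESS
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=5]
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
RewriteRule . - [S=4]
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=3]

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (timthumb\.php|thumb\.php) [NC]
RewriteRule . - [S=1]

# BPSQSE BPS QUERY STRING EXPLOITS
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|nikto) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

# Constructed: the S=4 rule deleted without renumbering S=5 to S=4.
SAMPLE_BROKEN = SAMPLE_OK.replace(
    "RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]\nRewriteRule . - [S=4]\n", "")

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(name, missing_markers(text), check_skip_chain(text))
```

Run it against a downloaded copy of the root .htaccess after each upload; an empty result from both checks means the markers survived and the skip chain is intact, while a non-empty list points at the section that was stripped or mis-renumbered. The skip check only counts active RewriteRule lines, so commented-out rules (as in the `#RewriteCond ... demo5.local` line above) do not shift the numbering.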

  22. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok yep that is what i thought would happen. Either this is because of the Broken cPanel HotLink Protection Tool problem or because your Host is stripping out .htaccess code automatically.

    You are in a catch 22 situation on this host if it is the Broken cPanel HotLink Protection Tool that is doing this because you cannot lock your root .htaccess file to stop it from doing the damage that it does. The only way i have found to block this broken tool is by locking the root .htaccess file with 404 permission, which your Host does not allow.

    So take a look in your cPanel and look for the HotLink Protection Tool and post the gibberish code that you see in the text boxes for that tool in your reply.

    If you do not see gibberish code in the HotLink Protection Tool windows then your Host is doing this automatically to the root .htaccess file.

  23. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also at the very top of the file you have standard WordPress htaccess code? This will of course cause things not to work correctly. Was this added automatically to your root .htaccess file?

    The top of your root .htaccess file should start from:
    # BULLETPROOF .47.5 >>>>>>> SECURE .HTACCESS

  24. Heartwood
    Member
    Posted 1 year ago #

    I didn't think I had enabled Hotlink Protection throughout that whole process, but sure enough it said it was enabled:

    URLs to allow access:

    (%0A|%0D|%27|%3C|%3E|%00)
    \.opendirviewer\.
    users\.skynet\.be.*

    Block direct access for these extensions (separate by commas):
    .*

    I clicked the Disable button and now it's back to what it had been when I originally checked (which I did for the first time in response to your mention of it in your first post to this thread). So now it just has the list of the site's domain names as URLs, and the list of extensions in the second box are now back to saying
    jpg,jpeg,gif,png,bmp
    but says it's disabled.

  25. Heartwood
    Member
    Posted 1 year ago #

    No, the WordPress code was the basic code I used to get the .htaccess file to stop disappearing, and I just didn't remove it. It didn't get added automatically. I've removed it now, and re-uploaded the two files.

  26. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep this is the classic gibberish coding that is created by the broken cPanel HotLink Protection Tool so yep it is the broken cPanel HotLink Protection Tool that is causing the problems for your website.

    It does not matter whether you enable the broken cPanel HotLink Protection Tool because both enable and disable are also broken - it runs automatically whether you like it or not and like i said the only way i have found to successfully prevent it from causing 404, 403 and 500 errors and breaking your website is to lock the root .htaccess file which prevents the broken cPanel HotLink Protection Tool from destroying your .htaccess file coding. Unfortunately, your host does not allow you to lock your .htaccess file - catch22. And i hate to tell you this, but the problem will occur over and over again - there is only one way to stop it and that is to lock your root .htaccess file.

  27. Heartwood
    Member
    Posted 1 year ago #

    ... and then I got the 404 errors again. So I've put back the one with the WordPress code at the top, and it all seems to be working again.

    Does that give you any clues?

  28. Heartwood
    Member
    Posted 1 year ago #

    Aaaargh! I re-downloaded it to check that it was still intact, and now it doesn't have the WordPress code in it. I'm not getting the 404 errors but the Hotlink Protection has enabled itself again and is again showing the

    (%0A|%0D|%27|%3C|%3E|%00)
    \.opendirviewer\.
    users\.skynet\.be.*

    code
    ???

  29. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    yep you have the classic broken cPanel HotLink Protection Tool problem that has been going on now for over 10 years. Since your Host does not allow you to lock your root .htaccess file then what i recommend is that you contact them to permanently remove this broken tool from your cPanel. I am getting pretty tired of having to deal with this same problem year after year so i am going to see if it is possible to kill this broken junk tool from within BPS itself. It is absolutely ridiculous to me that a problem could go on as long as it has - 10+ years really? My god.

  30. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep the broken cPanel HotLink Protection Tool will continue to break your website until the end of time since you are unable to block it by using 404 file permissions on your htaccess file.

Topic Closed

This topic has been closed to new replies.