BulletProof Security
[resolved] Bulletproof Security Took Down Main Site (5 posts)

  1. asimj
    Member
    Posted 2 years ago #

    Hi,

    I installed Bulletproof Security (BPS) on 3 different blogs today and all worked great apart from 1 where the blog was installed in a sub-directory and was a small part of a larger PHP driven e-commerce site. After activating BPS, the main site became inaccessible and just hung and eventually timed out. This was quite worrying as you can imagine and I had no idea why a WordPress plugin was affecting anything other than WP itself.

    Eventually, after a lot of panicking I found that deleting the .htaccess files in WP root and /wp-admin directories solved the problem. Why were these affecting the root (non WP) directory? Also, are there any other locations inside or outside of WP that I should delete .htaccess files from? I'm worried that even though everything seems to be running ok that some parts of our main (money) site may still be affected by changes that BPS made...

    Thanks in advance for your advice.

    Regards,
    Asim

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    .htaccess files are not exclusive to WordPress. http://en.wikipedia.org/wiki/Htaccess

    FYI - the disadvantages performance loss info on that Wiki page is incorrect. .htaccess files do not cause a performance loss and whether or not the httpd.conf or the .htaccess file contain the rules it does not make any difference - there is no performance loss when using .htaccess files. Thousands of lines of .htaccess code can be processed in milliseconds. ;)

    "...apart from 1 where the blog was installed in sub-directory and was a small part of a larger PHP driven e-commerce site..."

    If you put an .htaccess file in a folder then all the files in that folder will follow the security rules in that .htaccess file.

    If your other php application or platform requires its own specific .htaccess rules then you can create those using the BPS built-in .htaccess File Editor. Usually a good site architecture will keep separate apps in separate folders as sharing folders can be problematic when trying to apply website security to each different app. And in general you should have all apps in self contained environments / directories / folders.

    If a Parent folder has an .htaccess file created in it then the subfolders of that parent will also have the .htaccess security rules applied to them.
    If you add an .htaccess file in a Child folder of a Parent folder then the Child folder will follow the security rules of its own .htaccess file instead of the Parent .htaccess file.

    When you use AutoMagic to create your Master .htaccess files and then Activate them with BulletProof Modes, the Master files are copied to the respective folders for that site ONLY >>> 1 .htaccess file is copied to the Root folder for that site and 1 .htaccess file is copied to the /wp-admin folder for that site. The Deny All .htaccess files protect BPS files themselves and are copied to BPS Plugin folders.

  3. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Clarification >>> this is what the Apache website is saying verbatim from the Reference link for that statement regarding an .htaccess file causing a performance loss.

    "In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things."

    So what is incorrect about the statement on the Wiki page is that the statement should say specifically that a performance loss will be experienced if you use an .htaccess file for authentication purposes. And I think it is relevant to mention that the performance loss when using an .htaccess file for authentication purposes would be in milliseconds. ;)

    And this is also relevant - W3TC and SuperCache use .htaccess rules to significantly improve website performance. ;) The BPS .htaccess security rules focus only on security, so they neither slow down nor speed up website performance - they ONLY handle website security.

  4. asimj
    Member
    Posted 2 years ago #

    I understand how .htaccess files work. What I don't understand is why BPS would create .htaccess files that affect folders higher in the hierarchical structure than where WordPress is installed? Our blog is installed in /blog directory and BPS .htaccess files affected / root directory. The offending .htaccess file was actually in /blog/wp-admin/ and now I would like to know if any other .htaccess files were created by BPS that are outside of the WordPress directory?

  5. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    When you create .htaccess files for a site in the /blog folder then you will have 2 .htaccess files created >>> 1 in /blog/.htaccess and 1 in /blog/wp-admin/.htaccess.

    What you just stated is not possible. Only folders from /blog and below would have .htaccess security rules applied to them. Your Root folder for your Hosting Account / Domain Root cannot be affected by an .htaccess file in a child folder - that is not possible.

    Although if you incorrectly created .htaccess files in your /blog folder that are somehow rewriting to the / root folder then I could see that that could cause problems, but that would only be URL rewriting and not security filter issues.

    BPS only creates the 2 files I mentioned above in the location I mentioned above because that is what the coding is coded to do and it cannot magically do something that it is not coded to do.
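
The question of which .htaccess files exist and which directories they govern can be answered from the file system: Apache reads every .htaccess from the document root down to the requested directory, with deeper files taking precedence. The following is an added example, not part of the original thread and not BPS code; the function names and the temporary sample layout are constructed for illustration, and it assumes the default `.htaccess` file name.

```python
import os
import re
import tempfile

ACCESS_FILE = ".htaccess"  # Apache's default AccessFileName; assumed not changed
REWRITE_RE = re.compile(r"^\s*Rewrite(Rule|Base|Cond)\b", re.I | re.M)


def htaccess_chain(docroot, target_dir):
    """.htaccess files Apache consults for target_dir, docroot first, deepest last."""
    docroot, target = os.path.realpath(docroot), os.path.realpath(target_dir)
    if os.path.commonpath([docroot, target]) != docroot:
        raise ValueError("target_dir is outside docroot")
    rel = os.path.relpath(target, docroot)
    chain, current = [], docroot
    for part in [""] + ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part) if part else current
        candidate = os.path.join(current, ACCESS_FILE)
        if os.path.isfile(candidate):
            chain.append(candidate)
    return chain


def audit(docroot):
    """Map each .htaccess under docroot to True if it holds mod_rewrite directives."""
    docroot, found = os.path.realpath(docroot), {}
    for dirpath, _dirs, files in os.walk(docroot):
        if ACCESS_FILE in files:
            path = os.path.join(dirpath, ACCESS_FILE)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[os.path.relpath(path, docroot)] = bool(REWRITE_RE.search(fh.read()))
    return found


def build_sample(root):
    """Constructed layout from the thread: main site at /, WordPress in /blog."""
    os.makedirs(os.path.join(root, "blog", "wp-admin"))
    with open(os.path.join(root, "blog", ACCESS_FILE), "w") as fh:
        fh.write("RewriteEngine On\nRewriteBase /blog/\n")  # constructed content
    with open(os.path.join(root, "blog", "wp-admin", ACCESS_FILE), "w") as fh:
        fh.write("Options -Indexes\n")  # constructed content
    return root


if __name__ == "__main__":
    root = build_sample(tempfile.mkdtemp())
    print("applies to /:", htaccess_chain(root, root))
    print("applies to /blog/wp-admin:", htaccess_chain(root, os.path.join(root, "blog", "wp-admin")))
    print("all .htaccess files (True = has rewrite directives):", audit(root))
```

Run against a real document root, `audit()` lists every .htaccess file present, and `htaccess_chain()` shows which of them apply to a given directory.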
