BulletProof Security
[resolved] htaccess files keep losing Bulletproof Security code (13 posts)

  1. amfm
    Member
    Posted 2 years ago #

    Hello,
    Using BPS, I activated all of the modes and backed up all of the htaccess and master files. Things work well. I check back in later and get this message:

    "Either a BPS .htaccess file was NOT found in your root folder or you have not activated BulletProof Mode for your Root folder yet, Default Mode is activated, Maintenance Mode is activated or the version of the BPS Pro htaccess file that you are using is not .46.8 or the BPS QUERY STRING EXPLOITS code does not exist in your root .htaccess file. Please read the Read Me button above.

    wp-config.php is NOT .htaccess protected by BPS"

    I've run into this numerous times and have tried a variety of things: re-running bulletproof mode, restoring from htaccess backups, manually editing htaccess. It all works, but only briefly. I check back in and the BPS code between "BEGIN WORDPRESS" and "END WORDPRESS" is edited out. Usually with (multiple copies of) WordPress permalinks code:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    I am not editing permalink structure, this seems to be happening automatically. I fixed it yesterday and this morning the htaccess is different. I am not sure what could be causing the code to be written out, or for increasing duplicates of WP code to take its place. (Once I didn't check for a while and there were 5 or 6 duplicates of the WP code.) I checked BPS's site for incompatible plugins, and I am not using any that are listed as a problem. I do have several other security plugins active that aren't evaluated on their list. I would appreciate any suggestions for possible causes of my htaccess problems. Thanks in advance for any help!

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    The only time I have seen this particular problem is when another plugin was automatically writing to the root .htaccess file and wiping out the BPS code and creating multiple instances of the default WP code. I do not currently know of any plugins that are doing this (the only one I was aware of has been fixed), but it sounds like one of your plugins is using this WP function >>> http://codex.wordpress.org/Function_Reference/flush_rewrite_rules

    This was the function that the other plugin was using that was malfunctioning and doing this exact same problem that you are describing. So if you have any plugins that are writing .htaccess code or doing anything with .htaccess code then you will need to track down the flush_rewrite_rules function in that plugin and notify the plugin author about it.

    I would also like to know what plugin it is so post back here once you find out which one it is. Thanks.

  3. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Actually I just came across something else that does something like you are describing. There is a very poorly coded tool / utility in cPanel called HotLink Protection. It is deadly. It is supposed to add HotLink .htaccess code to your root .htaccess file, but more than likely it will break your website and also BPS. It is very poorly coded and cannot correctly interpret the contents of the root .htaccess file and generates some gibberish code. Luckily you can keep / copy the initial code this tool generates then create a new .htaccess file that is not destroyed by this tool and then immediately block this malfunctioning tool by locking your root .htaccess file. This prevents this malfunctioning tool from writing to your .htaccess file, scrambling or deleting your .htaccess code, keeps your website from crashing and prevents having broken links.

  4. amfm
    Member
    Posted 2 years ago #

    Wow! Thank you for researching this and getting back to me so quickly! Of the two possibilities you've presented it looks to be cPanel's hotlink feature. I see there is a disable option, but I'm guessing it's not that simple. I'm not able to understand the steps you've recommended to fix this (I blame my lack of experience, not your explanation.) Would you mind walking me through the steps with more detail?

    Thank you so much!

  5. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    This is exactly what is wrong with the cPanel HotLink tool.
    It will generate the correct .htaccess code when you first use it, but what the person who coded this tool forgot to do was to write reference points with the code that is written to the .htaccess file and ONLY look for those reference points. What is happening now because that coding was NOT added to this tool is this: The HotLink tool looks at the contents of the .htaccess file and cannot find its own code because no reference points were created when it created its code. So what happens is the HotLink tool can no longer find its own code in the .htaccess file and it looks at the first instance of BPS code that has similar code and of course displays the wrong code because this tool needs additional coding corrections made to correct this malfunction. Apparently there is another coding problem with the disable option - it does not really work / does not disable itself. Another thing I noticed is that it adds whitespace before all [NC] code lines that it writes to the Root .htaccess file - not critical, but that whitespace should be removed.

    What you can do to work around this broken tool is: You copy the .htaccess code that the HotLink tool creates initially to your Root .htaccess file. In BPS .46.9 there will be a new feature called Custom Code that will allow you to add custom .htaccess code that will be saved permanently to your DB and will automatically be written to your Root .htaccess file when you use the AutoMagic buttons. For now you will need to do this copy and paste manually. Then you will need to lock your Root .htaccess file. If you do not lock your Root .htaccess file this broken tool will still be able to write to the Root .htaccess file and continue to cause problems. Locking the root .htaccess prevents the HotLink Tool from being able to write to your Root .htaccess file.
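
The "reference points" idea from the post above, as an added example that is not part of the original post and is not cPanel or BPS code: a shell function that rewrites only the lines between its own `# BEGIN` / `# END` markers in an .htaccess file and appends a marked block when they are absent. The marker name `HotLinkExample` and the function name `update_block` are hypothetical.

```shell
#!/bin/sh
# Added example: a tool that edits .htaccess should only ever touch the block
# it wrote itself, identified by its own marker lines.

# update_block FILE NAME BODY_FILE
#   FILE      .htaccess file to edit
#   NAME      marker name (hypothetical: HotLinkExample)
#   BODY_FILE file holding the new rules for that block
# If both markers exist, only the lines between them are replaced.
# If they do not, a new marked block is appended; no other block is parsed.
update_block() {
    file=$1
    name=$2
    body=$3
    tmp=$(mktemp) || return 1
    if grep -qxF "# BEGIN $name" "$file" && grep -qxF "# END $name" "$file"; then
        awk -v b="# BEGIN $name" -v e="# END $name" -v body="$body" '
            $0 == b {                      # our own start marker
                print
                while ((getline line < body) > 0) print line
                close(body)
                skip = 1                   # drop the old body
                next
            }
            $0 == e { skip = 0 }           # our own end marker
            !skip   { print }              # everything else passes through
        ' "$file" > "$tmp"
    else
        {
            cat "$file"
            printf '%s\n' "# BEGIN $name"
            cat "$body"
            printf '%s\n' "# END $name"
        } > "$tmp"
    fi
    cat "$tmp" > "$file"    # write in place so owner and mode are kept
    rm -f "$tmp"
}
```

Running it twice with different rule files leaves a single marked block, and the WordPress and BPS sections are byte-for-byte unchanged.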

  6. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Or maybe just by removing anything you have added to the HotLink Protection tool and just using the example Hotlink code already provided in the root .htaccess file in BPS, maybe it would stop this tool from doing what it is doing. Without being able to look at the HotLink Protection tool coding I do not know the full extent of the coding problems. ;)

    # BLOCK HOTLINKING TO IMAGES
    # To Test that your Hotlinking protection is working visit http://altlab.com/htaccess_tutorial.html
    #RewriteEngine On
    #RewriteCond %{HTTP_REFERER} !^https?://(www\.)?add-your-domain-here\.com [NC]
    #RewriteCond %{HTTP_REFERER} !^$
    #RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]

  7. amfm
    Member
    Posted 2 years ago #

    Thanks for your responses. I actually didn't activate cPanel's Hotlink Feature, nor do I want it active. I wasn't aware of the option until this conversation. It either came already enabled or activated itself. From reading a few things online, it sounds like it might activate itself from responding to code that I (or my plugins) manually inserted into my .htaccess file.

    This article sounds like it describes the problem:
    http://perishablepress.com/major-problem-with-cpanel-hotlink-protection-and-htaccess/

    and this forum topic refers to how cPanel's hotlink protection enables itself and whitelists things that it shouldn't:
    http://forums.cpanel.net/f34/hotlink-protection-feature-interfering-htaccess-223691.html

    Since I didn't activate the tool, I have no idea what code it has installed (or is trying to install) in my htaccess, so I am unable to copy it. I would love to disable the tool, but it sounds like trying to do that could break my site, cause problems with permalinks, or not work. It is frustrating to have it messing up my site without my permission. I have hotlink protection already in my htaccess from non-cPanel sources, I would love to turn cPanel's protection off. Any idea if that is possible without it making a mess?

    Thanks again!

  8. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Ahh yep the coding problem / mistakes in that cPanel HotLink tool is worse than I thought. It does not matter if you enable or disable it - it is broken and it enables itself automatically if it sees that you have an .htaccess file and that you have .htaccess code in that file and you cannot disable it because of whatever bad coding it has in it. The only thing that I have found that works to block / stop this tool from wreaking havoc is to lock your root .htaccess file with 404 file permissions (Read Only permissions). If your SAPI is DSO then you are screwed because you cannot block the tool by changing your file permissions. If your Host does not allow you to change file permissions to 404 then you are screwed. If your SAPI is CGI and your Host allows you to change file permissions to 404 then you can block this tool by clicking the Lock .htaccess file in BPS or manually changing your root .htaccess file permissions to 404 via FTP.

    OMFG - that is not a new post on the Perishable Press site - the cPanel HotLink Protection tool has been broken for years.

  9. amfm
    Member
    Posted 2 years ago #

    I locked htaccess, it seems to be working! I'll keep an eye out for changes. I am tempted to try to turn off cPanel's hotlink feature to see what happens... but I also don't want to mess up my pretty permalinks (a known side effect of disabling it.) Urg. So annoying. I will leave it for now to see if the 404 lock does the trick.

    Thank you so much for your help! I absolutely never would've thought to look for the source of the problem in cPanel for a feature I never activated. Totally unbelievable! I was so sad to see the Perishable Press post was from 2007... so this bug has been on cPanel's books for at least five years with no correction.

  10. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Cool. ;)

    I actually tried to turn it off - it does not turn off. ;) What I didn't try was removing all entries / text / data in all of the windows (leaving all windows blank). The coding may do a check like "if this window is not blank then destroy the root .htaccess file code and break the website". LOL

    Yeah this is a very obscure problem that I think has been the cause of several "unsolved BPS mysteries" through the years, but now knowing what I know about this broken cPanel HotLink Protection tool it is obvious that the broken cPanel HotLink Protection tool was the culprit. That would also explain why after I added .htaccess file locking protection to BPS that these strange types of problems diminished down to a trickle. Kind of scary to think that you have to block your own Host Control panel in order to protect your website. LOL

  11. monkseo
    Member
    Posted 2 years ago #

    Hi, I am having a terrible time with this - my htaccess file keeps getting the same thing rewritten - I tried deleting all the extra times, and then resaving it and changing the permissions to 444, then apply.

    But it still keeps getting re-written and then double check in file manager and permissions were set back to 644 - what can I do this keeps caching my site and I just don't know what to do, it is driving me crazy and creating more grey hairs - I have been battling this and my site crashing for a week and we are behind on launch date due to this.

  12. monkseo
    Member
    Posted 2 years ago #

    I also tried to set to 404 permissions and it auto changed to 604

  13. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    444 is not a locked / Read Only file permission. 404 is a locked / Read Only file permission and is the most restrictive permissions setting that you can apply to an .htaccess file. If your host does not allow you to use 404 file permissions or if your Host Server is using DSO then there is probably not anything you can do about this unless you move to another Server with CGI. In both of these cases your Host will force 644 permissions, which will NOT lock the file down. If you are changing the file permissions and they are automatically being changed to 644 or 604 then you will need to contact your web host and explain the problem and ask them if it is possible to stop automatically changing your file permissions to 644 or move you to a Server that is configured with CGI instead of DSO.
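
A check for the symptoms reported in this thread, as an added example that is not part of any post and is not BPS code: it counts duplicated `# BEGIN WordPress` blocks, looks for the string named in the BPS warning message, and compares the file mode with the 404 lock discussed above. The function names are hypothetical, and it assumes the BPS section of the file contains the text `BPS QUERY STRING EXPLOITS`.

```shell
#!/bin/sh
# Added example: audit a root .htaccess file for the problems in this thread.
# Usage (path is an assumption): audit_htaccess /path/to/site/.htaccess

# Number of "# BEGIN WordPress" lines; more than one means the default
# WordPress block has been written repeatedly.
count_wp_blocks() {
    grep -c '^# BEGIN WordPress' "$1" || true
}

# Exit 0 if the text named in the BPS warning message is still in the file.
has_bps_code() {
    grep -qF 'BPS QUERY STRING EXPLOITS' "$1"
}

# Octal permission bits, e.g. 404 or 644 (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Prints one finding per line and returns the number of findings (0 = clean).
audit_htaccess() {
    f=$1
    findings=0
    [ -r "$f" ] || { echo "cannot read $f"; return 10; }

    n=$(count_wp_blocks "$f")
    if [ "$n" -gt 1 ]; then
        echo "duplicate WordPress blocks: $n"
        findings=$((findings + 1))
    fi
    if ! has_bps_code "$f"; then
        echo "BPS QUERY STRING EXPLOITS code not found"
        findings=$((findings + 1))
    fi
    m=$(file_mode "$f")
    if [ "$m" != 404 ]; then
        echo "file mode is $m, not the 404 lock"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run from cron or after each deploy, a non-zero return shows that something rewrote the file or reset its permissions since the last check.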

Topic Closed

This topic has been closed to new replies.