BulletProof Security
[resolved] Just to double-check (7 posts)

  1. fotofashion
    Member
    Posted 3 years ago #

    For WP there are many plug-ins that do (or claim to do) the same thing. Over the past couple of months I developed some kind of a strategy to select candidates for testing. This sounds off-topic, but I am mentioning it because one key element of this strategy is the developer's support. And from what I can see in this forum, Ed's support is really exceptional, and that's why I feel confident to try BPS - although some of the comments are rather scary.

    But before I go ahead, I'd appreciate it if you could confirm my understanding:

    1) Once the proper .htaccess files are created, BPS does actually nothing, right? That's hypothetical, but I could uninstall the plug-in itself and my blog would still be functional AND protected.

    2) If anything goes wrong, all I have to do is to replace the .htaccess files that BPS created with the ones I am using now and everything would be back to what it was before. BPS does not change any other files or settings, right?

    3) The secure.htaccess file contains the directives "Deny from all" and "Allow from XX.XX.XX.XX", the latter being my IP address. If XX.XX.XX.XX does not match my IP address, I'll be logged out. If so, how can I determine 'my range'? I don't have a static address...

    Thanks,
    Andreas

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    Ha ha ha, yeah, I have to agree with you that some of the comments are pretty scary. LOL :) Thanks for the support compliment. My motto is: if you create something, you better be ready to support it 100%. ;)

    1. Yes, once you have created the Master .htaccess files and activated all BulletProof Modes, your website is completely protected even if you delete the BPS plugin files entirely from your site (excluding the .htaccess files that were added, of course). Deleting the BPS plugin does not delete the .htaccess files.

    2. Yes, BPS does not change anything about your site in any way except for adding new .htaccess files. BPS also has built-in backup and restore, so if you make a mistake you can just restore your backed-up .htaccess files. If you are unable to access your site, you would use the old-fashioned method of either FTP or your web host CP to manually edit your .htaccess files.

    3. Yep, I just picked a random IP address to add there as an example. ;) Your Current Public IP Address is displayed on the System Info page in BPS. Your ISP generates your public IP address using DHCP, and typically your IP address changes every time you disconnect and reconnect to the Internet.

    Very Welcome,
    Ed

  3. fotofashion
    Member
    Posted 3 years ago #

    Re. 3: But isn't the frequently changing address an issue? I mean, I enter my IP address into the secure .htaccess file today, but tomorrow I will have a different one. Will I still have access? My understanding is that I will be locked out if the address doesn't match.

    Should I better enter an IP address range instead, e.g. "allow from XXX.XXX.0-255.0-255"? And if so, what is the correct syntax to do that? Wouldn't it be more efficient to query the MAC address?

    You see, that's the part that I don't quite understand, and I just don't want to end up in a queue with those people saying that it doesn't work for them. So I'd better ask before trying it.

    Thanks,
    Andreas

  4. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    Yep, you have brought up a valid point. This is my thinking and logic. Really good website security should also protect your site from yourself. Meaning that we are all human and we all make mistakes from time to time. So I actually really like the fact that access to the files specified in the FilesMatch section of the root .htaccess file is only temporary. This acts like an automatic door closing behind you. I think you might be interpreting the FilesMatch section of code with too much emphasis, or maybe incorrectly. The FilesMatch section protects the specific files specified in that section of code from being edited or opened directly. These files are files that should be locked down and should not be allowed to be opened directly or edited. This does not in any way prevent the files from doing their regular functions - the "allow from" is allowing you direct access to these files to open them and to edit them. These files should be locked down pretty much 100% of the time. It is going to be pretty rare when someone will need to access these files directly and edit them. The BPS File Editor overrides this in a way that only the actual site administrator is automatically granted access to the .htaccess files. The files cannot be accessed outside of your WordPress site. There is really only one function that needs more coding work for convenience over security, and that is when someone wants to download their currently active root and wp-admin files - they are currently required to enter their current IP address manually in order to be able to download these files. My personal opinion is security should override convenience in all cases without exception, but in this case it is dealing with something that is not that critical security-wise. So probably in the next version release of BPS I will automate enabling downloading of the currently active .htaccess files in the same way that I have done with the backed-up and master files. Security comes first - convenience should come second.

    In summary, I think you are putting too much emphasis on an area of BPS that will not be used by most users very frequently, and most likely never used. I have found that most people do perform backups, but very few of them actually use the additional download feature to download additional backups. The help info hover explains what needs to be done in order to download currently active .htaccess files, but if you did get a complaint about this it would be a very simple thing for you to tell them what to do: click on your System Info tab menu, copy your public IP address and paste it into Your Currently Active root .htaccess file. And like I said, after they have done what they wanted to do, the door is automatically closed behind them for security reasons.

    Also, I think it would be impossible to spoof the IP address in order to gain access to these files, but if I did something more static then the chances of someone gaining access would be greatly increased. Security would be sacrificed for convenience, so this is not something that I would ever consider adding to BPS. You are of course free to modify the .htaccess code or plugin coding in any way you want. BPS is designed to be a security utility for you to create whatever you want, as well as a preset automated website security solution. Thanks.
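The two posts above turn on how Apache evaluates an `Order Deny,Allow` / `Deny from all` / `Allow from ...` block and on what an "IP range" looks like in that syntax (post 3 asks about it; post 4 explains the trade-off). The following is an added example, not code from the thread or from the BPS plugin: a small Python evaluator of Apache 2.2-style host rules that shows why a single-address `Allow from` locks out tomorrow's DHCP lease, and how a partial address (`Allow from 203.0.113`), a CIDR prefix, or a dotted netmask widens the allowed range. The `.htaccess` fragments and the 203.0.113.x / 198.51.100.x addresses are constructed for the demo (documentation address space), and the `<FilesMatch>` pattern is illustrative rather than BPS's own.

```python
import ipaddress

# Constructed .htaccess fragments modelled on the Deny/Allow block discussed in
# the thread (not BPS's generated code). 203.0.113.0/24 is documentation space.
SINGLE_IP_RULES = r"""
<FilesMatch "^(\.htaccess|wp-config\.php|php\.ini)$">
Order Deny,Allow
Deny from all
Allow from 203.0.113.45
</FilesMatch>
"""

# Apache 2.2 treats a partial dotted address as "every host whose leading octets
# match", so "203.0.113" means the whole 203.0.113.0/24 block.
PARTIAL_RULES = """
Order Deny,Allow
Deny from all
Allow from 203.0.113
"""

# CIDR prefix and dotted-netmask forms are also accepted by mod_authz_host.
CIDR_RULES = """
Order Deny,Allow
Deny from all
Allow from 203.0.113.0/24 198.51.100.0/255.255.255.0
"""


def parse_host_token(token):
    """Turn one 'Allow/Deny from' argument into an ip_network.
    Supports 'all', full IPv4, partial IPv4 ('10.1'), CIDR and dotted netmask.
    Hostname/domain arguments are not handled by this helper."""
    token = token.strip()
    if token.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in token:
        # ip_network accepts both "10.0.0.0/8" and "10.0.0.0/255.0.0.0"
        return ipaddress.ip_network(token, strict=False)
    octets = token.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported host token: {token!r}")
    # Missing trailing octets mean "any value": /8, /16 or /24
    prefix = 8 * len(octets)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)


def parse_rules(htaccess_text):
    """Collect Order, Deny and Allow directives; container tags are skipped."""
    order = ("deny", "allow")  # Apache's default when Order is absent
    deny, allow = [], []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        kw = parts[0].lower()
        if kw == "order" and len(parts) == 2:
            first, second = parts[1].lower().split(",")
            order = (first, second)
        elif kw in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            target = deny if kw == "deny" else allow
            target.extend(parse_host_token(t) for t in parts[2:])
    return order, deny, allow


def is_allowed(client_ip, htaccess_text):
    """Apply Apache 2.2 Order semantics to one client address."""
    order, deny, allow = parse_rules(htaccess_text)
    addr = ipaddress.ip_address(client_ip)
    in_deny = any(addr in net for net in deny)
    in_allow = any(addr in net for net in allow)
    if order == ("deny", "allow"):
        # Deny first; a matching Allow overrides it. Default: allowed.
        return in_allow or not in_deny
    if order == ("allow", "deny"):
        # Must match an Allow, and no Deny may match. Default: denied.
        return in_allow and not in_deny
    raise ValueError(f"unsupported Order: {order}")


if __name__ == "__main__":
    today, tomorrow = "203.0.113.45", "203.0.113.200"  # constructed DHCP leases
    for name, rules in (("single IP", SINGLE_IP_RULES),
                        ("partial", PARTIAL_RULES),
                        ("cidr/netmask", CIDR_RULES)):
        print(f"{name:13} today={is_allowed(today, rules)} "
              f"tomorrow={is_allowed(tomorrow, rules)}")
```

Running it shows the single-address rule admitting today's lease and rejecting tomorrow's, while the partial and CIDR forms admit both; the wider the prefix, the more of the ISP's other customers are admitted along with you, which is the security-versus-convenience point made above. On the MAC-address idea from post 3: a MAC address is a link-layer identifier that never leaves the local network segment, so a remote web server cannot see it and `.htaccess` has no way to match on it.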

  5. fotofashion
    Member
    Posted 3 years ago #

    Thanks a lot for taking the time to explain this matter in detail. I indeed did not quite understand the impact of the "deny/allow" directive. Now it's pretty clear to me.

    Thanks a lot!
    Andreas

  6. lauren du toit
    Member
    Posted 2 years ago #

    Okay, so I have installed BPS 46.8 and it works, but every time my internet connection goes down and my IP changes I can't access my site. All I get is this....

    Your IP Address is: xxx.xxx.xxx.xxx

    Which does not match the IP addresses in my root .htaccess files or any of the other BPS .htaccess files.

    I have tried to correct this manually by editing the files, but nothing has helped... with the exception of just deleting everything.

    Also, my BPS is under maintenance mode. I can still enter my dashboard, and my site is http://healthandbeautyguide.co.za

    Any ideas???

  7. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Yes, your IP address changes because the IP address your ISP gives you temporarily is dynamic, using the Dynamic Host Control Protocol (DHCP). If you are in Maintenance Mode and your IP address changes, you will have to edit the Maintenance Mode .htaccess file each time your IP address changes. To get out of Maintenance Mode you can just delete the .htaccess file and log back into your website. If you put your website back in Maintenance Mode again, then the dynamic IP address that you are given by your ISP will only be good temporarily - usually until you break your Internet connection.
