WordPress.org

Ready to get started?Download WordPress

Forums

BulletProof Security
[resolved] Updates are changing permissions (9 posts)

  1. leejosepho
    Member
    Posted 1 year ago #

    The Automatic htaccess file updating Alert goes away after my browser is refreshed, but permissions for .htaccess are 644 after the update rather than at 404 where I had them. Has that always been the case, or is that something I have just discovered now that I am watching and using BPS recommendations for permissions settings?

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    For some reason on certain Servers/Hosts/WordPress installation types or some other unknown factor the autolock does not kick in and lock the root .htaccess file again. This is rare so I am still gathering all the information to try and figure out why this occurs on some sites.

    Which web Host do you have?
    What WordPress installation type do you have? Single/Standard, Network/Multisite, BuddyPress (single or Network) or Giving WordPress its own Directory?
    What permission setting do you have for your website root folder? You will find this on the Security Status page under Permissions.

  3. leejosepho
    Member
    Posted 1 year ago #

    I have three sites hosted at BlueHost. Each site is unique (completely separate and having its own htaccess) inside its own folder inside public_html.

    What permission setting do you have for your website root folder? You will find this on the Security Status page under Permissions.

    By "website root", I assume you mean each site's own folder inside public_html, and BPS (also unique at each site) shows that as being 705...and I have just now realized I had visually switched "current" and "recommended" when looking through all of those settings yesterday. So, I will change each site's 705 back to 750 in the morning, but I am pretty sure 750 was there at the time of the BPS update.

    Question: What permissions would you recommend for the public_html folder containing all three sites?

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    There seems to be a new trend with web hosts using 705 permissions for the root folder, which is excellent. 705 is safer than 750. If your root folder permissions are currently 705 then leave them at 705. If you change them to 750 you may see a Forbidden error or 500 error so I do not recommend changing permissions to something less secure for both reasons.

    BPS can still automatically update files if your root folder permission is set to 705 so that would not be the issue/problem.

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I believe what is happening in some cases is that when the function that writes new .htaccess code gets to the final SAPI check there is some condition/factor that causes this to not fire at the right time. I believe the SAPI check is firing prematurely in that write function so the file does not get locked after writing is completed.

    If this theory is correct then doing something like rerunning the SAPI check again based on X conditions/factors should fix this issue in all cases.

  6. Speculator
    Member
    Posted 1 year ago #

    Along this same line, my question is:

    I did a fresh install of wordpress and added your plugin last after I configured my .htaccess file with several customizations. Apparently this was a bad idea because all my customizations disappeared. If this is the case, then this should be stated in the upfront language for this plugin installation: Warning, installing Bulletproof Security will remove any custom .htaccess changes you have made...

    So,

    Why does your plugin (overwrite,strip out, or delete these)...I assume this is what is happening because I had three security related codes in mine that are no longer in the file. And on your screen the following statement is made about my .htaccess file:
    # If you edit the line of code above you will see error messages on the BPS Security Status page
    # WARNING!!! THE default.htaccess FILE DOES NOT PROTECT YOUR WEBSITE AGAINST HACKERS
    # This is a standard generic htaccess file that does NOT provide any website security
    # The DEFAULT .HTACCESS file should be used for testing and troubleshooting purposes only
    First of all, if this is true, then why is it every security blog out there makes security recommendations that one should add to this file?

    And if I am not to add code to this file, which of the .htaccess files should I add it to(admin, secure, or root?)...such as compression rewrite rules, etc.,

    Here are the choices:
    File Open and Write test successful! The secure.htaccess file is writable.
    File Open and Write test successful! The default.htaccess file is writable.
    File Open and Write test successful! The maintenance.htaccess file is writable.
    File Open and Write test successful! The wpadmin-secure.htaccess file is writable.
    File Open and Write test successful! Your currently active root .htaccess file is writable.
    File Open and Write test successful! Your currently active wp-admin .htaccess file is writable.

    Do I unlock the file prior to adding and then relock? It seems that I can write from your admin screen without doing unlocking.

    Now, I added compression code the secure .htaccess file after being advised on the google pagespeed insights website that it is an urgent problem. After adding this code I go back and it tells me it is still a problem. If something in your plugin preventing this file from being read?

    I would appreciate your help with this.

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    The Setup steps help information states this in Bold text:

    Backup your existing htaccess files if you have any first by clicking on the Backup & Restore menu tab - click on the Backup htaccess files radio button to select it and click on the Backup Files button to back up your existing htaccess files.

    If you would like to add your custom .htaccess code and have it saved permanently and always have it be written to your root .htaccess file then use the BPS Custom Code feature.

    BPS .htaccess code cannot be used as stand-alone .htaccess code - it must be integrated into the WordPress Rewrite Loop in order for it to work correctly at all URL rewriting levels higher than the base URL or RewriteBase.

    You are misinterpreting the help text. There is a secure.htaccess file and a default.htaccess file. The secure.htaccess file has security coding and the default .htaccess file is a standard WordPress Default .htaccess file. The DEFAULT .HTACCESS file should be used for testing and troubleshooting purposes only - this is simply a warning that you are not using the secure.htaccess file/have no security applied to your website.

    For the rest of your questions you can either click on the Blue Read Me help buttons that contain extensive help information throughout BPS or you can check out the BulletProof Security Forum: http://forum.ait-pro.com/forums/topic/read-me-first-free/

    In general I try to keep reponses in the WordPress Forum as short and sweet as possible. The main reason for this is I end up answering the same exact questions over and over. The BulletProof Security Forum is using the BuddyPress Global/Sitewide Unified Search plugin which produces accurate and relevant search results so typically I only have to answer a question once. ;)

  8. Speculator
    Member
    Posted 1 year ago #

    It's funny that you dodged my main questions telling me to read your documentation. I just unplugged your plugin and it left behind a bunch of your code. What gives? Do you play dirty with people that unplug you? Now I get a bunch of 404 errors with missing pages, so why don't you email me personally at thelastpaper@yahoo.com so we can sort this out...I dont appreciate having my site broken by crap left behind by your plugin.

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I did not dodge your questions.
    Please remove the BPS plugin from your website using these steps below. Thank you.

    BPS removal steps:

    1. Activate Default Mode on the Security Modes page.
    2. Use the Delete wp-admin .htaccess feature on the Security Modes page.
    3. Deactivate and delete BPS on the WP Plugins page.

    Unable to login into your website:

    1. Use FTP or your Web Host Control Panel File Manager and delete the .htaccess file in your website root folder and the .htaccess file in your wp-admin folder.
    2. Log into your website, click the BPS AutoMagic Buttons and Activate all BulletProof Modes.

    If you have already deleted the BPS plugin then manually delete the .htaccess file in your website root folder and the .htaccess file in your wp-admin folder. Thank you.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.