
BulletProof Security

WordPress Website Security Protection: Firewall Security, Login Security, Database Security... Effective, Reliable, Easy to use...


  • BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
  • Setup & Overview Video Tutorial Created|Added: Link to video tutorial is posted on BPS plugin Description page and htaccess Core Security Modes page.
  • DB Backup: Backup Files Download|Delete Form scrollable table added and additional Read Me help information added.
  • Inpage Status Display: Condition added to only load the Inpage Status Display on BPS plugin pages.
  • WP Toolbar Functionality In BPS Plugin Pages: Default Network/Multisite menu items (nodes) added.
  • Security Status: Inpage Status Display Turn On|Off Form action link correction to #bps-tabs-2 tab page.


  • BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
  • Inpage Status Display Turn On|Off code correction.
  • System Info page conditional check added for: gc_enabled & gc_collect_cycles functions.
  • Read Me help text added for: Inpage Status Display and Reset|Recheck Dismiss Notices options.
  • Link to Security Modes page added to wp-admin htaccess file alert.


  • Summary Only: See the BPS plugin Whats New tab page for full descriptions and details
  • New Feature|Visual Enhancement: Inpage Status Display
  • New Features|Options|Visual Enhancements: UI|UX|Theme Skin | Processing Spinner | WP Toolbar
  • New Feature|Option: Turn On|Off The Processing Spinner
  • New Feature|Option: WP Toolbar Functionality In BPS Plugin Pages
  • New Feature: Memory Usage and Script Completion Time Check|Display
  • New Features|Options|Visual Enhancements: DB Backup & Security
  • New Feature|Option: Create Backup Jobs: Rename|Create|Reset Tool
  • System Info: New Check Added | Changes
  • htaccess Core: Security Status Page Changes
  • BPS Submenu Name Change: UI Theme Skin submenu name has been changed to: UI|UX|Theme Skin | Processing Spinner | WP Toolbar
  • BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
  • Dismiss Notices button/link reload current page based on Request URI or Query String.
  • Optimization|Performance: All BPS pages and functions.
  • Obsolete functions/code removed/deleted.
  • BPS plugin register scripts|styles | Enqueue scripts|styles | Dequeue plugin|theme scripts|styles loading in BPS plugin pages combined into one function. Additionally eliminated bloated individual load settings page code.
  • Additional variable check for conflicting|contradictory Automatic Update message/alert issue.
  • WordPress Plugins page|BulletProof Security plugin "Settings" link name change to "Setup Steps".
  • Maintenance Mode menu page will not be displayed if wp-admin BulletProof Mode has been disabled.


  • Maintenance Mode Network/Multisite Subdomain Completion:
  • Maintenance Mode coding work has been completed for Network/Multisite subdomain site types. Maintenance Mode now works for every/all WordPress site types, BuddyPress and bbPress site types.
  • BugFixes/Code Corrections/Misc/CSS/Visual/Other:
  • master-backups folder creation fix for unusual scenarios.
  • Automatic correction during upgrade for any existing timthumb RFI filter duplicate Referer lines.


  • WordPress 4.1 jQuery UI Compatibility Code Correction:
  • Bug: BPS jQuery UI Dialog Read Me help window position not centered in WordPress 4.1.
  • Fix: Corrected the BPS jQuery UI Dialog Position Method code by adding the appropriate "my" and "at" options.
  • Note: For anyone else experiencing this issue see this Forum Topic for the solution: jQuery UI Dialog window position not centered
  • Help Link Corrections:
  • Special thanks to WordPress Member: mrppp for finding and reporting invalid help links in BPS.


  • Significant Root and wp-admin htaccess File Changes:
  • See the BPS plugin Whats New page for more details.
  • Root htaccess File/Code Fix: Removal of additional instances of "BEGIN WordPress" and "END WordPress" text from the root htaccess file which caused multiple instances of the default wp htaccess code to be created in the root htaccess file when the WP flush_rewrite_rules function was executed by other plugins and themes.
  • htaccess Help Text Improvement Overall: The help text throughout both the root and wp-admin htaccess files was very dated and was in need of updating. Better/clearer examples have been created in the help text. Overall the htaccess files are more streamlined and less cluttered looking visually.
  • Structure/Order Code Changes: Several blocks of htaccess code have been structured differently as far as the general order/sequence of code goes in the root htaccess file and more importantly what code will remain in the root htaccess file in the event that the WP flush_rewrite_rules function is executed by another plugin or theme. There are several technical reasons for making these structure/order changes, which I will not bore you with. Basically things are structured/ordered much better for any/every possible scenario that may occur.
  • Note: This is a one-time BPS Update that requires manual steps to be performed. All future versions of BPS will do the normal/typical automatic update of the BPS htaccess files. Overall we felt that creating a Notice about these significant changes vs just doing a normal automatic update was the best route to take for the primary reasons stated above and some additional reasons not stated here.
  • New Custom Code Text Boxes Added:
  • BugFixes/Code Corrections/Misc/CSS/Visual/Other:
  • Custom Code accordion is now using tables vs CSS divs for cross Browser visual compatibility and obsolete CSS code has been removed for the CSS divs.
  • Overall inpage Custom Code help text information/example improvements.
  • Network/Multisite Net Correction code/check removed. No longer needed and is now obsolete.
  • Remote Address IP check added in the 403.php Security logging template. Will display current IP address for troubleshooting purposes.


  • Obsolete File Deletion:
  • Special thanks to Pietro Oliva for finding and reporting Form code sanitization issues in the stand-alone bpsunlock.php file/Form code. The bpsunlock.php stand-alone Login Security user account unlock file/Form has been removed/deleted from BPS. After review of the usefulness of this Form it was decided that instead of spending the time to sanitize the Form code the bpsunlock.php file/Form has instead been removed/deleted from BPS.


  • BugFix/Code Correction:
  • System Info page HTTP_HOST variable fallback for SERVER_ADDR IP address retrieval code correction. Missing gethostbyname function has been added to the HTTP_HOST variable IP address fallback and is now returning an IP address correctly.
  • Code Correction/Sanitization:
  • System Info page Check Headers Tool Form code sanitization. Special thanks to Benjamin Kunz Mejri for finding and reporting this Form code sanitization issue that needed to be corrected.


  • System Info Enhancements/Improvements/Additions:
  • DNS Name Server checking code performance improvement and conditional checking added based on domain labels. Network/Multisite subdirectory/subdomain site type check added and changes to existing conditional checks. output_buffering directive variable check changed and text correction. Additional conditional checks for PHP Actual Configuration Memory Limit. Will display color coded recommendations and/or memory limits. Various naming/text changes.
  • htaccess Core Structural Core Changes:
  • Reduction in size of large Options Core file by creating additional conditional supporting files with require. Deny All htaccess file is created in the new /core/ folder on init to protect the options.php core file. Other internal Core stuff.
  • Security Log Design/Visual/Enhancement Changes:
  • Auto-Locking added to Security Log Turn On/Off Forms. The root .htaccess file is automatically locked again if it was locked. Cross Browser compatibility visual display issues/problems with Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.
  • Login Security Visual/Design Change:
  • Cross Browser compatibility visual display issues/problems with Option/Settings & Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.
  • DB Backup Log Visual/Design Change:
  • Cross Browser compatibility visual display issues/problems with Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.
  • Custom Code Network/Multisite Additional Text Box:
  • CUSTOM CODE WP REWRITE LOOP END: Add WP Rewrite Loop End code here. This is a Special Network/Multisite Custom Code text box that should ONLY be used if the correct WP REWRITE LOOP END code is not being created in your root .htaccess file by AutoMagic. This Custom Code text box and Read Me help text is ONLY displayed if you have a Network/Multisite website.
  • BugFixes/Code Corrections/Misc/CSS/Visual/Other:
  • Backend Maintenance Mode causing crashes due to newline not being generated in some cases. Additional newline added to wp-admin backend MMode htaccess writing code base.
  • Removal/Deletion of obsolete usage of bps_DNS_NS() function.


  • Quickie BugFix Release - released 1 hour after release of .50.7:
  • Network/Multisite BPS plugin Network Activation correction:
  • Conditional wrap added for blog_id 1


  • htaccess Core Security Modes AutoMagic Buttons:
  • BPS automatically detects your site type and displays the correct AutoMagic buttons for your site type. Other site type AutoMagic buttons are no longer displayed on the Security Modes page.
  • Network/Multisite One Time Code Correction:
  • If you have a Network/Multisite website/installation of WordPress you will see a one time htaccess code correction Notice message displayed to you with steps to perform the one time code correction when you upgrade BPS.
  • Go Daddy Managed WordPress Hosting:
  • If you have Go Daddy Managed WordPress Hosting see the BPS Whats New tab page within the BPS plugin.
  • BugFixes/Code Corrections/Misc/CSS/Visual/Other:
  • Maintenance Mode countdown timer email website link correction for subdirectory websites.
  • Maintenance Mode CSS visual improvements/changes/corrections.
  • WordPress 4.0 RC1 final testing completed - no issues or problems.
  • Delete old BPS bulletproof-security_info transient content on upgrade.
  • Enjoy!


  • New Option: Login Security & Monitoring Sort DB Rows:
  • The Ascending Show Oldest Login First option displays logins from the oldest logins to your site to the newest logins to your site. The Descending Show Newest Login First option displays logins from the newest logins to your site to the oldest logins to your site. Example usage: Enter 50 for the Max DB Rows To Show option, which will show a maximum of 50 database rows/logins to your site and set Sort DB Rows option to Descending Show Newest Login First. You will see the last 50 most current/newest logins to your site in descending order.
  • Enhancements: Login Security & Monitoring:
  • CSS max-height changed from 1000px to 600px for the scrollable Dynamic DB table. 600px is a much better/more manageable viewing area.
  • Lock, Unlock and Delete labels for individual checkboxes in Dynamic DB search form and standard form.
  • DB Query improvement for the Dynamic DB standard form.
  • New Option: htaccess Core wp-admin BulletProof Mode Enable/Disable wp-admin BulletProof Mode:
  • This option is ONLY for Hosts that do not allow .htaccess files in the wp-admin folder. Go Daddy Managed WordPress Hosting (not standard Go Daddy Hosting) is the only known hosting account type where this option should be set to: Disable wp-admin BulletProof Mode. For everyone else you do not need to use this option. The default setting is already set to: Enable wp-admin BulletProof Mode.
  • Improvement: htaccess Core root domain label retrieval/writing:
  • Improvement to htaccess Core code when retrieving & writing domain labels. Impact: Folks with 3+ domain label naming conventions such as: http://www.label1.label2.label3.
  • Enjoy!


  • Login Security Password Reset BugFix & New Option:
  • BugFix: The Lost your password link was not being displayed when Login Security was turned Off.
  • New Option: Turn Off Login Security/Use Password Reset Option ONLY.
  • Enjoy!


  • BugFixes/Code Corrections/Misc/CSS/Visual/Other:
  • DB Backup: backticks added to DB Backup Query to allow for hyphenated or other special characters in DB naming conventions.
  • DB Backup dynamic DB table: max-height CSS change
  • Login Security CSS auto-scroll: max-height CSS change
  • DB Table Prefix Changer: Additional check for writable files for DSO server types.
  • Root and wp-admin filter change
  • Log timestamps synchronized to GMT: All log timestamps are now synchronized to GMT time.
  • Enjoy!


  • Correction/BugFix/Improvement: root and wp-admin .htaccess filters/rules change/correction/improvement. See the BPS Whats New tab page for more details.
  • Thanks goes to aselektor for spotting and reporting this.
  • Enjoy!


  • New Feature: DB Backup. Manual or scheduled (Hourly, Daily, Weekly and Monthly) database backups. Send DB Backups via email etc.
  • New Feature: DB Backup Log. The Backup Job Completion Time, Zip Backup File Name, timestamp, etc. are logged. Backup Job Settings are logged.
  • New Feature: DB Table Prefix Changer.
  • New Feature: UI Theme Skin. 3 UI Theme Skins: Blue Gel Classic UI Theme, Light Grey jQuery UI Theme, Dark Black WP UI Theme.
  • Root .htaccess Security Filters Change: See the BPS Whats New tab page for more details.
  • Login Security New Option/Option Change & Misc: Disable Password Reset Frontend Only, Disable Password Reset Frontend & Backend.
  • System Info page: added MySQL Extension, MySQLi Extension check.
  • Login Security email message text change when user account is locked.
  • Whitelist the Debug Bar plugin debug-bar css and js scripts.
  • Enjoy!


  • Security Logging major changes/improvements to logging template files/code & start of Phase 1 Security Log Solution Targeting: The Security Logging code has been significantly improved in BPS .50.1. Logging is more streamlined, performance optimized & faster than in previous BPS versions, even with the new general conditional pattern checking code added.
  • As of BPS .50.1 two new Security Log Fields have been added to Security Logging: Event Code and Solution. In Phase 1 of Security Log Solution Targeting the primary focus is on detecting possible Plugin Skip/Bypass rules & wp-admin Skip/Bypass Rules issues that need/require a one-time solution. Since 99.99% of the Security Log entries are blocked/forbidden hackers, spammers, scrapers, harvesters, miners, bad bots, etc. then the Security Log checking conditions can and should be streamlined/performance optimized by only looking at pattern matches in a broad scope.
  • Maintenance Mode Accordion: Maintenance Mode Accordion created for better functionality/usability. Code correction: Maintenance Mode website name not displayed in the reminder email. Code correction: Maintenance Mode Apostrophes/single quote code character displayed with an escape backslash.
  • New Bonus Custom Code/Dismiss Notice: WordPress XML-RPC DDoS Protection: Special Thanks goes to Gary Gordon for reporting the recent WordPress XML-RPC exploits/attacks. The XML-RPC DDoS PROTECTION Bonus Custom Code .htaccess code completely turns off/disables IXR-RPC Client/Server capabilities on a website by protecting the WordPress xmlrpc.php file from being publicly accessible, which prevents the IXR XML-RPC Client/Server connection. Using this Bonus Custom Code will turn off/disable remote posting capability from Weblog Clients (A Weblog Client is software you run on your local machine (desktop) that lets you post to your blog via XML-RPC), unless you add (whitelist) your IP address in the XML-RPC DDoS PROTECTION Bonus Code.
  • New Dismiss Notice Added: WordPress Firewall 2 plugin check: The WordPress Firewall 2 plugin contains a coding mistake and has not been updated in over 3 years. The wp-admin area is supposed to be whitelisted by default, but that code is not working correctly, which breaks several things in the BPS plugin. The Dismiss Notice will alert users to this existing problem.
  • New/Updated Help & FAQ Help Links: Help & FAQ tab pages have updated links, old/outdated links removed, etc.
  • Enjoy!


  • Bugfix/Code Correction: Maintenance Mode str_replace has been changed to dirname for GWIOD site types to get the site root index.php file path
  • Special Thanks go to Eddy Estevez for reporting this bug.
  • Enjoy!


  • New Feature: Maintenance Mode - FrontEnd/BackEnd Maintenance Mode (Maintenance Mode Guide): The previous Maintenance Mode feature in BPS has been completely removed/replaced with the new Maintenance Mode feature in BPS .49.9. This is a completely new BPS feature. The new BPS Maintenance Mode design includes 20 background images, 15 center images (text box image), allows you to embed image files and YouTube videos, FrontEnd Maintenance Mode, BackEnd Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes and most importantly is fast and simple to use so that you can switch in and out of Maintenance mode quickly and easily. Background image files/options and Center images (text box image) are independent of each other so that you can mix and match different background images with different Center images (text box image).
  • New Headers check tool added to the System Info page: Check your website Headers or another website's Headers by making a GET Request. Both GET and HEAD Headers checking is now available on the System Info page.
  • New System Info checks: Standard/GWIOD Site Type, BuddyPress and bbPress. If GWIOD site type display WordPress Address (URL) and Site Address (URL).
  • BPS Plugin/Theme Script Dequeue function added: Dequeue any/all other plugin or theme scripts that attempt to load in BPS plugin pages: A new BPS function has been added that Dequeues any/all other plugin or theme scripts on/in BPS plugin pages ONLY. Those scripts cause a wide variety of problems for BPS, such as broken plugin functionality, broken menus and pages not displaying visually correctly. This new BPS Dequeue function only runs on/in BPS plugin pages and does not run anywhere else or affect anything else on a website. The BPS Dequeue function is only designed to prevent any other plugins or themes from loading their scripts in BPS plugin pages and does not do or affect anything else on a website.
  • Security Log Code Correction/Enhancement: Security Log User Agent/Bot filter auto-updated during BPS upgrade: T

Requires: 3.0 or higher
Compatible up to: 4.2
Last Updated: 2015-2-24
Active Installs: 100,000+


4.8 out of 5 stars


33 of 37 support threads in the last two months have been resolved.
