WordPress.org

Plugin Directory

BulletProof Security

WordPress Website Security Protection: Firewall Security, Login Security, Database Security... Effective, Reliable, Easy to use...

How do the BulletProof Security Plugin htaccess Core (Firewalls) work?

The BulletProof Security Plugin allows you to create and activate .htaccess website security with one-click (figuratively) for your website without having to know anything about .htaccess files. The Master .htaccess files are pre-made and BPS writes additional .htaccess code that is customized to each specific website when you run the Setup Wizard or if you use the Manual Controls. There is nothing to figure out or to configure. Either run the Setup Wizard or use the Manual Setup Controls: Click the AutoMagic buttons (creates customized Master .htaccess files) and Activate BulletProof Modes (copies the customized Master .htaccess files to your root and wp-admin folders). BPS has built-in Backup and Restore and an .htaccess File Editor for full manual editing control as well. BPS Custom Code allows you to add additional custom .htaccess code or BPS Bonus Custom Code and save it permanently so that your saved code is always written to/included in your htaccess files.

Does BulletProof Security Have Built-in Troubleshooting|Diagnostic|Logging|Whitelisting Capability?

Yes. Troubleshooting|Diagnostic|Logging|Whitelisting is built-in to BulletProof Security. The Setup Wizard performs Pre-Installation Checks to check for any pre-existing issues that could cause any issues or problems and displays exactly what needs to be done to fix the issue. The primary troubleshooting feature in BulletProof Security is the BPS Security Log. The primary whitelisting feature in BulletProof Security is BPS Custom Code. The BPS Security Log logs blocked hackers, spammers, bad bots, etc. and also logs anything else that is blocked by BPS. If something legitimate is being blocked in another plugin or theme that needs to be allowed/whitelisted then the BPS Security Log entry will contain all the information about what exactly is being blocked so that a whitelist rule can then be created in BPS Custom Code. The BPS Security Log also logs all other 403 errors that occur on your website whether or not they are related to or caused by BPS. Turning Off BPS Security Logging will allow your server to handle error logging and display your server error message instead of BPS displaying the standard 403 template file error message. This is also considered a troubleshooting method to determine if an error is actually coming from your server and not the BPS plugin.

Do I need to understand .htaccess code in order to use BulletProof Security?

No. We use a paint by numbers approach, have extensive documented help and fixes on our Forum site and provide exact steps to perform any tasks that need to be done such as adding whitelist rules or other custom code. ie do Step 1, Step 2, Step 3. BPS creates customized .htaccess files for your website by either running the Setup Wizard or clicking the AutoMagic buttons and activating BulletProof Modes. You do not need to know anything about .htaccess website security files or code in order to use the BulletProof Security plugin. Extensive help information can be found in the Read Me help buttons in BPS. The Help & FAQ tab pages in BulletProof Security contain links to BulletProof Security Forum help topics and video tutorials. The process of adding Custom Code or adding whitelisting rules is automated - See the Custom Code Read Me help button for Custom Code steps.

Will BulletProof Security or .htaccess files or .htaccess code cause my website to run slower?

No. BulletProof Security or .htaccess files/code in general will not cause a website to run slower. BulletProof Security is website performance optimized and uses very little/low website resources and very little Server memory. BulletProof Security uses a finite number of security rules/filters/code in all .htaccess files. Note: Both W3 Total Cache and WP Super Cache use .htaccess code to speed up website performance.

Can BulletProof Security speed up my website and make it run faster?

Yes. BulletProof security can speed up your website and make it run faster if you use the Speed Boost Cache Bonus Code and add it to BPS Custom Code. See the BulletProof Security Bonus Custom Code section on the BulletProof Security plugin Description page for a link to the Speed Boost Cache Bonus Code.

How does BulletProof Security Plugin Login Security & Monitoring work?

BulletProof Security Login Security & Monitoring allows you to choose whether you want to Log All User Account Logins or Log Only User Account Lockouts. The Dynamic DB Logging Form has 3 checkbox options: Lock, Unlock or Delete database rows. The Login Security database table is hooked into the WordPress Users database table, but they are 2 completely separate database tables. If you lock a User Account then BPS will enforce that lock on that User Account and the User will not be able to log in. If you unlock a User Account then the User will be able to log in. Deleting database rows in the Login Security database table does NOT delete the User Account from the WordPress Users database table. Deleting a User Account's row from the Login Security database table is pretty much the same thing as unlocking that User Account. To delete actual User Accounts you would go to the WordPress Users page and delete that User Account.

What to do if your User Account is locked out by Login Security and you are unable to log in?

Use FTP or your web host control panel file manager and rename the /bulletproof-security/ plugin folder name to /_bulletproof-security and login to your website. After logging into your website, rename the /_bulletproof-security/ plugin folder name back to /bulletproof-security/. Unlock your User Account on the BPS Login Security and Monitoring page.

What to do if you cannot log back into your website due to an htaccess file/code problem?

If you accidentally activated BulletProof Modes without first running the Setup Wizard or clicking the AutoMagic buttons or you added additional invalid custom htaccess code to BPS Custom Code or your web host does not allow you to lock your root .htaccess file and your htaccess file was locked: Use FTP or your Web Host Control Panel File Manager and delete the .htaccess files that BPS creates in your website root folder and your wp-admin folder. Deleting the .htaccess files in your website root folder & wp-admin folder will allow you to log back in to your website. If your web host does not allow locking the root .htaccess file then go to htaccess File Editor tab page and click the Turn Off AutoLock button. Either run the Setup Wizard again or click the AutoMagic buttons and activate BulletProof Modes again. If the problem was caused by invalid custom htaccess code added to BPS Custom Code then remove/delete the invalid custom htaccess code from BPS Custom Code before activating BulletProof Modes again.

Do Idle Session Logout (ISL) or Auth Cookie Expiration (ACE) affect all website visitors to your website?

The Idle Session Logout (ISL) javascript code is only loaded if a User is logged into your website (depends on your ISL option settings for User Accounts/Roles) and is specific to only that User's Browser/Client Browser and Login Session. Auth Cookie Expiration (ACE) is a WordPress Authentication Cookie that is set when a User logs into your website. Visitors that visit your website that are not logged into your website are not affected in any way by ISL or ACE.

Can Idle Session Logout (ISL) be used to log all Users out of a site?  Can ISL be used to prevent anyone from logging into a site?

Yes. If you set the Idle Session Logout Time in Minutes to 0 then this will logout all logged in Users and also logout a User as soon as they login. CAUTION: If you do NOT enter your User Account name in the ISL User Account Exceptions text box then you will also be logged out of the site and will not be able to login to the site. If you accidentally lock yourself out of your site then use the BPS Pro XTF tools Turn Off|Deactivate Idle Session Logout (ISL) XTF Form option if you have BPS Pro installed. For BPS free, use FTP or your web host control panel file manager and edit the /bulletproof-security/bulletproof-security.php file and change: if ( $BPS_ISL_options['bps_isl'] == 'On' ) {  to: if ( $BPS_ISL_options['bps_isl'] == '0' ) { (you are changing the value from "On" to "0"). Log into your site, go to the ISL page and change/fix your ISL settings.

Can the Idle Session Logout Time be changed while Users are logged in or after a User has already logged in?

Yes. ISL is Client Browser based and the Idle Session Logout Time is a variable that has a value that can be changed "on the fly". Example: If UserA and UserB login to your site and the Idle Session Logout Time was 60 minutes when they logged in and you change the Idle Session Logout Time to 1 minute while UserA and UserB are logged into your site then UserA and UserB and all other Users that are logged into your site (depending on your ISL option settings) will be automatically logged out after being idle/inactive for 1 minute.

Can the Auth Cookie Expiration Time be changed while Users are logged in or after a User has already logged in?

Yes and No. Yes, you can change the Auth Cookie Expiration Time option setting for all Users (depending on your ACE option settings), but the WordPress Authentication Cookie Expiration time is set when Users log into your site and cannot be changed "on the fly". So if you change the Auth Cookie Expiration Time while UserA and UserB are already logged into your site then the new Auth Cookie Expiration Time that you choose will not take effect until after UserA and UserB logout and log back into your site. The WordPress Authentication Cookie Expiration time can only be set/reset at login. This is the default functionality of the WordPress Authentication Cookie.
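A simplified model of an authentication cookie whose expiration is fixed and signed at login, showing why a later change to the setting does not reach cookies that were already issued. This is an added example, not WordPress or BPS code; the field layout, the key and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed key for the demo; a real site derives its key from its own secrets.
SECRET_KEY = b"constructed-demo-key"


def _mac(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username, lifetime_seconds, now):
    """Build 'username|expiration|mac' from the lifetime configured at login."""
    payload = f"{username}|{int(now) + int(lifetime_seconds)}"
    return f"{payload}|{_mac(payload)}"


def validate_cookie(cookie, now):
    """Return (ok, reason). Only the expiry carried inside the cookie is used."""
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return False, "malformed"
    username, expiration, mac = parts
    if not hmac.compare_digest(mac, _mac(f"{username}|{expiration}")):
        return False, "bad signature"
    if int(now) >= int(expiration):
        return False, "expired"
    return True, "valid"


def demo():
    login_time = 1_700_000_000
    configured_lifetime = 48 * 3600      # setting in force when UserA logs in
    cookie_a = issue_cookie("UserA", configured_lifetime, login_time)

    configured_lifetime = 3600           # setting shortened while UserA is logged in
    two_hours_later = login_time + 2 * 3600

    # UserA's cookie still carries the old signed expiry, so it is accepted.
    old_ok, _ = validate_cookie(cookie_a, two_hours_later)

    # A cookie issued after the change carries the new, shorter expiry.
    cookie_b = issue_cookie("UserB", configured_lifetime, login_time + 60)
    new_result = validate_cookie(cookie_b, two_hours_later)

    # The expiry field cannot be rewritten afterwards without breaking the MAC.
    name, exp, mac = cookie_a.rsplit("|", 2)
    altered_result = validate_cookie(f"{name}|{int(exp) + 86400}|{mac}", two_hours_later)
    return old_ok, new_result, altered_result


if __name__ == "__main__":
    print(demo())
```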

How does BulletProof Security FrontEnd|BackEnd Maintenance Mode work?

FrontEnd Maintenance Mode creates template files based on the options you choose and save. When you Turn On Maintenance Mode those template files are copied to the root directory of your website. When you Turn Off Maintenance Mode those template files are deleted from the root directory of your website. Maintenance Mode works by allowing the IP addresses that you enter & save to view the site normally. All other IP addresses will see the Maintenance Mode template page. BackEnd Maintenance Mode writes directly to your wp-admin .htaccess file and adds a deny all block of .htaccess code with the IP addresses that you enter & save when you enable BackEnd Maintenance Mode. When you disable/uncheck BackEnd Maintenance Mode that deny all block of .htaccess code is removed/deleted from your wp-admin .htaccess file. For more extensive help info or CSS Code, Image & Video Embed examples to add in the Maintenance Mode Text, CSS Style Code, Images, Videos Displayed To Website Visitors text area click this Maintenance Mode Guide Forum Topic link: Maintenance Mode Guide.
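One way to review a deny-all block like the one described above is to parse the wp-admin .htaccess text and list exactly which networks it admits. This is an added example, not BPS code or BPS output: the directives are standard Apache access-control syntax, while the sample block, the function names and the "broader than /24" review threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample of a wp-admin/.htaccess allowlist block (not BPS output).
# 203.0.113.10 is a documentation address; 10.1 is a partial private address.
SAMPLE_HTACCESS = """\
# BackEnd maintenance: only listed addresses may reach wp-admin
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 10.1 office.example.org
"""


def _to_network(token):
    """Map an Apache address token to an ip_network, or None if it is not an IP."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}\.?", token):
        # Partial IPv4 such as '10.1' matches the whole 10.1.0.0/16 range.
        octets = token.rstrip(".").split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def audit_allowlist(text):
    """Report the deny-all line, the allowed networks and anything worth reviewing."""
    deny_all, order, allowed, findings = False, None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        low = [w.lower() for w in words]
        tokens = []
        if low[0] == "order" and len(low) > 1:
            order = low[1]
        elif low[:3] in (["deny", "from", "all"], ["require", "all", "denied"]):
            deny_all = True
        elif low[:3] == ["require", "all", "granted"]:
            tokens = ["all"]
        elif low[:2] in (["allow", "from"], ["require", "ip"]):
            tokens = words[2:]
        for token in tokens:
            net = None if token.lower() == "all" else _to_network(token)
            if token.lower() == "all":
                findings.append(f"grants access to everyone: {line}")
            elif net is None:
                findings.append(f"not an IP address (hostname or env match): {token}")
            else:
                allowed.append(str(net))
                if net.version == 4 and net.prefixlen < 24:
                    findings.append(f"broad range {net} covers {net.num_addresses} addresses")
    if not deny_all:
        findings.append("no explicit deny-all line found")
    elif order == "allow,deny":
        findings.append("Order Allow,Deny applies 'Deny from all' last; Allow entries are overridden")
    return {"deny_all": deny_all, "allowed": allowed, "findings": findings}


if __name__ == "__main__":
    for key, value in audit_allowlist(SAMPLE_HTACCESS).items():
        print(key, value)
```

The Order Allow,Deny finding matters for the lockout cases covered elsewhere in this FAQ: with that ordering the listed addresses are denied along with everyone else.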

BPS Alert! Your site does not appear to be protected by BulletProof Security. What does the Alert mean?

The alert means that the currently active root htaccess file that is in use on your website does not contain BPS htaccess security code. You can either run the Setup Wizard again or do the manual setup steps on the htaccess Core Security Modes page to fix this.

Where can I find BulletProof Security additional troubleshooting steps & support?

Please see the BulletProof Security Forum.

BulletProof Security Server Compatibility

  • The Setup Wizard Inpage Pre-Installation Checks perform and display compatibility checking results
  • Compatible with Apache CGI configured Servers
  • Compatible with Apache DSO configured Servers (May require CHOWN Ownership change or file/folder permission changes)
  • DSO Help Info
  • Compatible with Nginx frontend Server with Apache backend Server
  • Compatible with LiteSpeed Servers
  • Compatible with Windows IIS Servers - Windows Hosting - See IMPORTANT NOTES below.
  • If your IIS Server has ISAPI_Rewrite installed then you CAN use .htaccess files/BulletProof Modes.
  • IMPORTANT NOTES: If you have an IIS Server you may or may not be able to use .htaccess files and can only use Login Security & Monitoring. If your IIS Server is using the URL Rewrite Module then you can probably use .htaccess files/BulletProof Modes. If you activate BulletProof Modes and your website crashes then FTP to your website and delete the root .htaccess file and the wp-admin .htaccess file. You will not be able to use .htaccess files on your Server/website and can only use Login Security and the other features in BPS.

Additional BulletProof Security Server Compatibility Info

BulletProof Security uses .htaccess website security files, which are specific to Apache Linux Servers. BPS is compatible with Apache Linux Servers, LiteSpeed Servers, Nginx Servers (if the Nginx Server is the frontend Server and Apache Linux Server is the backend Server). If you do not know what type of Server you have you can check your Server Type and Operating System on the BPS System Info page. You can install BulletProof Security if you have a Windows IIS hosted website to use the additional features in BPS, but may or may not be able to Activate BulletProof Modes depending on what your IIS Server does and does not have installed/configured. Please see the WordPress Codex page Permalinks without mod_rewrite for additional information regarding IIS Servers, and for ISAPI_Rewrite see the Helicon Tech website.

Does BulletProof Security Work on ALL Nginx Servers/Server Configurations?

If you are using both Apache and Nginx together and Nginx is the frontend webserver and Apache is the backend Server used to process PHP then BulletProof Security will work on this type of combined Server Configuration. If you are only using Nginx then an .htaccess file will not work. Nginx has its own rewrite module - HttpRewriteModule and the mod_rewrite equivalent of an .htaccess file has similar, but different coding and is added to an Nginx Server config file. Note: If you are not familiar with Nginx, then it should be noted that Nginx does not have a PHP module like Apache's mod_php, instead you either need to build PHP with FPM (ie: php-fpm/fastcgi), or you need to pass the request to something that can handle PHP.

Are there any known issues or conflicts with other WordPress Plugins or Themes?

Occasionally issues or conflicts do occur with other plugins, but they are always quickly resolved. BulletProof Security is compatible with all other Plugins and Themes. If BulletProof Security is blocking something legitimate in another plugin or theme a whitelist rule can be created in BPS Custom Code to allow/whitelist whatever was being blocked by BPS. Please check the BulletProof Security Plugin Compatibility page for the steps to search for documented plugin or theme whitelist rules.

Does BulletProof Security Work On All Web Hosts?

BulletProof Security works on all web hosts except for these 3 web hosts: Incompatible Hosts. If you have Go Daddy "Managed WordPress" hosting, which is a special type of hosting account and is not a regular/standard Go Daddy hosting account, then click this link for more information: Go Daddy Managed WordPress Hosting. BPS works fine on Go Daddy "Managed WordPress" Hosting.

I am seeing Security Log entries in my BulletProof Security Log. What do they mean?

Your Security Log will log 400, 403 and 404 (requires copying the BPS 404 logging code to your Theme's 404.php Template) Errors. The Security Log logs all 400 and 403 HTTP Response Status Codes by default. You can also log 404 HTTP Response Status Codes by opening this BPS 404 Template file - /bulletproof-security/404.php and copying the logging code into your Theme's 404 Template file. When you open the BPS 404.php file you will see simple instructions on how to add the 404 logging code to your Theme's 404 Template file. 99.99% of what is logged in the Security Log is blocked hackers, spammers, bad bots, scrapers, miners, etc. The Security Log is also a troubleshooting tool. If BPS is blocking something legitimate in another plugin or theme then exactly what is being blocked in another plugin or theme by BPS will be logged in the Security Log. A whitelist rule can be created to allow anything legitimate that is being blocked in another plugin or theme.

HTTP Status Codes (Internet Standard)

  • 400 Bad Request - The request could not be understood by the Server due to malformed syntax.
  • 401 Unauthorized - The request requires user authentication. By default BPS redirects Auth Requests to the correct URI to avoid 404 errors.
  • 403 Forbidden - The Server understood the request, but is refusing to fulfill it.
  • 404 Not Found - The Server has not found anything matching the Request-URI/URL. No indication is given to whether the condition is temporary or permanent.
  • 410 Gone - The requested resource is no longer available at the Server/site and no forwarding address is known. This condition is expected to be considered permanent.
  • 503 Service Unavailable - The Server/site is temporarily performing maintenance. Used in BPS MMode with Retry-After header to indicate when the Server/site will be available again.

Is BulletProof Security Network/Multisite Compatible?

Yes. BulletProof Security works on Network/Multisite site types. Both subdirectory and subdomain .htaccess code is written/created for your specific Network/Multisite site based on your WordPress installation version (pre 3.5 or 3.5+). The BulletProof Security plugin can be Network Activated or you can allow BulletProof Security to be activated individually on each Network/Multisite subsite or of course you can choose not to Network Activate BulletProof Security or allow the BPS plugin on subsites. Super Admins will see BPS Dashboard Alerts and other Status displays on the Primary Site only. Administrators can activate or deactivate BulletProof Security on subsites if you allow this on your Network/Multisite website. The BPS Primary Site Menus will display all BPS menus. The BPS Subsite Menus will display: Login Security, Maintenance Mode, System Info & UI|UX Theme Skin menus. All BulletProof Security features are not available on subsites since Network/Multisite subsites are virtual and do not have physical website folders. All BulletProof Security features work sitewide and affect all other virtual subsites. Login Security and Maintenance Mode work independently on each subsite.

  • Login Security works individually for each specific subsite. Login Security has all the same functionality on Network/Multisite subsites with these exceptions: Login Security email alerting is not available for subsites.
  • Maintenance Mode works individually for each specific subsite. MMode has all the same functionality on Network/Multisite subsites with these exceptions: BackEnd Maintenance is not available on subsites & these Primary site options are not available on subsites: Put The Primary Site And All Subsites In Maintenance Mode & Put All Subsites In Maintenance Mode, But Not The Primary Site.
  • System Info has all the same functionality on Network/Multisite subsites with these exceptions: MySQL Database information is not displayed on subsites.
  • BulletProof Security also works with Network/Multisite Domain Mapping.

Is BulletProof Security BuddyPress/bbPress Compatible?

Yes. BulletProof Security works with all BuddyPress/bbPress site types.

Is BulletProof Security Compatible with subdomain websites and subdirectory websites?

Yes. BulletProof Security works on all types of WordPress installations including "Giving WordPress Its Own Directory" (GWIOD) websites.

Can I add my own .htaccess code to the BulletProof Security .htaccess files?

Yes. Add any additional custom htaccess security code to BulletProof Security Custom Code. Your custom .htaccess code will be saved permanently or until you delete it. Please view the Read Me Help button in Custom Code for specific details and Custom Code setup steps.

Does BulletProof Security automatically create or write .htaccess files?

Yes. BulletProof Security automatically creates customized .htaccess website security files for your specific website with either the Setup Wizard or the Manual AutoMagic controls on the htaccess Core Security Modes page. BulletProof Security also offers full manual control of editing .htaccess files using the built-in .htaccess File Editor. The BPS Master .htaccess files are pre-made. When you run the Setup Wizard or click the AutoMagic buttons your .htaccess Master files are created with specific code for your specific website. You can add additional code to BPS Custom Code or edit the .htaccess files directly or create completely new .htaccess master files from within the WordPress Dashboard using the built-in BPS File Editor or Custom Code - no FTP required - no Web Host Control Panel required. Automation is great, but also having full manual editing control makes BulletProof Security very versatile.

Security Log File Automation - Automatically Zipped, Emailed and Replaced

Security Log files are automatically zipped, emailed and replaced with a new blank Security Log file when the log file reaches the maximum file size setting that you choose. By Default BulletProof Security sets this DB option to zip, email and replace the Security Log file when it reaches 500KB. The Security Log file is checked once per hour with a WordPress Cron. The optimum recommended file size setting is 500KB.

DB Backup Log File Automation - Automatically Zipped, Emailed and Replaced

DB Backup Log files are automatically zipped, emailed and replaced with a new blank DB Backup Log file when the log file reaches the maximum file size setting that you choose. By Default BulletProof Security sets this DB option to zip, email and replace the Security Log file when it reaches 500KB. The DB Backup Log file is checked once per hour with a WordPress Cron. The optimum recommended file size setting is 500KB.

BulletProof Security Fast and Simple with No Manual Configuration or FTP Required

The BulletProof Security WordPress plugin is a one-click security solution that creates, copies, renames, moves or writes to the provided BulletProof Security .htaccess master files. BulletProof Security protects both your Root website folder and wp-admin folder with .htaccess website security protection, as well as providing other additional website security protection. BulletProof Security allows you to add .htaccess website security protection from within the WordPress Dashboard so that you do not have to access your website via FTP or your Web Host Control Panel in order to add website security protection for your WordPress site.

Does BulletProof Security work with Git distributed version control system?

Yes. BulletProof Security works with Git, but does require some additional setup steps. Please see this thread for the setup steps: Git distributed version control system setup steps.

Requires: 3.0 or higher
Compatible up to: 4.2.2
Last Updated: 2015-6-24
Active Installs: 100,000+

Ratings

4.8 out of 5 stars

Support

48 of 51 support threads in the last two months have been resolved.
