Support » Plugins » BulletProof Security plugin – does htaccess need these lines?

  • Resolved orpheus_emerges


    I installed BPS free to a new site that has some plugins installed but NONE are activated.

    I’m getting a
    403 Permission denied
    You do not have permission for this request /wp/wp-admin/plugins.php?…

    when I attempt to delete unwanted plugins.

    I used BPS to backup my wp folder htaccess file, which is one directory below my root, which has its own htaccess file, placed there in my WordPress install modification for “Giving WP its own directory.”

    The root htaccess file is unchanged:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    The wp folder htaccess file, one level below the root, contains numerous modifications by BPS.

    However one thing I notice is that the line <IfModule mod_rewrite.c> under # BEGIN WordPress and the line </IfModule> just before # END WordPress in my root htaccess file are NOT included in the BPS modified htaccess file in my wp install folder, one level below my root.

    Are these lines necessary?

    Could the 403 error attempting to delete plugins be the result of this missing code?

    If so, where should I insert it in BPS modified htaccess?

Viewing 7 replies - 1 through 7 (of 7 total)
  • It sounds like you have not done all the necessary steps correctly for a Giving WordPress its Own Directory (GWIOD) setup. You would need to manually copy the .htaccess file created by BPS to your website root folder for a GWIOD setup and change the RewriteBase and RewriteRules to RewriteBase / and RewriteRule . /index.php [L]

    Have you also done the other required steps for a WordPress GWIOD setup?

    What does this mean? Please explain this more clearly with exact specific details.

    The wp folder htaccess file, one level below the root, contains numerous modifications by BPS.

    The ifModule lines of code are not necessary.

    I have installed, removed, and reinstalled at least 6 WP GWIOD installs over the last two months, each following the instructions on that page:

    I had yet to receive any 403, 404, etc, or any other errors until just after my BPS install when I tried to delete unused plugins.

    Specifically I followed – as far as I know, each time, the following:

    Using a pre-existing subdirectory install

    If you already have WordPress installed in its own folder (i.e. then the steps are as follows:

    Go to the General panel.
    In the box for Site address (URL): change the address to the root directory’s URL. Example:
    Click Save Changes. (Do not worry about the error message and do not try to see your blog at this point! You will probably get a message about file not found.)
    Copy (NOT MOVE!) the index.php and .htaccess files from the WordPress directory into the root directory of your site (Blog address). The .htaccess file is invisible, so you may have to set your FTP client to show hidden files. If you are not using pretty permalinks, then you may not have a .htaccess file. If you are running WordPress on a Windows (IIS) server and are using pretty permalinks, you’ll have a web.config rather than a .htaccess file in your WordPress directory. As stated above, copy (don’t move) the index.php file to your root directory, but MOVE (DON’T COPY) the web.config file to your root directory.
    Open your root directory’s index.php file in a text editor
    Change the following and save the file. Change the line that says:
    to the following, using your directory name for the WordPress core files:
    Login to your site. It should still be
    If you have set up Permalinks, go to the Permalinks panel and update your Permalink structure. WordPress will automatically update your .htaccess file if it has the appropriate file permissions. If WordPress can’t write to your .htaccess file, it will display the new rewrite rules to you, which you should manually copy into your .htaccess file (in the same directory as the main index.php file.)

    My hosting is with Bluehost and Apache/Linux AFAIK, not Windows.

    As such, the only other change instructed above is the change to the index.php:


    which for both of my WP installs was changed to


    And you are correct, I did not copy the new BPS rewrite of .htaccess in my root/wp/ directory to my root directory. I have done that now, but I still can’t delete any plugins.

    As for the above Permalinks reference, with WP 3.3.1, I would get that notice about the rewrite rules – I don’t recall what it was exactly.

    But now, with my WP 3.3.2 GWIOD installs, the Permalinks page just reports “Permalink structure updated.” at the top.

    Before starting this reply, I copied the BPS rewritten .htaccess file in my root/wp/ directory to my root.

    And I still can’t delete any plugins: 403, etc.

    I just clicked Save Changes on that Permalinks page just now – I didn’t change anything, I just clicked Save Changes because I wanted to see what it would say now with the new BPS copy of .htaccess – “Permalink structure updated.” at the top – and it deleted a lot of the material in the copy of the BPS changed .htaccess file in my root/wp/ directory.

    So, I’ve re-copied the original BPS rewrite of .htaccess in my root/wp/ directory back over that Permalinks rewrite that just occurred.

    The size of the file had changed from 11k to 2k approx, and is now the same size as the copy in root/wp.

    The addition of RewriteBase, etc, under the GWIOD section “Pointing your home site’s URL to a subdirectory” had never seemed necessary, since everything always worked as long as I differentiated the url for my domain and for my WP install in the Dashboard General Settings page.

    And that section “Pointing your home site’s URL to a subdirectory” begins with “In some cases…” and I have had no problems with any content or plugins in any of my WP GWIOD installs until BPS.

    If you believe that I need to add some RewriteBase, etc code to my BPS rewritten .htaccess, then I suggest that you tell me exactly where in that, now, large file to put the code.

    I presumed nothing special was required because other than this from the WP/BPS FAQ “BulletProof Security works on all types of WordPress installations including “Giving WordPress Its Own Directory” websites.”, I didn’t notice any other instructions, although it is certainly possible that I missed something.

    Finally, I wrote and you replied:

    What does this mean? Please explain this more clearly with exact specific details.

    The wp folder htaccess file, one level below the root, contains numerous modifications by BPS.

    I don’t know how to explain it. The file is 11k now, with lots of BPS comments and code.

    I don’t know what details you want me to extract from that. When I wrote “The wp folder htaccess file…” I’m referring to the root/wp/.htaccess file, now significantly larger and edited by BPS.

    Do you want me to send you a copy as an attachment?


    Well I am not sure what to tell you to try next.
    I have BPS and BPS Pro installed on these WP site types for testing:

    Standard WordPress sites
    Network / MU subdirectory and subdomain sites
    GWIOD sites

    BPS and BPS Pro do not have coding that intentionally blocks deleting plugins. There used to be an old issue years ago where if you did not activate BulletProof Mode for your wp-admin folder then this problem would occur. Are you doing anything unusual / special with your wp-admin folder? Did you activate BulletProof Mode for your wp-admin folder?

    The only manual thing you need to do differently for GWIOD installations of WP is to manually copy the BPS .htaccess file to the actual root of your website (and change the RewriteBase and RewriteRules if necessary to match your folder structure), which you have already done. After that you would do everything the same as a typical standard WordPress installation.

    1. Click on the AutoMagic buttons.
    2. Activate All BulletProof Modes.

    I am not aware of having done anything with the wp-admin folder. The only folders I’m working with are the wp-content/plugins and a wp-content/themes/twentyeleven-child, other than performing the minimum requirements for setting up GWIOD and copying the .htaccess file, which, as I said, after using BPS, I forgot to recopy that modified .htaccess, which I said earlier I had already corrected.

    I’m almost certain that I didn’t activate BulletProof Mode for my wp-admin folder – though anything is possible, I guess – because I was significantly aware that something was a bit unusual, if not potentially problematic, because when I used the AutoMagic to generate the default and secure .htaccess files, there was a red notice that an .htaccess file was not found in wp-admin.

    Up to that point in my three or four month introduction to WP, it had never occurred to me, or I had never read anything about conditions that might warrant an .htaccess file in the wp-admin folder.

    Is there some telltale evidence somewhere that I can evaluate that would indicate if I had activated BulletProof Mode for my wp-admin folder?

    And since this 403/delete plugin problem exists with two different GWIOD, I would have had to make that mistake twice, and having seen that red notice after using AutoMagic, notifying me that an .htaccess file was not created for the wp-admin, I was well aware that there was some distinction occurring, at least as far as BPS was concerned.

    One thing that I hadn’t checked until about half-way through this exploration was whether or not I could activate an inactive plugin and that appears to work ok, in case that means anything to you.


    You need to activate all BulletProof Modes including the wp-admin BulletProof Mode.

    The Security Status tab page tells you what your security status is and if all .htaccess files have been activated. You will see either Green or Red security status messages.

    The Read Me buttons throughout BPS are clickable and contain help info about each page in BPS.

    My guess then at this point is that you have not activated all BulletProof Modes.

    What is interesting is that on some web hosts you do not have to have the wp-admin .htaccess file activated and on others you do, and for that reason I have informed folks that this is a mandatory requirement. Also the wp-admin .htaccess does add additional website security protection so it should be activated to increase your overall website security.

    That solves the plugin delete problem!

    Was there some self-evident instruction that I overlooked that it is necessary to activate all Security modes, even if there was no wp-admin.htaccess file?

    Thank you so much for helping me with this and improving my BulletProof Security. All of my sites are focused in different ways on attempts to improve our lives and our societies, and perhaps the most important of these domains will ‘go live’ tomorrow.


    Glad you got it all worked out.

    The Read Me help buttons on the Security Modes page do contain info about what needs to be done to set up BPS, but to be honest with you I usually click first and ask questions later myself. LOL

    — Click the Create default.htaccess File button.
    — Click the Create secure.htaccess File button.
    — If you would like to view, edit or add any additional .htaccess code to your new secure.htaccess Master file, click on the Edit/Upload/Download menu tab, click on the secure.htaccess menu tab and make your changes before you Activate BulletProof Mode for your Root folder.
    — Activate BulletProof Mode for your Root folder.
    — Activate BulletProof Mode for your wp-admin folder.
    — Activate BulletProof Mode for the BPS Master htaccess folder.
    — Activate BulletProof Mode for the BPS Backup folder.

    If you activate BulletProof Mode for your Root folder you must also activate BulletProof Mode for your wp-admin folder.
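
The end state this thread arrives at (a root .htaccess using RewriteBase / and RewriteRule . /index.php, plus .htaccess files in the WordPress folder and in its wp-admin folder) can be checked from a shell on the host. This is an added example, not part of the original thread or of BPS; the function names, the messages and the default folder name wp are assumptions.

```shell
#!/bin/sh
# Added example: audit the .htaccess layout of a WordPress-in-its-own-directory site.
# Usage (paths are placeholders): check_gwiod /path/to/site-root wp

# Print the first RewriteBase value declared in a file (empty if none).
rewrite_base() {
    awk 'tolower($1) == "rewritebase" { print $2; exit }' "$1"
}

# Record one finding and mark the audit as failed.
flag() { echo "$1"; status=1; }

# Print one finding per line; return 0 when nothing is flagged, 1 otherwise.
check_gwiod() {
    docroot=$1; wpdir=${2:-wp}; status=0
    root_ht="$docroot/.htaccess"
    wp_ht="$docroot/$wpdir/.htaccess"
    admin_ht="$docroot/$wpdir/wp-admin/.htaccess"

    if [ ! -f "$root_ht" ]; then
        flag "MISSING root .htaccess"
    else
        # The copy in the site root must route to the root index.php.
        base=$(rewrite_base "$root_ht")
        [ "$base" = "/" ] || flag "ROOT RewriteBase is '$base', expected '/'"
        grep -Eq '^[[:space:]]*RewriteRule[[:space:]]+\.[[:space:]]+/index\.php([[:space:]]|$)' "$root_ht" \
            || flag "ROOT has no 'RewriteRule . /index.php' rule"
    fi

    [ -f "$wp_ht" ] || flag "MISSING $wpdir/.htaccess"
    # The thread's fix: a wp-admin .htaccess must accompany the root one.
    [ -f "$admin_ht" ] || flag "MISSING $wpdir/wp-admin/.htaccess"

    # An unclosed <IfModule> makes Apache reject the whole file (500 error).
    for f in "$root_ht" "$wp_ht" "$admin_ht"; do
        [ -f "$f" ] || continue
        open=$(grep -ci '^[[:space:]]*<IfModule' "$f" || true)
        close=$(grep -ci '^[[:space:]]*</IfModule>' "$f" || true)
        [ "$open" -eq "$close" ] || flag "UNBALANCED IfModule in $f ($open open, $close close)"
    done
    return $status
}
```

Source the file and call the function with the site root and the WordPress folder name; it only checks that the files exist and how the root rules are written, not what BPS put in them.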
