Support » Plugin: BulletProof Security » Can't log out, 403 forbidden

  • Resolved jcervantes28



    Since the new BPS update, I can’t log out of my site when BPS security mode is active.

    My WP is installed in a subfolder root/example/

    I tried to log out while in default mode and still get 403 code telling me to go back and try again.

    I delete .htaccess and poof, I log out np.

    With BPS active, it adds a nonceXXXXXX to the end of logout=true link.

    Not sure how all this connects, but I want BPS active. I tried going into the code to see what new things were added with the update, removed some buddypress logout code in there, deleted it, that didn’t work.

    I also tried saving permalinks again after activating.

    The BPS .htaccess does have the correct rewrite rule for my subfolder /root/example.

    Please let me know your thoughts.

    thank you,

Viewing 15 replies - 1 through 15 (of 39 total)
  • Plugin Author AITpro


    To get the correct RewriteBase in your root .htaccess file click the AutoMagic buttons before activating Root folder BulletProof Mode. Let me know if doing this solves the issue.

    Plugin Author AITpro


    Also are you using any other Login protection or CAPTCHA plugins? If so, then they are probably competing with each other since they are calling the same WordPress hooks – actions/filters. Are you using any additional custom .htaccess code? If so, post that custom .htaccess code.

    Same here, I cant log in or out unless I delete the .htaccess file, what can I do?

    I have used the buttons, it worked yesterday but today is not working,



    I create the secure access through automagic and enabled it in root of install and in wp-admin, and I get the same issue.

    I do have other plugins: Wordfence security plugin which I believe also monitors logging attempts…but this was the case before and it was all working just fine?

    I also have a plugin that makes you input a pin in the beginning, but it’s not a complicated plugin–that’s all it does. And this was also there before so not sure what changed?

    One thing I feel could be an issue is just the fact that I have the blog installed on a subfolder. This just seems to complicate things.

    One big question I have is:

    if I have the install in root/example, then what should the rewrite base be on the root folder? Should it be:

    RewriteBase /example


    RewriteBase /

    And similar question for the htaccess in the example folder (which BPS creates). Should the rewrite be:

    RewriteBase /blog/


    RewriteBase /

    Should they be the same, or does the example folder have /blog and the root folder not?

    I feel this creates an issue.

    Thank you for your help,


    I just turned off BPS login protection so that only wordfence could stay active, did automagic buttons again for secure access, and same problem. cant log out.

    The issue is not logging in for me, it is logging out. I get:

    403 Forbidden Error Page

    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.

    Plugin Author AITpro


    If this is a WordPress subfolder/subdirectory site named
    RewriteBase /example/

    If this is a subdomain site named
    RewriteBase /
    subdomain folder: /example
    DNS A or CNAME record pointing to the example folder/WP installation

    I am not clear about all the other things you stated?

    Plugin Author AITpro


    For your second Post/Question do this:

    FTP to your site and rename the /bulletproof-security plugin folder to /bulletproof-security-hold.

    log in and out of your site – does the same problem occur or not?

    It didnt work, “page not found” when I tried to login… Also the plugin was deactivated and caused a fatal error to the site when I tried to activate it…

    It was working fine before the update…

    Plugin Author AITpro


    We have over 10,000 confirmed successful upgrades to BPS .49.3 so it is not an issue with anything in BPS .49.3.

    Do the standard WordPress troubleshooting steps:

    deactivate all plugins. Activate only BPS and test.
    switch your Theme to the WordPress 2013 Theme and test.

    Plugin Author AITpro


    Also do the standard BPS setup steps again.

    Click the AutoMagic buttons and activate Root and wp-admin BulletProof Modes. Lock your root .htaccess file on the htaccess File Editor tab page to ensure these common problems are not occurring:
    Broken cPanel HotLink Protection tool problem.
    flush_rewrite_rules problem.

    BPS Free Read Me First – General Troubleshooting

    Thanks, will see what I can do…


    So if I have my site installed in

    then the htaccess rewrite rule for both the htaccess in and should be:

    RewriteBase /example/


    Well, this is what I did:

    I went into the brute login options in BPS and turned it OFF. Then I did automagic buttons again for secure htaccess and activated in root and wpadmin.

    I then opened the root htaccess file created and it still had the information about the brute login attempts, so I deleted that code.

    I also deleted the code about a redirect for BuddyPress plugin which I don’t have installed anyway.

    I also deleted the “Head” from request before “trace”

    Then I saved it and changed permissions to 404 to keep it that way.

    And boom! I can log out now and BPS is activated along with the other plugins I mentioned.

    It had to do something with that code. My guess is the BuddyPress code which specifically has a redirect for logging out, which is what was happening.

    I hope that i am still protected well by taking those things out.

    Also, currently, both rewritebase rules (in root and in install subfolder) point to:

    RewriteBase /example/

    Plugin Author AITpro


    First question: Nope, because a root site will have a RewriteBase of just /.

    A subdirectory/subfolder site will have a RewriteBase of /whatever-that subfolder-name-is/

    The RewriteBase directive means do rewriting from this “base”. What this directive is designed to do is to keep .htaccess rules compartmentalized to each site so that each site’s .htaccess files to do not interfere with each other.

    Let’s say your Hosting account has this website setup as the primary website domain for you hosting account…

    WebsiteA is the primary domain for this hosting account.

    You then create additional websites/domains and put them in folders.

    These domains are considered aliased or add-on domains. They would also be considered as root website installations and would have a RewriteBase of /.

    Now if you install a WordPress site in a subfolder and there is NOT a separate website/domain involved then this is a WordPress subdirectory/subfolder installation.


    These subfolder sites would have a RewriteBase of…

    RewriteBase /subfolderA/

    RewriteBase /subfolderB/

    BPS already creates the correct RewriteBase when you click the AutoMagic buttons so you really do not need to know this, but this is the basic hosting account structure.

    Plugin Author AITpro


    Second Post/Question: please isolate the exact code that is causing the problem so that we can make a determination on what needs to happen next. Thanks.

Viewing 15 replies - 1 through 15 (of 39 total)
  • The topic ‘Can't log out, 403 forbidden’ is closed to new replies.