Support » Plugin: BulletProof Security » .htaccess permissions changing and 403 error

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Author AITpro


    OK, I read through the other thread. It is very unlikely that your Host is locking the root .htaccess file with 404 permissions. Typically hosts go the other direction and try to unlock / change file permissions to 644.

    I see you are using the Yoast SEO plugin. That plugin incorrectly wipes out the root .htaccess code because the WordPress flush_rewrite_rules function is being used inappropriately/incorrectly.

    Another person has reported to me that this line of code – RewriteCond %{HTTP_USER_AGENT} ^$ causes a problem for Network/Multisite specifically and not single standard WordPress sites. Comment out the line of code as shown below with a pound sign. And you also need to remove the [OR] flag as shown below for the HTTP_REFERER.

    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} (wp-comments-post\.php)
    RewriteCond %{HTTP_REFERER} !^.**
    #RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F]

    But with that said you need to isolate the plugin that is changing the root .htaccess file permissions automatically. Or another possibility is that BPS has been Network Activated. BPS should not be Network Activated and ONLY activated on the Primary site.


    Thanks for the swift reply. BPS is only activated on the primary domain.

    I’ve had the Yoast SEO plugin for a few months without problems, but it has been updated several times recently.

    I updated the .htaccess as you show above. Should I try removing Yoast (it has just stopped working since I updated to 3.5) and using the automagic buttons to see if that helps?

    Any suggestions as to how I can find the plugin changing the file permissions? I would think this is outside the remit of most plugins, so not sure which it could be.

    Plugin Author AITpro


    Well first try deactivating the Yoast SEO plugin and then use AutoMagic and activate your Root Folder BulletProof Mode and see what happens at that point. Do you have any other plugins that write .htaccess code?

    Plugin Author AITpro


    I just tested installing the WordPress SEO by Yoast plugin on a Multisite installation and Network Activating it and the flush_rewrite_rules issue does not occur. I am not sure if this plugin is supposed to be Network Activated or not, but it seems to work correctly.

    Plugin Author AITpro


    I just thought of something to test. Use the AutoLock Off button and turn AutoLock Off. Then check if the root .htaccess file is still being locked.

    I don’t know of any plugins that would write to .htaccess, except maybe the domain mapping plugin.

    I removed Yoast SEO for now, automagic’d for root and secure .htaccess files, and then activated Root BP Mode and wp-admin BP Mode (as the plugin warned me it must be done).

    I meant to ask about AutoLock after seeing it in your link too. I’ve now set that to Off as well.

    Then I’ve commented out the HTTP_USER_AGENT line again and the [OR] flag. I changed the htaccess permissions only once previously and it changed back to 0404 only once too, so not sure when/how it would happen, but it hasn’t happened yet. Do you think any of it (the 0404 file permission) could be causing 403’s for comments on my site tho?

    Plugin Author AITpro


    I doubt that file permissions are going to be related to 403 errors when posting comments. This is the regular BPS version and not the Pro version correct?

    You are absolutely sure that you are on the Primary site correct and not a subsite?

    Have you done these troubleshooting steps to see if the BPS htaccess code is causing the comment post errors?

    1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
    2. Activate Default Mode on the Security Modes page.
    3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
    4. Test your plugin or theme.
    5. Restore your .htaccess files using BulletProof Security built-in Restore.

    Plugin Author AITpro


    BPS has not been activated on any of the subsites and is ONLY activated on the Primary site correct?

    Plugin Author AITpro


    Try commenting out the entire block of # FORBID EMPTY REFFERER SPAMBOTS htaccess code and also check that you have not blocked your IP address in this code

    <FilesMatch "^(wp-comments-post\.php)">
    Order Allow,Deny
    Deny from 46.119.35.
    Deny from 46.119.45.
    Deny from 91.236.74.
    Deny from 93.182.147.
    Deny from 93.182.187.
    Deny from 94.27.72.
    Deny from 94.27.75.
    Deny from 94.27.76.
    Deny from 193.105.210.
    Deny from 195.43.128.
    Deny from 198.144.105.
    Deny from 199.15.234.
    Allow from all
    </FilesMatch>

    Hey again,

    Thanks for all the help.

    BPS is definitely only on the primary site and no others.

    Deleting the htaccess files to troubleshoot as you suggested meant that I could comment again, so it looks like there is something in there causing a problem.

    Restoring them started giving me 403 Permission Denied again, but the file permission remained 0644 so it’s unlikely to be file permissions related.

    My IP is not included in the list, and the problem was reported to me by people in different countries too.

    And lastly, I commented out the whole # FORBID EMPTY REFFERER SPAMBOTS code and comments are now working!!!

    You are a legend, thank you so much.

    Is that code generated by BPS and how much of a problem is it leaving it commented out?

    Plugin Author AITpro


    LOL yep Legend in my own mind that is me. ha ha ha.

    I grabbed that Spambot code from WP and to tell you the truth it did not do the trick on my site because I was having epidemic Spam Comment problems to the tune of 60,000 spam comments per month. So I created another solution for myself, but it is not ready for public use/release. I have been testing it for the last 3 months and 4 Spam comments have gotten through my new “thing” instead of the 180,000 spam comments that I would have had to deal with. 😉

    So you can ditch that code altogether. Spam commenters have already figured out how to beat it. 😉 And even the IP address thing I tried was also not effective. I am not a big fan of trying to block by IP Addresses and that test was just a reminder of why I never bother with that route/direction/method – it is easily beaten. My new “thing” on the other hand is basically unbeatable because it uses the only method that I have ever found to work – an Action approach – dummy X does bad action Y and Z is the result = Forbidden.

    Great stuff, I’m just happy to have comments back on my site again and I have no chance of your spam comment levels anytime in the near future 🙂

    Look forward to seeing the new thing in a future update then! Cheers again for the help (and the plugin!).

    I did mean to ask tho – was I the only one having this problem?

    Plugin Author AITpro


    You are the second person with Network/Multisite to mention this to me and I went looking for the other solution and never heard back from that person. I told them to try commenting out the entire spambot block of code so since I never heard back from them then I guess it worked. You have confirmed this so now I know that I will have to remove this code from AutoMagic for Network/Multisite folks. I also want to ditch the IP address code, but people really love this IP thing. It is useless, but they want it anyway. 😉



    I will verify the same problem, and same solution – thank you.

    I’m running:

    WP Network (since WPMU)
    WordPress MU Domain Mapping

    and plenty other plugins…
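
How the RewriteCond chain quoted in AITpro's first reply combines, as an added Python example that is not part of the thread or of BulletProof Security: it models mod_rewrite's rule that RewriteCond lines are ANDed except where [OR] joins them, and compares the block with the [OR] flag and HTTP_USER_AGENT line in place against the edited version. The `example\.com` referer pattern, the helper names and the sample requests are assumptions constructed for illustration.

```python
import re

# Constructed placeholder: the thread does not show the site pattern in full.
SITE = r"example\.com"
# (request field, regex, negated with "!", carries the [OR] flag)
ORIGINAL = [
    ("method", r"POST", False, False),
    ("uri", r"(wp-comments-post\.php)", False, False),
    ("referer", r"^.*" + SITE + r".*", True, True),
    ("user_agent", r"^$", False, False),
]
# Edit suggested in the thread: [OR] removed, HTTP_USER_AGENT line commented out.
EDITED = [cond[:3] + (False,) for cond in ORIGINAL[:3]]

def cond_matches(cond, request):
    field, pattern, negated, _ = cond
    return (re.search(pattern, request[field]) is not None) != negated

def is_forbidden(conds, request):
    """True when 'RewriteRule .* - [F]' fires: conditions are ANDed, except
    that a run joined by [OR] passes if any one of its conditions matches."""
    group_ok = False
    for idx, cond in enumerate(conds):
        group_ok = cond_matches(cond, request) or group_ok
        if not cond[3] or idx == len(conds) - 1:  # end of an [OR] run
            if not group_ok:
                return False
            group_ok = False
    return True

def comment_post(referer, user_agent="Mozilla/5.0", method="POST"):
    return {"method": method, "uri": "/wp-comments-post.php",
            "referer": referer, "user_agent": user_agent}

# Constructed sample requests (an absent header is an empty string).
SAMPLES = {
    "same-site referer": comment_post("https://example.com/a-post/"),
    "same-site referer, empty UA": comment_post("https://example.com/a-post/", ""),
    "no referer": comment_post(""),
    "referer on another hostname": comment_post("https://blog.example.net/a-post/"),
    "GET with no referer": comment_post("", method="GET"),
}

def verdicts(conds):
    return {name: 403 if is_forbidden(conds, req) else 200
            for name, req in SAMPLES.items()}
```

In this model `verdicts(EDITED)` differs from `verdicts(ORIGINAL)` only for the empty user-agent request; a comment POST with no referer, or with a referer that does not match the pattern, is still answered with 403.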
