Support » Plugin: BulletProof Security » [Plugin: BulletProof Security] 301 redirect not working with BPS

  • Resolved rivet0r


    301 redirect is not working with bps. I’ve input custom code in the root .htaccess area, saved it, automagic’d secure .htaccess, and reactivated bulletproof mode. Still no luck.

    I’ve manually checked the code was inputted in the root .htaccess and it’s there, but not functioning.

    When I replace .htaccess with my original .htaccess which only has the redirect code, it works just fine.

    Please help,

Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author AITpro


    Please post the .htaccess redirect code so I can take a look at it. Thanks.

    Using this below:

    RewriteEngine on
    rewritecond %{http_host} ^ [nc]
    rewriterule ^(.*)$$1 [r=301,nc]

    Plugin Author AITpro


    Are you trying to rewrite a non-www URL to www?

    Please explain exactly what you are trying to achieve with your redirect.

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^$ [NC]
    RewriteRule ^(.*)$$1 [R,NC,L]

    Plugin Author AITpro


    Resolving. If the problem is still occurring please post a reply.

    I’m having a similar issue. I went through the above procedure as well and still have no luck.

    Here is my redirect code:


    Plugin Author AITpro


    Ok first off let me add the answer to the question about rewriting non-www urls to www since i did not specify exactly where that would be done in the BPS root htaccess file.

    You would look for this .htaccess code in your root .htaccess file…

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    ...and then add the 2 lines of code shown below. And of course you would add your actual domain name.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
    RewriteRule ^(.*)$$1 [R=301,L]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    I see that you are trying to redirect from HTTP to HTTPS. Do you have a valid SSL Certificate for your website? Why are you trying to do the redirect from HTTP to HTTPS?

    Please see this StackOverflow link below. Maybe you do not need to do this redirect?

    Plugin Author AITpro


    Oh ok I checked your website and you do have a valid SSL Certificate and the redirect is already working so i guess you figured it out. Thanks.

    For anyone else who found this thread you MUST have a valid SSL Certificate for this code to work.

    # Rewrite HTTPS GET Requests for robots.txt on PORT 443 to robots_ssl.txt
    RewriteCond %{REQUEST_METHOD} GET
    RewriteCond %{SERVER_PORT} ^443$
    RewriteCond %{REQUEST_URI} (robots\.txt)
    RewriteRule ^robots.txt$ robots_ssl.txt [R,L]
    # Rewrite HTTPS GET Requests for a page or file on PORT 443 to a new location
    RewriteCond %{REQUEST_METHOD} GET
    RewriteCond %{SERVER_PORT} ^443$
    RewriteCond %{REQUEST_URI} (path/to/page/or/file)
    RewriteRule ^path/to/page/or/file$ new-redirect-location [R,L]

    Thanks AITpro. Yeah – we kept playing with it and figured out a solution.

    Plugin Author AITpro


    Cool! Thanks.

    In my case the non-www to www redirect does not work!
    Could anybody help me on this issue?

    Heres my generated .htaccess Configuration:

    #   BULLETPROOF .47.6 >>>>>>> SECURE .HTACCESS     
    # If you edit the  BULLETPROOF .47.6 >>>>>>> SECURE .HTACCESS text above
    # you will see error messages on the BPS Security Status page
    # BPS is reading the version number in the htaccess file to validate checks
    # If you would like to change what is displayed above you
    # will need to edit the BPS /includes/functions.php file to match your changes
    # If you update your WordPress Permalinks the code between BEGIN WordPress and
    # END WordPress is replaced by WP htaccess code.
    # This removes all of the BPS security code and replaces it with just the default WP htaccess code
    # To restore this file use BPS Restore or activate BulletProof Mode for your Root folder again.
    # BEGIN WordPress
    # IMPORTANT!!! DO NOT DELETE!!! - BEGIN WordPress above or END WordPress - text in this file
    # They are reference points for WP, BPS and other plugins to write to this htaccess file.
    # BPS needs to find the - BPSQSE - text string in this file to validate that your security filters exist
    ServerSignature Off
    # If you are using a PHP Handler add your web hosts PHP Handler below
    # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
    # by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
    Options -Indexes
    # Use index.php as default directory index file
    # index.html will be ignored will not load.
    DirectoryIndex index.php index.html /index.php
    # BPS PRO ERROR LOGGING AND TRACKING - Available in BPS Pro only
    # BPS Pro has premade 403 Forbidden, 400 Bad Request and 404 Not Found files that are used
    # to track and log 403, 400 and 404 errors that occur on your website. When a hacker attempts to
    # hack your website the hackers IP address, Host name, Request Method, Referering link, the file name or
    # requested resource, the user agent of the hacker and the query string used in the hack attempt are logged.
    # BPS Pro Log files are added to the P-Security All Purpose File Manager to view them.
    # All BPS Pro log files are htaccess protected so that only you can view them.
    # The 400.php, 403.php and 404.php files are located in /wp-content/plugins/bulletproof-security/
    # The 400 and 403 Error logging files are already set up and will automatically start logging errors
    # after you install BPS Pro and have activated BulletProof Mode for your Root folder.
    # If you would like to log 404 errors you will need to copy the logging code in the BPS Pro 404.php file
    # to your Theme's 404.php template file. Simple instructions are included in the BPS Pro 404.php file.
    # You can open the BPS Pro 404.php file using the WP Plugins Editor or by using the BPS Pro File Manager.
    # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php template file.
    # ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    # ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php
    # DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
    RedirectMatch 403 /\..*$
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    RewriteEngine On
    #RewriteCond %{HTTP_HOST} ^mydomain\.de$ [NC]
    #RewriteRule ^(.*)$$1 [R=301,L]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} (wp-comments-post\.php)
    RewriteCond %{HTTP_REFERER} !^.** [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F]
    # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
    # HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just
    # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
    # all bots to make a HEAD request then remove HEAD from the Request Method filter.
    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteRule ^(.*)$ - [F,L]
    # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
    # Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    # TimThumb Forbid RFI By Host Name But Allow Internal Requests
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.**
    RewriteRule . - [S=1]
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # Replace Allow from with your current IP address and remove the
    # pound sign # from in front of the Allow from line of code below to access these
    # files directly from your browser.
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order allow,deny
    Deny from all
    #Allow from
    # IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
    # END WordPress
    # To Test that your Hotlinking protection is working visit
    #RewriteEngine On
    #RewriteCond %{HTTP_REFERER} !^https?://(www\.)?add-your-domain-here\.com [NC]
    #RewriteCond %{HTTP_REFERER} !^$
    #RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
    # This is a better approach to blocking Comment Spammers so that you do not
    # accidentally block good traffic to your website. You can add additional
    # Comment Spammer IP addresses on a case by case basis below.
    # Searchable Database of known Comment Spammers
    <FilesMatch "^(wp-comments-post\.php)">
    Order Allow,Deny
    Deny from 46.119.35.
    Deny from 46.119.45.
    Deny from 91.236.74.
    Deny from 93.182.147.
    Deny from 93.182.187.
    Deny from 94.27.72.
    Deny from 94.27.75.
    Deny from 94.27.76.
    Deny from 193.105.210.
    Deny from 195.43.128.
    Deny from 198.144.105.
    Deny from 199.15.234.
    Allow from all
    # If you would like to block more bad bots you can get a blacklist from
    # You should monitor your site very closely for at least a week if you add a bad bots list
    # to see if any website traffic problems or other problems occur.
    # Copy and paste your bad bots user agent code list directly below.
    Plugin Author AITpro


    Plugin Author AITpro


    You need to add your actual domain name and not use the example domain name ( If your website domain is then you would do this:

    RewriteEngine On
    #RewriteCond %{HTTP_HOST} ^fubar\.com$ [NC]
    #RewriteRule ^(.*)$$1 [R=301,L]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    Your actual domain name is:

    RewriteEngine On
    #RewriteCond %{HTTP_HOST} ^green-mama\.de$ [NC]
    #RewriteRule ^(.*)$$1 [R=301,L]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    I did use the Domain, it didnt work!

    it gives me a redirect loop….:(

    Plugin Author AITpro


    Have you already made the correct changes to your WordPress Settings? You need to change your URL structure too. Have you cleared your plugins cache?

    Settings >>> General >>> WordPress Address (URL) and Site Address (URL)

    If that does not work then put your .htaccess code outside of the WordPress rewriting loop.

    After any caching plugin .htaccess code

    Your non-www to www rewriting code here

    Before the beginning of the WordPress rewriting loop

Viewing 15 replies - 1 through 15 (of 18 total)
  • The topic ‘[Plugin: BulletProof Security] 301 redirect not working with BPS’ is closed to new replies.