Title: [Plugin: BulletProof Security] 403 Forbidden Error
Last modified: August 20, 2016

---

# [Plugin: BulletProof Security] 403 Forbidden Error

 *  Resolved [ramkumaritrvs](https://wordpress.org/support/users/ramkumaritrvs/)
 * (@ramkumaritrvs)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-403-forbidden-error/)
 * Hello,
    I got the same error. I installed the BulletProof Security plugin.
 * I have installed (WordPress) www.taywolt.com.
    My subdomain is [http://www.demo.taywolt.com](http://www.demo.taywolt.com) (HTML).
 * When I try to access my subdomain it shows a 403 error.
 * How can I solve this?
 * Exact error is:
    Forbidden
 * You don’t have permission to access / on this server.
 * Additionally, a 500 Internal Server Error error was encountered while trying 
   to use an ErrorDocument to handle the request.
 * [http://wordpress.org/extend/plugins/bulletproof-security/](http://wordpress.org/extend/plugins/bulletproof-security/)

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-403-forbidden-error/#post-2995629)
 * First fix your subdomain naming convention and see if that solves the problem.
   You have a double subdomain prefix. It should be just demo.taywolt.com without
   the www prefix.
 *  Thread Starter [ramkumaritrvs](https://wordpress.org/support/users/ramkumaritrvs/)
 * (@ramkumaritrvs)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-403-forbidden-error/#post-2995899)
 * Actually, if I uninstall the BPS plugin and remove the .htaccess, my subdomain
   works fine.
 * The problem is with .htaccess only. How do I allow my subdomain by .htaccess?
    Like allow demo.taywolt.com[L] like… root has gone to 403?
 * Please reply.
 *  Thread Starter [ramkumaritrvs](https://wordpress.org/support/users/ramkumaritrvs/)
 * (@ramkumaritrvs)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-403-forbidden-error/#post-2995900)
 * my .htaccess on root:
 *     ```
       #   BULLETPROOF .47.3 >>>>>>> SECURE .HTACCESS     
   
       # If you edit the  BULLETPROOF .47.3 >>>>>>> SECURE .HTACCESS text above
       # you will see error messages on the BPS Security Status page
       # BPS is reading the version number in the htaccess file to validate checks
       # If you would like to change what is displayed above you
       # will need to edit the BPS /includes/functions.php file to match your changes
       # If you update your WordPress Permalinks the code between BEGIN WordPress and
       # END WordPress is replaced by WP htaccess code.
       # This removes all of the BPS security code and replaces it with just the default WP htaccess code
       # To restore this file use BPS Restore or activate BulletProof Mode for your Root folder again.
   
       # BEGIN WordPress
       # IMPORTANT!!! DO NOT DELETE!!! - BEGIN WordPress above or END WordPress - text in this file
       # They are reference points for WP, BPS and other plugins to write to this htaccess file.
       # IMPORTANT!!! DO NOT DELETE!!! - BPSQSE BPS QUERY STRING EXPLOITS - text
       # BPS needs to find the - BPSQSE - text string in this file to validate that your security filters exist
   
       # TURN OFF YOUR SERVER SIGNATURE
       ServerSignature Off
   
       # ADD A PHP HANDLER
       # If you are using a PHP Handler add your web hosts PHP Handler below
   
       # DO NOT SHOW DIRECTORY LISTING
       # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
       # by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
       Options -Indexes
   
       # DIRECTORY INDEX FORCE INDEX.PHP
       # Use index.php as default directory index file
       # index.html will be ignored will not load.
       DirectoryIndex index.php index.html /index.php
   
       # BPS PRO ERROR LOGGING AND TRACKING - Available in BPS Pro only
       # BPS Pro has premade 403 Forbidden, 400 Bad Request and 404 Not Found files that are used
       # to track and log 403, 400 and 404 errors that occur on your website. When a hacker attempts to
       # hack your website the hackers IP address, Host name, Request Method, Referering link, the file name or
       # requested resource, the user agent of the hacker and the query string used in the hack attempt are logged.
       # BPS Pro Log files are added to the P-Security All Purpose File Manager to view them.
       # All BPS Pro log files are htaccess protected so that only you can view them.
       # The 400.php, 403.php and 404.php files are located in /wp-content/plugins/bulletproof-security/
       # The 400 and 403 Error logging files are already set up and will automatically start logging errors
       # after you install BPS Pro and have activated BulletProof Mode for your Root folder.
       # If you would like to log 404 errors you will need to copy the logging code in the BPS Pro 404.php file
       # to your Theme's 404.php template file. Simple instructions are included in the BPS Pro 404.php file.
       # You can open the BPS Pro 404.php file using the WP Plugins Editor or by using the BPS Pro File Manager.
       # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php template file.
   
       # ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
       # ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
       ErrorDocument 404 /404.php
   
       # DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
       RedirectMatch 403 /\..*$
   
       RewriteEngine On
       RewriteBase /
       RewriteRule ^wp-admin/includes/ - [F,L]
       RewriteRule !^wp-includes/ - [S=3]
       RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
       RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
       RewriteRule ^wp-includes/theme-compat/ - [F,L]
   
       RewriteEngine On
       RewriteBase /
       RewriteRule ^index\.php$ - [L]
   
       # REQUEST METHODS FILTERED
       # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
       # HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just
       # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
       # all bots to make a HEAD request then remove HEAD from the Request Method filter.
       # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
       RewriteEngine On
       RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
       RewriteRule ^(.*)$ - [F,L]
   
       # PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
       # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
       # Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.
   
       # Adminer MySQL management tool data populate
       RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
       RewriteRule . - [S=12]
       # Comment Spam Pack MU Plugin - CAPTCHA images not displaying
       RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
       RewriteRule . - [S=11]
       # Peters Custom Anti-Spam display CAPTCHA Image
       RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
       RewriteRule . - [S=10]
       # Status Updater plugin fb connect
       RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
       RewriteRule . - [S=9]
       # Stream Video Player - Adding FLV Videos Blocked
       RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
       RewriteRule . - [S=8]
       # XCloner 404 or 403 error when updating settings
       RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
       RewriteRule . - [S=7]
       # BuddyPress Logout Redirect
       RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
       RewriteRule . - [S=6]
       # redirect_to=
       RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
       RewriteRule . - [S=5]
       # Login Plugins Password Reset And Redirect 1
       RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
       RewriteRule . - [S=4]
       # Login Plugins Password Reset And Redirect 2
       RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
       RewriteRule . - [S=3]
   
       # TimThumb Forbid RFI By Host Name But Allow Internal Requests
       RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
       RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
       RewriteRule .* index.php [F,L]
       RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
       RewriteRule . - [S=1]
   
       # BPSQSE BPS QUERY STRING EXPLOITS
       # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
       # Good sites such as W3C use it for their W3C-LinkChecker.
       # Add or remove user agents temporarily or permanently from the first User Agent filter below.
       # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
       RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
       RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
       RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
       RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
       RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
       RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
       RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
       RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
       RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
       RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
       RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
       RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
       RewriteCond %{QUERY_STRING} http\: [NC,OR]
       RewriteCond %{QUERY_STRING} https\: [NC,OR]
       RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
       RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
       RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
       RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
       RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
       RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
       RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
       RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
       RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
       RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
       RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
       RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
       RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
       RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
       RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
       RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
       RewriteRule ^(.*)$ - [F,L]
   
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /index.php [L]
   
       # DENY BROWSER ACCESS TO THESE FILES
       # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
       # Replace Allow from 88.77.66.55 with your current IP address and remove the
       # pound sign # from in front of the Allow from line of code below to access these
       # files directly from your browser.
   
       <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
       Order allow,deny
       Deny from all
       #Allow from 88.77.66.55
       </FilesMatch>
   
       # IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
       # END WordPress
   
       # BLOCK HOTLINKING TO IMAGES
       # To Test that your Hotlinking protection is working visit http://altlab.com/htaccess_tutorial.html
       #RewriteEngine On
       #RewriteCond %{HTTP_REFERER} !^https?://(www\.)?add-your-domain-here\.com [NC]
       #RewriteCond %{HTTP_REFERER} !^$
       #RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
   
       # BLOCK MORE BAD BOTS RIPPERS AND OFFLINE BROWSERS
       # If you would like to block more bad bots you can get a blacklist from
       # http://perishablepress.com/press/2007/06/28/ultimate-htaccess-blacklist/
       # You should monitor your site very closely for at least a week if you add a bad bots list
       # to see if any website traffic problems or other problems occur.
       # Copy and paste your bad bots user agent code list directly below.
       ```
   
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-403-forbidden-error/#post-2995901)
 * Is your subdomain site a WordPress site?
    Is the subdomain site in a folder called /demo?
    Does the subdomain site have a DNS A record?
 * Example api subdomain setup for a folder that does not have a WordPress site 
   installed/installation.
 * api.somewebsite.com
    The A record points to a folder named /api. The site structure is /api at the
    root of the domain. The /api folder has a RewriteBase of /. You would upload an
    individual .htaccess file to the /api folder with the security filters that you
    want to use.
 * If a WordPress site is installed in the /demo folder then you would just need
   to install BPS on that site and use AutoMagic and activate all BulletProof Modes.
 *  Thread Starter [ramkumaritrvs](https://wordpress.org/support/users/ramkumaritrvs/)
 * (@ramkumaritrvs)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-403-forbidden-error/#post-2995903)
 * Demo was just HTML.
    Yes, the subdomain folder is demo. Yes, the subdomain has a DNS A record. /demo
    lies under the /public-html folder.
 * How do I rewrite in .htaccess?
 *  Thread Starter [ramkumaritrvs](https://wordpress.org/support/users/ramkumaritrvs/)
 * (@ramkumaritrvs)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-403-forbidden-error/#post-2995904)
 * I have found it.
 * `#Options -Indexes`
 * Now it’s working well.
 * Are there any security issues?
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-403-forbidden-error/#post-2995905)
 * If your Host does not allow you to use the Options Directive in an .htaccess 
   file then it will cause a 500 error. Options -Indexes is used to tell the Server
   not to display the files in an indexed list or Directory Listing.
 * Below is the optimum way that you should secure websites that are mixed – HTML
   mixed with PHP.
 * OK, since you have both an HTML site and a PHP site, what I recommend is that
   you create an .htaccess file for the HTML site. Copy and paste the BPS HTML
   .htaccess file code below into a NotePad doc (not Word and not WordPad) and save
   the file with this name – html.htaccess. Then upload this html.htaccess file 
   to the /demo folder and rename it to just .htaccess.
 *     ```
       #   BULLETPROOF PRO 5.1.8 SECURE .HTACCESS FOR HTML WEBSITES    
   
       # This file is created for HTML websites and HTML websites that are in a root website folder
       # if you HTML website is in a subfolder then you will need to change the RewriteBase and RewriteRules
       # to match that subfolder name/path
       # Example: If an HTML website is in a folder called /example-html-website then the RewriteBase and
       # RewriteRule in this file need to be changed using these examples below:
       # RewriteBase /example-html-website/
       # RewriteRule ^/example-html-website/index\.html$ - [L]
       # RewriteRule . /example-html-website/index.html [L]
   
       # TURN OFF YOUR SERVER SIGNATURE
       ServerSignature Off
   
       # ADD A PHP HANDLER
       # If you are using a PHP Handler add your web hosts PHP Handler below
   
       # CUSTOM CODE TOP - Your Custom .htaccess code will be created here with AutoMagic
   
       # HOST SPECIFIC HTACCESS CODE FOR CUSTOM PHP.INI FILES
       # Not all web hosts require .htaccess code for custom php.ini files.
       # To see a complete list of web hosts that BPS is detecting, hosts that do not
       # require .htaccess code for custom php.ini files and Help and FAQ for custom php.ini files
       # Go to the AITpro Custom php.ini FAQ and Help page link shown below.
       # http://www.ait-pro.com/aitpro-blog/3576/bulletproof-security-pro/custom-php-ini-faq/ 
   
       # DO NOT SHOW DIRECTORY LISTING
       # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
       # by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
       Options -Indexes
   
       # DIRECTORY INDEX FORCE INDEX.HTML
       # Use index.php as default directory index file
       # index.html will be ignored will not load.
       DirectoryIndex index.php index.html /index.html
   
       # DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
       RedirectMatch 403 /\..*$
   
       RewriteEngine On
       RewriteBase /
       RewriteRule ^index\.html$ - [L]
   
       # REQUEST METHODS FILTERED
       # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
       # HEAD requests from bots that you want to allow in certain cases. This is not a security filter and is just
       # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
       # all bots to make a HEAD request then remove HEAD from the Request Method filter.
       # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
       RewriteEngine On
       RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
       RewriteRule ^(.*)$ - [F,L]
   
       # PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
       # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
       # Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.
   
       # CUSTOM CODE PLUGIN FIXES - Your plugin fixes .htaccess code will be created here with AutoMagic
   
       # TIMTHUMB FORBID RFI BY HOST NAME BUT ALLOW INTERNAL REQUESTS
       RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
       RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
       RewriteRule .* index.html [F,L]
       RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
       RewriteRule . - [S=1]
   
       # BPSQSE BPS QUERY STRING EXPLOITS
       # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
       # Good sites such as W3C use it for their W3C-LinkChecker.
       # Add or remove user agents temporarily or permanently from the first User Agent filter below.
       # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
       RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
       RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
       RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
       RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
       RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
       RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
       RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
       RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
       RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
       RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
       RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
       RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
       RewriteCond %{QUERY_STRING} http\: [NC,OR]
       RewriteCond %{QUERY_STRING} https\: [NC,OR]
       RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
       RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
       RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
       RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
       RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
       RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
       RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
       RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
       RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
       RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
       RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
       RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
       RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
       RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
       RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
       RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
       RewriteRule ^(.*)$ - [F,L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /index.html [L]
   
       # DENY BROWSER ACCESS TO THESE FILES
       # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
       # Replace Allow from 88.77.66.55 with your current IP address and remove the
       # pound sign # from in front of the Allow from line of code below to access these
       # files directly from your browser.
   
       <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
       Order allow,deny
       Deny from all
       #Allow from 88.77.66.55
       </FilesMatch>
   
       # IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
       # END WordPress
   
       # CUSTOM CODE BOTTOM - Your Custom .htaccess code will be created here with AutoMagic
   
       # BLOCK HOTLINKING TO IMAGES
       # To Test that your Hotlinking protection is working visit http://altlab.com/htaccess_tutorial.html
       #RewriteEngine On
       #RewriteCond %{HTTP_REFERER} !^https?://(www\.)?add-your-domain-here\.com [NC]
       #RewriteCond %{HTTP_REFERER} !^$
       #RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
   
       # BLOCK MORE BAD BOTS RIPPERS AND OFFLINE BROWSERS
       # If you would like to block more bad bots you can get a blacklist from
       # http://perishablepress.com/press/2007/06/28/ultimate-htaccess-blacklist/
       # You should monitor your site very closely for at least a week if you add a bad bots list
       # to see if any website traffic problems or other problems occur.
       # Copy and paste your bad bots user agent code list directly below.
       ```
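
An added example (not part of any post above and not BPS code): a small Python model of how Apache combines `Options` and `DirectoryIndex` from the .htaccess files between the account root and the /demo subdomain folder, showing why the root file reaches the subdomain and what commenting out `Options -Indexes` changes. The directory layout, the `home.html` file and a host whose main config enables `Indexes` are constructed assumptions; rewrite rules, `AllowOverride` and `ErrorDocument` are not modelled.

```python
import os
import tempfile

def directives(path):
    """Yield (name, args) for each non-comment line of an .htaccess file."""
    with open(path) as fh:
        for raw in fh:
            parts = raw.split()
            if parts and not parts[0].startswith("#"):
                yield parts[0].lower(), parts[1:]

def predict(account_root, vhost_docroot, server_indexes):
    """Predict the response to GET / on a vhost rooted at vhost_docroot."""
    indexes = server_indexes        # assumption: value set by the host's main config
    dir_index = ["index.html"]      # mod_dir default when nothing overrides it
    rel = os.path.relpath(vhost_docroot, account_root)
    path = account_root
    # Apache reads every .htaccess from the parent folders down to the target,
    # so a file in the account root also applies to a subdomain folder below it.
    for part in [""] + ([] if rel == "." else rel.split(os.sep)):
        path = os.path.join(path, part)
        ht = os.path.join(path, ".htaccess")
        if not os.path.isfile(ht):
            continue
        local_index = []
        for name, args in directives(ht):
            if name == "options" and args:
                if all(a[0] in "+-" for a in args):
                    # +/- forms are merged into the inherited option set
                    for a in args:
                        if a[1:].lower() == "indexes":
                            indexes = a[0] == "+"
                else:
                    # a bare list replaces the inherited option set
                    indexes = bool({a.lower() for a in args} & {"indexes", "all"})
            elif name == "directoryindex":
                local_index += args  # lines in the same file add to one list
        if local_index:
            dir_index = local_index  # a deeper file replaces the parent's list
    for entry in dir_index:
        # For a request to "/", relative and root-relative entries both resolve
        # inside the vhost's own document root.
        if os.path.isfile(os.path.join(vhost_docroot, entry.lstrip("/"))):
            return "serve " + entry
    return "directory listing" if indexes else "403 Forbidden"

# Directive lines taken from the two .htaccess files posted in the thread.
ROOT_AS_POSTED = "Options -Indexes\nDirectoryIndex index.php index.html /index.php\n"
ROOT_EDITED = "#Options -Indexes\nDirectoryIndex index.php index.html /index.php\n"
DEMO_HTML = "Options -Indexes\nDirectoryIndex index.php index.html /index.html\n"

def write(path, text=""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def run_scenarios():
    """Build a constructed account tree and predict GET / for the subdomain."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        demo = os.path.join(root, "demo")
        write(os.path.join(root, "index.php"))
        write(os.path.join(demo, "home.html"))  # constructed: no index.* in /demo
        write(os.path.join(root, ".htaccess"), ROOT_AS_POSTED)
        out["root as posted"] = predict(root, demo, True)
        write(os.path.join(root, ".htaccess"), ROOT_EDITED)
        out["root with #Options -Indexes"] = predict(root, demo, True)
        write(os.path.join(demo, ".htaccess"), DEMO_HTML)
        out["plus /demo/.htaccess"] = predict(root, demo, True)
        write(os.path.join(demo, "index.html"))
        out["plus /demo/index.html"] = predict(root, demo, True)
    return out

if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:30} -> {result}")
```

In this model the root edit turns the 403 into a directory listing of /demo, while a separate /demo/.htaccess keeps listings off for that folder regardless of what the root file says.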
   
 *  Thread Starter [ramkumaritrvs](https://wordpress.org/support/users/ramkumaritrvs/)
 * (@ramkumaritrvs)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-403-forbidden-error/#post-2995906)
 * Thanks for the code. 🙂
