BulletProof Security
[resolved] 500 errors on update from .47.1 to .47.3. (11 posts)

  1. amfm
    Posted 4 years ago #

    I had BulletProof Security‚Ä® version .47.1 installed and I attempted to update to .47.3. WordPress claimed the update was successful, and on the next page I received the following alerts:

    "BPS Automatic htaccess File Update in Progress. Refresh Your Browser To Clear The BPS Alert.
    BPS .47.1 Upgrade Notice
    Adding new htaccess security filters included in version .47.2. Refresh your Browser to continue adding new security filters for version .47.3.
    BPS Alert! A valid BPS htaccess file was NOT found in your wp-admin folder
    If you are upgrading BPS this Alert will go away after you Refresh your Browser.
    If you still see this Alert after refreshing your Browser then Activate BulletProof Mode for your wp-admin folder.
    BulletProof Mode for the wp-admin folder MUST be activated when you have BulletProof Mode activated for the Root folder.
    Check the BPS Security Status page to view your BPS Security Status."

    The first time this happened I hit refresh on my browser and received 500 errors on my site and my site backend. Disabling/deleting the BPS plugin folder didn't correct. Through SFTP I restored the BPS plugin folder, root htaccess, and wp-admin htaccess from a backup I had (version .47.1.) The site then functioned correctly, but with the older version. I decided to try again and proceeded as above, but when the alerts appeared I clicked the link for the BPS Security Status page within the alert. The same 500 errors and corrections were made. I would love to update to the latest version but I am not sure what is interfering. Thanks in advance for your help.


  2. AITpro
    Plugin Author

    Posted 4 years ago #

    Ok since your host uses cPanel and you posted this other problem (see link below) a while back that was caused because of the broken cPanel HotLink Protection Tool then this problem is most likely also being caused by the broken cPanel HotLink Protection Tool.

    BPS needs to unlock your .htaccess file during the automatic upgrade. The cPanel HotLink Protection tool will destroy your root .htaccess file as soon as your root .htaccess file is unlocked (you cannot disable the broken cPanel HotLink Protection Tool because enable/disable is also broken).

    So what you can do is this. If BPS sees that the version number in your root .htaccess file is .47.3 it will NOT do the automatic .htaccess file update and unlock your root .htaccess file. So you will need to manually change the .htaccess file version number in your root .htaccess file from .47.1 to .47.3. Then do the upgrade to .47.3. After the upgrade installation is completed you will need to use AutoMagic and then Activate BulletProof Mode for your root folder. Your root .htaccess file is unlocked during this process, but only for a split second so there is not enough time for the Broken cPanel HotLink Protection tool to destroy your root .htaccess file.

  3. amfm
    Posted 4 years ago #

    That worked! You are fantastic. And I can't believe how troublesome that damn cpanel hotlink protection continues to be. It keeps sneaking into the unlikeliest of scenarios.

    Thanks once again for your speedy and thorough support!

  4. amfm
    Posted 4 years ago #

    Okay, I reset my browser and all of my images on my site have disappeared since performing this update as you suggested. I also noticed that even the small pics on the create new post page (the tiny mce or whatever those little links are called?) My site is mainly images so I need to get this fixed!

    Any idea what could've happened?

  5. AITpro
    Plugin Author

    Posted 4 years ago #

    Yeah hard to believe that the broken HotLink Protection Tool problem has been going on for over 10 years now. Scary.

    Is this a MU/Network installation, standard single site installation or Giving WordPress its own Directory installation of WordPress?
    Did you click the AutoMagic buttons before activating the Root folder BulletProof Mode?
    Did you have any custom code that you manually added to your old root .htaccess file for a plugin or theme to display image files correctly?
    If you use the BPS Custom Code feature it will save any custom code permanently so that when you click the AutoMagic buttons that custom code is automatically added to your root .htaccess file.

    If you post your full URL to image files on your website then i can tell you exactly why you are not seeing image files. Or if you want your site to remain anonymous just replace your domain name with example.com.

    Also double check the Hotlink Protection Tool again. If there is any code in any of the boxes then delete it. And the problem will continue to happen over and over again if your root .htaccess file is not locked with 404 permissions.

  6. amfm
    Posted 4 years ago #

    So, I reverted my site back to BPS version .47.1 and my images returned. I also noticed when I was trying to correct this that even my image library on the backend was showing up as broken links, as were any images on the dashboard (the small plug image next to "plugins" for example.) (On a much smaller scale, I once had an image not show up because it had the word shadow in the name and it was triggering a security filter in my htaccess that included the word "shadow." In this case I have no idea what would cause every single image site-wide to fail.)

    In answer to your questions:
    -It is a standard single site installation.
    -Yes, I automagic-ed both buttons before activating all bulletproof modes.
    -I have custom code in my root, but all of that was in the BPS custom code feature to include it permanently and as far as I can tell it appeared to transfer correctly. I don't have any special code for displaying image files correctly to the best of my knowledge.

    I thought it could be something in the new BPS htaccess file interfering with some of my custom code... I glanced at the two root htaccess files side by side and the only difference I could see (let me know if I'm missing something) was this code that was in the .47.3 htaccess:

    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]

    I also noticed that there is a space at the bottom of the page on .47.1 htaccess but not on the .47.3 one.

    No idea. I didn't see a difference between the wp-admin htaccess files. For now I am leaving .47.1 in place until I can iron this out. Thanks again for any help.

  7. AITpro
    Plugin Author

    Posted 4 years ago #

    Ok well to test if this new security filter is causing the problem add it to your current root .htaccess file and see if the problem occurs again. it is a possibility that i could be causing the problem, but unlikely.

    The space at the bottom is ok and will not cause any problems.

    Hmm BPS does not filter out the word "shadow". Are you using another security plugin that is filtering this word out or maybe you are saying that you added that word to a BPS security filter.

    If you post your full URL to image files on your website then i can tell you exactly why you are not seeing image files. Or if you want your site to remain anonymous just replace your domain name with example.com.

  8. amfm
    Posted 4 years ago #

    Issue resolved! User error on my part.

    After successfully updating I noticed that the new htaccess had BPS hotlink protection commented out, so I removed the #'s to activate, failing to notice that the automagic had also stripped my domain from the hotlink code. So, I have since updated to .47.3, corrected and activated the hotlink code, refreshed browser and my site is working great.

    I also thought I would let you know that updating as you instructed left my htaccess unlocked for editing, but I locked it quickly to avoid problems with cpanel.

    Thanks again for your quick and excellent help!

    P.S. the shadow example I gave above was not BPS code, just an unusual example of how htaccess code has effected a site image in the past.

  9. AITpro
    Plugin Author

    Posted 4 years ago #


    Yeah someone else mentioned that the root .htaccess file was not being relocked on automatic update. There must be some condition that i am missing. The code is supposed to CHMOD your root .htaccess file back to 404 after updating it and it works fine on testing sites. Can you imagine how pissed off I'm going to be if i find out the broken cPanel HotLink Protection Tool is also causing this problem? LOL

    Good job in figuring out the problem. :)
    And i guess you know that the BPS HotLink Protection coding really does work since you blocked your own site from being able to view images. ha ha ha.

  10. amfm
    Posted 4 years ago #

    Ha! Yes, BPS hotlink protection worked very well!

    I have no doubt Cpanel hotlink protection will continue to haunt everyone with its horrible, horrible ways. I filed a complaint with my host months ago, but nothing has changed, probably will be around for another decade.

  11. AITpro
    Plugin Author

    Posted 4 years ago #

    Overall i think cPanel is an awesome GUI and everything else in it works fine, but yeah the HotLink Protection Tool will probably be broken until the end of time. ;)

    If there was something in BPS that i could change i would change it, but this is not isolated to BPS. If you google this problem you will see that it was going on long before BPS ever existed. ;) The only thing that i have found that works to stop it from doing damage is to lock your root .htaccess file.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic