First I want to express thanks to the author for his efforts for the WP community.
I installed BPS 0.46.3 today on three WP 3.1.3 blogs of different ages and with different numbers of other plugins installed. The steps I did for each were to create backups, then "create secure .htaccess file" by AutoMagic, then activate BulletProof mode for each folder: root, wp-admin, BPS master htaccess and BPS backup, in that order.
Two of the three blogs started giving me 403 Forbidden for all pages under /wp-admin/ instantly after clicking to activate the BulletProof mode for BPS master htaccess folder. Admin dashboard is now inaccessible for those two.
Interestingly the blogs were the oldest and the newest one, which had virtually no plugins installed. If it had any, the other two blogs both had them as well. Since one of the blogs encountered no problems, I believe that a plugin conflict is not the cause.
I'm very surprised that the feature supposedly for copying and renaming a .htaccess file to wp-content/plugins/bulletproof-security/admin/htaccess/ can block access to wp-admin/. Happening on two blogs at the exact same point - but not done at the exact same time - rules out most server-configuration-based causes that I can think of.
1. What might be the cause of this error? Could it be something in my server or directory permission configuration?
2. Suggestion: Make all changes done by BulletProof Security require a user confirmation that the following page loads occurred correctly, and if the confirmation is not given in a reasonable time (e.g. 5 minutes), reverse the change. Optionally make it even more automatic: if any pages under wp-admin/ manage to be completely loaded during the next 5 minutes, keep the change, otherwise reverse it.
This will avoid the admins being locked out of their admin panels in case anything goes wrong, for any reason, by any change.
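
The confirm-or-revert behaviour suggested in point 2, as an added example that is not part of the original post and is not BulletProof Security's code. The function names, the probe URL passed to `http_probe` and the backup file prefix are assumptions made for illustration; the 5-minute window is the one the post proposes.

```python
import os
import shutil
import tempfile
import time
import urllib.error
import urllib.request


def http_probe(url, timeout=10):
    """True if url loads without an HTTP error; a 403 Forbidden yields False."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status < 400
    except (urllib.error.URLError, OSError):
        return False


def apply_with_rollback(htaccess_path, new_rules, probe,
                        window=300, interval=15, sleep=time.sleep):
    """Write new_rules, keep them only if probe() succeeds within `window`
    seconds, otherwise restore the previous state. Returns True if kept."""
    folder = os.path.dirname(htaccess_path) or "."
    backup = None
    if os.path.exists(htaccess_path):
        # Back up next to the original so the restore is a same-filesystem rename.
        fd, backup = tempfile.mkstemp(prefix=".htaccess.bak.", dir=folder)
        os.close(fd)
        shutil.copy2(htaccess_path, backup)
    with open(htaccess_path, "w") as fh:
        fh.write(new_rules)

    deadline = time.monotonic() + window
    while True:
        if probe():                      # e.g. a wp-admin page loaded correctly
            if backup:
                os.remove(backup)
            return True
        if time.monotonic() >= deadline:
            break
        sleep(interval)

    # No successful load inside the window: undo the change.
    if backup:
        os.replace(backup, htaccess_path)
    else:
        os.remove(htaccess_path)         # there was no file before the change
    return False
```

In use, `probe` would be something like `lambda: http_probe("https://blog.example/wp-admin/")`, with the URL replaced by the site's own admin address.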