Title: [Plugin: BulletProof Security] Top Security Issues
Last modified: August 20, 2016

---

# [Plugin: BulletProof Security] Top Security Issues

 *  Resolved [RikkiJ](https://wordpress.org/support/users/rikkij/)
 * (@rikkij)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-top-security-issues/)
 * Curious to find out if the following security issues are handled by BPS?
 * 1. Anti-XST feature
    2. Header outputs removed
    3. Proxy login/commenting disabled
    4. WP Database prefix changed
    5. Query Strings modified to deny XSS attacks
 * [http://wordpress.org/extend/plugins/bulletproof-security/](http://wordpress.org/extend/plugins/bulletproof-security/)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-top-security-issues/#post-2997542)
 * 1. Yes, Track and Trace are filtered to prevent HTTP Trace attack (XST)
 *     ```
       # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
       RewriteEngine On
       RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
       RewriteRule ^(.*)$ - [F,L]
       ```
   
 * 2. The filter above results in a 403 error when a HEAD request is made.
 * 3. No, BPS does not attempt to block by IP, hostname, User Agent or Proxy since
   these are all easily spoofed/faked and instead takes an action approach to security
   instead of a ban approach.
 * 4. No, BPS takes an action approach to security instead of a hiding approach to
   security. The SQL Injection filter below in BPS blocks all SQL Injection attacks
   so there is no point in changing or renaming the WP Database Table Prefix name
   because the attack will be blocked no matter what the Table Prefix is named.
 *     ```
       RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
       ```
   
 * 5. No, because BPS takes an action approach to security. The malicious Query 
   strings themselves are Forbidden by BPS Security filters so there is no need 
   to attempt to rename them.
 * The BPS Action Security Approach:
    X does bad action Y = Z is the result = Forbidden
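
The two `RewriteCond` patterns quoted in the reply above can be exercised offline against sample requests. This is an added example, not part of the thread and not BPS code. It assumes a matching query-string condition ends in a 403 (the reply shows only the `RewriteCond` line, not its `RewriteRule`); the `verdict` helper and the sample requests are constructed for illustration.

```python
import re

# Patterns copied from the two RewriteCond lines in the reply above.
# [NC] maps to re.IGNORECASE; RewriteCond does an unanchored regex search.
METHOD_RE = re.compile(r"^(HEAD|TRACE|DELETE|TRACK|DEBUG)", re.IGNORECASE)
QUERY_RE = re.compile(
    r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"""
    r"""(/\*|union|select|insert|drop|delete|update|cast|create|char|convert"""
    r"""|alter|declare|order|script|set|md5|benchmark|encode)""",
    re.IGNORECASE,
)


def verdict(method, query_string):
    """Return 403 if either condition would fire, else 200.

    query_string is the raw text after '?', not URL-decoded, which is how
    Apache exposes %{QUERY_STRING}; that is why the pattern lists both
    literal characters and their percent-encoded forms.
    Assumption: a query-string match leads to Forbidden, as the reply states.
    """
    if METHOD_RE.search(method):
        return 403
    if QUERY_RE.search(query_string):
        return 403
    return 200


# Constructed sample requests: (method, raw query string, why it is here).
SAMPLES = [
    ("GET", "p=123", "ordinary page request"),
    ("TRACE", "", "method named in the XST answer"),
    ("HEAD", "", "HEAD is in the method list, so it is refused too"),
    ("GET", "id=1%27+UNION+SELECT+1", "encoded quote followed by a keyword"),
    ("GET", "q=<script>x</script>", "angle bracket followed by 'script'"),
    ("GET", "title=O'Reilly+order+form", "benign text that still matches"),
    ("GET", "s=select+a+theme", "keyword alone, no listed character before it"),
]

if __name__ == "__main__":
    for method, qs, why in SAMPLES:
        print(f"{verdict(method, qs)}  {method:5} ?{qs:28} {why}")
```

The benign `O'Reilly` row is worth checking against real site traffic before deploying a rule like this, since any listed character followed later by a listed keyword substring is refused.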
 *  Thread Starter [RikkiJ](https://wordpress.org/support/users/rikkij/)
 * (@rikkij)
 * [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-top-security-issues/#post-2997545)
 * This is good news. You should make it a product. I would buy.


The topic ‘[Plugin: BulletProof Security] Top Security Issues’ is closed to new 
replies.


## Tags

 * [xss](https://wordpress.org/support/topic-tag/xss/)

 * 2 replies
 * 2 participants
 * Last reply from: [RikkiJ](https://wordpress.org/support/users/rikkij/)
 * Last activity: [13 years, 8 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-top-security-issues/#post-2997545)
 * Status: resolved