Most likely the cause of this is your Server API is DSO and not CGI. You can check your Server API on the BPS System Info tab page. If your Server API is DSO then some of the automated features in BPS will not work correctly because of the way ownership permissions are handled on DSO configured Servers. You will unfortunately need to manually perform these steps below using FTP.
To Activate BulletProof Mode for your Root folder – Change permissions of your Root htaccess file to 777 – /your-website-root-folder/.htaccess and Change permissions of the secure.htaccess file to 777 – /wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess. To Activate BulletProof Mode for you wp-admin folder – Change permissions of the wp-admin htaccess file to 777 – /your-website-root-folder/wp-admin/.htaccess. Activate The BPS Master htaccess Folder – Change permissions of /wp-content/plugins/bulletproof-security/admin/htaccess folder to 777. Activate The BPS Backup Folder – Change permissions of the /wp-content/bps-backup/htaccess file to 777. Backup Your Currently Active .htaccess Files – Change /bps-backup folder permissions to 777 – /wp-content/bps-backup. Backup Your BPS Master .htaccess Files – Change /master-backups folder permissions to 777 – /wp-content/bps-backup/master-backups.
Once you have completed these installation steps above then change the permissions of both htaccess files to 644 and change all of your folder permissions back to 755 or whatever you previously had for those folder permissions. Another option is just to manually download the secure.htaccess file, wpadmin-secure.htaccess file and the deny-all.htaccess file and then just manually use FTP to upload the files to where they should be.