General question


Viewing 15 posts - 1 through 15 (of 18 total)
  • #9357
    Zac
    Participant

    First thing I do is back up the .htaccess, but I get a returned error message saying that it is available, but the wp-admin .htaccess does not exist. And then it looks like it quits there and does nothing.

    √ An .htaccess file was found in your root folder
    An .htaccess file was NOT found in your /wp-admin folder

    Your Root .htaccess file is NOT backed up either because you have not done a Backup yet, an .htaccess file did NOT already exist in your root folder or because of a file copy error. Read the “Current Backed Up .htaccess Files Status Read Me” button for more specific information.

    Your wp-admin .htaccess file is NOT backed up either because you have not done a Backup yet, an .htaccess file did NOT already exist in your /wp-admin folder or because of a file copy error. Read the “Current Backed Up .htaccess Files Status Read Me” button for more specific information

    √ The default.htaccess Master file is backed up.
    √ The secure.htaccess Master file is backed up.
    √ The wpadmin-secure.htaccess Master file is backed up.
    √ The maintenance.htaccess Master file is backed up.
    √ The bp-maintenance.php Master file is backed up.
    √ The bps-maintenance-values.php Master file is backed up.

    #9360
    AITpro Admin
    Keymaster

    Complete these setup steps:
    1. Activate Root and wp-admin BulletProof Modes on the Security Modes page.
    2. Go to the Login Security page and choose your Login Security options and click the Save Options buttons.
    3. Setup complete.

    You can disregard these 2 checks. They are incorrect and will be fixed in the next BPS version.

    http://wordpress.org/support/topic/wp-admin-htaccess-backup?replies=15

    Your Root .htaccess file is NOT backed up either because you have not done a Backup yet, an .htaccess file did NOT already exist in your root folder or because of a file copy error. Read the “Current Backed Up .htaccess Files Status Read Me” button for more specific information.

    Your wp-admin .htaccess file is NOT backed up either because you have not done a Backup yet, an .htaccess file did NOT already exist in your /wp-admin folder or because of a file copy error. Read the “Current Backed Up .htaccess Files Status Read Me” button for more specific information

    #9544
    Zac
    Participant

    I don't see a Login Security page tab.

    What I was doing is what you mentioned, but first I would run the backup. And when I had a plugin that needed .htaccess I would go to the htaccess file editor, unlock .htaccess and do the plugin setup. Then repeat, backup, create new magic files, activate..

    It seemed to be working except today, there was a new patch and it reported that my .htaccess was not secured by bp.

    So I activated both and .htaccess no errors, but wp-admin .htaccess caused this: WP Super Cache is activated, but either you are not using WPSC mod_rewrite to serve cache files or the WPSC .htaccess code was NOT found in your root .htaccess file.

    So I unlocked, bla bla repeated everything.. updated wp super cache and when I go to activate wp-admin .htaccess, it resets and gives the same error message for wp super cache.

    #9545
    AITpro Admin
    Keymaster

    Here are some screenshots of what you should be seeing.  Do you see Login Security under the BPS Security Menu?

    http://wordpress.org/plugins/bulletproof-security/screenshots/

    Do these 2 things.
    1. Copy your WP Super Cache .htaccess code to BPS Custom Code (disregard any BPS Pro steps): http://forum.ait-pro.com/forums/topic/where-is-the-log/#post-2715
    2. Lock your root .htaccess file on the htaccess File Editor tab page and turn on AutoLock.

    #9556
    Zac
    Participant

    Are there any settings I should turn off from Better WP Security? “Server tweaks” that may conflict, or are already being applied?

    #9557
    Zac
    Participant

    I put in the custom code as directed, and no change. I find this odd because it appeared to be working fine for 5 days since I installed it but after updating it today I get that error.

    WP Super Cache is activated, but either you are not using WPSC mod_rewrite to serve cache files or the WPSC .htaccess code was NOT found in your root .htaccess file.
    If you are not using WPSC mod_rewrite then just add this commented out line of code in anywhere in your root htaccess file – # WPSuperCache. If you are using WPSC mod_rewrite and the WPSC htaccess code is not in your root htaccess file then click this Update WPSC link to go to the WPSC Settings page and click the Update Mod_Rewrite Rules button. If your root .htaccess file is locked then you will need to unlock it to allow WPSC to write its htaccess code to your root htaccess file. BPS Lock and Unlock buttons are on the htaccess File Editor page. Refresh your browser to perform a new htaccess file check after updating WPSC mod_rewrite.

    BulletProof Security Root Folder Protection Activated. Your website Root folder is now protected with BulletProof Security.
    IMPORTANT! BulletProof Mode for the wp-admin folder MUST also be activated when you have BulletProof Mode activated for the Root folder.”

    #9558
    AITpro Admin
    Keymaster

    Yeah all of them and delete Better WP Security.  ha ha ha  Only kidding of course.  I believe that plugin does have some value, but we have not checked it in at least 8 months so I really cannot tell you exactly what is recommended and not recommended.  In the past, the problem area between the 2 plugins has mainly been the Server Tweaks options in Better WP Security.  The Better WP Security .htaccess code is very raw/crude and BPS already has this code only it is much better designed in a way that does not cause problems for other plugins and WordPress in general.  When there are issues or conflicts BPS has the Custom Code system, which allows you to quickly and easily add custom skip/bypass/whitelist rules as needed.   So basically do not use/enable Server Tweaks in Better WP Security and use only the settings in Better WP Security that do NOT use .htaccess code.

    Make sure you are doing all the Custom Code steps.
    1. Add your Custom Code to the appropriate Custom Code text box.
    2. Save your Custom Code by clicking the Save Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    #9572
    Zac
    Participant

    I like Better WP Security because it has a list of things that from what I have read should be addressed, also this list of items are not common on other security plugins I have seen.

    #11 Your .htaccess file is partially secured.  ..click to fix.
    #16 Better WP Security is not allowed to write to wp-config.php and .htaccess.  ..click to fix.
    #17 wp-config.php and .htaccess are writeable.  ..click to fix.

    (Does your plugin disable write access to wp-config.php? I know that it addresses .htaccess.)

    Also I disabled the above rules and still does not work. Prior to the patch I did not have to do custom code, or disable anything.

    #9575
    AITpro Admin
    Keymaster

    Yep, it has some neat gimmicks going on, but you must realize that these are only “feel good” gimmicks.  I am not negating the value of the Better WP Security plugin, but yep the “gimmick” factor is done extremely well in that plugin – Kudos on the sales pitch. 😉

    Regarding locking the wp-config.php file – yes that is a silly thing that BPS Pro does, but we are trying to phase out those useless things in BPS Pro.  It is child's play to get around file/folder permissions for hackers, but most folks do not deal with this stuff day in and day out so how would they know that right. 😉  So yes there is a real benefit in locking the root .htaccess file because it protects the file from problematic issues (the flush_rewrite_rules function, cPanel HotLink Protection, etc), but not hackers of course since getting around file or folder permissions is child's play for hackers.

    Not sure what you are saying below.  Can you be more specific?  Thanks.

    Also I disabled the above rules and still does not work. Prior to the patch I did not have to do custom code, or disable anything.

    #9579
    Zac
    Participant

    “Also I disabled the above rules and still does not work. Prior to the patch I did not have to do custom code, or disable anything.”

    I disabled those rules.. #11, #16, #17. And all of the server tweaks. It looked like it was about to work, but after a few page refreshes it gives the same error.

    #9581
    AITpro Admin
    Keymaster

    Oh ok got it.  This does not change the recommended best methods regarding BPS and Custom Code.

    The reason it is recommended that you copy any custom code (other plugin cache code, your own personal .htaccess code, etc) to BPS Custom Code is so that you have full control of what .htaccess code is or is not added/included automatically in your root and wp-admin .htaccess files when you activate BulletProof Modes.

    The general idea is you want 100% consistency and not random writing to your root .htaccess file or unexpected changes to your root .htaccess file.  You want to have ultimate control of these things and that is what BPS Custom Code is designed to do – Custom Code allows you to create/design your Master .htaccess files with the code that you want created in your .htaccess files without that possibility of allowing or including random code at any given point.

    To simplify this statement above.  You are creating your own Master .htaccess files with BPS Custom Code so add whatever code that you want to be created when you use the Activate buttons and ensure that you lock the root .htaccess file.  Once again this serves the primary purpose of preventing other plugins from writing inappropriate .htaccess code randomly, etc, etc etc.

    #32410
    Bea
    Participant

    Received what appears to be a post overwrite – hacked for fun with a graphic.

    Cannot see anything unexpected in files or database – appears as if one post has been overlaid with a graphic and text.

    Can revert back to the previous post but concerned. 🙂

    BPS installed from site creation:
    Recommended permissions

    #32412
    AITpro Admin
    Keymaster

    Are you saying you had a text injection occur due to the WP 4.7 > 4.7.1 security vulnerabilities?

    #32414
    Bea
    Participant

    Apologies, am unsure why the post has been overlaid.
    BPS (is my protection) is active and can see no other unexpected files etc in the database and could revert back to the original post – just unsure what is the best procedure, if there has been some other injection that I have not found.

    #32415
    AITpro Admin
    Keymaster

    @ Bea – Most likely just restoring your WP database from a recent backup will take care of the issue.  If you want to be extra cautious then do a complete restore of your database and files from a recent backup just to make sure that all your files are ok.  In general the hack that occurred recently was a massive defacement hack, but you probably want to take the extra cautious route and restore your entire site – WP DB and all files. 😉
