BulletProof Security Forum

Thanks!

@ait-pro – thanks. Understand it better now. And seems to be working fine without the wwwtoo so redirecting as expected, and without security warnings. Phew!

The php error has to do with BPS Pro plugin upgrade checks for a new BPS Pro plugin version.  Someone else recently got this same php error.  We are not sure what is causing it as this point and are trying to reproduce the php error.  It is not a critical php error.  So nothing to worry about.

Yep, the WordPress Virtual Robots text “file” will be displayed in your Browser.  Example > The WordPress Virtual robots.txt file that you see in your Browser by clicking this link:  https://forum.ait-pro.com/robots.txt is a Virtual Robots text file for this forum website.

Many thanks for your reply. I think I must be seeing the WP ‘virtual’ one! As definitly none in the root.

I did search the forum for solutions but obviously missed that one.

Cheers.

In order for a robots.txt file to work correctly it MUST be in the Hosting Account root folder.  BPS does not do anything with the robots.txt file.  Also WordPress has it’s own Virtual “robots.txt file”.  There is not an actual file and instead you hook into the WordPress Virtual Robots text function > https://forum.ait-pro.com/forums/topic/wordpre…[Read more]

1. You can use both the IP Address code and the Server Protocol code together.  They are not a “one or the other” thing. They are different things.
2. You would whitelist your IP address and if the Proxy IP address is the same IP address (depends on how your Proxy server is configured) as your IP address then you would not need to add the Proxy…[Read more]

No, other users don’t need to access wp-admin. I would like to limit login to Wordpress for others except myself. So what about these other questions? Could you please recommend?

1. If I am using the IP Address based code then I do not need to add the Server Protocol code? Or is it better to use both?
2. I am using Cloudflare. As I understand, in…[Read more]

Since you have a website where other people need to be able to register, login and access wp-admin then you do not want to use either the IP address protection on your login page or block access to your wp-admin area and wp-admin files such as /wp-admin/admin-ajax.php.  BPS LSM and JTC are enough protection for login security, brute force…[Read more]

Hello,

I am planning to add the code to protect login page from Brute Force Login Attacks and I have several questions.

1. If I am using the IP Address based code then I do not need to add the Server Protocol code? Or is it better to use both?
2. I am using Cloudflare. As I understand, in order for this code and Cloudflare to work, I need to…[Read more]

@ jenni101 – HTTP_HOST is the entire Host header field.  Your WordPress URL settings on the WordPress General Settings page – WordPress Address (URL) and Site Address (URL) – set the Host header field.  Site Address (URL) is your actual Host header field.  So as long as your Site Address (URL) includes www then if someone types in the non-www UR…[Read more]

many thanks – so the
{HTTP_HOST}
is now used instead of the actual site url?

Give it a try.  705 and 755 directory permissions should work exactly the same as far as WordPress is concerned.

I just heard back from our hosting company (SiteGround). I described the issue to them and they offered the following as a potential solution:

“As you can see, the permissions of the folder /wp-content are 705, which means that the cPanel user can read, write and execute it, but the group has 0 permissions. You can consider updating them to the…

[Read more]

Intermittent problems or problems that start happening all of a sudden are typically going to be related to things like: php memory/cache/caching plugins/CDN’s/VPN’s/Proxy’s/Load Balancers/Host server problems (new security measures added on Host server (Mod Security, etc.), DNS server/DNS configuration problem, MySQL server timeout, server overl…[Read more]

Thank you very much for the info, much appreciated.

Agreed, interference from a plugin is possible, especially since we use the same plugins across a large number of our sites (and we’ve been seeing the “temp” file problem across many of our sites). Probably difficult to pinpoint in that case though since the issue seems very unpredictable (e.g.,…[Read more]

Here is the description help text for the WordPress get_filesystem_method() function. I see that plugins can define a custom transport handler so maybe one of your plugins is interfering with the WP filesystem check?
/**
* Determines which method to use for reading, writing, modifying, or deleting
* files on the filesystem.
*
* The priority of…[Read more]

Here is the relevant section of the WP code in the /wp-admin/includes/file.php file below.  The code checks the WP file system method and writes a temp file in the wp-content folder if the $method cannot be found/detected.  The errors are “normal” errors that are used to check for ModSecurity installed on a web host. The errors are not related t…[Read more]