BPS Alert! An htaccess file was NOT found in your WordPress wp-admin folder

Home Forums BulletProof Security Free BPS Alert! An htaccess file was NOT found in your WordPress wp-admin folder

This topic contains 16 replies, has 2 voices, and was last updated by  Paul Yun 2 months ago.

Viewing 15 posts - 1 through 15 (of 17 total)
  • Author
    Posts
  • #37556

    Paul Yun
    Participant

    I have this error message, “The BPS version: BULLETPROOF x.x SECURE .HTACCESS line of code was not found at the top of your Root htaccess file”after the installation.   Where can I find the BPS version: BULLETPROOF x.x SECURE?

    #37557

    AITpro Admin
    Keymaster

    Are you seeing 2 different alert messages for both the Root and wp-admin htaccess files?  Are htaccess files enabled or disabled?  You can check that under the Setup Wizard Options > Enable|Disable htaccess Files option setting.  If htaccess files are enabled you will see this option setting value: htaccess Files Enabled.

    If you have another plugin installed that adds htaccess code at the top of the Root htaccess file then you will see the BPS “The BPS version: BULLETPROOF x.x SECURE .HTACCESS line of code was not found at the top of your Root htaccess file” alert message.  What do you see at the top of your Root htaccess file?  You can check that on the htaccess File Editor tab page > Your Current Root htaccess File tab > check the very top of your root htaccess file for any htaccess code and post the htaccess code in your forum reply.

    #37559

    Paul Yun
    Participant

    I see only one alert.  I check the WP-Admin folder and there is .htaccess file.  I don’t know why I got the BP alert saying, “An htaccess file was NOT found in your WordPress wp-admin folder”.  I see these:
    I checked the .htaccess file in wp-admin folder and found the top portion as following:
    I found that this .htaccess file is different from the main one. What is the next step? Please help.

    #   BULLETPROOF 3.4 WP-ADMIN SECURE .HTACCESS     
    
    # DO NOT ADD URL REWRITING IN THIS FILE OR WORDPRESS WILL BREAK
    # RewriteRule ^(.*)$ - [F] works in /wp-admin without breaking WordPress
    # RewriteRule . /index.php [L] will break WordPress
    
    # WPADMIN DENY BROWSER ACCESS TO FILES
    # Deny Browser access to /wp-admin/install.php
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # To be able to view the install.php file from a Browser, replace 127.0.0.1 with your actual 
    # current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
    # Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1 
    # Note: The BPS System Info page displays which modules are loaded on your server. 
    
    # BEGIN BPS WPADMIN DENY ACCESS TO FILES
    <FilesMatch "^(install\.php)">
    <IfModule mod_authz_core.c>
    Require all denied
    #Require ip 127.0.0.1
    </IfModule>
    
    <IfModule !mod_authz_core.c>
    <IfModule mod_access_compat.c>
    Order Allow,Deny
    Deny from all
    #Allow from 127.0.0.1
    </IfModule>
    </IfModule>
    </FilesMatch>
    # END BPS WPADMIN DENY ACCESS TO FILES
    
    # BEGIN OPTIONAL WP-ADMIN ADDITIONAL SECURITY MEASURES:
    
    # BEGIN CUSTOM CODE WPADMIN TOP
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    
    # END CUSTOM CODE WPADMIN TOP
    
    # BEGIN EXAMPLE OF OPTIONAL/ADDITIONAL SECURITY MEASURES
    # EXAMPLE WP-ADMIN DIRECTORY PASSWORD PROTECTION - .htpasswd
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    # This code example from BEGIN EXAMPLE to END EXAMPLE is just an example of optional
    # code that you could add to your wp-admin htaccess file in the CUSTOM CODE WPADMIN TOP text box.
    # IMPORTANT: To setup Directory Password Protection use your web host control panel.
    # This example code is just showing you what the code will look like after you setup
    # Directory Password Protection using your web host control panel.
    # NOTES: Adding Directory Password Protection creates an additional password login
    # to gain access to your wp-admin folder/WordPress Login page.
    # Users / visitors to your site will not be able to register or login to your site
    # unless you give them the Directory Password Protection username and password.
    # You can specify a single specific user or use valid-user to allow all valid
    # user accounts to be able to login to your site.
    
    # EXAMPLE:
    #AuthType basic
    #AuthGroupFile /dev/null
    #AuthUserFile /path/to/protected/server/directory/.htpasswd
    #AuthName "Password Protected Area"
    #require user JohnDoe
    #require valid-user
    # END EXAMPLE OF OPTIONAL/ADDITIONAL SECURITY MEASURES
    
    # END OPTIONAL WP-ADMIN ADDITIONAL SECURITY MEASURES
    
    # BPS REWRITE ENGINE
    RewriteEngine On
    
    # BEGIN CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    # To add wp-admin plugin skip/bypass rules use BPS wp-admin Custom Code.
    # If a plugin is calling a wp-admin file in a way that it is being blocked/forbidden
    # by BPS you can whitelist that file name by creating a skip rule for that file.
    #
    # Example: skip/bypass rule for the admin-ajax.php file and post.php file
    # RewriteCond %{REQUEST_URI} (admin-ajax\.php|post\.php) [NC]
    # RewriteRule . - [S=2]
    #
    # The [S] flag is used to skip following rules. Skip rule [S=2] will skip 2 following RewriteRules.
    # The skip rules MUST be in descending consecutive number order: 4, 3, 2...
    # If you add a new skip rule above skip rule 2 it will be skip rule 3: [S=3]
    #
    # Example: Multiple skip rules in descending consecutive number order.
    # Yoast Facebook OpenGraph wp-admin plugin skip/bypass rule
    # RewriteCond %{QUERY_STRING} page=wpseo_social&key=(.*) [NC]
    # RewriteRule . - [S=3]
    # skip/bypass rule for the admin-ajax.php file and post.php file
    # RewriteCond %{REQUEST_URI} (admin-ajax\.php|post\.php) [NC]
    # RewriteRule . - [S=2]
    #
    
    # END CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    
    #37561

    AITpro Admin
    Keymaster

    I think maybe you added custom htaccess code incorrectly in the BPS Custom Code feature.  Do these steps and let me know if it fixes the error.

    1. Go to the BPS Custom Code tab page.
    2. Click the Delete button to delete all additional custom code that was added to BPS Custom Code text boxes.  Note:  If you want to save any custom htaccess code then save it to a plain text file first before clicking the Delete button.
    3. Go to the Setup Wizard page and run the Setup Wizard again.

    #37562

    Paul Yun
    Participant

    Sorry, I don’t see the BP custom code tab page.  Where can I find?  I see only htaccess core, MScan, Login security, JTC Lite, Idle session Lockout, DB Backup, Security Log, Maintenance Mode, System Info, Email|Log Setting, UI|UX Settings, and Setup Wizard tab

    #37563

    Paul Yun
    Participant

    I think you meant to click here to go to the BPS Custom Code page.  I found it.  When I click the OK, it will delete all of Root and WP-admin Custom code from all of the Custom code text boxes.  How do I save it in plain text file?

    #37564

    Paul Yun
    Participant

    After following your instruction, it still shows the same error, “The BPS version: BULLETPROOF x.x SECURE .HTACCESS line of code was not found at the top of your Root htaccess file.”.  I notice that after I click “set up Wizard”, I see these:
    Is this good sign now?

    #37565

    AITpro Admin
    Keymaster

    Go to the BPS File Editor tab page > Your Current Root htaccess File tab > check the very top of your root htaccess file for any htaccess code and post the htaccess code in your forum reply.  Note:  You want to check your root htaccess file and not the wp-admin htaccess file.

    #37566

    Paul Yun
    Participant

    Thanks for all of your help.

    After I go to “htaccess File Editor>>tab and click “Your Current Root htaccess File” tab. Here is a very top portion of current root htaccess file:

    # BULLETPROOF 3.4 SECURE .HTACCESS
    
    # PHP/PHP.INI HANDLER/CACHE CODE
    # Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently.
    # Most Hosts do not have/use/require php/php.ini Handler htaccess code
    
    # TURN OFF YOUR SERVER SIGNATURE
    # Suppresses the footer line server version number and ServerName of the serving virtual host
    ServerSignature Off
    
    # DO NOT SHOW DIRECTORY LISTING
    # Disallow mod_autoindex from displaying a directory listing
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
    # and paste it into BPS Custom Code and comment out Options -Indexes
    # by adding a # sign in front of it.
    # Example: #Options -Indexes
    Options -Indexes
    
    # DIRECTORY INDEX FORCE INDEX.PHP
    # Use index.php as default directory index file. index.html will be ignored.
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
    # and paste it into BPS Custom Code and comment out DirectoryIndex
    # by adding a # sign in front of it.
    # Example: #DirectoryIndex index.php index.html /index.php
    DirectoryIndex index.php index.html /index.php

    *******

    Please let me know if you need to see more of this Current Root htaccess File.

    #37567

    AITpro Admin
    Keymaster

    Since the “BULLETPROOF 3.4 SECURE .HTACCESS” version line of text does exist at the top of your Root htaccess file then what is happening is that this BPS checking code below is not working correctly due to some issue on your website/server.  Have you added any additional code in your wp-config.php file or somewhere else that would change the value of ABSPATH?  Are you or your web host blocking/disabling any PHP functions?  Do you have any WordPress Plugins installed that “hide” WordPress folders/files?

    Check your wp-config.php file for any code that could cause this problem.
    Deactivate all of your other Plugins and see if the BPS error message goes away or not.

    $filename = ABSPATH . '.htaccess';
    $check_string = @file_get_contents($filename);
    
    ! strpos( $check_string, "BULLETPROOF" ) && ! strpos( $check_string, "DEFAULT" )
    #37568

    Paul Yun
    Participant

    No, I don’t have additional code in WP-Config file. Yes, I have one plugin that hide WP-Admin folder, but when I disable it and check the current Root htaccess file, there is no additional line below. I also disable other plugins and check the “Current Root htaccess file. Still there is no additional line below.”BULLETPROOF 3.4 SECURE .HTACCESS” Is there anything to do with the “Lock htaccess File” tab? or “Unlock htaccess File” tab? Here is wp-confile.php file

    Here are related lines in the wp-config.php file:

    /** Absolute path to the WordPress directory. */
    if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
    
    /** Sets up WordPress vars and included files. */
    require_once(ABSPATH . 'wp-settings.php');
    
    /* Destination directory for file streaming */
    define('WP_TEMP_DIR', ABSPATH . 'wp-content/');

    *******

    Wrong path in wp-config.php file?

    #37569

    AITpro Admin
    Keymaster

    Your wp-config.php code looks normal.  You can try locking the Root htaccess file, but I think the problem is being caused by something else.  Logically the problem that is occurring is that something is breaking the BPS error checking code that checks the Root htaccess file to find the “BULLETPROOF 3.4 SECURE .HTACCESS” text.  Since the text does exist then the only logical thing I can think of is something is breaking the BPS error checking code.

    You can try using WP_DEBUG to see if any php errors are displayed that have clues to what is causing the problem > https://codex.wordpress.org/WP_DEBUG
    You can check your PHP error log for clues to what is causing the problem.
    You can check your server error logs for clues to what is causing the problem or have your web host check your server logs for what is causing the problem.

    #37570

    Paul Yun
    Participant

    Locking the root htaccess file did not change the current root htaccess file.

    By using WP-Debug and Debug_Log, it shows a conflct between the theme and pluggable.php.  Here what it showed on the screen:

    Deprecated: Function create_function() is deprecated in /home3/kaffirli/public_html/wp-content/themes/enfold/config-layerslider/LayerSlider/wp/widgets.php on line 4
    
    Warning: Cannot modify header information - headers already sent by (output started at /home3/kaffirli/public_html/wp-content/themes/enfold/config-layerslider/LayerSlider/wp/widgets.php:4) in /home3/kaffirli/public_html/wp-includes/pluggable.php on line 1219.

    I open the pluggable.php file and copy a block of codes related to the line 1219 here:
    [Code deleted by AITpro Admin – the code is not relevant to the problem]
    What should I do now?

    #37571

    AITpro Admin
    Keymaster

    These PHP errors are not related to whatever is causing the problem for BPS.  The “Warning: Cannot modify header information – headers already sent by…” error message happens very commonly because WP_DEBUG sends the headers to do debugging.  So using WP_DEBUG actually causes this PHP error.  The deprecated function error can be ignored.  The Theme author will fix that when they have a chance to fix that.  At this point the only suggestions I have are to check your server logs for any clues and if you cannot find anything then contact your web host support folks to see if they can figure out what is causing the problem.  You can send this link to your web host support folks so they can see which BPS code is being broken by something on your website or something on your server > https://forum.ait-pro.com/forums/topic/bps-alert-an-htaccess-file-was-not-found-in-your-wordpress-wp-admin-folder/#post-37567

    #37572

    Paul Yun
    Participant

    Thanks for your help, AITpro Admin.

    I don’t see anything suspicious in server log and I contacted Hostgator support.  They edited the htaccess file and it caused the “Root htaccess file” looks like this when I checked it: # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS

    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)HTTP(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

    **************

    They are ll Rewrite conditions.  I told them that is not working.  They suggested to contact the plugin developer and need to know which code they need to add to make it work, instead.

    Any idea to make it work?

Viewing 15 posts - 1 through 15 (of 17 total)

You must be logged in to reply to this topic.