BPS Changelog|Whats New


This topic contains 4 replies, has 3 voices, and was last updated by  AITpro Admin 4 months, 4 weeks ago.

  • #25152

    AITpro Admin
    Keymaster

    2.9
    Enhancement: New System Info check: Mod Security Module Loaded|Enabled check. Displays whether or not the mod_security or mod_security2 Modules are loaded or displays that Mod Security is not Loaded|Enabled.

    Improvement: The BPS bpsPro_apache_mod_directive_check() function now includes new BPS Mod Security DB options that are updated on BPS upgrades and new installations of BPS when running the Setup Wizard. The new BPS Mod Security DB options are used in the new Mod Security Module Loaded|Enabled Dismiss Notice.

    New Dismiss Notice: Mod Security Module Loaded|Enabled: This new Dismiss Notice checks if Mod Security is Loaded|Enabled and provides a link to this forum topic: Mod Security Common Known Problems that explains the Mod Security SecRules and SecFilters issue/problem in detail and has information on how to fix problems caused by Mod Security SecRules and SecFilters. Mod Security SecRules and/or SecFilters are known to break some features in the BPS and BPS Pro plugins as well as some features in WordPress, other plugins and themes.

    Procedural Change: MScan: The MScan pattern matching code has been removed from the mscan-ajax-functions.php file and a new file: mscan-pattern-match.php has been created that will automatically be copied to the /bps-backup/mscan/ folder on BPS upgrades and new installations. Some web hosts see the MScan pattern matching code as malicious and will either delete or make the mscan-pattern-match.php file unreadable or the /mscan/ folder unreadable. In previous BPS versions deleting or making the mscan-ajax-functions.php file unreadable caused BPS not to function normally or other various problems. In BPS 2.9+ and BPS Pro 13.4.1+ versions, if a web host does delete the /bps-backup/mscan/mscan-pattern-match.php file or make the file or folder unreadable then BPS and BPS Pro will still function normally, but MScan will of course not be usable on your particular website/server/web host. An MScan error message is displayed on the MScan page if the /bps-backup/mscan/mscan-pattern-match.php file does not exist or is unreadable or if the /bps-backup/mscan/ folder does not exist or is unreadable.

    Procedural Change: The MScan Automatically Delete /tmp Files option setting is known to cause website/server crashes on SiteGround and Cyon Hosting. The MScan Automatically Delete /tmp Files default option setting has been changed to Off. A new warning message is displayed when the MScan Automatically Delete /tmp Files option setting is set to On.

    New Option Setting Functionality: JTC-Lite: The JTC ToolTip can now be hidden/not displayed by entering a blank space in the JTC ToolTip text box.

    New Option: JTC-Lite: New text box option created for custom CAPTCHA error messages for the Login form. Allows someone to create a customized JTC CAPTCHA error message instead of displaying the default JTC CAPTCHA error message.

    Improvement: DB Backup accordion tabs now display relevant Active accordion Tab when processing all DB Backup Forms. DB Backup Form processing code has been moved hierarchically in the db-backup-security.php file so that “Refresh” buttons are no longer needed.

    BugFix: DB Backup: Closing “strong” code tag missing forward slash in the Download|Delete Backup Files Form processing causing the Create Backup Jobs accordion tab to display broken when deleting a DB Backup Zip file.

    Improvement: Login Security & Monitoring Form processing code has been moved hierarchically in the login.php file so that “Refresh” buttons are no longer needed. Memory usage and Completion time checks have also been removed.

    BugFix: Login Security: Attempts Remaining countdown fix after user account is locked, the lockout time has expired and the user attempts to login again. The Attempts Remaining countdown now displays attempts remaining countdown correctly.

    Procedural Improvement: Setup Wizard: create additional root htaccess file backup with timestamp filename format on each Setup Wizard run. Root htaccess file backups are stored in the /wp-content/bps-backups/master-backups/ folder.

    Improvement: MScan: Additional cleanup help steps added for Pharma Hack cleanup.

    Improvement: bps-ui-accordion.js file: New accordion options added.

    New Dismiss Notice: Plugin review/rating request. This Dismiss Notice is displayed 30 days after someone upgrades BPS or on new installations of BPS.

    2.8
    New Feature Dismiss Notice: JTC-Lite: As of BPS 2.8 JTC-Lite is no longer automatically setup by default when upgrading BPS. A new feature Dismiss Notice is displayed instead with setup steps to enable/turn On JTC-Lite. For new BPS installations JTC-Lite is setup automatically by the BPS Setup Wizard.
    BugFix: Login Security: Attempts Remaining value has been corrected for first time user account logins to display the correct number of Attempts Remaining value.
    BugFix: MScan: mscan-stop.txt file variable path correction in admin.php.
    Text Correction: MScan delete log file message correction.
    Procedural Change: Inline CSS changed for various BPS buttons to allow button text wrapping for i18n language translation button text.
    Enhancement: New System Info check: PHP Disable Functions and Suhosin Function Blacklist.
    Procedural Update: Setup Wizard AutoFix whitelist rule update for WooCommerce.

    2.7
    Procedural Fix: BPS Pro MU Tools must-use plugin: nonce verification failing for Toggle links on SSL sites. SECURE_AUTH_COOKIE defined condition added.
    Revert Visual Improvements: Problem: BPS jQuery Accordion tabs are not visible/displayed due to poorly coded plugins and themes loading their js and CSS scripts in BPS plugin pages and breaking js functionality and CSS visual display. Solution: revert the newer advanced/sophisticated BPS js initialization and CSS code and return to using dumbed down js and CSS code in order for BPS to function somewhat normally when other poorly coded plugins and themes are installed on a site that load their scripts in BPS plugin pages and break BPS plugin functionality and visual appearance.
    Dev Note: The only realistic approach/method left to take is to create inline js and CSS code at this point. That will ensure that BPS js and CSS code is loaded in BPS plugin pages instead of other poorly coded plugins and themes js and CSS code being loaded in BPS plugin pages and overriding and breaking BPS plugin code. Since this problem occurs in many poorly coded plugins and themes for many years it is not realistic to expect that those poorly coded plugins and themes will ever fix their bad code.

    2.6
    Procedural Fix: open_basedir conditions added to MScan to accommodate folks who use open_basedir. Note: open_basedir causes MScan scanning to take 6 times longer than a regular/normal scan. Pending: Additional scan time estimate calculations specifically for open_basedir will need to be created in the next BPS plugin version. Currently estimated scan times for folks who use open_basedir are off by 6 times. This only affects folks who are using open_basedir, which is probably around 1% to 5% of folks.

    2.5
    BugFix: Added Network|Multisite subsite menu link code for JTC-Lite.

    2.4
    New Feature: MScan Malware Scanner: Scans website files for hacker files or code and scans the WordPress database for hacker code. For more information about the BPS Pro MScan Malware Scanner click the MScan Malware Scanner Guide link below. For troubleshooting help or to post suspicious code for help determining whether or not the code is actually malicious or safe click the MScan Troubleshooting & Code Posting link below. MScan scans can be scheduled to run automatically (BPS Pro Only) or MScan scans can be run manually.
    MScan Malware Scanner Guide
    MScan Troubleshooting & Code Posting

    New Feature:  JTC-Lite:  JTC-Lite is a limited version of BPS Pro JTC Anti-Spam|Anti-Hacker that protects the WP Login form from constant Bot Brute Force Login attacks that repeatedly lock user accounts. JTC-Lite provides anti-lock Login Form protection only.  If you would like to protect all of your WP forms that capability is available in BPS Pro JTC Anti-Spam|Anti-Hacker.

    Procedural Change: The Login Security “Enable Login Security for WooCommerce” option is now disabled by default in BPS free and cannot be enabled. The reason for that is JTC-Lite does not offer anti-lock protection for the WooCommerce custom login form and only provides anti-lock protection for the standard WP login form.

    Procedural Removal: WooCommerce Enable LSM option Dismiss Notice deleted. BPS free no longer offers Login Security protection for the WooCommerce custom login form.  The reason for that is JTC-Lite does not offer anti-lock protection for the WooCommerce custom login form and only provides anti-lock protection for the standard WP login form.

    New Page|Menu:  Email|Log Settings: Email Alerting and Log file options have been moved from the Login Security page, Security Log & DB Backup Log pages to the new Email|Log Settings page.

    New Option:  Email|Log Settings:  MScan Malware Scanner Email|Delete Log File option for automated log file processing/handling.

    Improvements:  UI|UX CSS and jQuery visual improvements. Do not display jQuery Dialog Read Me help button text until jQuery Dialog is initialized. Do not display jQuery Accordions until jQuery Accordions are initialized. Note: This improvement also prevents Dialog Read Me help text from being displayed inpage when another plugin is loading its js scripts in BPS plugin pages and breaking BPS plugin pages visually.

    Improvement: CSS button width uniformity changes throughout BPS plugin pages.

    Security Improvement: Added CSRF Nonce verification in BPS MU Tools must-use plugin Toggle GET Request links.  Special thanks to Mohamed A. Baset, Founder and CyberSecurity Advisor at Seekurity SAS de C.V. http://www.seekurity.com for reporting this security issue.

    Procedural Change:  Login Security:  Change default Automatic Lockout Time option setting from 60 minutes to 15 minutes. This only affects new BPS installations and does not affect BPS upgrades.

    Improvement:  BPS Status Display:  Display hover tooltip icon question mark status message for new BPS installations that have not run a DB Backup yet.

    Enhancement: New System Info check: Zend OPcache enabled or disabled. Zend OPcache version if enabled.

    Improvement: Add RegEx file extension matching pattern for 403 & 405 Security Logging templates. Usage: Security Log Event Codes.

    Setup Wizard AutoFix: New AutoFix added for the PowerPress Podcasting plugin.

    Setup Wizard AutoFix: New AutoFix added for the Flatsome theme.

    BugFix: HPF replace hard coded plugins folder path name with dynamic plugins folder path.

    2.3
    Improvement: UI|UX HTML and CSS changes. Cleaner/simpler visual look for Blue, Black and Grey Skins. CSS knick-knack cleanup.
    Improvement: Add Must-Use plugin check on System Info page. Get total number of Must-Use plugins installed and display Must-Use plugins in the Get Plugins List jQuery Dialog popup window.
    Improvement: Setup Wizard AutoFix: trim extra whitespace from Custom Code whitelist rules.
    Change: Minimum WP Version required for the BPS and BPS Pro plugins has been changed from WP 3.7 to WP 3.8. All WP 3.7 conditional code and files have been removed.
    Revert: Root htaccess file|Custom Code: The R flag causes duplicate Security Log entries for 405 HEAD Requests made on some web hosts. Remove R from 405 HEAD Request RewriteRule in REQUEST METHODS FILTERED code block and other areas. Automatically fixed on BPS upgrade in Root htaccess file and Root Custom Code.
    Procedural Fix: Delete the BPS Pro MU Tools must-use file in cases where BPS Pro is manually deleted and the BPS free plugin is installed.
    Procedural Fix: Update the BPS MU Tools timestamp to +5 minutes during BPS plugin upgrades to prevent email alerts being sent during the WP plugin update for the BPS plugin.
    Procedural Fix: Login Security php errors displayed and logged when WP_DEBUG is turned On.
    BugFix: Setup Wizard AutoFix Notice: Do not display the Setup Wizard AutoFix Notice on Network/Multisite subsites.
    BugFix: Setup Wizard root htaccess file automatic backup fatal error. Fixes Fatal error: Class ‘ZipArchive’ not found in wizard-backup.php on line 112.
    BugFix: Enable Login Security for WooCommerce option being reset to 1/On on BPS upgrade and Setup Wizard rerun. Only enable once if the option does not exist.
    BugFix: Only set/reset “Do Not Log POST Request Body Data (0KB)” as default option setting for new BPS installations or BPS upgrades if POST Request Body Data options have not been previously saved.

    2.2
    BugFix: Renamed the $woocommerce variable in login-security.php to something unique to avoid collisions/conflicts with this common variable name being declared a Global.

    2.1
    BugFix: The old bps-plugin-autoupdate.php file was not being deleted in time before the new bps-mu-tools.php file was created.

    2.0
    • New Option & Feature: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup): This option is turned On by default and can be turned Off on the BPS Setup Wizard Options page. Setup Wizard AutoFix checks which plugins and themes you currently have installed and will display a BPS Setup Wizard AutoFix Notice to run the BPS Setup Wizard if any currently installed plugins or themes require Custom Code whitelist rules or AutoSetup. The BPS Setup Wizard automatically creates BPS Custom Code whitelist rules for known issues with any plugins and themes that need Custom Code whitelist rules. Setup Wizard AutoFix also automatically sets up and cleans up caching plugin’s htaccess code for these WordPress caching plugins: WP Super Cache, W3 Total Cache, Comet Cache Plugin (free & Pro), WP Fastest Cache Plugin (free & Premium), Endurance Page Cache and WP Rocket. Notes: These caching plugins were also tested, but do not require AutoSetup by the BPS Setup Wizard: Cache Enabler plugin and the Hyper Cache plugin. The Cachify plugin was tested, but could not be added to BPS Setup Wizard AutoFix due to a problem with the Cachify plugin creating invalid htaccess code. The Cachify plugin will be added at a later time once the problem is fixed in the Cachify plugin.

    Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Automation:
    List of plugins and themes that have AutoFixes: Setup Wizard AutoFix

    AutoWhitelist: The Setup Wizard AutoFix feature automatically creates Custom Code whitelist rules for 100+ known issues with plugins and themes. Previous versions of BPS and BPS Pro required doing a manual copy and paste solution to manually add Custom Code whitelist rules to BPS Custom Code.

    AutoSetup: The Setup Wizard AutoFix feature automatically gets htaccess caching code from caching plugins (WP Super Cache, W3 Total Cache, Comet Cache Plugin (free & Pro), WP Fastest Cache Plugin (free & Premium), Endurance Page Cache and WP Rocket) and saves caching plugin’s htaccess code in BPS Custom Code. Previous versions of BPS and BPS Pro required doing a manual copy and paste solution to manually add caching plugin’s htaccess code to BPS Custom Code.

    AutoCleanup: The Setup Wizard AutoFix feature automatically removes any existing caching plugin’s htaccess code in BPS Custom Code and the Root htaccess file if the caching plugin is no longer activated or installed. Example scenario: You have Plugin X Caching plugin installed and decide to try Plugin Y Caching plugin. Setup Wizard AutoFix (AutoCleanup) will automatically remove any existing htaccess code from BPS Custom Code and the Root htaccess file for Plugin X Caching plugin. At the same time Setup Wizard AutoFix (AutoSetup) will automatically create Plugin Y’s Caching code in BPS Custom Code and the Root htaccess file. So instead of having to manually add or remove any caching plugin’s htaccess code in BPS Custom Code, the Setup Wizard AutoFix feature will automatically do that when you run the BPS Setup Wizard.

    AutoFix Debugging: BPS UI|UX Settings page > BPS UI|UX|AutoFix Debug: Turning On the BPS UI|UX|AutoFix Debug option will display: plugin or theme names and the BPS Custom Code text box where plugins or themes should be creating Custom Code whitelist rules. Usage: If the BPS Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Notice is still being displayed after running the Setup Wizard then the BPS UI|UX|AutoFix Debug option should be turned On to find the exact plugin or theme and the Custom Code text box where the problem is occurring. Example Debug Displayed message: CC Root Text Box 10: WooCommerce Plugin. This option could also be used generally to see which plugins and themes BPS AutoFix is creating Custom Code whitelist rules for and which Custom Code text boxes the AutoFix whitelist rules will be created in.

    Dev Note: Existing HUD error checks & message changes: WP Super Cache, W3 Total Cache, WooCommerce, Jetpack changed. New help text/links for the new Setup Wizard AutoFix feature. New HUD BPS AutoFix checking function created for 100+ plugins and themes (combined into one function).

    Dev Note: New conditions added to the EPC plugin dismiss notice: check if EPC version .9 is enabled and Cache level is 1,2,3,4.

    Removal: HUD Dismiss Notices: Jetpack, WooCommerce & Broken Link Checker plugins. Now handled by Setup Wizard AutoFix.

    • Change|Addition|Improvement: New AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) section has been added to the Setup Wizard Checks|Scans|Settings results. Additional section dividers added for Compatibility & Basic Checks, etc to make the Setup Wizard results visually easier to read. Hover ToolTip icons added for results that contain “extra” result data.

    • Option Name & Functionality Change: BPS UI|UX Debug option name change to BPS UI|UX|AutoFix Debug. Turning On the BPS UI|UX|AutoFix Debug option will display: plugin or theme names and the BPS Custom Code text box where plugins or themes should be creating Custom Code whitelist rules. Usage: If the BPS Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Notice is still being displayed after running the Setup Wizard then the BPS UI|UX|AutoFix Debug option should be turned On to find the exact plugin or theme and the Custom Code text box where the problem is occurring. Example Debug Displayed message: CC Root Text Box 10: WooCommerce Plugin. This option could also be used generally to see which plugins and themes BPS AutoFix is creating Custom Code whitelist rules for and which Custom Code text boxes the AutoFix whitelist rules will be created in.

    • Improvement: BPS Speed Boost Cache Dismiss Notice: Additional conditional checks added to check if BPS Speed Boost Browser Cache code exists in BPS Custom Code as well as other caching plugins Browser caching code. The check can be overridden by using a Marker: BPS NOCHECK. Using duplicate or redundant Browser caching code will not improve website performance and may actually cause your website to perform/load slower.

    • Improvement: BPS MU Tools must-use plugin Enable|Disable Action Links created to disable or enable the BPS MU Tools options. Enable|Disable BPS Plugin AutoUpdates, Enable|Disable BPS Folder|Deactivation Checks. Enable|Disable BPS Plugin AutoUpdates: Clicking this link enables or disables BPS Plugin automatic updates for the BPS plugin only. Enable|Disable BPS Folder|Deactivation Checks: Clicking this link enables or disables checks for whether the /bulletproof-security/ plugin folder has been renamed or deleted. Checks for whether the BPS plugin has been deactivated. Email alerts are sent every 5 minutes when the BPS plugin folder has been renamed or deleted or the BPS plugin has been deactivated. To disable these checks and the email alerts click the Disable BPS Folder|Deactivation Checks link. Note: When you click disable links you will then see enable links and vice versa.

    • Removal: UI|UX Option: BPS Plugin AutoUpdate has been removed. BPS plugin Automatic Updates enable or disable is now handled directly in the BPS MU Tools must-use plugin.

    • New Security Log Options: Security Log: POST Request Body Data option: 2 new checkbox options: Do Not Log POST Request Body Data (0KB) and Log Maximum POST Request Body Data (250KB). POST Request Body Data option name change from: Limit POST Request Body Data to: Log Minimum POST Request Body Data (5KB). The new default POST Request Body Data option setting is: Do Not Log POST Request Body Data (0KB), which will be automatically set on this BPS plugin upgrade only and new first run Setup Wizard installations. Some web hosts falsely interpret the BPS Security Log text file as malicious since hacker code used to attack your website can be captured/logged in the Security Log text file depending on your POST Request Body Data option settings. This change only affects logging or not logging data in the REQUEST BODY Security Log field and does not affect anything else about Security Log entries. Security Logging template files affected: 403.php, 404.php and 405.php.

    • Improvement: Replace: $_SERVER['QUERY_STRING'] superglobal with parse_url() PHP_URL_QUERY component to get Query String logging field values in all logging templates and logging code.
    • Dev Note: Files affected: 400.php, 403.php, 404.php, 405.php, 410.php, Isl-logout.php, bps-maintenance.php.

    • Procedural: Root and wp-admin htaccess file security rule modifications. On BPS upgrade automatically add additional https scheme conditions to 3 htaccess security rules and combine 2 rules into 1 rule for the currently active Root and wp-admin htaccess files. On BPS upgrade automatically update any existing BPS htaccess code to the new BPS htaccess code that is saved in Root and wp-admin Custom Code.

    • BugFix: Root htaccess file|Custom Code: Add R to 405 RewriteRule to REQUEST METHODS FILTERED code block. Automatically fixed on BPS upgrade in Root htaccess file and Root Custom Code.

    • Change: wp-admin master htaccess file: Remove Request Methods Filtered block of htaccess code in wp-admin Master htaccess file and Live wp-admin htaccess file on BPS upgrade.

    • Procedural: Setup Wizard: wp-admin htaccess file added to automated root htaccess file backup and zip download.

    • Procedural: New error check for the Oxygen plugin. The Oxygen plugin interferes with BPS MMode. An inpage check and error message is displayed on the BPS MMode page.

    • Procedural: MMode: Add additional condition to check if wp_mail() function exists. Prevents PHP Fatal error: Call to undefined function wp_mail() error.

    • Procedural: file exists check for all BPS log files. Fixes: PHP Warning: filesize(): stat failed for /xxxxx/public_html/wp-content/bps-backup/logs/http_error_log.txt, etc.

    1.1
    BugFix:  New BPS version numbering convention not successfully replacing the old BPS version numbering convention in the Root htaccess file for some scenarios.

    1.0
    New BPS version numbering convention: BPS plugin version numbers are no longer using the gimmicky “bullet caliber” version numbering convention (.44, .45, etc) due to causing issues/problems for the new WordPress Plugin Directory Nginx server. BPS plugin version numbers are now using a standard version numbering convention (1.0, 2.0, etc).
    New System Info Checks: cURL version, cURL OpenSSL Version (Used by PayPal, etc.) and DISABLE_WP_CRON constant check: Checks if Standard WP Crons are disabled using the DISABLE_WP_CRON constant.
    Procedural: New Dismiss Notice created for the Endurance Page Cache (EPC) must-use plugin.
    Forum Topic for EPC Plugin: https://forum.ait-pro.com/forums/topic/endurance-page-cache-infinite-redirect-loop-css-and-js-broken/.
    Change|Update: Sucuri plugin Restrict wp-content access Hardening Option Dismiss Notice conditional check changed to match newer Sucuri htaccess file changes.
    Dev Note: Setup Wizard PHP Configuration Memory limit check. Do not display a message if server configuration does not allow getting the PHP Memory limit value.
    Dev Note: BPS plugin asset banner changed for new WP Plugin site design.

    .54.5
    Enhancement: WP version number added in all Security logging code/text to aid in troubleshooting possible version issues/problems. Files affected: 400.php, 403.php, 404.php, 405.php, 410.php, isl-logout.php and bps-maintenance.php.
    Change: Numbering system added to Custom Code. Custom Code text boxes can be identified via numbers as well as Titles.
    BugFix: CSS Additional spacing added before Security Log Limit POST Request Body Data checkbox form.

    .54.4
    BugFix: WooCommerce Dismiss Notice function added to BPS HUD admin_notices function.

    .54.3
    New Option:  Enable Login Security for WooCommerce:  Check this checkbox if you have the WooCommerce plugin installed if you would like to use BPS Login Security on the WooCommerce custom login page. BPS Login Security will still continue to work normally on the standard WordPress Login page when you check this checkbox. This checkbox option setting is not for turning Login Security On or Off if you are using WooCommerce. Use the Login Security Turn On|Turn Off option to turn Login Security On or Off.

    Dev Note: LSM protects the Standard WordPress Forms: Login, Register, Lost Password, Comment, BuddyPress Register Form and BuddyPress Sidebar Login Forms and the WooCommerce custom Login page/Form. If WooCommerce is deactivated or WooCommerce is not installed and the Enable Login Security for WooCommerce checkbox option is checked then LSM will still work normally on the Standard WordPress Forms. M&A Core: LSM, SW, SWNO, BUF.

    New Dismiss Notice:  BPS Pro WooCommerce Options Notice:  Enable Login Security for WooCommerce
    BPS Pro Login Security & Monitoring (LSM) can be enabled/disabled for the WooCommerce custom login page by checking or unchecking the Enable Login Security for WooCommerce checkbox option setting. The LSM WooCommerce option is automatically enabled during the BPS upgrade if you already had WooCommerce installed before upgrading BPS Pro. If you just installed WooCommerce you can either run the Setup Wizard to enable the LSM WooCommerce option or you can enable this option manually by going to the BPS LSM plugin page if you want to enable LSM for WooCommerce.

    I18n:  Login Security frontend:  text domain tags created for Login Security frontend and email text messages.
    Change:  CSS and HTML changes for Form elements, div positions/spacing & jQuery UI Accordion widget for i18n language translations.
    Change:  Login Security email alert text changes:
    Old:  A User Account Has Been Locked.  New: A User Account has been locked on website:  example.com
    Old:  A User Has Logged in.  New:  A User has logged in on website: example.com
    Old:  An Administrator Has Logged in.  New:  An Administrator has logged in on website: example.com
    New System Info Checks: WP Temp Dir, PHP Temp Dir, PHP Upload Temp Dir, Session Save Path and WP_TEMP_DIR constant value check.
    Checks display either the directory path if it exists and is writable or Not set/defined or directory is not writable.
    Change:  Security Logging templates: Changed negative offset -1 to 0 for POST Request Body capture for PHP7.1.x compatibility. Fixes PHP error: PHP Warning:  file_get_contents(): Failed to seek to position -1 in the stream. Templates affected:  403.php, 404.php & 405.php.
    BugFix:  Custom User Roles:  Pre-save and correct Custom User Roles db option values during BPS upgrade. Fixes problem with ISL and ACE not allowing users with a Custom User Role to login if ISL or ACE is turned On.

    .54.2
    New Options: Custom User Roles: All BPS Form User Roles options now include custom user roles. If no custom user roles exist the standard WP User Roles will be displayed: Administrator, Editor, Author, Contributor & Subscriber. If Custom User Roles exist the User Roles will be displayed in a scrollable box.
    Features affected: WordPress Authentication Cookie Expiration (ACE) & Idle Session Logout (ISL).

    New Option: Auth Cookie Expiration (ACE): Enable|Disable Remember Me Checkbox:  Checking the Disable & do not display the Remember Me checkbox option will disable and not display the Remember Me checkbox for everyone including you. If you want to set and control the WordPress Remember Me setting then use the Remember Me Auth Cookie Expiration Time in Minutes option setting instead and choose an amount of time you would like to use for the Cookie expiration time.

    Enhancement: Security Log Event Code: HPR: Hacker Probe/Recon changed to: HPRA: Hacker Probe/Recon/Attack. Security Log 403 and 405 logging template files change.
    Enhancement: BPS Pro version number is now added in all Security logging code/text to aid in troubleshooting possible version issues/problems.
    Dev Note: All AITpro.com http help links changed to https links.

    .54.1
    New Option: Idle Session Logout Exclude URLs|URIs: This option allows you to exclude any pages or posts that you do not want ISL to check/monitor. Important: The URI path is everything after the root portion of your domain URL. Example: If the page/post you want to exclude is here: http://www.example.com/some-post/ then the URI Exclusion that you would use/enter is: /some-post/. If the page/post you want to exclude is here: http://www.example.com/category/some-post/ then the URI Exclusion that you would use/enter is: /category/some-post/.
    UI|UX: Mobile friendly Responsive design: CSS3 Media Queries created in all stylesheets. Viewport size range: 300px to Infinity.
    Change: Idle Session Logout (ISL): Changed instances of deprecated user_level to Roles.
    Change: Auth Cookie Expiration (ACE): Changed instances of deprecated user_level to Roles.
    Improvement: Hidden Plugin Folder|Files (HPF) Cron: Additional displayed message field “HPF Ignore Rule:”, which displays the exact ignore rule that is needed. The displayed HPF Ignore Rule can be copied and pasted into the Ignore Hidden Plugin Folders & Files text area.
    New UI|UX Option: BPS Plugin AutoUpdate: BPS Plugin AutoUpdate is set to Off by default. Choosing the AutoUpdate On option setting will allow the BPS plugin to automatically update itself when a new BPS plugin version is available. A must-use file is created in the /mu-plugins/ folder when you choose the AutoUpdate On option setting. The must-use file is deleted when you choose the AutoUpdate Off option setting or if you delete the BPS plugin.
    New Dismiss Notice: BPS Plugin Automatic Update Notice: Displays a dismissible notification about how to turn On BPS Plugin Automatic updates.
    TypoFix: mmod_rewrite Inconclusive > mod_rewrite Inconclusive.
    Dev Note: BPS Asset Banner redesigned.
    Dev Note: New Screenshot for Login Security.

    .54
    New Setup Wizard Option: Zip File Download Fix (Incapsula, Proxy, Other Cause)
    This new option allows these Zip files to be downloaded: Custom Code Export Zip file, Login Security Table Export Zip file or the Setup Wizard Root htaccess file backup Zip file if 403 errors are occurring when trying to download zip files due to an IP address problem with Incapsula, other Proxies or some other cause.

    Other|Misc:
    • Procedural: WordPress 4.6 Beta 4 testing completed.
    • WP 4.6 CSS Changes: CSS property changes for WP 4.6.
    • Enhancement: System Info page PHP Configuration File (php.ini) path check added. Displays the path to the currently loaded php.ini file if available.
    • Enhancement: Once daily cron option added to HPF Cron Check Frequency option.
    • Enhancement: File contents displayed in Hidden Plugin Folder|Files (HPF) Alert.
    • Improvement: JavaScript disabled check added for BPS plugin pages. Displays a warning message if JavaScript is disabled in the Browser.
    • BugFix: Hidden Plugin Folders|Files Cron alert displayed on Network|Multisite subsites correction.
    • BugFix: DB Table Prefix Changer Network|Multisite subsite Site options [DB Table Prefix]_[Site ID]_user_roles DB row update correction.
    • BugFix: MMode Network|Multisite subdomain site type: PHP Strict Standards: Only variables should be passed by reference fix.
    • Change: DB Backup Log: Old Zip Backup File(s) Automatic Deletion hourly log entries will only be logged if a DB Backup zip file was deleted.
    • Change: HUD Safe Mode Static check changed to a Dismiss Notice.

    .53.9
    New Feature: Save Customized default.htaccess file permanently for use in RBM Deactivation
    If the default.htaccess file is edited and customized using the htaccess Core > htaccess File Editor, the customized default.htaccess file will be saved to the /bps-backup/master-backups/ folder permanently. When Root Folder BulletProof Mode is deactivated the Custom default.htaccess file will be used instead of the default BPS generic WordPress htaccess file. If you have created a Custom default.htaccess file then it will be automatically copied from the /bps-backup/master-backups/ folder during a BPS plugin upgrade and will replace the default BPS default.htaccess Master file.

    Other|Misc:
    • BugFix|Correction: MMode Network|Multisite replace subsite site name variable name with dash/hyphen to underscore.
    • BugFix|Correction: Incorrect option name used in Cron Schedule conditions 15, 30 and 60. Fixes Notice: Undefined index php error.
    • Improvement: MMode additional conditional check if Countdown Timer checkbox is checked for Maintenance Mode Time Text Box error check.

    .53.8
    htaccess Core UI|UX Redesign:
    The htaccess Core UI|UX design has been simplified visually and functionally. Forms have been combined to reduce total overall number of clicks required to perform tasks. Features and Options have been moved to locations that make the most logical sense for ease of use, visual flow and functionality.
    • Removal: htaccess Core > Security Status page.
    • Removal: htaccess Core > Backup & Restore page.
    • Removal: Security Status: Various Additional Website Security Measures checks deleted. Redundant and obsolete.
    • Change|Move: Backup & Restore htaccess Files Form moved to Security Modes page.
    • Change|Move: Enable|Disable wp-admin BulletProof Mode option moved from WBM to Setup Wizard Options page.
    • Change|Move: Inpage Status Display option settings moved from Security Status to UI|UX page.
    • Change|Move: Reset|Recheck Dismiss Notices option Form moved from Security Status to Custom Code.
    • Change|Move: DB Show Errors check moved from Security Status to System Info page.
    • Change|Enhancement: Master htaccess Folder BulletProof Mode (MBM) new section created. Deactivate Form created.
    • Change|Enhancement: BPS Backup Folder BulletProof Mode (BBM) new section created. Deactivate Form created.

    Dev Note htaccess Core UI|UX:
    Core Error checking/messaging uses POST value true real-time value checking. Success|Error messages have been simplified. Form “confirm” messaging has been simplified. All Form code moved to includes as this provides an additional level of security protection against the Remote POST attack vector. Future Planned|Scheduled pending UI|UX Redesign for all BPS pages, features, etc. in stages (TL’s see Task List UI|UX Redesign Schedule). htaccess Core UI|UX Redesign Cu Score: 98% positive|2% negative.

    New Feature: Hidden Plugin Folders|Files (HPF) Cron
    Special Thanks to Alex Stamatellos at Webcentrix LLC: http://webcentrex.us/ for this new feature idea in BPS.
    A hidden or empty plugin folder is a plugin that exists in your /plugins/ folder, but is not displayed on the WordPress Plugins page. A hidden plugin can be used as a hacker backdoor to gain access to your WP Dashboard, hosting account, create user accounts, completely control your website and hosting account, etc. A non-standard WP file or modified/altered file in your /plugins/ folder can also do all of the things a hidden plugin can do. The HPF Cron is set up automatically when upgrading BPS and by running the Setup Wizard. The HPF Cron checks the WordPress /plugins/ folder for hidden or empty plugin folders and any non-standard WP files or altered files in the /plugins/ folder. This is a lightweight Cron check that uses an insignificant amount of resources/memory. So 4 checks per hour (check every 15 minutes) will not cause any significant resource/memory issues whatsoever. Even choosing Run Check Every 1 Minute would not cause any significant resource/memory issues whatsoever.

    HPF Dashboard Alerts & Email Alerts:
    If a hidden or empty plugin folder is detected or a non-standard WP file is detected then a BPS Dashboard Alert will be displayed and Email Alert will be sent to you. BPS Pro Only: The HPF Email Alert setting is in S-Monitor: HPF: Hidden Plugin Folders|Files (HPF) Cron and the option settings are: Send Email Alerts or Do Not Send Email Alerts.

    New Feature: System Info > Get Plugins List
    Clicking the System Info Get Plugins List button displays a list of all plugins installed, the version number of the plugin, activated or deactivated status and the URI path to the plugin in a jQuery Dialog popup window.

    New Feature|Option: BPS UI|UX Debug
    BPS UI|UX Debug is set to Off by default. Turning On the BPS UI|UX Debug option will display: plugin or theme Scripts that were Dequeued (prevented) from loading in BPS plugin pages, plugin or theme Scripts that were Nulled (prevented) from loading in BPS plugin pages by the Script|Style Loader Filter (SLF) In BPS Plugin Pages option and WP Toolbar nodes|menu items that were Removed in BPS plugin pages by the WP Toolbar Functionality In BPS Plugin Pages option. The Debugger will also display any SLF js or css Scripts that were Not Nulled|Allowed to load in BPS plugin pages.

    New Dismiss Notice: New Improved BPS Speed Boost Cache Code HUD Dismiss Notice
    Checks this BPS Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE for older BPS Speed Boost Cache Code and if older BPS Speed Boost Cache Code is found displays a link to get the newer BPS Speed Boost Cache Code, which should improve website load speed performance even more.

    New System Info Page Check: OpenSSL Extension/Version
    Checks if the OpenSSL extension is loaded and displays the OpenSSL version.

    New Idle Session Logout (ISL) Options: Idle Session Logout Page URL, Idle Session Logout Page Custom Message & Idle Session Logout Page Custom CSS Style
    • Idle Session Logout Page URL: Option to choose to redirect idle/inactive logged out users to any URL that you want to redirect them to by entering the URL in this text box. Example: If you enter the URL path to your WP Login page then users will be redirected to your WP Login page instead of the default BPS Idle Session Logout Page.
    • Idle Session Logout Page Custom Message: Option to choose to either use the default BPS ISL message/text by leaving the textarea box blank or you can enter your own custom ISL message/text in this textarea box that you want displayed to logged out users.
    • Idle Session Logout Page Custom CSS Style: Option to choose to either use the default BPS CSS Style code or enter your own custom CSS Style customizations.
    • Enhancement: Idle Session Logout > Idle Session Logout Page Login URL: Choose to display or not display a Login URL on the ISL Logout page.

    Other|Misc:
    • BugFix: Remove “default” from TEXT Type Create Table SQL code. Special Thanks to Max Fein: https://wp-networks.com for finding and reporting a bug in the BPS Create Table SQL code.
    • BugFix|Change: Apache Modules|Directives: mod-test index.php file HTML image name correction. mod_rewrite Module htaccess Status checking code changed to check both http and https internal image rewriting vs image redirection to Google. Additional 404 Status condition added.
    • BugFix|Correction: Network|Multisite: network_admin_notices Action Hook added to display Login Security password reset disabled notification on Network Edit Users page.
    • BugFix|Correction: wp_register_script|wp_enqueue_script and wp_register_style|wp_enqueue_style handles & dependencies code correction.
    • Enhancement: Register scripts and styles: Added: ver Query Strings & load scripts in footer.
    • Enhancement: Network|Multisite: Added Setup Wizard Action Link on Network Admin Dashboard Plugins page.
    • Enhancement: jQuery icon circle triangle CSS added to accordions.
    • Correction|Addition: Login Security Login by email address capability added. Technically this is a correction since this feature should have already been available in Login Security.
    • Nav Removal: Logs & Info Menu > Security Status Menu link.
    • Nav Change: UI|UX menu name change to UI|UX Settings.
    • Removal: System Info page: Custom Permalinks and PHP Version Check – redundant.
    • Security: Static HUD check/message for BPS Backup Folder BulletProof Mode (BBM) deactivated.
    • Change: Network|Multisite: Do not display BPS jQuery UI Dialog Pop up Form Uninstaller Options Action Link for Network|Multisite sites.
    • Dev Note: Setup Wizard db options update changed to ternary conditions.

    .53.7
    BugFix: Comment out Script|Style Dequeued debugging/testing code in admin.php.

    .53.6
    New Setup Wizard Options Option: Enable|Disable htaccess Files:
    Setup Wizard Enable|Disable htaccess Files Forum Topic
    The BPS Apache Modules and Directives testing code checks if mod_access_compat and/or mod_authz_core or mod_rewrite are loaded or can be processed (converted/translated) by your server by using a testing htaccess file and then checking the responses from your server. If BPS detects that your website/server cannot use htaccess files/code based on the responses from your website/server then BPS will automatically save/set the Setup Wizard Option > Enable|Disable htaccess Files setting to > htaccess Files Disabled. Automation Compatibility: htaccess features and files are automatically disabled if the Apache server does not have the necessary/required Modules loaded to use htaccess code/files. If the server type is Windows, Nginx or LiteSpeed and the server does not have the necessary conversion/translation configuration to use htaccess code/files then htaccess features and files are automatically disabled. Manual Usage: The Enable|Disable htaccess Files Option can be used to manually override the automated BPS Apache Modules and Directives checking code to manually disable or enable all BPS htaccess features. See the Setup Wizard Enable|Disable htaccess Files Forum Topic link above for details.

    New System Info Page Checks:
    GD Library Extension/Version – ImageMagick Extension/Version:
    Checks if the GD Library extension is loaded and displays the version. Checks if the ImageMagick extension is loaded and displays the version.

    New Dismiss Notice: Wordfence WAF Firewall HUD Dismiss Notice:
    Detects Wordfence htaccess code problems and displays help info with a forum link for solutions.

    Compatibility|Enhancement|Improvement: Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): Additional checks for compatibility with server configurations that do not have the necessary standard modules or directives loaded/configured to use htaccess files. Improved test/checking results accuracy: expected: 99%|hopeful: 100%. Displays conclusive Modules and Directives status response results. Function called in: Setup Wizard, BPS Upgrade, System Info & Core In-page check. Creates|Updates new DB option for Enable|Disable htaccess Files Setup Wizard Option. Displays: mod_access_compat, mod_authz_core, mod_authz_host and mod_rewrite checking/testing status results.
    Enhancement: Delete and Run text added under individual DB Backup dynamic form checkboxes.
    Enhancement: jQuery icon circle triangle CSS added to accordions.
    Improvement: System Info PHP Version Check displays PHP version.
    Improvement: System Info table title change from: SQL Database|Permalink Structure|WP Installation Folder|Site Type to: SQL Database Info|WordPress Site Info|Misc Checks.
    Improvement: System Info WordPress Site Info checks order changed.
    Improvement: Form option naming convention changes from Turn On|Turn Off to X On|X Off for: Login Security, ISL, ACE, UI|UX, Inpage Status Display and DB Backup All Scheduled Backups form option names. Special thanks to Laughter On Water: http://low.li/ for this excellent idea.
    BugFix: Duplicate MIME-Version email headers sent in BPS automated emails. Using standard wp_mail headers array vs concatenation and duplicate MIME-Version header removed.
    BugFix: wp_clear_scheduled_hook() added for bpsPro_DBB_check and bpsPro_email_log_files Cron job Hooks in bulletproof_security_deactivation().
    BugFix: Black UI Theme Skin broken by extra CSS curly bracket in updatedinner class.
    BugFix: Dashboard Status Display div broken when ISL and ACE are turned on in S-Monitor, but are not actually turned on in ISL or ACE. Error Check/Message: ISL: Settings have not been saved yet. ISL is not turned On and/or ACE: Settings have not been saved yet. ACE is not turned On.
    BugFix|AutoFix: DB Backup Zip Download 403 error. Overwrite/replace older htaccess file versions on page load.
    BugFix|Form Sanitization|Validation: Special thanks to Kacper Szurek: http://security.szurek.pl/ for finding and reporting 2 Form Sanitization|Validation bugs in BPS DB Backup that needed to be fixed. We appreciate the time and effort Kacper Szurek put into finding these bugs in BPS and reporting them to us. These Form Sanitization|Validation bugs are valid Security Vulnerabilities. In order to exploit these bugs you would need to be logged in as an Administrator to your website and visit a phishing site or click a phishing email link while you are logged into your website. The phishing site could capture your WordPress Session Cookie, but the Session Cookie cannot be reused by another Browser Session and the WordPress Cookies are hashed (encrypted) so your WordPress password could not be “unhashed” (decrypted). See this WordPress Cookies Codex page for more details: https://codex.wordpress.org/WordPress_Cookies#Non-Version-Specific_Data
    BugFix|Form Sanitization: Special thanks to Colette Chamberland: http://cjchamberland.com for finding and reporting a Form Sanitization bug in BPS DB Backup that needed to be corrected/fixed. We appreciate the time and effort Colette Chamberland put into finding this Form Sanitization bug in BPS and reporting it to us.
    Obsolete Removal: Security Status: WordPress Meta Generator Tag Removed and WordPress Version Removed checks.
    Change|Update: Deprecated function get_currentuserinfo replaced with wp_get_current_user().
    Update|Correction: Maintenance Mode Read Me help text formatting corrections.
    Assets: New screenshots for DB Backup, Maintenance Mode and System Info.
    Dev Note: Add isset condition for settings-updated checks. Fixes Undefined index: settings-updated error.
    Dev Note: Undefined variable: plugin_var variable name change and check: $plugin_var_w3tc and $plugin_var_wpsc.
    Dev Note: Moved and consolidated all HUD Dismiss admin_notices into 1 function with 1 admin_notice action. In-page call to functions removed.
    Dev Note: New BPS Installation & Setup Video Tutorial created.
    Dev Note: readme.txt updated with new Compatible Hosting/Host Server/WordPress Site Types info.

    .53.5
    New Security Log Feature: Total # of Security Log Entries by Type:
    Displays the total number of each type of Security Log Entry in your Security Log file. The Total # of Security Log Entries by Type is also added to each Security Log file when it is zipped and emailed to you and also added directly in the automated Security Log email. There are a total of 11 different Security Log Entry Types in BPS. A complete list of all BPS Security Log Entry Types can be found in the Security Log Read Me help button.

    New Maintenance Mode Option: Enable Visitor Logging:
    Checkbox option to enable visitor logging. If enabled, logs all visitors to your site while your site is in Maintenance Mode. Log entries are created in the BPS Security Log file.

    New Inpage Status Display Idle Session Logout (ISL):
    Displays On or Off status for Idle Session Logout in BPS Pages Only. ISL is an optional feature so ISL is not displayed in your BPS Inpage Status Display by default. To display ISL in your BPS Inpage Status Display choose the settings you would like to use for ISL and save your ISL settings.

    New Inpage Status Display Auth Cookie Expiration (ACE):
    Displays On or Off status for Auth Cookie Expiration in BPS Pages Only. ACE is an optional feature so ACE is not displayed in your BPS Inpage Status Display by default. To display ACE in your BPS Inpage Status Display choose the settings you would like to use for ACE and save your ACE settings.

    New WP_DEBUG Admin Notice:
    Checks if WP_DEBUG and/or WP_DEBUG_LOG are On/set to true in the wp-config.php file. Displays Admin Notice to alert someone that either of these WP_DEBUG constants is set to true/On in the wp-config.php file. Note: The default is “true” for WP_DEBUG_DISPLAY which shows errors and warnings as they are generated so a check has not been created for this constant value.

    New WooCommerce Dismiss Notice:
    New Dismiss Notice created for WooCommerce plugin users. Checks for existing older htaccess whitelisting code methods and displays a link to a forum topic that contains new WooCommerce whitelisting htaccess code for whitelisting WooCommerce shop, cart, checkout & wishlist URIs and whitelisting the WooCommerce “order” & “wc-ajax=get_refreshed_fragments” Query Strings.

    New System Info Page Checks: Total Plugins Installed & Total Plugins Activated
    Displays Total Plugins Installed & Total Plugins Activated. Usage: Troubleshooting issues/problems where excessive plugins are installed and/or are out of memory issues/problems that appear to be plugin conflicts instead of out of memory problems.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Procedural: WordPress 4.5 RC2 testing completed.
    Assets: New BPS plugin screenshots.
    Enhancement: Jetpack Dismiss Notice independent conditional button display.
    Enhancement: System Info PHP Version Check displays PHP version.
    Change: System Info table title change from: SQL Database|Permalink Structure|WP Installation Folder|Site Type to: SQL Database Info|WordPress Site Info|Misc Checks.
    Change: System Info WordPress Site Info checks order changed.
    Dev Note: Relevant general-functions.php code moved to 2 new files: hud-dismiss-functions.php & zip-email-cron-functions.php.
    Dev Note: Obsolete function bps_email_alerts_log_file_options removal. Code move to BPS plugin automatic upgrade function.

    .53.4
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Procedural: WordPress 4.5 Beta 4 testing completed.
    WP 4.5 CSS Change: New CSS property for Refresh Status pseudo button links.
    BugFix Form Validation: Special thanks to Onur Yilmaz & Robert Abela: https://www.netsparker.com/ for reporting a Form Validation bug in the BPS Security Log Add User Agents Form that needed to be corrected/fixed. We appreciate the time and effort put into finding this bug in BPS and reporting it to us. The Form Validation bug could loosely be considered a Security Vulnerability, but due to the fact that this Form Validation bug can only be exploited by an Administrator logged into a website and not by a non-Administrator that is not logged into the website then this bug appropriately falls under the specific category of: Form Validation bug instead of the very broad term/wording of Security Vulnerability. Note: Security Vulnerability is a broad general term that is very misunderstood. It can mean anything from a bug that is insignificant, which cannot result in a successful hack, to a bug that is critical/serious, which can result in a successful hack. In the majority of cases most Security Vulnerabilities are insignificant and cannot result in a successful hack.
    Update: HUD BLC Dismiss Notice: Update root htaccess code checking conditions for newer Request Methods Filtered HEAD Request nuisance filter htaccess code.
    BugFix: WP_DEBUG Suppress error: Undefined index: Submit-DBB-Reset in \wp-content\plugins\bulletproof-security\admin\includes\admin.php on line 405
    BugFix: WP_DEBUG Suppress error: Undefined variable: lock in \wp-content\plugins\bulletproof-security\admin\wizard\wizard.php on line 580
    BugFix: WP_DEBUG Suppress error: Undefined variable: lock in \wp-content\plugins\bulletproof-security\admin\wizard\wizard.php on line 584
    BugFix: WP_DEBUG Suppress error: Undefined variable: lock in \wp-content\plugins\bulletproof-security\admin\wizard\wizard.php on line 622

    .53.3
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Assets: New Setup Wizard and System Info screenshots added to assets folder.
    New Dismiss Notice: New Dismiss Notice created for Jetpack plugin users. Checks for existing older htaccess whitelisting code methods and displays links to forum topics that contain new custom Jetpack whitelisting htaccess code for allowing HEAD Requests and XML-RPC Bonus Custom Code.
    Form Sanitization: Special thanks to Erin Germ: http://eringerm.com/ for reporting several Form Sanitization problems in BPS that needed to be corrected/fixed. We appreciate the time and effort Erin put into finding these Form Sanitization problems in BPS and reporting them to us. These Form Sanitization problems could loosely be considered Security Vulnerabilities, but due to the fact that these Form Sanitization problems can only be exploited by an Administrator logged into a website and not by a non-Administrator that is not logged into the website then these problems appropriately fall under the specific category of: Form Sanitization Input|Output instead of the very broad term/wording of Security Vulnerability. Note: Security Vulnerability is a broad general term that is very misunderstood. It can mean anything from a bug that is insignificant, which cannot result in a successful hack, to a bug that is critical/serious, which can result in a successful hack. In the majority of cases most Security Vulnerabilities are insignificant and cannot result in a successful hack.

    .53.2
    Root Htaccess File Changes:
    Root Htaccess File: Significant Root htaccess File Changes Forum Topic
    Depending on your web host the BPS Root htaccess file Request Methods Filtered code will be either one of the example code blocks below. Either block of code does the exact same thing and the whitelisting method to allow HEAD Requests is the same: Comment out the last 2 lines of code with a # sign as shown below.

     # REQUEST METHODS FILTERED
     # If you want to allow HEAD Requests use BPS Custom Code and copy 
     # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code 
     # text box: CUSTOM CODE REQUEST METHODS FILTERED.
     # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
     RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
     RewriteRule ^(.*)$ - [F]
     #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
     #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

     # REQUEST METHODS FILTERED
     # If you want to allow HEAD Requests use BPS Custom Code and copy
     # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
     # text box: CUSTOM CODE REQUEST METHODS FILTERED.
     # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
     RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
     RewriteRule ^(.*)$ - [F]
     #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
     #RewriteRule ^(.*)$ - [R=405,L]

    System Info:
    CSS Work for visual uniformity.
    Dashboard|Inpage: Messages, Alerts, HUD, Dismiss Notices CSS changes:
    CSS changes for yellow background color to light blue background color. Added box shadow and corner rounding.
    Dashboard Status Display: i18n function correction
    Timestamps code correction fixed to display accurate date time based on WordPress General Timezone/Date Format.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Change: The .json file type has been added to all logging templates.
    CSS: Replace old AITpro logo with new AITpro logo in mod-test folder.
    CSS: Text Area boxes resize horizontally again.
    BugFix: WP_DEBUG Suppress error: Undefined variable: matches in /bulletproof-security/includes/db-security.php on line 486.
    BugFix: WP_DEBUG Suppress error: Undefined variable: matches in //bulletproof-security/includes/login-security.php on line 1143.
    BugFix: WP_DEBUG Suppress error: Undefined variable: matches in /bulletproof-security/includes/login-security.php on line 1251.
    BugFix: WP_DEBUG Suppress error: Undefined variable: matches in /bulletproof-security/includes/login-security.php on line 1441.
    BugFix: WP_DEBUG Suppress error: Undefined variable: matches in /bulletproof-security/includes/login-security.php on line 1654.
    BugFix: WP_DEBUG Suppress error: stat(): stat failed for ../wp-config.php in /bulletproof-security/includes/general-functions.php on line 320.

    .53.1
    New Feature: 405 Method Not Allowed Security Logging Template
    A new 405.php Security Logging template has been created to specifically handle and log HEAD Request errors as HTTP 405 Method Not Allowed Security Log entries. Previously HEAD Request errors were logged as 403 Security Log entries. Note: If HEAD Requests are currently being allowed with customized htaccess code on a website then HEAD Requests will still continue to be allowed and will not be blocked or logged by BPS.

    New Root htaccess Code: ERROR LOGGING AND TRACKING & REQUEST METHODS FILTERED
    ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php code is created automatically in the root htaccess file during BPS upgrades. The new ErrorDocument 405 directive htaccess code logs HEAD Requests as HTTP 405 Method Not Allowed Security Log entries. The root htaccess file Request Methods Filtered code has been changed so that HEAD Requests checking has its own individual condition and RewriteRule to handle HEAD Requests specifically and redirect them as 405 Method Not Allowed Requests, which in turn is handled by the ErrorDocument 405 redirect to redirect 405 HEAD Request to the Security Logging template. Note: If HEAD Requests are currently being allowed with customized htaccess code on a website then HEAD Requests will still continue to be allowed and will not be blocked or logged by BPS.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Visual Change: Login Security and htaccess Core Reset Dismiss Notices display loop messages on single lines with single Refresh button.
    CSS: Text Area boxes resize horizontally again.
    Dev Note: Core upgrade autoupdate function does literal DB option checks and saves default pre-set value or resave existing value. Resolves an issue with BPS upgrades from very old versions to newest version without having to re-run the Wizard.
    Dev Note: Security Log Read Me help text update. 410 Gone and 405 Method Not Allowed help text created.

    .53
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    CSS Change: New CSS code changes for visual compatibility with WP 4.4.
    Sanitization|Validation Audit: Sanitization and Validation coding work performed throughout all BPS code to avoid false reports of security vulnerabilities that are not actually any sort of vulnerability or threat. Mostly overkill, but some actual beneficial stuff. Note: Security Vulnerability is a broad general term that is very misunderstood. It can mean anything from a bug that is insignificant, which cannot result in a successful hack, to a bug that is critical/serious, which can result in a successful hack. In the majority of cases most Security Vulnerabilities are insignificant and cannot result in a successful hack.
    Enhancement: Automatically unlock, delete invalid standard WP Rewrite code and relock root htaccess file.
    Correction: Prevent creating duplicate or new POST Request Attack Protection code correction during BPS upgrades if someone has commented out the wp-admin Request URI whitelist rule.
    Correction: htmlspecialchars added to Custom Code error checks for invalid BPS Query String Exploits code and invalid standard WP Rewrite code.
    Correction|BugFix: ob_end_flush(); added to 403.php logging template.
    Correction|BugFix: ob_start(); and ob_end_flush(); added to the 400.php and 410.php logging templates.
    Enhancement: $_SERVER['SERVER_PROTOCOL'] condition added to header functions in Security Logging templates.
    Improvement: The Setup Wizard no longer has a 15 minute Apache Module ifModule check time restriction so that new BPS Core folder self-protection htaccess files are created if needed in real-time.
    Change: Security Logging check for On|Off. Only checks if 403 Logging is On or Off and no longer checks if other ErrorDocument directives are On|Off.
    BugFix: Suppress various insignificant php errors when WP_DEBUG is enabled.

    .52.9
    Enhancement: Setup Wizard Check for Pre-existing Custom Code & Zip Backup
    The Setup Wizard checks your current root htaccess file for any existing custom or additional htaccess code that is not standard WordPress htaccess code or BPS standard htaccess code. This is a one-time event that occurs the first time you install BPS. If the Setup Wizard detects any existing custom or additional htaccess code in your root htaccess file, a message is displayed to you with a “Download Root htaccess File” button to download your root-htaccess-file.zip file to your computer as a backup.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    BugFix: Additional conditional check added for standard WP rewrite code block removal. Only remove the standard WP rewrite block of code if the root htaccess file is a standard BPS root htaccess file.
    BugFix: Suppress PHP Notice: Undefined index: HTTP_ACCEPT_ENCODING error on System Info page.
    Correction|Addition: Automated BPS upgrade correction|addition for POST Request Attack Protection Bonus Custom Code. WP Theme Customizer blank/403 error. New whitelist rule created. Special Thanks to: Mike Harrison for reporting this.

    .52.8
    BugFix: Security Log: Fixed duplicate visual content displayed.

    .52.7
    New Option: Security Log Limit POST Request Body Data
    The default Security Log Request Body Data capture/log limit is 250000 maximum characters, which is roughly about 250KB in size. The new Limit POST Request Body Data checkbox option limits the maximum number of Request Body Data characters captured/logged in the Request Body logging field to 500 characters, which is roughly 5KB in size. You can capture/log entire hacking scripts if you do not check the Limit POST Request Body Data checkbox (See Note below), but that means your log file size could increase dramatically and you could receive more automated Security Log zip file emails. Note: To capture/log all POST Request Attacks against your website you will need to add the POST Request Attack Protection Bonus Custom Code: POST Request Attack Protection Bonus Custom Code

    Enhancement: Security Log 403 Logging Template
    The Security Log 403 Logging template has a new logging field: REQUEST BODY that captures/logs POST Request Body data/content if the POST Request Body is not empty. To maximize POST Request security protection for your website and capture/log entire hacker scripts use the new POST Request Attack Protection Bonus Custom Code: POST Request Attack Protection Bonus Custom Code

    New Bonus Custom Code Dismiss Notice: POST Request Attack Protection
    Long|Extensive Help Info: POST Request Attack Protection Forum Topic
    Short|Simplified Description:
    The BPS POST Request Attack Protection Bonus Custom Code filters all POST Requests made to your website. Each RewriteCond line of code in the POST Request Attack Protection Bonus Custom Code is a whitelist rule that says to allow all POST Requests to that file or URL|URI that contains a POST Form. To whitelist additional files, URL’s, POST Forms on your website you would add a line of code that has the name of the file or the URL|URI to allow/whitelist all POST Requests to that file, URL, POST Form. If you choose to add this Bonus Custom Code to BPS Custom Code, check your BPS Security Log for a few days for any 403 POST Request Log entries to make sure that you have whitelisted/allowed all POST Forms on your website that need to be whitelisted/allowed.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Security Enhancement: Security Log content is now filtered to display only ASCII printable characters.
    Removal: Defunct/obsolete Block Referer Spammers Bonus Custom Code Dismiss Notice removed.
    Dev Note: REMOTE_ADDR variable check replaced with “get real IP address” function for inpage IP whitelisting on MMode page.
    Dev Note: PHP error Undefined index: HTTP_USER_AGENT suppressed in the 403 Security Logging template.

    .52.6
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    WordPress Language Packs Prep: All BPS plugin .po and .mo language translation files have been deleted in preparation for new plugin Language Packs creation by the WordPress PolyGlots Team.
    Removal: Obsolete BPS automated .po and .mo language translation file deletion function removed.
    Visual Enhancement: BPS Plugin Logo: New logo – pulsing animated GIF image.
    Visual Enhancement: jQuery :odd Selector alternate table row color for Forms in the Blue UI Theme Skin.
    Core Enhancement: Apache Module Forward|Backward Compatibility fallback added for various scenarios where the Live test is blocked/ignored/rejected by Hosts.
    Correction: Add Apache Module conditions to Activate Master htaccess BulletProof Mode and Activate BPS Backup BulletProof Mode Forms.
    Change|Improvement: The BPS Changelog and Whats New page have been moved to BulletProof Security Forum website.
    Reasons for this Changelog|Whats New page change: The BPS Changelog|Whats New page will not have to be translated by the WordPress PolyGlots Language Packs Team for each new version release of BPS, the Changelog|Whats New page will be much easier to maintain, the readme.txt file size will be much smaller in the BPS plugin, a complete history of all BPS version changes through the years and other beneficial reasons.

    .52.5
    Core Enhancement: Apache Module Forward|Backward Compatibility:
    BPS automatically checks which Apache Modules are loaded on your server: mod_access_compat, mod_authz_core and mod_authz_host and checks availability|forward|backward compatibility and also IfModule conditions support to automatically create the correct htaccess code and files for your website|server. All BPS htaccess writing|updating|upgrading|new installations|creation|ip whitelisting, etc. htaccess code is automatically created based on Live BPS Apache Module and IfModule tests that are performed in BPS during BPS plugin upgrades and new installations to determine and create the correct htaccess code for each individual server|website. A new System Info feature has been added that performs Live tests with results and also includes a Visual Test – see New Feature: System Info page: for details. Dev Note: Live Apache Module check and automation performed in-page on htaccess Core page.

    Apache Module Compatibility List of Features|Files|htaccess Code Affected:
    htaccess Core: Root and wp-admin htaccess code|files creation. Custom Code in-page automated IP whitelisting.
    Core: BPS plugin directory self-protection htaccess files.
    Login Security: in-page automated IP whitelisting.
    DB Backup: in-page automated IP whitelisting.
    Maintenance Mode: in-page automated IP whitelisting, BackEnd MMode IP whitelisting.
    Setup Wizard: automated htaccess code|files creation.

    New Feature: System Info page: Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
    The System Info Apache Modules|Directives check checks mod_access_compat, mod_authz_core and mod_authz_host availability|forward|backward compatibility and also IfModule conditions support. A visual test page (Click the View Visual Test link) has also been created to see the Apache Module|htaccess code and checks visually for troubleshooting purposes. BPS automatically detects which Apache Modules are loaded|available on your host server and creates the correct htaccess code for your particular website|server throughout all BPS htaccess files.

    Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
    mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: Yes
    mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
    mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    BugFix: Network/Multisite Rewrite Loop End Custom Code Form name field correction.
    BugFix|Correction: DB Table Prefix Changer: Only allow entering numbers, lowercase letters and underscores in the Randomly Generated DB Table Prefix Form text box. Special thanks to Sathish from: Cyber Security Works Pvt Ltd for reporting a bug/security vulnerability in the DB Table Prefix Changer tool Form. Notes: You MUST be an Administrator and logged into the site as an Administrator in order to enter/test XSS html testing code in the Randomly Generated DB Table Prefix Form text box. Please do NOT actually try this test if you are using a version of BPS that is below .52.5. BPS .52.5 and above versions will only allow entering numbers, lowercase letters, and underscores for the DB Table Prefix name. If you have a BPS version below .52.5 then entering an invalid DB Table Prefix name will crash your website.  Note: Security Vulnerability is a broad general term that is very misunderstood. It can mean a bug exists that is insignificant, which cannot result in a successful hack to a bug exists that is critical/serious, which can result in a successful hack. In the majority of cases most Security Vulnerabilities are insignificant and cannot result in a successful hack.
    Dev Note: New condition added for Apache Module /mod-test/ folder in 403.php logging template to prevent 403 errors from being logged when Live Apache Module tests are performed|processed.
    Dev Note: admin.php obsolete code removal for deny all htaccess file creation for BPS Backup and Master Backups folders.

    .52.4
    Submenu Name Change|Addition:
    UI|UX Submenu name has been changed to: UI|UX|Theme Skin Spinner|ScrollTop WP Toolbar|SLF

    Feature Improvement|Enhancement: jQuery ScrollTop Animation:
    The jQuery ScrollTop Animation code now performs a conditional Browser User Agent|Rendering Engine check and uses customized jQuery ScrollTop Animation code for each Browser individually for best visual animation/appearance in each Browser. New jQuery ScrollTop animation code has been created that has much better/smoother animation overall.

    New Option: Turn On|Off jQuery ScrollTop Animation:
    jQuery ScrollTop Animation can be turned On or Off on the UI|UX menu/page. The jQuery ScrollTop Animation is the scrolling animation that you see after submitting BPS Forms, which automatically scrolls to the top of BPS plugin pages to display success or error messages. The jQuery ScrollTop animation code is conditional based on your Browser User Agent|Rendering Engine.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    BugFix: jQuery ScrollTop Animation 404 image error correction. Special Thanks to: Mike Harrison for reporting this bug.
    Dev Note: Structural Core options.php file renamed to core.php and all related URI’s are now pointing to this new page.
    Dev Note: HTML Structural and related CSS changes to Core pages: bps-container div and WP wrap class moved and combined.

    .52.3
    New Feature: Login Security & Monitoring Export|Download Login Security Table Tool:
    The Export|Download Login Security Table tool exports (copies) the Login Security Table into the lsm-master.zip file, which you can then download to your computer. The lsm-master.zip file contains the lsm-master.csv file. The CSV (Comma Separated Values) file format can be opened with Microsoft Excel or other applications that can open/use CSV files.

    Core Enhancement|Improvement: jQuery ScrollTop animation:
    jQuery ScrollTop animation has been added to all BPS plugin pages to animate scrolling pages to top 0 after Forms are submitted so that all displayed success/error messages are visible/viewable with the exception of Forms that should display data and/or messages inpage. All major Browsers tested working fine. IE Issue: IE ScrollTop animation is not fluid/smooth.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    BugFix: Pre-save Custom Code DB options (if they do not exist) for use in the Custom Code Export|Import Tools. New Installations: Pre-saved in Setup Wizard. Upgrades: Pre-saved in the BPS upgrade function.
    BugFix: Login Security Search Form button unclickable due to div problem.
    Improvement: Descriptive success/error message created for all Log File Logging Form code, My Notes Form, Custom Code Forms and other various Forms where a descriptive message is important vs using a general/standard WP “Settings Saved” message.
    Improvement: BPS Changelog: Special Thanks to: Krzysztof Trynkiewicz – Sukces Strony for improvements to the BPS Changelog format for better readability.
    Enhancement: System Info – Website Headers Check Tool display Headers result at top of page instead of inpage.
    Enhancement: System Info – System checks are not performed when Website Headers Check Tool Forms are submitted.
    Dev Note: Custom Code Forms now using standard Form processing code instead of WP options.php Form code.
    Dev Note: New Core File: core-forms.php. New LSM Files: lsm-export.php, lsm-help-text.php.

    .52.2
    Setup Wizard Automation Enhancement|Improvement:
    The Setup Wizard Pre-Installation Checks automatically detect php/php.ini handler htaccess code in an existing root htaccess file and create/save that php/php.ini handler code in BPS Custom Code and the new root htaccess file that is automatically created by the Wizard. Prior to BPS .52.2, php/php.ini handler htaccess code required additional manual steps to complete this task.

    HUD Check Enhancement|Improvement: php/php.ini handler htaccess code check:
    The php/php.ini handler htaccess code HUD check now displays a link to the Setup Wizard page. Clicking the link and visiting the Setup Wizard page automatically creates/saves that php/php.ini handler code in BPS Custom Code.

    New Feature: Custom Code Export|Import|Delete Tools:
    Export Tool: The Custom Code Export tool exports (copies) all of your Root and wp-admin custom htaccess code into the cc-master.zip file, which you can then download to your computer.

    Import Tool: The Custom Code Import tool imports all of your Root and wp-admin Custom Code from the cc-master.zip file on your computer into the Custom Code text boxes and saves your imported custom htaccess code to your WordPress Database. You can unzip the cc-master.zip file on your computer to extract the cc-master.txt file for editing to add/change any custom htaccess code in the cc-master.txt file.

    Delete Tool: The Custom Code Delete tool deletes all of your Root and wp-admin Custom Code from all of the Custom Code text boxes and your WordPress Database. The Delete tool can be used for troubleshooting possible invalid/bad custom htaccess code issues/problems or simply just to delete all custom htaccess code in all of the Custom Code text boxes.

    New Option: Setup Wizard Options: Network|Multisite Sitewide Login Security Settings:
    Network|Multisite Sitewide Login Security Settings: This option is for Network|Multisite sites ONLY. This is an independent option Form that creates and saves Login Security DB option settings for all Network sites when you click the Save Network LSM Options Sitewide button. If Login Security option settings have already been setup and saved for any Network site then those Login Security option settings will NOT be changed. If Login Security options settings have NOT already been setup and saved for any Network site then those Login Security option settings will be created and saved with default settings.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Correction: Displayed message text correction for W3TC and WP Super Cache htaccess code error check.
    Enhancement: General Help and info section added to Whats New page.
    Enhancement: BPS Plugin Uninstall Options on WordPress Plugins page – Uninstaller CSS class name added for modal display problem.
    Dev Note: htaccess Core tab page structure/order change.
    Dev Core: WP Plugins page BPS plugin description changes.
    DB Backup: Additional help info regarding Export|Import of Backup Jobs DB Table.
    readme.txt: Requires at least: 3.0 changed to Requires at least: 3.7

    .52.1
    Submenu Name Change|Addition:
    BPS Main Menu > UI|UX Submenu name has been changed to: UI|UX|Theme Skin Processing Spinner WP Toolbar|SLF

    Feature Name Change: RSK naming convention changed to Script|Style Loader Filter (SLF):
    RSK is a bit too aggressive and is a somewhat offensive naming convention. Cool, but not cool at the same time. Script|Style Loader Filter (SLF) is a logical naming convention and is non-offensive. See the SLF Mod|Description below for additional info.

    SLF Mod|Description:
    In some cases, filtering other plugin and theme scripts from loading in BPS plugin pages causes the BPS plugin pages to hang severely, which means that a new issue/problem is created that is worse than the original issue/problem that SLF was designed to fix/solve. Original problem: BPS plugin pages not displaying visually correct due to other plugin or theme scripts loading in BPS plugin pages. SLF is set to Off by default. SLF has an On|Off setting under the UI|UX menu/page. See the UI Theme Skin|Processing Spinner|WP Toolbar|SLF Read Me help button for additional information.

    Bonus Custom Code Dismiss Notice Enhancement|Improvement:
    An additional Dismiss All Notices link|feature has been added to dismiss all Bonus Custom Code notices at the same time. Displayed message: Click the links below to get Bonus Custom Code or click the Dismiss Notice links or click this Dismiss All Notices link. To Reset Dismiss Notices click the Reset|Recheck Dismiss Notices button on the Security Status page.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Cosmetic: Undefined index PHP error suppressed for ISL and ACE User Role checkboxes when WP_DEBUG is turned On.

    .52
    New Menu|Page:
    Idle Session Logout|Auth Cookie Expiration

    New Feature: Idle Session Logout (ISL)
    ISL|ACE Forum Topic: Automatically logout idle/inactive Users. ISL uses javascript Event Listeners to monitor Users activity for these ISL events: keyboard key is pressed, mouse button is pressed, mouse is moved, mouse wheel is rolled up or down, finger is placed on the touch surface/screen and finger already placed on the screen is moved across the screen. Option Settings: Turn On|Off, Idle Session Logout Time in Minutes, Idle Session Logout Page URL, User Account Exceptions, Enable|Disable Idle Session Logouts For These User Roles: Administrator, Editor, Author, Contributor, Subscriber and Enable|Disable Idle Session Logouts For TinyMCE Editors. Click the Idle Session Logout|Auth Cookie Expiration Read Me help button for full details.

    New Feature: Auth Cookie Expiration (ACE)
    ISL|ACE Forum Topic: Change the WordPress Authentication Cookie Expiration time. The default WordPress Authentication Cookie Expiration time is 2880 Minutes/2 Days and 20160 Minutes/14 Days if a User checks the Remember Me checkbox when they login. You can change the WordPress Authentication Cookie Expiration time to whatever expiration time setting that you choose. Option Settings: Turn On|Off, Auth Cookie Expiration Time in Minutes, Remember Me Auth Cookie Expiration Time in Minutes, User Account Exceptions, Enable|Disable Auth Cookie Expiration Time For These User Roles: Administrator, Editor, Author, Contributor, Subscriber. Click the Idle Session Logout|Auth Cookie Expiration Read Me help button for full details.

    New Feature & Root htaccess File Addition: 410 ErrorDocument root htaccess code and template logging file
    410 Gone Usage Info: A 410.php template logging file has been created to handle 410 Gone Requests. 410 Gone Requests are logged in the BPS Security Log file. See the 410 Gone Usage Info link above for full details on usage.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Enhancement: jQuery Custom Classes added to all BPS jQuery code.
    Mod: CSS and js file name changes: -ui- used in naming convention.
    Enhancement: jQuery UI Dialog Read Me Help button hide effect changed from explode to blind.

    .51.9
    Login Security & Monitoring Automated Email Alert Enhancement|Improvement:
    Special Thanks to: mewkazoid for pointing out this useful improvement to BPS Login Security & Monitoring automated email alerts. The Login Security & Monitoring Automated Email Alert now contains additional help information about what to do if your User Account is being repeatedly locked.

    Brute Force Attack General Info:
    Automated Brute Force Login attacks by spambots and hackerbots are a regular and ongoing type of website attack. The volume and frequency of Brute Force Login attacks are steadily increasing and will continue to increase. Brute Force attacks make up somewhere in the neighborhood of 85 percent (probably more like 90 percent to 95 percent) of the total of all types of ongoing website attacks these days. BPS Login Security & Monitoring protects the WordPress Login page from Brute Force attacks, but if your username is publicly known/displayed or can be harvested by automated bots then your user account may get locked very frequently. Check the BPS plugin Whats New page for some additional things you can do to prevent your user account from being locked repeatedly.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    BugFix: File Permissions cache issue: Root htaccess file not being re-locked when AutoLock is turned On. Special Thanks to: Mike Harrison for reporting this bug.

    .51.8
    Summary Only: See the BPS plugin Whats New tab page for full descriptions and details

    New Feature: Setup Wizard:
    The BPS plugin can be setup with literally only 1 click now on the new Setup Wizard page. Setup Wizard Pre-Installation Checks are automatically performed and displayed on the Setup Wizard page. You can re-run the Setup Wizard again at any time.

    New Feature: jQuery UI Dialog Form BPS Uninstall Options:
    An Uninstall Options link has been created on the WordPress Plugins page under the BulletProof Security plugin. Clicking the Uninstall Options link loads a jQuery UI Dialog Form with 2 uninstall options: BPS Pro Upgrade Uninstall option – If you are upgrading to BPS Pro, select the BPS Pro Upgrade Uninstall option and click the Save Option button or just click the Close button below and do a normal plugin uninstall. Complete BPS Plugin Uninstall option – If you want to completely delete the BPS plugin, all files, Custom Code and BPS database settings, select the Complete BPS Plugin Uninstall option and click the Save Option button.

    New Option: Login Security Attempts Remaining option and Core Functionality Improvements:
    New Option Attempts Remaining: You can choose to display a “Login Attempts Remaining X” message when an incorrect password is entered. This new option is enabled by default during BPS upgrades and new installations. Core Functionality Improvements: When a User Account is locked out and previous User Account logins were logged|stored in the DB, those previously logged logins and data for those DB Rows is not changed|updated and instead a new DB Row is inserted. This allows for better chronological login tracking and monitoring. Affects both Logging Options – Log All Account Logins and Log Only Account Lockouts options and allows for switching between these Logging Options without affecting functionality or causing issues/problems.

    New Bonus Custom Code|Bonus Custom Code Dismiss Notice function Consolidation:
    Bonus Custom Code Dismiss Notice Consolidation: Combined|consolidated all Bonus Custom Code Notices into 1 Bonus Custom Code Notice function with 1 displayed Notice message instead of having several different displayed Notices. Each Bonus Custom Code contains a link to the Bonus Custom Code and a Dismiss Notice link. Referer Spammers|Phishing Protection, Mime Sniffing, Data Sniffing, Content Sniffing, Drive-by Download Attack Protection, External iFrame and Clickjacking Protection.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    New BPS Setup & Overview Video tutorial created: BPS Setup & Overview Video Tutorial – link added on the Setup Wizard page and htaccess Core Security Modes page.
    WP 4.2 Bug Reported|Ticket created with PoC (Proof of Concept) and solution provided: WP 4.2 hash anchor Bug Hash anchors were being stripped of URI’s. Solution provided to WP folks. Solution implemented by WP folks. No other issues or problems found with WP 4.2 and BPS Pro versions.
    Enhancement: WP flush_rewrite_rules function added to BPS complete plugin uninstall function. Creates new default generic WP root htaccess file on BPS complete plugin uninstall.
    BugFix: Dismiss Notice link correction when basename wp-admin on first Dashboard login.
    Enhancement: Custom Code inpage check for default WordPress Rewrite code added in Custom Code text boxes.

    .51.7
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Setup & Overview Video Tutorial Created|Added: Link to video tutorial is posted on BPS plugin Description page and htaccess Core Security Modes page.
    DB Backup: Backup Files Download|Delete Form scrollable table added and additional Read Me help information added.
    Inpage Status Display: Condition added to only load the Inpage Status Display on BPS plugin pages.
    WP Toolbar Functionality In BPS Plugin Pages: Default Network/Multisite menu items (nodes) added.
    Security Status: Inpage Status Display Turn On|Off Form action link correction to #bps-tabs-2 tab page.

    .51.6
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Correction: Inpage Status Display Turn On|Off code correction.
    Addition: System Info page conditional check added for: gc_enabled & gc_collect_cycles functions.
    Read Me help text added for: Inpage Status Display and Reset|Recheck Dismiss Notices options.
    Addition: Link to Security Modes page added to wp-admin htaccess file alert.

    .51.5
    Summary Only: See the BPS plugin Whats New tab page for full descriptions and details

    New Feature|Visual Enhancement: Inpage Status Display
    New Features|Options|Visual Enhancements: UI|UX|Theme Skin | Processing Spinner | WP Toolbar
    New Feature|Option: Turn On|Off The Processing Spinner
    New Feature|Option: WP Toolbar Functionality In BPS Plugin Pages
    New Feature: Memory Usage and Script Completion Time Check|Display
    New Features|Options|Visual Enhancements: DB Backup & Security
    New Feature|Option: Create Backup Jobs: Rename|Create|Reset Tool
    System Info: New Check Added | Changes
    htaccess Core: Security Status Page Changes
    BPS Submenu Name Change: UI Theme Skin submenu name has been changed to: UI|UX|Theme Skin | Processing Spinner | WP Toolbar

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    BugFix: Dismiss Notices button/link reload current page based on Request URI or Query String.
    Optimization|Performance: All BPS pages and functions.
    Removal: Obsolete functions/code removed/deleted.
    Dev Core: BPS plugin register scripts|styles | Enqueue scripts|styles | Dequeue plugin|theme scripts|styles loading in BPS plugin pages combined into one function. Additionally eliminated bloated individual load settings page code.
    BugFix: Additional variable check for conflicting|contradictory Automatic Update message/alert issue.
    Enhancement: WordPress Plugins page|BulletProof Security plugin “Settings” link name change to “Setup Steps”.
    Enhancement: Maintenance Mode menu page will not be displayed if wp-admin BulletProof Mode has been disabled.

    .51.4
    Maintenance Mode Network/Multisite Subdomain Completion:
    Maintenance Mode coding work has been completed for Network/Multisite subdomain site types. Maintenance Mode now works for every/all WordPress site types, BuddyPress and bbPress site types.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    BugFix: master-backups folder creation fix for unusual scenarios.
    BugFix: Automatic correction during upgrade for any existing timthumb RFI filter duplicate Referer lines.

    .51.3
    WordPress 4.1 jQuery UI Compatibility Code Correction:
    BugFix: BPS jQuery UI Dialog Read Me help window position not centered in WordPress 4.1. Fix: Corrected the BPS jQuery UI Dialog Position Method code by adding the appropriate “my” and “at” options. Note: For anyone else experiencing this issue see this Forum Topic for the solution: jQuery UI Dialog window position not centered
    Help Link Corrections: Special thanks to WordPress Member: mrppp for finding and reporting invalid help links in BPS.

    .51.2
    Significant Root and wp-admin htaccess File Changes: See the BPS plugin Whats New page for more details.

    Root htaccess File/Code Fix:
    Removal of additional instances of “BEGIN WordPress” and “END WordPress” text from the root htaccess file which caused multiple instances of the default wp htaccess code to be created in the root htaccess file when the WP flush_rewrite_rules function was executed by other plugins and themes.

    htaccess Help Text Improvement Overall:
    The help text throughout both the root and wp-admin htaccess files was very dated and was in need of updating. Better/clearer examples have been created in the help text. Overall the htaccess files are more streamlined and less cluttered looking visually.

    Structure/Order Code Changes:
    Several blocks of htaccess code have been structured differently as far as the general order/sequence of code goes in the root htaccess file and more importantly what code will remain in the root htaccess file in the event that the WP flush_rewrite_rules function is executed by another plugin or theme. There are several technical reasons for making these structure/order changes, which I will not bore you with. Basically things are structured/ordered much better for any/every possible scenario that may occur.

    Note: This is a one-time BPS Update that requires manual steps to be performed.
    All future versions of BPS will do the normal/typical automatic update of the BPS htaccess files. Overall we felt that creating a Notice about these significant changes vs just doing a normal automatic update was the best route to take for the primary reasons stated above and some additional reasons not stated here.

    New Custom Code Text Boxes Added:
    CUSTOM CODE TURN OFF YOUR SERVER SIGNATURE and CUSTOM CODE DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Enhancement: Custom Code accordion is now using tables vs CSS divs for cross Browser visual compatibility and obsolete CSS code has been removed for the CSS divs.
    Improvement: Overall inpage Custom Code help text information/example improvements.
    Improvement: Network/Multisite Net Correction code/check removed. No longer needed and is now obsolete.
    Enhancement: Remote Address IP check added in the 403.php Security logging template. Will display current IP address for troubleshooting purposes.

    .51.1
    Obsolete File Deletion:
    Special thanks to Pietro Oliva for finding and reporting Form code sanitization issues in the stand-alone bpsunlock.php file/Form code. The bpsunlock.php stand-alone Login Security user account unlock file/Form has been removed/deleted from BPS. After review of the usefulness of this Form it was decided that instead of spending the time to sanitize the Form code the bpsunlock.php file/Form has instead been removed/deleted from BPS.

    .51
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    BugFix: System Info page HTTP_HOST variable fallback for SERVER_ADDR IP address retrieval code correction. Missing gethostbyname function has been added to the HTTP_HOST variable IP address fallback and is now returning an IP address correctly.
    Code Correction|BugFix|Sanitization: System Info page Check Headers Tool Form code sanitization. Special thanks to Benjamin Kunz Mejri for finding and reporting this Form code sanitization issue that needed to be corrected. Note: This fixes a “security vulnerability” that was reported in BPS version .50.8, but the security vulnerability report is incorrect/not accurate so technically this does not qualify as a legitimate security vulnerability, but does qualify as a bug so credit for reporting a bug has been given. We are very appreciative when bugs are reported to us in BPS, but we also have to maintain 100% accuracy and facts in the changelog. Note: Security Vulnerability is a broad general term that is very misunderstood. It can mean a bug exists that is insignificant, which cannot result in a successful hack to a bug exists that is critical/serious, which can result in a successful hack. In the majority of cases most Security Vulnerabilities are insignificant and cannot result in a successful hack.

    .50.9
    System Info Enhancements/Improvements/Additions:
    DNS Name Server checking code performance improvement and conditional checking added based on domain labels. Network/Multisite subdirectory/subdomain site type check added and changes to existing conditional checks. output_buffering directive variable check changed and text correction. Additional conditional checks for PHP Actual Configuration Memory Limit. Will display color coded recommendations and/or memory limits. Various naming/text changes.

    htaccess Core Structural Core Changes:
    Reduction in size of large Options Core file by creating additional conditional supporting files with require. Deny All htaccess file is created in the new /core/ folder on init to protect the options.php core file. Other internal Core stuff.

    Security Log Design/Visual/Enhancement Changes:
    Auto-Locking added to Security Log Turn On/Off Forms. The root .htaccess file is automatically locked again if it was locked. Cross Browser compatibility visual display issues/problems with Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.

    Login Security Visual/Design Change:
    Cross Browser compatibility visual display issues/problems with Option/Settings & Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.

    DB Backup Log Visual/Design Change:
    Cross Browser compatibility visual display issues/problems with Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.

    Custom Code Network/Multisite Additional Text Box:
    CUSTOM CODE WP REWRITE LOOP END: Add WP Rewrite Loop End code here. This is a Special Network/Multisite Custom Code text box that should ONLY be used if the correct WP REWRITE LOOP END code is not being created in your root .htaccess file by AutoMagic. This Custom Code text box and Read Me help text is ONLY displayed if you have a Network/Multisite website.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Backend Maintenance Mode causing crashes due to newline not being generated in some cases. Additional newline added to wp-admin backend MMode htaccess writing code base
    Removal/Deletion of obsolete usage of bps_DNS_NS() function.

    .50.8
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Quickie BugFix Release – released 1 hour after release of .50.7:
    Network/Multisite BPS plugin Network Activation correction:  Conditional wrap added for blog_id 1

    .50.7
    htaccess Core Security Modes AutoMagic Buttons:
    BPS automatically detects your site type and displays the correct AutoMagic buttons for your site type. Other site type AutoMagic buttons are no longer displayed on the Security Modes page.

    Network/Multisite One Time Code Correction:
    If you have a Network/Multisite website/installation of WordPress you will see a one time htaccess code correction Notice message displayed to you with steps to perform the one time code correction when you upgrade BPS.

    Go Daddy Managed WordPress Hosting:
    If you have Go Daddy Managed WordPress Hosting see the BPS Whats New tab page within the BPS plugin.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Maintenance Mode countdown timer email website link correction for subdirectory websites.
    Maintenance Mode CSS visual improvements/changes/corrections.
    WordPress 4.0 RC1 final testing completed – no issues or problems.
    Delete old BPS bulletproof-security_info transient content on upgrade.

    .50.6
    New Option: Login Security & Monitoring Sort DB Rows:
    The Ascending Show Oldest Login First option displays logins from the oldest logins to your site to the newest logins to your site. The Descending Show Newest Login First option displays logins from the newest logins to your site to the oldest logins to your site. Example usage: Enter 50 for the Max DB Rows To Show option, which will show a maximum of 50 database rows/logins to your site and set Sort DB Rows option to Descending Show Newest Login First. You will see the last 50 most current/newest logins to your site in descending order.

    Enhancements: Login Security & Monitoring:
    CSS max-height changed from 1000px to 600px for the scrollable Dynamic DB table. 600px is a much better/more manageable viewing area.
    Lock, Unlock and Delete labels for individual checkboxes in Dynamic DB search form and standard form.
    DB Query improvement for the Dynamic DB standard form.

    New Option: htaccess Core wp-admin BulletProof Mode Enable/Disable wp-admin BulletProof Mode:
    This option is ONLY for Hosts that do not allow .htaccess files in the wp-admin folder. Go Daddy Managed WordPress Hosting (not standard Go Daddy Hosting) is the only known hosting account type where this option should be set to: Disable wp-admin BulletProof Mode. For everyone else you do not need to use this option. The default setting is already set to: Enable wp-admin BulletProof Mode.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Improvement: htaccess Core root domain label retrieval/writing:
    Improvement to htaccess Core code when retrieving & writing domain labels. Impact: Folks with 3+ domain label naming conventions such as: http://www.label1.label2.label3.

    .50.5
    Login Security Password Reset BugFix & New Option:
    BugFix: The Lost your password link was not being displayed when Login Security was turned Off.
    New Option: Turn Off Login Security/Use Password Reset Option ONLY.

    .50.4
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    DB Backup: backticks added to DB Backup Query to allow for hyphenated or other special characters in DB naming conventions.
    DB Backup dynamic DB table: max-height CSS change
    Login Security CSS auto-scroll: max-height CSS change
    DB Table Prefix Changer: Additional check for writable files for DSO server types.
    Root and wp-admin filter change
    Log timestamps synchronized to GMT: All log timestamps are now synchronized to GMT time.

    .50.3
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Correction|Improvement: root and wp-admin .htaccess filters/rules change/correction/improvement. See the BPS Whats New tab page for more details.
    Thanks goes to aselektor for spotting and reporting this.

    .50.2
    New Feature: DB Backup. Manual or scheduled (Hourly, Daily, Weekly and Monthly) database backups. Send DB Backups via email etc.

    New Feature: DB Backup Log. The Backup Job Completion Time, Zip Backup File Name, timestamp, etc. is logged. Backup Job Settings are logged.

    New Feature: DB Table Prefix Changer.

    New Feature: UI Theme Skin. 3 UI Theme Skins: Blue Gel Classic UI Theme, Light Grey jQuery UI Theme, Dark Black WP UI Theme.

    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Root .htaccess Security Filters Change: See the BPS Whats New tab page for more details.
    Login Security New Option/Option Change & Misc: Disable Password Reset Frontend Only, Disable Password Reset Frontend & Backend.
    System Info page: added MySQL Extension, MySQLi Extension check.
    Login Security email message text change when user account is locked.
    Whitelist the Debug Bar plugin debug-bar css and js scripts.

    .50.1
    Security Logging major changes/improvements to logging template files/code & start of Phase 1 Security Log Solution Targeting:
    The Security Logging code has been significantly improved in BPS .50.1. Logging is more streamlined, performance optimized & faster than in previous BPS versions, even with the new general conditional pattern checking code added.
    As of BPS .50.1 two new Security Log Fields have been added to Security Logging: Event Code and Solution. In Phase 1 of Security Log Solution Targeting the primary focus is on detecting possible Plugin Skip/Bypass rules & wp-admin Skip/Bypass Rules issues that need/require a one-time solution. Since 99.99% of the Security Log entries are blocked/forbidden hackers, spammers, scrapers, harvesters, miners, bad bots, etc. then the Security Log checking conditions can and should be streamlined/performance optimized by only looking at pattern matches in a broad scope.

    Maintenance Mode Accordion:
    Maintenance Mode Accordion created for better functionality/usability. Code correction: Maintenance Mode website name not displayed in the reminder email. Code correction: Maintenance Mode Apostrophes/single quote code character displayed with an escape backslash.

    New Bonus Custom Code/Dismiss Notice: WordPress XML-RPC DDoS Protection:
    Special Thanks goes to Gary Gordon for reporting the recent WordPress XML-RPC exploits/attacks. The XML-RPC DDoS PROTECTION Bonus Custom Code .htaccess code completely turns off/disables IXR-RPC Client/Server capabilities on a website by protecting the WordPress xmlrpc.php file from being publicly accessible, which prevents the IXR XML-RPC Client/Server connection. Using this Bonus Custom Code will turn off/disable remote posting capability from Weblog Clients (A Weblog Client is software you run on your local machine (desktop) that lets you post to your blog via XML-RPC), unless you add (whitelist) your IP address in the XML-RPC DDoS PROTECTION Bonus Code.

    New Dismiss Notice Added: WordPress Firewall 2 plugin check
    The WordPress Firewall 2 plugin contains a coding mistake and has not been updated in over 3 years. The wp-admin area is supposed to be whitelisted by default, but that code is not working correctly, which breaks several things in the BPS plugin. The Dismiss Notice will alert users to this existing problem.

    New/Updated Help & FAQ Help Links:
    Help & FAQ tab pages have updated links, old/outdated links removed, etc.

    .50
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Bugfix|Code Correction: Maintenance Mode str_replace has been changed to dirname for GWIOD site types to get the site root index.php file path
    Special Thanks go to Eddy Estevez for reporting this bug.

    .49.9
    New Feature: Maintenance Mode – FrontEnd/BackEnd Maintenance Mode
    Maintenance Mode Guide
    The previous Maintenance Mode feature in BPS has been completely removed/replaced with the new Maintenance Mode feature in BPS .49.9. This is a completely new BPS feature. The new BPS Maintenance Mode design includes 20 background images, 15 center images (text box image), allows you to embed image files and YouTube videos, FrontEnd Maintenance Mode, BackEnd Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes and most importantly is fast and simple to use so that you can switch in and out of Maintenance mode quickly and easily. Background image files/options and Center images (text box image) are independent of each other so that you can mix and match different background images with different Center images (text box image).

    New Headers check tool added to the System Info page:
    Check your website Headers or another website’s Headers by making a GET Request. Both GET and HEAD Headers checking is now available on the System Info page.

    New System Info checks:
    Standard/GWIOD Site Type, BuddyPress and bbPress. If GWIOD site type display WordPress Address (URL) and Site Address (URL).

    BPS Plugin/Theme Script Dequeue function added: Dequeue any/all other plugin or theme scripts that attempt to load in BPS plugin pages:
    A new BPS function has been added that Dequeues any/all other plugin or theme scripts on/in BPS plugin pages ONLY, which causes a wide variety of problems for BPS , such as broken plugin functionality, broken menus and pages not displaying visually correct. This new BPS Dequeue function only runs on/in BPS plugin pages and does not run anywhere else or affect anything else on a website. The BPS Dequeue function is only designed to prevent any other plugins or themes from loading their scripts in BPS plugin pages and does not do or affect anything else on a website.

    Security Log Code Correction/Enhancement: Security Log User Agent/Bot filter auto-updated during BPS upgrade:
    The BPS 403.php Security Log template file is replaced during BPS plugin updates/upgrades, which is normal WordPress plugin update/upgrade procedure. The BPS 403.php Security Logging template is now auto-updated during BPS plugin upgrades/updates and automatically adds any previously added/saved User Agent/Bot filters to the new 403.php template file if any User Agents/Bots to Ignore/Not Log were previously added/saved.

    W3TC and WPSC Error checking/messages modified to reflect current version error checking:
    Several things have changed in BPS .49.9 relating to W3TC and WPSC and related error messages.

    DB Table datatype Issue/problem affects SQL Server (not MySQL) only:
    CREATE TABLE Query id column datatype has been changed from mediumint(9) to bigint(20).

    Backup & Restore page/other misc pages:
    Master File backups and checks are obsolete and have been removed from BPS .49.9.

    htaccess Core Security Modes page:
    Descriptive titles added to Radio buttons for BulletProof Modes: Root Folder BulletProof Mode, wp-admin Folder BulletProof Mode, Master htaccess BulletProof Mode and BPS Backup BulletProof Mode.

    Feature Request by Daedalon: Unused po & mo Language files automatically deleted:
    Unused po & mo Language files are automatically deleted on page access for these BPS pages: htaccess Core, Login Security, Security Log and Maintenance Mode.

    .49.8
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Custom Code Code Correction: ENT_QUOTES flag added to Custom Code AutoMagic variables to convert Single Quote HTML entities stored in the DB back to characters during AutoMagic File writing.

    .49.7
    Network/Multisite Plugin Network Activation or Single subsite Plugin Activation:
    As of BulletProof Security .49.7, the BPS plugin can be Network Activated or you can allow the BPS plugin to be activated individually on each Network/Multisite subsite or of course you can choose not to Network Activate BPS or allow the BPS plugin on subsites.

    New AutoMagic WP 3.5+ Network/Multisite .htaccess code:
    BPS AutoMagic buttons automatically write the correct Network/Multisite root .htaccess code for your site based on your WordPress version.

    Network/Multisite New Feature Notice: BPS can now be Network Activated on Multisite:
    This Network/Multisite New Feature Dismiss Notice displays on Network/Multisite only to alert Network/Multisite site owners about the new Network Activation capability in BPS.

    CSS Visual Style Changes for WP 3.8+ MP6 & Pre 3.8 WP Versions:
    WordPress 3.8 is using the new MP6 GUI. A BPS 3.8 CSS stylesheet has been created to visually display things correctly in WordPress 3.8. BPS will automatically load the correct CSS stylesheet for your WordPress version. CSS visual enhancements were also created for pre WordPress 3.8 versions.

    .49.6
    Bonus Code Dismiss Notice Added: Author ID|User ID|Username BOT Probe Protection Code:
    Protects against hacker Bot Probes looking for WordPress author enumeration (a numbered list of Author ID’s/User ID’s) to exploit.
    Generates a standard WordPress 404 Error instead of displaying Author ID’s/User ID’s/Usernames.

    Root .htaccess File code modifications/changes:

    OLD: RedirectMatch 403 /\..*$
    NEW: RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    
    BPS Query String Exploits Code Changes
    OLD: RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
    NEW: RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    
    OLD: RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
    NEW: RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    
    OLD: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    NEW: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
    
    OLD: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    NEW: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]

    .49.5
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Reverting: Brute Force Login Protection code is now optional/Bonus Code again
    BPS will not automatically add this code as standard code in the root .htaccess file
    The Brute Force Login Protection Custom Code text box will remain for folks who can use this code on their websites.
    See the BPS Whats New page for more details

    .49.4
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Code Mod to Brute Force Login Protection code to allow for the widest possible range of compatibility
    This affected a small number of folks
    MOD: RewriteCond %{HTTP_USER_AGENT} ^(|-?)$ [NC,OR] to RewriteCond %{HTTP_USER_AGENT} ^$ [OR]

    .49.3
    New Feature – Security Log zip, email and delete/replace option:
    Security Log files are automatically zipped, emailed and replaced with a new blank security log file when they reach the maximum file size setting on the Security Log page. During the BPS upgrade this is automatically set to zip and email log files when they reach 500KB in size.

    Structural/Menu Changes:
    The Security Log & System Info tab pages have been moved out of htaccess Core and now have their own separate pages/menu links.

    New standard root .htaccess code added:
    Server Protocol HTTP/1.0 and blank User Agent htaccess BRUTE FORCE LOGIN PAGE PROTECTION code is now standard .htaccess code in the BPS root .htaccess file.

    New BPS Custom Code Text box added:
    A new Custom Code Text box has been added: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION.

    Check Headers Tool added to the System Info page:
    This tool allows you to check your website Headers or another website’s Headers remotely.

    New System Info page check – Public IP/X-Forwarded-For check:
    If you are using CloudFlare on your website then you will see Proxy X-Forwarded-For IP Address: instead of Public ISP IP/Your Computer IP Address: displayed to you. This additional check is for troubleshooting issues with CloudFlare, CDN, Proxy or VPN.

    PHP mysqli_get_client_info function additional check:
    Additional function checking code has been added in cases where the mysqli_get_client_info function is not available on a Host Server.

    .49.2
    BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
    Dismiss Notice text corrections: S-Monitor page text changed to Security Status page
    W3TC & WPSC Alerts text corrections: Edit/Upload/Download page text changed to htaccess File Editor page
    Several BPS functions renamed for uniqueness/no-conflict assurance
    PHP 5.5.x Deprecated function replacement file options.php: mysql_get_client_info replaced with mysqli_get_client_info
    PHP 5.5.x Deprecated function replacements file bpsunlock.php: New code using MySQLi instead of MySQL

    .49.1
    * Backup folder path correction on Backup & Restore page
    * WP Filesystem API Method will display the WordPress Filesystem Method in use. For DSO Server troubleshooting additional fields will be displayed if the Script Owner and File Owner ID’s do not match.
    * Custom Code help text changes
    * Custom Code additional error checking
    * htaccess auto-writing additions
    * Additional root htaccess file placeholders/markers added
    * New Dashboard Dismiss Notices: Sucuri 1-click Hardening, Broken Link Checker, phpini handler, Speed Boost Custom Code, Custom Permalinks check
    * Dashboard Alerts are now only displayed to Administrators. Editors, Authors, etc will no longer see Alerts
    * The htaccess Core Edit/Upload/Download tab page has been renamed to htaccess File Editor.
    * The File Upload & Download features have been removed from the new htaccess File Editor page since these features/options are obsolete.
    * Visual Enhancements: AutoMagic font size increased, etc.

    .49
    * Security Vulnerability/Bug Fix/Patch: HTML rendered in Security Log file via Logged Header Fields
    * Special Thanks go to Jacek Sowinski via Secunia SVCRP for discovering this vulnerability.
    * Solution/Fix: Security Log logged Header Fields are now HTML escaped

    .48.9
    * 2 New Login Security Options Added:
    * Error Messages: Choose to display Standard WP Login Error Messages or Generic Error Messages.
    * Password Reset: Enable or Disable Login Password Reset capability. This option also includes additional Stealth Mode capabilities. Please read the Blue Read Me help button on the BPS Login Security page for a full description and additional help information.
    * Login Security Bug Fix/Code Correction: Using the /wp-login.php URL no longer generates an initial login error.
    * New Dismiss Notice – Brute Force Login Protection Code: At some point the Brute Force Login Protection code will be standard in BPS .htaccess files. For now a dismiss notice has been added with a link to the Brute Force Login Protection code.
    * Additional error checking & Overall Code Improvements: Really too many things to list so in general BPS .48.9 is more streamlined, has better/additional error checking and overall code improvements throughout BPS.

    .48.8
    * Code/Help Text Corrections
    * Corrected Help Text typos in Custom Code. Code Correction for the Network/Multisite menus/pluggable.php issue

    .48.7
    * Auto-update now displays ONLY – The BPS Automatic htaccess File Update Completed Successfully!
    * The old Dashboard Alert has caused a lot of confusion so it is now history

    .48.6
    * Custom Code Additions: Custom Code now includes additional Text Areas/Text Boxes for every possible section of code in the Root and wp-admin .htaccess files
    * A jQuery Accordion has been added to Custom Code to ensure that the correct Custom Code Text Areas/Text Boxes are being used, better functionality and visual enhancement.
    * Windows IIS check/dismiss notice. Displays a dismissible alert for folks who have Windows IIS Servers that allow .htaccess rewriting or have ISAPI_Rewrite installed which allows/converts .htaccess rewriting.
    * Reset/Recheck Dismiss Notices added to Security Status page
    * Lots of other improvements

    .48.5
    * Bug fix: Conditional wrap added to /includes/login-security.php

    .48.4
    * Login Security & Monitoring
    * Log All User Account Logins or Log Only User Account Lockouts
    * Logged DB Fields: User ID, Username, Display Name, Email, Role, Login Time, Lockout Expires, IP Address, Hostname, Request URI
    * Email Alerting Options: User Account is locked out, An Administrator Logs in, An Administrator Logs in and when a User Account is locked out, Any User logs in when a User Account is locked out, Do Not Send Email Alerts
    * Login Security Additional Options: Max Login Attempts, Automatic Lockout Time, Manual Lockout Time, Max DB Rows To Show, Turn On/Turn Off
    * Dynamic DB Form: Lock, Unlock, Delete
    * Enhanced Search: Allows you to search all of the Login Security database rows/Fields
    * Stand-alone Unlock Form bpsunlock.php: Unlock User Accounts without having to be logged into the WP Dashboard
    * Please click the Login Security Blue Read Me help button for full descriptions of all features and options.

    .48.3
    * jQuery Code changes for the new jQuery version in WordPress 3.6

    .48.2
    * Bug fix: Turn On/Off Error logging pattern match correction to include all possible scenarios
    * Bug fix: ErrorDocument 401 default added/removed on Turn Error Logging On/Off

    .48.1
    * Security Log – Add/Remove User Agents/Bots to Ignore/Not Log or Allow/Log
    * New htaccess code – ErrorDocument 401 default
    * General Coding Improvements & Enhancements

    .48
    * facebook externalhit_uatext.php script/error log fix
    * 400, 403 and 404 Error Logging templates modified
    * General Coding Improvements & Enhancements

    .47.9
    * Security Logging/ HTTP Error Logging On/Off buttons added
    * Turn Security Logging/HTTP Error Logging On or Off on the Security Log page
    * Russian Translation by EyeFinity
    * General Coding Improvements & Enhancements

    .47.8
    * Security Logging/HTTP Error Logging – Log 400, 403 and 404 Errors
    * Security Logging/HTTP Error Logging Dashboard Alert – log file size
    * IMPORTANT: NEW root .htaccess file code automatically created/modified on upgrade
    * Additional System Info Check Added: cURL Extension
    * General Coding Improvements & Enhancements

    .47.7
    * IMPORTANT UPDATE: .htaccess FILE UPDATE FOR WordPress 3.5
    * 3.5 BUG FIX: visual and text editor display blank boxes
    * Problem: Square Bracket filters are blocking the visual and text editor
    * Solution: Square Brackets are automatically removed from .htaccess files/filters on upgrade to .47.7

    .47.6
    * BPS Master htaccess Folder Deny All .htaccess security protection automated
    * BPS Backup Folder Deny All .htaccess security protection automated
    * Turn On AutoLock/Turn Off AutoLock options/buttons added
    * General Coding Improvements & Enhancements
    * Visual Improvements/Enhancements

    .47.5
    * General Coding Improvements & Enhancements:
    * WordPress 3.5 pre-release coding added
    * Visual Improvements/Enhancements
    * jQuery coding Improvements/Enhancements
    * .htaccess code Additions and Improvements
    * Anti-Comment Spam .htaccess coding added
    * DNS Host Name Check for htaccess file auto-lock
    * Screenshot image files moved to the assets folder to reduce plugin size speedier upgrades

    .47.4
    * Improved and Extended Automatic htaccess File Upgrading
    * No need to reactivate BulletProof Modes when upgrading
    * Automatic updating from .46.9 to the current version of BPS
    * Additional System Info Checks Added:
    * Zend Engine Version, Zend Guard/Optimizer, ionCube Loader, Suhosin, APC, eAccelerator, XCache, Varnish, Memcache and Memcached
    * System Info Checks: check if extensions are installed, loaded, enabled or disabled
    * Additional Memory Limit Checks: WordPress Admin Memory Limit, WordPress Base Memory Limit and PHP Actual Configuration Memory Limit

    .47.3
    * .47.2 Automatic .htaccess file updating on upgrade installation added
    * No need to reactivate BulletProof Modes when upgrading
    * .47.2 New htaccess security filter added automatically during upgrade
    * .47.3 New htaccess security filter added automatically during upgrade
    * .47.3 Deny All protection automatically activated for BPS Master /htaccess folder
    * WP Dashboard Alerts – Root and wp-admin htaccess file checks

    .47.2
    * Automatic .htaccess file updating on upgrade installation
    * No need to reactivate BulletProof Modes when upgrading
    * New htaccess security filter added automatically during upgrade
    * WP Dashboard Alerts – Root and wp-admin htaccess file checks
    * Lithuanian Language Translation by Vincent G from Host1Free.com

    .47.1
    * A very minor coding mistake – A superglobal did not have html entities escaped
    * No reported problems or issues
    * Sincere thanks to SiNA Rabbani for discovering this coding mistake
    * Sincere thanks to Jon and Mark from WordPress.org as well for assistance

    .47
    * View the Whats New page in BPS for the latest changes to BPS
    * No changes have been made to either the Root or wp-admin .htaccess files
    * i18n Language Translation Coding Added
    * Language Translation Tutorial link added to the Whats New page in BPS
    * Coding improvements/enhancements

    .46.9
    * Significant changes to both the Root and wp-admin .htaccess files
    Create new Master .htaccess files with AutoMagic and activate all BulletProof Modes.
    * NEW Custom Code feature added to BPS
    * Coding improvements/enhancements

    .46.8
    * New TimThumb .htaccess code allows internal image requests but Forbids RFI hacking attempts
    * BPS is no longer Forbidding TimThumb thumbnailer scripts by default
    * DNS Name Server check on System Info page
    * Coding improvements/enhancements
    * WP Rating and Download Stats added to BPS
    * CSS nick nacks

    .46.7
    * New jQuery Dialog Read Me Help buttons have been created to replace the old Hover ToolTips
    * WP_CONTENT_DIR replaces ABSPATH path for sites that have moved wp-content to another location
    * .htaccess Return Carriage filter modified
    * .htaccess Slash-Jack filter modified
    * Several new pop up confirm messages have been added throughout BPS for forms that perform critical operations
    * Several new SAPI types have been added to CGI and DSO checking
    * AutoMagic for Network/Multisite sub domain sites is no longer writing the wp-admin forbid coding
    * Link to Sucuri Malware Website Scanner added
    * BPS is Forbidding Thumbnailer Scripts by Default
    * To enable Thumbnailer Scripts see root .htaccess file

    .46.6
    * Cookie filter removed from BPS QUERY STRING EXPLOITS
    * Explicit “exec” and “execute” filter removed from BPS QUERY STRING EXPLOITS
    * non-GPL Javascript Countdown Timer removed
    * BPS is Forbidding Thumbnailer Scripts by Default
    * To enable Thumbnailer Scripts see root .htaccess file

    .46.5
    * Massive amount of new security filters
    * Complete restructuring of how .htaccess Rewriting is processed to work with WP
    * Network/Multisite AutoMagic buttons added
    * Network/Multisite code added for Super Admins – display BPS menus to Super Admins only
    * New System Info information added
    * File permission checking and recommendations for CGI or DSO – SAPI detection
    * File Lock/Unlock buttons – Read Only root .htaccess – CGI/DSO SAPI detection
    * Help info updated
    * Updated Whats New
    * Lots of other stuff

    .46.4
    * Network/Multisite detect with additional help info
    * chmod 0644 added to copy function for default, secure and wp-admin htaccess files
    * Fixed CSS display issues for WP versions 3.2+
    * Replaced PP donate link with BPS Pro Upgrade link
    * Replaced BPS Pro Modules page with BPS Pro Features page
    * Security Status print output instead of var_dump
    * Help info updated
    * Other CSS changes
    * Updated Whats New

    .46.3
    * BPS Security Top Level Menu added
    * Whats New page was added – Read the new Whats New page for details about the latest changes to BPS
    * BPS Master htaccess file changes
    * Maintenance Mode page changes – Form settings saved to the WP DB
    * HUD, W3TC and WPSC – Heads Up Display checks/messages changes/additions
    * wp-admin htaccess file removal added
    * My Notes page was added

    .46.2
    * Additional new .htaccess security coding and modifications added to the BPS master .htaccess files
    * New plugin conflict permanent fixes added to the secure.htaccess Master file
    * BulletProof Security is now fully AutoMagic and still offers full manual control

    .46.1
    * Additional new .htaccess coding and modifications added to the BPS master .htaccess files
    * New plugin conflict permanent fixes added to the secure.htaccess Master file
    * Maintenance Mode is AutoMagic – Completed the Maintenance Mode page …finally
    * Create the Maintenance Mode Under Maintenance page from within the Dashboard
    * Preview your Website Under Maintenance page from within the Dashboard
    * New System Information Displayed – WordPress Installation Folder, WordPress Installation Type and
    * WP Permalink Structure Checks and displayed info
    * Heads Up Display (HUD) created
    * Improved Error and Warning messages
    * Major Core code improvements
    * nick nack core code fixes and improvements
    * New Help and FAQ links – new help pages created on AIT-pro

    .46
    * New File Uploader code written – no longer using Uploadify code
    * New File Downloader code written – no longer using Zubrag code
    * File Uploader is AutoMagic – no setup required
    * File Downloader is one-click – no setup required
    * Major overhaul of the core BPS coding
    * !!! Special Thanks to Jon Cave!!!
    * for finding a CSRF security vulnerability in BPS .45.9
    * that has now been eliminated in BPS .46 with new coding
    * And also excellent coding advice to improve BPS even more
    * and making the entire WordPress Community a safer and better place
    * New permanent plugin conflict fixes added to master .htaccess files

    .45.9
    Security Patch Release

    .45.8
    * Permanent Backup and Restore options added – permanent online backup and restore
    * Permanent Backup and Restore for all .htaccess files
    * Permanent Backup and Restore for File Uploader and File Downloader setup settings
    * Additional new .htaccess coding and modifications added to the BPS master .htaccess files
    * New plugin conflict permanent fixes added to the secure.htaccess Master file
    * WordPress readme.html and /wp-admin/install.php are now protected by BulletProof Security
    * Improved Success/Error messaging – more detailed success/error messages displayed
    * New Help and FAQ links added – New detailed Help and Info pages created

    .45.7
    * Additional .htaccess coding filters added to the BPS master .htaccess files
    * File Editor added – Edit the BPS .htaccess files from within the WP Dashboard
    * File Uploader added – Upload files from within the WP Dashboard
    * File Downloader added – Download files from within the WP Dashboard
    * Deny All BulletProof Security Modes added for the /htaccess folder and /backup folder
    * Nick Nacks, etc.

    .45.6
    * New SQL Injection hacking method blocked – New code added to master .htaccess files
    * This update protects against this latest new SQL Injection hacking method
    * Installing BPS does not activate the new BPS .45.6 .htaccess files
    * After installation please activate the BPS .45.6 BulletProof modes
    * Please download your current htaccess files first before activating BPS .45.6 Security Modes

    .45.5
    * SVN DB problem for BPS was fixed by some awesome person at WP!
    * WP ROCKS!!! BPS .45.5 will install successfully now. 😉
    * Bug fixes: W3 Total Cache, Simple Facebook Connect, Ozh’ Admin Drop Down Menu, ComicPress
    * Permanent coding fixes incorporated into master htaccess files to replace workarounds
    * Additional mission critical PHP Info checks added
    * Php.ini and php5.ini files are now protected by BulletProof Security
    * Updated BPS help files – AITpro.com site help files pending
    * nick nacks here and there

    .45.4
    * Bug fixes: W3 Total Cache, Simple Facebook Connect, Ozh’ Admin Drop Down Menu, ComicPress
    * Permanent coding fixes incorporated into master htaccess files to replace workarounds
    * Additional mission critical PHP Info checks added
    * Php.ini and php5.ini files are now protected by BulletProof Security
    * Updated BPS help files – AITpro.com site help files pending

    .45.3
    * More Query String Exploit Filters added to BPS Master .htaccess files
    * Options -Indexes added to BPS Master .htaccess files at user requests
    * Added IP address display to maintenance mode javascript countdown timer display
    * No need to click Update Permalinks anymore for Maintenance Mode – RewriteRule override added

    .45.2
    * New Apache Directives for PHP5 added to the .htaccess master files
    * Maintenance mode master .htaccess code modified – RewriteCond to load new background png
    * Maintenance Mode log in/log out issue fixed – Log in/out of your Dashboard in Maintenance Mode
    * Website Under Maintenance coding modifications and visual design enhancements
    * Background Graphic for Website Under Maintenance page created and added in the installation
    * Minor cosmetic nicks nacks fixed here and there
    * Help files and hover tool tips help info updated
    * Tested on WordPress 3.1-alpha – no issues or problems

    .45.1
    * Bug fix for version check of BPS .htaccess master file
    * Bug fix for wp-config.php check based on BPS .htaccess version
    * Fix – BPS plugin uninstall issue fixed
    * Fix – BPS Widget configuration issue fixed
    * Completely recoded with WordPress 3.0 coding enhancements and improvements
    * Completely new sophisticated visual design and look
    * jQuery UI Tabbed Menu with CSS Hover Menu Buttons – see screenshot
    * New Messaging Display System added
    * .htaccess code added to master files to .htaccess protect wp-config.php
    * WordPress DB error on/off checking and verification status display
    * WordPress version is not displayed – remove_action('wp_head', 'wp_generator');
    * WP generator meta tag removed – remove_action('wp_head', 'wp_generator');
    * Administrator username “admin” check
    * System information page displays PHP, MySQL, Server Info, etc. – see screenshot
    * Security Status page added – see screenshot
    * Help & FAQ page added
    * BPS Pro Modules page added – BPS Pro Modules are installed separately
    * New BPS .45.1 Guide created @ AIT-pro.com

    .45
    * Completely recoded with WordPress 3.0 coding enhancements and improvements
    * Completely new sophisticated visual design and look
    * jQuery UI Tabbed Menu with CSS Hover Menu Buttons – see screenshot
    * New Messaging Display System added
    * .htaccess code added to master files to .htaccess protect wp-config.php
    * WordPress DB error on/off checking and verification status display
    * WordPress version is not displayed – remove_action('wp_head', 'wp_generator');
    * WP generator meta tag removed – remove_action('wp_head', 'wp_generator');
    * Administrator username “admin” check
    * System information page displays PHP, MySQL, Server Info, etc. – see screenshot
    * Security Status page added – see screenshot
    * Help & FAQ page added
    * BPS Pro Modules page added – BPS Pro Modules are installed separately
    * New BPS .45.1 Guide created @ AIT-pro.com

    .44.1
    * If you are upgrading from .44 to .44.1 download the /htaccess folder first
    * before upgrading and upload it back to the BulletProof plugin folder
    * after you have upgraded to .44.1.
    * Added Backup form function – backs up users original existing htaccess files
    * Added Restore form function – restores users original existing htaccess files
    * Backup folder added for backed up original htaccess files
    * Removed links from all ToolTips except for the top Read Me! hover ToolTip

    .44
    * First version release of BulletProof Security
    * Extensive Read Me! help hover ToolTips added to the BulletProof plugin page
    * Visual and coding Enhancements made to the BulletProof Maintenance page
    * Function check_perm redeclare conflict fixed

    #25737

    Cristian Balan
    Participant

    Is the

    Removal: Defunct/obsolete Block Referer Spammers Bonus Custom Code Dismiss Notice removed.

    about to http://forum.ait-pro.com/forums/topic/block-referer-spammers-semalt-kambasoft-ranksonic-buttons-for-website/ ?

    #25738

    AITpro Admin
    Keymaster

    Yes.  We are no longer displaying a Bonus Custom Code Dismiss Notice for that.  Why?  When we originally created that Referer Spammer code it blocked about 90% of Referer Spammers.  Now/currently 80% of all Referer Spammers are sending fake tracking calls directly to your Google Analytics Tracking ID (This is a completely random and automated thing).  So since the Referer Spammer domain is not actually visiting your website then the Referer Spammer Bonus Custom Code cannot do anything to stop those Referer Spammers since they are not actually visiting your website.  That leaves you with filtering out Referer Spam domains/hostnames in Google Analytics Metrics.

    #34198

    Jeff Rivett
    Participant

    There’s no entry for BPS 2.7 yet. When are we likely to see that?

    #34199

    AITpro Admin
    Keymaster

    @ Jeff Rivett – Thanks for letting me know that.  The 2.7 changelog info has been added.
