This topic has 7 replies, 4 voices, and was last updated 1 year, 11 months ago by AITpro Admin.
AITpro Admin (Keymaster)
6.9
Procedural Change: Changed the DB creation code to be compatible with some web hosts which could not process the BPS DB creation code.
PHP Error Fix: Multisite: Undefined variable $check_string_values in general-functions.php on line 349.
6.8
BugFix: Setup Wizard AutoFix: W3TC autofix code missing the root htaccess file unlock code after the last modification of the W3TC Setup Wizard AutoFix code.
6.7
Security Fix: MScan: Added nonce and capabilities protection to MScan AJAX functions. Prevents anyone except for Administrators from being able to run a scan.
Typo Fix: MScan help text typo correction.
6.6
BPS Pro Sale: BPS Pro 25% Off Sale September 26 – October 6
One-time Purchase Price: $52.50. No Recurring Yearly Costs Or Subscriptions. Unlimited installations. Free Upgrades For Life. Free Technical Support For Life.
6.5
Procedural Change: MScan Tmp File Scanning: mysql.sock, .s.PGSQL.5432 and .per-user tmp files are now excluded from being scanned by default and excluded from being deleted by default. Dev Note: Scanning these files can generate nuisance php errors.
Procedural Fix: Changed a few incorrect instances of wp_is_writable to PHP is_readable.
6.4
New Option: Alerts|Logs|Email Options: HPF: Hidden Plugin Folders|Files (HPF) Cron option allows you to choose whether or not you want HPF email alerts sent to you. The HPF email alert now contains a link to the BPS Alerts|Logs|Email Options page.
6.3
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rules added for the Gmail SMTP, WP Mail SMTP, Bit Integrations, Post SMTP Mailer, Piotnetforms and Product Feed Manager for WooCommerce (free & Pro) plugins.
Procedural Change: MScan: tmp folder scanning generates a php error if the /tmp folder is not readable. Changed wp_is_writable() to is_readable() and added directory Owner condition. Dev Note: PHP Warning: scandir(/tmp): failed to open dir: Permission denied in www/wp-content/plugins/bulletproof-security/includes/mscan-ajax-functions.php on line 1927.
Procedural Update: Setup Wizard: Additional help information added to the “Error: The wpadmin-secure.htaccess wp-admin Master htaccess file and wp-admin .htaccess file cannot be created” error message. Dev Note: The new help info contains a solution for Managed WordPress Hosting.
Procedural Update: Alerts|Logs|Email Options: Pre-save the email to and from DB options in the Setup Wizard with the default admin email address. Dev Note: HPF email alerts were not being sent due to not pre-saving the email to and from DB options.
Procedural Update: Setup Wizard Options: Go Daddy Managed WordPress Hosting option: New condition created to prevent the BPS MU Tools plugin from being created for Managed Hosting account types. Dev Note: Prevents this php warning error from occurring: copy(/var/www/wp-content/mu-plugins/bps-mu-tools.php): failed to open stream: Permission denied in /var/www/wp-content/plugins/bulletproof-security/admin/includes/admin.php on line 377
Procedural Update: Hidden Plugin Folders|Files Cron (HPF): Additional conditions added to prevent and catch php errors when a plugin file or directory is not readable. Dev Note: Prevents PHP Fatal error: Uncaught UnexpectedValueException: RecursiveDirectoryIterator.
BugFix: Hidden Plugin Folders|Files Cron (HPF): HPF Dashboard alert not displayed in some scenarios.
PHP Error Fix: file_get_contents(): Passing null to parameter #2 ($use_include_path) of type bool is deprecated in 403.php on line 99.
6.2
BugFix: MScan: PHP Warning error: in_array() expects parameter 2 to be array, null given in mscan.php on line 1765 displayed under the View|Ignore|Delete Suspicious Files accordion tab Form. Dev Note: In PHP 8.1.1 the php error was a Fatal Error.
Procedural Update: Login Security|JTC: Condition added to Login Security & JTC Anti-Spam|Anti-Hacker code to disable these features on Tutor LMS Forms due to a known issue with how Tutor LMS uses the WP Login login_form Action. All standard WP Forms will still be protected by Login Security & JTC.
6.1
Procedural Change: JTC-Lite: Login Form: CAPTCHA Error message option is now a BPS Pro only feature. Dev Note: This option setting will now only display the default CAPTCHA error message in BPS free: ERROR: Incorrect CAPTCHA Entered.
6.0
Procedural Update: MScan: Safety precaution filter added for these WP Core root files: wp-config.php, wp-settings.php, wp-load.php, wp-login.php, wp-blog-header.php and index.php. These critical WP Core root files can no longer be deleted using the “View|Ignore|Delete Suspicious Files” Form.
Procedural Update: HUD Script|File Owner User ID Mismatch Notice: This Dismiss Notice now displays the Folder|File and UID mismatch to make troubleshooting simpler.
Procedural Fix: jQuery Dialog links and buttons no longer display a blue outline on Dialog window load.
Removal: Setup Wizard AutoSetup: The WP Super Cache plugin has been removed from the Setup Wizard AutoSetup feature. WPSC AutoSetup is no longer necessary for the WPSC plugin. Dev Note: The default caching option settings in WPSC no longer create htaccess code. If you choose the WPSC Advanced > Expert option setting then use these manual setup steps to add WPSC htaccess code in BPS Root Custom Code: Copy the WPSC Mod Rewrite Rules htaccess code into this BPS Root Custom Code text box: 1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE, click the save Root Custom Code button and activate Root Folder BulletProof Mode.
5.9
New Feature: JTC-Lite: A color picker has been added to change the text color for the JTC Title|Text option text and for a new added option: JTC Title|Text After. New options have also been added to make the JTC Title|Text bold. This allows someone to match WooCommerce Form text or customize their JTC Title|Text any way they would like. Dev Note: The color pickers for the JTC Title|Text and JTC Title|Text After text options are independent of each other to allow different text colors for each text option. Examples: Hover or click the text box below *, Hover or click the text box below Required *, Hover or click the text box below *.
Procedural Update: MScan: Fixed several known false positive File Hash mismatch issues. Dev Notes: WP Default Themes create these files after theme installation: .stylelintignore, .stylelintrc-css.json and .stylelintrc.json. These files are now whitelisted. index.php files with
define('WP_USE_THEMES', true);
code in the file were falsely detected as a WP Core file and scanned using file hash comparison scanning. These index.php files are now unset from the file hash comparison array and scanned using pattern matching.
Procedural Update: MScan: File Hash Maker Completed and Scan Completed status window visual improvements.
BugFix: DB Backup: The new JavaScript filter added in BPS 5.8 prevented the Rename|Create|Reset Tool from resetting/updating the DB Backup Folder Location and DB Backup File Download Link|URL text boxes/DB option settings. Dev Note: Running the Setup Wizard works as an alternative method of resetting these DB Backup DB options.
5.8
MScan Significant Improvements: Many changes were made to stabilize scanning for scenarios which previously caused scanning to hang or loop. MScan now performs very consistently in every server environment and also when known problems exist. When WP Core, Plugin or Theme zip files need to be downloaded, extracted and file hashes created, the MScan Status display window will display: File Hash Maker Time Remaining: 00:00:00 : Downloading and extracting zip files. After the file hash maker has completed the total number of WP Core, Plugin or Theme file zip downloads will be displayed. When the File Hash Maker is processing zip files, file scanning is aborted. This will prevent the previous problem where false positive file hash mismatches were detected due to file scanning occurring simultaneously with zip processing within the same initial scan. File scanning no longer occurs while zip files are being processed. After the File Hash Maker has finished processing zip files the next new scan will scan files.
MScan CR LF vs LF Issue: MScan now automatically fixes the known problem with WP Default Themes Windows CR LF vs Linux LF formatting issue. WP Default Themes bundled into the WP Core zip files (5.9, etc.) have Linux LF formatting. WP Default Themes in the WP Themes Repository have Windows CR LF formatting. This issue creates false positive file hash mismatch scan results. All WP Default Themes are now automatically converted to Linux LF format during the MScan file hash making process.
MScan Additional Functionality: The host server’s /tmp folder is now scanned by MScan if the /tmp folder is readable.
MScan Dev Notes: When using the Plugin or Theme zip uploader forms the File Hash Maker popup status will display 0 for plugins or themes. This is normal and does not cause any problems. New FailSafe error checking has been added for zip download problems. Zip file Request timeouts or Request delays and folder permissions or Ownership problems.
New Dismiss Notice: MScan Significant Improvements Notice.
Dismiss Notice Removal: MScan Rebuild Notice.
Procedural Update: MScan: Additional checks added to the MScan in-page error checks for whether the Query Monitor plugin is activated and WP_DEBUG is in use. Dev Note: The Query Monitor plugin and WP_DEBUG cause problems for the MScan scanning process. Debugging should only be done when you are actually performing debugging. Debugging should not be left on permanently.
Security Fixes: Low threat level: All reported low threat level security fixes that were fixed required WordPress Administrator capabilities/privileges and that an Administrator was logged into the WP Dashboard (wp-admin) in order to successfully execute the threats (PoC): Escaped echoed output for: htaccess File Editor textareas, JTC-Lite text boxes and DB Backup text boxes. Additional sanitization added as needed. Dev Note: Thorough analysis and testing has been performed on all BPS code. Any code that needed updating has been updated/escaped/sanitized and additional validation and error checking added as needed. One additional low threat level security issue was found and fixed. Credit to: Mika and WPScan for reporting the low threat level security issues in BPS.
Procedural Update: Setup Wizard: Setup Wizard hangs and displays this js popup “changes you made may not be saved”. This was caused by accessing the W3TC plugin option settings page to retrieve W3TC plugin option settings in order to AutoSetup W3TC htaccess code with BPS htaccess code. This method has been changed and AutoSetup will successfully setup W3TC htaccess code in the root htaccess file and BPS Custom Code.
Addition: System Info: MySQL Database Info: DB max_allowed_packet. This check is useful if this php error occurs when running MScan: WordPress database error Got a packet bigger than max_allowed_packet bytes for query. This php error will most likely only occur on XAMPP, MAMP, WAMP and LAMP Local Dev servers and not hosted servers.
Procedural Update: BPS MU Tools plugin: Reduced the Description text so that the GET links in the left column display correctly.
PHP Error Fix: PHP Warning: gethostbyaddr(): Address is not in a.b.c.d form fixed.
5.7
PHP Error Fixes: Various php errors fixed.
Procedural Update: PHP 8.1.1 procedural changes. Dev Note: Some procedural changes are pending changes in WP 6.0 for PHP 8.1.x deprecated features.
Procedural Update: WP 5.9 procedural changes.
CSS Fix: Custom Code: CSS Responsive fixes for viewport sizes.
5.6
Procedural Update: System Info: OPcache info check changed. Previous checking conditions were problematic. Dev Note: Displays either OPcache: Zend OPcache x.x.x is Enabled or OPcache: OPcache is Not Enabled or OPcache: opcache_get_status and/or opcache_get_configuration functions are disabled or OPcache: opcache.restrict_api directive is in use.
Additions: System Info: MySQL Database Info: DB Storage Engine, DB Hostname (Local), DB Hostname (Server), DB Hostname IP (Server), DB Port and DB Connect Timeout.
BugFix: Maintenance Mode: Network|Multisite GWIOD site type: site root index file path correction.
BugFix: Maintenance Mode: Network|Multisite only: Maintenance menu and page not accessible for Subsites due to the GDMW option setting not being saved in Subsite DB options. The Setup Wizard now automatically saves the GDMW option setting for Subsites. An additional independent Form has also been created on the Setup Wizard Options page > Network|Multisite Sitewide GDMW Settings > Save MU GDMW Options Sitewide.
PHP Error Fix: Maintenance Mode: Network|Multisite only: Trying to access array offset on value of type bool error fix.
Text Corrections: 20 text corrections for > Email|Log Settings to Alerts|Logs|Email Options, 7 text corrections for > UI|UX Settings to UI|UX Options, 3 text corrections for > htaccess Core to htaccess File Options and 4 text corrections for > MScan 2.0 to MScan.
5.5
UI|UX Redesign: Simplify overall design: Remove unnecessary page help text (visual clutter), add question mark hover tooltips in place of page help text, remove unnecessary redundant page text, remove unnecessary borders, remove unnecessary table cells, remove star rating images and links, increase whitespace, replace Read Me help buttons with Question Mark buttons, fix any/all old/pending CSS issues, menu name changes: htaccess Core => htaccess File Options, Email|Log Settings => Alerts|Logs|Email Options, UI|UX Settings => UI|UX Options. Reset|Recheck Dismiss Notices option setting has been moved from the Custom Code page to the Alerts|Logs|Email Options page. Note: You may need to clear your Browser cache to clear any old cached CSS or image files.
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rules added for the Constant Contact Forms and Constant Contact + WooCommerce plugins.
Update: BPS Plugin Logo: Increased the size of the staggered letters. Minor color adjustments to the logo background.
Update: Maintenance Mode: The Preview feature was being blocked by Browsers built-in popup blocker. Added wp_safe_redirect() fallback.
Update: Disable the Rank Math plugin htaccess file editor using the Rank Math filter for disabling htaccess file editing. Disabling the Rank Math htaccess editor prevents ModSecurity 403 errors when trying to save Rank Math option settings. The BPS htaccess File Editor has an encryption feature to bypass/evade ModSecurity so that ModSecurity will not block saving htaccess file/code edits.
Update: Remove any round brackets from require and include code throughout BPS code. Remove any old @ symbols (php error suppression) throughout BPS code. Dev Note: All BPS code is 100% code correct to PHP 8.0.12 standards.
BugFix: Reload BPS Pro Status Display button: Button was loading behind the BPS logo on certain form submits. Dev Note: clear div added to clear float in js code.
PHP Error Fix: Login Security: Attempt to read property “ID” on bool.
PHP Error Fix: ISL: Trying to access array offset on value of type bool.
Addition: System Info: Database Info: Add/Display Table Prefix, Database charset and Database collation.
Removal: wp-content htaccess file HUD Dismiss Notice: BPS now automatically creates a whitelist rule for the BPS plugin folder in wp-content htaccess files created by other WP security plugins. Dev Note: A new option may be created in BPS in the future to allow folks to whitelist other plugins and themes that are broken by wp-content htaccess files created by other WP security plugins.
5.4
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rules added for the Bloom Email Opt-in and Convert Pro plugins.
New Dismiss Notice: Script|File Owner User ID Mismatch Notice: Checks if any folders or files have different Owner UID’s and displays a dismissible notice.
Update: Updated BPS plugin logo added to BPS plugin pages.
Update: HUD AutoFix Caching Plugins Alerts: Condition added for nginx to not display the HUD AutoFix Caching Plugins Alerts if the server type is nginx.
Update: MScan Report: If an error occurs display red font text for the value of: Total Files Scanned. If plugin or theme hash files were being created and a scan was not performed display blue font text for the value of: Total Files Scanned.
Update: System Info: File|Folder Permissions & Script|File Owner User ID: 2 new folders added: plugin-hashes, theme-hashes. 2 files removed: index.php, wp-blog-header.php.
Update: MScan: FireFox Browser check added. Displays an inpage warning. FireFox has a security measure that prevents the MScan scan progress popup window from working correctly, which in turn breaks MScan scanning. All other Browsers work fine.
PHP Error Fix: Login Security: WordPress database error Column ‘role’ cannot be null. PHP error occurs in BuddyPress if a new user tries to login before activating their new user account. Note: This php error may also have occurred on Multisite.
PHP Error Fix: Undefined variable $check_string php error for real-time IP address updated htaccess files: MScan, LSM, Custom Code, MMode & Setup Wizard.
PHP Error Fix: BPS MU Tools: Trying to access array offset on value of type bool in bps-mu-tools.php.
PHP Error Fix: MScan: PHP errors occur on a first time scan when plugin and theme files are being downloaded, extracted and hash files created.
PHP Error Fix: Encrypt/Decrypt htaccess code feature: Uncaught Error: abs(): Argument #1 ($num) must be of type int|float, string given php error has been fixed. Affected PHP versions: 8.0.10, 8.0.11.
PHP Error Fix: Multisite: Warning Trying to access array offset on value of type bool general-functions.php:959.
PHP Error Fix: HPF: Warning Undefined array key “Hidden-Plugins-Ignore-Submit” hidden-plugin-folders-cron.php:310.
5.3
PHP 8.0.10 Testing: BPS has been tested up to PHP 8.0.10. No issues or problems found.
Update: Log file automation: Zipped log files now use a timestamp naming convention – log-zip-file-name-timestamp.zip. The log files in the zip file are also named using the same naming convention.
BugFix: Setup Wizard Options: Enable|Disable htaccess Files option automatically enabled (if disabled) due to a bug in the Apache Module checking conditions.
Help Text Addition: htaccess Files Disabled Notice: “The Setup Wizard needs to be run again after disabling or enabling htaccess files.” help text added.
Procedural Update: Add new $wpdb collate variable to all dbDelta functions.
Procedural Fix: Create default WP root .htaccess file for Multisite on BPS plugin uninstallation.
Procedural Update: SiteGround Security plugin added to the wp-content .htaccess file check Dismiss Notice.
PHP Error Fix: Login Security & Monitoring: Undefined array key and Undefined variable php errors fixed.
PHP Error Fix: Setup Wizard Options: Enable|Disable htaccess Files: PHP Errors fixed when disabling and enabling htaccess files.
PHP Error Fix: MScan: foreach() argument must be of type array|object, null given. Plugin hash version check and Theme hash version check DB options. Check if is_array() and is_null() before processing foreach().
PHP Error Fix: System Info: mb_stripos(): Empty delimiter in system-info.php on line 440.
5.2
New Feature: Email|Log Settings: Send email alerts when new Plugin or Theme updates are available. Options: 1 Hour, 12 Hours or 1 Day. Do not send email alerts (default setting), Send Email Alerts for All Plugins, Send Email Alerts for Active Plugins Only, Send Email Alerts for All Themes and Send Email Alerts for Active Theme Only. Location: BPS Security > Email|Log Settings.
Reload BPS Status Display: Changed from PHP to JavaScript. Clicking the Reload BPS Status Display button reloads the fragment/named anchor tab page instead of loading the main tab page in BPS plugin pages.
BugFix: Log File Zip & Email: Switch break conditions fixed.
TypoFix: 2 help text typos fixed.
MScan Log|DB Monitor Log: Logging fields changed: Full path to files has been changed to relative paths to files. DB Table Prefix removed from logging field: Table Name. Reason: htaccess files are not processed on nginx server types, which would leave the MScan and DB Monitor Logs unprotected by the /bps-backup/.htaccess file.
DB Backup Log: Logging fields removed: Zip Backup File Name, DB Backup Folder Location and DB Backup File Download Link|URL. DB Table Prefix removed from logging field: Table Name. Reason: htaccess files are not processed on nginx server types, which would leave the DB Backup Log unprotected by the /bps-backup/.htaccess file. The DB Backup Log is deleted on BPS upgrade if the log file contains the file paths to DB Backup zip files and replaced with a new blank DB Backup Log file.
DB Backup: PHP error fixed: Undefined variable $mailed.
wp-admin .htaccess Change: The wp-admin/widgets.php file is whitelisted by default in the wp-admin .htaccess file. Resolves issues with the new Widgets Block Editor in WP 5.8.
Setup Wizard: SAPI conditional check added for DSO server types to not display the Root htaccess file lock recommendation text.
System Info: PHP error fix: opcache_get_configuration() has been disabled for security reasons.
System Info: PHP error fix: Zend OPcache API is restricted by “restrict_api”.
System Info: Zend OPcache conditional corrections.
5.1
Setup Wizard AutoSetup|HUD AutoFix Setup: WP Fastest Cache changes due to WPFC code changes. WPFC plugin option settings can no longer be used to check if WPFC Browser caching is enabled. Causes PHP Fatal errors in Setup Wizard AutoSetup and HUD AutoFix Setup. Fixed: Setup Wizard AutoSetup and HUD AutoFix Setup no longer check any WPFC option settings.
5.0
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rule added for the Business Directory plugin.
System Info: New checks added for the WordPress get_home_path() URL, Server Port and Server Protocol. Useful for troubleshooting and support.
Procedural Fix: MScan: Delete /tmp files nick nack php error fixed.
4.9
Procedural Change: MScan: New scan status display using a popup Browser window vs the previous problematic iframe method.
4.8
MScan Rebuild: MScan 2.0: MScan 2.0 now uses file hash comparisons for all WP files (WP Core, Plugins and Themes). File hash comparisons are 100% accurate, which means no false positives will occur for any WP files. All other non-WP files are scanned using standard conventional pattern matching. Now that WP Files are all scanned with file hash comparisons this allowed increasing the detection sensitivity for pattern matching scanning. Additional pattern matching rules have been added to MScan 2.0.
4.7
BugFix: Apache Modules check incorrectly determining that htaccess files cannot be used.
4.6
Procedural Change: MScan: The MScan Pattern matching code is now automatically saved to the DB on BPS upgrades and new installations. Previously the MScan pattern matching code was saved to a file in the /bps-backup/ folder. Some web hosts scanners flagged the MScan pattern matching code as malicious.
MScan Rebuild Status: The MScan rebuild is 80% completed. Due to higher priority tasks (PHP 8 compliance|WP 5.7 procedural updates) taking precedence the finalization of the MScan rebuild has been pushed back to BPS Pro 15.4/BPS 4.7.
Procedural Update: PHP 8.0.2 compliance: Fixed any issues with BPS in PHP 8.0.2.
New Feature: Force Strong Passwords (FSP): Set password requirements for strong passwords. FSP works on standard single WordPress site types, Network|Multisite site types and BuddyPress. WooCommerce already has strong password requirements by default. The FSP option settings do not affect WooCommerce Forms. Notes: FSP option settings are pre-saved with default settings on BPS plugin upgrade and in the Setup Wizard. FSP is Turned Off by default. Select FSP On to turn FSP On.
New Option: Setup Wizard Options: Network|Multisite Sitewide Force Strong Passwords Settings. Create/update FSP option settings on all Network|Multisite subsites. Note: FSP option settings are also created/updated when running the Setup Wizard.
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rule added for the Link Whisper and Link Whisper Premium plugins.
Procedural Update: System Info: Added Themes to the Get Plugins List form. Form is now named Get Plugins|Themes List.
Procedural Change: System Info: Removed green and red font text colors from the PHP Server|PHP.ini Info section.
Procedural Update: IPv4/IPv6 translation IP address matching condition added for use in the self-protection htaccess files that are updated in real-time in BPS plugin folders.
Procedural Fix: jQuery Dialog Read Me help buttons: Remove the additional “Close” text displayed below the X button.
BugFix: BPS Status Display: MScan hover tooltip PHP Notice error fixed.
4.5
Procedural Update: Apache Modules|Directives tests: New condition added for mod_access_compat tests. All htaccess testing code is now wrapped in IfModule conditional code. The View Visual Test link and page has been removed from the BPS System Info page.
Setup Wizard: Network|Multisite Sitewide Login Security Settings and Network|Multisite Sitewide JTC-Lite Settings option settings are now included and processed in the Setup Wizard. These option settings will still remain as individual option settings on the Setup Wizard Options page.
Setup Wizard: WP_DEBUG check message: Additional message text added: Turn Off WordPress Debugging before running the Setup Wizard.
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rule added for the Restrict Content Pro plugin.
Procedural Update: Added the new WP 5.6 htaccess RewriteRule:
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
to BPS htaccess code writing functions. Dev Note: Sets the HTTP Authorization header variable for cases where the WP REST API encounters a problem with REST Authentication headers not being accepted.
Procedural Fix: Condition added to the BPS admin_notices Master function to prevent BPS admin_notices from displaying on the Web Stories plugin pages.
Custom Code: Link added for the BPS HTTPS/SSL Rewrite htaccess code above Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START.
Procedural Fix: Filter WP Site Health site_status_tests for only BPS Cron jobs that display “A scheduled event is late” error message and remove (unset) only the BPS Cron test result.
System Info: Removed recommended permissions for /tmp folder.
BugFix: Get the client IP address for HTTP_X_FORWARDED_FOR for use in the self-protection htaccess files that are updated in real-time in BPS plugin folders.
BugFix: htaccess File Editor: Additional htaccess files disabled condition added for the htaccess File Editor root htaccess file permissions check.
4.4
New Option: MScan: Exclude /tmp Files: Allows you to exclude tmp files by file name from being deleted by MScan. Usage: Some web hosts store files such as, mysql.sock, .s.PGSQL.5432 and .per-user in the /tmp folder. These files cannot be deleted by MScan, but attempting to delete these files will generate php errors. To prevent php errors from occurring you would exclude files such as these using the MScan Exclude /tmp files option setting.
New Addition: Setup Wizard AutoSetup: LiteSpeed Cache caching plugin added to the Setup Wizard AutoSetup feature. LiteSpeed Cache htaccess code is now automatically setup by the Setup Wizard.
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rule added for the Nextend Social Login plugin.
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rule added for the WP Reset and WP Reset Pro plugins.
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rule added for the Jetpack plugin SSO feature.
BugFix: WP Rocket AutoFix: Change WP Rocket Marker for the skip/bypass rule so that it is not detected by the HUD AutoFix function.
BugFix: HUD AutoFix: PHP fatal error caused for the Beaver Builder plugin/theme AutoFix check due to a coding mistake.
Procedural Change: Email Alerts: URL’s/links in BPS email alerts have been changed from site root URL’s/links to direct links to BPS pages. Dev Note: WordPress handles the redirect_to automatically if someone is not already logged into their website.
Procedural Change: PHP Configuration Memory Limit: Parsing phpinfo() to get the PHP memory_limit Local Value instead of using get_cfg_var(‘memory_limit’) to get the PHP memory_limit value. Dev Note: If the phpinfo() function has been disabled on a host server the return value is error text.
Procedural Update: RESS: New WP scripts whitelisted in the RESS function.
Procedural Update: Setup Wizard: BPS plugin upgrade function is processed in the Setup Wizard in cases where htaccess files have been disabled.
Procedural Update: Setup Wizard: Updated the htaccess Files Disabled Notice with additional help text.
CSS Fix: All BPS Core pages: Force scrollbar to display on BPS plugin pages. Dev Note: Resolves a problem with WP Nav menus not being visible/accessible on BPS plugin jQuery UI Tab pages where the content of the BPS page is not displayed at 100% page height.
4.3
New Feature: Setup Wizard Export|Import: This new feature exports and imports all BPS Pro plugin option settings. Usage: All BPS Pro plugin option settings can be exported from a website and imported into a new website. Location: BPS Pro > Setup menu > Setup Wizard page > Setup Wizard Export|Import tab page.
BPS Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Notice: Additional help text and link to the BPS UI|UX|AutoFix Debug tool added in the BPS AutoFix Notice.
Procedural Change: Setup Wizard Options: Pre-save DB option settings during BPS upgrades and new installations to avoid PHP 7.4.9 Notice errors.
Procedural Change: UI|UX Settings: Pre-save DB option settings during BPS Pro upgrades and new installations to avoid PHP 7.4.9 Notice errors.
Procedural Change: Setup Wizard: PHP Configuration Memory Limit help text recommendation update.
Procedural Change: Setup Wizard: Root htaccess file recommendation to lock the Root htaccess file if it is not currently locked and to Turn On AutoLock.
Procedural Change: BPS Upgrade function: DB option check changed to isset().
Procedural Change: BPS GDPR Compliance Notice: Display the GDPR Compliance Notice after the Setup Wizard has been run on first time installations of BPS.
Procedural Change: Logging/Error pages: Added an additional line of text: “BPS Plugin [400, 403, 405, 410] Error Page” and “BPS Plugin Idle Session Logout Page” on all BPS Logging/Error pages. If a website visitor ends up on any BPS Error pages they will see that the Error page is created by the BPS Plugin. Logging/Error pages affected: 400.php, 403.php, 405.php, 410.php and isl-logout.php.
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rule added for the Beaver Builder|Ultimate Addons Contact Form plugin.
Procedural Update: System Info: Read Me help text updated. File permissions recommendation updated.
Procedural Fix: Removed the SGML comment delimiters for JTC-Lite to prevent the Clearfy plugin from stripping out JTC CSS code on the Login page, which caused the JTC Tooltip to display incorrectly.
Removal: BPS Plugin Automatic Update Notice: WP Core now handles all plugin automatic updates.
CSS Fix: Custom Code: Delete button relative position CSS fix.
Procedural Fix: PHP 7.4.9 PHP Notice array offset php errors fixed.
4.2
BPS MU Tools Must-Use Plugin: WP Automatic Update options/filters have been created in the BPS MU Tools Must-Use plugin. The BPS MU Tools Must-Use plugin is located on the WordPress Plugins page > click the Must-Use link at the top of the WordPress Plugins page. There are 6 available WP Automatic Update options/filters: Disable all Updates: On|Off, Disable all Core Updates: On|Off, Enable all Core Updates: On|Off, Enable Development Updates: On|Off, Enable Minor Updates: On|Off and Enable Major Updates: On|Off. For additional help information see the WordPress Automatic Update Help Forum Topic.
BPS MU Tools Must-Use Plugin: Removed the Enable|Disable BPS Plugin AutoUpdates option/link since WP now has Plugin auto-updates. Removed the Enable|Disable BPS Folder|Deactivation Checks option/link.
New Dismiss Notice: The “BPS wp-config.php file WP Automatic Update constants detected” Dismiss Notice checks if WP Automatic Update constants exist in the wp-config.php file if BPS MU Tools WP Automatic Update options/filters are enabled.
MScan: Disclaimer help text added directly on the top of the MScan Scanner page.
Register|Enqueue scripts and styles & SLF: Whitelist the Query Monitor plugin js and CSS scripts/styles in BPS plugin pages.
BugFix: PHP Notice errors fixed.
BugFix: Script|Style Loader Filter (SLF) In BPS Plugin Pages Form: Missing a hidden input value for the bps_slf_filter_new option. Added a hidden input value for the bps_slf_filter_new option.
Procedural Fix: GDPR and ISL options pre-installation checking conditions added instead of using suppression.
Procedural Change: System Info and Setup Wizard: Changed PHP Configuration Memory Limit recommendation help text.
4.1
Procedural Fix: Various PHP Notice errors fixed.
Procedural Fix: Fixed 2 php errors that occur on manual file/folder copy BPS installations prior to running the Setup Wizard.
BugFix: DB Backup: Condition modification to quote all PayPal numeric transaction codes. Some PayPal transaction codes are interpreted as exponential or scientific notation.
CSS fixes: Last Modified Time in File timestamp CSS fix. Pages affected: MScan Log.
4.0
BugFix: Network|Multisite: JTC Anti-Spam|Anti-Hacker CAPTCHA Error displayed when adding a new user on the Network Admin Screen > Users > Add New User page and Individual Sites > Users > Add New User page.
BugFix: HUD PHP/php.ini handler htaccess code check: File contents displaying outside of pre tags. Added CSS overflow and white-space properties to pre tag style.
3.9
BugFix: Root Custom Code: Request Methods Filtered custom code was being removed during BPS upgrades due to an invalid condition.
Removal: ModSecurity Dismiss Notice: This Dismiss Notice has been removed since it causes unnecessary confusion. BPS now includes Encryption and Decryption options to fix problems caused by ModSecurity. So there is no longer any need to display a warning message that ModSecurity is installed on the Host server.
Removal: Bonus Custom Code Dismiss Notice: This Dismiss Notice has been removed since it causes unnecessary confusion and problems. Bonus Custom Code is optional htaccess code that can be found by clicking the Bonus Custom Code tag on the forum site’s sidebar or by using this URL: https://forum.ait-pro.com/forums/topic-tag/bonus-custom-code/.
3.8
HUD Dismiss Notice: wp-content htaccess file check: Additional help info added.
BugFix: PHP Notice Undefined variable errors fixed.
Help Text Update: View Log Files help text added to log file open and write test help message.
3.7
Major Redesign|ModSecurity CRS Proofing Continued: JTC-Lite and Idle Session Logout Encrypt and Decrypt buttons created. ModSecurity CRS falsely sees legitimate CSS code Form data as a threat. JavaScript Encryption|Decryption and PHP openssl_encrypt|openssl_decrypt used to encrypt and decrypt CSS code submitted in the JTC-Lite and ISL Forms. Form data is encrypted in POST Form submission to evade/bypass ModSecurity CRS detection and decrypted in the Form processing code. A full detailed list of broken/fixed/pending Forms/Features/Pages can be found here: ModSecurity CRS Proofing.
BugFix: DB Backup: % characters were intentionally being replaced with placeholder strings by WP when using esc_sql(). Added the WP remove_placeholder_escape() function to correct this issue.
BugFix: DB Backup: Condition added to quote PayPal numeric transaction codes. Note: Most PayPal transaction codes are alphanumeric.
BugFix: Hidden Plugin Folders|Files Cron (HPF): File contents displaying outside of pre tags. Added CSS overflow and white-space properties to pre tag style.
Procedural Change: PHP7.2|7.3 PHP Warning: Use of undefined constant (assumed; this will throw an Error in a future version of PHP): Newer versions of PHP check for any unquoted strings and will log php warning errors. All unquoted strings have now been quoted in BPS.
HUD wp-content htaccess File Check: Updated the HUD wp-content htaccess file detection message to include new additional updated help information.
Procedural Change: Root htaccess File: Error check for BPS version line of code in the Root htaccess file changed to a Dismiss Notice.
3.6
Major Redesign|ModSecurity CRS Proofing: The OWASP ModSecurity CRS Core Rule Set installed on web hosts in cPanel breaks numerous Forms/Features/Pages and other things in the BPS and BPS Pro plugins. A full detailed list of broken/fixed/pending Forms/Features/Pages can be found here: ModSecurity CRS Proofing. In order to speed up the process of getting new BPS and BPS Pro versions released as quickly as possible we are fixing the most critical broken BPS/BPS Pro Forms/Features/Pages first and will then release another BPS/BPS Pro version that fixes any remaining ModSecurity CRS problems.
Important Note: Some people will experience more ModSecurity CRS problems than other people. That will depend on the particular ModSecurity CRS configuration settings that each web host chooses to use. Some web hosts may choose more restrictive ModSecurity CRS configuration settings than other web hosts.
Solution Methods used:
JavaScript Encryption|Decryption and PHP openssl_encrypt|openssl_decrypt: ModSecurity CRS falsely sees legitimate htaccess code Form data as a threat. JavaScript Encryption|Decryption and PHP openssl_encrypt|openssl_decrypt to encrypt and decrypt htaccess code submitted in various BPS Forms that save and submit htaccess code. Form data is encrypted in POST Form submission to evade/bypass ModSecurity CRS detection and decrypted in the Form processing code.
View Log Buttons: ModSecurity CRS falsely sees some log file data as a threat. View Log buttons added to BPS Plugin pages with log files to allow BPS Plugin Page loading instead of loading Log files in an open state when loading BPS Plugin pages that contain log files. Pending additional log file data encryption|decryption redesign work for some BPS Plugin log file pages.
Pending – Body Response/Source Code: ModSecurity CRS falsely sees BPS Plugin page Body Response/Source Code as a threat. BPS Plugin page Body Response design for various BPS Plugin pages due to ModSecurity CRS detecting help text and BPS Plugin option setting names in the page Body/Source Code as malicious and blocking BPS Plugin pages from loading. Limiting the amount of false positives that ModSecurity CRS Anomaly Scoring sees in the Body Response/Source Code by breaking up BPS Plugin pages so that limited Response Body data/Source Code is outputted should allow the broken BPS Plugin pages to load by falling under the ModSecurity CRS Anomaly Scoring threshold number that blocks BPS Plugin pages from loading.
Obsolete|Removed: BPS Plugin Download Count has been removed from the top of BPS Plugin pages.
3.5
Improvement: The BPS Script|Style Loader Filter (SLF) has been recoded to significantly improve BPS plugin page performance. The BPS Script|Style Loader Filter (SLF) feature prevents other Plugin and Theme js and CSS scripts from loading in BPS plugin pages. Resolves visually broken BPS plugin pages, js and CSS conflicts with BPS js and CSS scripts and page load performance problems caused by other Plugin and Theme scripts loading their scripts in BPS plugin pages. Notes: SLF is automatically set to On as the default when upgrading BPS or when installing BPS for the first time. The BPS Script|Style Loader Filter (SLF) feature only affects BPS plugin pages.
Improvement: Setup Wizard: Additional plain text root and wp-admin file backups created in cases where a website/server has issues/problems with creating zip backups and/or allowing the htaccess zip backup file to be downloaded. Additional help information displayed on Setup Wizard completion with file paths to backed up htaccess files.
Improvement: htaccess Files Disabled Notice: Simplified help text message and link added to forum topic for detailed help information.
Removal: MMode: Oxygen plugin error check removed.
CSS Fix: System Info: Force word break and max width for mobile CSS for extremely long lists of disabled PHP functions.
Error Check Mod: wp-content .htaccess file check modification. Checks if a known wp-content .htaccess files exists that breaks BPS Pro Security Logging, Plugin Firewall, Uploads Anti-Exploit Guard & other things in BPS Pro and displays a message on how to fix the problem.
3.4
Procedural Change: Explicitly added the global keyword for all existing global variables in BPS for WP_CLI compatibility. WP_CLI loads WordPress as a function and requires that all global variables outside of functions must explicitly use the global keyword.
Procedural Change: MScan > fopen() method used to download the WordPress zip file changed to download_url() due to issues/problems with fopen() being disabled by the allow_url_fopen php.ini directive.
3.3
Procedural Change: MScan > cURL GET zip download code changed to simple fopen() code to download the WordPress zip file. Dev Note: WP HTTP API method is not necessary for something as simple as an automatic remote zip file download and extraction.
Procedural Change|Removal: System Info > Website Headers Check Tool > HEAD Request Headers Check tool removed. The GET Request Headers Check tool still remains.
Text Correction: Dashboard Status Display > MScan hover tooltip text typo correction.
Bugfix: DB Backup > Automatically create new DB Backup folder if it has been manually deleted.
3.2
New Setup Wizard Option: Multisite Hide|Display System Info Page for Subsites. Allows someone to choose whether or not to display the BPS System Info menu link and page for Subsites.
Change: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Automation no longer includes the EPC plugin. The old manual setup steps for the EPC plugin will need to be performed to setup the EPC plugin’s htaccess code: https://forum.ait-pro.com/forums/topic/endurance-page-cache-infinite-redirect-loop-css-and-js-broken/
Change: The BPS Pro MU Tools must-use plugin functions have been disabled, but the must-use plugin will remain for possible future usage to perform other tasks.
BugFix: System Info: memcache and memcached Get version checks removed due to not working consistently across different servers/web hosts. The memcache and memcached extension loaded checks still remain.
BugFix: Suppress minor undefined index php errors for the GDPR Compliance IP address logging.
3.1
New Setup Wizard Options setting: GDPR Compliance: Allows someone to turn IP address logging On or Off throughout all BPS plugin features by choosing the GDPR Compliance On option setting on the Setup Wizard Options page: BPS Features affected: Security Logging, Login Security Logging, and Maintenance Mode Logging. Note: For simplicity and ease of use there is only one option setting that needs to be set instead of creating individual option settings in all BPS features that perform IP address logging.
New Dismiss Notice: GDPR Compliance Notice: This Dismiss Notice will alert folks about the new Setup Wizard GDPR Compliance option that turns off all IP address logging throughout BPS Pro plugin features.
Enhancement: New System Info check: Folder permissions and Ownership check for the /wp-content/mu-plugins/ folder.
Procedural Fix: MariaDB 10.2+ versions did not successfully process BPS DB Query code that had worked for many years. We suspect this is some sort of Bug in MariaDB 10.2+ versions. Features affected and now fixed: DB Backup, DB Table Prefix Changer, MScan Database Scan and MScan database size time estimate. Note: The existing DB Query code was changed to use the Variable Name instead of the Variable Rows, which apparently is some kind of bug in MariaDB 10.2+ versions since the BPS DB Query code has worked for many years prior to MariaDB 10.2.
BugFix: Setup Wizard AutoFix: WP Rocket htaccess code and Custom Code check and code removal fix. Remove/delete the WP Rocket plugin skip/bypass rule htaccess code from Custom Code text box: 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES when the WP Rocket plugin is deactivated or deleted.
BugFix: Setup Wizard AutoFix: Variable value fixed for the Setup Wizard AutoFix check for the Subscribe To Comments Reloaded plugin. Fixes PHP error: Call to undefined function bpsPro_autofix_message().
3.0
New Option: JTC Anti-Spam|Anti-Hacker: Multisite Register Form option. Adds the JTC CAPTCHA on the Network|Multisite Register Form (wp-signup.php). Note: This new option is only available in BPS Pro.
Enhancement: New System Info check: Folder permissions check for the /tmp folder. Dev Note: An additional folder permissions check is added for XAMPP, WAMP, MAMP local development servers. Local Dev servers use both the PHP tmp and local machine Temp folders.
Enhancement: New System Info check: Folder permissions check for the /bps-backup/mscan and /bps-backup/wp-hashes folders.
CSS Fix: System Info: Garbage Collector check CSS fix.
Improvement: Additional help info added for Mod Security tests on the Apache Modules Testing visual test page.
Setup Wizard AutoFix: New Setup Wizard AutoFix whitelist rule added for the Subscribe To Comments Reloaded plugin.
2.9
Enhancement: New System Info check: Mod Security Module Loaded|Enabled check. Displays whether or not the mod_security or mod_security2 Modules are loaded or displays that Mod Security is not Loaded|Enabled.
Improvement: The BPS bpsPro_apache_mod_directive_check() function now includes new BPS Mod Security DB options that are updated on BPS upgrades and new installations of BPS when running the Setup Wizard. The new BPS Mod Security DB options are used in the new Mod Security Module Loaded|Enabled Dismiss Notice.
New Dismiss Notice: Mod Security Module Loaded|Enabled: This new Dismiss Notice checks if Mod Security is Loaded|Enabled and provides a link to this forum topic: Mod Security Common Known Problems that explains the Mod Security SecRules and SecFilters issue/problem in detail and has information on how to fix problems caused by Mod Security SecRules and SecFilters. Mod Security SecRules and/or SecFilters are known to break some features in the BPS and BPS Pro plugins as well as some features in WordPress, other plugins and themes.
Procedural Change: MScan: The MScan pattern matching code has been removed from the mscan-ajax-functions.php file and a new file: mscan-pattern-match.php has been created that will automatically be copied to the /bps-backup/mscan/ folder on BPS upgrades and new installations. Some web hosts see the MScan pattern matching code as malicious and will either delete or make the mscan-pattern-match.php file unreadable or the /mscan/ folder unreadable. In previous BPS versions deleting or making the mscan-ajax-functions.php file unreadable caused BPS not to function normally or other various problems. In BPS 2.9+ and BPS Pro 13.4.1+ versions, if a web host does delete the /bps-backup/mscan/mscan-pattern-match.php file or make the file or folder unreadable then BPS and BPS Pro will still function normally, but MScan will of course not be usable on your particular website/server/web host. An MScan error message is displayed on the MScan page if the /bps-backup/mscan/mscan-pattern-match.php file does not exist or is unreadable or if the /bps-backup/mscan/ folder does not exist or is unreadable.
Procedural Change: The MScan Automatically Delete /tmp Files option setting is known to cause website/server crashes on SiteGround and Cyon Hosting. The MScan Automatically Delete /tmp Files default option setting has been changed to Off. A new warning message is displayed when the MScan Automatically Delete /tmp Files option setting is set to On.
New Option Setting Functionality: JTC-Lite: The JTC ToolTip can now be hidden/not displayed by entering a blank space in the JTC ToolTip text box.
New Option: JTC-Lite: New text box option created for custom CAPTCHA error messages for the Login form. Allows someone to create a customized JTC CAPTCHA error message instead of displaying the default JTC CAPTCHA error message.
Improvement: DB Backup accordion tabs now display relevant Active accordion Tab when processing all DB Backup Forms. DB Backup Form processing code has been moved hierarchically in the db-backup-security.php file so that “Refresh” buttons are no longer needed.
BugFix: DB Backup: Closing “strong” code tag missing forward slash in the Download|Delete Backup Files Form processing causing the Create Backup Jobs accordion tab to display broken when deleting a DB Backup Zip file.
Improvement: Login Security & Monitoring Form processing code has been moved hierarchically in the login.php file so that “Refresh” buttons are no longer needed. Memory usage and Completion time checks have also been removed.
BugFix: Login Security: Attempts Remaining countdown fix after user account is locked, the lockout time has expired and the user attempts to login again. The Attempts Remaining countdown now displays attempts remaining countdown correctly.
Procedural Improvement: Setup Wizard: create additional root htaccess file backup with timestamp filename format on each Setup Wizard run. Root htaccess file backups are stored in the /wp-content/bps-backups/master-backups/ folder.
Improvement: MScan: Additional cleanup help steps added for Pharma Hack cleanup.
Improvement: bps-ui-accordion.js file: New accordion options added.
New Dismiss Notice: Plugin review/rating request. This Dismiss Notice is displayed 30 days after someone upgrades BPS or on new installations of BPS.
2.8
New Feature Dismiss Notice: JTC-Lite: As of BPS 2.8 JTC-Lite is no longer automatically setup by default when upgrading BPS. A new feature Dismiss Notice is displayed instead with setup steps to enable/turn On JTC-Lite. For new BPS installations JTC-Lite is setup automatically by the BPS Setup Wizard.
BugFix: Login Security: Attempts Remaining value has been corrected for first time user account logins to display the correct number of Attempts Remaining value.
BugFix: MScan: mscan-stop.txt file variable path correction in admin.php.
Text Correction: MScan delete log file message correction.
Procedural Change: Inline CSS changed for various BPS buttons to allow button text wrapping for i18n language translation button text.
Enhancement: New System Info check: PHP Disable Functions and Suhosin Function Blacklist.
Procedural Update: Setup Wizard AutoFix whitelist rule update for WooCommerce.
2.7
Procedural Fix: BPS Pro MU Tools must-use plugin: nonce verification failing for Toggle links on SSL sites. SECURE_AUTH_COOKIE defined condition added.
Revert Visual Improvements: Problem: BPS jQuery Accordion tabs are not visible/displayed due to poorly coded plugins and themes loading their js and CSS scripts in BPS plugin pages and breaking js functionality and CSS visual display. Solution: revert the newer advanced/sophisticated BPS js initialization and CSS code and return to using dumbed down js and CSS code in order for BPS to function somewhat normally when other poorly coded plugins and themes are installed on a site that load their scripts in BPS plugin pages and break BPS plugin functionality and visual appearance.
Dev Note: The only realistic approach/method left to take is to create inline js and CSS code at this point. That will ensure that BPS js and CSS code is loaded in BPS plugin pages instead of other poorly coded plugins and themes js and CSS code being loaded in BPS plugin pages and overriding and breaking BPS plugin code. Since this problem occurs in many poorly coded plugins and themes for many years it is not realistic to expect that those poorly coded plugins and themes will ever fix their bad code.
2.6
Procedural Fix: open_basedir conditions added to MScan to accommodate folks who use open_basedir. Note: open_basedir causes MScan scanning to take 6 times longer than a regular/normal scan. Pending: Additional scan time estimate calculations specifically for open_basedir will need to be created in the next BPS plugin version. Currently estimated scan times for folks who use open_basedir are off by 6 times. This only affects folks who are using open_basedir, which is probably around 1% to 5% of folks.
2.5
BugFix: Added Network|Multisite subsite menu link code for JTC-Lite.
2.4
New Feature: MScan Malware Scanner: Scans website files for hacker files or code and scans the WordPress database for hacker code. For more information about the BPS Pro MScan Malware Scanner click the MScan Malware Scanner Guide link below. For troubleshooting help or to post suspicious code for help determining whether or not the code is actually malicious or safe click the MScan Troubleshooting & Code Posting link below. MScan scans can be scheduled to run automatically (BPS Pro Only) or MScan scans can be run manually.
MScan Malware Scanner Guide
MScan Troubleshooting & Code Posting
New Feature: JTC-Lite: JTC-Lite is a limited version of BPS Pro JTC Anti-Spam|Anti-Hacker that protects the WP Login form from constant Bot Brute Force Login attacks that repeatedly lock user accounts. JTC-Lite provides anti-lock Login Form protection only. If you would like to protect all of your WP forms that capability is available in BPS Pro JTC Anti-Spam|Anti-Hacker.
Procedural Change: The Login Security “Enable Login Security for WooCommerce” option is now disabled by default in BPS free and cannot be enabled. The reason for that is JTC-Lite does not offer anti-lock protection for the WooCommerce custom login form and only provides anti-lock protection for the standard WP login form.
Procedural Removal: WooCommerce Enable LSM option Dismiss Notice deleted. BPS free no longer offers Login Security protection for the WooCommerce custom login form. The reason for that is JTC-Lite does not offer anti-lock protection for the WooCommerce custom login form and only provides anti-lock protection for the standard WP login form.
New Page|Menu: Email|Log Settings: Email Alerting and Log file options have been moved from the Login Security page, Security Log & DB Backup Log pages to the new Email|Log Settings page.
New Option: Email|Log Settings: MScan Malware Scanner Email|Delete Log File option for automated log file processing/handling.
Improvements: UI|UX CSS and jQuery visual improvements. Do not display jQuery Dialog Read Me help button text until jQuery Dialog is initialized. Do not display jQuery Accordions until jQuery Accordions are initialized. Note: This improvement also prevents Dialog Read Me help text from being displayed inpage when another plugin is loading its js scripts in BPS plugin pages and breaking BPS plugin pages visually.
Improvement: CSS button width uniformity changes throughout BPS plugin pages.
Security Improvement: Added CSRF Nonce verification in BPS MU Tools must-use plugin Toggle GET Request links. Special thanks to Mohamed A. Baset, Founder and CyberSecurity Advisor at Seekurity SAS de C.V. http://www.seekurity.com for reporting this security issue.
Procedural Change: Login Security: Change default Automatic Lockout Time option setting from 60 minutes to 15 minutes. This only affects new BPS installations and does not affect BPS upgrades.
Improvement: BPS Status Display: Display hover tooltip icon question mark status message for new BPS installations that have not run a DB Backup yet.
Enhancement: New System Info check: Zend OPcache enabled or disabled. Zend OPcache version if enabled.
Improvement: Add RegEx file extension matching pattern for 403 & 405 Security Logging templates. Usage: Security Log Event Codes.
Setup Wizard AutoFix: New AutoFix added for the PowerPress Podcasting plugin.
Setup Wizard AutoFix: New AutoFix added for the Flatsome theme.
BugFix: HPF: replace hard coded plugins folder path name with dynamic plugins folder path.
2.3
Improvement: UI|UX HTML and CSS changes. Cleaner/simpler visual look for Blue, Black and Grey Skins. CSS Nick nack cleanup.
Improvement: Add Must-Use plugin check on System Info page. Get total number of Must-Use plugins installed and display Must-Use plugins in the Get Plugins List jQuery Dialog popup window.
Improvement: Setup Wizard AutoFix: trim extra whitespace from Custom Code whitelist rules.
Change: Minimum WP Version required for the BPS and BPS Pro plugins has been changed from WP 3.7 to WP 3.8. All WP 3.7 conditional code and files have been removed.
Revert: Root htaccess file|Custom Code: The R flag causes duplicate Security Log entries for 405 HEAD Requests made on some web hosts. Remove R from 405 HEAD Request RewriteRule in REQUEST METHODS FILTERED code block and other areas. Automatically fixed on BPS upgrade in Root htaccess file and Root Custom Code.
Procedural Fix: Delete the BPS Pro MU Tools must-use file in cases where BPS Pro is manually deleted and the BPS free plugin is installed.
Procedural Fix: Update the BPS MU Tools timestamp to +5 minutes during BPS plugin upgrades to prevent email alerts being sent during the WP plugin update for the BPS plugin.
Procedural Fix: Login Security php errors displayed and logged when WP_DEBUG is turned On.
BugFix: Setup Wizard AutoFix Notice: Do not display the Setup Wizard AutoFix Notice on Network/Multisite subsites.
BugFix: Setup Wizard root htaccess file automatic backup fatal error. Fixes Fatal error: Class ‘ZipArchive’ not found in wizard-backup.php on line 112.
BugFix: Enable Login Security for WooCommerce option being reset to 1/On on BPS upgrade and Setup Wizard rerun. Only enable once if the option does not exist.
BugFix: Only set/reset “Do Not Log POST Request Body Data (0KB)” as default option setting for new BPS installations or BPS upgrades if POST Request Body Data options have not been previously saved.
2.2
BugFix: Renamed the $woocommerce variable in login-security.php to something unique to avoid collisions/conflicts with this common variable name being declared a Global.
2.1
BugFix: The old bps-plugin-autoupdate.php file was not being deleted in time before the new bps-mu-tools.php file was created.
2.0
• New Option & Feature: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup): This option is turned On by default and can be turned Off on the BPS Setup Wizard Options page. Setup Wizard AutoFix checks which plugins and themes you currently have installed and will display a BPS Setup Wizard AutoFix Notice to run the BPS Setup Wizard if any currently installed plugins or themes require Custom Code whitelist rules or AutoSetup. The BPS Setup Wizard automatically creates BPS Custom Code whitelist rules for known issues with any plugins and themes that need Custom Code whitelist rules. Setup Wizard AutoFix also automatically sets up and cleans up caching plugin’s htaccess code for these WordPress caching plugins: WP Super Cache, W3 Total Cache, Comet Cache Plugin (free & Pro), WP Fastest Cache Plugin (free & Premium), Endurance Page Cache and WP Rocket. Notes: These caching plugins were also tested, but do not require AutoSetup by the BPS Setup Wizard: Cache Enabler plugin and the Hyper Cache plugin. The Cachify plugin was tested, but could not be added to BPS Setup Wizard AutoFix due to a problem with the Cachify plugin creating invalid htaccess code. The Cachify plugin will be added at a later time once the problem is fixed in the Cachify plugin.
Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Automation:
List of plugins and themes that have AutoFixes: Setup Wizard AutoFix
AutoWhitelist: The Setup Wizard AutoFix feature automatically creates Custom Code whitelist rules for 100+ known issues with plugins and themes. Previous versions of BPS and BPS Pro required doing a manual copy and paste solution to manually add Custom Code whitelist rules to BPS Custom Code.
AutoSetup: The Setup Wizard AutoFix feature automatically gets htaccess caching code from caching plugins (WP Super Cache, W3 Total Cache, Comet Cache Plugin (free & Pro), WP Fastest Cache Plugin (free & Premium), Endurance Page Cache and WP Rocket) and saves caching plugin’s htaccess code in BPS Custom Code. Previous versions of BPS and BPS Pro required doing a manual copy and paste solution to manually add caching plugin’s htaccess code to BPS Custom Code.
AutoCleanup: The Setup Wizard AutoFix feature automatically removes any existing caching plugin’s htaccess code in BPS Custom Code and the Root htaccess file if the caching plugin is no longer activated or installed. Example scenario: You have Plugin X Caching plugin installed and decide to try Plugin Y Caching plugin. Setup Wizard AutoFix (AutoCleanup) will automatically remove any existing htaccess code from BPS Custom Code and the Root htaccess file for Plugin X Caching plugin. At the same time Setup Wizard AutoFix (AutoSetup) will automatically create Plugin Y’s Caching code in BPS Custom Code and the Root htaccess file. So instead of having to manually add or remove any caching plugin’s htaccess code in BPS Custom Code, the Setup Wizard AutoFix feature will automatically do that when you run the BPS Setup Wizard.
AutoFix Debugging: BPS UI|UX Settings page > BPS UI|UX|AutoFix Debug: Turning On the BPS UI|UX|AutoFix Debug option will display: plugin or theme names and the BPS Custom Code text box where plugins or themes should be creating Custom Code whitelist rules. Usage: If the BPS Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Notice is still being displayed after running the Setup Wizard then the BPS UI|UX|AutoFix Debug option should be turned On to find the exact plugin or theme and the Custom Code text box where the problem is occurring. Example Debug Displayed message: CC Root Text Box 10: WooCommerce Plugin. This option could also be used generally to see which plugins and themes BPS AutoFix is creating Custom Code whitelist rules for and which Custom Code text boxes the AutoFix whitelist rules will be created in.
Dev Note: Existing HUD error checks & message changes: WP Super Cache, W3 Total Cache, WooCommerce, Jetpack changed. New help text/links for the new Setup Wizard AutoFix feature. New HUD BPS AutoFix checking function created for 100+ plugins and themes (combined into one function).
Dev Note: New conditions added to the EPC plugin dismiss notice: check if EPC version .9 is enabled and Cache level is 1,2,3,4.
Removal: HUD Dismiss Notices: Jetpack, WooCommerce & Broken Link Checker plugins. Now handled by Setup Wizard AutoFix.
• Change|Addition|Improvement: New AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) section has been added to the Setup Wizard Checks|Scans|Settings results. Additional section dividers added for Compatibility & Basic Checks, etc to make the Setup Wizard results visually easier to read. Hover ToolTip icons added for results that contain “extra” result data.
• Option Name & Functionality Change: BPS UI|UX Debug option name change to BPS UI|UX|AutoFix Debug. Turning On the BPS UI|UX|AutoFix Debug option will display: plugin or theme names and the BPS Custom Code text box where plugins or themes should be creating Custom Code whitelist rules. Usage: If the BPS Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Notice is still being displayed after running the Setup Wizard then the BPS UI|UX|AutoFix Debug option should be turned On to find the exact plugin or theme and the Custom Code text box where the problem is occurring. Example Debug Displayed message: CC Root Text Box 10: WooCommerce Plugin. This option could also be used generally to see which plugins and themes BPS AutoFix is creating Custom Code whitelist rules for and which Custom Code text boxes the AutoFix whitelist rules will be created in.
• Improvement: BPS Speed Boost Cache Dismiss Notice: Additional conditional checks added to check if BPS Speed Boost Browser Cache code exists in BPS Custom Code as well as other caching plugins Browser caching code. The check can be overridden by using a Marker: BPS NOCHECK. Using duplicate or redundant Browser caching code will not improve website performance and may actually cause your website to perform/load slower.
• Improvement: BPS MU Tools must-use plugin Enable|Disable Action Links created to disable or enable the BPS MU Tools options. Enable|Disable BPS Plugin AutoUpdates, Enable|Disable BPS Folder|Deactivation Checks. Enable|Disable BPS Plugin AutoUpdates: Clicking this link enables or disables BPS Plugin automatic updates for the BPS plugin only. Enable|Disable BPS Folder|Deactivation Checks: Clicking this link enables or disables checks for whether the /bulletproof-security/ plugin folder has been renamed or deleted. Checks for whether the BPS plugin has been deactivated. Email alerts are sent every 5 minutes when the BPS plugin folder has been renamed or deleted or the BPS plugin has been deactivated. To disable these checks and the email alerts click the Disable BPS Folder|Deactivation Checks link. Note: When you click disable links you will then see enable links and vice versa.
• Removal: UI|UX Option: BPS Plugin AutoUpdate has been removed. BPS plugin Automatic Updates enable or disable is now handled directly in the BPS MU Tools must-use plugin.
• New Security Log Options: Security Log: POST Request Body Data option: 2 new checkbox options: Do Not Log POST Request Body Data (0KB) and Log Maximum POST Request Body Data (250KB). POST Request Body Data option name change from: Limit POST Request Body Data to: Log Minimum POST Request Body Data (5KB). The new default POST Request Body Data option setting is: Do Not Log POST Request Body Data (0KB), which will be automatically set on this BPS plugin upgrade only and new first run Setup Wizard installations. Some web hosts falsely interpret the BPS Security Log text file as malicious since hacker code used to attack your website can be captured/logged in the Security Log text file depending on your POST Request Body Data option settings. This change only affects logging or not logging data in the REQUEST BODY Security Log field and does not affect anything else about Security Log entries. Security Logging template files affected: 403.php, 404.php and 405.php.
• Improvement: Replace the $_SERVER['QUERY_STRING'] superglobal with the parse_url() PHP_URL_QUERY component to get Query String logging field values in all logging templates and logging code.
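The difference between the two ways of reading the query string, as an added example that is not BPS code (the function names and the sample requests are constructed for this illustration): REQUEST_URI is what the client sent, while QUERY_STRING is the query as the server sees it after any RewriteRule that appends or replaces it ([QSA], or a rule supplying its own query), so a log field built from QUERY_STRING can record an internal rewritten value instead of the request that was actually made.

```php
<?php
// Added example (not BPS code): build the Query String logging field from
// REQUEST_URI with parse_url(PHP_URL_QUERY) rather than $_SERVER['QUERY_STRING'].

/**
 * Query string of the incoming request, or '' when there is none.
 * $server is passed in so the function can be exercised with constructed arrays.
 */
function bps_example_query_string(array $server): string {
    $uri = isset($server['REQUEST_URI']) ? (string) $server['REQUEST_URI'] : '';
    // Drop control characters first so a crafted URI cannot forge extra log
    // lines or fields when the value is written to a text log file.
    $uri = preg_replace('/[\x00-\x1F\x7F]/', '', $uri);
    // parse_url() gives null when the component is absent and false when the
    // URI cannot be parsed at all; both mean "nothing to log".
    $query = parse_url($uri, PHP_URL_QUERY);
    return is_string($query) ? $query : '';
}

/** The field as it would appear in a 403/404/405 log entry. */
function bps_example_query_string_field(array $server): string {
    return 'QUERY STRING: ' . bps_example_query_string($server);
}

// Constructed sample requests (not captured traffic).
$samples = [
    // Permalink rewritten internally: QUERY_STRING holds p=123, which the client never sent.
    ['REQUEST_URI' => '/some-post/?ref=newsletter', 'QUERY_STRING' => 'p=123&ref=newsletter'],
    // No query at all: parse_url() returns null, the field is left empty.
    ['REQUEST_URI' => '/wp-login.php', 'QUERY_STRING' => ''],
    // Embedded CR/LF that would otherwise start a fake log line.
    ['REQUEST_URI' => "/?page=2\r\nFORGED FIELD: x", 'QUERY_STRING' => 'page=2'],
];
foreach ($samples as $server) {
    echo bps_example_query_string_field($server), PHP_EOL;
}
```

Run it with `php` on the command line; in a real logging template the array passed in is simply `$_SERVER`.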
• Dev Note: Files affected: 400.php, 403.php, 404.php, 405.php, 410.php, Isl-logout.php, bps-maintenance.php.
• Procedural: Root and wp-admin htaccess file security rule modifications. On BPS upgrade automatically add additional https scheme conditions to 3 htaccess security rules and combine 2 rules into 1 rule for the currently active Root and wp-admin htaccess files. On BPS upgrade automatically update any existing BPS htaccess code to the new BPS htaccess code that is saved in Root and wp-admin Custom Code.
• BugFix: Root htaccess file|Custom Code: Add R to 405 RewriteRule to REQUEST METHODS FILTERED code block. Automatically fixed on BPS upgrade in Root htaccess file and Root Custom Code.
• Change: wp-admin master htaccess file: Remove Request Methods Filtered block of htaccess code in wp-admin Master htaccess file and Live wp-admin htaccess file on BPS upgrade.
• Procedural: Setup Wizard: wp-admin htaccess file added to automated root htaccess file backup and zip download.
• Procedural: New error check for the Oxygen plugin. The Oxygen plugin interferes with BPS MMode. An inpage check and error message is displayed on the BPS MMode page.
• Procedural: MMode: Add additional condition to check if wp_mail() function exists. Prevents PHP Fatal error: Call to undefined function wp_mail() error.
• Procedural: file exists check for all BPS log files. Fixes: PHP Warning: filesize(): stat failed for /xxxxx/public_html/wp-content/bps-backup/logs/http_error_log.txt, etc.
1.1
BugFix: New BPS version numbering convention not successfully replacing the old BPS version numbering convention in the Root htaccess file for some scenarios.
1.0
New BPS version numbering convention: BPS plugin version numbers are no longer using the gimmicky “bullet caliber” version numbering convention (.44, .45, etc) due to causing issues/problems for the new WordPress Plugin Directory Nginx server. BPS plugin version numbers are now using a standard version numbering convention (1.0, 2.0, etc).
New System Info Checks: cURL version, cURL OpenSSL Version (Used by PayPal, etc.) and DISABLE_WP_CRON constant check: Checks if Standard WP Crons are disabled using the DISABLE_WP_CRON constant.
Procedural: New Dismiss Notice created for the Endurance Page Cache (EPC) must-use plugin.
Forum Topic for EPC Plugin: https://forum.ait-pro.com/forums/topic/endurance-page-cache-infinite-redirect-loop-css-and-js-broken/.
Change|Update: Sucuri plugin Restrict wp-content access Hardening Option Dismiss Notice conditional check changed to match newer Sucuri htaccess file changes.
Dev Note: Setup Wizard PHP Configuration Memory limit check. Do not display a message if server configuration does not allow getting the PHP Memory limit value.
Dev Note: BPS plugin asset banner changed for new WP Plugin site design.
.54.5
Enhancement: WP version number added in all Security logging code/text to aid in troubleshooting possible version issues/problems. Files affected: 400.php, 403.php, 404.php, 405.php, 410.php, isl-logout.php and bps-maintenance.php.
Change: Numbering system added to Custom Code. Custom Code text boxes can be identified via numbers as well as Titles.
BugFix: CSS Additional spacing added before Security Log Limit POST Request Body Data checkbox form.
.54.4
BugFix: WooCommerce Dismiss Notice function added to BPS HUD admin_notices function.
.54.3
New Option: Enable Login Security for WooCommerce: Check this checkbox if you have the WooCommerce plugin installed and would like to use BPS Login Security on the WooCommerce custom login page. BPS Login Security will still continue to work normally on the standard WordPress Login page when you check this checkbox. This checkbox option setting is not for turning Login Security On or Off if you are using WooCommerce. Use the Login Security Turn On|Turn Off option to turn Login Security On or Off.
Dev Note: LSM protects the Standard WordPress Forms: Login, Register, Lost Password, Comment, BuddyPress Register Form and BuddyPress Sidebar Login Forms and the WooCommerce custom Login page/Form. If WooCommerce is deactivated or WooCommerce is not installed and the Enable Login Security for WooCommerce checkbox option is checked then LSM will still work normally on the Standard WordPress Forms. M&A Core: LSM, SW, SWNO, BUF.
New Dismiss Notice: BPS Pro WooCommerce Options Notice: Enable Login Security for WooCommerce
BPS Pro Login Security & Monitoring (LSM) can be enabled/disabled for the WooCommerce custom login page by checking or unchecking the Enable Login Security for WooCommerce checkbox option setting. The LSM WooCommerce option is automatically enabled during the BPS upgrade if you already had WooCommerce installed before upgrading BPS Pro. If you just installed WooCommerce you can either run the Setup Wizard to enable the LSM WooCommerce option or you can enable this option manually by going to the BPS LSM plugin page if you want to enable LSM for WooCommerce.
I18n: Login Security frontend: text domain tags created for Login Security frontend and email text messages.
Change: CSS and HTML changes for Form elements, div positions/spacing & jQuery UI Accordion widget for i18n language translations.
Change: Login Security email alert text changes:
Old: A User Account Has Been Locked. New: A User Account has been locked on website: example.com
Old: A User Has Logged in. New: A User has logged in on website: example.com
Old: An Administrator Has Logged in. New: An Administrator has logged in on website: example.com
New System Info Checks: WP Temp Dir, PHP Temp Dir, PHP Upload Temp Dir, Session Save Path and WP_TEMP_DIR constant value check.
Checks display either the directory path if it exists and is writable or Not set/defined or directory is not writable.
Change: Security Logging templates: Changed negative offset -1 to 0 for POST Request Body capture for PHP7.1.x compatibility. Fixes PHP error: PHP Warning: file_get_contents(): Failed to seek to position -1 in the stream. Templates affected: 403.php, 404.php & 405.php.
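The POST body capture change above, together with the 0KB/5KB/250KB POST Request Body Data options from the 2.x release notes earlier in this changelog, as an added example that is not BPS code. The function names, the byte values used for the 5KB and 250KB settings, and the truncation marker are assumptions made for this illustration.

```php
<?php
// Added example (not BPS code): read a bounded amount of the POST request body
// for a security log entry. Two points from the changelog are combined here:
// (1) the offset passed to file_get_contents() must be 0, not -1: PHP 7.1 treats
//     a negative offset as "seek from the end", which php://input does not
//     support and which raises "Failed to seek to position -1 in the stream";
// (2) the amount logged is capped by a per-site setting: 0 KB (do not log),
//     5 KB (minimum) or 250 KB (maximum).

const BPS_EXAMPLE_POST_LOG_OFF = 0;       // Do Not Log POST Request Body Data (0KB)
const BPS_EXAMPLE_POST_LOG_MIN = 5120;    // Log Minimum POST Request Body Data (5KB), assumed byte value
const BPS_EXAMPLE_POST_LOG_MAX = 256000;  // Log Maximum POST Request Body Data (250KB), assumed byte value

/**
 * Return at most $limit bytes of the request body found at $source
 * ('php://input' in production; any readable file or stream URI for testing).
 * Returns '' when logging is disabled or nothing is readable.
 */
function bps_example_capture_post_body(string $source, int $limit): string {
    if ($limit <= 0) {
        return '';                         // option set to 0KB: log nothing at all
    }
    // Offset 0 plus a maximum length avoids both the PHP 7.1 seek warning and
    // reading an unbounded body into memory on a large upload.
    $body = @file_get_contents($source, false, null, 0, $limit);
    return ($body === false) ? '' : $body;
}

/** Build the REQUEST BODY field as it would appear in a 403/404/405 log entry. */
function bps_example_request_body_field(string $source, int $limit): string {
    $body = bps_example_capture_post_body($source, $limit);
    if ($body === '') {
        return 'REQUEST BODY: ';
    }
    // Mark capped captures so an analyst knows the recorded body is partial.
    $suffix = (strlen($body) >= $limit) ? ' [truncated at ' . $limit . ' bytes]' : '';
    return 'REQUEST BODY: ' . $body . $suffix;
}

// Demonstration with a constructed 6004-byte body written to a temp file,
// standing in for php://input.
$tmp = tempnam(sys_get_temp_dir(), 'bps');
file_put_contents($tmp, 'log=' . str_repeat('A', 6000));
foreach ([BPS_EXAMPLE_POST_LOG_OFF, BPS_EXAMPLE_POST_LOG_MIN, BPS_EXAMPLE_POST_LOG_MAX] as $limit) {
    $field = bps_example_request_body_field($tmp, $limit);
    echo 'limit=' . $limit . ' -> ' . strlen($field) . ' bytes logged' . PHP_EOL;
}
unlink($tmp);
```

With the 0KB setting the field is always empty, which is the behaviour the changelog describes for hosts that flag captured attack payloads in the log file as malicious; the 5KB setting returns exactly 5120 bytes of this body and is marked as truncated, and the 250KB setting returns the whole 6004-byte body.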
BugFix: Custom User Roles: Pre-save and correct Custom User Roles db option values during BPS upgrade. Fixes problem with ISL and ACE not allowing users with a Custom User Role to login if ISL or ACE is turned On.
.54.2
New Options: Custom User Roles: All BPS Form User Roles options now include custom user roles. If no custom user roles exist the standard WP User Roles will be displayed: Administrator, Editor, Author, Contributor & Subscriber. If Custom User Roles exist the User Roles will be displayed in a scrollable box.
Features affected: WordPress Authentication Cookie Expiration (ACE) & Idle Session Logout (ISL).
New Option: Auth Cookie Expiration (ACE): Enable|Disable Remember Me Checkbox: Checking the Disable & do not display the Remember Me checkbox option will disable and not display the Remember Me checkbox for everyone including you. If you want to set and control the WordPress Remember Me setting then use the Remember Me Auth Cookie Expiration Time in Minutes option setting instead and choose an amount of time you would like to use for the Cookie expiration time.
Enhancement: Security Log Event Code: HPR: Hacker Probe/Recon changed to: HPRA: Hacker Probe/Recon/Attack. Security Log 403 and 405 logging template files change.
Enhancement: BPS Pro version number is now added in all Security logging code/text to aid in troubleshooting possible version issues/problems.
Dev Note: All AITpro.com http help links changed to https links.
.54.1
New Option: Idle Session Logout Exclude URLs|URIs: This option allows you to exclude any pages or posts that you do not want ISL to check/monitor. Important: The URI path is everything after the root portion of your domain URL. Example: If the page/post you want to exclude is here: http://www.example.com/some-post/ then the URI Exclusion that you would use/enter is: /some-post/. If the page/post you want to exclude is here: http://www.example.com/category/some-post/ then the URI Exclusion that you would use/enter is: /category/some-post/.
UI|UX: Mobile friendly Responsive design: CSS3 Media Queries created in all stylesheets. Viewport size range: 300px to Infinity.
Change: Idle Session Logout (ISL): Changed instances of deprecated user_level to Roles.
Change: Auth Cookie Expiration (ACE): Changed instances of deprecated user_level to Roles.
Improvement: Hidden Plugin Folder|Files (HPF) Cron: Additional displayed message field “HPF Ignore Rule:”, which displays the exact ignore rule that is needed. The displayed HPF Ignore Rule can be copied and pasted into the Ignore Hidden Plugin Folders & Files text area.
New UI|UX Option: BPS Plugin AutoUpdate: BPS Plugin AutoUpdate is set to Off by default. Choosing the AutoUpdate On option setting will allow the BPS plugin to automatically update itself when a new BPS plugin version is available. A must-use file is created in the /mu-plugins/ folder when you choose the AutoUpdate On option setting. The must-use file is deleted when you choose the AutoUpdate Off option setting or if you delete the BPS plugin.
New Dismiss Notice: BPS Plugin Automatic Update Notice: Displays a dismissible notification about how to turn On BPS Plugin Automatic updates.
TypoFix: mmod_rewrite Inconclusive > mod_rewrite Inconclusive.
Dev Note: BPS Asset Banner redesigned.
Dev Note: New Screenshot for Login Security.
.54
New Setup Wizard Option: Zip File Download Fix (Incapsula, Proxy, Other Cause)
This new option allows these Zip files to be downloaded: Custom Code Export Zip file, Login Security Table Export Zip file or the Setup Wizard Root htaccess file backup Zip file if 403 errors are occurring when trying to download zip files due to an IP address problem with Incapsula, other Proxies or some other cause.
Other|Misc:
• Procedural: WordPress 4.6 Beta 4 testing completed.
• WP 4.6 CSS Changes: CSS property changes for WP 4.6.
• Enhancement: System Info page PHP Configuration File (php.ini) path check added. Displays the path to the currently loaded php.ini file if available.
• Enhancement: Once daily cron option added to HPF Cron Check Frequency option.
• Enhancement: File contents displayed in Hidden Plugin Folder|Files (HPF) Alert.
• Improvement: JavaScript disabled check added for BPS plugin pages. Displays a warning message if JavaScript is disabled in the Browser.
• BugFix: Hidden Plugin Folders|Files Cron alert displayed on Network|Multisite subsites correction.
• BugFix: DB Table Prefix Changer Network|Multisite subsite Site options [DB Table Prefix]_[Site ID]_user_roles DB row update correction.
• BugFix: MMode Network|Multisite subdomain site type: PHP Strict Standards: Only variables should be passed by reference fix.
• Change: DB Backup Log: Old Zip Backup File(s) Automatic Deletion hourly log entries will only be logged if a DB Backup zip file was deleted.
• Change: HUD Safe Mode Static check changed to a Dismiss Notice.
.53.9
New Feature: Save Customized default.htaccess file permanently for use in RBM Deactivation
If the default.htaccess file is edited and customized using the htaccess Core > htaccess File Editor, the customized default.htaccess file will be saved to the /bps-backup/master-backups/ folder permanently. When Root Folder BulletProof Mode is deactivated the Custom default.htaccess file will be used instead of the default BPS generic WordPress htaccess file. If you have created a Custom default.htaccess file then it will be automatically copied from the /bps-backup/master-backups/ folder during a BPS plugin upgrade and will replace the default BPS default.htaccess Master file.
Other|Misc:
• BugFix|Correction: MMode Network|Multisite replace subsite site name variable name with dash/hyphen to underscore.
• BugFix|Correction: Incorrect option name used in Cron Schedule conditions 15, 30 and 60. Fixes Notice: Undefined index php error.
• Improvement: MMode additional conditional check if Countdown Timer checkbox is checked for Maintenance Mode Time Text Box error check.
.53.8
htaccess Core UI|UX Redesign:
The htaccess Core UI|UX design has been simplified visually and functionally. Forms have been combined to reduce total overall number of clicks required to perform tasks. Features and Options have been moved to locations that make the most logical sense for ease of use, visual flow and functionality.
• Removal: htaccess Core > Security Status page.
• Removal: htaccess Core > Backup & Restore page.
• Removal: Security Status: Various Additional Website Security Measures checks deleted. Redundant and obsolete.
• Change|Move: Backup & Restore htaccess Files Form moved to Security Modes page.
• Change|Move: Enable|Disable wp-admin BulletProof Mode option moved from WBM to Setup Wizard Options page.
• Change|Move: Inpage Status Display option settings moved from Security Status to UI|UX page.
• Change|Move: Reset|Recheck Dismiss Notices option Form moved from Security Status to Custom Code.
• Change|Move: DB Show Errors check moved from Security Status to System Info page.
• Change|Enhancement: Master htaccess Folder BulletProof Mode (MBM) new section created. Deactivate Form created.
• Change|Enhancement: BPS Backup Folder BulletProof Mode (BBM) new section created. Deactivate Form created.
Dev Note htaccess Core UI|UX:
Core Error checking/messaging uses POST value true real-time value checking. Success|Error messages have been simplified. Form “confirm” messaging has been simplified. All Form code moved to includes as this provides an additional level of security protection against the Remote POST attack vector. Future Planned|Scheduled pending UI|UX Redesign for all BPS pages, features, etc. in stages (TL’s see Task List UI|UX Redesign Schedule). htaccess Core UI|UX Redesign Cu Score: 98% positive|2% negative.
New Feature: Hidden Plugin Folders|Files (HPF) Cron
Special Thanks to Alex Stamatellos at Webcentrix LLC: http://webcentrex.us/ for this new feature idea in BPS.
A hidden or empty plugin folder is a plugin that exists in your /plugins/ folder, but is not displayed on the WordPress Plugins page. A hidden plugin can be used as a hacker backdoor to gain access to your WP Dashboard, hosting account, create user accounts, completely control your website and hosting account, etc. A non-standard WP file or modified/altered file in your /plugins/ folder can also do all of the things a hidden plugin can do. The HPF Cron is set up automatically when upgrading BPS and by running the Setup Wizard. The HPF Cron checks the WordPress /plugins/ folder for hidden or empty plugin folders and any non-standard WP files or altered files in the /plugins/ folder. This is a lightweight Cron check that uses an insignificant amount of resources/memory. So 4 checks per hour (check every 15 minutes) will not cause any significant resource/memory issues whatsoever. Even choosing Run Check Every 1 Minute would not cause any significant resource/memory issues whatsoever.
HPF Dashboard Alerts & Email Alerts:
If a hidden or empty plugin folder is detected or a non-standard WP file is detected then a BPS Dashboard Alert will be displayed and Email Alert will be sent to you. BPS Pro Only: The HPF Email Alert setting is in S-Monitor: HPF: Hidden Plugin Folders|Files (HPF) Cron and the option settings are: Send Email Alerts or Do Not Send Email Alerts.
New Feature: System Info > Get Plugins List
Clicking the System Info Get Plugins List button displays a list of all plugins installed, the version number of the plugin, activated or deactivated status and the URI path to the plugin in a jQuery Dialog popup window.
New Feature|Option: BPS UI|UX Debug
BPS UI|UX Debug is set to Off by default. Turning On the BPS UI|UX Debug option will display: plugin or theme Scripts that were Dequeued (prevented) from loading in BPS plugin pages, plugin or theme Scripts that were Nulled (prevented) from loading in BPS plugin pages by the Script|Style Loader Filter (SLF) In BPS Plugin Pages option and WP Toolbar nodes|menu items that were Removed in BPS plugin pages by the WP Toolbar Functionality In BPS Plugin Pages option. The Debugger will also display any SLF js or css Scripts that were Not Nulled|Allowed to load in BPS plugin pages.
New Dismiss Notice: New Improved BPS Speed Boost Cache Code HUD Dismiss Notice
Checks this BPS Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE for older BPS Speed Boost Cache Code and if older BPS Speed Boost Cache Code is found displays a link to get the newer BPS Speed Boost Cache Code, which should improve website load speed performance even more.
New System Info Page Check: OpenSSL Extension/Version
Checks if the OpenSSL extension is loaded and displays the OpenSSL version.
New Idle Session Logout (ISL) Options: Idle Session Logout Page URL, Idle Session Logout Page Custom Message & Idle Session Logout Page Custom CSS Style
• Idle Session Logout Page URL: Option to choose to redirect idle/inactive logged out users to any URL that you want to redirect them to by entering the URL in this text box. Example: If you enter the URL path to your WP Login page then users will be redirected to your WP Login page instead of the default BPS Idle Session Logout Page.
• Idle Session Logout Page Custom Message: Option to choose to either use the default BPS ISL message/text by leaving the textarea box blank or you can enter your own custom ISL message/text in this textarea box that you want displayed to logged out users.
• Idle Session Logout Page Custom CSS Style: Option to choose to either use the default BPS CSS Style code or enter your own custom CSS Style customizations.
• Enhancement: Idle Session Logout > Idle Session Logout Page Login URL: Choose to display or not display a Login URL on the ISL Logout page.
Other|Misc:
• BugFix: Remove “default” from TEXT Type Create Table SQL code. Special Thanks to Max Fein: https://wp-networks.com for finding and reporting a bug in the BPS Create Table SQL code.
• BugFix|Change: Apache Modules|Directives: mod-test index.php file HTML image name correction. mod_rewrite Module htaccess Status checking code changed to check both http and https internal image rewriting vs image redirection to Google. Additional 404 Status condition added.
• BugFix|Correction: Network|Multisite: network_admin_notices Action Hook added to display Login Security password reset disabled notification on Network Edit Users page.
• BugFix|Correction: wp_register_script|wp_enqueue_script and wp_register_style|wp_enqueue_style handles & dependencies code correction.
• Enhancement: Register scripts and styles: Added: ver Query Strings & load scripts in footer.
• Enhancement: Network|Multisite: Added Setup Wizard Action Link on Network Admin Dashboard Plugins page.
• Enhancement: jQuery icon circle triangle CSS added to accordions.
• Correction|Addition: Login Security Login by email address capability added. Technically this is a correction since this feature should have already been available in Login Security.
• Nav Removal: Logs & Info Menu > Security Status Menu link.
• Nav Change: UI|UX menu name change to UI|UX Settings.
• Removal: System Info page: Custom Permalinks and PHP Version Check – redundant.
• Security: Static HUD check/message for BPS Backup Folder BulletProof Mode (BBM) deactivated.
• Change: Network|Multisite: Do not display BPS jQuery UI Dialog Pop up Form Uninstaller Options Action Link for Network|Multisite sites.
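The two conditions the Hidden Plugin Folders|Files (HPF) Cron introduced in this release looks for, a plugin folder that never shows on the Plugins page and a loose non-standard file in /plugins/, as an added example that is not the BPS HPF code. It assumes a folder is "visible" only when one of its top-level .php files carries a WordPress "Plugin Name:" header (the same header WordPress itself reads), treats index.php and hello.php as the only standard top-level files, and builds a throwaway demo tree so it can be run outside WordPress; the function names and the demo contents are constructed.

```php
<?php
// Added example (not BPS code): a defensive scan of the WordPress /plugins/
// folder for hidden/empty plugin folders and non-standard top-level files.

/** Files WordPress ships at the top level of wp-content/plugins/ (assumption). */
const BPS_EXAMPLE_STANDARD_TOP_LEVEL_FILES = ['index.php', 'hello.php'];

/** True when the first 8 KB of $file carries a WordPress "Plugin Name:" header. */
function bps_example_has_plugin_header(string $file): bool {
    $head = @file_get_contents($file, false, null, 0, 8192);
    return is_string($head) && preg_match('/^[ \t\/*#@]*Plugin Name:\s*\S/mi', $head) === 1;
}

/**
 * Scan $plugins_dir. Returns ['hidden_folders' => [...], 'non_standard_files' => [...]],
 * each a list of entry names relative to $plugins_dir. $ignore holds HPF-style
 * ignore rules (entry names) that should not be reported.
 */
function bps_example_hpf_scan(string $plugins_dir, array $ignore = []): array {
    $result  = ['hidden_folders' => [], 'non_standard_files' => []];
    $entries = @scandir($plugins_dir);
    if ($entries === false) {
        return $result;                                  // unreadable: nothing to report
    }
    foreach ($entries as $entry) {
        if ($entry === '.' || $entry === '..' || in_array($entry, $ignore, true)) {
            continue;
        }
        $path = $plugins_dir . DIRECTORY_SEPARATOR . $entry;
        if (is_dir($path)) {
            // A folder is listed on the Plugins page only if a top-level .php file has a header.
            $visible = false;
            foreach (glob($path . DIRECTORY_SEPARATOR . '*.php') ?: [] as $php) {
                if (bps_example_has_plugin_header($php)) {
                    $visible = true;
                    break;
                }
            }
            if (!$visible) {
                $result['hidden_folders'][] = $entry;    // empty, hidden, or header-less folder
            }
        } elseif (!in_array($entry, BPS_EXAMPLE_STANDARD_TOP_LEVEL_FILES, true)) {
            // Single-file plugins (a .php file with a header) are legitimate; anything else is reported.
            if (!(substr($entry, -4) === '.php' && bps_example_has_plugin_header($path))) {
                $result['non_standard_files'][] = $entry;
            }
        }
    }
    return $result;
}

// Constructed demo tree (not a real site): one normal plugin, one hidden folder, one stray file.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bps-hpf-demo-' . getmypid();
mkdir($root . '/good-plugin', 0700, true);
file_put_contents($root . '/good-plugin/good-plugin.php', "<?php\n/*\nPlugin Name: Good Plugin\n*/\n");
mkdir($root . '/.cache', 0700);                                   // never shown on the Plugins page
file_put_contents($root . '/.cache/x.php', "<?php echo 1;\n");    // code with no plugin header
file_put_contents($root . '/index.php', "<?php // Silence is golden.\n");
file_put_contents($root . '/backup.zip', 'not a plugin');
print_r(bps_example_hpf_scan($root, ['hello.php']));

// Remove the demo tree again.
foreach (['/good-plugin/good-plugin.php', '/.cache/x.php', '/index.php', '/backup.zip'] as $f) {
    unlink($root . $f);
}
foreach (['/good-plugin', '/.cache', ''] as $d) {
    rmdir($root . $d);
}
```

Against the demo tree the scan reports `.cache` as a hidden folder and `backup.zip` as a non-standard file while `good-plugin` and `index.php` pass; pointing it at a real `wp-content/plugins` directory instead of `$root` gives the same two lists, which is what a dashboard or email alert would be built from.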
• Dev Note: Setup Wizard db options update changed to ternary conditions.
.53.7
BugFix: Comment out Script|Style Dequeued debugging/testing code in admin.php.
.53.6
New Setup Wizard Options Option: Enable|Disable htaccess Files:
Setup Wizard Enable|Disable htaccess Files Forum Topic
The BPS Apache Modules and Directives testing code checks if mod_access_compat and/or mod_authz_core or mod_rewrite are loaded or can be processed (converted/translated) by your server by using a testing htaccess file and then checking the responses from your server. If BPS detects that your website/server cannot use htaccess files/code based on the responses from your website/server then BPS will automatically save/set the Setup Wizard Option > Enable|Disable htaccess Files setting to > htaccess Files Disabled. Automation Compatibility: htaccess features and files are automatically disabled if the Apache server does not have the necessary/required Modules loaded to use htaccess code/files. If the server type is Windows, Nginx or LiteSpeed and the server does not have the necessary conversion/translation configuration to use htaccess code/files then htaccess features and files are automatically disabled. Manual Usage: The Enable|Disable htaccess Files Option can be used to manually override the automated BPS Apache Modules and Directives checking code to manually disable or enable all BPS htaccess features. See the Setup Wizard Enable|Disable htaccess Files Forum Topic link above for details.
New System Info Page Checks:
GD Library Extension/Version – ImageMagick Extension/Version:
Checks if the GD Library extension is loaded and displays the version. Checks if the ImageMagick extension is loaded and displays the version.
New Dismiss Notice: Wordfence WAF Firewall HUD Dismiss Notice:
Detects Wordfence htaccess code problems and displays help info with a forum link for solutions.
Compatibility|Enhancement|Improvement: Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): Additional checks for compatibility with server configurations that do not have the necessary standard modules or directives loaded/configured to use htaccess files. Improved test/checking results accuracy: expected: 99%|hopeful: 100%. Displays conclusive Modules and Directives status response results. Function called in: Setup Wizard, BPS Upgrade, System Info & Core In-page check. Creates|Updates new DB option for Enable|Disable htaccess Files Setup Wizard Option. Displays: mod_access_compat, mod_authz_core, mod_authz_host and mod_rewrite checking/testing status results.
Enhancement: Delete and Run text added under individual DB Backup dynamic form checkboxes.
Enhancement: jQuery icon circle triangle CSS added to accordions.
Improvement: System Info PHP Version Check displays PHP version.
Improvement: System Info table title change from: SQL Database|Permalink Structure|WP Installation Folder|Site Type to: SQL Database Info|WordPress Site Info|Misc Checks.
Improvement: System Info WordPress Site Info checks order changed.
Improvement: Form option naming convention changes from Turn On|Turn Off to X On|X Off for: Login Security, ISL, ACE, UI|UX, Inpage Status Display and DB Backup All Scheduled Backups form option names. Special thanks to Laughter On Water: http://low.li/ for this excellent idea.
BugFix: Duplicate MIME-Version email headers sent in BPS automated emails. Using standard wp_mail headers array vs concatenation and duplicate MIME-Version header removed.
BugFix: wp_clear_scheduled_hook() added for bpsPro_DBB_check and bpsPro_email_log_files Cron job Hooks in bulletproof_security_deactivation().
BugFix: Black UI Theme Skin broken by extra CSS curly bracket in updatedinner class.
BugFix: Dashboard Status Display div broken when ISL and ACE are turned on in S-Monitor, but are not actually turned on in ISL or ACE. Error Check/Message: ISL: Settings have not been saved yet. ISL is not turned On and/or ACE: Settings have not been saved yet. ACE is not turned On.
BugFix|AutoFix: DB Backup Zip Download 403 error. Overwrite/replace older htaccess file versions on page load.
BugFix|Form Sanitization|Validation: Special thanks to Kacper Szurek: http://security.szurek.pl/ for finding and reporting 2 Form Sanitization|Validation bugs in BPS DB Backup that needed to be fixed. We appreciate the time and effort Kacper Szurek put into finding these bugs in BPS and reporting them to us. These Form Sanitization|Validation bugs are valid Security Vulnerabilities. In order to exploit these bugs you would need to be logged in as an Administrator to your website and visit a phishing site or click a phishing email link while you are logged into your website. The phishing site could capture your WordPress Session Cookie, but the Session Cookie cannot be reused by another Browser Session and the WordPress Cookies are hashed (encrypted) so your WordPress password could not be “unhashed” (decrypted). See this WordPress Cookies Codex page for more details: https://codex.wordpress.org/WordPress_Cookies#Non-Version-Specific_Data
BugFix|Form Sanitization: Special thanks to Colette Chamberland: http://cjchamberland.com for finding and reporting a Form Sanitization bug in BPS DB Backup that needed to be corrected/fixed. We appreciate the time and effort Colette Chamberland put into finding this Form Sanitization bug in BPS and reporting it to us.
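The two reports above concern form handlers that a logged-in Administrator could be made to submit from elsewhere, and stored values that were not sanitized. The handler below is an added example, not BPS code, of the WordPress-native defence for that class of bug: a nonce check, a capability check and input sanitization, each of which catches something the others do not. It runs inside WordPress (the `check_admin_referer`, `current_user_can`, `sanitize_text_field`, `wp_nonce_field` and `esc_textarea` calls are core WordPress functions); the option name, field names and the action hook wiring are assumptions for this illustration.

```php
<?php
// Added example (not BPS code): hardened admin form handler for a settings
// textarea, modelled loosely on a "user agents" list. Three independent checks
// run before anything is stored:
//  1. nonce: the token was minted for this logged-in user and this action, so a
//     request submitted from another site is rejected with a 403;
//  2. capability: a valid nonce from a Subscriber still must not change settings;
//  3. sanitization on input and escaping on output, so a stored value can never
//     become markup or extra lines in the admin page or in a log file.

add_action('admin_init', 'bps_example_handle_user_agents_form');

function bps_example_handle_user_agents_form(): void {
    if (empty($_POST['bps-example-submit'])) {
        return;                                            // not our form, nothing to do
    }
    // 1. Nonce. check_admin_referer() calls wp_die() with a 403 on failure.
    check_admin_referer('bps_example_user_agents', 'bps_example_nonce');

    // 2. Capability. The nonce alone does not prove the user may change settings.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You do not have permission to change this setting.'), '', ['response' => 403]);
    }

    // 3. Sanitize before storing: one entry per line, tags and control characters removed.
    $raw   = isset($_POST['bps_example_user_agents']) ? wp_unslash($_POST['bps_example_user_agents']) : '';
    $lines = array_filter(array_map('sanitize_text_field', explode("\n", (string) $raw)));
    update_option('bps_example_user_agents', implode("\n", $lines));
}

/** Render the form; the nonce field binds the submission to the current user and action. */
function bps_example_render_user_agents_form(): void {
    $current = (string) get_option('bps_example_user_agents', '');
    echo '<form method="post">';
    wp_nonce_field('bps_example_user_agents', 'bps_example_nonce');
    // Escape on output: the stored text is data, never markup.
    echo '<textarea name="bps_example_user_agents">' . esc_textarea($current) . '</textarea>';
    echo '<button type="submit" name="bps-example-submit" value="1">Save</button>';
    echo '</form>';
}
```

The order matters: the nonce check runs first because it is the cheapest way to discard a request that did not originate from the plugin's own page, and the capability check still runs afterwards because WordPress nonces only prove "this user, this action", not "this user is allowed".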
Obsolete Removal: Security Status: WordPress Meta Generator Tag Removed and WordPress Version Removed checks.
Change|Update: Deprecated function get_currentuserinfo replaced with wp_get_current_user().
Update|Correction: Maintenance Mode Read Me help text formatting corrections.
Assets: New screenshots for DB Backup, Maintenance Mode and System Info.
Dev Note: Add isset condition for settings-updated checks. Fixes Undefined index: settings-updated error.
Dev Note: Undefined variable: plugin_var variable name change and check: $plugin_var_w3tc and $plugin_var_wpsc.
Dev Note: Moved and consolidated all HUD Dismiss admin_notices into 1 function with 1 admin_notice action. In-page call to functions removed.
Dev Note: New BPS Installation & Setup Video Tutorial created.
Dev Note: readme.txt updated with new Compatible Hosting/Host Server/WordPress Site Types info.
.53.5
New Security Log Feature: Total # of Security Log Entries by Type:
Displays the total number of each type of Security Log Entry in your Security Log file. The Total # of Security Log Entries by Type is also added to each Security Log file when it is zipped and emailed to you and also added directly in the automated Security Log email. There are a total of 11 different Security Log Entry Types in BPS. A complete list of all BPS Security Log Entry Types can be found in the Security Log Read Me help button.
New Maintenance Mode Option: Enable Visitor Logging:
Checkbox option to enable visitor logging. If enabled, logs all visitors to your site while your site is in Maintenance Mode. Log entries are created in the BPS Security Log file.
New Inpage Status Display Idle Session Logout (ISL):
Displays On or Off status for Idle Session Logout in BPS Pages Only. ISL is an optional feature so ISL is not displayed in your BPS Inpage Status Display by default. To display ISL in your BPS Inpage Status Display choose the settings you would like to use for ISL and save your ISL settings.
New Inpage Status Display Auth Cookie Expiration (ACE):
Displays On or Off status for Auth Cookie Expiration in BPS Pages Only. ACE is an optional feature so ACE is not displayed in your BPS Inpage Status Display by default. To display ACE in your BPS Inpage Status Display choose the settings you would like to use for ACE and save your ACE settings.
New WP_DEBUG Admin Notice:
Checks if WP_DEBUG and/or WP_DEBUG_LOG are On/set to true in the wp-config.php file. Displays Admin Notice to alert someone that either of these WP_DEBUG constants are set to true/On in the wp-config.php file. Note: The default is “true” for WP_DEBUG_DISPLAY which shows errors and warnings as they are generated so a check has not been created for this constant value.
New WooCommerce Dismiss Notice:
New Dismiss Notice created for WooCommerce plugin users. Checks for existing older htaccess whitelisting code methods and displays a link to a forum topic that contains new WooCommerce whitelisting htaccess code for whitelisting WooCommerce shop, cart, checkout & wishlist URI’s and whitelisting the WooCommerce “order” & “wc-ajax=get_refreshed_fragments” Query Strings.
New System Info Page Checks: Total Plugins Installed & Total Plugins Activated
Displays Total Plugins Installed & Total Plugins Activated. Usage: Troubleshooting issues/problems where excessive plugins are installed and/or are out of memory issues/problems that appear to be plugin conflicts instead of out of memory problems.
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Procedural: WordPress 4.5 RC2 testing completed.
Assets: New BPS plugin screenshots.
Enhancement: Jetpack Dismiss Notice independent conditional button display.
Enhancement: System Info PHP Version Check displays PHP version.
Change: System Info table title change from: SQL Database|Permalink Structure|WP Installation Folder|Site Type to: SQL Database Info|WordPress Site Info|Misc Checks.
Change: System Info WordPress Site Info checks order changed.
Dev Note: Relevant general-functions.php code moved to 2 new files: hud-dismiss-functions.php & zip-email-cron-functions.php.
Dev Note: Obsolete function bps_email_alerts_log_file_options removal. Code move to BPS plugin automatic upgrade function.
.53.4
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Procedural: WordPress 4.5 Beta 4 testing completed.
WP 4.5 CSS Change: New CSS property for Refresh Status pseudo button links.
BugFix Form Validation: Special thanks to Onur Yilmaz & Robert Abela: https://www.netsparker.com/ for reporting a Form Validation bug in the BPS Security Log Add User Agents Form that needed to be corrected/fixed. We appreciate the time and effort put into finding this bug in BPS and reporting it to us. The Form Validation bug could loosely be considered a Security Vulnerability, but due to the fact that this Form Validation bug can only be exploited by an Administrator logged into a website and not by a non-Administrator that is not logged into the website then this bug appropriately falls under the specific category of: Form Validation bug instead of the very broad term/wording of Security Vulnerability. Note: Security Vulnerability is a broad general term that is very misunderstood. It can mean a bug exists that is insignificant, which cannot result in a successful hack to a bug exists that is critical/serious, which can result in a successful hack. In the majority of cases most Security Vulnerabilities are insignificant and cannot result in a successful hack.
Update: HUD BLC Dismiss Notice: Update root htaccess code checking conditions for newer Request Methods Filtered HEAD Request nuisance filter htaccess code.
BugFix: WP_DEBUG Suppress error: Undefined index: Submit-DBB-Reset in \wp-content\plugins\bulletproof-security\admin\includes\admin.php on line 405
BugFix: WP_DEBUG Suppress error: Undefined variable: lock in \wp-content\plugins\bulletproof-security\admin\wizard\wizard.php on line 580
BugFix: WP_DEBUG Suppress error: Undefined variable: lock in \wp-content\plugins\bulletproof-security\admin\wizard\wizard.php on line 584
BugFix: WP_DEBUG Suppress error: Undefined variable: lock in \wp-content\plugins\bulletproof-security\admin\wizard\wizard.php on line 622

.53.3
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Assets: New Setup Wizard and System Info screenshots added to assets folder.
New Dismiss Notice: New Dismiss Notice created for Jetpack plugin users. Checks for existing older htaccess whitelisting code methods and displays links to forum topics that contain new custom Jetpack whitelisting htaccess code for allowing HEAD Requests and XML-RPC Bonus Custom Code.
Form Sanitization: Special thanks to Erin Germ: http://eringerm.com/ for reporting several Form Sanitization problems in BPS that needed to be corrected/fixed. We appreciate the time and effort Erin put into finding these Form Sanitization problems in BPS and reporting them to us. These Form Sanitization problems could loosely be considered Security Vulnerabilities, but because they can only be exploited by an Administrator who is logged into the website, and not by a non-Administrator who is not logged in, these problems fall under the specific category of Form Sanitization Input|Output instead of the very broad term Security Vulnerability. Note: Security Vulnerability is a broad general term that is widely misunderstood. It can mean anything from an insignificant bug that cannot result in a successful hack to a critical/serious bug that can result in a successful hack. In the majority of cases Security Vulnerabilities are insignificant and cannot result in a successful hack.

.53.2
Root Htaccess File Changes:
Root Htaccess File: Significant Root htaccess File Changes Forum Topic
Depending on your web host, the BPS Root htaccess file Request Methods Filtered code will be one of the two example code blocks below. Either block of code does exactly the same thing, and the whitelisting method to allow HEAD Requests is the same: comment out the last 2 lines of code with a # sign as shown below.

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ - [R=405,L]
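A worked illustration of the 405 Method Not Allowed logging template that the HEAD rule above hands requests to. This is an added example written for this changelog, not the plugin's own 405.php; the function names, the Allow header's method list and the example-security.log path are assumptions, and it also applies the Security Log REQUEST BODY limit and printable-ASCII filtering described under .52.7 further down.

```php
<?php
// Added example, not BPS code: a minimal 405 logging template. When the root
// htaccess Request Methods Filtered rule sends a HEAD request here (directly,
// or via ErrorDocument 405), answer with a real 405 status and append one
// Security Log entry built only from sanitized request data.

// Send the 405 status on the protocol the client actually used, so an
// HTTP/1.0 client does not receive an HTTP/1.1 status line.
function example_send_405_headers(): void {
    $protocol = (isset($_SERVER['SERVER_PROTOCOL']) && $_SERVER['SERVER_PROTOCOL'] === 'HTTP/1.0')
        ? 'HTTP/1.0' : 'HTTP/1.1';
    header($protocol . ' 405 Method Not Allowed', true, 405);
    header('Status: 405 Method Not Allowed');   // for CGI/FastCGI handlers
    header('Allow: GET, POST, OPTIONS');        // assumption: the methods this site serves
    header('Content-Type: text/html; charset=UTF-8');
}

// Keep only printable ASCII (0x20-0x7E) so a crafted User-Agent or body cannot
// put control characters, newlines or multibyte junk into the log file.
function example_ascii_printable(string $value): string {
    return (string) preg_replace('/[^\x20-\x7E]/', '', $value);
}

// Capture the POST request body. With $limit = true only the first 500
// characters are kept; otherwise up to 250000 characters (the two sizes the
// Limit POST Request Body Data option in the changelog switches between).
function example_request_body(string $raw, bool $limit): string {
    $max = $limit ? 500 : 250000;
    return example_ascii_printable(substr($raw, 0, $max));
}

// Build one Security Log entry from the request environment ($server, normally
// $_SERVER) and the raw request body. Returns the text so it can be tested.
function example_build_log_entry(array $server, string $raw_body, bool $limit_body): string {
    $f = 'example_ascii_printable';
    $fields = [
        'Event'           => '405 Method Not Allowed',
        'Request Method'  => $f($server['REQUEST_METHOD'] ?? ''),
        'REMOTE_ADDR'     => $f($server['REMOTE_ADDR'] ?? ''),
        'Host Name'       => $f($server['HTTP_HOST'] ?? ''),
        'REQUEST_URI'     => $f($server['REQUEST_URI'] ?? ''),
        'HTTP_USER_AGENT' => $f($server['HTTP_USER_AGENT'] ?? ''),   // absent for some bots
        'HTTP_REFERER'    => $f($server['HTTP_REFERER'] ?? ''),
    ];
    $entry = '[' . gmdate('Y-m-d H:i:s') . " UTC]\n";
    foreach ($fields as $name => $value) {
        $entry .= $name . ': ' . $value . "\n";
    }
    if ($raw_body !== '') {
        $entry .= 'REQUEST BODY: ' . example_request_body($raw_body, $limit_body) . "\n";
    }
    return $entry . "\n";
}

// Append an entry to the log file; returns false instead of raising a PHP
// warning when the file does not exist or is not writable.
function example_write_log(string $file, string $entry): bool {
    if (!is_writable($file)) {
        return false;
    }
    return file_put_contents($file, $entry, FILE_APPEND | LOCK_EX) !== false;
}

// Only behave as a web template when run by the web server; harmless under CLI.
if (PHP_SAPI !== 'cli') {
    ob_start();
    example_send_405_headers();
    $entry = example_build_log_entry($_SERVER, (string) file_get_contents('php://input'), true);
    example_write_log(__DIR__ . '/example-security.log', $entry);   // hypothetical log path
    echo '<h1>405 Method Not Allowed</h1>';
    ob_end_flush();
}
```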
System Info:
CSS Work for visual uniformity.
Dashboard|Inpage: Messages, Alerts, HUD, Dismiss Notices CSS changes:
CSS changes for yellow background color to light blue background color. Added box shadow and corner rounding.
Dashboard Status Display: i18n function correction
Timestamps code correction: timestamps now display an accurate date and time based on the WordPress General Timezone/Date Format settings.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Change: The .json file type has been added to all logging templates.
CSS: Replace old AITpro logo with new AITpro logo in mod-test folder.
CSS: Text Area boxes resize horizontally again.
BugFix: WP_DEBUG Suppress error: Undefined variable: matches in /bulletproof-security/includes/db-security.php on line 486.
BugFix: WP_DEBUG Suppress error: Undefined variable: matches in //bulletproof-security/includes/login-security.php on line 1143.
BugFix: WP_DEBUG Suppress error: Undefined variable: matches in /bulletproof-security/includes/login-security.php on line 1251.
BugFix: WP_DEBUG Suppress error: Undefined variable: matches in /bulletproof-security/includes/login-security.php on line 1441.
BugFix: WP_DEBUG Suppress error: Undefined variable: matches in /bulletproof-security/includes/login-security.php on line 1654.
BugFix: WP_DEBUG Suppress error: stat(): stat failed for ../wp-config.php in /bulletproof-security/includes/general-functions.php on line 320.

.53.1
New Feature: 405 Method Not Allowed Security Logging Template
A new 405.php Security Logging template has been created to specifically handle and log HEAD Request errors as HTTP 405 Method Not Allowed Security Log entries. Previously HEAD Request errors were logged as 403 Security Log entries. Note: If HEAD Requests are currently being allowed with customized htaccess code on a website then HEAD Requests will continue to be allowed and will not be blocked or logged by BPS.

New Root htaccess Code: ERROR LOGGING AND TRACKING & REQUEST METHODS FILTERED
ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php code is created automatically in the root htaccess file during BPS upgrades. The new ErrorDocument 405 directive logs HEAD Requests as HTTP 405 Method Not Allowed Security Log entries. The root htaccess file Request Methods Filtered code has been changed so that HEAD Request checking has its own RewriteCond and RewriteRule, which handle HEAD Requests specifically and redirect them as 405 Method Not Allowed Requests; the ErrorDocument 405 directive in turn redirects those 405 HEAD Requests to the Security Logging template. Note: If HEAD Requests are currently being allowed with customized htaccess code on a website then HEAD Requests will continue to be allowed and will not be blocked or logged by BPS.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Visual Change: Login Security and htaccess Core Reset Dismiss Notices display loop messages on single lines with single Refresh button.
CSS: Text Area boxes resize horizontally again.
Dev Note: Core upgrade autoupdate function does literal DB option checks and saves default pre-set value or resave existing value. Resolves an issue with BPS upgrades from very old versions to newest version without having to re-run the Wizard.
Dev Note: Security Log Read Me help text update. 410 Gone and 405 Method Not Allowed help text created.

.53
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
CSS Change: New CSS code changes for visual compatibility with WP 4.4.
Sanitization|Validation Audit: Sanitization and Validation coding work performed throughout all BPS code to avoid false reports of security vulnerabilities that are not actually any sort of vulnerability or threat. Mostly overkill, but some actual beneficial stuff. Note: Security Vulnerability is a broad general term that is widely misunderstood. It can mean anything from an insignificant bug that cannot result in a successful hack to a critical/serious bug that can result in a successful hack. In the majority of cases Security Vulnerabilities are insignificant and cannot result in a successful hack.
Enhancement: Automatically unlock, delete invalid standard WP Rewrite code and relock root htaccess file.
Correction: Prevent creating duplicate or new POST Request Attack Protection code correction during BPS upgrades if someone has commented out the wp-admin Request URI whitelist rule.
Correction: htmlspecialchars added to Custom Code error checks for invalid BPS Query String Exploits code and invalid standard WP Rewrite code.
Correction|BugFix: ob_end_flush(); added to 403.php logging template.
Correction|BugFix: ob_start(); and ob_end_flush(); added to the 400.php and 410.php logging templates.
Enhancement: $_SERVER[‘SERVER_PROTOCOL’] condition added to header functions in Security Logging templates.
Improvement: The Setup Wizard no longer has a 15 minute Apache Module ifModule check time restriction so that new BPS Core folder self-protection htaccess files are created if needed in real-time.
Change: Security Logging check for On|Off. Only checks if 403 Logging is On or Off and no longer checks if other ErrorDocument directives are On|Off.
BugFix: Suppress various insignificant php errors when WP_DEBUG is enabled.

.52.9
Enhancement: Setup Wizard Check for Pre-existing Custom Code & Zip Backup
The Setup Wizard checks your current root htaccess file for any existing custom or additional htaccess code that is not standard WordPress htaccess code or BPS standard htaccess code. This is a one-time event that occurs the first time you install BPS. If the Setup Wizard detects any existing custom or additional htaccess code in your root htaccess file, a message is displayed with a “Download Root htaccess File” button to download your root-htaccess-file.zip file to your computer as a backup.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: Additional conditional check added for standard WP rewrite code block removal. Only remove the standard WP rewrite block of code if the root htaccess file is a standard BPS root htaccess file.
BugFix: Suppress PHP Notice: Undefined index: HTTP_ACCEPT_ENCODING error on System Info page.
Correction|Addition: Automated BPS upgrade correction|addition for POST Request Attack Protection Bonus Custom Code. WP Theme Customizer blank/403 error. New whitelist rule created. Special Thanks to: Mike Harrison for reporting this.

.52.8
BugFix: Security Log: Fixed duplicate visual content displayed.

.52.7
New Option: Security Log Limit POST Request Body Data
The default Security Log Request Body Data capture/log limit is 250000 maximum characters, which is roughly 250KB in size. The new Limit POST Request Body Data checkbox option limits the maximum number of Request Body Data characters captured/logged in the Request Body logging field to 500 characters, which is roughly 5KB in size. You can capture/log entire hacking scripts if you do not check the Limit POST Request Body Data checkbox (see Note below), but that means your log file size could increase dramatically and you could receive more automated Security Log zip file emails. Note: To capture/log all POST Request Attacks against your website you will need to add the POST Request Attack Protection Bonus Custom Code: POST Request Attack Protection Bonus Custom Code

Enhancement: Security Log 403 Logging Template
The Security Log 403 Logging template has a new logging field, REQUEST BODY, that captures/logs POST Request Body data/content if the POST Request Body is not empty. To maximize POST Request security protection for your website and capture/log entire hacker scripts, use the new POST Request Attack Protection Bonus Custom Code: POST Request Attack Protection Bonus Custom Code

New Bonus Custom Code Dismiss Notice: POST Request Attack Protection
Long|Extensive Help Info: POST Request Attack Protection Forum Topic
Short|Simplified Description:
The BPS POST Request Attack Protection Bonus Custom Code filters all POST Requests made to your website. Each RewriteCond line of code in the POST Request Attack Protection Bonus Custom Code is a whitelist rule that allows all POST Requests to the file or URL|URI that contains a POST Form. To whitelist additional files, URLs or POST Forms on your website, add a line of code with the name of the file or the URL|URI to allow/whitelist all POST Requests to that file, URL or POST Form. If you choose to add this Bonus Custom Code to BPS Custom Code, check your BPS Security Log for a few days for any 403 POST Request Log entries to make sure that you have whitelisted/allowed all POST Forms on your website that need to be whitelisted/allowed.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Security Enhancement: Security Log content is now filtered to display only ASCII printable characters.
Removal: Defunct/obsolete Block Referer Spammers Bonus Custom Code Dismiss Notice removed.
Dev Note: REMOTE_ADDR variable check replaced with “get real IP address” function for inpage IP whitelisting on MMode page.
Dev Note: PHP error Undefined index: HTTP_USER_AGENT suppressed in the 403 Security Logging template.

.52.6
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
WordPress Language Packs Prep: All BPS plugin .po and .mo language translation files have been deleted in preparation for new plugin Language Packs creation by the WordPress PolyGlots Team.
Removal: Obsolete BPS automated .po and .mo language translation file deletion function removed.
Visual Enhancement: BPS Plugin Logo: New logo – pulsing animated GIF image.
Visual Enhancement: jQuery :odd Selector alternate table row color for Forms in the Blue UI Theme Skin.
Core Enhancement: Apache Module Forward|Backward Compatibility fallback added for various scenarios where the Live test is blocked/ignored/rejected by Hosts.
Correction: Add Apache Module conditions to Activate Master htaccess BulletProof Mode and Activate BPS Backup BulletProof Mode Forms.
Change|Improvement: The BPS Changelog and Whats New page have been moved to BulletProof Security Forum website.
Reasons for this Changelog|Whats New page change: the BPS Changelog|Whats New page will no longer have to be translated by the WordPress PolyGlots Language Packs Team for each new BPS release, the Changelog|Whats New page will be much easier to maintain, the readme.txt file in the BPS plugin will be much smaller, a complete history of all BPS version changes through the years can be kept, and other beneficial reasons.

.52.5
Core Enhancement: Apache Module Forward|Backward Compatibility:
BPS automatically checks which Apache Modules are loaded on your server (mod_access_compat, mod_authz_core and mod_authz_host), checks their availability and forward|backward compatibility, and checks IfModule conditions support, in order to automatically create the correct htaccess code and files for your website|server. All BPS htaccess code (writing, updating, upgrading, new installations, creation, IP whitelisting, etc.) is created automatically based on Live BPS Apache Module and IfModule tests that are performed during BPS plugin upgrades and new installations to determine and create the correct htaccess code for each individual server|website. A new System Info feature has been added that performs Live tests with results and also includes a Visual Test; see New Feature: System Info page for details. Dev Note: Live Apache Module check and automation performed in-page on the htaccess Core page.

Apache Module Compatibility List of Features|Files|htaccess Code Affected:
htaccess Core: Root and wp-admin htaccess code|files creation. Custom Code in-page automated IP whitelisting.
Core: BPS plugin directory self-protection htaccess files.
Login Security: in-page automated IP whitelisting.
DB Backup: in-page automated IP whitelisting.
Maintenance Mode: in-page automated IP whitelisting, BackEnd MMode IP whitelisting.
Setup Wizard: automated htaccess code|files creation.

New Feature: System Info page: Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
The System Info Apache Modules|Directives check checks mod_access_compat, mod_authz_core and mod_authz_host availability and forward|backward compatibility and also IfModule conditions support. A visual test page (click the View Visual Test link) has also been created so that the Apache Module|htaccess code and checks can be viewed for troubleshooting purposes. BPS automatically detects which Apache Modules are loaded|available on your host server and creates the correct htaccess code for your particular website|server throughout all BPS htaccess files. Example System Info display:

Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: Yes
mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
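As an added example (not the plugin's own code) of the module check described above: given the list of loaded Apache modules and whether IfModule conditions are supported, pick the deny-all htaccess code the server can actually parse. The function names and the constructed module list are assumptions.

```php
<?php
// Added example, not BPS code: choose "deny all" htaccess code that the
// server's authorization modules understand, as the changelog describes BPS
// doing from its Live Apache Module and IfModule tests.

// Apache 2.4 provides "Require" through mod_authz_core and keeps the 2.2
// "Order/Allow/Deny" syntax only when mod_access_compat is loaded; Apache 2.2
// (no mod_authz_core) provides Order/Allow/Deny through mod_authz_host.
function example_directive_support(array $loaded_modules): array {
    $has = function (string $module) use ($loaded_modules): bool {
        return in_array($module, $loaded_modules, true);
    };
    return [
        'require'          => $has('mod_authz_core'),
        'order_allow_deny' => $has('mod_access_compat')
                              || (!$has('mod_authz_core') && $has('mod_authz_host')),
    ];
}

// Build a folder self-protection block. When IfModule conditions are supported,
// emit both directive families wrapped so the one the server cannot parse is
// skipped instead of producing a 500 error; otherwise emit only the family the
// live test reported as supported.
function example_deny_all_htaccess(array $loaded_modules, bool $ifmodule_supported): string {
    $support = example_directive_support($loaded_modules);
    $require = "Require all denied\n";
    $order   = "Order Allow,Deny\nDeny from all\n";

    if ($ifmodule_supported) {
        // Forward/backward compatible: 2.4 takes the first block, 2.2 the second.
        return "<IfModule mod_authz_core.c>\n" . $require . "</IfModule>\n"
             . "<IfModule !mod_authz_core.c>\n" . $order . "</IfModule>\n";
    }
    if ($support['require']) {
        return $require;
    }
    if ($support['order_allow_deny']) {
        return $order;
    }
    // Neither family is known to work: return nothing so the caller can keep
    // its current file rather than write one that takes the site down.
    return '';
}

// Under Apache's PHP SAPI the live module list is available directly; under
// CLI or FastCGI the caller must obtain it another way (e.g. a live test).
function example_loaded_modules(): array {
    return function_exists('apache_get_modules') ? apache_get_modules() : [];
}

// Constructed Apache 2.4 module list for a stand-alone run.
$modules = ['core', 'mod_authz_core', 'mod_authz_host', 'mod_access_compat'];
echo example_deny_all_htaccess($modules, true);
echo example_deny_all_htaccess(['core', 'mod_authz_host'], false);   // 2.2 host without IfModule
```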
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: Network/Multisite Rewrite Loop End Custom Code Form name field correction.
BugFix|Correction: DB Table Prefix Changer: Only allow entering numbers, lowercase letters and underscores in the Randomly Generated DB Table Prefix Form text box. Special thanks to Sathish from Cyber Security Works Pvt Ltd for reporting a bug/security vulnerability in the DB Table Prefix Changer tool Form. Notes: You MUST be logged into the site as an Administrator in order to enter/test XSS html testing code in the Randomly Generated DB Table Prefix Form text box. Please do NOT actually try this test if you are using a version of BPS below .52.5. BPS .52.5 and above only allow numbers, lowercase letters and underscores for the DB Table Prefix name. If you have a BPS version below .52.5 then entering an invalid DB Table Prefix name will crash your website. Note: Security Vulnerability is a broad general term that is widely misunderstood. It can mean anything from an insignificant bug that cannot result in a successful hack to a critical/serious bug that can result in a successful hack. In the majority of cases Security Vulnerabilities are insignificant and cannot result in a successful hack.
Dev Note: New condition added for Apache Module /mod-test/ folder in 403.php logging template to prevent 403 errors from being logged when Live Apache Module tests are performed|processed.
Dev Note: admin.php obsolete code removal for deny all htaccess file creation for BPS Backup and Master Backups folders.

.52.4
Submenu Name Change|Addition:
UI|UX Submenu name has been changed to: UI|UX|Theme Skin Spinner|ScrollTop WP Toolbar|SLF

Feature Improvement|Enhancement: jQuery ScrollTop Animation:
The jQuery ScrollTop Animation code now performs a conditional Browser User Agent|Rendering Engine check and uses customized jQuery ScrollTop Animation code for each Browser individually for the best visual animation/appearance in each Browser. New jQuery ScrollTop animation code has been created that has much better/smoother animation overall.

New Option: Turn On|Off jQuery ScrollTop Animation:
jQuery ScrollTop Animation can be turned On or Off on the UI|UX menu/page. The jQuery ScrollTop Animation is the scrolling animation that you see after submitting BPS Forms, which automatically scrolls to the top of BPS plugin pages to display success or error messages. The jQuery ScrollTop animation code is conditional based on your Browser User Agent|Rendering Engine.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: jQuery ScrollTop Animation 404 image error correction. Special Thanks to: Mike Harrison for reporting this bug.
Dev Note: Structural Core options.php file renamed to core.php and all related URIs are now pointing to this new page.
Dev Note: HTML Structural and related CSS changes to Core pages: bps-container div and WP wrap class moved and combined.

.52.3
New Feature: Login Security & Monitoring Export|Download Login Security Table Tool:
The Export|Download Login Security Table tool exports (copies) the Login Security Table into the lsm-master.zip file, which you can then download to your computer. The lsm-master.zip file contains the lsm-master.csv file. The CSV (Comma Separated Values) file format can be opened with Microsoft Excel or other applications that can open/use CSV files.

Core Enhancement|Improvement: jQuery ScrollTop animation:
jQuery ScrollTop animation has been added to all BPS plugin pages to animate scrolling to the top of the page after Forms are submitted so that all displayed success/error messages are visible, with the exception of Forms that should display data and/or messages inpage. All major Browsers tested working fine. IE Issue: IE ScrollTop animation is not fluid/smooth.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: Pre-save Custom Code DB options (if they do not exist) for use in the Custom Code Export|Import Tools. New Installations: Pre-saved in Setup Wizard. Upgrades: Pre-saved in the BPS upgrade function.
BugFix: Login Security Search Form button unclickable due to div problem.
Improvement: Descriptive success/error message created for all Log File Logging Form code, My Notes Form, Custom Code Forms and other various Forms where a descriptive message is important vs using a general/standard WP “Settings Saved” message.
Improvement: BPS Changelog: Special Thanks to: Krzysztof Trynkiewicz – Sukces Strony for improvements to the BPS Changelog format for better readability.
Enhancement: System Info – Website Headers Check Tool display Headers result at top of page instead of inpage.
Enhancement: System Info – System checks are not performed when Website Headers Check Tool Forms are submitted.
Dev Note: Custom Code Forms now using standard Form processing code instead of WP options.php Form code.
Dev Note: New Core File: core-forms.php. New LSM Files: lsm-export.php, lsm-help-text.php.

.52.2
Setup Wizard Automation Enhancement|Improvement:
The Setup Wizard Pre-Installation Checks automatically detect php/php.ini handler htaccess code in an existing root htaccess file and create/save that php/php.ini handler code in BPS Custom Code and in the new root htaccess file that is automatically created by the Wizard. Prior to BPS .52.2, php/php.ini handler htaccess code required additional manual steps to complete this task.

HUD Check Enhancement|Improvement: php/php.ini handler htaccess code check:
The php/php.ini handler htaccess code HUD check now displays a link to the Setup Wizard page. Clicking the link and visiting the Setup Wizard page automatically creates/saves that php/php.ini handler code in BPS Custom Code.

New Feature: Custom Code Export|Import|Delete Tools:
Export Tool: The Custom Code Export tool exports (copies) all of your Root and wp-admin custom htaccess code into the cc-master.zip file, which you can then download to your computer.
Import Tool: The Custom Code Import tool imports all of your Root and wp-admin Custom Code from the cc-master.zip file on your computer into the Custom Code text boxes and saves your imported custom htaccess code to your WordPress Database. You can unzip the cc-master.zip file on your computer to extract the cc-master.txt file for editing to add/change any custom htaccess code in the cc-master.txt file.
Delete Tool: The Custom Code Delete tool deletes all of your Root and wp-admin Custom Code from all of the Custom Code text boxes and your WordPress Database. The Delete tool can be used for troubleshooting possible invalid/bad custom htaccess code issues/problems or simply just to delete all custom htaccess code in all of the Custom Code text boxes.
New Option: Setup Wizard Options: Network|Multisite Sitewide Login Security Settings:
Network|Multisite Sitewide Login Security Settings: This option is for Network|Multisite sites ONLY. This is an independent option Form that creates and saves Login Security DB option settings for all Network sites when you click the Save Network LSM Options Sitewide button. If Login Security option settings have already been set up and saved for a Network site then those Login Security option settings will NOT be changed. If Login Security option settings have NOT already been set up and saved for a Network site then those Login Security option settings will be created and saved with default settings.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Correction: Displayed message text correction for W3TC and WP Super Cache htaccess code error check.
Enhancement: General Help and info section added to Whats New page.
Enhancement: BPS Plugin Uninstall Options on WordPress Plugins page – Uninstaller CSS class name added for modal display problem.
Dev Note: htaccess Core tab page structure/order change.
Dev Core: WP Plugins page BPS plugin description changes.
DB Backup: Additional help info regarding Export|Import of Backup Jobs DB Table.
readme.txt: Requires at least: 3.0 changed to Requires at least: 3.7

.52.1
Submenu Name Change|Addition:
BPS Main Menu > UI|UX Submenu name has been changed to: UI|UX|Theme Skin Processing Spinner WP Toolbar|SLF

Feature Name Change: RSK naming convention changed to Script|Style Loader Filter (SLF):
RSK is a bit too aggressive and is a somewhat offensive naming convention. Cool, but not cool at the same time. Script|Style Loader Filter (SLF) is a logical naming convention and is non-offensive. See the SLF Mod|Description below for additional info.

SLF Mod|Description:
In some cases, filtering other plugin and theme scripts from loading in BPS plugin pages causes the BPS plugin pages to hang severely, which means that a new issue/problem is created that is worse than the original issue/problem that SLF was designed to fix/solve. Original problem: BPS plugin pages not displaying visually correctly due to other plugin or theme scripts loading in BPS plugin pages. SLF is set to Off by default. SLF has an On|Off setting under the UI|UX menu/page. See the UI Theme Skin|Processing Spinner|WP Toolbar|SLF Read Me help button for additional information.

Bonus Custom Code Dismiss Notice Enhancement|Improvement:
An additional Dismiss All Notices link|feature has been added to dismiss all Bonus Custom Code notices at the same time. Displayed message: Click the links below to get Bonus Custom Code or click the Dismiss Notice links or click this Dismiss All Notices link. To Reset Dismiss Notices click the Reset|Recheck Dismiss Notices button on the Security Status page.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Cosmetic: Undefined index PHP error suppressed for ISL and ACE User Role checkboxes when WP_DEBUG is turned On.

.52
New Menu|Page:
Idle Session Logout|Auth Cookie Expiration

New Feature: Idle Session Logout (ISL)
ISL|ACE Forum Topic: Automatically log out idle/inactive Users. ISL uses javascript Event Listeners to monitor User activity for these ISL events: a keyboard key is pressed, a mouse button is pressed, the mouse is moved, the mouse wheel is rolled up or down, a finger is placed on the touch surface/screen, and a finger already placed on the screen is moved across the screen. Option Settings: Turn On|Off, Idle Session Logout Time in Minutes, Idle Session Logout Page URL, User Account Exceptions, Enable|Disable Idle Session Logouts For These User Roles: Administrator, Editor, Author, Contributor, Subscriber and Enable|Disable Idle Session Logouts For TinyMCE Editors. Click the Idle Session Logout|Auth Cookie Expiration Read Me help button for full details.

New Feature: Auth Cookie Expiration (ACE)
ISL|ACE Forum Topic: Change the WordPress Authentication Cookie Expiration time. The default WordPress Authentication Cookie Expiration time is 2880 Minutes/2 Days, or 20160 Minutes/14 Days if a User checks the Remember Me checkbox when they log in. You can change the WordPress Authentication Cookie Expiration time to whatever expiration time setting you choose. Option Settings: Turn On|Off, Auth Cookie Expiration Time in Minutes, Remember Me Auth Cookie Expiration Time in Minutes, User Account Exceptions, Enable|Disable Auth Cookie Expiration Time For These User Roles: Administrator, Editor, Author, Contributor, Subscriber. Click the Idle Session Logout|Auth Cookie Expiration Read Me help button for full details.

New Feature & Root htaccess File Addition: 410 ErrorDocument root htaccess code and template logging file
410 Gone Usage Info: A 410.php template logging file has been created to handle 410 Gone Requests. 410 Gone Requests are logged in the BPS Security Log file. See the 410 Gone Usage Info link above for full details on usage.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Enhancement: jQuery Custom Classes added to all BPS jQuery code.
Mod: CSS and js file name changes: -ui- used in naming convention.
Enhancement: jQuery UI Dialog Read Me Help button hide effect changed from explode to blind.

.51.9
Login Security & Monitoring Automated Email Alert Enhancement|Improvement:
Special Thanks to: mewkazoid for pointing out this useful improvement to BPS Login Security & Monitoring automated email alerts. The Login Security & Monitoring Automated Email Alert now contains additional help information about what to do if your User Account is being repeatedly locked.

Brute Force Attack General Info:
Automated Brute Force Login attacks by spambots and hackerbots are a regular and ongoing type of website attack. The volume and frequency of Brute Force Login attacks are steadily increasing and will continue to increase. Brute Force attacks make up somewhere in the neighborhood of 85 percent (probably more like 90 percent to 95 percent) of all types of ongoing website attacks these days. BPS Login Security & Monitoring protects the WordPress Login page from Brute Force attacks, but if your username is publicly known/displayed or can be harvested by automated bots then your user account may get locked very frequently. Check the BPS plugin Whats New page for some additional things you can do to prevent your user account from being locked repeatedly.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: File Permissions cache issue: Root htaccess file not being re-locked when AutoLock is turned On. Special Thanks to: Mike Harrison for reporting this bug.

.51.8
Summary Only: See the BPS plugin Whats New tab page for full descriptions and details

New Feature: Setup Wizard:
The BPS plugin can now be set up with literally only 1 click on the new Setup Wizard page. Setup Wizard Pre-Installation Checks are automatically performed and displayed on the Setup Wizard page. You can re-run the Setup Wizard at any time.

New Feature: jQuery UI Dialog Form BPS Uninstall Options:
An Uninstall Options link has been created on the WordPress Plugins page under the BulletProof Security plugin. Clicking the Uninstall Options link loads a jQuery UI Dialog Form with 2 uninstall options. BPS Pro Upgrade Uninstall option: if you are upgrading to BPS Pro, select the BPS Pro Upgrade Uninstall option and click the Save Option button, or just click the Close button below and do a normal plugin uninstall. Complete BPS Plugin Uninstall option: if you want to completely delete the BPS plugin, all files, Custom Code and BPS database settings, select the Complete BPS Plugin Uninstall option and click the Save Option button.

New Option: Login Security Attempts Remaining option and Core Functionality Improvements:
New Option Attempts Remaining: You can choose to display a “Login Attempts Remaining X” message when an incorrect password is entered. This new option is enabled by default during BPS upgrades and new installations. Core Functionality Improvements: When a User Account is locked out and previous User Account logins were logged|stored in the DB, those previously logged logins and the data in those DB Rows are not changed|updated; instead a new DB Row is inserted. This allows for better chronological login tracking and monitoring. Affects both Logging Options (Log All Account Logins and Log Only Account Lockouts) and allows switching between these Logging Options without affecting functionality or causing issues/problems.

New Bonus Custom Code|Bonus Custom Code Dismiss Notice function Consolidation:
Bonus Custom Code Dismiss Notice Consolidation: Combined|consolidated all Bonus Custom Code Notices into 1 Bonus Custom Code Notice function with 1 displayed Notice message instead of several different displayed Notices. Each Bonus Custom Code entry contains a link to the Bonus Custom Code and a Dismiss Notice link: Referer Spammers|Phishing Protection, Mime Sniffing, Data Sniffing, Content Sniffing, Drive-by Download Attack Protection, External iFrame and Clickjacking Protection.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
New BPS Setup & Overview Video tutorial created: BPS Setup & Overview Video Tutorial – link added on the Setup Wizard page and htaccess Core Security Modes page.
WP 4.2 Bug Reported|Ticket created with PoC (Proof of Concept) and solution provided: WP 4.2 hash anchor Bug: Hash anchors were being stripped from URIs. Solution provided to WP folks. Solution implemented by WP folks. No other issues or problems found with WP 4.2 and BPS Pro versions.
Enhancement: WP flush_rewrite_rules function added to BPS complete plugin uninstall function. Creates new default generic WP root htaccess file on BPS complete plugin uninstall.
BugFix: Dismiss Notice link correction when basename wp-admin on first Dashboard login.
Enhancement: Custom Code inpage check for default WordPress Rewrite code added in Custom Code text boxes.
.51.7
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Setup & Overview Video Tutorial Created|Added: Link to video tutorial is posted on BPS plugin Description page and htaccess Core Security Modes page.
DB Backup: Backup Files Download|Delete Form scrollable table added and additional Read Me help information added.
Inpage Status Display: Condition added to only load the Inpage Status Display on BPS plugin pages.
WP Toolbar Functionality In BPS Plugin Pages: Default Network/Multisite menu items (nodes) added.
Security Status: Inpage Status Display Turn On|Off Form action link correction to #bps-tabs-2 tab page.
.51.6
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Correction: Inpage Status Display Turn On|Off code correction.
Addition: System Info page conditional check added for: gc_enabled & gc_collect_cycles functions.
Read Me help text added for: Inpage Status Display and Reset|Recheck Dismiss Notices options.
Addition: Link to Security Modes page added to wp-admin htaccess file alert.
.51.5
Summary Only: See the BPS plugin Whats New tab page for full descriptions and details.
New Feature|Visual Enhancement: Inpage Status Display
New Features|Options|Visual Enhancements: UI|UX|Theme Skin | Processing Spinner | WP Toolbar
New Feature|Option: Turn On|Off The Processing Spinner
New Feature|Option: WP Toolbar Functionality In BPS Plugin Pages
New Feature: Memory Usage and Script Completion Time Check|Display
New Features|Options|Visual Enhancements: DB Backup & Security
New Feature|Option: Create Backup Jobs: Rename|Create|Reset Tool
System Info: New Check Added | Changes
htaccess Core: Security Status Page Changes
BPS Submenu Name Change: UI Theme Skin submenu name has been changed to: UI|UX|Theme Skin | Processing Spinner | WP Toolbar
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: Dismiss Notices button/link reload current page based on Request URI or Query String.
Optimization|Performance: All BPS pages and functions.
Removal: Obsolete functions/code removed/deleted.
Dev Core: BPS plugin register scripts|styles | Enqueue scripts|styles | Dequeue plugin|theme scripts|styles loading in BPS plugin pages combined into one function. Additionally eliminated bloated individual load settings page code.
BugFix: Additional variable check for conflicting|contradictory Automatic Update message/alert issue.
Enhancement: WordPress Plugins page|BulletProof Security plugin “Settings” link name change to “Setup Steps”.
Enhancement: Maintenance Mode menu page will not be displayed if wp-admin BulletProof Mode has been disabled.
.51.4
Maintenance Mode Network/Multisite Subdomain Completion:
Maintenance Mode coding work has been completed for Network/Multisite subdomain site types. Maintenance Mode now works for every/all WordPress site types, BuddyPress and bbPress site types.
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: master-backups folder creation fix for unusual scenarios.
BugFix: Automatic correction during upgrade for any existing timthumb RFI filter duplicate Referer lines.
.51.3
WordPress 4.1 jQuery UI Compatibility Code Correction:
BugFix: BPS jQuery UI Dialog Read Me help window position not centered in WordPress 4.1. Fix: Corrected the BPS jQuery UI Dialog Position Method code by adding the appropriate “my” and “at” options. Note: For anyone else experiencing this issue see this Forum Topic for the solution: jQuery UI Dialog window position not centered
Help Link Corrections: Special thanks to WordPress Member: mrppp for finding and reporting invalid help links in BPS.
.51.2
Significant Root and wp-admin htaccess File Changes: See the BPS plugin Whats New page for more details.
Root htaccess File/Code Fix:
Removal of additional instances of “BEGIN WordPress” and “END WordPress” text from the root htaccess file which caused multiple instances of the default wp htaccess code to be created in the root htaccess file when the WP flush_rewrite_rules function was executed by other plugins and themes.
htaccess Help Text Improvement Overall:
The help text throughout both the root and wp-admin htaccess files was very dated and was in need of updating. Better/clearer examples have been created in the help text. Overall the htaccess files are more streamlined and less cluttered looking visually.
Structure/Order Code Changes:
Several blocks of htaccess code have been structured differently as far as the general order/sequence of code goes in the root htaccess file and more importantly what code will remain in the root htaccess file in the event that the WP flush_rewrite_rules function is executed by another plugin or theme. There are several technical reasons for making these structure/order changes, which I will not bore you with. Basically things are structured/ordered much better for any/every possible scenario that may occur.
Note: This is a one-time BPS Update that requires manual steps to be performed.
All future versions of BPS will do the normal/typical automatic update of the BPS htaccess files. Overall we felt that creating a Notice about these significant changes vs just doing a normal automatic update was the best route to take for the primary reasons stated above and some additional reasons not stated here.
New Custom Code Text Boxes Added:
CUSTOM CODE TURN OFF YOUR SERVER SIGNATURE and CUSTOM CODE DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS.
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Enhancement: Custom Code accordion is now using tables vs CSS divs for cross Browser visual compatibility and obsolete CSS code has been removed for the CSS divs.
Improvement: Overall inpage Custom Code help text information/example improvements.
Improvement: Network/Multisite Net Correction code/check removed. No longer needed and is now obsolete.
Enhancement: Remote Address IP check added in the 403.php Security logging template. Will display current IP address for troubleshooting purposes.
.51.1
Obsolete File Deletion:
Special thanks to Pietro Oliva for finding and reporting Form code sanitization issues in the stand-alone bpsunlock.php file/Form code. The bpsunlock.php stand-alone Login Security user account unlock file/Form has been removed/deleted from BPS. After review of the usefulness of this Form it was decided that instead of spending the time to sanitize the Form code the bpsunlock.php file/Form has instead been removed/deleted from BPS.
.51
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: System Info page HTTP_HOST variable fallback for SERVER_ADDR IP address retrieval code correction. Missing gethostbyname function has been added to the HTTP_HOST variable IP address fallback and is now returning an IP address correctly.
Code Correction|BugFix|Sanitization: System Info page Check Headers Tool Form code sanitization. Special thanks to Benjamin Kunz Mejri for finding and reporting this Form code sanitization issue that needed to be corrected. Note: This fixes a “security vulnerability” that was reported in BPS version .50.8, but the security vulnerability report is incorrect/not accurate so technically this does not qualify as a legitimate security vulnerability, but does qualify as a bug so credit for reporting a bug has been given. We are very appreciative when bugs are reported to us in BPS, but we also have to maintain 100% accuracy and facts in the changelog. Note: Security Vulnerability is a broad general term that is very misunderstood. It can mean a bug exists that is insignificant, which cannot result in a successful hack to a bug exists that is critical/serious, which can result in a successful hack. In the majority of cases most Security Vulnerabilities are insignificant and cannot result in a successful hack.
.50.9
System Info Enhancements/Improvements/Additions:
DNS Name Server checking code performance improvement and conditional checking added based on domain labels. Network/Multisite subdirectory/subdomain site type check added and changes to existing conditional checks. output_buffering directive variable check changed and text correction. Additional conditional checks for PHP Actual Configuration Memory Limit. Will display color coded recommendations and/or memory limits. Various naming/text changes.
htaccess Core Structural Core Changes:
Reduction in size of large Options Core file by creating additional conditional supporting files with require. Deny All htaccess file is created in the new /core/ folder on init to protect the options.php core file. Other internal Core stuff.
Security Log Design/Visual/Enhancement Changes:
Auto-Locking added to Security Log Turn On/Off Forms. The root .htaccess file is automatically locked again if it was locked. Cross Browser compatibility visual display issues/problems with Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.
Login Security Visual/Design Change:
Cross Browser compatibility visual display issues/problems with Option/Settings & Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.
DB Backup Log Visual/Design Change:
Cross Browser compatibility visual display issues/problems with Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.
Custom Code Network/Multisite Additional Text Box:
CUSTOM CODE WP REWRITE LOOP END: Add WP Rewrite Loop End code here. This is a Special Network/Multisite Custom Code text box that should ONLY be used if the correct WP REWRITE LOOP END code is not being created in your root .htaccess file by AutoMagic. This Custom Code text box and Read Me help text is ONLY displayed if you have a Network/Multisite website.
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Backend Maintenance Mode causing crashes due to newline not being generated in some cases. Additional newline added to wp-admin backend MMode htaccess writing code base.
Removal/Deletion of obsolete usage of bps_DNS_NS() function.
.50.8
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Quickie BugFix Release – released 1 hour after release of .50.7:
Network/Multisite BPS plugin Network Activation correction: Conditional wrap added for blog_id 1.
.50.7
htaccess Core Security Modes AutoMagic Buttons:
BPS automatically detects your site type and displays the correct AutoMagic buttons for your site type. Other site type AutoMagic buttons are no longer displayed on the Security Modes page.
Network/Multisite One Time Code Correction:
If you have a Network/Multisite website/installation of WordPress you will see a one time htaccess code correction Notice message displayed to you with steps to perform the one time code correction when you upgrade BPS.
Go Daddy Managed WordPress Hosting:
If you have Go Daddy Managed WordPress Hosting see the BPS Whats New tab page within the BPS plugin.
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Maintenance Mode countdown timer email website link correction for subdirectory websites.
Maintenance Mode CSS visual improvements/changes/corrections.
WordPress 4.0 RC1 final testing completed – no issues or problems.
Delete old BPS bulletproof-security_info transient content on upgrade.
.50.6
New Option: Login Security & Monitoring Sort DB Rows:
The Ascending Show Oldest Login First option displays logins from the oldest logins to your site to the newest logins to your site. The Descending Show Newest Login First option displays logins from the newest logins to your site to the oldest logins to your site. Example usage: Enter 50 for the Max DB Rows To Show option, which will show a maximum of 50 database rows/logins to your site and set Sort DB Rows option to Descending Show Newest Login First. You will see the last 50 most current/newest logins to your site in descending order.
Enhancements: Login Security & Monitoring:
CSS max-height changed from 1000px to 600px for the scrollable Dynamic DB table. 600px is a much better/more manageable viewing area.
Lock, Unlock and Delete labels for individual checkboxes in Dynamic DB search form and standard form.
DB Query improvement for the Dynamic DB standard form.
New Option: htaccess Core wp-admin BulletProof Mode Enable/Disable wp-admin BulletProof Mode:
This option is ONLY for Hosts that do not allow .htaccess files in the wp-admin folder. Go Daddy Managed WordPress Hosting (not standard Go Daddy Hosting) is the only known hosting account type where this option should be set to: Disable wp-admin BulletProof Mode. For everyone else you do not need to use this option. The default setting is already set to: Enable wp-admin BulletProof Mode.
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Improvement: htaccess Core root domain label retrieval/writing:
Improvement to htaccess Core code when retrieving & writing domain labels. Impact: Folks with 3+ domain label naming conventions such as: http://www.label1.label2.label3.
.50.5
Login Security Password Reset BugFix & New Option:
BugFix: The Lost your password link was not being displayed when Login Security was turned Off.
New Option: Turn Off Login Security/Use Password Reset Option ONLY.
.50.4
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
DB Backup: backticks added to DB Backup Query to allow for hyphenated or other special characters in DB naming conventions.
DB Backup dynamic DB table: max-height CSS change
Login Security CSS auto-scroll: max-height CSS change
DB Table Prefix Changer: Additional check for writable files for DSO server types.
Root and wp-admin filter change
Log timestamps synchronized to GMT: All log timestamps are now synchronized to GMT time.
.50.3
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Correction|Improvement: root and wp-admin .htaccess filters/rules change/correction/improvement. See the BPS Whats New tab page for more details.
Thanks goes to aselektor for spotting and reporting this.
.50.2
New Feature: DB Backup. Manual or scheduled (Hourly, Daily, Weekly and Monthly) database backups. Send DB Backups via email etc.
New Feature: DB Backup Log. The Backup Job Completion Time, Zip Backup File Name, timestamp, etc. are logged. Backup Job Settings are logged.
New Feature: DB Table Prefix Changer.
New Feature: UI Theme Skin. 3 UI Theme Skins: Blue Gel Classic UI Theme, Light Grey jQuery UI Theme, Dark Black WP UI Theme.
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Root .htaccess Security Filters Change: See the BPS Whats New tab page for more details.
Login Security New Option/Option Change & Misc: Disable Password Reset Frontend Only, Disable Password Reset Frontend & Backend.
System Info page: added MySQL Extension, MySQLi Extension check.
Login Security email message text change when user account is locked.
Whitelist the Debug Bar plugin debug-bar css and js scripts.
.50.1
Security Logging major changes/improvements to logging template files/code & start of Phase 1 Security Log Solution Targeting:
The Security Logging code has been significantly improved in BPS .50.1. Logging is more streamlined, performance optimized & faster than in previous BPS versions, even with the new general conditional pattern checking code added.
As of BPS .50.1 two new Security Log Fields have been added to Security Logging: Event Code and Solution. In Phase 1 of Security Log Solution Targeting the primary focus is on detecting possible Plugin Skip/Bypass rules & wp-admin Skip/Bypass Rules issues that need/require a one-time solution. Since 99.99% of the Security Log entries are blocked/forbidden hackers, spammers, scrapers, harvesters, miners, bad bots, etc. then the Security Log checking conditions can and should be streamlined/performance optimized by only looking at pattern matches in a broad scope.
Maintenance Mode Accordion:
Maintenance Mode Accordion created for better functionality/usability. Code correction: Maintenance Mode website name not displayed in the reminder email. Code correction: Maintenance Mode Apostrophes/single quote code character displayed with an escape backslash.
New Bonus Custom Code/Dismiss Notice: WordPress XML-RPC DDoS Protection:
Special Thanks goes to Gary Gordon for reporting the recent WordPress XML-RPC exploits/attacks. The XML-RPC DDoS PROTECTION Bonus Custom Code .htaccess code completely turns off/disables IXR-RPC Client/Server capabilities on a website by protecting the WordPress xmlrpc.php file from being publicly accessible, which prevents the IXR XML-RPC Client/Server connection. Using this Bonus Custom Code will turn off/disable remote posting capability from Weblog Clients (A Weblog Client is software you run on your local machine (desktop) that lets you post to your blog via XML-RPC), unless you add (whitelist) your IP address in the XML-RPC DDoS PROTECTION Bonus Code.
New Dismiss Notice Added: WordPress Firewall 2 plugin check
The WordPress Firewall 2 plugin contains a coding mistake and has not been updated in over 3 years. The wp-admin area is supposed to be whitelisted by default, but that code is not working correctly, which breaks several things in the BPS plugin. The Dismiss Notice will alert users to this existing problem.
New/Updated Help & FAQ Help Links:
Help & FAQ tab pages have updated links, old/outdated links removed, etc.
.50
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Bugfix|Code Correction: Maintenance Mode str_replace has been changed to dirname for GWIOD site types to get the site root index.php file path.
Special Thanks go to Eddy Estevez for reporting this bug.
.49.9
New Feature: Maintenance Mode – FrontEnd/BackEnd Maintenance Mode
Maintenance Mode Guide
The previous Maintenance Mode feature in BPS has been completely removed/replaced with the new Maintenance Mode feature in BPS .49.9. This is a completely new BPS feature. The new BPS Maintenance Mode design includes 20 background images, 15 center images (text box image), allows you to embed image files and YouTube videos, FrontEnd Maintenance Mode, BackEnd Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes and most importantly is fast and simple to use so that you can switch in and out of Maintenance mode quickly and easily. Background image files/options and Center images (text box image) are independent of each other so that you can mix and match different background images with different Center images (text box image).
New Headers check tool added to the System Info page:
Check your website Headers or another website’s Headers by making a GET Request. Both GET and HEAD Headers checking is now available on the System Info page.
New System Info checks:
Standard/GWIOD Site Type, BuddyPress and bbPress. If GWIOD site type display WordPress Address (URL) and Site Address (URL).
BPS Plugin/Theme Script Dequeue function added: Dequeue any/all other plugin or theme scripts that attempt to load in BPS plugin pages:
A new BPS function has been added that Dequeues any/all other plugin or theme scripts on/in BPS plugin pages ONLY, which causes a wide variety of problems for BPS, such as broken plugin functionality, broken menus and pages not displaying visually correct. This new BPS Dequeue function only runs on/in BPS plugin pages and does not run anywhere else or affect anything else on a website. The BPS Dequeue function is only designed to prevent any other plugins or themes from loading their scripts in BPS plugin pages and does not do or affect anything else on a website.
Security Log Code Correction/Enhancement: Security Log User Agent/Bot filter auto-updated during BPS upgrade:
The BPS 403.php Security Log template file is replaced during BPS plugin updates/upgrades, which is normal WordPress plugin update/upgrade procedure. The BPS 403.php Security Logging template is now auto-updated during BPS plugin upgrades/updates and automatically adds any previously added/saved User Agent/Bot filters to the new 403.php template file if any User Agents/Bots to Ignore/Not Log were previously added/saved.
W3TC and WPSC Error checking/messages modified to reflect current version error checking:
Several things have changed in BPS .49.9 relating to W3TC and WPSC and related error messages.
DB Table datatype Issue/problem affects SQL Server (not MySQL) only:
CREATE TABLE Query id column datatype has been changed from mediumint(9) to bigint(20).
Backup & Restore page/other misc pages:
Master File backups and checks are obsolete and have been removed from BPS .49.9.
htaccess Core Security Modes page:
Descriptive titles added to Radio buttons for BulletProof Modes: Root Folder BulletProof Mode, wp-admin Folder BulletProof Mode, Master htaccess BulletProof Mode and BPS Backup BulletProof Mode.
Feature Request by Daedalon: Unused po & mo Language files automatically deleted:
Unused po & mo Language files are automatically deleted on page access for these BPS pages: htaccess Core, Login Security, Security Log and Maintenance Mode.
.49.8
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Custom Code Code Correction: ENT_QUOTES flag added to Custom Code AutoMagic variables to convert Single Quote HTML entities stored in the DB back to characters during AutoMagic File writing.
.49.7
Network/Multisite Plugin Network Activation or Single subsite Plugin Activation:
As of BulletProof Security .49.7, the BPS plugin can be Network Activated or you can allow the BPS plugin to be activated individually on each Network/Multisite subsite or of course you can choose not to Network Activate BPS or allow the BPS plugin on subsites.
New AutoMagic WP 3.5+ Network/Multisite .htaccess code:
BPS AutoMagic buttons automatically write the correct Network/Multisite root .htaccess code for your site based on your WordPress version.
Network/Multisite New Feature Notice: BPS can now be Network Activated on Multisite:
This Network/Multisite New Feature Dismiss Notice displays on Network/Multisite only to alert Network/Multisite site owners about the new Network Activation capability in BPS.
CSS Visual Style Changes for WP 3.8+ MP6 & Pre 3.8 WP Versions:
WordPress 3.8 is using the new MP6 GUI. A BPS 3.8 CSS stylesheet has been created to visually display things correctly in WordPress 3.8. BPS will automatically load the correct CSS stylesheet for your WordPress version. CSS visual enhancements were also created for pre WordPress 3.8 versions.
.49.6
Bonus Code Dismiss Notice Added: Author ID|User ID|Username BOT Probe Protection Code:
Protects against hacker Bot Probes looking for WordPress author enumeration (a numbered list of Author ID’s/User ID’s) to exploit.
Generates a standard WordPress 404 Error instead of displaying Author ID’s/User ID’s/Usernames.
Root .htaccess File code modifications/changes:
OLD: RedirectMatch 403 /\..*$
NEW: RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
BPS Query String Exploits Code Changes
OLD: RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
NEW: RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
OLD: RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
NEW: RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
OLD: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
NEW: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
OLD: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
NEW: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
.49.5
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Reverting: Brute Force Login Protection code is now optional/Bonus Code again
BPS will not automatically add this code as standard code in the root .htaccess file
The Brute Force Login Protection Custom Code text box will remain for folks who can use this code on their websites.
See the BPS Whats New page for more details.
.49.4
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Code Mod to Brute Force Login Protection code to allow for the widest possible range of compatibility
This affected a small number of folks
MOD: RewriteCond %{HTTP_USER_AGENT} ^(|-?)$ [NC,OR] to RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
.49.3
New Feature – Security Log zip, email and delete/replace option:
Security Log files are automatically zipped, emailed and replaced with a new blank security log file when they reach the maximum file size setting on the Security Log page. During the BPS upgrade this is automatically set to zip and email log files when they reach 500KB in size.
Structural/Menu Changes:
The Security Log & System Info tab pages have been moved out of htaccess Core and now have their own separate pages/menu links.
New standard root .htaccess code added:
Server Protocol HTTP/1.0 and blank User Agent htaccess BRUTE FORCE LOGIN PAGE PROTECTION code is now standard .htaccess code in the BPS root .htaccess file.
New BPS Custom Code Text box added:
A new Custom Code Text box has been added: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION.
Check Headers Tool added to the System Info page:
This tool allows you to check your website Headers or another website’s Headers remotely.
New System Info page check – Public IP/X-Forwarded-For check:
If you are using CloudFlare on your website then you will see Proxy X-Forwarded-For IP Address: instead of Public ISP IP/Your Computer IP Address: displayed to you. This additional check is for troubleshooting issues with CloudFlare, CDN, Proxy or VPN.
PHP mysqli_get_client_info function additional check:
Additional function checking code has been added in cases where the mysqli_get_client_info function is not available on a Host Server.
.49.2
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Dismiss Notice text corrections: S-Monitor page text changed to Security Status page
W3TC & WPSC Alerts text corrections: Edit/Upload/Download page text changed to htaccess File Editor page
Several BPS functions renamed for uniqueness/no-conflict assurance
PHP 5.5.x Deprecated function replacement file options.php: mysql_get_client_info replaced with mysqli_get_client_info
PHP 5.5.x Deprecated function replacements file bpsunlock.php: New code using MySQLi instead of MySQL.
.49.1
* Backup folder path correction on Backup & Restore page
* WP Filesystem API Method will display the WordPress Filesystem Method in use. For DSO Server troubleshooting additional fields will be displayed if the Script Owner and File Owner ID’s do not match.
* Custom Code help text changes
* Custom Code additional error checking
* htaccess auto-writing additions
* Additional root htaccess file placeholders/markers added
* New Dashboard Dismiss Notices: Sucuri 1-click Hardening, Broken Link Checker, phpini handler, Speed Boost Custom Code, Custom Permalinks check
* Dashboard Alerts are now only displayed to Administrators. Editors, Authors, etc will no longer see Alerts
* The htaccess Core Edit/Upload/Download tab page has been renamed to htaccess File Editor.
* The File Upload & Download features have been removed from the new htaccess File Editor page since these features/options are obsolete.
* Visual Enhancements: AutoMagic font size increased, etc.
.49
* Security Vulnerability/Bug Fix/Patch: HTML rendered in Security Log file via Logged Header Fields
* Special Thanks go to Jacek Sowinski via Secunia SVCRP for discovering this vulnerability.
* Solution/Fix: Security Log logged Header Fields are now HTML escaped.
.48.9
* 2 New Login Security Options Added:
* Error Messages: Choose to display Standard WP Login Error Messages or Generic Error Messages.
* Password Reset: Enable or Disable Login Password Reset capability. This option also includes additional Stealth Mode capabilities. Please read the Blue Read Me help button on the BPS Login Security page for a full description and additional help information.
* Login Security Bug Fix/Code Correction: Using the /wp-login.php URL no longer generates an initial login error.
* New Dismiss Notice – Brute Force Login Protection Code: At some point the Brute Force Login Protection code will be standard in BPS .htaccess files. For now a dismiss notice has been added with a link to the Brute Force Login Protection code.
* Additional error checking & Overall Code Improvements: Really too many things to list so in general BPS .48.9 is more streamlined, has better/additional error checking and overall code improvements throughout BPS.
.48.8
* Code/Help Text Corrections
* Corrected Help Text typos in Custom Code. Code Correction for the Network/Multisite menus/pluggable.php issue.
.48.7
* Auto-update now displays ONLY – The BPS Automatic htaccess File Update Completed Successfully!
* The old Dashboard Alert has caused a lot of confusion so it is now history.
.48.6
* Custom Code Additions: Custom Code now includes additional Text Areas/Text Boxes for every possible section of code in the Root and wp-admin .htaccess files
* A jQuery Accordion has been added to Custom Code to ensure that the correct Custom Code Text Areas/Text Boxes are being used, better functionality and visual enhancement.
* Windows IIS check/dismiss notice. Displays a dismissable alert for folks who have Windows IIS Servers that allow .htaccess rewriting or have ISAPI_Rewrite installed which allows/converts .htaccess rewriting.
* Reset/Recheck Dismiss Notices added to Security Status page
* Lots of other improvements.
.48.5
* Bug fix: Conditional wrap added to /includes/login-security.php.
.48.4
* Login Security & Monitoring
* Log All User Account Logins or Log Only User Account Lockouts
* Logged DB Fields: User ID, Username, Display Name, Email, Role, Login Time, Lockout Expires, IP Address, Hostname, Request URI
* Email Alerting Options: User Account is locked out, An Administrator Logs in, An Administrator Logs in and when a User Account is locked out, Any User logs in when a User Account is locked out, Do Not Send Email Alerts
* Login Security Additional Options: Max Login Attempts, Automatic Lockout Time, Manual Lockout Time, Max DB Rows To Show, Turn On/Turn Off
* Dynamic DB Form: Lock, Unlock, Delete
* Enhanced Search: Allows you to search all of the Login Security database rows/Fields
* Stand-alone Unlock Form bpsunlock.php: Unlock User Accounts without having to be logged into the WP Dashboard
* Please click the Login Security Blue Read Me help button for full descriptions of all features and options.
.48.3
* jQuery Code changes for the new jQuery version in WordPress 3.6.
.48.2
* Bug fix: Turn On/Off Error logging pattern match correction to include all possible scenarios
* Bug fix: ErrorDocument 401 default added/removed on Turn Error Logging On/Off.
.48.1
* Security Log – Add/Remove User Agents/Bots to Ignore/Not Log or Allow/Log
* New htaccess code – ErrorDocument 401 default
* General Coding Improvements & Enhancements.
.48
* facebook externalhit_uatext.php script/error log fix
* 400, 403 and 404 Error Logging templates modified
* General Coding Improvements & Enhancements
.47.9
* Security Logging/ HTTP Error Logging On/Off buttons added
* Turn Security Logging/HTTP Error Logging On or Off on the Security Log page
* Russian Translation by EyeFinity
* General Coding Improvements & Enhancements
.47.8
* Security Logging/HTTP Error Logging – Log 400, 403 and 404 Errors
* Security Logging/HTTP Error Logging Dashboard Alert – log file size
* IMPORTANT: NEW root .htaccess file code automatically created/modified on upgrade
* Additional System Info Check Added: cURL Extension
* General Coding Improvements & Enhancements
.47.7
* IMPORTANT UPDATE: .htaccess FILE UPDATE FOR WordPress 3.5
* 3.5 BUG FIX: visual and text editor display blank boxes
* Problem: Square Bracket filters are blocking the visual and text editor
* Solution: Square Brackets are automatically removed from .htaccess files/filters on upgrade to .47.7
.47.6
* BPS Master htaccess Folder Deny All .htaccess security protection automated
* BPS Backup Folder Deny All .htaccess security protection automated
* Turn On AutoLock/Turn Off AutoLock options/buttons added
* General Coding Improvements & Enhancements
* Visual Improvements/Enhancements
.47.5
* General Coding Improvements & Enhancements:
* WordPress 3.5 pre-release coding added
* Visual Improvements/Enhancements
* jQuery coding Improvements/Enhancements
* .htaccess code Additions and Improvements
* Anti-Comment Spam .htaccess coding added
* DNS Host Name Check for htaccess file auto-lock
* Screenshot image files moved to the assets folder to reduce plugin size and for speedier upgrades
.47.4
* Improved and Extended Automatic htaccess File Upgrading
* No need to reactivate BulletProof Modes when upgrading
* Automatic updating from .46.9 to the current version of BPS
* Additional System Info Checks Added:
* Zend Engine Version, Zend Guard/Optimizer, ionCube Loader, Suhosin, APC, eAccelerator, XCache, Varnish, Memcache and Memcached
* System Info Checks: check if extensions are installed, loaded, enabled or disabled
* Additional Memory Limit Checks: WordPress Admin Memory Limit, WordPress Base Memory Limit and PHP Actual Configuration Memory Limit
.47.3
* .47.2 Automatic .htaccess file updating on upgrade installation added
* No need to reactivate BulletProof Modes when upgrading
* .47.2 New htaccess security filter added automatically during upgrade
* .47.3 New htaccess security filter added automatically during upgrade
* .47.3 Deny All protection automatically activated for BPS Master /htaccess folder
* WP Dashboard Alerts – Root and wp-admin htaccess file checks
.47.2
* Automatic .htaccess file updating on upgrade installation
* No need to reactivate BulletProof Modes when upgrading
* New htaccess security filter added automatically during upgrade
* WP Dashboard Alerts – Root and wp-admin htaccess file checks
* Lithuanian Language Translation by Vincent G from Host1Free.com
.47.1
* A very minor coding mistake – A superglobal did not have html entities escaped
* No reported problems or issues
* Sincere thanks to SiNA Rabbani for discovering this coding mistake
* Sincere thanks to Jon and Mark from WordPress.org as well for assistance
.47
* View the Whats New page in BPS for the latest changes to BPS
* No changes have been made to either the Root or wp-admin .htaccess files
* i18n Language Translation Coding Added
* Language Translation Tutorial link added to the Whats New page in BPS
* Coding improvements/enhancements
.46.9
* Significant changes to both the Root and wp-admin .htaccess files
Create new Master .htaccess files with AutoMagic and activate all BulletProof Modes.
* NEW Custom Code feature added to BPS
* Coding improvements/enhancements
.46.8
* New TimThumb .htaccess code allows internal image requests but Forbids RFI hacking attempts
* BPS is no longer Forbidding TimThumb thumbnailer scripts by default
* DNS Name Server check on System Info page
* Coding improvements/enhancements
* WP Rating and Download Stats added to BPS
* CSS nick nacks
.46.7
* New jQuery Dialog Read Me Help buttons have been created to replace the old Hover ToolTips
* WP_CONTENT_DIR replaces ABSPATH path for sites that have moved wp-content to another location
* .htaccess Return Carriage filter modified
* .htaccess Slash-Jack filter modified
* Several new pop up confirm messages have been added throughout BPS for forms that perform critical operations
* Several new SAPI types have been added to CGI and DSO checking
* AutoMagic for Network/Multisite sub domain sites is no longer writing the wp-admin forbid coding
* Link to Sucuri Malware Website Scanner added
* BPS is Forbidding Thumbnailer Scripts by Default
* To enable Thumbnailer Scripts see root .htaccess file
.46.6
* Cookie filter removed from BPS QUERY STRING EXPLOITS
* Explicit “exec” and “execute” filter removed from BPS QUERY STRING EXPLOITS
* non-GPL Javascript Countdown Timer removed
* BPS is Forbidding Thumbnailer Scripts by Default
* To enable Thumbnailer Scripts see root .htaccess file
.46.5
* Massive amount of new security filters
* Complete restructuring of how .htaccess Rewriting is processed to work with WP
* Network/Multisite AutoMagic buttons added
* Network/Multisite code added for Super Admins – display BPS menus to Super Admins only
* New System Info information added
* File permission checking and recommendations for CGI or DSO – SAPI detection
* File Lock/Unlock buttons – Read Only root .htaccess – CGI/DSO SAPI detection
* Help info updated
* Updated Whats New
* Lots of other stuff
.46.4
* Network/Multisite detect with additional help info
* chmod 0644 added to copy function for default, secure and wp-admin htaccess files
* Fixed CSS display issues for WP versions 3.2+
* Replaced PP donate link with BPS Pro Upgrade link
* Replaced BPS Pro Modules page with BPS Pro Features page
* Security Status print output instead of var_dump
* Help info updated
* Other CSS changes
* Updated Whats New
.46.3
* BPS Security Top Level Menu added
* Whats New page was added – Read the new Whats New page for details about the latest changes to BPS
* BPS Master htaccess file changes
* Maintenance Mode page changes – Form settings saved to the WP DB
* HUD, W3TC and WPSC – Heads Up Display checks/messages changes/additions
* wp-admin htaccess file removal added
* My Notes page was added
.46.2
* Additional new .htaccess security coding and modifications added to the BPS master .htaccess files
* New plugin conflict permanent fixes added to the secure.htaccess Master file
* BulletProof Security is now fully AutoMagic and still offers full manual control
.46.1
* Additional new .htaccess coding and modifications added to the BPS master .htaccess files
* New plugin conflict permanent fixes added to the secure.htaccess Master file
* Maintenance Mode is AutoMagic – Completed the Maintenance Mode page …finally
* Create the Maintenance Mode Under Maintenance page from within the Dashboard
* Preview your Website Under Maintenance page from within the Dashboard
* New System Information Displayed – WordPress Installation Folder, WordPress Installation Type and WP Permalink Structure Checks and displayed info
* Heads Up Display (HUD) created
* Improved Error and Warning messages
* Major Core code improvements
* nick nack core code fixes and improvements
* New Help and FAQ links – new help pages created on AIT-pro
.46
* New File Uploader code written – no longer using Uploadify code
* New File Downloader code written – no longer using Zubrag code
* File Uploader is AutoMagic – no setup required
* File Downloader is one-click – no setup required
* Major overhaul of the core BPS coding
* !!! Special Thanks to Jon Cave!!!
* for finding a CSRF security vulnerability in BPS .45.9
* that has now been eliminated in BPS .46 with new coding
* And also excellent coding advice to improve BPS even more
* and making the entire WordPress Community a safer and better place
* New permanent plugin conflict fixes added to master .htaccess files
.45.9
Security Patch Release
.45.8
* Permanent Backup and Restore options added – permanent online backup and restore
* Permanent Backup and Restore for all .htaccess files
* Permanent Backup and Restore for File Uploader and File Downloader setup settings
* Additional new .htaccess coding and modifications added to the BPS master .htaccess files
* New plugin conflict permanent fixes added to the secure.htaccess Master file
* WordPress readme.html and /wp-admin/install.php are now protected by BulletProof Security
* Improved Success/Error messaging – more detailed success/error messages displayed
* New Help and FAQ links added – New detailed Help and Info pages created
.45.7
* Additional .htaccess coding filters added to the BPS master .htaccess files
* File Editor added – Edit the BPS .htaccess files from within the WP Dashboard
* File Uploader added – Upload files from within the WP Dashboard
* File Downloader added – Download files from within the WP Dashboard
* Deny All BulletProof Security Modes added for the /htaccess folder and /backup folder
* Nick Nacks, etc.
.45.6
* New SQL Injection hacking method blocked – New code added to master .htaccess files
* This update protects against this latest new SQL Injection hacking method
* Installing BPS does not activate the new BPS .45.6 .htaccess files
* After installation please activate the BPS .45.6 BulletProof modes
* Please download your current htaccess files first before activating BPS .45.6 Security Modes
.45.5
* SVN DB problem for BPS was fixed by some awesome person at WP!
* WP ROCKS!!! BPS .45.5 will install successfully now. 😉
* Bug fixes: W3 Total Cache, Simple Facebook Connect, Ozh’ Admin Drop Down Menu, ComicPress
* Permanent coding fixes incorporated into master htaccess files to replace workarounds
* Additional mission critical PHP Info checks added
* Php.ini and php5.ini files are now protected by BulletProof Security
* Updated BPS help files – AITpro.com site help files pending
* nick nacks here and there
.45.4
* Bug fixes: W3 Total Cache, Simple Facebook Connect, Ozh’ Admin Drop Down Menu, ComicPress
* Permanent coding fixes incorporated into master htaccess files to replace workarounds
* Additional mission critical PHP Info checks added
* Php.ini and php5.ini files are now protected by BulletProof Security
* Updated BPS help files – AITpro.com site help files pending
.45.3
* More Query String Exploit Filters added to BPS Master .htaccess files
* Options -Indexes added to BPS Master .htaccess files at user requests
* Added IP address display to maintenance mode javascript countdown timer display
* No need to click Update Permalinks anymore for Maintenance Mode – RewriteRule override added
.45.2
* New Apache Directives for PHP5 added to the .htaccess master files
* Maintenance mode master .htaccess code modified – RewriteCond to load new background png
* Maintenance Mode log in/log out issue fixed – Log in/out of your Dashboard in Maintenance Mode
* Website Under Maintenance coding modifications and visual design enhancements
* Background Graphic for Website Under Maintenance page created and added in the installation
* Minor cosmetic nicks nacks fixed here and there
* Help files and hover tool tips help info updated
* Tested on WordPress 3.1-alpha – no issues or problems
.45.1
* Bug fix for version check of BPS .htaccess master file
* Bug fix for wp-config.php check based on BPS .htaccess version
* Fix – BPS plugin uninstall issue fixed
* Fix – BPS Widget configuration issue fixed
* Completely recoded with WordPress 3.0 coding enhancements and improvements
* Completely new sophisticated visual design and look
* jQuery UI Tabbed Menu with CSS Hover Menu Buttons – see screenshot
* New Messaging Display System added
* .htaccess code added to master files to .htaccess protect wp-config.php
* WordPress DB error on/off checking and verification status display
* WordPress version is not displayed – remove_action(‘wp_head’, ‘wp_generator’);
* WP generator meta tag removed – remove_action(‘wp_head’, ‘wp_generator’);
* Administrator username “admin” check
* System information page displays PHP, MySQL, Server Info, etc. – see screenshot
* Security Status page added – see screenshot
* Help & FAQ page added
* BPS Pro Modules page added – BPS Pro Modules are installed separately
* New BPS .45.1 Guide created @ AIT-pro.com
.45
* Completely recoded with WordPress 3.0 coding enhancements and improvements
* Completely new sophisticated visual design and look
* jQuery UI Tabbed Menu with CSS Hover Menu Buttons – see screenshot
* New Messaging Display System added
* .htaccess code added to master files to .htaccess protect wp-config.php
* WordPress DB error on/off checking and verification status display
* WordPress version is not displayed – remove_action(‘wp_head’, ‘wp_generator’);
* WP generator meta tag removed – remove_action(‘wp_head’, ‘wp_generator’);
* Administrator username “admin” check
* System information page displays PHP, MySQL, Server Info, etc. – see screenshot
* Security Status page added – see screenshot
* Help & FAQ page added
* BPS Pro Modules page added – BPS Pro Modules are installed separately
* New BPS .45.1 Guide created @ AIT-pro.com
.44.1
* If you are upgrading from .44 to .44.1 download the /htaccess folder first before upgrading and upload it back to the BulletProof plugin folder after you have upgraded to .44.1.
* Added Backup form function – backs up users original existing htaccess files
* Added Restore form function – restores users original existing htaccess files
* Backup folder added for backed up original htaccess files
* Removed links from all ToolTips except for the top Read Me! hover ToolTip
.44
* First version release of BulletProof Security
* Extensive Read Me! help hover ToolTips added to the BulletProof plugin page
* Visual and coding Enhancements made to the BulletProof Maintenance page
* Function check_perm redeclare conflict fixed
- This topic was modified 5 years, 1 month ago by AITpro Admin.
- This topic was modified 1 year, 11 months ago by AITpro Admin.
Cristian Balan (Participant): Is the
> Removal: Defunct/obsolete Block Referer Spammers Bonus Custom Code Dismiss Notice removed.
about http://forum.ait-pro.com/forums/topic/block-referer-spammers-semalt-kambasoft-ranksonic-buttons-for-website/ ?
AITpro Admin (Keymaster): Yes. We are no longer displaying a Bonus Custom Code Dismiss Notice for that. Why? When we originally created that Referer Spammer code it blocked about 90% of Referer Spammers. Now/currently 80% of all Referer Spammers are sending fake tracking calls directly to your Google Analytics Tracking ID (This is a completely random and automated thing). So since the Referer Spammer domain is not actually visiting your website then the Referer Spammer Bonus Custom Code cannot do anything to stop those Referer Spammers since they are not actually visiting your website. That leaves you with filtering out Referer Spam domains/hostnames in Google Analytics Metrics.
Jeff Rivett (Participant): There’s no entry for BPS 2.7 yet. When are we likely to see that?
AITpro Admin (Keymaster): @ Jeff Rivett – Thanks for letting me know that. The 2.7 changelog info has been added.
pankaj (Participant): In the flows of the MX104, the bps/pps are really low, sometimes less than 1Mb/s where, in same condition, … Quote reply ….. Whats your ….. With that
AITpro Admin (Keymaster): @ pankaj – Are you referring to the Juniper MX104 Router? I do not understand your question.
AITpro Admin (Keymaster): Bumping Sticky Topic