BPS Pro Alert! Your site may not be protected by BulletProof Security

[GR]

I’m on Knownhost, and I’m trying to figure out why I can’t turn on Bulletproof mode for my root .htaccess file.  The admin bulletproof .htaccess goes in without a problem. I can activate root mode, but the root .htaccess file immediately reverts back to WordPress default.  Any suggestions as to what could be happening?

[AITpro Admin]

I assume the BPS Pro alert message you are seeing is the Alert message that I changed the title of this forum topic to?  Try these steps first:

1. Go to the htaccess File Editor tab page.
2. Click the Turn On AutoLock button.
3. Run the Pre-Installation Wizard and Setup Wizard again.

[GR]

Ok, I am on the .htaccess tab, and I see the paragraph discussing the AutoLock button, but I see no actual AutoLock button anywhere.

[AITpro Admin]

Ok that means you have a DSO Server type and not a CGI Server type.  The AutoLock button is only displayed for CGI Server types.  Ok try these steps below and let me know if your root htaccess file is automatically changed again or not.

1. Deactivate all of your other plugins except for BPS Pro.
2. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

[GR]

It still doesn’t work.  Knownhost insists that they are doing nothing to cause this.  The secure access info is not put into the public_html/.htaccess file.

[AITpro Admin]

I see that you installed BPS Pro on this site today.  Was this site hacked in the recent past before you installed BPS Pro?  It could also be a file permission or Ownership problem.  Go to the BPS Pro System Info page and copy and paste the system information in these boxes:  Website|Server|Opcode Cache|Accelerators|IP Info|Apache Modules|Directives, PHP Server|PHP.ini Info and File|Folder Permissions (CGI or DSO)|Script Owner User ID (UID)|File Owner User ID.  Send the System Info in an email to info at ait-pro dot com.

[GR]

There were some modified files injected, yes.  Server AV software and Sucuri.net scans clean now.   File perms and ownership look good.  Info sent.

[AITpro Admin]

All direct email troubleshooting steps did not resolve the problem.  Scheduled for login to this site between 7 and 8am PST tomorrow morning.

[GR]

PLEASE NOTE: If you’re going to do anything that will take the site down for more than 60 seconds, such as turn off installed plugins,  please wait until 3pm PST.

[AITpro Admin]

This site is completely clean of all hacker files and code. Reinstalling WordPress on the Updates page resolved the problem. That either means that hacker code still existed in one or more of the WordPress Core files that was replaced or that there was damage/corruption to one or more WordPress core files – most likely the former.

[GR]

Ok, so after all was said and done, all the usual steps failed to resolve the problem, and all we really know is that sometimes corrupted WordPress core files can cause the .htaccess file to constantly be rolled back to WordPress default.  Is that correct?

[AITpro Admin]

I meant to state “former” and not “latter”.  That has been corrected above.  The explanation that I sent to you via email has been posted below as it may be helpful for someone else in this same situation.

Hackers typically place files and/or code all over the place (in WP Core files and elsewhere under a hosting account) so that when you do something like reinstall WordPress, another file with additional hacker code in it, typically wp-config.php, wp-blog-header.php, index.php, etc. automatically reinfects the site again. So the most logical explanation for why just reinstalling WordPress worked is you already removed the hacker files that automatically reinfect the site and the only hackers files/code left over, existed somewhere in WP Core files. When I used to dehack websites I would first take the site offline to prevent reinfection while finding and removing the hacker files that reinfect the site and then finally replace all standard WP Core files.

[GR]

Okay, that makes sense.  And it has to be said: BPS staff put at least 2 hours into email support and troubleshooting on my site to resolve this issue.   Big thanks to them for going the extra mile.

It’s alarming that code which constantly restores a copy of .htaccess can be injected into core WordPress files, and has no known malware signature, but the good news is, I found the right people to fix it.

[AITpro Admin]

Yep, hackers are creating better code these days unfortunately.  In past years, I used to see mostly slapped together rough hacker code that did not have very good automation coding work done, but that has changed in the past couple of years and I am seeing much better hacker coding work in general and hacker automation coding work (automatically recreate/reinfect sites).  The other thing that I am seeing is much better hacker coding work at making the “hidden” hacker files undetectable to/by any scanners.  That is just the normal evolution of this thing and expected so it is good to always be a couple of steps ahead of what hackers are currently doing.

Thanks for the Kudos!  Very much appreciated.

[Chris Moon]

[Topic merged into this relevant Topic]
I am re-building a site after the DB was corrupted but having problems re-installing BPS Pro. Completely new installation of WP
Themes: Thesis Theme activated – 2015 theme installed
Plugins: Akismet; BPS Pro; Duplicator; MainWP Dashboard
no content

I have tried both with the setup wizard and manually. Error “BPS Pro Alert! Your site may not be protected by BulletProof Security
The BPS version: BULLETPROOF PRO x.x SECURE .HTACCESS line of code was not found at the top of your Root htaccess file.” The new site is installed on my VPS where I have 12 other sites all with BPS Pro, duplicator and MainWP Child they all function perfectly so I don’t think it’s a problem with my server.

regards,
Chris Moon
__________________

It appears the BPS Pro plugin had been corrupted downloading and installing a new copy solved the problem

[Author]

Posts