New BPS Pro install deletes existing root .htaccess file


  • #39761
    Marc
    Participant

    I just purchased and installed BPS Pro. Started with the “pre-installation Wizard” (or whatever it was called), which complained that my .htaccess file access did not work and hence was disabled. I then continued with the “Setup Wizard” and read up on how to check/fix .htaccess access. In the “BPS System Info page” I saw that BPS complains that none of the three options, “mod_access_compat and/or mod_authz_core or mod_rewrite”, are available.

    Maybe I am not understanding the “and/or” here as to what Apache mods are needed. The latter – mod_rewrite – certainly is in active use, as WordPress uses it to provide its access to various pages. I also have lots of manual additions in my root .htaccess file (some hardcoded permanent redirects of old links from a prior site, some plugin specific additions) – some of the plugin-specific changes were actually added automatically by those plugins (hence should not be a permission problem).

    Anyway – after I read-up on all the various “must reads” linked from the Wizard, I wanted to verify that mod_rewrite is in fact already used in my root .htaccess file, so I fire up my SFTP client – only to find that my .htaccess file is gone :-O.

    Re-reading the text displayed by the pre-installation Wizard, it did say something about “removing BPS Pro .htaccess” file – I guess it failed to actually back up the old file and then simply deleted its own testing file? Anyway, my site is now completely broken, so I deactivate BPS Pro and restore the .htaccess file with only the bare minimum, i.e., the standard WordPress header (see htaccess | WordPress.org). At first, the site seems to work again, yet after a bit of browsing I realized that all images are now broken. I check the Media tab in my Dashboard, to find that none of the Media files are accessible anymore. Takes me a while to hunt down the culprit: BPS Pro left an .htaccess file in my upload folder, which blocked all (legitimate) access to my pictures. Removed this as well, now things seem to work again (modulo the manual changes I did to the root .htaccess file – will need to hunt down a backup somewhere).

    Anyway – so my two questions:

    1. Why does BPS Pro nuke my existing .htaccess? This clearly should not happen. If this is a user error, please let me know what I did wrong.
    2. How can I convince BPS Pro that I actually have .htaccess and that mod_rewrite exists? Or are these other two modules, “mod_access_compat and/or mod_authz_core”, necessary? I run this off a hosted server, but I’m sure I could ask for enabling these if needed (fingers crossed).

    Happy to send in further information, though this means enabling the plugin again and thus, again, breaking my site 😐

    Best

    -m

    #39762
    AITpro Admin
    Keymaster

    When you run the BPS Pro Setup Wizard a new root .htaccess file is created and your original root .htaccess file is backed up here > /wp-content/bps-backup/master-backups/root.htaccess-{date/timestamp}. Each time you run the Wizards a backup of your root .htaccess file is created/copied/saved in the /wp-content/bps-backup/master-backups/ folder.  BPS has a feature called Custom Code, which allows you to copy and save any existing custom .htaccess code into BPS Custom Code so that your custom .htaccess code is permanently saved and written into/combined into the BPS root htaccess file when you click the Root BulletProof Mode Activate button.

    1. Go to the /wp-content/bps-backup/master-backups/ folder and find your original root .htaccess file.
    2. Copy and paste your entire original root .htaccess file/code in your forum reply.
    3. I will tell you exactly where to save your root .htaccess code in BPS Custom Code.

    Regarding the BPS Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No) checks:
    1. Go to the BPS System Info page > copy these Apache Modules checking results below on the BPS System Info page so I can see what results BPS has found for your website/server.

    Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
    403: mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: Yes
    403: mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
    403: mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
    200: mod_rewrite Module is Loaded

    #39763
    Marc
    Participant

    Dear Admin,

    many thanks for the quick reply! Thanks to your post I was able to locate the .htaccess file! I also noted that my custom redirects apparently disappeared previously (they’re not in the backup either). Oh well, I guess I need to manually recreate these later.

    Anyway – so nothing critical in here, just some code that the WP-Optimize plugin added. Plus of course the standard WordPress stuff:

    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    
    # BEGIN WP-Optimize Gzip compression
    <IfModule mod_filter.c>
    <IfModule mod_deflate.c>
    # Compress HTML, CSS, JavaScript, Text, XML and fonts
    AddType application/vnd.ms-fontobject .eot
    AddType font/ttf .ttf
    AddType font/otf .otf
    AddType font/x-woff .woff
    AddType image/svg+xml .svg
    
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-font-woff
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE font/woff
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/x-icon
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml
    
    # Remove browser bugs (only needed for really old browsers)
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    Header append Vary User-Agent
    </IfModule>
    </IfModule>
    # END WP-Optimize Gzip compression
    # BEGIN WP-Optimize Browser Cache
    <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access 28 days"
    ExpiresByType text/html "access 28 days"
    ExpiresByType image/gif "access 28 days"
    ExpiresByType image/png "access 28 days"
    ExpiresByType image/jpg "access 28 days"
    ExpiresByType image/jpeg "access 28 days"
    ExpiresByType image/webp "access 28 days"
    ExpiresByType image/x-icon "access 28 days"
    ExpiresByType application/pdf "access 28 days"
    ExpiresByType application/javascript "access 28 days"
    ExpiresByType text/x-javascript "access 28 days"
    ExpiresByType application/x-shockwave-flash "access 28 days"
    ExpiresDefault "access 28 days"
    </IfModule>
    
    <IfModule mod_headers.c>
    <filesMatch "\.(ico|jpe?g|png|gif|webp|swf)$">
    Header set Cache-Control "public"
    </filesMatch>
    <filesMatch "\.(css)$">
    Header set Cache-Control "public"
    </filesMatch>
    <filesMatch "\.(js)$">
    Header set Cache-Control "private"
    </filesMatch>
    <filesMatch "\.(x?html?|php)$">
    Header set Cache-Control "private, must-revalidate"
    </filesMatch>
    </IfModule>
    
    #Disable ETag
    FileETag None
    # END WP-Optimize Browser Cache

    #39764
    Marc
    Participant

    Here are the Apache checking results. Again, I suspect that at least the mod_rewrite result is not correct, as I am using mod_rewrite for WordPress (see .htaccess – if I remove the initial IfModule block, my WordPress install does not work anymore, hence my inference that mod_rewrite works ok):

    Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
    500:500:500: mod_access_compat and mod_authz_core or mod_rewrite is NOT Loaded
    500: mod_security Module is not Loaded|Enabled
    
    #39765
    AITpro Admin
    Keymaster

    The BPS root htaccess file already incorporates the standard default WordPress Rewrite htaccess code, but BPS breaks it up into 2 sections so that the BPS security rules are within the WordPress Rewrite loop. In your website/web host’s case you are going to need to do additional htaccess customizations – See the Web Host Requires IfModule Conditional htaccess code help section below.

    Custom redirect htaccess code goes in this BPS Root Custom Code text box:  14. CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE.

    Web Host Requires IfModule Conditional htaccess code:
    Regarding the IfModule conditional htaccess code. Your web host requires the IfModule conditional htaccess code, which is very rare these days for a web host to require that. So you will need to do additional htaccess code customizations that 99.99% of other people would not have to do.

    The simplest solution is to do these steps to customize your root htaccess file for your particular web host:

    1. Copy your WP-Optimize htaccess code.
    2. Go to the BPS Pro > B-Core > Custom Code tab page.
    3. Click the Root htaccess File Custom Code accordion tab/button.
    4. Paste your WP-Optimize htaccess code into this BPS Root Custom Code text box:  1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    5.  Type a # sign in this BPS Root Custom Code text box: 2. CUSTOM CODE TURN OFF YOUR SERVER SIGNATURE
    6. Type a # sign in this BPS Root Custom Code text box: 3. CUSTOM CODE DO NOT SHOW DIRECTORY LISTING/DIRECTORY INDEX
    7. Type a # sign in this BPS Root Custom Code text box: 6. CUSTOM CODE DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    8. Type a # sign in this BPS Root Custom Code text box:  7. CUSTOM CODE WP-ADMIN/INCLUDES
    9. Copy the standard/default WordPress Rewrite htaccess code from your backed up root htaccess file into this BPS Root Custom Code text box:  8. CUSTOM CODE WP REWRITE LOOP START
    10. Type a # sign in this BPS Root Custom Code text box: 9. CUSTOM CODE REQUEST METHODS FILTERED
    11. Type a # sign in this BPS Root Custom Code text box: 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
    12. Type a # sign in this BPS Root Custom Code text box: 11. CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    13. Type a # sign in this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    14. Click the Save Root Custom Code button.
    15. Go to the Security Modes tab page and click the Root Folder BulletProof Mode Activate button.

    Or you can do this:

    1. Deactivate Root Folder BulletProof Mode.
    2. Go to the htaccess File Editor tab page.
    3. Click the default.htaccess tab.
    4. Copy your backed up root htaccess file code into the default.htaccess window and overwrite all the existing .htaccess code in the Default htaccess file.

    default.htaccess File Exception: You can create a Custom default.htaccess file that will be saved permanently by editing the default.htaccess file using the htaccess File Editor. Your Custom default.htaccess file will be saved permanently to this folder: /bps-backup/master-backups/default.htaccess. If you have created a Custom default.htaccess file then it will be automatically copied from the /bps-backup/master-backups/ folder during a BPS plugin upgrade and will replace the default BPS default.htaccess Master file.

    #39766
    AITpro Admin
    Keymaster

    Also due to your web host’s limitations/restrictions for the IfModule conditional htaccess code you will probably not be able to use the BPS Pro Plugin Firewall feature and will need to deactivate/Turn Off the BPS Pro Plugin Firewall feature.  I would be glad to login to your site and figure out the best custom solution for your particular web host.  I would need a WordPress Administrator login to your website and an FTP login to your hosting account in order to do that. If you want to go that route then send the login information to:  info at ait-pro dot com.

    #39767
    AITpro Admin
    Keymaster

    You might ask why I did not include the IfModule conditions by default in BPS htaccess code/files.  Well years ago using IfModule conditional htaccess code did not work on a number of web hosts and caused website crashes – 500 errors.  Things may have changed since then, but since you are the only person with these particular issues/problems out of 50,000+ users then yeah going the route of NOT using IfModule conditions has been working fine for 9+ years.  😉

    #39768
    Marc
    Participant

    I’m not sure if the “IfModule conditional htaccess code” is required. To test, I just uploaded a minimal .htaccess file without the module checks:

    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    
    # END WordPress

    Everything still works (if I remove .htaccess completely, anything but the homepage doesn’t work anymore). Should I try activating BPS Pro again, now that the IfModule configuration has been removed?

    #39769
    AITpro Admin
    Keymaster

    Well that would be great and changes everything.  Try these steps below and let me know if everything works correctly. Then there must be some other explanation for the 500 errors for the Apache Module tests on the System Info page, which could be a permission or Ownership problem for some of your website folders. Let’s see if we can get your root htaccess file working first and then I will tell you what to do next regarding that issue.

    1. Copy your WP-Optimize htaccess code.
    2. Go to the BPS Pro > B-Core > Custom Code tab page.
    3. Click the Root htaccess File Custom Code accordion tab/button.
    4. Paste your WP-Optimize htaccess code into this BPS Root Custom Code text box:  1. CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    5. Click the Save Root Custom Code button.
    6. Go to the Security Modes tab page and click the Root Folder BulletProof Mode Activate button.

    #39770
    AITpro Admin
    Keymaster

    Ok I see why the 500 errors are occurring for the Apache Modules checks.  The error log that you sent to me has this Fatal error log entry below.  What that means is that the apache_get_modules() function is not available on your host server > https://stackoverflow.com/questions/28192628/fatal-error-call-to-undefined-function-apache-get-modules. So the 500 error has to do with that issue and not with any Apache Modules checks. I will need to add an additional conditional check for that in the next BPS Pro version update.

    [Mon Dec 14 16:38:43.278955 2020] [fcgid:warn] [pid 8166:tid 140584748513024] [client 37.201.119.194:55088] mod_fcgid: stderr: PHP Fatal error: Uncaught Error: Call to undefined function apache_get_modules() in /var/opt/www/usi_inf_pc/docs/obscure.php:3

    #39771
    Marc
    Participant

    So the Pre-Installation Wizard and the Setup Wizard now both run without problems. However, activating the “Root Folder BulletProof Mode” still fails.

    My guess is that this is due to the slightly strange setup of my hoster here. There is a script that runs nightly which does a “chown” and “chmod” as follows:

    # default owner: nobody:FTP_website_group
    # default perms: 575

    I can configure the permissions, not the ownership, of individual files and folders in this script. I usually end up giving 775 permissions to all folders, thus allowing both the Web server (which runs as user “nobody”) as well as myself (member of group “FTP_website_group”) write access to the wordpress root folder.

    My uploads are of course under my own user ID:group, and by default the SFTP server will only do 644 permissions (i.e., I cannot manually change permissions in my SFTP client). As a result, anything that I upload (like, e.g., an .htaccess file) will be initially owned by me and _not_ be writable for the server process (only read permissions for anybody but myself).

    I suspect I will need to wait until the script kicks in and re-owns/re-mods the access permissions on that .htaccess file. Hopefully then BPS Pro will be able to write to it (PS: the wordpress root folder is writeable for the server process, hence the creation of a custom .htaccess file works).

    Sorry for the hassle, mostly generated by the very weird particular setup here. Will report back tomorrow on whether the .htaccess file re-owning/re-permissioning has solved the issue!

    #39772
    Marc
    Participant

    As for the missing apache_get_modules() function: I’m sure this is a security precaution of the shared hoster… Would be great if there’d be a workaround for this (i.e., I doubt they’d enable this for me). Happy to try though if that’s helping. I guess as these servers are all virtual, they might allow this for my instance – especially as I’m trying to install a security plugin that should as a result _increase_ security…

    #39773
    AITpro Admin
    Keymaster

    Yep, this is a unique host server config/setup.  So this will require some additional BPS tweaks.

    “However, activating the “Root Folder BulletProof Mode” still fails” – this could be caused by ModSecurity installed on your host server, which is blocking that Form submission.  Luckily running the BPS Setup Wizard accomplishes the same thing.  Can you save custom htaccess code to BPS Custom Code? If not, then click the Encrypt Custom Code button first before clicking the Save Root Custom Code button. Then run the Wizards, which will create a new root htaccess file.

    Don’t worry about the Apache Module issue.  If BPS cannot get your actual Apache Module information then default htaccess code is created that should work on any/all hosts.  So in BPS Pro 15.1 I will create another conditional check for:  function_exists for the apache_get_modules() function and display some kind of message such as > “The apache_get_modules() function does not exist on your server. This is not a critical issue/problem and you can disregard this message.”

    Now the thing that concerns me next is whether or not AutoRestore|Quarantine (ARQ) is fully working.  In order for ARQ to work correctly these folders all need to have the same Owner:  WordPress root installation folder, wp-admin folder, wp-includes folder and the wp-content folder.  Check the BPS System Info > File|Folder Permissions (CGI or DSO)|Script Owner User ID (UID)|File Owner User ID table > the Script Owner User ID (UID) and File Owner User ID should be the same/identical for all of your website folders except for the WordPress /uploads/ folder based on the email that you sent to me.
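
    To see concretely why the freshly uploaded .htaccess (644, owned by the SFTP user) and the same file after the nightly chown/chmod behave differently for the server process, and to mirror the System Info owner comparison described in the reply above, here is an added Python model of the Unix permission classes. It is not code from the thread or from BPS Pro; the login name "marc", the paths, the modes and the folder list are constructed from the posts, and root is not modelled.

```python
from dataclasses import dataclass

# Added example, not BPS Pro code: a model of how the kernel picks ONE
# permission class (owner, group or other) for a process and a file.


@dataclass(frozen=True)
class FileEntry:
    path: str
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o644


@dataclass(frozen=True)
class Process:
    user: str
    groups: frozenset  # primary plus supplementary groups


def effective_bits(entry: FileEntry, proc: Process) -> int:
    """Owner bits if the uid matches, else group bits if any group matches,
    else the 'other' bits. Only one class is consulted, never a union."""
    if proc.user == entry.owner:
        return (entry.mode >> 6) & 0o7
    if entry.group in proc.groups:
        return (entry.mode >> 3) & 0o7
    return entry.mode & 0o7


def can_read(entry: FileEntry, proc: Process) -> bool:
    return bool(effective_bits(entry, proc) & 0o4)


def can_write(entry: FileEntry, proc: Process) -> bool:
    return bool(effective_bits(entry, proc) & 0o2)


def owner_mismatches(entries, script_owner, skip=("/uploads",)):
    """The System Info comparison from the reply: every WordPress folder
    except /uploads/ should have the same owner as the script owner."""
    return [e.path for e in entries
            if e.owner != script_owner and not e.path.endswith(skip)]


# Constructed actors: the web server runs as "nobody"; the SFTP user
# (hypothetical login "marc") is a member of FTP_website_group.
WEB_SERVER = Process("nobody", frozenset({"nobody"}))
SFTP_USER = Process("marc", frozenset({"marc", "FTP_website_group"}))

# Constructed states: a fresh SFTP upload, the same file after the nightly
# chown to nobody:FTP_website_group with the default 575, and a folder
# the poster has set to 775.
FRESH_UPLOAD = FileEntry("/docs/.htaccess", "marc", "marc", 0o644)
NIGHTLY_575 = FileEntry("/docs/.htaccess", "nobody", "FTP_website_group", 0o575)
FOLDER_775 = FileEntry("/docs", "nobody", "FTP_website_group", 0o775)

WP_FOLDERS = [
    FileEntry("/docs", "nobody", "FTP_website_group", 0o775),
    FileEntry("/docs/wp-admin", "nobody", "FTP_website_group", 0o775),
    FileEntry("/docs/wp-includes", "nobody", "FTP_website_group", 0o775),
    FileEntry("/docs/wp-content", "nobody", "FTP_website_group", 0o775),
    FileEntry("/docs/wp-content/uploads", "marc", "FTP_website_group", 0o775),
]

if __name__ == "__main__":
    for entry in (FRESH_UPLOAD, NIGHTLY_575, FOLDER_775):
        print(f"{entry.path} {entry.owner}:{entry.group} {oct(entry.mode)}: "
              f"server write={can_write(entry, WEB_SERVER)}, "
              f"sftp write={can_write(entry, SFTP_USER)}")
    print("owner mismatches:", owner_mismatches(WP_FOLDERS, "nobody"))
```

Because 575 gives the owner class only r-x, the model reports the chowned file as still not writable by the server process; the group class (the SFTP user's group) is the one that gets write access under that mode.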

    #39774
    Marc
    Participant

    I will wait until the cron-script updates the ownership/permissions tonight and then try anew tomorrow! Will report back here!

    -m

    #39779
    AITpro Admin
    Keymaster

    Oh wow. I am no longer using the apache_get_modules() function since I did run into a problem with that function many years ago and I had to change the BPS Pro code. So I misread the error log error that you sent to me. The error is not occurring in a BPS plugin file, it is occurring in a server file. I don’t think this error is related to BPS Pro, but it might be somehow.

    [Mon Dec 14 16:38:43.278955 2020] [fcgid:warn] [pid 8166:tid 140584748513024] [client 37.201.119.194:55088] mod_fcgid: stderr: PHP Fatal error: Uncaught Error: Call to undefined function apache_get_modules() in /var/opt/www/usi_inf_pc/docs/obscure.php:3

    I think what must be happening instead is your host server is not able to process the htaccess file/code in this BPS Pro plugin htaccess code testing folder: /bulletproof-security/admin/mod-test/, which means this BPS Pro option setting below, which is used throughout BPS plugin code is unable to determine the correct htaccess option setting value for this BPS Pro option setting.

    // Apache Modules IfModule condition: create IfModule conditions or just Order, Deny, Allow htaccess code
    function bulletproof_security_options_validate_apache_modules($input) {
    $options = get_option('bulletproof_security_options_apache_modules');
    $options['bps_apache_mod_ifmodule'] = wp_filter_nohtml_kses($input['bps_apache_mod_ifmodule']);
    $options['bps_apache_mod_time'] = wp_filter_nohtml_kses($input['bps_apache_mod_time']);
    
    return $options;
    }

    Ok so at least I understand the problem that is occurring. I think the best solution is to create a Setup Wizard Option setting that allows someone to override the Apache Modules testing function and manually choose their correct htaccess file/code option settings.
