BulletProof Security Free: Random General Questions
- This topic has 38 replies, 12 voices, and was last updated 8 years, 1 month ago by Levi Brereton.
James (Participant)
Checked with Bluehost. They do not reset permissions server-side. I cannot understand why, when I have all plugins off, and the .htaccess is set to AutoLock off, it still locks the .htaccess file.
AITpro Admin (Keymaster)
Is the root htaccess file permission 404 or 444?
James (Participant)
444
AITpro Admin (Keymaster)
Ok just wanted to be absolutely sure of that. BPS uses this code throughout the BPS Plugin:
chmod($RootHtaccess, 0404);
So what that means is that BPS ONLY uses 404 file permissions for the root htaccess file and does NOT use 444 file permissions in ANY of the BPS plugin code. I do not want to get you worried, but you should scan your website using the Sucuri SiteCheck Scanner to see if it is hacked. Hackers will sometimes automatically lock the root htaccess file to prevent you from modifying it and removing their code. Do any of the plugins you have installed do anything with .htaccess files or code? If so, post the name of the plugin and I will take a look at that plugin’s code to see what it is doing.
Do these troubleshooting steps and let me know what happens:
1. Use FTP and delete the root .htaccess file.
2. Login to your website and turn AutoLock Off.
3. Click the Root Folder BulletProof Mode Activate button.
James (Participant)
I did all those things, then I just clicked on the WordPress ‘Dashboard’ and refreshed my FTP directory. The .htaccess file reverted back to 444 and it now has the standard permalink settings. Sucuri scan found nothing, and I’m using Anti-Malware from GOTMLS.NET which is a great tool for cleaning malware off the site. Help!
AITpro Admin (Keymaster)
Hmm sorry I am out of ideas. BPS does not use 444 file permissions in any of the BPS plugin code so I am not sure what is changing the root htaccess file permissions to 444, but it is not BPS because BPS does not use 444 file permissions anywhere in any of the BPS plugin code.
Pablo Parrado (Participant)
Hello,
I did everything you suggested and didn’t have a chance. But I noticed that in my wp-content folder there was a .php file which was a plugin from w3tc… I never installed w3tc so I think it came with my theme… I deleted that plugin (which again was under my wp-content folder) and everything has been ok for two days, no php error notice.
Thanks. You are the best of the best 😉
b-cat (Participant)
Apparently most hacker-bot attacks are remote POST attempts to log-in without actually visiting your site or using your on-site login page or form. To block these remote POST attacks, and to force users to log in from your actual site, this link below recommends adding specific code to the .htaccess file. Does this code look compatible with BPS, and if so, where would you recommend adding this in the custom code? Or does BPS already prevent remote login attempts like this by default?
The code they recommend adding to the .htaccess file is below (note: replace “example\.com” with your actual domain name):
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
Thanks!
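Added example (not code from the thread or from BPS): a small Python model of how mod_rewrite evaluates the conditions of the rule posted above, as POST AND Referer-mismatch AND (wp-login.php OR wp-admin), run over constructed requests. The `ANCHORED` variant and every request value are assumptions made for illustration.

```python
import re

# Each condition: (request field, regex, negated, [NC], [OR]); order as in the posted rule.
POSTED = [
    ("method",  r"POST",                      False, False, False),
    ("referer", r"^http://(.*)?example\.com", True,  True,  False),
    ("uri",     r"^(.*)?wp-login\.php(.*)$",  False, False, True),
    ("uri",     r"^(.*)?wp-admin$",           False, False, False),
]
# Assumed tightening (not from the thread): accept http and https, anchor the host name.
ANCHORED = list(POSTED)
ANCHORED[1] = ("referer", r"^https?://(www\.)?example\.com(/|$)", True, True, False)

def rule_fires(conds, req):
    """True when the RewriteRule would run, i.e. the request is answered 403 via [F]."""
    i = 0
    while i < len(conds):
        field, pattern, negated, nocase, or_next = conds[i]
        flags = re.I if nocase else 0
        hit = bool(re.search(pattern, req.get(field, ""), flags)) != negated
        if or_next and hit:
            # mod_rewrite skips the rest of an [OR] chain once one member matches
            while i < len(conds) and conds[i][4]:
                i += 1
        elif not or_next and not hit:
            return False  # a failed AND-ed condition stops the rule
        i += 1
    return True

# Constructed requests. The Referer is a header the client sends, so "login_http"
# stands for any client that supplies that value, not only a real browser.
POST_LOGIN = {"method": "POST", "uri": "/wp-login.php"}
REQUESTS = {
    "login_http":      {**POST_LOGIN, "referer": "http://example.com/wp-login.php"},
    "login_https":     {**POST_LOGIN, "referer": "https://example.com/wp-login.php"},
    "no_referer":      {**POST_LOGIN, "referer": ""},
    "domain_in_query": {**POST_LOGIN, "referer": "http://other.test/?example.com"},
}

def verdicts(conds):
    """Map each constructed request to True (blocked with 403) or False (allowed)."""
    return {name: rule_fires(conds, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    posted, anchored = verdicts(POSTED), verdicts(ANCHORED)
    for name in REQUESTS:
        print(f"{name:16} posted_blocks={posted[name]!s:6} anchored_blocks={anchored[name]}")
```

With the posted pattern, a login form served over HTTPS is blocked and a Referer that merely contains the domain is allowed; the anchored pattern reverses both, while a request without a Referer is blocked either way.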
AITpro Admin (Keymaster)
Hmm interesting. It is very easy to fake/spoof the Referer so not sure if this would be effective or not. Give it a try and let me know if it works or not. You can add that code in this BPS Root Custom Code text box: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION
1. Add whichever Brute Force Login Protection Code you want to use in this BPS Root Custom Code text box: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION:
2. Click the Save Root Custom Code button
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
Akhil K A (Participant)
Hi.
Because of some special requirements, I have implemented 3 WordPress installations on a single domain, i.e.,
https://www.mydomain.com
https://www.mydomain.com/blog/
https://www.mydomain.com/kb/
1. I want to install bulletproof on my blogs. How can I install bulletproof without affecting any conflicts?
2. Do I need to install BPS on all three installations or only on the main domain?
3. Are there any special configurations available for these types of scenarios?
Please help.
Thanks.
Akhil K A
AITpro Admin (Keymaster)
The BPS plugin should be installed on each/every site so that each site has all of the BPS plugin security features installed: Login Security, htaccess Firewalls, etc. See the forum topic link below for how to add htaccess code to the root site’s htaccess file so that it does not affect your other subdirectory sites’ htaccess files/code/rules: blog and kb.
http://forum.ait-pro.com/forums/topic/htaccess-files-for-multiple-website-domains/
Example:
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# Do not apply rules to other child websites &
# do not log errors for these child sites
RewriteRule ^blog/ - [L]
RewriteRule ^kb/ - [L]
Ana Pereira (Participant)
I installed bulletproof security in some of my websites and now I have the same error message in all of them:
403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
IP Address: (…)
This is making me crazy!!! I tried to uninstall the plugin in my CP, I tried to change the name of the plugin but nothing works! Help please
AITpro Admin (Keymaster)
Do the standard BPS troubleshooting steps below or do the complete BPS removal steps to delete BPS.
http://forum.ait-pro.com/forums/topic/read-me-first-free/
Note: These steps above apply to issues/problems that are directly related to your root .htaccess file. If you are unable to log in to your site due to an issue/problem with Login Security, rename the /bulletproof-security plugin folder, log back into your website and correct the issue/problem. For additional troubleshooting steps for BulletProof Security see: http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting
Josh Polsky (Participant)
Team,
Thanks to anyone that takes the time to respond. I am not doing anything special on my site. It’s a brochure site for my marketing business and I just wanted to give it, and any info people send on a contact form, protection. I followed some of the steps in the vid, as far as adding some code, but otherwise I haven’t really touched anything.
Basically I want to protect my site as much as possible. Would you recommend adding all of the bonus custom codes?
I did see the post http://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/ about adding code against DDoS when uploading content from a remote server, but I’m not performing that activity. Should I add it anyway?
Thanks again
AITpro Admin (Keymaster)
Completely up to you, which Bonus Custom Code you want to add and use or to use any Bonus Custom Code at all. The general idea is the Bonus Custom Code is extra protection so since you want to protect your site as much as possible then you probably would want to add as much of the Bonus Custom Code as possible. The Brute Force Login page protection Bonus Custom Code is overkill and can cause problems on some websites/servers so I would not recommend adding that Bonus Custom Code.