BPS Free Read Me First – General Troubleshooting
AITpro Admin
Keymaster
This Forum is for Posting BulletProof Security Free Questions & Comments. If your Question or Comment is regarding BulletProof Security Pro then please post in the BulletProof Security Pro Forum.
Troubleshooting Steps: BulletProof Security Plugin Conflict vs Actively Blocking Terminology
Plugin conflict: A plugin conflict would be a scenario where you are using 2 plugins or plugin features that do the exact or a very similar thing. Example: You are using 2 Login Security features on your website. If both Login Security features are calling the same WordPress Hooks (actions and/or filters) then the 2 plugins will compete with each other and 1 plugin will always override the other plugin. The solution is to choose whichever Login Security feature you want to use in either Plugin and then turn off the Login Security feature in the other plugin.
Actively Blocking: BPS is a security plugin that checks for and blocks malicious attack strings as well as a number of other potentially malicious things that could be an attack against your website. If BPS blocks something legitimate in another Plugin or Theme because it matches a hacking attack or other malicious attack against your website then a whitelist (exclude) rule can be quickly and easily created using BPS Custom Code to allow (whitelist) whatever is being blocked in another Plugin or Theme.
The BPS Security Log is a Primary Troubleshooting Tool: Your BPS Security Log logs blocked hackers, spammers, etc. & also logs anything else that BPS may be blocking in another Plugin or Theme. To confirm or eliminate that BPS is blocking something legitimate in another Plugin or Theme, check your BPS Security Log for any log entries with that Plugin or Theme name. If you have confirmed that BPS is blocking something in another Plugin or Theme, search the forum using that Plugin or Theme name for a solution. If no search results are returned for that Plugin or Theme name then create a new Forum Topic and post the Security Log entry from your BPS Security Log that shows exactly what is being blocked in that Plugin or Theme. A whitelist (exclude) rule can then be created to allow whatever is being blocked by BPS. The BPS Security Log logs all 403 errors whether or not BPS is related to or causing the 403 error. Example: Something installed on your server is causing a 403 error. That 403 error will be logged in the BPS Security Log.
The BPS plugin has built-in troubleshooting capability and should not be deactivated for troubleshooting. Deactivating BPS removes the built-in troubleshooting tools/capabilities. You can turn all BPS security features On or Off for troubleshooting to isolate exactly which BPS security feature is causing an issue/problem or to confirm or eliminate BPS as the cause of an issue/problem.
Note: After doing each troubleshooting step, test whatever is not working to see if it is now working. It could also be possible that 2 things are causing a problem. Example scenario: Doing step 1 and step 2 allow whatever was not working to start working. That would mean both the root .htaccess file and the wp-admin .htaccess file are blocking something legitimate.
1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
3. If an issue/problem is related to Login Security turn Off Login Security on the Login Security & Monitoring page.
4. If an issue/problem is related to JTC-Lite, uncheck the Login Form checkbox on the JTC-Lite page.
5. If an issue/problem is related to ISL or ACE see this forum topic: https://forum.ait-pro.com/forums/topic/idle-session-logout-isl-and-authentication-cookie-expiration-ace/
htaccess Files Note: Both Root BulletProof Mode and wp-admin BulletProof Mode should be activated together. If you only activate Root BulletProof Mode and do not activate wp-admin BulletProof Mode then some wp-admin Dashboard functions (configuring Widgets, etc.) may not work correctly on some web hosts.
Custom Code Note: If you have isolated a problem to the root or wp-admin .htaccess file and you have added additional custom .htaccess code or additional .htaccess code from another plugin to BPS Custom Code then you can either use the Custom Code Export|Import|Delete Tools or manually cut (not Copy) all of your additional custom .htaccess code out of all BPS Custom Code text boxes and save that custom .htaccess code to a Notepad or Notepad++ text file, click the Save Root Custom Code button (or the wp-admin Custom Code button), go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button (and/or the wp-admin Folder BulletProof Mode Activate button). You can then further isolate which custom .htaccess code is the problem by adding only 1 block of additional custom code back to a BPS Custom Code text box at a time.
Login Security Note: If you are unable to login to your website due to an issue/problem with Login Security, rename the /wp-content/plugins/bulletproof-security/ plugin folder to /_bulletproof-security/, log back into your website, rename the /_bulletproof-security/ plugin folder back to /bulletproof-security/ and correct the issue/problem.
WordPress Network/Multisite Help Information:
The BPS plugin can be Network Activated or you can allow the BPS plugin to be activated individually on each Network|Multisite subsite or of course you can choose not to Network Activate BPS or allow the BPS plugin on subsites. Super Admins will see BPS Dashboard Alerts on the Primary Site only. Administrators can activate or deactivate BPS on subsites if you allow this on your Network|Multisite website.
Additional BulletProof Security Troubleshooting Information
Automated Setup Steps
1. Click the Setup Wizard button on the BPS Setup Wizard page.
Optional Features:
1. Idle Session Logout (ISL)
2. Auth Cookie Expiration (ACE)
3. DB Table Prefix Changer
4. Maintenance Mode
5. UI|UX Settings
Uninstall Options
1. An Uninstall Options link is located on the WordPress Plugins page under the BulletProof Security plugin.
2. Clicking the Uninstall Options link loads a jQuery UI Dialog Form with 2 BPS plugin uninstall options.
3. If you are upgrading to BPS Pro, select the BPS Pro Upgrade Uninstall option and click the Save Option button or just click the Close button below and do a normal plugin uninstall.
4. If you want to completely delete the BPS plugin, all files, Custom Code and BPS database settings, select the Complete BPS Plugin Uninstall option and click the Save Option button.
Manual Setup Steps
htaccess Core htaccess Files Manual Setup Steps:
1. Click the Root Folder BulletProof Mode Activate button on the Security Modes page.
2. Click the wp-admin Folder BulletProof Mode Activate button on the Security Modes page.
3. Turn On the Hidden Plugin Folders|Files Cron (HPF) by clicking the Save HPF Cron Options button.
4. Click the Master htaccess Folder BulletProof Mode Activate button.
5. Click the BPS Backup Folder BulletProof Mode Activate button.
Note: It is recommended that you use a Custom Permalink Structure: https://codex.wordpress.org/Using_Permalinks#Choosing_your_permalink_structure
htaccess Core htaccess Files Manual Removal Steps:
1. Click the Root Folder BulletProof Mode Deactivate button on the Security Modes page.
2. Click the wp-admin Folder BulletProof Mode Deactivate button on the Security Modes page.
3. Deactivate and delete the BPS plugin on the WordPress Plugins page.
4. Go to WordPress Settings >>> Permalinks and resave your Permalink Settings.
htaccess File Troubleshooting Steps: Unable to Login to Your Website:
1. Use FTP or your Web Host Control Panel File Manager and delete the .htaccess file in your website root folder and the .htaccess file in your wp-admin folder. If you do not see the root and wp-admin htaccess files then select “Show Hidden Files” in your FTP application or in your web host control panel file manager.
See Custom Code Note
2. Log into your website and Activate all BulletProof Modes.
Note: These steps above apply to issues/problems that are directly related to your root .htaccess file. If you are unable to login to your site due to an issue/problem with Login Security, rename the /bulletproof-security plugin folder to /_bulletproof-security, log back into your website, rename the /_bulletproof-security/ plugin folder to /bulletproof-security/ and correct the issue/problem. For additional troubleshooting steps for BulletProof Security see: https://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting
Note: Some web hosts require that you have a WordPress default htaccess file in your website root folder in order to be able to login to your website. If you are unable to login to your site after deleting the .htaccess file in your website root folder then download this file: /bulletproof-security/admin/htaccess/default.htaccess, upload the default.htaccess file to your website root folder and rename it to .htaccess.
htaccess File Requirements and Compatibility:
https://wordpress.org/plugins/bulletproof-security/faq/
Login Security & Monitoring Manual Setup Steps
1. Click the Login Security & Monitoring Save Options button to use & save the BPS default Login Security settings or choose your own settings.
2. Click the Login Security: Send Login Security Email Alert When… Save Options button to use and save BPS default Email Alerts and Log File settings or choose your own settings.
Idle Session Logout (ISL) Setup Steps
1. Choose the ISL option settings you want to use.
2. Click the Save Options button.
Auth Cookie Expiration (ACE) Setup Steps
1. Choose the ACE option settings you want to use.
2. Click the Save Options button.
DB Backup & Security Setup Steps
1. Click the Create Backup Jobs accordion tab.
2. Enter a Description|Backup Job Name and select the Form option choices that you want.
3. Click the Create Backup Job|Save Settings button to save your Form option choices and create your Backup Job.
4. Click the Backup Jobs – Manual|Scheduled accordion tab, click on the Run checkbox for the Backup Job that you want to run and click the Run Job|Delete Job button.
5. Your Backup files are displayed under the Backup Files – Download|Delete accordion tab.
6. You can Download Backup files to your computer by clicking the Download link for that Backup file.
7. You can delete Backup files by clicking the checkbox for the Backup file that you want to delete and then click the Delete Files button.
Maintenance Mode Usage: Display an Under Maintenance page
1. Choose the Maintenance Mode settings you want to use.
2. Use one of the BPS pre-created Background Images & Center Images or create your own unique Under Maintenance page.
3. Click the Save Options button.
4. Click the Preview button.
5. Click the Turn On button.
UI|UX Settings Usage
1. Select and Save a Theme Skin.
2. Turn On|Off The Inpage Status Display.
3. Turn On|Off The Processing Spinner.
4. Turn On|Off jQuery ScrollTop Animation.
5. Choose WP Toolbar Functionality In BPS Plugin Pages.
6. Choose On|Off for Script|Style Loader Filter (SLF) In BPS Plugin Pages.
7. BPS UI|UX Debug: Turn On for debugging.
BulletProof Security Network|Multisite Subsite Menus
Login Security and System Info menus/pages are available on Network|Multisite subsites to Super Admins and Administrators
Login Security has all the same functionality on Network|Multisite subsites with these exceptions:
Login Security email alerting is not available for subsites.
JTC-Lite has all the same functionality on Network|Multisite subsites
Maintenance Mode has all the same functionality on Network|Multisite subsites with these exceptions:
BackEnd Maintenance is not available on subsites & these Primary site options are not available on subsites: Put The Primary Site And All Subsites In Maintenance Mode & Put All Subsites In Maintenance Mode, But Not The Primary Site.
System Info has all the same functionality on Network|Multisite subsites with these exceptions:
MySQL Database information is not displayed on subsites.
BulletProof Security Single Site & Network|Multisite Primary Site Menus
All other BulletProof Security features are not available on subsites since Network|Multisite subsites are virtual and do not have separate website folders or files of their own. All of the other standard BulletProof Security features work sitewide and affect all other virtual subsites with the exception of Login Security and JTC-Lite, which work individually for each specific website – Primary or virtual subsites and therefore should only be available to and controlled by the Super Admin with Network Admin capabilities for the Network|Multisite website.
Web Host Compatibility Check
BPS and BPS Pro are compatible with most Web Hosts worldwide (350,000+), but are not compatible with these 3 Web Hosting Companies (Landis Holdings, NTT Communications & Yahoo Hosting – Due to Custom Server Configurations and/or Server Restrictions)
Symptoms of the problem: The htaccess Core page will not fully load and is “chopped off”.
Hostingzoom (Landis Holdings)
Resellerzoom (Landis Holdings)
Modvps (Landis Holdings)
WowVPS.com (Landis Holdings)
JaguarPC (Landis Holdings)
Verio (NTT Communications)
NTT America (NTT Communications)
NTT Europe (NTT Communications)
Yahoo Hosting
cPanel Hotlink Protection Tool – No Longer an Issue/Problem: BulletProof Security AutoMagic Not Working, Unable to Edit .htaccess Files, 404 Errors, 403 Errors, 500 Errors, Quarantine Not Working, Permalinks broken, menus broken, WordPress is broken in general
Solution: No Longer an Issue/Problem: The cPanel HotLink Protection Tool problem causes a large variety of problems. If you are unable to activate .htaccess files or edit .htaccess files with the built-in htaccess file editor or you are seeing 404 errors, 403 errors, 500 errors, permalinks are broken, menus are broken or WordPress is broken in general then most likely this is caused by the cPanel HotLink Protection Tool.
BulletProof Security Alert will not go away – “BPS Alert! Your site does not appear to be protected by BulletProof Security”
This issue/problem can be caused by the Broken cPanel HotLink Protection Tool problem or if another plugin or theme is using the WordPress flush_rewrite_rules() function incorrectly or also if your Server API type is DSO (see DSO Server Type help information below). You can check/find your Server API type on the BPS System Info page.
Try refreshing your Browser first to see if the BPS alerts go away. These alerts could be left over from the previous check / last function check.
Important Note: The Lock htaccess File button not only locks the root .htaccess file for protection, but this also protects BPS / your website from plugins that are using the WordPress function – flush_rewrite_rules() incorrectly. This particular WordPress function is very misunderstood and is used incorrectly in a lot of plugins and of course causes a lot of problems for other plugins that create or write .htaccess code such as BPS, BPS Pro, W3 Total Cache, WP Super Cache, etc etc etc. The WordPress flush_rewrite_rules() function should ONLY be used in plugin deactivation and plugin activation functions.
Eliminating the possibility of a plugin conflict (flush_rewrite_rules() function used incorrectly):
1. Deactivate all of your plugins except for BPS.
2. Activate BulletProof Modes again.
3. Refresh your Browser.
If the problem IS still occurring at this point then it is NOT being caused by another plugin using the WordPress flush_rewrite_rules() function incorrectly.
If the problem is NOT occurring again then be sure to lock your root .htaccess file and turn on AutoLock on the htaccess File Editor page before activating your plugins again or the same problem will occur again and your root .htaccess file code will be deleted again by the WordPress flush_rewrite_rules() function in whatever plugin or theme that is using this function incorrectly.
If you lock your root .htaccess file and your Host does not allow locking the Root .htaccess file with 404 file permissions then your website will crash or your Host will automatically change the locked (404 file permissions) root .htaccess file to unlocked (644 file permissions). If your website crashes then FTP to your website root folder and change the root .htaccess file permissions from 404 file permissions to 444 file permissions. Some Hosts allow 444 file permissions, which is more secure than 644 file permissions and your root .htaccess file will be locked to prevent the WordPress flush_rewrite_rules() function problem from occurring repeatedly. If 444 file permissions are not allowed on your Host then unfortunately you will have to activate BulletProof Modes again each time this problem reoccurs or try contacting the plugin or theme author regarding this issue or modify the code in that plugin or theme.
NOTE: If your Root .htaccess file is unlocked and you go to the WordPress Permalinks page your Root .htaccess file code will be deleted. You will need to activate Root folder BulletProof Mode again.
500 Internal Server Error After Activating BulletProof Mode for your Root Folder
Some Web Hosts do not allow you to use the “Options” Directive in .htaccess files. If you see a 500 Internal Server Error then comment out the “Options” Directive by adding a pound sign (#) in front of Options -Indexes in your Root .htaccess file as shown below.
# DO NOT SHOW DIRECTORY LISTING
# If you are getting 500 Errors when activating BPS then comment out Options -Indexes
# by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
#Options -Indexes
Some Web Hosts do not allow you to use the “DirectoryIndex” Directive in .htaccess files. If you see a 500 Internal Server Error then comment out the “DirectoryIndex” Directive by adding a pound sign (#) in front of DirectoryIndex in your Root .htaccess file as shown below. Known Hosts with this issue: NordNet
# DIRECTORY INDEX FORCE INDEX.PHP
# Use index.php as default directory index file
# index.html will be ignored will not load.
#DirectoryIndex index.php index.html /index.php
500 Internal Server Error After Adding New custom .htaccess Code To BPS Custom Code
If you have added custom .htaccess code to BPS Custom Code, saved it, clicked the AutoMagic buttons and activated BulletProof Modes and there is either invalid .htaccess code in that custom .htaccess code or your particular Server/Host does not allow something in that custom .htaccess code then your site will crash with a 500 Internal Server Error.
1. Use FTP or your web host control panel file manager and delete your root .htaccess file (or the wp-admin .htaccess file if the custom .htaccess code was added to wp-admin Custom Code).
2. After you have deleted the .htaccess file or files, login to your site, go to BPS Custom Code, cut (NOT copy) the custom .htaccess code you added to any BPS Custom Code text boxes and paste that custom .htaccess code to a Notepad text file (use Notepad or Notepad++ – do NOT use Word or WordPad) and save it on your computer.
3. After cutting all custom .htaccess code that you have added to any BPS Custom Code text boxes, click the Save Root Custom Code button (and/or Save wp-admin Custom Code button), go to the Security Modes page and click the Root folder BulletProof Mode (and/or wp-admin Folder BulletProof Mode) Activate button.
Your site should not crash at this point with a 500 Error. You can then check and test your custom .htaccess code individually. ONLY add one section of your custom .htaccess code at a time to BPS Custom Code text boxes (and do ALL the Custom Code steps) to isolate which custom .htaccess code is causing the 500 error. Either correct whatever needs to be corrected or just do not use the custom .htaccess code on your website if it does not work / is not allowed on your particular Host/Server.
DSO Server Type: BulletProof Security AutoMagic Not Working/built in .htaccess File Editor Not Working, Unable to Backup or Restore Files
If your Server API type is DSO and your WP Filesystem API Method is NOT “direct” then you will need to do some additional setup steps for a DSO Server. You can check your Server API and WP Filesystem API Method on the BPS System Info page. If you see that your Server API is DSO and your WP Filesystem API Method is NOT “direct” then you will need to do these additional installation steps for DSO.
BulletProof Security WP Error: “no input file specified”- Permalink Problems/404 Errors – using the .html permalink hack is causing 404 Errors
If you see a “no input file specified” error then there is something wrong with your WordPress custom permalink structure. Another cause of 404 Errors is using the .html Permalink hack. Using .html in your WordPress Permalink Structure is considered a hack and is not a standard WordPress Custom Permalink Structure. Example Permalink .html Hack: /%postname%.html. Many years ago this supposedly increased page ranking and SEO. If that was ever really true it is definitely not true now. Using this permalink hack will only cause your website problems and BulletProof Security will not work with this permalink hack. You will need to change your custom permalink to a standard WordPress custom permalink structure in order to be able to use BulletProof Security.
403 Forbidden Error or 500 Internal Server Error when updating/upgrading BPS
Some web hosts (approximately 6 Hosts out of 1000’s of Hosts) have a strict policy that .htaccess files can ONLY have 644 permissions and do not allow you to change your .htaccess file permissions to 404. During the BPS automatic update/upgrade process your Server API is detected and if it is a typical SAPI that should allow your .htaccess file to be locked with 404 permissions then BPS will automatically lock the file. To see if this is the problem that is occurring, FTP to your website and change the .htaccess file permissions in your website root folder to 644. If the 403 error goes away then please let us know which Host you have by posting a comment here so that we can add them to the list below of Hosts that do not allow 404 file permissions for .htaccess files.
If your Web Host does not allow locking of your Root .htaccess file (404 file permissions for your Root .htaccess file) and your site has crashed then FTP to your website and manually change the root .htaccess file permissions to 444. If your site is still crashed/not loading then change the root .htaccess file permissions to 644. After your site is back up go to the BPS htaccess File Editor tab page and click on the Turn Off AutoLock button. This will prevent your Root .htaccess file from being automatically locked when you upgrade BPS, which will prevent a 403 Error from occurring on your website.
List of Web Hosts that require 644 .htaccess file permissions – 404 permissions are not allowed on these Hosts and will cause a 403 Error and or 500 Internal Server Error – 444 file permissions may be allowed on these Hosts
If your Web Host does not allow locking of your Root .htaccess file/404 file permissions for your Root .htaccess file, then go to the BPS htaccess File Editor tab page and click on the Turn Off AutoLock button. This will prevent your Root .htaccess file from being automatically locked when you upgrade BPS, which will prevent a 403 Error from occurring on your website.
webmasters.com
LiquidWeb.com
iPower
iPage
Fatcow
Strato

Andrewxcode
Participant
Another host to add to the list of those not allowing changes to .htaccess file permissions is Webline Services http://webline-services.com/. To be fair, I haven’t tried asking them, as I am about to move my http://www.propertyforsalespain.co.uk/ website to a new host anyway. I have for the moment got around the 404 error by deactivating root folder bullet proof mode and wp-admin folder via BPS Security/htaccess Core in Admin.
Regards
Andrew
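The thread above distinguishes a root .htaccess file locked with 404 permissions, the 444 fallback, and the unlocked 644 state, and names `Options -Indexes` and `DirectoryIndex` as directives some hosts reject with a 500 error. The following shell sketch is an added example, not part of either post and not BPS code; it reports which of those states a given .htaccess file is in and counts the uncommented host-sensitive directives. The function names are hypothetical, the sample file is constructed, and it assumes GNU or BSD `stat` is available.

```shell
#!/bin/sh
# Added example (not BPS code): report the lock state of an .htaccess file
# and count uncommented directives that the post says some hosts reject.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
htaccess_mode() {
    [ -e "$1" ] || return 1
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Map the mode onto the three states discussed in the thread.
lock_state() {
    mode=$(htaccess_mode "$1") || { echo "missing"; return 1; }
    case "$mode" in
        404) echo "locked-404" ;;    # BPS lock; some hosts answer with 403/500
        444) echo "locked-444" ;;    # read-only fallback some hosts accept
        644) echo "unlocked-644" ;;  # writable by owner; other plugins can rewrite it
        *)   echo "other-$mode" ;;
    esac
}

# Count active (uncommented) Options / DirectoryIndex lines.
# grep -c exits 1 when the count is 0, so the status is normalised.
risky_directive_count() {
    grep -cE '^[[:space:]]*(Options|DirectoryIndex)[[:space:]]' "$1" || true
}

# Demo on a constructed sample file; point the functions at a real
# root or wp-admin .htaccess file instead when troubleshooting.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/.htaccess"
cat > "$demo_file" <<'EOF'
# DO NOT SHOW DIRECTORY LISTING
Options -Indexes
# DIRECTORY INDEX FORCE INDEX.PHP
#DirectoryIndex index.php index.html /index.php
EOF
chmod 404 "$demo_file"
echo "state: $(lock_state "$demo_file")"
echo "active host-sensitive directives: $(risky_directive_count "$demo_file")"
rm -rf "$demo_dir"
```

A count above zero together with a 500 error after activation points at the directives to comment out; a `locked-404` state together with a 403 error points at a host that does not accept 404 permissions.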