cPanel Broken HotLink Protection Tool – Unable to Download BPS Master Files and Back Ups

    #2999
    Paul D.
    Participant

    I completed all the steps including chmod of required WordPress files (as shown in the Security Status).

    I tried to download Master and back up files in the htaccess File Editor tab (after enabling my IP to do so) but it won’t let me. It is giving me an “Error 404 – Not Found” when downloading Master Files and Back up files.

    I checked and fixed the HotLink Protection code and checked my Server API and it shows me this:

    Server API: cgi-fcgi – Your Host Server is using CGI.

    Sure, I can download htaccess files from cPanel, but it would be handy to know why I can’t do it in the BPS plugin panel.

    Please help.
    Thanks.
    Paul

    #3000
    AITpro Admin
    Keymaster

    Do you have backup files to download?

    Have you clicked the File Downloading buttons?

    I didn’t know anyone actually ever used this…ever. 😉

    #3001
    Paul D.
    Participant

    All entries in “General BulletProof Security File Checks” all green, so I do have backups. =)

    Clicking all the blue buttons under BPS Master Files and Backed Up htaccess files (in htaccess File Editor tab) results in the same “Error 404 – Not Found”. I don’t have any plugins enabled except for Akismet, BPS and WP Pipeline Slave (which I doubt is the cause).

    Any help would be appreciated.

    #3003
    Paul D.
    Participant

    I deleted the Hotlinking entry since it was there again. I unlocked htaccess and deleted the hotlinking entry, then locked it again.

    It shows a different error message this time when I tried to download the secure.htaccess Master file:

    Method Not Implemented
    GET to /wp-content/plugins/bulletproof-security/admin/htaccess/secure.htaccess not supported.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    #3006
    Paul D.
    Participant

    The BPS buttons and images are somehow gone… and it locked me out with a 403 Forbidden error when I tried logging out from WordPress and/or logging in from the LastPass site. Luckily, hitting the browser back button lets me switch out of Bulletproof mode, then I switched back to Bulletproof mode… the images are back again and it’s not locking me out with a 403 Forbidden error.

    What’s going on?

    #3007
    Paul D.
    Participant

    What are the things that can be done to make the Hotlink code go away?

    (%0A|%0D|%27|%3C|%3E|%00)
    \.opendirviewer\.
    ^.*nameofwebsitehere*
    users\.skynet\.be.*

    When I tried deleting it, it will return after a few minutes with this code:

    (%0A|%0D|%27|%3C|%3E|%00)
    \.opendirviewer\.
    ^.*somebogusnamehere.local.*
    users\.skynet\.be.*

    #3013
    AITpro Admin
    Keymaster

    All of these problems are being caused by the Broken cPanel HotLink Protection Tool.  Please see this Forum Topic:

    http://forum.ait-pro.com/forums/topic/read-me-first-free/#cpanel-hotlink-protection

    #3038
    Paul D.
    Participant

    Solution: There is only one way to block the broken cPanel HotLink Protection tool, since enabling and disabling it is also broken – you cannot turn it off. You will need to lock your Root .htaccess file (if your Server is configured with CGI then locked means Read Only 404 file permissions) and log into cPanel and delete all code that you see in the HotLink Protection windows. If you unlock your Root .htaccess file at a later time and WordPress and BulletProof Security and ARQ and Quarantine are not working correctly again then you will need to repeat these steps to fix the problem again as this broken tool will probably do the same thing again as soon as your Root .htaccess file is unlocked.

    I don’t know what you mean. But locking the htaccess file and changing/updating the Hotlink code in cPanel won’t let me do it because the htaccess file is “locked”. Do you mean unlocking htaccess in BPS, then changing the settings in cPanel Hotlink, then locking htaccess again in the BPS plugin?
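
A read-only check a site owner could run over the root .htaccess file discussed in the quoted solution above (an added example, not part of the thread and not BulletProof Security code): it reports whether the file has the read-only 404 mode, lists referer-based rewrite conditions, and hashes the content so two runs show whether something rewrote the file. The function name `audit_htaccess`, the sample file, and the assumption that hotlink rules appear as `RewriteCond %{HTTP_REFERER}` lines are constructed for illustration.

```python
import hashlib
import os
import re
import stat
import tempfile

# Constructed sample: a root .htaccess with a referer-based hotlink block appended.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
# END WordPress
RewriteCond %{HTTP_REFERER} !^http://somebogusnamehere.local/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]
"""

# Assumption: hotlink rules show up as mod_rewrite conditions on the Referer header.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.IGNORECASE)


def audit_htaccess(path):
    """Report lock state, referer conditions and a content hash for one file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        data = fh.read()
    lines = data.decode("utf-8", "replace").splitlines()
    hits = [(n, l.strip()) for n, l in enumerate(lines, 1) if REFERER_COND.match(l)]
    return {
        "mode": format(mode, "03o"),
        "locked": mode == 0o404,          # the read-only mode the thread calls "locked"
        "writable": bool(mode & 0o222),   # any write bit lets another tool rewrite it
        "referer_conditions": hits,
        "sha256": hashlib.sha256(data).hexdigest(),  # compare between runs to spot rewrites
    }


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".htaccess", delete=False) as tmp:
        tmp.write(SAMPLE)
    for mode in (0o644, 0o404):
        os.chmod(tmp.name, mode)
        print(audit_htaccess(tmp.name))
    os.chmod(tmp.name, 0o644)
    os.remove(tmp.name)
```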

    #3041
    AITpro Admin
    Keymaster

    Oh, never mind then. If your root .htaccess file is locked then do not worry about what you see in the cPanel Hotlink protection tool window, because it will not be able to break your website anymore if your root .htaccess file is locked.

    I will have to get back to you on the download issue. It has been years since I checked that code so I will recheck it again today or tomorrow. Thanks

    #3175
    Paul D.
    Participant

    Is it safe to say that if we have the Pro Version of BPS, we don’t need any other security plugin?

    #3180
    AITpro Admin
    Keymaster

    Actually at this point you should also have a Login Protection plugin installed. BPS Pro will have Login Protection added in BPS Pro 5.8. Also for disaster recovery you should have a backup and restore plugin.

    #3186
    Paul D.
    Participant

    Login LockDown installed. As for backup and recovery, we do have a tool for that and we do backup often before and after loading plugins. We are still testing things out for us to see any conflicts or unwanted plugin clashes.

    Good news is that my employer will be availing of BPS Pro some time this week.

    We explored Website Defender and Better WP Security but trial limitations and lack of plugin support is more risky than beneficial in case something F-up the website(s) in the future.

    Regarding the original error and other errors posted above, it’s not the case with a different testing site. Must be the theme or whatnots with the previous WordPress installation.

    One question though, clicking the download buttons for the BPS Master Files would display the htaccess codes in another browser tab for me to copy and paste in notepad? Is that what’s supposed to happen and not download it as file or something like that?

    #3189
    AITpro Admin
    Keymaster

    I did get a chance to look at that code and yes I see that what is now occurring is the file contents are being displayed in the Browser window now instead of being downloaded. This is due to changes made in Browsers to make them more secure.

    To be honest with you the whole upload/download thing is pretty much defunct/not necessary. These were very old additions to BPS that were left behind. Much newer and better techniques/features were added after the download/upload features. You can achieve the exact same thing as downloading your current active htaccess files by simply going to the htaccess editor window and copying and pasting the file contents directly from the editing windows into a Notepad file on your computer. It is really not necessary to have backups of the Master files.

    In a future version of BPS Pro we will be adding a disaster recovery feature, which will create a minimalized backup of only all mission critical files and your database so that you can quickly restore your site with one-click. This feature is not going to be designed as an extensive backup and restore feature for backing up everything under a website and is going to focus more on a one-click backup and recovery solution to get the site back to where it was if the worst case scenario happens. BPS Pro has an incredible track record of being “BulletProof”, but a disaster recovery plan is a standard that should always be incorporated on any website.

    So in summary, the upload/download features will be completely phased out/removed once the disaster recovery feature is added to a future version of BPS Pro.

    #3190
    Paul D.
    Participant

    Gotcha. Thanks for the detailed information.
