bulletproof-security.0.47.5 not working

getting the same error…

Also, wordpress reporting .47.5 , however in .htaccess and within the plugin itself, reporting as Pro 5.D … Just a hunch this may be the source of the problem.

Same or similar problem on fuzzyskeletonian.com (NSFW) — front page worked, none of the other pages could be found, all 404’d. BPS wouldn’t create a new .htaccess file, though it would try and create an empty .htaccess but cough up an error saying “secure.htaccess on public_html/wp-content/plugins/bulletproof-security/admin/htaccess is not found or not re-writable”

Within Cpanel, the file was both there and writable, so the error didn’t make much sense.

This only happened on update, no other changes were made.

ETA: Installed the previous version and the blog is back, thank goodness — thank you bsp2012 for the suggestion!

What a mess, though. Something is clearly wrong with this update — I have a feeling that as morning breaks in the U.S., BPS is going to have a TON of complaint posts to deal with.

Overall the .47.5 upgrade is working fine for most folks so I need to isolate the common denominator with you guys to figure out why the upgrade is not working correctly on your websites/Hosts/Servers. Or of course these could all be separate isolated problems/incidents. Or just the same old common problems that resurface over and over again on upgrades such as the cPanel Broken HotLink Protection Tool problem sigh >>> https://www.ads-software.com/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=7

So first let me explain some things that changed just to get some facts on the page. They may be relevant or they may not be relevant. At this point there have been 2,600 upgrade installations so far and only you guys are having issues/problems with the .47.5 upgrade so logically this appears to be an isolated problem or separate isolated problems and not an overall coding problem/issue in .47.5.

1. The BPS plugin files were resaved in UNIX LF Code Format as they were incorrectly saved in CR LF Windows Code Format in .47.4 – this is most likely not relevant and this issue would only affect Mac based Servers by displaying Control M characters in .htaccess files on those Mac based Servers (Mountain Lion, BSD, etc) in .47.4. The .47.5 release fixes that Code Format issue for those particular folks.

2. plugins_url and WP_PLUGIN_DIR Constants were added to replace several WP_CONTENT_DIR Contants – this also is probably not relevant, unless of course the problem is symlink related, but i seriously doubt that is the issue.

3. BPS now does a DNS Host Name check so it is possible that this coding check does not work on your particular websites/Hosts/Server – this is actually something that could be a problem on a larger scale, but so far it does not appear to be an issue or problem on a larger scale so most likely this change is also irrelevant to the problems/issues you guys are experiencing.

I am leaning more toward that these are all isolated incidents since the ratio of reported problems is actually very low 3 out of 2,600 downloads/installations and literally only you guys so far – lucky you right. ??

@ bsp2012 – The plugin overall size decreased because the screenshot image files were moved to the SVN Assets folder. This helps make the zip installations faster and of course reduces Bandwidth and resource cost for www.ads-software.com.

This is an important clue to the problem that is occurring on your website/Host/Server – “When I tried uploading the secure.htaccess again on that folder, the file is not seen though it was upload correctly. And, when I tried creating the file, secure.htaccess disappears on that folder after saving the code in the editor.”

The file has to exist if you are uploading it so you would need to turn on “Show Hidden Files” to see the .htaccess file since on some Hosts these files are hidden by default. Or another problem could be a file permission/ownership problem – do you see file or folder permissions that show 0000 (4 zeros) instead of 644 or 755?

@ bsp2012 – Please do these troubleshooting steps.
1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
2. Click the AutoMagic buttons and activate BulletProof Modes for both your Root folder and wp-admin folder.
3. Deactivate all your plugins except for BPS.
4. install the BPS automatic update to .47.5

let me know what happens at this point.

@damian500 – please also try the troubleshooting steps above.

@sbbn – This is a great clue – “secure.htaccess on public_html/wp-content/plugins/bulletproof-security/admin/htaccess is not found or not re-writable”

…and indicates that the .htaccess file is either being deleted or damaged during the BPS upgrade, which sounds like the classic cPanel Broken HotLink Protection Tool problem.

Please also follow the troubleshooting steps above and let me know what happens at this point.

I ran into the same problem — the root .htaccess and secure.htaccess files both disappearing and being “not found or nor re-writable” by BPS. Neither were they visible in Filezilla and Cpanel but NOT because of being hidden files: the wp-admin folder’s .htaccess file was visible.

I uploaded a basic .htaccess file to the root and duplicated it as secure.htaccess in the BPS admin/htaccess directory, and then painstakingly copied over each portion of the code, one at a time, to see which part was making it break. This is the only one that triggered the problem:

# REQUEST METHODS FILTERED
# This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
# HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just
# a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
# all bots to make a HEAD request then remove HEAD from the Request Method filter.
# The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]

So I removed that part of the code and it works fine again. Hope this helps figure out why, and how to accomplish the intended goal in some other way that’s not as problematic.
??

I spoke too soon — getting 404 errors for all but the homepage. But at least the .htaccess files are staying put…

The problem you are describing sounds exactly like the cPanel Broken HotLink Protection Tool problem. do you have cPanel for your web host control panel?

Oh never mind i see you already said you have cPanel. LOL

ok look at this post and let me know if this is the problem. This problem has been occurring for over 10 years and i assume will continue to happen to the end of time. ugh.

cPanel Broken HotLink Protection Tool problem
https://www.ads-software.com/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=7

And logically i am getting a clearer picture of what might be happening thanks to you isolating the new coding area that the broken HotLink Protection Tool is now seeing to break everything in even more ways. sigh. The broken cPanel HotLink Protection Tool will scan your root .htaccess file and it looks for code like this – RewriteCond %{HTTP_REFERER} ^.*example.com.* so that it can automatically incorporate that .htaccess code into its own cPanel options. this is really neat, but unfortunately it does not work correctly and ends up destroying the valid htaccess code and generates either 403, 404 or 500 errors and does anywhere from breaking your site URL’s to crashing your entire website.

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Only Allow Internal File Requests From Your Website
# To Allow Additional Websites Access to a File Use [OR] as shown below.
# RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
# RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteCond %{HTTP_REFERER} ^.*example.com.*
RewriteRule . - [S=1]

Also to all who have posted in this thread please list your web hosts. BPS now has new DNS Name Server coding that will detect your web host and not automatically lock your root .htaccess file if your particular Host does not allow this. This may or may not be relevant to the problem, but it is worth gathering that information and eliminating that possibility. Also please check the current file permissions for your root .htaccess file and then test changing the file permissions from 644 to 404 if the root .htaccess file permissions are not already 404 permissions. Please post whether or not changing the root .htaccess file permissions to 404 causes a problem for your particular website. Also please list your Server API type – you will find this information under the BPS System Info tab page. Thanks.

https://www.ads-software.com/support/topic/plugin-bulletproof-security-403-error-after-upgrade-htaccess-file-permission-issue?replies=1

Ok i now have 3 confirmed people who are using Namecheap hosting that are having both BPS files being incorrectly quarantined and also BPS .htaccess files that are being incorrectly quarantined. It appears that Namecheap has a malfunctioning scanner that is incorrectly scanning files or scanning files in a too general way and quarantining these legitimate files.

For all people who posted in this thread please post your web host name.

I will be posting a sticky post to the top of the BPS Forum for folks who have Namecheap hosting until i have a chance to contact Namecheap and alert them to this problem.

Thank you.

Getting the same error too. My webhost is Stablehost and also using cPanel. Previous versions worked fine but this new version 0.47.5 Bullet Proof Security not working correctly. :/

Yep i think there are 2 problems going on here – the Namecheap incorrect quarantining of BPS .htaccess files and then the good old cPanel Broken HotLink Protection Tool problem. Woohoo! LOL

Please see this post regarding the cPanel Broken HotLink Protection Tool for the steps you can take to fix the problem >>> https://www.ads-software.com/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=7

Okay, I got the 404 errors to disappear by also removing this part of the code:

# FORBID EMPTY REFFERER SPAMBOTS
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} (wp-comments-post\.php)
#RewriteCond %{HTTP_REFERER} !^.*demo5.local.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F]

Web host is EthicalHost.ca
Server API is CGI
Attempting to change permissions to 404 resulted in them being changed to 604 (server override).

Locking the root .htaccess within BPS after editing resulted in some of the code disappearing — not the end of the code being truncated, but all the code for PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES, TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE, and BPSQSE BPS QUERY STRING EXPLOITS. I’d already removed FORBID EMPTY REFFERER SPAMBOTS and REQUEST METHODS FILTERED.

I’ve left it “unlocked” in BPS, with permissions set to 604.

Clicking the Update File button sent me to
[website URL]/#bps-tabs-5
instead of
[website URL]/wp-admin/admin.php?page=bulletproof-security/admin/options.php#bps-tabs-5
but using the browser’s Back button enabled me to get back to the BPS tabs.

Also it is looking like a couple other hosts are also using the same scanner or scanning script that is misinterpreting valid htaccess code as malicious code. So this may not be isolated to only one host. i will try to find the source of that scanner script or application to isolate it and find out its name so that i can identify why it is misinterpreting valid code.

I just got some alerts from the WordPress Firewall 2 plugin, concerning my edits of the .htaccess files, so maybe that’s where some of the problems are from when trying to save the edits. I’ll have to remember to disable the firewall temporarily next time.

Or just save a lot of hardship for a lot of folks and just say sayonara to that “misinterpreted valid code” and move on…
??

Well that would be going backwards instead of moving forward. The .htaccess code has value and is working on most web hosts. So instead of throwing the baby out with the bath water i would like to isolate the source of these problems since this is only occurring on a very small scale relatively. Out of 3,370 upgrade installations of BPS .47.5 the number of folks experiencing problems is very low. So i would like to keep moving forward on this one. If even 1% of the upgrade installations were failing then i would quickly revert back to .47.4, but we are well below that mark.