Magic Buttons and Admin Notice Issue

Go to the BPS System Info tab page and post this information about your website/Server.

Server Type:
Operating System:
WP Filesystem API Method:
Server API:

Here is the information you requested

Website Root Folder: https://www.proxy.com
Document Root Path: /home/cheaplt/public_html
WP ABSPATH: /home/cheaplt/public_html/
Parent Directory: /home/cheaplt
Server / Website IP Address: xxx.xxx.xxx.xxx
Host by Address: xxx.xxx.xxx.xxx
DNS Name Server: ns1.proxy.com
Public IP / Your Computer IP Address: xxx.xxx.xxx.xxx
Server Type: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_bwlimited/1.4
Operating System: Linux
Server API: cgi-fcgi – Your Host Server is using CGI.
cURL: cURL Extension is Loaded
Zend Engine Version: 2.3.0
Zend Guard/Optimizer: A Zend Extension is Not Loaded
ionCube Loader: ionCube Loader Extension is Loaded Version: 40401
Suhosin: Suhosin is Not Installed/Loaded
APC: APC Extension is Not Loaded
eAccelerator: eAccelerator Extension is Not Loaded
XCache: XCache Extension is Loaded but Not Enabled
Varnish: Varnish Extension is Not Loaded
Memcache: Memcache Extension is Not Loaded
Memcached: Memcached Extension is Not Loaded

I took out my IP and domain from the copy and paste.

Upgrade to the new version of BPS that was released an hour ago and then post this from the BPS System Info page:

WP Filesystem API Method:

Oh wow nevermind I know what the issue is. I missed that you said your Host added additional .htaccess code in your root .htaccess file. Post that additional .htaccess code and I’ll tell you where you need to copy and paste it too.

Yeah they added alot, and im not sure what they added and what they didn’t. can i send this hta code through personal message, i am unsure if it leaks sensitive data or not.

Actually all you need to do is to make sure that the top of the .htaccess file has this text at the very top of the file:

# BULLETPROOF .49.2 >>>>>>> SECURE .HTACCESS

If anything is above this text then cut and paste it below this. Also did you put all of the custom .htaccess code that your Host added in BPS Custom Code? If not, then if you use the AutoMagic buttons at a later time that code will be overwritten.

on my Current Root htaccess file this is above the BULLET PROOF .49.2 code

# BEGIN Better WP Security
Order Allow,Deny
Deny from env=DenyAccess
Allow from all
SetEnvIF REMOTE_ADDR “^69\.170\.53\.187$” DenyAccess
SetEnvIF X-FORWARDED-FOR “^69\.170\.53\.187$” DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP “^69\.170\.53\.187$” DenyAccess
SetEnvIF REMOTE_ADDR “^76\.254\.45\.70$” DenyAccess
SetEnvIF X-FORWARDED-FOR “^76\.254\.45\.70$” DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP “^76\.254\.45\.70$” DenyAccess
<IfModule mod_rewrite.c>
RewriteEngine On

RewriteCond %{HTTP_USER_AGENT} ^69\\\\\\\\\\\\\\\\\\\\\.170\\\\\\\\\\\\\\\\\\\\\.53\\\\\\\\\\\\\\\\\\\\\.187 [NC]
RewriteRule ^(.*)$ – [F,L]

</IfModule>
# END Better WP Security

Im not sure what my hosting server added so i wont beable to put any custom codes anywhere =(.

Wow what’s up with this? This is not valid code below???
^69\\\\\\\\\\\\\\\\\\\\\.170\\\\\\\\\\\\\\\\\\\\\.53\\\\\\\\\\\\\\\\\\\\\.187 [NC]

Ok all you have to do is cut and paste this # BULLETPROOF .49.2 >>>>>>> SECURE .HTACCESS above the all other code. This is just text commented out, but BPS needs to find this at the top of the .htaccess file.

Sorry mate forgot to mention this was right below the better WP code

# BULLETPROOF .49 >>>>>>> SECURE .HTACCESS

# If you edit the BULLETPROOF .49 >>>>>>> SECURE .HTACCESS text above
# you will see error messages on the BPS Security Status page
# BPS is reading the version number in the htaccess file to validate checks
# If you would like to change what is displayed above you
# will need to edit the BPS /includes/functions.php file to match your changes
# If you update your WordPress Permalinks the code between BEGIN WordPress and
# END WordPress is replaced by WP htaccess code.
# BEGIN WordPress

isn’t this the same thing? im a bit confused sorry.

The check for the BPS version number looks at the top of the file X number of characters. In any case, this is just commented out text. A pound sign means the text is commented out so cutting and pasting this to the top of the htaccess file will allow BPS to find the version number and this will not affect anything else since this it just text commented out.

Or you can just ignore the BPS Alert! Your site does not appear to be protected by BulletProof Security alert. Either way is fine.

Oh, so currently even thought it says that notice, my site is being protected?

also i may of confused you, this code is above the BPS code you mentioned, should i remove it for the BPS to work properly

# BULLETPROOF .49 >>>>>>> SECURE .HTACCESS

# If you edit the BULLETPROOF .49 >>>>>>> SECURE .HTACCESS text above
# you will see error messages on the BPS Security Status page
# BPS is reading the version number in the htaccess file to validate checks
# If you would like to change what is displayed above you
# will need to edit the BPS /includes/functions.php file to match your changes
# If you update your WordPress Permalinks the code between BEGIN WordPress and
# END WordPress is replaced by WP htaccess code.
# BEGIN WordPress

This goes at the very top of the .htaccess file:
# BULLETPROOF .49 >>>>>>> SECURE .HTACCESS

Okay it is now at the very top =D, does this mean my site is protected now regardless of the notice?

Are you still seeing the Alert? If so, then the other thing that BPS checks for to verify that BPS security code is actually in use is the BPS Query String section of security filters.

Do you still see the BPS Query String section of code in your root .htaccess file?

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
…
…
…
# END BPSQSE BPS QUERY STRING EXPLOITS