500 errors efter installing Bulletproof Security

When I edit the .htaccess files with vim, via SSH, I can see a lot of ^M at the end of almost every line. What’s that about?

This is probably the cause of the problem if you have a MAC based Server – BSD or Mountain Lion, etc. The Control M line breaks are a Windows based Line Break. The last save of the BPS plugin files was done in Windows CR LF Code Format. This was a mistake and should have been LF UNIX Code Format. This is corrected in BPS .47.5, which will be released in a couple of days. You will need to strip out the the ^M line breaks.

Other things that can cause 500 errors are:

Using and .htaccess file on Windows Hosting. BPS is designed for Apache Linux Hosting.

Comment out the Options -Indexes line below with a # sign in your root .htaccess file as shown below.

# DO NOT SHOW DIRECTORY LISTING
# If you are getting 500 Errors when activating BPS then comment out Options -Indexes
# by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
#Options -Indexes

BPS and BPS Pro are compatible with 1,000′s of Web Hosts, but are not compatible with these 3 Web Hosting Companies (Landis Holdings, NTT Communications & DreamHost – Due to Custom Server Configurations)

Hostingzoom (Landis Holdings)
Resellerzoom (Landis Holdings)
Modvps (Landis Holdings)
WowVPS.com (Landis Holdings)
JaguarPC (Landis Holdings)
Verio (NTT Communications)
NTT America (NTT Communications)
NTT Europe (NTT Communications)
DreamHost

The Broken cPanel HotLink Protection Tool problem.
https://www.ads-software.com/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=7

Some web hosts only allow 644 file permissions. change the root .htaccess file permissions to 644.

This is all done on a VPS running Ubuntu Server 12.04 LTS hosted by Inception Hosting, so I don’t think that it’s a webhost cPanel issue.

The thing is that I manually removed all ^M entries but still no go.
I use en_US.ISO-8859-1 as locale on the server, if that matters ..

I’m thinking it maybe has something to do with my vhost for this WP-installation?

<VirtualHost *:80>
        ServerName blog.site.com
        ServerAlias blog.site.com
        DocumentRoot /var/www/blog/html/

        ErrorLog ${APACHE_LOG_DIR}/blog.site.error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/blog.site.access.log combined

        <Directory /var/www/blog/html>
                Options FollowSymlinks
                AllowOverride FileInfo
        </Directory>
</VirtualHost>

Have you tried using a default regular WordPress .htaccess file? Does it work or do you still get 500 errors? Open your root .htaccess and look at the formatting. Is there formatting with line breaks or is the code all one big block of code without line breaks?

I’m not real familiar with LogLevel WARN and use RewriteLogLevel for .htaccess debugging.

“The RewriteLogLevel directive sets the verbosity level of the rewriting logfile. The default level 0 means no logging, while 9 or more means that practically all actions are logged.

To disable the logging of rewriting actions simply set Level to 0. This disables all rewrite action logs.

Using a high value for Level will slow down your Apache server dramatically! Use the rewriting logfile at a Level greater than 2 only for debugging!”

# Log to a file:
RewriteLog “/usr/local/var/apache/logs/rewrite.log”
# 2 is recommended for Production sites
RewriteLogLevel 2

hmm yeah aren’t you supposed to have your paths in double quotes (probably either way is fine)? It is possible that it could be your httpd-vhosts.conf config, but i don’t think the problem is actually going to be that “deep”. Delete the root .htaccess file and then just resave your custom permalink structure to generate a new WordPress Default .htaccess file and let me know what happens at that point.

NameVirtualHost *:80

<VirtualHost example-site.local>
    ServerAdmin postmaster@localhost
    DocumentRoot "C:/xampp/htdocs/example-site"
    ServerName example-site.local
    ServerAlias example-site.local
    <Directory "C:/xampp/htdocs/example-site">
    	Options Indexes FollowSymLinks Includes ExecCGI
    	AllowOverride All
    	Order allow,deny
    	Allow from all
    </Directory>
</VirtualHost>

I stripped out the vhost-file and now it actually works!

I just added this, to the Options statement.
Indexes Includes ExecCGI

Thanks for your support!

Awesome!!!
thanks for confirming all is well. ??

AITpro – What is it that we’re doing here at DreamHost that won’t let your plugin work? If you want to email me, hit me up at mepstein AT dreamhost.com ??

In my experience, DreamHost has always had much more advanced config stuff available to hosted customers compared to a lot of other Hosts, which typically offer the standardized one size fits all hosting accounts. ?? And of course DreamHost actively does a lot more custom Server security config stuff to actively beef up security for customers and the Hosting Environment, which of course is awesome. ??

Ok so actually here is the issue. I have only had 1 person/DreamHost customer report a problem and at the time i was not able to contact other DreamHost customers using BPS so i had to post this until i could check with other DreamHost peeps to do follow-ups to ensure all was well with them. I was going to tackle that today. But it is looking like actually this is just an isolated issue so far.

The person has the “My Happy Hosting” plan.
These are the issues that were causing problems for only BPS Pro, but i had to post something to “freeze” everything until i had time to do full research.

1. This user’s WordPress installation/version is automatically updated so what happens is if BPS Pro AutoRestore/Quarantine is turned on while the upgrade occurs then all WordPress Core files are AutoRestored and sent to Quarantine by BPS Pro.

2. This user is not getting the BPS Pro upgrade notification within the WP Dashboard so i assume that this is being actively blocked – i did not have to dig further into why this was, but most likely Remote API GET HTTP connections are being actively blocked.

3. The ZipArchive Class appears to be disabled on this user’s Server.

All of things add/increase security for this particular user, but also cause the user problems so what i need to determine is if this is just done on his particular hosting account type or if these are new sitewide policies, etc. And i think that the active approach that DreamHost takes to protect their customers if very admirable so i am definitely not knocking DH in any way shape or form. ??

So give me a day or two to dig deeper into these things and contact other DH customers and most likely i can remove this “freeze” posting that was posted as a CYA post LOL ?? At this point since i have not heard from any other DreamHost customers then it should be able to remove that post today or tomorrow once i can contact them to confirm all is well.

@mika – ok i have checked in with several folks who have VPS and Shared Hosting on DreamHost and they are not having any problems whatsoever with BPS so this was apparently just an isolated incident. Thanks.