bulletproof-security.0.47.5 not working

@heartwood – i think that Firewall 2 is just seeing some code that it is interpreting as malicious so this is just a false alarm, but thanks for that input. There are several things that Firewall 2 sees in BPS Pro that it considers possible malicious code and those folks just tell Firewall 2 to ignore those false alarms. Thanks.

@heartwood – ok then this host does have file permission restrictions in place so this host will be added to the DNS Name Server DO NOT AUTOMATICALLY LOCK the root .htaccess file coding. Thanks.

I am still analyzing why the FORBID EMPTY REFFERER SPAMBOTS code would cause a 404 error on your particular website/Host. This is not occurring on most hosts.

The last thing you mentioned is related to URL’s being broken so it is a 404 issue of some kind.

Also in general there could be several isolated problems going on here so i want to be very careful here about not lumping isolated incidents under 1 umbrella. ?? The fact still remains the most upgrade installations to BPS .47.5 are working perfectly fine with the exception of a handful of folks.

@heartwood – Please do these steps below.

1. Download your root .htaccess file to your computer.
2. Click the Create secure.htaccess AutoMagic button.
3. Go to the BPS Edit/Upload/Download tab page.
4. Click on the secure.htaccess tab and copy all the contents of that file.
5. Paste the contents of that file and overwrite all the contents of the .htaccess file that you downloaded to your computer and save the file.
6. upload that .htaccess file and overwrite your root .htaccess file in your website root folder.
7. change the root .htaccess file permissions to 644.

Please post the results of doing these steps above. Thanks.

Do you mean try to put the original secure.htaccess back first? That’s what kept disappearing and I had to edit it to make it stop doing that.

The downloaded root .htaccess was missing most of the code I thought I’d managed to put back in. I replaced it first with the version on my computer that I had thought was working:

# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

</IfModule>

# END WordPress

#   BULLETPROOF .47.5 >>>>>>> SECURE .HTACCESS

# If you edit the  BULLETPROOF .47.5 >>>>>>> SECURE .HTACCESS text above

# you will see error messages on the BPS Security Status page

# BPS is reading the version number in the htaccess file to validate checks

# If you would like to change what is displayed above you

# will need to edit the BPS /includes/functions.php file to match your changes

# If you update your WordPress Permalinks the code between BEGIN WordPress and

# END WordPress is replaced by WP htaccess code.

# This removes all of the BPS security code and replaces it with just the default WP htaccess code

# To restore this file use BPS Restore or activate BulletProof Mode for your Root folder again.

# BEGIN WordPress

# IMPORTANT!!! DO NOT DELETE!!! - BEGIN WordPress above or END WordPress - text in this file

# They are reference points for WP, BPS and other plugins to write to this htaccess file.

# IMPORTANT!!! DO NOT DELETE!!! - BPSQSE BPS QUERY STRING EXPLOITS - text

# BPS needs to find the - BPSQSE - text string in this file to validate that your security filters exist

# TURN OFF YOUR SERVER SIGNATURE

ServerSignature Off

# ADD A PHP HANDLER

# If you are using a PHP Handler add your web hosts PHP Handler below

# DO NOT SHOW DIRECTORY LISTING

# If you are getting 500 Errors when activating BPS then comment out Options -Indexes 

# by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.

Options -Indexes

# DIRECTORY INDEX FORCE INDEX.PHP

# Use index.php as default directory index file

# index.html will be ignored will not load.

DirectoryIndex index.php index.html /index.php

# BPS PRO ERROR LOGGING AND TRACKING - Available in BPS Pro only

# BPS Pro has premade 403 Forbidden, 400 Bad Request and 404 Not Found files that are used 

# to track and log 403, 400 and 404 errors that occur on your website. When a hacker attempts to

# hack your website the hackers IP address, Host name, Request Method, Referering link, the file name or

# requested resource, the user agent of the hacker and the query string used in the hack attempt are logged.

# BPS Pro Log files are added to the P-Security All Purpose File Manager to view them.

# All BPS Pro log files are htaccess protected so that only you can view them. 

# The 400.php, 403.php and 404.php files are located in /wp-content/plugins/bulletproof-security/

# The 400 and 403 Error logging files are already set up and will automatically start logging errors

# after you install BPS Pro and have activated BulletProof Mode for your Root folder.

# If you would like to log 404 errors you will need to copy the logging code in the BPS Pro 404.php file

# to your Theme's 404.php template file. Simple instructions are included in the BPS Pro 404.php file.

# You can open the BPS Pro 404.php file using the WP Plugins Editor or by using the BPS Pro File Manager.

# NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php template file.

# ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php

# ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php

ErrorDocument 404 /404.php

# DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
RedirectMatch 403 /\..*$

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
# IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
# Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.

# Adminer MySQL management tool data populate
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=12]
# Comment Spam Pack MU Plugin - CAPTCHA images not displaying
RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
RewriteRule . - [S=11]
# Peters Custom Anti-Spam display CAPTCHA Image
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
RewriteRule . - [S=10]
# Status Updater plugin fb connect
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
RewriteRule . - [S=9]
# Stream Video Player - Adding FLV Videos Blocked
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
RewriteRule . - [S=8]
# XCloner 404 or 403 error when updating settings
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
RewriteRule . - [S=7]
# BuddyPress Logout Redirect
RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
RewriteRule . - [S=6]
# redirect_to=
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
RewriteRule . - [S=5]
# Login Plugins Password Reset And Redirect 1
RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
RewriteRule . - [S=4]
# Login Plugins Password Reset And Redirect 2
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=3]

# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Only Allow Internal File Requests From Your Website
# To Allow Additional Websites Access to a File Use [OR] as shown below.
# RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
# RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
#RewriteCond %{HTTP_REFERER} ^.*demo5.local.*
RewriteRule . - [S=1]

# BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Add or remove user agents temporarily or permanently from the first User Agent filter below.
# If you want a list of bad bots / User Agents to block then scroll to the end of this file.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=https://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# DENY BROWSER ACCESS TO THESE FILES
# wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
# Replace Allow from 88.77.66.55 with your current IP address and remove the
# pound sign # from in front of the Allow from line of code below to access these
# files directly from your browser.

<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
Order allow,deny
Deny from all
#Allow from 88.77.66.55
</FilesMatch>

# IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
# END WordPress

The secure.htaccess was also incomplete, so I replaced that first too.

Then I followed your instructions. At step 4, the secure.htaccess was back to the original version rather than what I thought I had just uploaded — it had the FORBID EMPTY REFFERER SPAMBOTS and REQUEST METHODS FILTERED code back in it. However, I followed your directions exactly, and copy-pasted it into the downloaded root .htaccess and re-uploaded that, overwriting the one that was on the server. I changed the permissions to 644. The file immediately disappeared and the 404 errors were back.

I’ve re-uploaded the file that has the above code, both in the root as .htaccess with 604 permissions, and in the BPS admin/htaccess folder as secure.htaccess with 644 permissions, and all is working again.

[Moderator Note: Please use the pastebin for large blocks of code. 250 lines of .htaccess directives is just a little excessive.]

Ok yep that is what i thought would happen. Either this is because of the Broken cPanel HotLink Protection Tool problem or because your Host is stripping out .htaccess code automatically.

You are in a catch 22 situation on this host if it is the Broken cPanel HotLink Protection Tool that is doing this because you cannot lock your root .htaccess file to stop it from doing the damage that it does. The only way i have found to block this broken tool is by locking the root .htaccess file with 404 permission, which your Host does not allow.

So take a look in your cPanel and look for the HotLink Protection Tool and post the gibberish code that you see in the text boxes for that tool in your reply.

If you do not see gibberish code in the HotLink Protection Tool windows then your Host is doing this automatically to the root .htaccess file.

Also at the very top of the file you have standard WordPress htaccess code? this will of course cause things not to work correctly. Was this added automatically to your root .htaccess file?

The top of your root .htaccess file should start from:
# BULLETPROOF .47.5 >>>>>>> SECURE .HTACCESS

I didn’t think I had enabled Hotlink Protection throughout that whole process, but sure enough it said it was enabled:

URLs to allow access:

(%0A|%0D|%27|%3C|%3E|%00)
\.opendirviewer\.
users\.skynet\.be.*

Block direct access for these extensions (separate by commas):
.*

I clicked the Disable button and now it’s back to what it had been when I originally checked (which I did for the first time in response to your mention of it in your first post to this thread). So now it just has the list of the site’s domain names as URLs, and the list of extensions in the second box are now back to saying
jpg,jpeg,gif,png,bmp
but says it’s disabled.

No, the WordPress code was the basic code I used to get the .htaccess file to stop disappearing, and I just didn’t remove it. It didn’t get added automatically. I’ve removed it now, and re-uploaded the two files.

Yep this is the classic gibberish coding that is created by the broken cPanel HotLink Protection Tool so yep it is the broken cPanel HotLink Protection Tool that is causing the problems for your website.

It does not matter whether you enable the broken cPanel HotLink Protection Tool because both enable and disable are also broken – it runs automatically whether you like it or not and like i said the only way i have found to successfully prevent it from causing 404, 403 and 500 errors and breaking your website is to lock the root .htaccess file which prevents the broken cPanel HotLink Protection Tool from destroying your .htaccess file coding. Unfortunately, your host does not allow you to lock your .htaccess file – catch22. And i hate to tell you this, but the problem will occur over and over again – there is only one way to stop it and that is to lock your root .htaccess file.

… and then I got the 404 errors again. So I’ve put back the one with the WordPress code at the top, and it all seems to be working again.

Does that give you any clues?

Aaaargh! I re-downloaded it to check that it was still intact, and now it doesn’t have the WordPress code in it. I’m not getting the 404 errors but the Hotlink Protection has enabled itself again and is again showing the

(%0A|%0D|%27|%3C|%3E|%00)
\.opendirviewer\.
users\.skynet\.be.*

code
???

yep you have the classic broken cPanel HotLink Protection Tool problem that has been going on now for over 10 years. Since your Host does not allow you to lock your root .htaccess file then what i recommend is that you contact them to permanently remove this broken tool from your cPanel. I am getting pretty tired of having to deal with this same problem year after year so i am going to see if it is possible to kill this broken junk tool from within BPS itself. It is absolutely ridiculous to me that a problem could go on as long as it has – 10+ years really? My god.

Yep the broken cPanel HotLink Protection Tool will continue to break your website until the end of time since you are unable to block it by using 404 file permissions on your htaccess file.

Thanks for your patience with this. I’ll get in touch with my web host.