I think Bulletproof just stopped me from damaging my own site

Since \" is not a valid URI/URL format then you would not need to do anything about that. This should just be treated like a soft 404 error. Not really sure about the other things you mentioned. I would need to see the htaccess code you used, any error messages, other messages, etc.

Here are the two lines involved in my Redirect attempt:

# https://www.nonameyet.org/step-four-we-reviewed-our-fears-thoroughly/\"
# https://www.nonameyet.org/step-four-we-reviewed-our-fears-thoroughly/

I first went to this generator and got this response:

## from https://www.htaccessredirect.net/index.php
# Needed before any rewriting
RewriteEngine On
### Built using the .htaccess 301 Redirect Generator from Web Site Advantage
### https://websiteadvantage.com.au/HtAccess-301-Redirect-Generator
### Place after 'RewriteEngine On' and before any CMS specific rewrite rules

## 301 Redirects

In all honesty, it was at that point that I strongly suspected what you have said about the \" not being legit, and I should have just stopped right there. Ultimately, however, I got this from a different generator:

## from https://www.webconfs.com/htaccess-redirect-generator.php
Options +FollowSymlinks
RewriteEngine on
rewriterule ^step-four-we-reviewed-our-fears-thoroughly/\"(.*)$ https://www.nonameyet.org/step-four-we-reviewed-our-fears-thoroughly/$1 [r=301,nc]

I next entered that code via the BPS editor, then my Dashboard washed out just after I had pressed “Save” or whatever. At that point, I refreshed my browser and found myself at the front of a messed-up-looking site, but then clicking on the Dashboard link I could see there got me back in and everything was fine. I next headed for the BPS editor to remove that code I had inserted and discovered your notice about that Options +FollowSymlinks line and why BPS had automagically blocked it out. So as best I can tell, BPS took the hit and covered my butt at the same time without anyone or anything actually being injured by my rookie experimentation!

Many thanks, kind sir.

“…and discovered your notice about that Options +FollowSymlinks line and why BPS had automagically blocked it out.”

BPS does not have a notice/error message that has “Options +FollowSymlinks” text in it so nope that was not coming from BPS. Maybe Wordfence?

In any case, since the URI/URL is not valid then you can just ignore it and do not need to do anything about it. That URL is the same thing as this example URL: https://www.nonameyet.org/step-four-we-reviewed-our-fears-thoroughly/page-that-does-not-really-exist/

This is just an FYI (nothing needs to be done here): A backslash character is a special character in Regular Expressions code and means escape the following character so that it is interpreted as a literal character. To escape the special character “\” in Regular Expressions code you would need to do add 2 backslashes “\\” which means interpret the following backslash character literally instead of interpreting its special meaning.

Just another FYI – I prefer to use the RedirectMatch htaccess directive to do redirects since it allows you to use Regular Expressions code and it is much simpler and cleaner visually.

This would redirect that URI/URL to that post

RedirectMatch 301 ^/step-four-we-reviewed-our-fears-thoroughly/\\"$ https://www.nonameyet.org/step-four-we-reviewed-our-fears-thoroughly/

BPS does not have a notice/error message that has “Options +FollowSymlinks” text in it so nope that was not coming from BPS. Maybe Wordfence?

I was referring to this simple note from BPS in my root htaccess that I should not have called a notice:

# For security reasons, Option followsymlinks cannot be overridden.
#Options +FollowSymlinks
Options +SymLinksIfOwnerMatch
## Redirects

At the time, however, and since that was just above the redirect I had added, I had assumed BPS had trumped my experiment that had included the addition of Options +FollowSymlinks and then added that note to tell me why!

since the URI/URL is not valid then you can just ignore it and do not need to do anything about it.

Understood, and I am presently doing just that with a few at my sandbox site where few things like that are of any real consequence anyway. But in other cases, at least in the past, errors were coming out because of changes I had made at other sites and I began adding redirects whenever I saw them so people could get to wherever they had clicked an embedded link to go.

I just tried your code for the page we have been talking about here and still ended up at the page where a plugin is sending that kind of error, but I suspect the issue there is that the plugin might somehow be catching the error before htaccess can redirect it? That does not make logical sense to me, but that is my Primary Domain in a sub-folder setup with two htaccess files controlling it…or maybe I just have the redirect too low on the public_html page of htaccess. So, now I have something else to try to learn more about, but not until I have completed my move to arvixe.com where I happen to have already mentioned BPS:

https://forum.arvixe.com/smf/wordpress/best-way-to-prevent-wordpress-hack/msg70172/#msg70172

Keep up the good work!

I was referring to this simple note from BPS in my root htaccess that I should not have called a notice:

That is not BPS htaccess code so nope it was not added or created by BPS. We don’t use Options +FollowSymlinks htaccess code because it does NOT work well with WordPress.

https://httpd.apache.org/docs/2.2/mod/core.html#options

Some plugins do overlap, but no single plugin “does it all”.

Quoted from the post in the arvixe forum link above.
Cough, cough yes there is a plugin that does it all (“all” meaning doing things that no other WordPress security plugins are doing and then some) >>> BulletProof Security Pro. ??

Cough, cough yes there is a plugin that does it all (“all” meaning doing things that no other WordPress security plugins are doing and then some) >>> BulletProof Security Pro. ??

I took a fresh look there a few days ago, and yes, I can see it has its advantages!

Question: Am I doing something foolish here…

https://www.nonameyet.org/Fckeditor/editor ??

None of those kinds of hits ever get past BPS and do any harm, but my goal is to stop them at public_html and never let them even get to my Domain’s sub-folder. Also, is it possible to use some kind of wildcard so these these kinds of lines can be merged into one…

Redirect 301 /editor/editor https://tinyurl.com/l2qwunk
Redirect 301 /fckeditor/editor https://tinyurl.com/ktuy4oe
Redirect 301 /Fckeditor/editor https://tinyurl.com/ktuy4oe

??

Yep BPS Pro is amazing and has a perfect track record of zero hacked websites for 3+ years now. No one is going to believe that of course, but it is true. ?? BPS free is pretty darn good too.

Questions:
Do you have Fckeditor installed?
Are you trying to redirect things that are already being handled/blocked by BPS?

Do you have Fckeditor installed?

No.

Are you trying to redirect things that are already being handled/blocked by BPS?

Trying to to stop malicious traffic way out at the gate (public_html) so it never even enters the BPS-protected cluster of sub-folders where all Domains reside…

…and that brings up a secondary question: Why do my redirects for my Primary Domain (also in a sub-folder) have to be out in public_html/.htaccess in order to work at all? Could that be because I have index.php set out there (rather than index.html) and that is what is making it possible for traffic to jump over redirects on the inside even if I have them at the very top of BPS Custom Code? In any case, my primary concern here is that I not get too far out in front of BPS as well as Wordfence and its throttling.

Trying to to stop malicious traffic way out at the gate (public_html) so it never even enters the BPS-protected cluster of sub-folders where all Domains reside…

That is what BPS is already doing. htaccess files are distributed server configuration files. htaccess files are processed first by your server before the PHP code in WordPress by your server. The folder structure or when and where physically does not really come into play or matter or make any difference as long as an htaccess file exists where your website is physically installed/exists.

You have not given me enough information, specific details, the redirect code or what is doing what so I cannot offer any kind of answer for the redirect question.

Another way of phrasing this is: Everything has to go through the BPS Security filters before it reaches your website >>> Everything.

public_html feeds my Primary Domain’s sub-folder where BPS is installed, and redirects in BPS Custom Code inside that folder have no effect on that Domain.

public_html also feeds my other Domains sitting side-by-side with my Primary, and redirects inside those domains’ BPS installations work just fine.

But what I am trying to do is to stop certain traffic from ever even getting past public_html at all…and I am doing that.

Can BPS Pro reach up from a sub-folder and handle .htaccess in a preceding folder?

I feel like I just ate acid. Dude I don’t understand a single thing you just posted above??? Can you try to describe things technically correct or maybe actual examples would be better. ??

I think this Forum Topic link below will answer any htaccess file hierarchy, structure, relational questions.

https://forum.ait-pro.com/forums/topic/htaccess-files-for-multiple-website-domains/

htaccess files are hierarchical/recursive, and that is my point. I know BPS knows public_html precedes it, and from there inside public_html is the example I have already given: I am using public_html/.htaccess to send certain malicious traffic straight to public_html/deadend/image.jpg before it ever encounters BPS at all…and I am hoping that is not a foolish thing to do! I was actually sending them out to a Google search for a while, something like I am doing with this: https://www.farmertank.net, but then realized Google might not appreciate that.