[Plugin: BulletProof Security] 403 Error After Upgrade – File Permission Issue

Hi there,

I did the routine update for the Bulletproof Security plugin this morning and was immediately locked out of the site, both front and back end. It’s a 403 Forbidden – You don’t have permission to access / on this server.

Obviously, I need to fix this asap. I looked for the .htaccess files and they were not there or at least I can’t see them. We’ve had BPS on this site since it was launched and never had this problem before.

Can you help? Is there a way to disable to plugin to regain access to the site? If there’s no .htaccess file, how can we be locked out?

thanks in advance!

403 errors can also be caused by the broken cPanel HotLink Protection Tool problem (broken since at least 2002) >>> https://www.ads-software.com/support/topic/plugin-bulletproof-security-broken-cpanel-hotlink-tool-404-errors-unable-to-edit-htaccess-files?replies=6

Look again for the root .htaccess file it is there. Once you find it delete it to log back into your website. Once you are logged back into your website then let me know that.

Thanks for getting back to me — I ftp’d to the site and I’m telling you, there was no root .htaccess file nor was there one in wp-admin directory. I tried uploading the backup .htaccess files (after renaming them) from the BPS backup directory in wp-content. I was allowed to upload the .htaccess to wp-admin but I got a permissions error at the web root for that site and it would not let me upload that file.

Not sure why the cPanel HotLink problem would suddenly surface now since we’ve been using BPS on this site for over a year.

This client opted to stay with their old web host sover.net which is different than the other WordPress clients we handle. The other BPS updates on our own web host went fine — it’s just this one, but boy is it broken.

I’m thinking I may have to uninstall the plugin at least temporarily while we figure out the problem with their server. But I don’t know how to do that with this plugin. Thanks again for any advice you can offer.

When looking at files are you also looking at hidden files? .htaccess files will be hidden on some hosts – you need to ensure that you are looking at all files including hidden files – this will be an option that you choose in whatever file browser or FTP app that you are using. Or you may have a permissions problem on the root folder. Check all folder and file permissions.

The cPanel HotLink Protection Tool has been broken for over 10 years. If your .htaccess file is unlocked for even a second then the broken HotLink Protection Tool coding can instantly destroy your website. You cannot turn it off/disable the broken cPanel HotLink Protection Tool because the “disable” button is also broken. So the point is the problem will happen anytime your root .htaccess file is unlocked. During the BPS automatic upgrade your root .htaccess file is unlocked so that new code can be written to it and then it is locked again.

There are 1,000’s of web hosts and they all have unique things that they allow, do not allow, require, configuration settings, permissions settings, etc etc etc. Basically there are no 2 web hosts that are exactly alike in the World.

BPS Help & Troubleshooting Info
Source: https://www.ait-pro.com/aitpro-blog/297/bulletproof-security-plugin-support/bulletproof-security-wordpress-plugin-support/

BPS setup steps:

1. Click the AutoMagic buttons
2. Activate All BulletProof Modes.
3. Setup complete.

BPS removal steps:

1. Activate Default Mode on the Security Modes page.
2. Use the Delete wp-admin .htaccess feature on the Security Modes page.
3. Deactivate and delete BPS on the WP Plugins page.

Unable to login into your website:

1. Use FTP or your Web Host Control Panel File Manager and delete the .htaccess file in your website root folder.
2. Log into your website, click the BPS AutoMagic Buttons and Activate all BulletProof Modes.

BPS and BPS Pro are not compatible with these 2 Web Hosting Companies (Landis Holdings & NTT Communications)

Hostingzoom (Landis Holdings)
Resellerzoom (Landis Holdings)
Modvps (Landis Holdings)
WowVPS.com (Landis Holdings)
JaguarPC (Landis Holdings)
Verio (NTT Communications)
NTT America (NTT Communications)
NTT Europe (NTT Communications)

BulletProof Security Plugin Conflict or Some Functionality On Your Website Is Not Working Correctly

If you think that BulletProof Security is causing a plugin conflict or any other issue on your website that is causing something not to work, then please use these steps below to take BulletProof Security out of the equation completely for testing. There is no need to deactivate BulletProof Security because it has a built-in Default Mode that allows you to put WordPress in a default state without deactivating BulletProof Security. If you find that BulletProof Security does have a conflict with another plugin then please check the BulletProof Security Plugin Compatibility Issues – Testing and Fixes Page to see if a fix (bypass/skip rule) is already listed. If your plugin is not listed and you have confirmed that BulletProof Security is definitely causing a conflict then please post a comment on the Questions, Comments, Problems & Wishlist Page for BulletProof Security Free and here for BulletProof Security Pro BPS Pro Questions, Comments & Problems.

1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
2. Activate Default Mode on the Security Modes page.
3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
4. Test your plugin or theme.
5. Restore your .htaccess files using BulletProof Security built-in Restore.

To completely uninstall BulletProof Security you would do steps 2 and 3 above and then just delete the BulletProof Security plugin on the WP Plugins page.

NOTE: Both the Root BulletProof Mode and the wp-admin BulletProof Mode MUST be activated – Activate Root BulletProof Mode and then activate wp-admin BulletProof Mode. If you only activate Root BulletProof Mode and you do not activate the wp-admin BulletProof Mode then some wp-admin Dashboard functions may not work correctly on some web hosts, such as configuring Widgets.

Hi again,

Thanks for the detailed response. I’ve been through all the documentation you pasted above on your web site and I don’t think it applies to us in this case.

1. I checked that my ftp software is displaying hidden files and the option for ‘omitting files that begin with a period’ was NOT checked, so it thinks it’s showing me those files.

2. The server would not let me upload the .htaccess file via ftp when I tried to restore a backup. I got the following ftp error:

.htaccess – error occurred – An FTP error occurred – cannot put .htaccess. Access denied. The file may not exist, or there could be a permission problem. Make sure you have proper authorization on the server and the server is properly configured.

3. I have no doubt there’s a misconfiguration on this server, but I don’t think the CPanel Hotlink issue is the issue in this particular case because if it were, I would have had this problem before for this client and I haven’t. To be honest, I don’t even think they’re using cPanel at sover.net but I’ll see if I can get them to tell me.

4. Most of the instructions above refer to doing things with .htaccess files (which aren’t present) and using the WP dashbaord which I’m forbidden from accessing. This presents a bit of a conundrum.

Are you absolutely sure there’s no way to temporarily deactivate your plugin to restore the web site? Because if not, this is starting to resemble a real problem.

Maybe it is what you say but if so, how do I fix it if I can’t see the files and don’t have cpanel and can’t access the dashboard? Thanks again for helping us out here.

Here is the thing – The security in BPS comes from the .htaccess files that BPS creates – ONLY. The plugin files only perform functions that relate to the BPS plugin itself. You can delete the BulletProof Security plugin folder from /plugins/bulletproof-security and this will remove the BPS plugin files, but if the problem is related to .htaccess files or not having .htaccess files, folder or file permissions problems or Server problems then deleting the BPS plugin folder is not going to do anything for whatever problem is going on for this particular website.

The fact that you are not able to upload a new .htaccess file IS THE REAL PROBLEM. So that is the problem you need to figure out. Once you figure that out then you can upload either a new secure .htaccess file or just a plain old WordPress default .htaccess file. Check folder permissions, check file permissions, can you upload a plain text file as a test file upload, etc etc etc. You need to figure out why you cannot upload a file to this website – that is the problem.

Folder permission should be 755 to allow uploading and writing.
File permissions should be 644 to allow uploading and writing.

The BPS free plugin is installed on this website and not the Pro version correct?

Thanks — this is what I needed to understand and it’s kind of what I thought. So there’s something fishy at the web host. I’ll see if I can get someone to contact their tech support and kill off those invisible .htaccess files. I appreciate your help in sorting this out and I’ll let you know how it goes.

I was able to contact web host technical support and they were able to help me by deleting the .htaccess file at web root that I couldn’t see. The .htaccess file in wp-admin had already been deleted by me, because I could see that file.

At that point, I was able to access the site home page but nothing else. But once I restored the default .htaccess for permalinks, I had the site back again.

The web host tech guy said that the permissions for the root .htaccess file were ‘bad’ in his opinion, and you had suggested in your documentation that for folks having the 403 problem, that would probably be the case.

I would say that despite this problem today, I feel much safer using BPS on all my sites. Not sure what I’m going to do about this one, but for now, I disabled BPS until I can figure out a solution. Thank you for your help. This site is using the free version of the plugin and I know you’re not making anything on it.

The web host tech guy said that the permissions for the root .htaccess file were ‘bad’…

Please contact your host tech guy again and ask him what the technical term “bad” means. LOL i assume that he means 404 Read-Only file permissions. ?? Also ask him if this particular host requires 644 file permissions for .htaccess files and if 404 file permissions are NOT allowed for this particular web host. This may be a web host that needs to be added to the new DNS filter that has been created in BPS .47.5, but i need for you to confirm that these things are true before i can add this host to the Do not lock root .htaccess file Host list. Thanks.

The logic that some hosts use is that by forcing 644 file permissions then the file cannot be made less secure by changing the file permission to say something like 777. But where that logic fails is that the file cannot be made more secure by changing the file permissions to something more secure like 404 permissions. ??

99.99% of all web hosts allow you to set the .htaccess file permissions to 404. I am aware of 5 hosts that do not allow 404 file permissions out of 100’s. ??

Please do this test for this host. Change the current root .htaccess file permissions to 404. If the 403 Forbidden error occurs then change the file permissions back to 644. Then post that web host’s name here so that i can add this host as a host that does not allow 404 permissions for .htaccess files. Thank you.

Hi again,

Sorry, I got pulled into other work. But I’m back. Here’s the scoop: the tech guy was not wild about helping me with this and since the file becomes invisible to me when I change its permissions to 404, I’ll need him to be there to delete the file again as soon as I do it (because the site will become forbidden again). What I’d feel more comfortable doing is asking him your question, specifically: if this particular host requires 644 file permissions for .htaccess files and if 404 file permissions are NOT allowed for this particular web host. Would that work?

I’ll go ahead and ask him and let you know what he says. The filter would be great since I’m sure it’s the non-standard file permission what’s causing this server to choke (who knew?).

Thanks again for following up.

Yep asking them would be great. I just need official confirmation from you before I can add this host’s Name Server.

404 is a standard .htaccess file permission setting for 99.99% of all the 1,000’s of web hosts assuming that the Server is CGI configured, but some hosts (very few) feel that by restricting an .htaccess file’s pemissions to 644 that this will prevent the file’s permission from being set to something less secure like 777. This works, but of course it also creates a problem – the .htaccess file’s permission cannot be set to something more secure such as 404 permissions. It just comes down to a particular host’s preferences, but logically 404 file permssions should be allowed for CGI configured Servers. DSO configured Servers file permissions must be 644 or above otherwise they will not be valid since DSO configured Servers process file/folder ownership permissions differently. ??

Hi,
I have the problem on my own server, but not for every website !
Maybe it could be interesting to have a switch option in the dashboard to disable the change of the rights, couldn’t it ?

This is an old thread. That option was added months ago in BPS .47.6. It is called AutoLock. If you have a DSO configured Server you will not see this option. Please start a new thread if you have a DSO Configured Server since this would be a different issue/problem altogether.