CVE-2014-7958: BulletProof Security
Cross-site scripting (XSS) vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dbhost parameter.
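An added illustrative example of the reflected XSS pattern the CVE describes and its WordPress-idiomatic fix. This is not code from the BulletProof Security plugin (the affected source is not shown on this page); the function names, the nonce action name and the sample input are constructed for this example.

```php
<?php
// Illustrative example, not the plugin's own code. CVE-2014-7958 describes
// XSS via the dbhost parameter in admin/htaccess/bpsunlock.php; the
// "vulnerable" function below is a constructed stand-in for that pattern.

// Vulnerable pattern (constructed): a request parameter is reflected into an
// HTML attribute with no output encoding, so a quote in the value breaks out
// of the attribute and whatever follows is rendered as markup.
function render_dbhost_field_vulnerable(array $request): string {
    $dbhost = isset($request['dbhost']) ? (string) $request['dbhost'] : 'localhost';
    return '<input type="text" name="dbhost" value="' . $dbhost . '">';
}

// Hardened form: encode for the attribute context before output.
// esc_attr() is WordPress's attribute escaper; the htmlspecialchars()
// fallback lets this file run outside WordPress for demonstration.
function render_dbhost_field_hardened(array $request): string {
    $dbhost = isset($request['dbhost']) ? (string) $request['dbhost'] : 'localhost';
    $safe = function_exists('esc_attr')
        ? esc_attr($dbhost)
        : htmlspecialchars($dbhost, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="dbhost" value="' . $safe . '">';
}

// Defence in depth for an admin settings form: require the right capability
// and a valid nonce before acting on POSTed data at all. The nonce action
// name 'example_dbhost_form' is an assumption for this example.
function dbhost_form_authorized(): bool {
    if (!function_exists('current_user_can')) {
        return true; // outside WordPress: demonstration only
    }
    return current_user_can('manage_options')
        && isset($_POST['_wpnonce'])
        && wp_verify_nonce((string) $_POST['_wpnonce'], 'example_dbhost_form') !== false;
}

// Constructed sample input: closes the value attribute and injects markup.
$sample = ['dbhost' => '"><b>injected</b>'];
echo render_dbhost_field_vulnerable($sample), PHP_EOL; // <b>injected</b> becomes live markup
echo render_dbhost_field_hardened($sample), PHP_EOL;   // value stays inside the attribute
```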
WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam… View Security feature highlights below. View BulletProof Security feature details under the FAQ help section below. Effective, Reliable & Easy to use WordPress Security Plugin.
BulletProof Security is a proactive security plugin that automatically fixes 100+ known issues/conflicts with other plugins.
* BPS Setup Wizard AutoFix
BulletProof Security Installation and Setup Video Tutorial
BulletProof Security Feature Highlights
- One-Click Setup Wizard
- Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)
- MScan Malware Scanner
- .htaccess Website Security Protection (Firewalls)
- Hidden Plugin Folders|Files Cron (HPF)
- Login Security & Monitoring
- JTC-Lite (Limited version of BPS Pro JTC Anti-Spam|Anti-Hacker)
- Idle Session Logout (ISL)
- Auth Cookie Expiration (ACE)
- DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
- DB Table Prefix Changer
- Security Logging
- HTTP Error Logging
- FrontEnd|BackEnd Maintenance Mode
- Extensive System Info (System Info page)
- WordPress Automatic Update Options
- Force Strong Passwords (FSP)
- Send email alerts when new Plugin & Theme updates are available
BulletProof Security Pro Feature Highlights
- One-Click Setup Wizard
- Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)
- AutoRestore Intrusion Detection & Prevention System (ARQ IDPS)
- Quarantine Intrusion Detection & Prevention System (ARQ IDPS)
- Real-time File Monitor (IDPS)
- MScan Malware Scanner
- DB Monitor Intrusion Detection System (IDS)
- DB Diff Tool: data comparison tool
- DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
- DB Status & Info: extensive database status & info
- Plugin Firewall (IP Firewall): Automated Whitelisting & IP Address Updated in Real-time
- JTC Anti-Spam|Anti-Hacker
- Uploads Folder Anti-Exploit Guard (UAEG)
- .htaccess Website Security Protection (Firewalls)
- Hidden Plugin Folders|Files Cron (HPF)
- Custom php.ini Website Security
- Login Security & Monitoring w/Dashboard Alerting|Status Display & additional options/features
- Idle Session Logout (ISL)
- Auth Cookie Expiration (ACE)
- File|Folder Lock: File Locking | Detect & Lock Folders that were not created by you
- FrontEnd|BackEnd Maintenance Mode
- Security Logging
- HTTP Error Logging
- PHP Error Logging
- DB Table Prefix Changer
- Pro-Tools: 16 mini-plugins
- Heads Up Dashboard Status Display
- Extensive System Info (System Info page)
- WordPress Automatic Update Options
- Force Strong Passwords (FSP)
- Send email alerts when new Plugin & Theme updates are available
- View All BulletProof Security Pro Feature Details
BulletProof Security Recommended Video Tutorials
- BulletProof Security Custom Code Video Tutorial
- BulletProof Security Security Log Video Tutorial
Help Info
Extensive Help Info can be found on the AIT-pro.com Forum website and by clicking the Question Mark Help buttons on BulletProof Security plugin pages. For details about BulletProof Security plugin features and frequently asked questions see the FAQ section below. The BPS plugin Help and FAQ tab pages also contain additional help links.
Installation
Click the Setup Wizard button.
Optional Features:
- Idle Session Logout (ISL)
- Auth Cookie Expiration (ACE)
- DB Table Prefix Changer
- Maintenance Mode
- UI|UX Settings: Choose UI|UX visual preferences & functionality.
- MScan Malware Scanner
- Uninstall Options
- An Uninstall Options link is located on the WordPress Plugins page under the BulletProof Security plugin.
- Clicking the Uninstall Options link loads a jQuery UI Dialog Form with 2 uninstall options.
- If you are upgrading to BPS Pro, select the BPS Pro Upgrade Uninstall option and click the Save Option button or just click the Close button and do a normal plugin uninstall.
- If you want to completely delete the BPS plugin, all files, Custom Code and BPS database settings, select the Complete BPS Plugin Uninstall option, click the Save Option button, click the Close button and do a normal plugin uninstall.
Translations
Language Packs: Translate BulletProof Security
Bonus Tip: If you use the Google Chrome Browser you can right-click in plugin pages and then click on Translate to… to translate plugin text into your language.
BPS has a GDPR Compliance Setup Wizard Options setting, which allows someone to turn IP address logging On or Off throughout all BPS plugin features by choosing the GDPR Compliance On option setting on the Setup Wizard Options page: BPS Features affected: Security Logging, Login Security Logging, and Maintenance Mode Logging. Note: For simplicity and ease of use there is only one option setting that needs to be set instead of creating individual option settings in all BPS features that perform IP address logging.
BPS GDPR Compliance Forum Topic
WordPress Automatic Update Options
The BPS plugin comes with a must-use plugin called BPS MU Tools. The BPS MU Tools must-use plugin is located on the WordPress Plugins page under the Must-Use link at the top of the WordPress Plugins page. The BPS MU Tools plugin has 6 WP Automatic Update option settings:
- Disable all Updates: On = All WordPress Automatic Updates (Core, Plugins, Themes and Translations) are disabled
- Disable all Core Updates: On = All WordPress Core Automatic Updates (Development, Minor and Major versions) are disabled
- Enable all Core Updates: On = All WordPress Core Automatic Updates (Development, Minor and Major versions) are enabled
- Enable Development Updates: On = WordPress Core Automatic Updates are enabled for Development WP versions
- Enable Minor Updates: On = WordPress Core Automatic Updates are enabled for Minor WP versions
- Enable Major Updates: On = WordPress Core Automatic Updates are enabled for Major WP versions
For more extensive help information click the WordPress Automatic Update Help Forum Topic link below.
* WordPress Automatic Update Help Forum Topic
BulletProof Security Bonus Custom Code
- Brute Force Login Protection .htaccess Code
- Speed Boost Cache .htaccess Code
- HotLink Protection .htaccess Code – Google, Yahoo, Bing safe
- Author ID|Username Bot Probe Protection .htaccess Code
- XML-RPC DDoS Protection .htaccess Code (Double Bonus: Trackback|Pingback Protection)
- Referer Spammers|Phishing Protection .htaccess Code
- Mime Sniffing|Drive-by Download Attack Protection .htaccess Code
- External iFrame and Clickjacking Protection .htaccess Code
- POST Request Attack Protection .htaccess Code
Where can I find BulletProof Security additional troubleshooting steps & support?
Please see the BulletProof Security Forum.
Unable to save Root or wp-admin htaccess custom code using the BPS Custom Code forms
- You may see a 403, 404 or 500 error or no errors and nothing works/happens.
- This common problem is caused by ModSecurity. Please see this Common Known ModSecurity problems forum topic.
Unable to save htaccess code using the BPS htaccess File Editor
- You may see a 403, 404 or 500 error or no errors and nothing works/happens.
- This common problem is caused by ModSecurity. Please see this Common Known ModSecurity problems forum topic.
Unable to login or logout of your website
- You may see a 403, 404 or 500 error or no errors and nothing works/happens.
- This common problem is caused by ModSecurity. Please see this Common Known ModSecurity problems forum topic.
Unable to install plugins or themes using the WordPress Upload Zip installer
- You may see a 403, 404 or 500 error or no errors and nothing works/happens.
- This common problem is caused by ModSecurity. Please see this Common Known ModSecurity problems forum topic.
BulletProof Security Compatible Hosting|Host Server|WordPress Site Types
- Types: Shared, VPS, Dedicated, Managed, Colocation, In-house
- Types: Apache, Linux, Nginx, LiteSpeed, Windows (Windows IIS)
- Types: Standard|Single, Network|Multisite, “Giving WordPress Its Own Directory” (GWIOD), BuddyPress|bbPress, subdomain, subdirectory, HTTPS/SSL
- Note: The Setup Wizard Pre-Installation Check displays compatibility information.
- Note: The Setup Wizard Pre-Installation Check tests if htaccess files can or cannot be used on your website and will automatically disable BPS htaccess features and files if your server/website cannot use htaccess files. You will see the “htaccess Files Disabled Notice” on the Setup Wizard page with a link to a Help Forum Topic.
- Note: BulletProof Security works on all web hosts except for these 3 web hosts: Incompatible Hosts.
Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)
Setup Wizard AutoFix checks which plugins and themes you currently have installed and will display a BPS Setup Wizard AutoFix Notice to run the BPS Setup Wizard if any currently installed plugins or themes require Custom Code whitelist rules or AutoSetup. The BPS Setup Wizard automatically creates BPS Custom Code whitelist rules for known issues with any plugins and themes that need Custom Code whitelist rules. Setup Wizard AutoFix also automatically sets up and cleans up the htaccess code of these WordPress caching plugins: WP Super Cache, W3 Total Cache, Comet Cache Plugin (free & Pro), WP Fastest Cache Plugin (free & Premium), LiteSpeed Cache and WP Rocket. For more detailed help information and a list of all plugins and themes that have AutoFixes click this link: Setup Wizard AutoFix Forum Topic.
BulletProof Security htaccess File Options (Firewalls, etc.) Features
Description: WordPress Website Security Protection: .htaccess files (distributed server configuration files) are processed by your server before any other code on your website. In other words, hackers' malicious scripts are stopped by BulletProof Security .htaccess files/Firewalls before those scripts even have a chance to reach the PHP code in WordPress. BulletProof Security protects your website against 100,000’s of different hacking attempts/attacks. The .htaccess security filters in BulletProof Security are designed to match malicious and nuisance attack patterns. The most important benefit of using a finite pattern matching method vs. infinitely banning/blocking individual IPs, hosts, referers, etc. is that your website performance and server resources are not negatively impacted. In general, BulletProof Security takes an “Action Approach” to website security: Hacker X, Spammer X or Bad Bot X does bad Action Y = Forbidden/Blocked. An “Action Approach” is a much more effective and performance optimized approach to website security since the bad action itself is blocked/forbidden instead of attempting to block an individual hacker/spammer that performed a bad action. Example: BulletProof Security blocks all SQL Injection hacking attempts/attacks no matter who (IP address, hostname, bot name, etc.) performed the SQL Injection hacking attempt/attack. See the BulletProof Security Login Security & Monitoring Features section for additional features and options. See the BulletProof Security htaccess File Options (Firewalls, etc.) Features section for additional features and options.
- Root Folder BulletProof Mode|Firewall
- wp-admin Folder BulletProof Mode|Firewall
- Built-in .htaccess File Editor & File Manager
- Built-in .htaccess Backup and Restore
- One-click .htaccess website security protection from within the WP Dashboard
- .htaccess security protection against hacking attempts: XSS|RFI|CRLF|CSRF|Base64|Code Injection|SQL Injection
- TimThumb Vulnerability|Exploit .htaccess security protection (Firewall)
- .htaccess Lock|Unlock (404 Read-Only)
- .htaccess AutoLock On|Off
- Security|HTTP Error Logging: 400|403|404|405|410 HTTP Status Codes
- Security Log: Add|Remove User Agents|Bots to Ignore|Not Log or Allow|Log
- Security Log: Turn On|Turn Off|Delete Log
- Security Log: Limit POST Request Body Data – capture or do not capture hacker scripts used in attacks. Note: See BPS POST Request Attack Protection Bonus Custom Code
- Security Log Automation: Automatically zipped, emailed and replaced based on file size
- Automatic .htaccess file updating on BPS upgrade installation
- New .htaccess security filters automatically added during upgrade
- WP Dashboard Alerts|WP Dashboard Dismiss Notices
- Anti Comment Spam .htaccess code – works together with Akismet or other Spam plugins to keep Comment Spam at a minimum
- Anti Comment Spambot .htaccess code – Forbid Empty Referrer Spambots
- Author ID|User ID|Username Bot Probe Protection
- Custom Code feature: Add|Edit|Modify|Save|Export|Import additional Bonus or personal custom .htaccess code
- WordPress and other files protected with .htaccess security protection: readme.html, /wp-admin/install.php, wp-config.php, bb-config.php, php.ini and php5.ini files
- Help & FAQ page: links to BPS Guide and other detailed Help & Info pages
- Extensive jQuery UI Dialog Question Mark Help buttons throughout the BulletProof Security plugin pages
- HUD Success|Error message display
BulletProof Security MScan Malware Scanner
Description: MScan is a malware scanner that scans website files for hacker files or code and scans the WP database for hacker code. MScan Scheduled scanning is available in BPS Pro only.
* MScan uses file hash comparisons for all WP files (WP Core, Plugins and Themes). File hash comparisons are 100% accurate, which means no false positives will occur for any WP files. All other non-WP files are scanned using standard conventional pattern matching. Because all WP files are now scanned with file hash comparisons, the detection sensitivity for pattern matching scanning could be increased, and additional pattern matching rules have been added to MScan 2.0.
* For more details see the MScan Malware Scanner Guide.
BulletProof Security System Info
- PHP|MySQL|MySQLi|OS|Server|Memory Usage and Limits|IP|SAPI|WP Filesystem API Method|DNS|Apache Modules|Directives Compatibility Checks|Mod Security|Max Upload|Zend Engine Version|Zend Guard|Loader|Optimizer|ionCube Loader|Suhosin|APC|eAccelerator|XCache|Varnish|cURL|OpenSSL Library|cURL OpenSSL Version|Memcache|Memcached|Plugins|Versions Installed|Activated|Get Plugins List|Browser Compression|GD Library|ImageMagick|WP Temp Dir|PHP Temp Dir|PHP Upload Temp Dir|Session Save Path|WP_TEMP_DIR constant|php.ini file path, etc.
- File|Folder Permissions (CGI or DSO)|Script Owner User ID (UID)|File Owner User ID
- PHP Server|PHP.ini|PHP directives Info
- Website Headers Check Tool: Check your website Headers or another website’s Headers remotely.
BulletProof Security Hidden Plugin Folders|Files Cron (HPF)
Description: The HPF Cron checks the WordPress /plugins/ folder for hidden or empty plugin folders and any non-standard WP files or altered files in the /plugins/ folder. If a hidden or empty plugin folder or non-standard WP file is found in the WordPress /plugins/ folder, BPS displays a Dashboard Alert and sends an Email Alert. A hidden or empty plugin folder is a plugin that exists in your /plugins/ folder, but is not displayed on the WordPress Plugins page. A hidden plugin can be used as a hacker backdoor to gain access to your WP Dashboard, hosting account, create user accounts, completely control your website and hosting account, etc. A non-standard WP file or modified/altered file in your /plugins/ folder can also do all of the things a hidden plugin can do.
- Automated Cron check that checks the WordPress /plugins folder for hidden plugins or non-standard WP files
- Displays Dashboard Alerts
- Sends Email Alerts
- HPF Cron Check Frequency settings: 1, 5, 10, 15, 30 or 60 minutes
- HPF Cron On|Off: Turn the HPF Cron On or Off
- Ignore Hidden Plugin Folders & Files: Whitelisting tool to ignore plugin folders or non-standard WP files
- HPF is automatically setup during BPS Upgrades or when running the BPS Setup Wizard
BulletProof Security Login Security & Monitoring Features
Description: Login Security & Login Monitoring: Log All User Account Logins or Log Only User Account Lockouts (see Screenshot). Brute Force Login Security Protection. Choose from 5 email alerting options: send email alerts when a User Account is locked out, when an Administrator logs in, when an Administrator logs in and when a User Account is locked out, when any User logs in and when a User Account is locked out, or Do Not Send Email Alerts. Choose Standard WP Error Messages or Generic Error Messages for Login Security Stealth Mode. Choose to Enable or Disable Login Password Reset capability for Login Security Stealth Mode. See the BulletProof Security Login Security & Monitoring Features section for additional features and options.
- Brute Force Login Security Protection
- Log All User Account Logins or Log Only User Account Lockouts
- Logged DB Fields: User ID|Username|Display Name|Email|Role|Login Time|Lockout Expires|IP Address|Hostname|Request URI
- Email Alerting Options: User Account is locked out|An Administrator Logs in|An Administrator Logs in and when a User Account is locked out|Any User logs in and when a User Account is locked out|Do Not Send Email Alerts
- Login Security Additional Options: Max Login Attempts|Automatic Lockout Time|Manual Lockout Time|Max DB Rows To Show|Enable Login Security for WooCommerce|Turn On|Turn Off
- Login Security Stealth Mode: Standard WP Error Messages or Generic Error Messages.
- Login Security Attempts Remaining: Display a “Login Attempts Remaining X” message when an incorrect password is entered.
- Login Security Stealth Mode: Enable or Disable Login Password Reset capability and links.
- Dynamic DB Form: Lock|Unlock|Delete
- Enhanced Search: Allows you to search all of the Login Security database rows/Fields
- Click the Login Security Question Mark help button for full descriptions of all features and options.
BulletProof Security JTC-Lite
Description: JTC-Lite is a limited version of BPS Pro JTC Anti-Spam|Anti-Hacker that provides Login Form Bot Lockout Protection for the WordPress Login page/Form.
JTC-Lite prevents constant and repeated user account lockouts caused by Bots attempting to Brute Force Login to your WordPress Login Form and website. If you would like to protect all of your WordPress Forms, BuddyPress, bbPress and WooCommerce Forms against SpamBot and HackerBot attacks (auto-registrations, auto-logins, auto-posting, auto-commenting), that security protection is available in BPS Pro JTC Anti-Spam|Anti-Hacker. 99% of all hacking and spamming is automated using HackerBots and SpamBots.
BulletProof Security Idle Session Logout (ISL) Features
Description: Automatically log out idle/inactive Users. ISL uses JavaScript Event Listeners to monitor users' activity for these ISL events: a keyboard key is pressed, a mouse button is pressed, the mouse is moved, the mouse wheel is rolled up or down, a finger is placed on the touch surface/screen, and a finger already placed on the screen is moved across the screen. See the BulletProof Security Idle Session Logout (ISL) Features section for additional features and options info.
- Turn On|Turn Off: ISL is Turned Off by default. Select Turn On ISL to turn ISL On.
- Idle Session Logout Time in Minutes: Time in minutes for when an idle/inactive User should be logged out of your site.
- Idle Session Logout Page URL: Defaults to BPS ISL Logout page URL or choose to redirect logged out users to any URL that you want to redirect them to.
- Idle Session Logout Page Login URL: Displays a clickable Login URL/link to your WP Login page or you can choose not to display a Login URL/link.
- Idle Session Logout Exclude URLs|URIs: This option allows you to exclude any pages or posts that you do not want ISL to check/monitor.
- Idle Session Logout Page Custom Message: Use the default BPS ISL message/text or you can create your own custom ISL message/text.
- Idle Session Logout Page Custom CSS Style: Use the default BPS CSS Style code or enter your own custom CSS Style customizations.
- User Account Exceptions: Disable ISL by User Account names. User Account Exceptions override the User Roles option setting.
- Enable|Disable Idle Session Logouts For These User Roles: Enable ISL for Users by User Role: Administrator, Editor, Author, Contributor, Subscriber & Custom User Roles.
- Enable|Disable Idle Session Logouts For TinyMCE Editors: Disable ISL for any/all pages that have a TinyMCE Editor on them.
BulletProof Security Auth Cookie Expiration (ACE) Features
Description: Change the WordPress Authentication Cookie Expiration time. The default WordPress Authentication Cookie Expiration time is 2880 Minutes/2 Days and 20160 Minutes/14 Days if a User checks the Remember Me checkbox when they login. You can change the WordPress Authentication Cookie Expiration time to whatever expiration time setting that you choose. See the BulletProof Security Auth Cookie Expiration (ACE) Features section for additional features and options info.
- Turn On|Turn Off: ACE is Turned Off by default. Select Turn On ACE to turn ACE On.
- Auth Cookie Expiration Time in Minutes: Time in minutes for when a User should be logged out of your site.
- Remember Me Auth Cookie Expiration Time in Minutes: Time in minutes for when a User should be logged out of your site when the User has checked the Remember Me checkbox.
- Enable|Disable Remember Me Checkbox: Disable and do not display the Remember Me checkbox on your login page.
- User Account Exceptions: Disable ACE by User Account names. User Account Exceptions override the User Roles option setting.
- Enable|Disable Auth Cookie Expiration Time For These User Roles: Enable ACE for Users by User Role: Administrator, Editor, Author, Contributor, Subscriber & Custom User Roles.
BulletProof Security Force Strong Passwords (FSP) Features
Description: Force Strong Passwords (FSP) General Info: Set strong password criteria requirements instead of allowing weak passwords to be created and used. FSP works on standard single WordPress site types, Network|Multisite site types and BuddyPress. WooCommerce already has strong password requirements by default. The FSP option settings do not affect WooCommerce Forms.
- Turn On|Turn Off: FSP is Turned Off by default. Select Turn On FSP to turn FSP On.
- Password Character Length: Set the length of the password the User must enter. The default password character length is 12. The maximum character length is 32.
- Password Criteria Requirements: Check the checkboxes to add requirements. Uncheck the checkboxes to remove requirements. Recommendation: Check all checkboxes.
- At least 1 lowercase letter: Password Criteria Requirements checkbox.
- At least 1 uppercase letter: Password Criteria Requirements checkbox.
- At least 1 number: Password Criteria Requirements checkbox.
- At least 1 special character: Password Criteria Requirements checkbox.
- Displayed Message/Error Message: Enter/type the displayed message that the User will see on the relevant Forms/pages or use the existing default FSP message.
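An added example, not the plugin's own FSP code, that implements the password criteria the FSP section lists (a length requirement defaulting to 12 with a maximum of 32, plus the four optional character-class checkboxes) as a reusable validator and shows how such a validator is typically attached to WordPress profile validation. The option names, the hook usage and the sample passwords are assumptions made for this example.

```php
<?php
// Illustrative example, not BulletProof Security's own code.
// Option keys are assumptions chosen for this example.
function fsp_default_options(): array {
    return [
        'min_length'      => 12,   // page: default password character length is 12
        'require_lower'   => true, // at least 1 lowercase letter
        'require_upper'   => true, // at least 1 uppercase letter
        'require_number'  => true, // at least 1 number
        'require_special' => true, // at least 1 special character
    ];
}

// Returns a list of human-readable failures; an empty array means the
// password satisfies every enabled requirement.
function fsp_check_password(string $password, array $options = []): array {
    $opt = array_merge(fsp_default_options(), $options);
    // The page states the configurable length tops out at 32; clamp to that.
    $min = max(1, min(32, (int) $opt['min_length']));
    $failures = [];

    if (mb_strlen($password, 'UTF-8') < $min) {
        $failures[] = "must be at least {$min} characters long";
    }
    if ($opt['require_lower'] && !preg_match('/\p{Ll}/u', $password)) {
        $failures[] = 'must contain at least 1 lowercase letter';
    }
    if ($opt['require_upper'] && !preg_match('/\p{Lu}/u', $password)) {
        $failures[] = 'must contain at least 1 uppercase letter';
    }
    if ($opt['require_number'] && !preg_match('/\p{Nd}/u', $password)) {
        $failures[] = 'must contain at least 1 number';
    }
    // "Special character" here means anything that is not a letter, digit or whitespace.
    if ($opt['require_special'] && !preg_match('/[^\p{L}\p{N}\s]/u', $password)) {
        $failures[] = 'must contain at least 1 special character';
    }
    return $failures;
}

// Attaching the validator to WordPress profile/registration saves is shown
// as an assumed hook usage; this branch only runs when WordPress is loaded.
if (function_exists('add_action')) {
    add_action('user_profile_update_errors', function ($errors, $update, $user) {
        if (empty($user->user_pass)) {
            return; // password is not being set or changed
        }
        foreach (fsp_check_password($user->user_pass) as $failure) {
            $errors->add('fsp_weak_password', 'Password ' . $failure . '.');
        }
    }, 10, 3);
}

// Constructed sample inputs so the file runs outside WordPress.
foreach (['password', 'Tr0ub4dor&3xyz'] as $candidate) {
    $f = fsp_check_password($candidate);
    echo $candidate, ': ', $f ? implode('; ', $f) : 'ok', PHP_EOL;
}
```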
BulletProof Security Send Email Alerts When New Plugin Or Theme Updates Are Available Features
Description: Send email alerts when new Plugin or Theme updates are available. Options: 1 Hour, 12 Hours or 1 Day. Do not send email alerts (default setting), Send Email Alerts for All Plugins, Send Email Alerts for Active Plugins Only, Send Email Alerts for All Themes and Send Email Alerts for Active Theme Only. This feature is located on the Email|Log Settings page.
BulletProof Security DB Backup|Database Backup Features
Description: DB Backup: Create manual and scheduled Backup Jobs. Selective database table backup and full database backup. Scheduled backup job options: Hourly, Daily, Weekly and Monthly. Send the scheduled backup zip file via email or just send an email only, automatically delete old backup files after a certain period of time, etc. All DB Backup options/settings and default setup is done automatically during upgrades and new installations. See the BulletProof Security DB Backup|Database Backup Features section for additional features and options.
- Manual or scheduled database backups
- Scheduled backup job options: Hourly, Daily, Weekly and Monthly
- Send scheduled backup zip file via email or just send email only
- Selective database table backup and full database backup
- Automatic deletion of old backup files after a certain period of time
- Backup Jobs – Manual|Scheduled Accordion Tab
- Displays the Description|Job Name, Delete and Run Checkboxes, Job Type, Frequency, Last Backup, Next Backup, Email Backup and Job Created table columns.
- Backup Files – Download|Delete Accordion Tab
- Displays the Backup Filename, Delete Checkbox, Download Links, Backup Folder, Size and Date|Time table columns.
- Create Backup Jobs Accordion Tab
- Displays a dynamic DB Table Name checkbox form and these Backup Job settings:
- Description|Backup Job Name
- DB Backup Folder Location (default: Obfuscated & Secure BPS Backup Folder location)
- DB Backup File Download Link|URL
- Backup Job Type: Manual or Scheduled
- Frequency of Scheduled Backup Job (recurring: Hourly, Daily, Weekly or Monthly)
- Hour When Scheduled Backup is Run (recurring: start time for a scheduled backup job)
- Day of Week When Scheduled Backup is Run (recurring: weekday)
- Day of Month When Scheduled Backup is Run (recurring: day of the month)
- Send Scheduled Backup Zip File Via Email or Just Email Only: email the zip backup file, do not email the backup zip file, email and delete the zip backup file, or just send an email
- Automatically Delete Old Backup Files: never delete old backup files, or delete backup files older than 1, 5, 10, 15, 30, 60, 90 or 180 days
- Turn On|Off All Scheduled Backups (override: turn on or turn off all scheduled backups)
- Rename|Create|Reset Tool: Rename|Create|Reset DB Backup Folder Name
- DB Backup Logging
- Depending on your DB Backup settings, log entries will be logged anytime you run a Manual Backup Job or whenever a Scheduled Cron Backup Job is run. The Backup Job Completion Time, Zip Backup File Name, timestamp and other information is logged. If you have chosen the option to automatically delete old zip backup files then the zip backup file name and timestamp will be logged when old zip backup files are automatically deleted. When you create a new Backup Job your Backup Job Settings are logged/saved in the DB Backup Log.
- DB Backup Log Automation: Automatically zipped, emailed and replaced based on file size
- Click the DB Backup Question Mark help button for full descriptions of all features and options.
BulletProof Security FrontEnd|BackEnd Maintenance Mode Features
Description: Display a website under maintenance page with Countdown Timer to website visitors while the website displays and functions normally for you. When the Countdown Timer has completed (reached 0) an email reminder is sent to you to remind you that the Countdown Timer has completed. The new BPS Maintenance Mode design includes 20 background images, 15 center images (text box image), allows you to embed image files and YouTube videos, FrontEnd Maintenance Mode, BackEnd Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes and most importantly is fast and simple to use so that you can switch in and out of Maintenance mode quickly and easily. FrontEnd Maintenance mode is primarily designed for development/maintenance purposes and BackEnd Maintenance Mode is technically a security feature since enabling BackEnd Maintenance Mode allows you to deny access to the /wp-admin folder/WP Dashboard by IP address. See the BulletProof Security FrontEnd|BackEnd Maintenance Mode Features section for additional features and options.
- FrontEnd Maintenance Mode|BackEnd Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes
- Website displays & functions normally while visitors see a website under maintenance page
- TinyMCE WYSIWYG Editor – Create Customizable Website Under Maintenance page
- Embed image files and YouTube videos
- 20 background images|15 center images (text box image)|Roll Your Own Design|Under Maintenance Page
- Background image files/options and Center images (text box image) are independent of each other so that you can mix and match different background images with different Center images (text box image)
- Enable Countdown Timer
- Countdown Timer Text Color
- Maintenance Mode Time in Minutes
- Header Retry-After in Minutes ~ 503 HTTP Status Code
- Enable FrontEnd Maintenance Mode ~ site development, maintenance, coming soon, under construction, etc.
- Enable BackEnd Maintenance Mode ~ Deny All IP address .htaccess protection for the wp-admin folder/WP Dashboard
- Maintenance Mode IP Address Whitelist Text Box: Enter The IP Addresses That Can View The Website Normally (not in Maintenance Mode)
- Maintenance Mode Text|Images|Videos Displayed To Website Visitors
- Background Images: 20 background images ~ mix and match with center images ~ see screenshot
- Center Images: 15 center images ~ mix and match with background images ~ see screenshot
- Background Colors (If not using a Background Image)
- Display Visitor IP Address
- Display Admin|Login Link
- Enable Visitor Logging
- Display Dashboard Reminder Message when site is in Maintenance Mode
- Send Email Reminder when Maintenance Mode Countdown Timer has completed
- Email: To|From|cc|bcc
- Network|Multisite Primary Site Options ONLY
- Put The Primary Site And All Subsites In Maintenance Mode
- Put All Subsites In Maintenance Mode, But Not The Primary Site
- Click the Maintenance Mode Question Mark help button for full descriptions of all features and options.
BulletProof Security is Website Performance Optimized
Website performance is just as important as website security. BulletProof Security is website performance optimized with website owners' best interests at heart. BulletProof Security does NOT abuse the WordPress Database by making excessive MySQL Queries. BulletProof Security does NOT store excessive & non-essential data in your WordPress Database. BulletProof Security does NOT use excessive Server Memory & Resources. BulletProof Security does NOT use any gimmicks or bells & whistles that will cost website owners their website performance. The benefits of having website security protection are negated if your website is performing poorly/slowly, continually running out of memory, growing its database size exponentially with non-essential stored data, etc. BulletProof Security can actually speed up & improve your website performance by using the Speed Boost Cache Bonus Code. See the BulletProof Security Bonus Custom Code help section below.
Can BulletProof Security be Network Activated on Network|Multisite Sites?
The BulletProof Security plugin can be Network Activated, or you can allow BulletProof Security to be activated individually on each Network/Multisite subsite, or of course you can choose not to Network Activate BulletProof Security or allow the BPS plugin on subsites. Super Admins will see BPS Dashboard Alerts and other Status displays on the Primary Site only. Administrators can activate or deactivate BulletProof Security on subsites if you allow this on your Network/Multisite website. The BPS Primary Site Menus will display all BPS menus. The BPS Subsite Menus will display: Login Security, JTC-Lite, Maintenance Mode, System Info & UI|UX Theme Skin menus. Not all BulletProof Security features are available on subsites, since Network/Multisite subsites are virtual and do not have physical website folders. All BulletProof Security features work sitewide and affect all other virtual subsites. Login Security and Maintenance Mode work independently on each subsite.
- The BPS Setup Wizard Options page contains these two Network/Multisite options: Network|Multisite Sitewide Login Security Settings and Network|Multisite Sitewide JTC-Lite Settings, which allow you to bulk set up all subsites with the default Login Security and JTC-Lite option settings.
- Login Security works individually for each specific subsite. Login Security has all the same functionality on Network/Multisite subsites with one exception: Login Security email alerting is not available for subsites.
- JTC-Lite works individually for each specific subsite. JTC-Lite has all the same functionality on Network/Multisite subsites.
- Maintenance Mode works individually for each specific subsite. MMode has all the same functionality on Network/Multisite subsites with these exceptions: BackEnd Maintenance is not available on subsites & these Primary site options are not available on subsites: Put The Primary Site And All Subsites In Maintenance Mode & Put All Subsites In Maintenance Mode, But Not The Primary Site.
- System Info has all the same functionality on Network/Multisite subsites with one exception: MySQL Database information is not displayed on subsites.
- BulletProof Security also works with Network/Multisite Domain Mapping.
BulletProof Security Built-in Troubleshooting|Diagnostic|Logging|Whitelisting
Troubleshooting|Diagnostic|Logging|Whitelisting is built into BulletProof Security. BPS troubleshooting steps: BPS Troubleshooting Steps. The Setup Wizard performs Pre-Installation Checks that look for pre-existing issues that could cause problems and displays exactly what needs to be done to fix them. The Setup Wizard has a built-in feature called AutoFix that automatically creates known fixes for 100+ Plugins and Themes. The BPS Security Log logs blocked hackers, spammers, bad bots, etc. and also logs anything else that is blocked by BPS. If something legitimate in another plugin or theme is being blocked and needs to be allowed/whitelisted, the BPS Security Log entry will contain all the information about what exactly is being blocked so that a whitelist rule can then be created in BPS Custom Code. The BPS Security Log also logs all other 403 errors that occur on your website, whether or not they are related to or caused by BPS. Turning Off BPS Security Logging will allow your server to handle error logging and display your server error message instead of BPS displaying the standard 403 template file error message. This is also a troubleshooting method to determine whether an error is actually coming from your server (ModSecurity, etc.) and not from the BPS plugin.
I am seeing Security Log entries in my BulletProof Security Log. What do they mean?
Your Security Log will log 400, 403, 405, 410 and 404 Errors (404 logging requires copying the BPS 404 logging code to your Theme’s 404.php Template). The Security Log logs all 400, 403, 405 and 410 HTTP Response Status Codes by default. You can also log 404 HTTP Response Status Codes by opening this BPS 404 Template file – /bulletproof-security/404.php – and copying the logging code into your Theme’s 404 Template file. When you open the BPS 404.php file you will see simple instructions on how to add the 404 logging code to your Theme’s 404 Template file. 99.99% of what is logged in the Security Log is blocked hackers, spammers, bad bots, scrapers, miners, etc. The Security Log is also a troubleshooting tool. If BPS is blocking something legitimate in another plugin or theme, exactly what is being blocked by BPS will be logged in the Security Log. A whitelist rule can then be created to allow anything legitimate that is being blocked in another plugin or theme.
HTTP Status Codes (Internet Standard)
- 400 Bad Request – The request could not be understood by the Server due to malformed syntax.
- 401 Unauthorized – The request requires user authentication. By default BPS redirects Auth Requests to the correct URI to avoid 404 errors.
- 403 Forbidden – The Server understood the request, but is refusing to fulfill it.
- 404 Not Found – The Server has not found anything matching the Request-URI/URL. No indication is given as to whether the condition is temporary or permanent.
- 405 Method Not Allowed – The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource. BPS blocks HEAD Requests using a 405 ErrorDocument Redirect. The BPS 405 Template has an Allow header field for the GET, POST and PUT HTTP Methods.
- 410 Gone – The requested resource is no longer available at the Server/site and no forwarding address is known. This condition is expected to be considered permanent.
- 503 Service Unavailable – The Server/site is temporarily performing maintenance. Used in BPS MMode with Retry-After header to indicate when the Server/site will be available again.
Will BulletProof Security or .htaccess files or .htaccess code cause my website to run slower?
No. BulletProof Security or .htaccess files/code in general will not cause a website to run slower. BulletProof Security is website performance optimized and uses very little/low website resources and very little Server memory. BulletProof Security uses a finite number of security rules/filters/code in all .htaccess files. Note: Both W3 Total Cache and WP Super Cache use .htaccess code to speed up website performance.
Can BulletProof Security speed up my website and make it run faster?
Yes. BulletProof Security can speed up your website and make it run faster if you use the BPS Speed Boost Cache Code and add it to BPS Custom Code.
Do I need to understand .htaccess code in order to use BulletProof Security?
No. We use a paint-by-numbers approach, have extensive documented help and fixes on our Forum site and provide exact steps to perform any tasks that need to be done, such as adding whitelist rules or other custom code, i.e. do Step 1, Step 2, Step 3. BPS creates customized .htaccess files for your website by either running the Setup Wizard or clicking the BulletProof Modes Activate buttons. You do not need to know anything about .htaccess website security files or code in order to use the BulletProof Security plugin. Extensive help information can be found in the Question Mark help buttons in BPS. The Help & FAQ tab pages in BulletProof Security contain links to BulletProof Security Forum help topics and video tutorials. The process of adding Custom Code or adding whitelisting rules is automated – See the Custom Code Question Mark help button for Custom Code steps.
Are there any known issues or conflicts with other WordPress Plugins or Themes?
Occasionally issues or conflicts do occur with other plugins, but they are always quickly resolved. BulletProof Security is compatible with all other Plugins and Themes. If BulletProof Security is blocking something legitimate in another plugin or theme a whitelist rule can be created in BPS Custom Code to allow/whitelist whatever was being blocked by BPS. Please check the BulletProof Security Plugin Compatibility page for the steps to search for documented plugin or theme whitelist rules.
How do the BulletProof Security Plugin htaccess File Options (Firewalls) work?
The BulletProof Security Plugin allows you to create and activate .htaccess website security for your website with one click (literally if the BPS Setup Wizard is run, figuratively if you are using the BPS manual controls) without having to know anything about .htaccess files. The Master .htaccess files are pre-made, and BPS writes additional .htaccess code that is customized to each specific website when you run the Setup Wizard or use the Manual Controls. There is nothing to figure out or to configure. Either run the Setup Wizard or use the Manual Setup Controls: the BulletProof Modes Activate buttons. BPS has built-in Backup and Restore and an .htaccess File Editor for full manual editing control as well. BPS Custom Code allows you to add additional custom .htaccess code or BPS Bonus Custom Code and save it permanently so that your saved code is added/created in your .htaccess files.
How does BulletProof Security Plugin Login Security & Monitoring work?
BulletProof Security Login Security & Monitoring allows you to choose whether you want to Log All User Account Logins or Log Only User Account Lockouts. The Dynamic DB Logging Form has 3 checkbox options: Lock, Unlock or Delete database rows. The Login Security database table is hooked into the WordPress Users database table, but they are 2 completely separate database tables. If you lock a User Account then BPS will enforce that lock on that User Account and the User will not be able to log in. If you unlock a User Account then the User will be able to log in. Deleting database rows in the Login Security database table does NOT delete the User Account from the WordPress Users database table; deleting a User Account's row there is pretty much the same thing as unlocking that User Account. To delete actual User Accounts you would go to the WordPress Users page and delete the User Account there.
What to do if your User Account is locked out by Login Security and you are unable to log in?
Use FTP or your web host control panel file manager and rename the /bulletproof-security/ plugin folder name to /_bulletproof-security and login to your website. After logging into your website, rename the /_bulletproof-security/ plugin folder name back to /bulletproof-security/. Unlock your User Account on the BPS Login Security and Monitoring page.
What to do if you cannot log back into your website due to an htaccess file/code problem?
This applies if you accidentally added invalid custom htaccess code to BPS Custom Code, or if your web host does not allow you to lock your root .htaccess file and your htaccess file was locked. Use FTP or your Web Host Control Panel File Manager and delete the .htaccess files that BPS creates in your website root folder and your wp-admin folder. Deleting the .htaccess files in your website root folder & wp-admin folder will allow you to log back in to your website. If your web host does not allow locking the root .htaccess file, go to the htaccess File Editor tab page and click the Turn Off AutoLock button. Then either run the Setup Wizard again or click the BulletProof Modes Activate buttons again. If the problem was caused by invalid custom htaccess code added to BPS Custom Code, remove/delete the invalid custom htaccess code from BPS Custom Code before activating BulletProof Modes again.
Do Idle Session Logout (ISL) or Auth Cookie Expiration (ACE) affect all website visitors to your website?
The Idle Session Logout (ISL) JavaScript code is only loaded if a User is logged into your website (depending on your ISL option settings for User Accounts/Roles) and is specific to only that User’s Client Browser and Login Session. Auth Cookie Expiration (ACE) controls the WordPress Authentication Cookie that is set when a User logs into your website. Visitors to your website that are not logged in are not affected in any way by ISL or ACE.
Can the Idle Session Logout Time be changed while Users are logged in or after a User has already logged in?
Yes. ISL is Client Browser based and the Idle Session Logout Time is a variable that has a value that can be changed “on the fly”. Example: If UserA and UserB login to your site and the Idle Session Logout Time was 60 minutes when they logged in and you change the Idle Session Logout Time to 1 minute while UserA and UserB are logged into your site then UserA and UserB and all other Users that are logged into your site (depending on your ISL option settings) will be automatically logged out after being idle/inactive for 1 minute.
Can the Auth Cookie Expiration Time be changed while Users are logged in or after a User has already logged in?
Yes and No. Yes, you can change the Auth Cookie Expiration Time option setting for all Users (depending on your ACE option settings), but the WordPress Authentication Cookie Expiration time is set when Users log into your site and cannot be changed “on the fly”. So if you change the Auth Cookie Expiration Time while UserA and UserB are already logged into your site then the new Auth Cookie Expiration Time that you choose will not take effect until after UserA and UserB logout and log back into your site. The WordPress Authentication Cookie Expiration time can only be set/reset at login. This is the default functionality of the WordPress Authentication Cookie.
How does BulletProof Security FrontEnd|BackEnd Maintenance Mode work?
FrontEnd Maintenance Mode creates template files based on the options you choose and save. When you Turn On Maintenance Mode those template files are copied to the root directory of your website. When you Turn Off Maintenance Mode those template files are deleted from the root directory of your website. Maintenance Mode works by allowing the IP addresses that you enter & save to view the site normally. All other IP addresses will see the Maintenance Mode template page. BackEnd Maintenance Mode writes directly to your wp-admin .htaccess file and adds a deny all block of .htaccess code with the IP addresses that you enter & save when you enable BackEnd Maintenance Mode. When you disable/uncheck BackEnd Maintenance Mode that deny all block of .htaccess code is removed/deleted from your wp-admin .htaccess file. For more extensive help info or CSS Code, Image & Video Embed examples to add in the Maintenance Mode Text, CSS Style Code, Images, Videos Displayed To Website Visitors text area, click this Maintenance Mode Guide Forum Topic link: Maintenance Mode Guide.
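The BackEnd Maintenance Mode behaviour described above, as an added Python example that is not the plugin's own code: a marked deny-all block listing the allowed IP addresses is inserted into the wp-admin .htaccess text when the mode is enabled and removed again when it is disabled. The marker comments and the Apache 2.4 `Require ip` syntax are assumptions, not what BPS itself writes.

```python
"""Insert or remove a marked 'deny all except these IPs' block in the text of
a wp-admin .htaccess file (constructed example modelled on BackEnd
Maintenance Mode; markers and directive syntax are assumptions)."""
import ipaddress
import re

# Assumed marker comments so the block can be found and removed later.
BEGIN = "# BEGIN BackEnd Maintenance Mode (example marker)"
END = "# END BackEnd Maintenance Mode (example marker)"


def build_deny_block(allowed_ips):
    """Return an Apache 2.4 block that denies everyone except allowed_ips.

    Each entry (single address or CIDR range) is validated with the
    ipaddress module so a typo cannot yield a malformed directive that
    locks the administrator out as well.
    """
    nets = [ipaddress.ip_network(ip, strict=False) for ip in allowed_ips]
    if not nets:
        raise ValueError("at least one allowed IP address is required")
    lines = [BEGIN, "<RequireAny>"]
    for net in nets:
        # Write single hosts without a prefix, ranges in CIDR form.
        target = net.with_prefixlen if net.num_addresses > 1 else str(net.network_address)
        lines.append(f"    Require ip {target}")
    lines += ["</RequireAny>", END]
    return "\n".join(lines) + "\n"


def disable_backend_mmode(htaccess_text):
    """Remove the marked block and leave all other .htaccess code untouched."""
    pattern = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END) + r"\n?", re.S)
    return pattern.sub("", htaccess_text, count=1)


def enable_backend_mmode(htaccess_text, allowed_ips):
    """Prepend the deny block, replacing any earlier copy instead of duplicating it."""
    return build_deny_block(allowed_ips) + disable_backend_mmode(htaccess_text)
```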
BPS Alert! Your site does not appear to be protected by BulletProof Security. What does the Alert mean?
The alert means that the currently active root htaccess file that is in use on your website does not contain BPS htaccess security code. You can either run the Setup Wizard again or go to the htaccess File Options Security Modes page and click the Root Folder BulletProof Mode Activate button.
Can I add my own .htaccess code to the BulletProof Security .htaccess files?
Yes. Add any additional custom htaccess security code to the BulletProof Security Custom Code feature. Your custom .htaccess code will be saved permanently to your database (until you delete it). Please view the Question Mark Help button in Custom Code for specific details and Custom Code setup steps.
Does BulletProof Security automatically create or write .htaccess files?
Yes. BulletProof Security automatically creates customized .htaccess website security files for your specific website, either by running the Setup Wizard or manually by clicking the BulletProof Modes Activate buttons on the htaccess File Options Security Modes page. BulletProof Security also offers full manual control of editing .htaccess files using the built-in .htaccess File Editor. The BPS Master .htaccess files are pre-made. When you run the Setup Wizard or click the BulletProof Modes Activate buttons your .htaccess Master files are created with specific code for your specific website. You can add additional code to BPS Custom Code, edit the .htaccess files directly or create completely new .htaccess master files from within the WordPress Dashboard using the built-in BPS File Editor or Custom Code – no FTP required – no Web Host Control Panel required. Automation is great, but also having full manual editing control makes BulletProof Security very versatile.
Security Log File Automation – Automatically Zipped, Emailed and Replaced
Security Log files are automatically zipped, emailed and replaced with a new blank Security Log file when the log file reaches the maximum file size setting that you choose. By Default BulletProof Security sets this DB option to zip, email and replace the Security Log file when it reaches 500KB. The Security Log file is checked once per hour with a WordPress Cron. The optimum recommended file size setting is 500KB. Email and Log file settings are located under the Email|Log Settings menu/page.
MScan Malware Scanner Log File Automation – Automatically Zipped, Emailed and Replaced
MScan Log files are automatically zipped, emailed and replaced with a new blank MScan Log file when the log file reaches the maximum file size setting that you choose. By Default BulletProof Security sets this DB option to zip, email and replace the MScan Log file when it reaches 500KB. The MScan Log file is checked once per hour with a WordPress Cron. The optimum recommended file size setting is 500KB. Email and Log file settings are located under the Email|Log Settings menu/page.
DB Backup Log File Automation – Automatically Zipped, Emailed and Replaced
DB Backup Log files are automatically zipped, emailed and replaced with a new blank DB Backup Log file when the log file reaches the maximum file size setting that you choose. By Default BulletProof Security sets this DB option to zip, email and replace the DB Backup Log file when it reaches 500KB. The DB Backup Log file is checked once per hour with a WordPress Cron. The optimum recommended file size setting is 500KB. Email and Log file settings are located under the Email|Log Settings menu/page.
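The size-triggered rotation that the Security Log, MScan Log and DB Backup Log sections above all describe, as an added Python example that is not the plugin's own code: one check of the log file size (the plugin runs this hourly via WP-Cron), then zip, hand off for emailing and replace with a blank file. The 500KB default comes from the page; the function names, the email callback interface and the sample log entries are assumptions/constructed.

```python
"""Size-triggered log rotation: zip, hand off for emailing, replace with a
blank file (constructed example modelled on the page's description)."""
import os
import tempfile
import zipfile
from datetime import datetime, timezone

DEFAULT_MAX_BYTES = 500 * 1024  # the page's default and recommended 500KB


def rotate_log_if_oversized(log_path, send_zip, max_bytes=DEFAULT_MAX_BYTES):
    """One check: rotate the log when it has reached max_bytes.

    send_zip is an assumed callback that receives the zip path (the plugin
    emails it). Returns the zip path when a rotation happened, else None.
    """
    if not os.path.exists(log_path) or os.path.getsize(log_path) < max_bytes:
        return None
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    zip_path = f"{log_path}.{stamp}.zip"
    # Compress the whole log; DEFLATE keeps the emailed attachment small.
    with zipfile.ZipFile(zip_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.write(log_path, arcname=os.path.basename(log_path))
    # Hand the archive off first; only then truncate the live log, so a
    # failure to zip or send cannot lose entries that were never archived.
    send_zip(zip_path)
    with open(log_path, "w", encoding="utf-8"):
        pass  # new blank log file
    return zip_path


def run_demo():
    """Exercise the rotation on a constructed log in a temp dir and return facts."""
    sent = []
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "bps_security.log")
        # Constructed sample entries, repeated until the file passes 500KB.
        entry = b"203.0.113.7 - [403] GET /wp-admin/ blocked by BPS\n"
        with open(log, "wb") as fh:
            while fh.tell() < DEFAULT_MAX_BYTES:
                fh.write(entry)
        # Under a very large limit nothing happens; under the default it rotates.
        skipped = rotate_log_if_oversized(log, sent.append, max_bytes=10**9)
        zip_path = rotate_log_if_oversized(log, sent.append)
        with zipfile.ZipFile(zip_path) as zf:
            archived = zf.getinfo("bps_security.log").file_size
        return {
            "skipped_when_under_limit": skipped is None,
            "zip_sent": sent == [zip_path],
            "archived_bytes_over_limit": archived >= DEFAULT_MAX_BYTES,
            "log_emptied": os.path.getsize(log) == 0,
        }
```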
What to do if Hidden Plugin Folders|Files Cron (HPF) detects a hidden plugin folder or file
If a hidden or empty plugin folder is detected or a non-standard WP file is detected then you would use FTP to check the folder or file. If the folder or file contains hacker code or is a hidden plugin or is a non-standard WP file then make a copy of it and delete it. If the plugin folder is just an empty plugin folder then delete it. If you recognize the folder or file you can use the Ignore Hidden Plugin Folders & Files textarea box option to ignore/not check this folder or file.
Does BulletProof Security work with Git distributed version control system?
Yes. BulletProof Security works with Git, but does require some additional set up steps. Please see this thread for the setup steps
Git distributed version control system setup steps
Not only is BPS a highly-effective WordPress security plugin, but also a highly-effective security-education tool. Precisely because it’s not a simple "plug-and-play", install-and-leave-it-alone plugin, but requires the user to familiarize himself with the plugin’s functions, it helps the user to gain the necessary security knowledge to protect his or her own WordPress site. It is through this very learning about the plugin’s functions that one gains the knowledge needed to be a savvy and security-conscious WordPress user, maybe even expert, eventually. And not only that, through this “training” one also gains an appreciation and foundation for gaining knowledge about cybersecurity in general. Finally, the forum is a treasure-trove of knowledge and training for the effective use of BPS. I like convenience, I like ease-of-use, but BPS tops them all because of its "training". Not for the faint-of-heart, not for the “lazy” but for the aficionado. Thanks for reading.
Since I switched to this plugin I feel much more secure
Excellent plugin. Thanks for all you do.
A great piece of software. The interface is somewhat non-standard, it will be more suitable for IT people. But the functionality itself is phenomenal. What is primary to me (other than the protection itself) is that it doesn’t slow down my WP site. It seems impossible that such an extensive and powerful plugin does not affect the speed, but it really is. I did a few tests and this is by far the fastest security plugin for WordPress. Several levels of protection, I feel safe. 🙂 I must mention that I use the PRO version. Powerful and affordable.
Not the prettiest of Security Plugins, but the one I have had no problems with. Excellent!
“BulletProof Security” is open source software. The following people have contributed to this plugin.
Contributors
- AITpro