
WordPress BulletProof Security blocks normal logins

This article was posted in: Web Hosting

WordPress Website Security Protection: BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection... hacking attempts.

While it's a nice idea, the bulk, if not all, of what this WordPress plugin does is already taken care of by ModSecurity, a WAF (Web Application Firewall) that runs on all of our servers using rulesets that are updated daily.

However, if you really want to run this plugin, then you will need to alter your .htaccess files once BulletProof has edited them.


What to change in your .htaccess files

Look for the following code block. We can't give line numbers because every .htaccess file can be different depending on what else you have installed.

# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
RewriteBase /

Change the above to:

# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$
# RewriteCond %{THE_REQUEST} HTTP/1\.0$
# RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
RewriteBase /

The reason for this is that our reverse proxy, Nginx, passes requests through to Apache as HTTP/1.0 (Nginx's default protocol when proxying to a backend). Every login request that reaches Apache therefore looks like an HTTP/1.0 request, which trips the BulletProof Security rule and blocks legitimate logins as well as bots.

Again, our built-in ModSecurity protection already covers what the above block of code does, so you can quite safely delete the whole code block instead.