Channel: BulletProof Security Forum » All Posts

BPS Changelog|Whats New

.52.6
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
WordPress Language Packs Prep: All BPS plugin .po and .mo language translation files have been deleted in preparation for new plugin Language Packs creation by the WordPress PolyGlots Team.
Removal: Obsolete BPS automated .po and .mo language translation file deletion function removed.
Visual Enhancement: BPS Plugin Logo: New logo – pulsing animated GIF image.
Visual Enhancement: jQuery :odd Selector alternate table row color for Forms in the Blue UI Theme Skin.
Core Enhancement: Apache Module Forward|Backward Compatibility fallback added for various scenarios where the Live test is blocked/ignored/rejected by Hosts.
Correction: Add Apache Module conditions to Activate Master htaccess BulletProof Mode and Activate BPS Backup BulletProof Mode Forms.
Change|Improvement: The BPS Changelog and Whats New page have been moved to BulletProof Security Forum website.
Reasons for this Changelog|Whats New page change: The BPS Changelog|Whats New page will not have to be translated by the WordPress PolyGlots Language Packs Team for each new version release of BPS; the Changelog|Whats New page will be much easier to maintain; the readme.txt file size will be much smaller in the BPS plugin; a complete history of all BPS version changes through the years will be available; and other beneficial reasons.

.52.5
Core Enhancement: Apache Module Forward|Backward Compatibility:
BPS automatically checks which Apache Modules are loaded on your server: mod_access_compat, mod_authz_core and mod_authz_host and checks availability|forward|backward compatibility and also IfModule conditions support to automatically create the correct htaccess code and files for your website|server. All BPS htaccess writing|updating|upgrading|new installations|creation|ip whitelisting, etc. htaccess code is automatically created based on Live BPS Apache Module and IfModule tests that are performed in BPS during BPS plugin upgrades and new installations to determine and create the correct htaccess code for each individual server|website. A new System Info feature has been added that performs Live tests with results and also includes a Visual Test – see New Feature: System Info page: for details. Dev Note: Live Apache Module check and automation performed in-page on htaccess Core page.

Apache Module Compatibility List of Features|Files|htaccess Code Affected:
htaccess Core: Root and wp-admin htaccess code|files creation. Custom Code in-page automated IP whitelisting.
Core: BPS plugin directory self-protection htaccess files.
Login Security: in-page automated IP whitelisting.
DB Backup: in-page automated IP whitelisting.
Maintenance Mode: in-page automated IP whitelisting, BackEnd MMode IP whitelisting.
Setup Wizard: automated htaccess code|files creation.

New Feature: System Info page: Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
The System Info Apache Modules|Directives check tests mod_access_compat, mod_authz_core and mod_authz_host availability|forward|backward compatibility and also IfModule conditions support. A visual test page (Click the View Visual Test link) has also been created to see the Apache Module|htaccess code and checks visually for troubleshooting purposes. BPS automatically detects which Apache Modules are loaded|available on your host server and creates the correct htaccess code for your particular website|server throughout all BPS htaccess files.

Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No): View Visual Test
mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: Yes
mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: Network/Multisite Rewrite Loop End Custom Code Form name field correction.
BugFix|Correction: DB Table Prefix Changer: Only allow entering numbers, lowercase letters and underscores in the Randomly Generated DB Table Prefix Form text box. Special thanks to Sathish from: Cyber Security Works Pvt Ltd for reporting a bug/security vulnerability in the DB Table Prefix Changer tool Form. Notes: You MUST be an Administrator and logged into the site as an Administrator in order to enter/test XSS html testing code in the Randomly Generated DB Table Prefix Form text box. Please do NOT actually try this test if you are using a version of BPS that is below .52.5. BPS .52.5 and above versions will only allow entering numbers, lowercase letters, and underscores for the DB Table Prefix name. If you have a BPS version below .52.5 then entering an invalid DB Table Prefix name will crash your website.
Dev Note: New condition added for Apache Module /mod-test/ folder in 403.php logging template to prevent 403 errors from being logged when Live Apache Module tests are performed|processed.
Dev Note: admin.php obsolete code removal for deny all htaccess file creation for BPS Backup and Master Backups folders.

.52.4
Submenu Name Change|Addition:
UI|UX Submenu name has been changed to: UI|UX|Theme Skin Spinner|ScrollTop WP Toolbar|SLF

Feature Improvement|Enhancement: jQuery ScrollTop Animation:
The jQuery ScrollTop Animation code now performs a conditional Browser User Agent|Rendering Engine check and uses customized jQuery ScrollTop Animation code for each Browser individually for best visual animation/appearance in each Browser. New jQuery ScrollTop animation code has been created that has much better/smoother animation overall.

New Option: Turn On|Off jQuery ScrollTop Animation:
jQuery ScrollTop Animation can be turned On or Off on the UI|UX menu/page. The jQuery ScrollTop Animation is the scrolling animation that you see after submitting BPS Forms, which automatically scrolls to the top of BPS plugin pages to display success or error messages. The jQuery ScrollTop animation code is conditional based on your Browser User Agent|Rendering Engine.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: jQuery ScrollTop Animation 404 image error correction. Special Thanks to: Mike Harrison for reporting this bug.
Dev Note: Structural Core options.php file renamed to core.php and all related URIs are now pointing to this new page.
Dev Note: HTML Structural and related CSS changes to Core pages: bps-container div and WP wrap class moved and combined.

.52.3
New Feature: Login Security & Monitoring Export|Download Login Security Table Tool:
The Export|Download Login Security Table tool exports (copies) the Login Security Table into the lsm-master.zip file, which you can then download to your computer. The lsm-master.zip file contains the lsm-master.csv file. The CSV (Comma Separated Values) file format can be opened with Microsoft Excel or other applications that can open/use CSV files.

Core Enhancement|Improvement: jQuery ScrollTop animation:
jQuery ScrollTop animation has been added to all BPS plugin pages to animate scrolling pages to top 0 after Forms are submitted so that all displayed success/error messages are visible/viewable with the exception of Forms that should display data and/or messages inpage. All major Browsers tested working fine. IE Issue: IE ScrollTop animation is not fluid/smooth.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: Pre-save Custom Code DB options (if they do not exist) for use in the Custom Code Export|Import Tools. New Installations: Pre-saved in Setup Wizard. Upgrades: Pre-saved in the BPS upgrade function.
BugFix: Login Security Search Form button unclickable due to div problem.
Improvement: Descriptive success/error message created for all Log File Logging Form code, My Notes Form, Custom Code Forms and other various Forms where a descriptive message is important vs using a general/standard WP “Settings Saved” message.
Improvement: BPS Changelog: Special Thanks to: Krzysztof Trynkiewicz – Sukces Strony for improvements to the BPS Changelog format for better readability.
Enhancement: System Info – Website Headers Check Tool display Headers result at top of page instead of inpage.
Enhancement: System Info – System checks are not performed when Website Headers Check Tool Forms are submitted.
Dev Note: Custom Code Forms now using standard Form processing code instead of WP options.php Form code.
Dev Note: New Core File: core-forms.php. New LSM Files: lsm-export.php, lsm-help-text.php.

.52.2
Setup Wizard Automation Enhancement|Improvement:
The Setup Wizard Pre-Installation Checks automatically detects php/php.ini handler htaccess code in an existing root htaccess file and creates/saves that php/php.ini handler code in BPS Custom Code and the new root htaccess file that is automatically created by the Wizard. Prior to BPS .52.2, php/php.ini handler htaccess code required additional manual steps to complete this task.

HUD Check Enhancement|Improvement: php/php.ini handler htaccess code check:
The php/php.ini handler htaccess code HUD check now displays a link to the Setup Wizard page. Clicking the link and visiting the Setup Wizard page automatically creates/saves that php/php.ini handler code in BPS Custom Code.

New Feature: Custom Code Export|Import|Delete Tools:
Export Tool: The Custom Code Export tool exports (copies) all of your Root and wp-admin custom htaccess code into the cc-master.zip file, which you can then download to your computer.

Import Tool: The Custom Code Import tool imports all of your Root and wp-admin Custom Code from the cc-master.zip file on your computer into the Custom Code text boxes and saves your imported custom htaccess code to your WordPress Database. You can unzip the cc-master.zip file on your computer to extract the cc-master.txt file for editing to add/change any custom htaccess code in the cc-master.txt file.

Delete Tool: The Custom Code Delete tool deletes all of your Root and wp-admin Custom Code from all of the Custom Code text boxes and your WordPress Database. The Delete tool can be used for troubleshooting possible invalid/bad custom htaccess code issues/problems or simply just to delete all custom htaccess code in all of the Custom Code text boxes.

New Option: Setup Wizard Options: Network|Multisite Sitewide Login Security Settings:
Network|Multisite Sitewide Login Security Settings: This option is for Network|Multisite sites ONLY. This is an independent option Form that creates and saves Login Security DB option settings for all Network sites when you click the Save Network LSM Options Sitewide button. If Login Security option settings have already been setup and saved for any Network site then those Login Security option settings will NOT be changed. If Login Security options settings have NOT already been setup and saved for any Network site then those Login Security option settings will be created and saved with default settings.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Correction: Displayed message text correction for W3TC and WP Super Cache htaccess code error check.
Enhancement: General Help and info section added to Whats New page.
Enhancement: BPS Plugin Uninstall Options on WordPress Plugins page – Uninstaller CSS class name added for modal display problem.
Dev Note: htaccess Core tab page structure/order change.
Dev Core: WP Plugins page BPS plugin description changes.
DB Backup: Additional help info regarding Export|Import of Backup Jobs DB Table.
readme.txt: Requires at least: 3.0 changed to Requires at least: 3.7

.52.1
Submenu Name Change|Addition:
BPS Main Menu > UI|UX Submenu name has been changed to: UI|UX|Theme Skin Processing Spinner WP Toolbar|SLF

Feature Name Change: RSK naming convention changed to Script|Style Loader Filter (SLF):
RSK is a bit too aggressive and is a somewhat offensive naming convention. Cool, but not cool at the same time. Script|Style Loader Filter (SLF) is a logical naming convention and is non-offensive. See the SLF Mod|Description below for additional info.

SLF Mod|Description:
In some cases, filtering other plugin and theme scripts from loading in BPS plugin pages causes the BPS plugin pages to hang severely, which means that a new issue/problem is created that is worse than the original issue/problem that SLF was designed to fix/solve. Original problem: BPS plugin pages not displaying visually correct due to other plugin or theme scripts loading in BPS plugin pages. SLF is set to Off by default. SLF has an On|Off setting under the UI|UX menu/page. See the UI Theme Skin|Processing Spinner|WP Toolbar|SLF Read Me help button for additional information.

Bonus Custom Code Dismiss Notice Enhancement|Improvement:
An additional Dismiss All Notices link|feature has been added to dismiss all Bonus Custom Code notices at the same time. Displayed message: Click the links below to get Bonus Custom Code or click the Dismiss Notice links or click this Dismiss All Notices link. To Reset Dismiss Notices click the Reset|Recheck Dismiss Notices button on the Security Status page.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Cosmetic: Undefined index PHP error suppressed for ISL and ACE User Role checkboxes when WP_DEBUG is turned On.

.52
New Menu|Page:
Idle Session Logout|Auth Cookie Expiration

New Feature: Idle Session Logout (ISL)
ISL|ACE Forum Topic: Automatically log out idle/inactive Users. ISL uses JavaScript Event Listeners to monitor User activity for these ISL events: keyboard key is pressed, mouse button is pressed, mouse is moved, mouse wheel is rolled up or down, finger is placed on the touch surface/screen and finger already placed on the screen is moved across the screen. Option Settings: Turn On|Off, Idle Session Logout Time in Minutes, Idle Session Logout Page URL, User Account Exceptions, Enable|Disable Idle Session Logouts For These User Roles: Administrator, Editor, Author, Contributor, Subscriber and Enable|Disable Idle Session Logouts For TinyMCE Editors. Click the Idle Session Logout|Auth Cookie Expiration Read Me help button for full details.
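The idle-timer pattern described above, as an added example that is not BPS plugin code: listeners for the six listed activities only record a timestamp, and a timer decides when the idle limit has been reached. The identifiers (`ISL_EVENTS`, `IdleSessionMonitor`, `onIdle`, `logoutUrl`), the DOM event names chosen for each activity and the fake clock in the demo are assumptions of this example.

```javascript
// Added example, not BPS code. DOM event names are this example's mapping of
// the six ISL activities listed above; all identifiers are hypothetical.
const ISL_EVENTS = [
  'keydown',    // keyboard key is pressed
  'mousedown',  // mouse button is pressed
  'mousemove',  // mouse is moved
  'wheel',      // mouse wheel is rolled up or down
  'touchstart', // finger is placed on the touch surface/screen
  'touchmove',  // finger already on the screen is moved across it
];

class IdleSessionMonitor {
  constructor({ target, idleMinutes, onIdle,
                now = () => Date.now(),
                setTimer = (fn, ms) => setTimeout(fn, ms),
                clearTimer = (id) => clearTimeout(id) }) {
    if (!Number.isFinite(idleMinutes) || idleMinutes <= 0) {
      throw new RangeError('idleMinutes must be a positive number');
    }
    this.target = target;
    this.limitMs = idleMinutes * 60000;
    this.onIdle = onIdle;
    this.now = now;
    this.setTimer = setTimer;
    this.clearTimer = clearTimer;
    this.running = false;
    this.timer = null;
    // Handlers stay cheap: mousemove fires constantly, so only a timestamp is stored.
    this.recordActivity = () => { this.lastActivity = this.now(); };
    this.check = () => this.evaluate();
  }

  start() {
    if (this.running) return;
    this.running = true;
    this.lastActivity = this.now();
    for (const type of ISL_EVENTS) {
      this.target.addEventListener(type, this.recordActivity, { passive: true });
    }
    this.timer = this.setTimer(this.check, this.limitMs);
  }

  stop() {
    if (!this.running) return;
    this.running = false;
    this.clearTimer(this.timer);
    for (const type of ISL_EVENTS) {
      this.target.removeEventListener(type, this.recordActivity);
    }
  }

  // Runs when the timer fires: log out, or re-arm for the time still remaining.
  evaluate() {
    if (!this.running) return;
    const idleFor = this.now() - this.lastActivity;
    if (idleFor >= this.limitMs) {
      this.stop();
      this.onIdle(idleFor);
    } else {
      this.timer = this.setTimer(this.check, this.limitMs - idleFor);
    }
  }
}

// Constructed demo: a fake clock and scheduler make the timeline deterministic.
function runConstructedDemo() {
  let clock = 0;
  let nextId = 1;
  const queue = [];
  const setTimer = (fn, ms) => { queue.push({ id: nextId, at: clock + ms, fn }); return nextId++; };
  const clearTimer = (id) => {
    const i = queue.findIndex((t) => t.id === id);
    if (i >= 0) queue.splice(i, 1);
  };
  const advance = (ms) => {
    const end = clock + ms;
    for (;;) {
      queue.sort((a, b) => a.at - b.at);
      if (queue.length === 0 || queue[0].at > end) break;
      const due = queue.shift();
      clock = due.at;
      due.fn();
    }
    clock = end;
  };

  const target = new EventTarget();   // stands in for `document`
  const loggedOutAt = [];
  const monitor = new IdleSessionMonitor({
    target, idleMinutes: 15, now: () => clock, setTimer, clearTimer,
    // In a page this would be: () => window.location.assign(logoutUrl)
    onIdle: () => loggedOutAt.push(clock),
  });
  monitor.start();
  advance(10 * 60000);
  target.dispatchEvent(new Event('mousemove')); // activity at minute 10
  advance(10 * 60000);                          // minute 20: only 10 minutes idle
  const firedEarly = loggedOutAt.length > 0;
  target.dispatchEvent(new Event('scroll'));    // not in ISL_EVENTS: does not reset
  advance(5 * 60000);                           // minute 25: 15 minutes idle
  return { firedEarly, loggedOutAt, listening: monitor.running };
}

console.log(runConstructedDemo());
```

A timer in the page only runs while the browser is executing the script; how long the authentication cookie itself stays valid is governed by the Auth Cookie Expiration setting described next.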

New Feature: Auth Cookie Expiration (ACE)
ISL|ACE Forum Topic: Change the WordPress Authentication Cookie Expiration time. The default WordPress Authentication Cookie Expiration time is 2880 Minutes/2 Days and 20160 Minutes/14 Days if a User checks the Remember Me checkbox when they log in. You can change the WordPress Authentication Cookie Expiration time to whatever expiration time setting that you choose. Option Settings: Turn On|Off, Auth Cookie Expiration Time in Minutes, Remember Me Auth Cookie Expiration Time in Minutes, User Account Exceptions, Enable|Disable Auth Cookie Expiration Time For These User Roles: Administrator, Editor, Author, Contributor, Subscriber. Click the Idle Session Logout|Auth Cookie Expiration Read Me help button for full details.

New Feature & Root htaccess File Addition: 410 ErrorDocument root htaccess code and template logging file
410 Gone Usage Info: A 410.php template logging file has been created to handle 410 Gone Requests. 410 Gone Requests are logged in the BPS Security Log file. See the 410 Gone Usage Info link above for full details on usage.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Enhancement: jQuery Custom Classes added to all BPS jQuery code.
Mod: CSS and js file name changes: -ui- used in naming convention.
Enhancement: jQuery UI Dialog Read Me Help button hide effect changed from explode to blind.

.51.9
Login Security & Monitoring Automated Email Alert Enhancement|Improvement:
Special Thanks to: mewkazoid for pointing out this useful improvement to BPS Login Security & Monitoring automated email alerts. The Login Security & Monitoring Automated Email Alert now contains additional help information about what to do if your User Account is being repeatedly locked.

Brute Force Attack General Info:
Automated Brute Force Login attacks by spambots and hackerbots are a regular and ongoing type of website attack. The volume and frequency of Brute Force Login attacks are steadily increasing and will continue to increase. Brute Force attacks make up somewhere in the neighborhood of 85 percent (probably more like 90 percent to 95 percent) of the total of all types of ongoing website attacks these days. BPS Login Security & Monitoring protects the WordPress Login page from Brute Force attacks, but if your username is publicly known/displayed or can be harvested by automated bots then your user account may get locked very frequently. Check the BPS plugin Whats New page for some additional things you can do to prevent your user account from being locked repeatedly.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: File Permissions cache issue: Root htaccess file not being re-locked when AutoLock is turned On. Special Thanks to: Mike Harrison for reporting this bug.

.51.8
Summary Only: See the BPS plugin Whats New tab page for full descriptions and details

New Feature: Setup Wizard:
The BPS plugin can be setup with literally only 1 click now on the new Setup Wizard page. Setup Wizard Pre-Installation Checks are automatically performed and displayed on the Setup Wizard page. You can re-run the Setup Wizard again at any time.

New Feature: jQuery UI Dialog Form BPS Uninstall Options:
An Uninstall Options link has been created on the WordPress Plugins page under the BulletProof Security plugin. Clicking the Uninstall Options link loads a jQuery UI Dialog Form with 2 uninstall options: BPS Pro Upgrade Uninstall option – If you are upgrading to BPS Pro, select the BPS Pro Upgrade Uninstall option and click the Save Option button or just click the Close button below and do a normal plugin uninstall. Complete BPS Plugin Uninstall option – If you want to completely delete the BPS plugin, all files, Custom Code and BPS database settings, select the Complete BPS Plugin Uninstall option and click the Save Option button.

New Option: Login Security Attempts Remaining option and Core Functionality Improvements:
New Option Attempts Remaining: You can choose to display a “Login Attempts Remaining X” message when an incorrect password is entered. This new option is enabled by default during BPS upgrades and new installations. Core Functionality Improvements: When a User Account is locked out and previous User Account logins were logged|stored in the DB, those previously logged logins and data for those DB Rows are not changed|updated and instead a new DB Row is inserted. This allows for better chronological login tracking and monitoring. Affects both Logging Options – Log All Account Logins and Log Only Account Lockouts options and allows for switching between these Logging Options without affecting functionality or causing issues/problems.

New Bonus Custom Code|Bonus Custom Code Dismiss Notice function Consolidation:
Bonus Custom Code Dismiss Notice Consolidation: Combined|consolidated all Bonus Custom Code Notices into 1 Bonus Custom Code Notice function with 1 displayed Notice message instead of having several different displayed Notices. Each Bonus Custom Code contains a link to the Bonus Custom Code and a Dismiss Notice link. Referer Spammers|Phishing Protection, Mime Sniffing, Data Sniffing, Content Sniffing, Drive-by Download Attack Protection, External iFrame and Clickjacking Protection.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
New BPS Setup & Overview Video tutorial created: BPS Setup & Overview Video Tutorial – link added on the Setup Wizard page and htaccess Core Security Modes page.
WP 4.2 Bug Reported|Ticket created with PoC (Proof of Concept) and solution provided: WP 4.2 hash anchor Bug: Hash anchors were being stripped from URIs. Solution provided to WP folks. Solution implemented by WP folks. No other issues or problems found with WP 4.2 and BPS Pro versions.
Enhancement: WP flush_rewrite_rules function added to BPS complete plugin uninstall function. Creates new default generic WP root htaccess file on BPS complete plugin uninstall.
BugFix: Dismiss Notice link correction when basename wp-admin on first Dashboard login.
Enhancement: Custom Code inpage check for default WordPress Rewrite code added in Custom Code text boxes.

.51.7
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Setup & Overview Video Tutorial Created|Added: Link to video tutorial is posted on BPS plugin Description page and htaccess Core Security Modes page.
DB Backup: Backup Files Download|Delete Form scrollable table added and additional Read Me help information added.
Inpage Status Display: Condition added to only load the Inpage Status Display on BPS plugin pages.
WP Toolbar Functionality In BPS Plugin Pages: Default Network/Multisite menu items (nodes) added.
Security Status: Inpage Status Display Turn On|Off Form action link correction to #bps-tabs-2 tab page.

.51.6
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Correction: Inpage Status Display Turn On|Off code correction.
Addition: System Info page conditional check added for: gc_enabled & gc_collect_cycles functions.
Read Me help text added for: Inpage Status Display and Reset|Recheck Dismiss Notices options.
Addition: Link to Security Modes page added to wp-admin htaccess file alert.

.51.5
Summary Only: See the BPS plugin Whats New tab page for full descriptions and details

New Feature|Visual Enhancement: Inpage Status Display
New Features|Options|Visual Enhancements: UI|UX|Theme Skin | Processing Spinner | WP Toolbar
New Feature|Option: Turn On|Off The Processing Spinner
New Feature|Option: WP Toolbar Functionality In BPS Plugin Pages
New Feature: Memory Usage and Script Completion Time Check|Display
New Features|Options|Visual Enhancements: DB Backup & Security
New Feature|Option: Create Backup Jobs: Rename|Create|Reset Tool
System Info: New Check Added | Changes
htaccess Core: Security Status Page Changes
BPS Submenu Name Change: UI Theme Skin submenu name has been changed to: UI|UX|Theme Skin | Processing Spinner | WP Toolbar

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: Dismiss Notices button/link reload current page based on Request URI or Query String.
Optimization|Performance: All BPS pages and functions.
Removal: Obsolete functions/code removed/deleted.
Dev Core: BPS plugin register scripts|styles | Enqueue scripts|styles | Dequeue plugin|theme scripts|styles loading in BPS plugin pages combined into one function. Additionally eliminated bloated individual load settings page code.
BugFix: Additional variable check for conflicting|contradictory Automatic Update message/alert issue.
Enhancement: WordPress Plugins page|BulletProof Security plugin “Settings” link name change to “Setup Steps”.
Enhancement: Maintenance Mode menu page will not be displayed if wp-admin BulletProof Mode has been disabled.

.51.4
Maintenance Mode Network/Multisite Subdomain Completion:
Maintenance Mode coding work has been completed for Network/Multisite subdomain site types. Maintenance Mode now works for every/all WordPress site types, BuddyPress and bbPress site types.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: master-backups folder creation fix for unusual scenarios.
BugFix: Automatic correction during upgrade for any existing timthumb RFI filter duplicate Referer lines.

.51.3
WordPress 4.1 jQuery UI Compatibility Code Correction:
BugFix: BPS jQuery UI Dialog Read Me help window position not centered in WordPress 4.1. Fix: Corrected the BPS jQuery UI Dialog Position Method code by adding the appropriate “my” and “at” options. Note: For anyone else experiencing this issue see this Forum Topic for the solution: jQuery UI Dialog window position not centered
Help Link Corrections: Special thanks to WordPress Member: mrppp for finding and reporting invalid help links in BPS.

.51.2
Significant Root and wp-admin htaccess File Changes: See the BPS plugin Whats New page for more details.

Root htaccess File/Code Fix:
Removal of additional instances of “BEGIN WordPress” and “END WordPress” text from the root htaccess file which caused multiple instances of the default wp htaccess code to be created in the root htaccess file when the WP flush_rewrite_rules function was executed by other plugins and themes.

htaccess Help Text Improvement Overall:
The help text throughout both the root and wp-admin htaccess files was very dated and was in need of updating. Better/clearer examples have been created in the help text. Overall the htaccess files are more streamlined and less cluttered looking visually.

Structure/Order Code Changes:
Several blocks of htaccess code have been structured differently as far as the general order/sequence of code goes in the root htaccess file and more importantly what code will remain in the root htaccess file in the event that the WP flush_rewrite_rules function is executed by another plugin or theme. There are several technical reasons for making these structure/order changes, which I will not bore you with. Basically things are structured/ordered much better for any/every possible scenario that may occur.

Note: This is a one-time BPS Update that requires manual steps to be performed.
All future versions of BPS will do the normal/typical automatic update of the BPS htaccess files. Overall we felt that creating a Notice about these significant changes vs just doing a normal automatic update was the best route to take for the primary reasons stated above and some additional reasons not stated here.

New Custom Code Text Boxes Added:
CUSTOM CODE TURN OFF YOUR SERVER SIGNATURE and CUSTOM CODE DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Enhancement: Custom Code accordion is now using tables vs CSS divs for cross Browser visual compatibility and obsolete CSS code has been removed for the CSS divs.
Improvement: Overall inpage Custom Code help text information/example improvements.
Improvement: Network/Multisite Net Correction code/check removed. No longer needed and is now obsolete.
Enhancement: Remote Address IP check added in the 403.php Security logging template. Will display current IP address for troubleshooting purposes.

.51.1
Obsolete File Deletion:
Special thanks to Pietro Oliva for finding and reporting Form code sanitization issues in the stand-alone bpsunlock.php file/Form code. The bpsunlock.php stand-alone Login Security user account unlock file/Form has been removed/deleted from BPS. After review of the usefulness of this Form it was decided that instead of spending the time to sanitize the Form code the bpsunlock.php file/Form has instead been removed/deleted from BPS.

.51
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: System Info page HTTP_HOST variable fallback for SERVER_ADDR IP address retrieval code correction. Missing gethostbyname function has been added to the HTTP_HOST variable IP address fallback and is now returning an IP address correctly.
Code Correction|BugFix|Sanitization: System Info page Check Headers Tool Form code sanitization. Special thanks to Benjamin Kunz Mejri for finding and reporting this Form code sanitization issue that needed to be corrected. Note: This fixes a “security vulnerability” that was reported in BPS version .50.8, but the security vulnerability report is incorrect/not accurate so technically this does not qualify as a legitimate security vulnerability, but does qualify as a bug so credit for reporting a bug has been given. We are very appreciative when bugs are reported to us in BPS, but we also have to maintain 100% accuracy and facts in the changelog.

.50.9
System Info Enhancements|Improvements|Additions: DNS Name Server checking code performance improvement and conditional checking added based on domain labels. Network/Multisite subdirectory/subdomain site type check added and changes to existing conditional checks. output_buffering directive variable check changed and text correction. Additional conditional checks for PHP Actual Configuration Memory Limit. Will display color coded recommendations and/or memory limits. Various naming/text changes.

htaccess Core Structural Core Changes:
Reduction in size of large Options Core file by creating additional conditional supporting files with require. Deny All htaccess file is created in the new /core/ folder on init to protect the options.php core file. Other internal Core stuff.

Security Log Design/Visual/Enhancement Changes:
Auto-Locking added to Security Log Turn On/Off Forms. The root .htaccess file is automatically locked again if it was locked. Cross Browser compatibility visual display issues/problems with Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.

Login Security Visual/Design Change:
Cross Browser compatibility visual display issues/problems with Option/Settings & Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.

DB Backup Log Visual/Design Change:
Cross Browser compatibility visual display issues/problems with Email Alerts and Log files Form. Forms are now using tables instead of individual CSS properties.

Custom Code Network/Multisite Additional Text Box:
CUSTOM CODE WP REWRITE LOOP END: Add WP Rewrite Loop End code here. This is a Special Network/Multisite Custom Code text box that should ONLY be used if the correct WP REWRITE LOOP END code is not being created in your root .htaccess file by AutoMagic. This Custom Code text box and Read Me help text is ONLY displayed if you have a Network/Multisite website.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: Backend Maintenance Mode causing crashes due to newline not being generated in some cases. Additional newline added to wp-admin backend MMode htaccess writing code base.
Removal: Removal/Deletion of obsolete usage of bps_DNS_NS() function.

.50.8
Quickie BugFix Release – released 1 hour after release of .50.7:
Network/Multisite BPS plugin Network Activation correction: Conditional wrap added for blog_id 1

.50.7
UX Change: htaccess Core Security Modes AutoMagic Buttons:
BPS automatically detects your site type and displays the correct AutoMagic buttons for your site type. Other site type AutoMagic buttons are no longer displayed on the Security Modes page.

Network/Multisite One Time Code Correction:
If you have a Network/Multisite website/installation of WordPress you will see a one time htaccess code correction Notice message displayed to you with steps to perform the one time code correction when you upgrade BPS.

Go Daddy Managed WordPress Hosting:
If you have Go Daddy Managed WordPress Hosting see the BPS Whats New tab page within the BPS plugin.

BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: Maintenance Mode countdown timer email website link correction for subdirectory websites.
Improvement: Maintenance Mode CSS visual improvements/changes/corrections.
Dev Note: WordPress 4.0 RC1 final testing completed – no issues or problems.
Removal: Delete old BPS bulletproof-security_info transient content on upgrade.

.50.6
New Option: Login Security & Monitoring Sort DB Rows:
The Ascending Show Oldest Login First option displays logins from the oldest logins to your site to the newest logins to your site. The Descending Show Newest Login First option displays logins from the newest logins to your site to the oldest logins to your site. Example usage: Enter 50 for the Max DB Rows To Show option, which will show a maximum of 50 database rows/logins to your site and set Sort DB Rows option to Descending Show Newest Login First. You will see the last 50 most current/newest logins to your site in descending order.

Enhancements: Login Security & Monitoring:
CSS max-height changed from 1000px to 600px for the scrollable Dynamic DB table. 600px is a much better/more manageable viewing area. Lock, Unlock and Delete labels for individual checkboxes in Dynamic DB search form and standard form. DB Query improvement for the Dynamic DB standard form.

New Option: htaccess Core wp-admin BulletProof Mode Enable/Disable wp-admin BulletProof Mode:
This option is ONLY for Hosts that do not allow .htaccess files in the wp-admin folder. Go Daddy Managed WordPress Hosting (not standard Go Daddy Hosting) is the only known hosting account type where this option should be set to: Disable wp-admin BulletProof Mode. For everyone else you do not need to use this option. The default setting is already set to: Enable wp-admin BulletProof Mode.

Improvement: htaccess Core root domain label retrieval/writing:
Improvement to htaccess Core code when retrieving & writing domain labels. Impact: Folks with 3+ domain label naming conventions such as: http://www.label1.label2.label3.

.50.5
Login Security Password Reset BugFix & New Option:
BugFix: The Lost your password link was not being displayed when Login Security was turned Off. New Option: Turn Off Login Security/Use Password Reset Option ONLY.

.50.4
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
DB Backup: backticks added to DB Backup Query to allow for hyphenated or other special characters in DB naming conventions.
DB Backup dynamic DB table: max-height CSS change
Login Security CSS auto-scroll: max-height CSS change
DB Table Prefix Changer: Additional check for writable files for DSO server types.
Dev Note: Root and wp-admin filter change.
Log timestamps synchronized to GMT: All log timestamps are now synchronized to GMT time.

.50.3
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Correction|Improvement: root and wp-admin .htaccess filters/rules change/correction/improvement. See the BPS Whats New tab page for more details.
Thanks goes to aselektor for spotting and reporting this.

.50.2
New Feature: DB Backup: Manual or scheduled (Hourly, Daily, Weekly and Monthly) database backups. Send DB Backups via email etc.
New Feature: DB Backup Log: The Backup Job Completion Time, Zip Backup File Name, timestamp, etc. are logged. Backup Job Settings are logged.
New Feature: DB Table Prefix Changer
New Feature: UI Theme Skin: 3 UI Theme Skins: Blue Gel Classic UI Theme, Light Grey jQuery UI Theme, Dark Black WP UI Theme.
Root .htaccess Security Filter Changes: See the BPS Whats New tab page for more details.
Login Security New Option/Option Change & Misc: Disable Password Reset Frontend Only, Disable Password Reset Frontend & Backend.
System Info page: Added MySQL Extension, MySQLi Extension check.
Change: Login Security email message text change when user account is locked.
Change: Whitelist the Debug Bar plugin debug-bar css and js scripts.

.50.1
Security Logging major changes/improvements to logging template files/code:
The Security Logging code has been significantly improved in BPS .50.1. Logging is more streamlined, performance optimized & faster than in previous BPS versions, even with the new general conditional pattern checking code added.

Security Logging Change:
As of BPS .50.1 two new Security Log Fields have been added to Security Logging: Event Code and Solution. In Phase 1 of Security Log Solution Targeting the primary focus is on detecting possible Plugin Skip/Bypass rules & wp-admin Skip/Bypass Rules issues that need/require a one-time solution. Since 99.99% of the Security Log entries are blocked/forbidden hackers, spammers, scrapers, harvesters, miners, bad bots, etc. then the Security Log checking conditions can and should be streamlined/performance optimized by only looking at pattern matches in a broad scope.

New Feature and Corrections: Maintenance Mode Accordion:
Maintenance Mode Accordion created for better functionality/usability. Code correction: Maintenance Mode website name not displayed in the reminder email. Code correction: Maintenance Mode Apostrophes/single quote code character displayed with an escape backslash.

New Bonus Custom Code/Dismiss Notice: WordPress XML-RPC DDoS Protection:
Special Thanks goes to Gary Gordon for reporting the recent WordPress XML-RPC exploits/attacks. The XML-RPC DDoS PROTECTION Bonus Custom Code .htaccess code completely turns off/disables IXR-RPC Client/Server capabilities on a website by protecting the WordPress xmlrpc.php file from being publicly accessible, which prevents the IXR XML-RPC Client/Server connection. Using this Bonus Custom Code will turn off/disable remote posting capability from Weblog Clients (A Weblog Client is software you run on your local machine (desktop) that lets you post to your blog via XML-RPC), unless you add (whitelist) your IP address in the XML-RPC DDoS PROTECTION Bonus Code.

New Dismiss Notice Added: WordPress Firewall 2 plugin check:
The WordPress Firewall 2 plugin contains a coding mistake and has not been updated in over 3 years. The wp-admin area is supposed to be whitelisted by default, but that code is not working correctly, which breaks several things in the BPS plugin. The Dismiss Notice will alert users to this existing problem.

New/Updated Help & FAQ Help Links:
Help & FAQ tab pages have updated links, old/outdated links removed, etc.

.50
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix: Maintenance Mode str_replace has been changed to dirname for GWIOD site types to get the site root index.php file path
Special Thanks go to Eddy Estevez for reporting this bug.

.49.9
New Feature: Maintenance Mode – FrontEnd/BackEnd Maintenance Mode:
The previous Maintenance Mode feature in BPS has been completely removed/replaced with the new Maintenance Mode feature in BPS .49.9. This is a completely new BPS feature. The new BPS Maintenance Mode design includes 20 background images, 15 center images (text box image), allows you to embed image files and YouTube videos, FrontEnd Maintenance Mode, BackEnd Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes and most importantly is fast and simple to use so that you can switch in and out of Maintenance mode quickly and easily. Background image files/options and Center images (text box image) are independent of each other so that you can mix and match different background images with different Center images (text box image).

New Headers check tool added to the System Info page:
Check your website Headers or another website’s Headers by making a GET Request. Both GET and HEAD Headers checking is now available on the System Info page.

New System Info checks:
Standard/GWIOD Site Type, BuddyPress and bbPress. If GWIOD site type display WordPress Address (URL) and Site Address (URL).

BPS Plugin/Theme Script Dequeue function added:
Dequeue any/all other plugin or theme scripts that attempt to load in BPS plugin pages: A new BPS function has been added that dequeues any/all other plugin or theme scripts in BPS plugin pages ONLY. Other plugin or theme scripts loading in BPS plugin pages cause a wide variety of problems for BPS, such as broken plugin functionality, broken menus and pages not displaying visually correct. The BPS Dequeue function only runs in BPS plugin pages, is only designed to prevent other plugins or themes from loading their scripts in BPS plugin pages, and does not run anywhere else or affect anything else on a website.

Security Log Code Correction/Enhancement:
Security Log User Agent/Bot filter auto-updated during BPS upgrade: The BPS 403.php Security Log template file is replaced during BPS plugin updates/upgrades, which is normal WordPress plugin update/upgrade procedure. The BPS 403.php Security Logging template is now auto-updated during BPS plugin upgrades/updates and automatically adds any previously added/saved User Agent/Bot filters to the new 403.php template file if any User Agents/Bots to Ignore/Not Log were previously added/saved.

W3TC and WPSC Error checking/messages modified to reflect current version error checking:
Several things have changed in BPS .49.9 relating to W3TC and WPSC and related error messages.

DB Table datatype Issue/problem affects SQL Server (not MySQL) only:
CREATE TABLE Query id column datatype has been changed from mediumint(9) to bigint(20).

Backup & Restore page/other misc pages:
Master File backups and checks are obsolete and have been removed from BPS .49.9.

htaccess Core Security Modes page:
Descriptive titles added to Radio buttons for BulletProof Modes: Root Folder BulletProof Mode, wp-admin Folder BulletProof Mode, Master htaccess BulletProof Mode and BPS Backup BulletProof Mode.

Feature Request by Daedalon:
Unused po & mo Language files automatically deleted: Unused po & mo Language files are automatically deleted on page access for these BPS pages: htaccess Core, Login Security, Security Log and Maintenance Mode.

.49.8
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Custom Code Code Correction: ENT_QUOTES flag added to Custom Code AutoMagic variables to convert Single Quote HTML entities stored in the DB back to characters during AutoMagic File writing.

.49.7
Network/Multisite Plugin Network Activation or Single subsite Plugin Activation:
As of BulletProof Security .49.7, the BPS plugin can be Network Activated or you can allow the BPS plugin to be activated individually on each Network/Multisite subsite or of course you can choose not to Network Activate BPS or allow the BPS plugin on subsites.

New AutoMagic WP 3.5+ Network/Multisite .htaccess code:
BPS AutoMagic buttons automatically write the correct Network/Multisite root .htaccess code for your site based on your WordPress version.

Network/Multisite New Feature Notice:
BPS can now be Network Activated on Multisite: This Network / Multisite New Feature Dismiss Notice displays on Network/Multisite only to alert Network/Multisite site owners about the new Network Activation capability in BPS.

CSS Visual Style Changes for WP 3.8+ MP6 & Pre 3.8 WP Versions:
WordPress 3.8 is using the new MP6 GUI. A BPS 3.8 CSS stylesheet has been created to visually display things correctly in WordPress 3.8. BPS will automatically load the correct CSS stylesheet for your WordPress version. CSS visual enhancements were also created for pre WordPress 3.8 versions. See the BPS Whats New page for more details.

.49.6
Bonus Code Dismiss Notice Added: Author ID / User ID / Username BOT Probe Protection Code:
Protects against hacker Bot Probes looking for WordPress author enumeration (a numbered list of Author ID’s / User ID’s) to exploit.
Generates a standard WordPress 404 Error instead of displaying Author ID’s / User ID’s / Usernames.

Root .htaccess File code modifications/changes: See the BPS Whats New page for more details.

OLD: RedirectMatch 403 /\..*$
NEW: RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$

BPS Query String Exploits Code Changes
OLD: RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
NEW: RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]

OLD: RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
NEW: RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]

OLD: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
NEW: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]

OLD: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
NEW: RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
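The effect of the four RewriteCond changes above can be checked by running the OLD and NEW patterns side by side over sample query strings. This is an added example, not BPS code: the patterns are copied from the lines above, the rule names, function names and sample query strings are constructed for illustration, and Python's `re` module stands in for Apache's regex engine.

```python
import re

# (name, OLD pattern, OLD flags, NEW pattern, NEW flags), copied from the .49.6 entry.
# The rule names are labels invented for this example.
# [NC] in mod_rewrite means case-insensitive matching, modelled with re.IGNORECASE.
RULES = [
    ("traversal",
     r"(\.\./|\.\.)", 0,
     r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", re.IGNORECASE),
    ("system-dir",
     r"(\./|\../|\.../)+(motd|etc|bin)", re.IGNORECASE,
     r"(\.{1,}/)+(motd|etc|bin)", re.IGNORECASE),
    ("remote-url",
     r"[a-zA-Z0-9_]=http://", 0,
     r"[a-zA-Z0-9_]=http://", re.IGNORECASE),
    # The character class already lists both cases and the rest of the pattern
    # has no letters, so adding NC does not change what this one matches.
    ("param-traversal",
     r"[a-zA-Z0-9_]=(\.\.//?)+", 0,
     r"[a-zA-Z0-9_]=(\.\.//?)+", re.IGNORECASE),
]


def evaluate(query_string):
    """Return {rule name: (old_hit, new_hit)} for one query string.

    The string is tested exactly as given: mod_rewrite compares QUERY_STRING
    as it was sent, without percent-decoding, which is why the NEW traversal
    pattern spells out the %2e / %2f variants itself.
    """
    return {
        name: (bool(re.search(old, query_string, old_flags)),
               bool(re.search(new, query_string, new_flags)))
        for name, old, old_flags, new, new_flags in RULES
    }


def changed(query_string):
    """Names of the rules whose verdict differs between OLD and NEW."""
    return sorted(name for name, (old_hit, new_hit)
                  in evaluate(query_string).items() if old_hit != new_hit)


# Constructed sample query strings (not taken from any real log).
SAMPLES = [
    "page=../../etc/passwd",         # plain traversal: blocked before and after
    "page=%2e%2e%2fconfig",          # percent-encoded traversal: only NEW blocks
    "page=%2E%2E%2Fconfig",          # upper-case hex: NEW blocks because of NC
    "v=1..2",                        # bare ".." with no slash: only OLD blocked
    "img=HTTP://example.invalid/x",  # upper-case scheme: NEW blocks because of NC
    "path=rel.1/bin",                # OLD's unescaped "." matched ".1/": only OLD blocked
]

if __name__ == "__main__":
    for qs in SAMPLES:
        diff = changed(qs) or ["(no change)"]
        print(f"{qs:32} verdict differs for: {', '.join(diff)}")
        for name, (old_hit, new_hit) in evaluate(qs).items():
            print(f"    {name:16} old={'403' if old_hit else 'pass'} "
                  f"new={'403' if new_hit else 'pass'}")
```

The output shows the change working in both directions: the NEW conditions add the percent-encoded and upper-case variants, and they stop matching benign strings that the looser OLD patterns caught.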

.49.5
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Reverting: Brute Force Login Protection code is now optional/Bonus Code again. BPS will not automatically add this code as standard code in the root .htaccess file. The Brute Force Login Protection Custom Code text box will remain for folks who can use this code on their websites. See the BPS Whats New page for more details.

.49.4
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
Correction: Code Mod to Brute Force Login Protection code to allow for the widest possible range of compatibility.

.49.3
New Feature: Security Log zip, email and delete/replace option:
Security Log files are automatically zipped, emailed and replaced with a new blank security log file when they reach the maximum file size setting on the Security Log page. During the BPS upgrade this is automatically set to zip and email log files when they reach 500KB in size.

Structural/Menu Changes:
The Security Log & System Info tab pages have been moved out of htaccess Core and now have their own separate pages/menu links.

New standard root .htaccess code added:
Server Protocol HTTP/1.0 and blank User Agent htaccess BRUTE FORCE LOGIN PAGE PROTECTION code is now standard .htaccess code in the BPS root .htaccess file.

New BPS Custom Code Text box added:
A new Custom Code Text box has been added: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION.

Check Headers Tool added to the System Info page:
This tool allows you to check your website Headers or another website’s Headers remotely.

New System Info page check: Public IP|X-Forwarded-For check:
If you are using CloudFlare on your website then you will see Proxy X-Forwarded-For IP Address: instead of Public ISP IP / Your Computer IP Address: displayed to you. This additional check is for troubleshooting issues with CloudFlare, CDN, Proxy or VPN.

PHP mysqli_get_client_info function additional check:
Additional function checking code has been added in cases where the mysqli_get_client_info function is not available on a Host Server.

.49.2
Dismiss Notice text corrections: S-Monitor page text changed to Security Status page
W3TC & WPSC Alerts text corrections: Edit/Upload/Download page text changed to htaccess File Editor page
Dev Core: Several BPS functions renamed for uniqueness/no-conflict assurance
Deprecated: PHP 5.5.x Deprecated function replacement file options.php: mysql_get_client_info replaced with mysqli_get_client_info
Deprecated: PHP 5.5.x Deprecated function replacements file bpsunlock.php: New code using MySQLi instead of MySQL

.49.1
BugFixes|Code Corrections|Enhancements|Misc|CSS|Visual|Other:
BugFix|Correction: Backup folder path correction on Backup & Restore page
Enhancement: WP Filesystem API Method will display the WordPress Filesystem Method in use. For DSO Server troubleshooting additional fields will be displayed if the Script Owner and File Owner ID’s do not match.
Improvement: Custom Code help text changes
Enhancement: Custom Code additional error checking
htaccess auto-writing additions: Additional root htaccess file placeholders/markers added
New Dashboard Dismiss Notices: Sucuri 1-click Hardening, Broken Link Checker, phpini handler, Speed Boost Custom Code, Custom Permalinks check
BugFix|Correction: Dashboard Alerts are now only displayed to Administrators. Editors, Authors, etc will no longer see Alerts
Core Change: The htaccess Core Edit/Upload/Download tab page has been renamed to htaccess File Editor.
Removal:  The File Upload & Download features have been removed from the new htaccess File Editor page since these features/options are obsolete.
Visual Enhancements: AutoMagic font size increased, etc.

.49
Security Vulnerability|BugFix|Patch: HTML rendered in Security Log file via Logged Header Fields
Special Thanks goes to Jacek Sowinski via Secunia SVCRP for discovering this vulnerability.
Solution|Fix: Security Log logged Header Fields are now HTML escaped

.48.9
New Options: 2 New Login Security Options Added:
Error Messages: Choose to display Standard WP Login Error Messages or Generic Error Messages.
Password Reset: Enable or Disable Login Password Reset capability. This option also includes additional Stealth Mode capabilities. Please read the Blue Read Me help button on the BPS Login Security page for a full description and additional help information.

Login Security Bug Fix/Code Correction: Using the /wp-login.php URL no longer generates an initial login error.

New Dismiss Notice: Brute Force Login Protection Code: At some point the Brute Force Login Protection code will be standard in BPS .htaccess files. For now a dismiss notice has been added with a link to the Brute Force Login Protection code.

Additional error checking & Overall Code Improvements: Really too many things to list so in general BPS .48.9 is more streamlined, has better/additional error checking and overall code improvements throughout BPS.

.48.8
Code|Help Text Corrections:
Corrected Help Text typos in Custom Code.
Code Correction for the Network/Multisite menus / pluggable.php issue

.48.7
Improvement: Auto-update now displays ONLY – The BPS Automatic htaccess File Update Completed Successfully!
The old Dashboard Alert has caused a lot of confusion so it is now history

.48.6
Custom Code Additions|Improvements:
Custom Code now includes additional Text Areas/Text Boxes for every possible section of code in the Root and wp-admin .htaccess files.
A jQuery Accordion has been added to Custom Code to ensure that the correct Custom Code Text Areas/Text Boxes are being used, better functionality and visual enhancement.
Windows IIS check/dismiss notice. Displays a dismissable alert for folks who have Windows IIS Servers that allow .htaccess rewriting or have ISAPI_Rewrite installed which allows/converts .htaccess rewriting.
Reset / Recheck Dismiss Notices added to Security Status page

.48.5
Bug fix: Conditional wrap added to /includes/login-security.php

.48.4
Login Security & Monitoring:
Log All User Account Logins or Log Only User Account Lockouts.
Logged DB Fields: User ID, Username, Display Name, Email, Role, Login Time, Lockout Expires, IP Address, Hostname, Request URI
Email Alerting Options: User Account is locked out, An Administrator Logs in, An Administrator Logs in and when a User Account is locked out, Any User logs in when a User Account is locked out, Do Not Send Email Alerts
Login Security Additional Options: Max Login Attempts, Automatic Lockout Time, Manual Lockout Time, Max DB Rows To Show, Turn On/Turn Off
Dynamic DB Form: Lock, Unlock, Delete
Enhanced Search: Allows you to search all of the Login Security database rows/Fields
Stand-alone Unlock Form bpsunlock.php: Unlock User Accounts without having to be logged into the WP Dashboard
Please click the Login Security Blue Read Me help button for full descriptions of all features and options.

.48.3
jQuery Code changes for the new jQuery version in WordPress 3.6

.48.2
BugFix: Turn On/Off Error logging pattern match correction to include all possible scenarios
BugFix: ErrorDocument 401 default added/removed on Turn Error Logging On/Off

.48.1
Security Log: Add / Remove User Agents/Bots to Ignore/Not Log or Allow/Log
New htaccess code: ErrorDocument 401 default
General Coding Improvements & Enhancements

.48
BugFix: facebook externalhit_uatext.php script/error log fix
Enhancement: 400, 403 and 404 Error Logging templates modified
General Coding Improvements & Enhancements

.47.9
Security Logging / HTTP Error Logging On / Off buttons added
Turn Security Logging / HTTP Error Logging On or Off on the Security Log page
Russian Translation by EyeFinity
General Coding Improvements & Enhancements

.47.8
Security Logging / HTTP Error Logging – Log 400, 403 and 404 Errors
Security Logging / HTTP Error Logging Dashboard Alert – log file size
IMPORTANT: NEW root .htaccess file code automatically created/modified on upgrade
Additional System Info Check Added: cURL Extension
General Coding Improvements & Enhancements

.47.7
IMPORTANT UPDATE: .htaccess FILE UPDATE FOR WordPress 3.5
BPS Root htaccess code WP 3.5 BugFix: visual and text editor display blank boxes
Problem: Square Bracket filters are blocking the visual and text editor
Solution: Square Brackets are automatically removed from .htaccess files/filters on upgrade to .47.7

.47.6
BPS Master htaccess Folder Deny All .htaccess security protection automated
BPS Backup Folder Deny All .htaccess security protection automated
Turn On AutoLock / Turn Off AutoLock options/buttons added
General Coding Improvements & Enhancements
Visual Improvements/Enhancements

.47.5
General Coding Improvements & Enhancements:
WordPress 3.5 pre-release coding added
Visual Improvements/Enhancements
jQuery coding Improvements/Enhancements
.htaccess code Additions and Improvements
Anti-Comment Spam .htaccess coding added
DNS Host Name Check for htaccess file auto-lock
Screenshot image files moved to the assets folder to reduce plugin size for speedier upgrades

.47.4
Improved and Extended Automatic htaccess File Upgrading
No need to reactivate BulletProof Modes when upgrading
Automatic updating from .46.9 to the current version of BPS
Additional System Info Checks Added:
Zend Engine Version, Zend Guard/Optimizer, ionCube Loader, Suhosin, APC, eAccelerator, XCache, Varnish, Memcache and Memcached
System Info Checks: check if extensions are installed, loaded, enabled or disabled
Additional Memory Limit Checks: WordPress Admin Memory Limit, WordPress Base Memory Limit and PHP Actual Configuration Memory Limit

.47.3
.47.2 Automatic .htaccess file updating on upgrade installation added
No need to reactivate BulletProof Modes when upgrading
.47.2 New htaccess security filter added automatically during upgrade
.47.3 New htaccess security filter added automatically during upgrade
.47.3 Deny All protection automatically activated for BPS Master /htaccess folder
WP Dashboard Alerts – Root and wp-admin htaccess file checks

.47.2
Automatic .htaccess file updating on upgrade installation
No need to reactivate BulletProof Modes when upgrading
New htaccess security filter added automatically during upgrade
WP Dashboard Alerts – Root and wp-admin htaccess file checks
Lithuanian Language Translation by Vincent G from Host1Free.com

.47.1
A very minor coding mistake – A superglobal did not have html entities escaped
No reported problems or issues
Sincere thanks to SiNA Rabbani for discovering this coding mistake
Sincere thanks to Jon and Mark from WordPress.org as well for assistance

.47
View the Whats New page in BPS for the latest changes to BPS
No changes have been made to either the Root or wp-admin .htaccess files
i18n Language Translation Coding Added
Language Translation Tutorial link added to the Whats New page in BPS
Coding improvements / enhancements

.46.9
Significant changes to both the Root and wp-admin .htaccess files
Create new Master .htaccess files with AutoMagic and activate all BulletProof Modes.
NEW Custom Code feature added to BPS
Coding improvements / enhancements

.46.8
New TimThumb .htaccess code allows internal image requests but Forbids RFI hacking attempts
BPS is no longer Forbidding TimThumb thumbnailer scripts by default
DNS Name Server check on System Info page
Coding improvements / enhancements
WP Rating and Download Stats added to BPS
CSS nick nacks

.46.7
New jQuery Dialog Read Me Help buttons have been created to replace the old Hover ToolTips
WP_CONTENT_DIR replaces ABSPATH path for sites that have moved wp-content to another location
.htaccess Return Carriage filter modified
.htaccess Slash-Jack filter modified
Several new pop up confirm messages have been added throughout BPS for forms that perform critical operations
Several new SAPI types have been added to CGI and DSO checking
AutoMagic for Network / Multisite sub domain sites is no longer writing the wp-admin forbid coding
Link to Sucuri Malware Website Scanner added
BPS is Forbidding Thumbnailer Scripts by Default
To enable Thumbnailer Scripts see root .htaccess file

.46.6
Cookie filter removed from BPS QUERY STRING EXPLOITS
Explicit “exec” and “execute” filter removed from BPS QUERY STRING EXPLOITS
non-GPL Javascript Countdown Timer removed
BPS is Forbidding Thumbnailer Scripts by Default
To enable Thumbnailer Scripts see root .htaccess file

.46.5
Massive amount of new security filters
Complete restructuring of how .htaccess Rewriting is processed to work with WP
Network / Multisite AutoMagic buttons added
Network / Multisite code added for Super Admins – display BPS menus to Super Admins only
New System Info information added
File permission checking and recommendations for CGI or DSO – SAPI detection
File Lock / Unlock buttons – Read Only root .htaccess – CGI / DSO SAPI detection
Help info updated
Updated Whats New

.46.4
Network / Multisite detect with additional help info
chmod 0644 added to copy function for default, secure and wp-admin htaccess files
Fixed CSS display issues for WP versions 3.2+
Replaced PP donate link with BPS Pro Upgrade link
Replaced BPS Pro Modules page with BPS Pro Features page
Security Status print output instead of var_dump
Help info updated
Other CSS changes
Updated Whats New

.46.3
BPS Security Top Level Menu added
Whats New page was added – Read the new Whats New page for details about the latest changes to BPS
BPS Master htaccess file changes
Maintenance Mode page changes – Form settings saved to the WP DB
HUD, W3TC and WPSC – Heads Up Display checks / messages changes / additions
wp-admin htaccess file removal added
My Notes page was added

.46.2
Additional new .htaccess security coding and modifications added to the BPS master .htaccess files
New plugin conflict permanent fixes added to the secure.htaccess Master file
BulletProof Security is now fully AutoMagic and still offers full manual control

.46.1
Additional new .htaccess coding and modifications added to the BPS master .htaccess files
New plugin conflict permanent fixes added to the secure.htaccess Master file
Maintenance Mode is AutoMagic – Completed the Maintenance Mode page …finally
Create the Maintenance Mode Under Maintenance page from within the Dashboard
Preview your Website Under Maintenance page from within the Dashboard
New System Information Displayed – WordPress Installation Folder, WordPress Installation Type and WP Permalink Structure Checks and displayed info
Heads Up Display (HUD) created
Improved Error and Warning messages
Major Core code improvements
nick nack core code fixes and improvements
New Help and FAQ links – new help pages created on AIT-pro

.46
New File Uploader code written – no longer using Uploadify code
New File Downloader code written – no longer using Zubrag code
File Uploader is AutoMagic – no setup required
File Downloader is one-click – no setup required
Major overhaul of the core BPS coding
!!! Special Thanks to Jon Cave !!! for finding a CSRF security vulnerability in BPS .45.9 that has now been eliminated in BPS .46 with new coding, and also for excellent coding advice to improve BPS even more and making the entire WordPress Community a safer and better place
New permanent plugin conflict fixes added to master .htaccess files

.45.9
Critical Update: Security Patch Release

.45.8
Permanent Backup and Restore options added – permanent online backup and restore
Permanent Backup and Restore for all .htaccess files
Permanent Backup and Restore for File Uploader and File Downloader setup settings
Additional new .htaccess coding and modifications added to the BPS master .htaccess files
New plugin conflict permanent fixes added to the secure.htaccess Master file
WordPress readme.html and /wp-admin/install.php are now protected by BulletProof Security
Improved Success / Error messaging – more detailed success / error messages displayed
New Help and FAQ links added – New detailed Help and Info pages created

.45.7
Additional .htaccess coding filters added to the BPS master .htaccess files
File Editor added – Edit the BPS .htaccess files from within the WP Dashboard
File Uploader added – Upload files from within the WP Dashboard
File Downloader added – Download files from within the WP Dashboard
Deny All BulletProof Security Modes added for the /htaccess folder and /backup folder
Nick Nacks, etc.

.45.6
New SQL Injection hacking method blocked – New code added to master .htaccess files
This update protects against this latest new SQL Injection hacking method
Installing BPS does not activate the new BPS .45.6 .htaccess files
After installation please activate the BPS .45.6 BulletProof modes
Please download your current htaccess files first before activating BPS .45.6 Security Modes

.45.4|.45.5 Re-release SVN issue|problem
BugFixes: W3 Total Cache, Simple Facebook Connect, Ozh’ Admin Drop Down Menu, ComicPress
Permanent coding fixes incorporated into master htaccess files to replace workarounds
Additional mission critical PHP Info checks added
Php.ini and php5.ini files are now protected by BulletProof Security
Updated BPS help files – AITpro.com site help files pending
nick nacks here and there

.45.3
More Query String Exploit Filters added to BPS Master .htaccess files
Options -Indexes added to BPS Master .htaccess files at user requests
Added IP address display to maintenance mode javascript countdown timer display
No need to click Update Permalinks anymore for Maintenance Mode – RewriteRule override added

.45.2
New Apache Directives for PHP5 added to the .htaccess master files
Maintenance mode master .htaccess code modified – RewriteCond to load new background png
Maintenance Mode log in / log out issue fixed – Log in / out of your Dashboard in Maintenance Mode
Website Under Maintenance coding modifications and visual design enhancements
Background Graphic for Website Under Maintenance page created and added in the installation
Minor cosmetic nicks nacks fixed here and there
Help files and hover tool tips help info updated
Tested on WordPress 3.1-alpha – no issues or problems

.45|.45.1 Re-release SVN issue|problem
BugFix: for version check of BPS .htaccess master file
BugFix: for wp-config.php check based on BPS .htaccess version
BugFix: BPS plugin uninstall issue fixed
BugFix: BPS Widget configuration issue fixed
Completely recoded with WordPress 3.0 coding enhancements and improvements
Completely new sophisticated visual design and look
jQuery UI Tabbed Menu with CSS Hover Menu Buttons – see screenshot
New Messaging Display System added
.htaccess code added to master files to .htaccess protect wp-config.php
WordPress DB error on / off checking and verification status display
WordPress version is not displayed – remove_action('wp_head', 'wp_generator');
WP generator meta tag removed – remove_action('wp_head', 'wp_generator');
Administrator username “admin” check
System information page displays PHP, MySQL, Server Info, etc. – see screenshot
Security Status page added – see screenshot
Help & FAQ page added
BPS Pro Modules page added – BPS Pro Modules are installed separately
New BPS .45.1 Guide created @ AIT-pro.com

.44.1
If you are upgrading from .44 to .44.1 download the /htaccess folder first before upgrading and upload it back to the BulletProof plugin folder after you have upgraded to .44.1.
Added Backup form function – backs up users original existing htaccess files
Added Restore form function – restores users original existing htaccess files
Backup folder added for backed up original htaccess files
Removed links from all ToolTips except for the top Read Me! hover ToolTip

.44
First version release of BulletProof Security
Extensive Read Me! help hover ToolTips added to the BulletProof plugin page
Visual and coding Enhancements made to the BulletProof Maintenance page
Function check_perm redeclare conflict fixed

