[Plugin: BulletProof Security] Bulletproof Security Took Down Main Site

.htaccess files are not exclusive to WordPress. https://en.wikipedia.org/wiki/Htaccess

FYI – the disadvantages performance loss info on that Wiki page is incorrect. .htaccess files do not cause a performance loss and whether or not the httpd.conf or the .htaccess file contain the rules it does not make any difference – there is no performance loss when using .htaccess files. Thousands of lines of .htaccess code can be processed in milliseconds. ??

“…apart from 1 where the blog was installed in sub-directory and was a small part of a larger PHP driven e-commerce site…”

If you put an .htaccess file in a folder then all the files in that folder will follow the security rules in that .htaccess file.

If your other php application or platform requires it’s own specific .htaccess rules then you can create those using the BPS built-in .htaccess File Editor. Usually a good site architecture will keep separate apps in separate folder as sharing folders can be problematic when trying to apply website security to each different app. And in general you should have all apps in self contained environments / directories / folders.

If a Parent folder has an .htaccess file created in it then the subfolders of that parent will also have the .htaccess security rules applied to them.
If you add an .htaccess file in a Child folder of a Parent folder then the Child folder will follow the security rules of it’s own .htaccess file instead of the Parent .htaccess file.

When you use AutoMagic to create your Master .htacess files and then Activate them with BulletProof Modes. The Master files are copied to the respective folders for that site ONLY >>> 1 .htaccess file is copied to the Root folder for that site and 1 .htaccess file is copied to the /wp-admin folder for that site. The Deny All .htaccess files protect BPS files themselves and are copied to BPS Plugin folders.

Clarification >>> this is what the Apache website is saying verbatim from the Reference link for that statement regarding an .htaccess file causing a performance loss.

“In general, you should never use .htaccess files unless you don’t have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.”

So what is incorrect about the statement on the Wiki page is that the statement should say specifically that a performance loss will be experienced if you use an .htaccess file for authentication purposes. And I think it is relevant to mention that the performance loss when using an .htaccess file for authentication purposes would be in milliseconds. ??

And this is also relevant – W3TC and SuperCache use .htaccess rules to significantly improve website performance. ?? The BPS .htaccess security rules focus only on security, so they neither slow down or speed up website website performance – they ONLY handle website security.

I understand how .htaccess files work. What I don’t understand is why BPS would create .htaccess files that affect folders higher in the a hierarchical structure than where WordPress is installed? Our blog is installed in /blog directory and BPS .htaccess files affected / root directory. The offending .htaccess file was actually in /blog/wp-admin/ and now I would like to know if any other .htaccess files were created by BPS that are outside of the WordPress directory?

When you create .htaccess files for a site in the /blog folder then you will have 2 .htaccess files created >>> 1 in /blog/.htaccess and 1 in /blog/wp-admin/.htaccess.

What you just stated is not possible. Only folders from /blog and below would have .htaccess security rules applied to them. Your Root folder for your Hosting Account / Domain Root cannot be affected by an .htaccess file in a child folder – that is not possible.

Although if you incorrectly created .htaccess files in your /blog folder that are somehow rewriting to the / root folder then i could see that that could cause problems, but that would only be URL rewriting and not security filter issues.

BPS only creates the 2 files i mentioned above in the location i mentioned above because that is what the coding is coded to do and it cannot magically do something that it is not coded to do.