BPS SECURITY / HTTP ERROR LOG

The most likely causes are either the ErrorDocument .htaccess code does not exist in your root .htaccess file, your Host does not allow the ErrorDocument .htaccess directive on your website or you have the Sucuri plugin installed and you are using the wp-content 1-click hardening option:

https://forum.ait-pro.com/forums/topic/security-log-no-log-entries-security-log-is-not-logging-errors/

Permalinks structure : /%category%/%postname%.htm

example.com/;union : error logging not working in BulletProof, but it’s ok in Better WP Security log !

No Sucuri plugin installed.

Creating new Master htaccess files and… No change ??

In htaccess root :

ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
ErrorDocument 401 default
ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
ErrorDocument 404 /404.php

NB : “File Open and Write test successful! Your Security Log file is writable.”

If you are using another plugin to log errors then most likely the errors will be logged by that plugin and not BPS. So I assume Better WP Security is overriding BPS security logging and handling this instead. So basically I guess you would just use Better WP Security error logging instead of BPS Security logging. Typically when 2 plugins are doing the same or similar thing then 1 will override the other.

I love BulletProof… I want use it ! I erased Better WP Security but… Always BulletProof log doesn’t work ??
How fix ?

Click the Create secure.htaccess File AutoMagic button and activate root folder BulletProof Mode again to ensure that your root .htaccess file has all the correct .htaccess code.

The simplest way to test if Security logging is working is to use this string in your Browser’s address bar:
Replace example.com with your actual domain name.
example.com/index.php?sp_executesql

“Click the Create secure.htaccess File AutoMagic button and activate root folder BulletProof Mode again to ensure that your root .htaccess file has all the correct .htaccess code.”

Check : ok.

“in your Browser’s address bar:
Replace example.com with your actual domain name.
example.com/index.php?sp_executesql”

403 display, but nothing in HTTP ERROR LOG ??

Ok then most likely your Host does not allow the .htaccess ErrorDocument directive to be used on your website or your Host is intercepting those 403 redirects and logging them in the Host Server error document log file. Ask your Host if they are restricting/blocking the .htaccess ErrorDocument directive.

My website is hosting on my VPS (with PleskPanel)

Are you saying that you have access to the httpd.conf file? If so, post your AllowOverride directive code in your httpd.conf file.

https://httpd.apache.org/docs/current/mod/core.html#allowoverride

in log Host Server (for 403) :

[warn] [client 86.71.213.211] mod_fcgid: stderr: PHP Fatal error: Cannot redeclare bps_Master_htaccess_folder_bpsbackup_denyall() (previously declared in /var/www/vhosts/mydomainname.com/httpdocs/wp-content/plugins/bulletproof-security/includes/functions.php:12) in /var/www/vhosts/mydomainname.com/httpdocs/wp-content/plugins/bulletproof-security/includes/functions.php on line 27

/etc/apache2/httpd.conf :

<IfModule mpm_prefork_module>
ServerLimit 500
StartServers 30
MinSpareServers 30
MaxSpareServers 50
MaxClients 100
MaxRequestsPerChild 700
</IfModule>

Nothing else in https.conf at /etc/apache2/

/etc/apache2/apache2.conf :

#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See https://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "foo.log"
# with ServerRoot set to "/etc/apache2" will be interpreted by the
# server as "/etc/apache2/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:https://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
LockFile ${APACHE_LOCK_DIR}/accept.lock

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
## 

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
StartServers       1
MinSpareServers    1
MaxSpareServers    5
MaxClients        10
    MaxRequestsPerChild   0
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
#              graceful restart. ThreadLimit can only be changed by stopping
#              and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers       1
MinSpareThreads    1
MaxSpareThreads    4
    ThreadLimit          64
    ThreadsPerChild      25
MaxClients        10
    MaxRequestsPerChild   0
</IfModule>

# event MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_event_module>
StartServers       1
MaxClients        10
MinSpareThreads    1
MaxSpareThreads    4
    ThreadLimit          64
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# Include module configuration:
Include mods-enabled/*.load
Include mods-enabled/*.conf

# Include all the user configurations:
Include httpd.conf

# Include ports listing
Include ports.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
Include conf.d/

# Include the virtual host configurations:
Include sites-enabled/
GracefulShutDownTimeout 3
AddOutputFilter INCLUDES .shtml
AddType text/html .shtml
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

mod_fcgid: stderr: PHP Fatal error: Cannot redeclare...

This error indicates that there is something wrong with the folders or files in the /bulletproof-security folder. FTP to your website and delete the bulletproof security plugin folder /plugins/bulletproof-security and reinstall BPS.

I am not familiar with the AccessFileName directive, but you can use AllowOverride on Debian.

https://stackoverflow.com/questions/4111682/why-doesnt-htaccess-have-any-effect

https://httpd.apache.org/docs/current/mod/core.html#accessfilename

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#

AccessFileName .htaccess

example of local vhost setup using AllowOverride in a vhost conf file.
https://forum.ait-pro.com/forums/topic/wordpress-ssl-htaccess-code-rewrite-ssl-rewritecond-server_port/#post-7291

Here is a good Debian specific example:
https://www.ralf-lang.de/2012/11/26/no-bullshit-1-apache-vhost-config-allowoverride-alldoes-not-activate-mod_rewrite/

Basically all you need to do is add this code to the httpd.conf file. Your Directory path needs to be your actual real path.

<Directory /var/www/>
Options Indexes FollowSymLinks Includes ExecCGI
    	AllowOverride All
        Order Allow,Deny
        Allow from all
</Directory>

https://serverfault.com/questions/302488/apache2-debian-squeeze-htaccess-disabled