[Plugin: BulletProof Security] 500 error on subdomain where I installed WordPress

By the way, I just noticed that the title of the webpage is different to the error it details on the text. The title of the page that shows the error is “403 forbidden”.

I don’t know if this is relevant

Did you click the AutoMagic buttons first before activating BulletProof Modes on your sub folder/sub domain sites?

If you are unable to log into your site then use FTP or your web host control panel file manager and delete the .htaccess file in the website root folder of the site you cannot log into. Then log into your site, click the AutoMagic buttons and activate all BulletProof Modes.

Hi,
Yes I think so, but don’t remember. I certainly did everything to have the safest settings.

Ok I’ll try what you say. Thanks for your reply!

I followed your instructions.

1) deleted htaccess (renamed it actually, was too chicken to delete it, just in case. I called it .htaccess_old_bulletproof)

(note: I have a simple image on the subdirectory that’s all there is, for testing purposes)

2) I pressed both automagic buttons and refreshed the subdirectory website to check. All ok. Image showing.

3) I activated Website Root Folder .htaccess Security Mode, and refreshed the subdirectory website. THIS BROKE THE WEBSITE showing the message I detailed on my first post.

4) I deactivated this Website Root Folder .htaccess Security Mode, and reverted it to default.

5) I carefully activated one by one of the following modes, refreshing in between each. No activation of these modes broke the website.

My conclusion is that the problem is on the “Website Root Folder .htaccess Security Mode”. Only when this was activated the website broke.

What should I do to resolve this? ??

THANK YOU!

When you say you have subdomain sites are they true subdomain sites?
Example: mysubdomain.example.com
or are you talking about subfolder wordpress installations?
Example: example.com/wordpress-subfolder-site

Go to the WordPress Settings Panel, click on General Settings and post your…
WordPress Address (URL)
Site Address (URL)

Also go to the System Info page and post these things below.
DNS Name Server:
Server Type:
Operating System:
Server API:
Multisite:

I actually think that Wordfence is an awesome security program that works better specifically with Bluehost. And it’s Free https://www.wordfence.com

@bh_wp_guru – Yep Wordfence is good security plugin. Just curious have they fixed the ongoing memory/resource problems that have been going on for months with that plugin? The last time i checked the Wordfence plugin with the P3 profiler plugin, wordfence was consuming up to 45% of a websites resources/memory and causing website slowness and other problems. I have not checked the latest version so maybe they finally got that figured out. Thanks.

I just installed and tested Wordfence 3.1.6 with the P3 Profiler plugin and the same memory/resource problem is still occurring. The website performance is severely impacted by Wordfence. I think there are some really excellent things about Wordfence, but website performance is not something you can sacrifice for security sake because that is self defeating. A website security plugin (or all/any other plugins) should not interfere with website performance whatsoever.

Wordfence is activated with no scanning just the plugin being activated severely increases the avg load time.

WordPress Plugin Profile Report
===========================================
Report date: August 22, 2012
Theme name: Twenty Eleven
Pages browsed: 11
Avg. load time: 3.9352 sec
Number of plugins: 8
Plugin impact: 80.53% of load time
Avg. plugin time: 3.1688 sec
Avg. core time: 0.6268 sec
Avg. theme time: 0.1298 sec
Avg. mem usage: 20.73 MB
Avg. ticks: 2,472
Avg. db queries : 37.00
Margin of error : 0.0097 sec

Plugin list:
===========================================
P3 (Plugin Performance Profiler) – 0.0397 sec – 1.25%
Akismet – 0.0545 sec – 1.72%
BulletProof Security Pro – 0.2520 sec – 7.95%
Page Links To – 0.0251 sec – 0.79%
Plugin Central – 0.0315 sec – 0.99%
Theme My Login – 0.7408 sec – 23.38%
W3 Total Cache – 0.7993 sec – 25.22%
Wordfence Security – 1.2258 sec – 38.68%

When you deactivate Wordfence you see that the average load time goes back to a normal and decent page load speed.

WordPress Plugin Profile Report
===========================================
Report date: August 22, 2012
Theme name: Twenty Eleven
Pages browsed: 11
Avg. load time: 0.9313 sec
Number of plugins: 7
Plugin impact: 67.44% of load time
Avg. plugin time: 0.6281 sec
Avg. core time: 0.2515 sec
Avg. theme time: 0.0396 sec
Avg. mem usage: 18.45 MB
Avg. ticks: 2,023
Avg. db queries : 37.36
Margin of error : 0.0121 sec

Plugin list:
===========================================
P3 (Plugin Performance Profiler) – 0.0343 sec – 5.46%
Akismet – 0.0169 sec – 2.69%
BulletProof Security Pro – 0.0873 sec – 13.89%
Page Links To – 0.0179 sec – 2.85%
Plugin Central – 0.0451 sec – 7.17%
Theme My Login – 0.3385 sec – 53.89%
W3 Total Cache – 0.0882 sec – 14.04%

Hi
What I meant with “subdomain” is a WordPress installation within a WordPress installation that contains the other domains. They look like independent domains to the outside world, like https://www.example.com, but behind the scenes it is contained in the main wordpress install.

I was told by Bluehost that it is the BPS in the main WordPress install that is creating the problem, that’s why I am here ??

BulletProof puts a lot in your .htaccess file and that will apply to all subfolders. So when you have a WordPress in a subfolder, its trying to apply all of those settings also. You would either need to install Bulletproof onto that subfolder wordpress also, so it gets its own copy of .htaccess for its subfolder, or you will have to create your own custom .htaccess for that subfolder that will cancel out or undo everything done in the main folder’s .htaccess

I think that’s what you are asking about, let me know if I am answering something different then you asked.

Ohhhh…that’s very interesting. So are you saying that a local BPS in the sub-installation would override the power of the BPS sitting above it at the root level? Very interesting. I am surprised.

I’ll try that then, and see if it works
Thank you

BH_WP_Guru is correct. .htaccess files work in a hierarchical way. If a parent folder has an .htaccess file and a child folder does NOT have an .htaccess file then the security rules and rewrite rules in the parent folder will be applied to the child folder. If the child folder has its own .htaccess file then it will follow the security rules and rewrite rules of its own .htaccess file instead of the parent .htaccess file.

@skeitel – No, a subfolder/child folder .htaccess file cannot be applied to a parent folder. the rules are applied from parent to child.

Each site should have BPS installed and each site should have its own .htaccess files that were created using AutoMagic and then activating all BulletProof Modes.

I still do not know exactly what type of WordPress installations you have, but i think they are sub folder installations and not true subdomain wordpress installations.
Are you saying that you have WordPress websites set up like this.

WebsiteA – / installed in the root website folder
WebsiteB – /WebsiteB installed in a sub folder called WebsiteB
WebsiteC – /WebsiteC installed in a sub folder called WebsiteC

A subdomain site URL would look like this – mysubdomain.example.com

did you setup DNS in your web host control panel to have your other sites point to your main domain or have you done any other DNS settings anywhere else?

What I have is what you describe as Website C. I don’t have mysubdomain.example.com

Regarding DNS, I have not re-directed anyting manually. I just use the auto-installation script from Bluehost so I don’t know exactly how this works, sorry.

I’ll try to install BPS in the subfolder website and see how that goes then.

Thanks again

Is the problem still occurring or is the problem resolved?

@aitpro Just so you know, .htaccess works in a waterfall approach (what I have always heard it called). Like you said all information in the parent will take affect in the child if there is no .htaccess. That being said, if there is a .htaccess in the child directory, it needs to contain some information so that it doesn’t still use the parent directories settings. For example if you don’t want the redirects in the parent directory being used on the child, you would need to create the .htaccess in the child and simply add RewriteEngine On. That way the child directory would look there for redirects and see that there aren’t any.

I hope I made sense ??