Some Bulletproof Security Questions & Observations
Questions:
1. What are the typical minimal file permissions for .htaccess and BPS directories/folders for BPS to work without getting write errors? (Writing WP .htaccess files and backup copies for same, i.e. xxx.htaccess, under BPS folders.)
I’m experiencing errors unless I set FILES and FOLDERS to 777. My website belongs to a “user” on the server and the ownership properties of all files and folders (owner & group) for WP are such as “userX userX”. Rarely is setting 777 a good thing (almost always bad), but does BPS overcome that potential risk due to the extensive and in-depth use of .htaccess – of and for .htaccess files?
I may need to do some more experimenting, but when in doubt after trying default 644, I then try 777 and work down from there to where it breaks, finding the minimal setting for things to work. I’m hoping you can save me (and others) the time and hassle of trial and error here… lol
2. Maintenance Mode. While I see the need and usefulness of it FOR CERTAIN CIRCUMSTANCES, I think that if .htaccess can filter on a specific IP address (I have and only use a static IP) to allow all Admin access and functionality without having to go into Maintenance Mode, that would be preferable to having to go into and out of Maint. Mode to add plugins, etc. My Two Cents.
I didn’t see any examples of why and when Maint. Mode should be invoked, just guessing here. Hey! Further reading tells me that Maint. Mode is just a way to suspend/redirect the website (to a particular page) while working on it extensively so visitors don’t get surprised by weird things happening unexpectedly. Handy, but I would think there are other “Maint Mode” plugins that could or would be easy to turn on/off with more pleasant aesthetics built in, else the redirect page would have to be custom built for a pretty and matching theme look, etc.
Actually, a good “Countdown” plugin would be perfect for giving the estimated time when the site will be back online after maintenance is expected to be done.
3. Firewalls. I just read somewhere on your site that BPS (Pro?) now incorporates a Firewall as of version 5.x – How robust is it and how does it compare with OSE Firewall, another plugin that I’ve come across that is fairly recent and gaining lots of traction in the WP community. Can BPS’s firewall be disabled so another (such as OSE Firewall) can be used instead? (Hmm, is it time for a BPS Firewall vs OSE Firewall comparison article, post, or forum topic?)
4. Finally, what I look for in a good plugin is (A) Does it do what I expect? (B) Does it install and set itself up with minimal input from the user? (C) Does it have really good documentation, links to help, an online Forum, etc. so if I get stuck I can look things up. My first impression of BPS is for:
A: Yes, 100% – Once I read up on what BPS is and does. And does not do.
B: Yes, 85% – For me, it did not really turn itself on after activating the plugin. It has to be turned ON after activating, and there were a lot of (okay, just 2, but they were Large with lots of text) Yellow Message areas warning of this and that and I had to figure out what it was talking about and there really wasn’t much in the way of help and explanations. Hence my very first question above about file and folder permissions, and that I didn’t know I had to create certain folders and/or set particular permissions.
C: Yes, 75% – While all the inline help and Readme buttons were good, there is a need for a REALLY Good INSTALL doc or readme on Steps to Take or Checklist after activation: This is what you want to do, How to do it, and If you get this error message or warning, this is what it means and this is how to fix it.
Okay, I’m done. For now. lol
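The permissions question in point 1 comes up often enough that a quick audit is worth having. The script below is an added example, not code from the original post, from the BulletProof Security plugin, or from its author: it lists every world-writable (o+w, e.g. 777/666) file or directory under a WordPress tree and resets only those to the usual 755/644 baseline. The directory names (`wp-content/bps-backup/master-backups`, `root.htaccess`) are constructed for the demo and are assumptions, not the plugin's guaranteed layout. One point the post asks about: .htaccess rules only govern HTTP requests that Apache serves, so they do nothing about a 777 directory being writable by every other local account or process on a shared host; the fix for write errors is ownership (the files belong to the account PHP runs as, or the server runs as that account via suexec/php-fpm), not opening the mode bits.

```shell
#!/bin/sh
# Added example (not part of the original post or the BPS plugin):
# audit a WordPress tree for world-writable files/directories and
# reset only those to the 755/644 baseline. Paths are constructed.

# list_world_writable DIR: every file or directory under DIR whose
# "other" write bit is set (mode ...7 or ...6), one path per line.
list_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | sort
}

# count_world_writable DIR: number of such entries, for quick checks.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# harden_tree DIR: directories 755, files 644, applied only to entries
# that are currently world-writable so deliberate settings elsewhere
# are left alone. Ownership is not touched; the owner must be the
# account the web server writes files as, otherwise BPS still cannot
# save its .htaccess copies and loosening the mode is the wrong fix.
harden_tree() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# make_demo_tree: constructed, throwaway WordPress-like layout with a
# deliberately over-permissive backup folder (hypothetical names).
# Prints the path of the temporary tree.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/bps-backup/master-backups"
    printf '# WP rules\n' > "$d/.htaccess"
    printf '# backup copy\n' > "$d/wp-content/bps-backup/master-backups/root.htaccess"
    chmod 755 "$d" "$d/wp-content"          # explicit, so umask does not matter
    chmod 644 "$d/.htaccess"
    chmod 777 "$d/wp-content/bps-backup" "$d/wp-content/bps-backup/master-backups"
    chmod 666 "$d/wp-content/bps-backup/master-backups/root.htaccess"
    printf '%s\n' "$d"
}

# demo: audit, harden, audit again on the constructed tree.
demo() {
    root=$(make_demo_tree)
    echo "World-writable before hardening:"
    list_world_writable "$root"
    harden_tree "$root"
    echo "World-writable after hardening: $(count_world_writable "$root")"
    rm -rf "$root"
}

# Run with:  sh wp_perm_audit.sh --demo   (or call the functions on a real tree)
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On a live site, run `list_world_writable /path/to/wordpress` first and read the output before calling `harden_tree`; if something still fails to write after the reset, compare `ls -ld` on that directory with the user shown by `ps -o user= -C php-fpm` (or the Apache process) rather than reaching for 777 again.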