What is Changed By Better WP Security

WordPress LogoA lot of questions I get about Better WP Security (BWPS) involve figuring out what is actually changed byt the plugin. Due to the complexity of the plugin there are a number of changes made to your WordPress install itself (all of which are documented somewhere within WordPress.org). Here is a list of all the changes made (minus it’s own options) as of version 2.4.

File System Changes

  • .htaccess
    BWPS makes numerous changes to .htaccess all of which are between the # BEGIN Better WP Security line and the # END Better WP Security. These changes are removed when the plugin is deactivated and may be manually deleted at any time without any adverse affects to your site. If you have been using the “Hide Backend” feature however deleting this code will result in your login, register, and admin URLs reverting to the original as defined by WordPress.
  • wp-config.php
    As with the .htaccess file,BWPS also changes a lot of code in the wp-config.php file. Unlike .htaccess however many changes to w-config.php cannot be manually removed without breaking your website.

    • The Content Directory option adds the lines define(‘WP_CONTENT_DIR’, ‘[new path to content directory]’); and define(‘WP_CONTENT_URL’, ‘[new content directory url]’);. Deleting these lines will break WordPress if you don’t manually rename the wp-content folder back to wp-content. In addition, if you have links to media or other files pointing to the changed wp-content directory throughout your site these links will also break until they are manually updated.
    • The Database Prefix option changes the $table_prefix  = ‘xxx'; line whereas xxx is the prefix used in your database. Manually changing this line will break your website.
    • The Turn off file editor in WordPress Back-end option under System Tweaks adds the line define(‘DISALLOW_FILE_EDIT’, true); to the file. This line can be safely deleted manually without breaking your website.
    • The Enforce SSL option in System Tweaks adds the lines define(‘FORCE_SSL_ADMIN’, true); and define(‘FORCE_SSL_LOGIN’, true); to the file. These lines can be safely removed without breaking your website.
  • wp-content folder
    • The Content Directory option physically renames the wp-content folder. This cannot be changed manually without changing the associated entry in the wp-config.php file. In addition, as with the option in the wp-config.php file, changing this will result in links to media and other files throughout the site breaking.

Database Changes

  • The Intrusion Detection and Limit Logins options will create three BWPS tables in the database. These tables can be deleted if these options are not active and can be emptied at any time without breaking your site. Note that d404 table contains information on files missing in your site that might help you improve your SEO. Also, if you are locked out of your site after activating intrusion detection you can see what files are causing the errors. For more information see my post on the issue.
  • The Database Prefix option will rename every table in the database utilizing the chosen database prefix. In addition, it will update the user_roles option in the options table to utilize the new database prefix. Changing any one of these without the others as well as the entry in your wp-config.php file will break your website.
In the end only a very unique problem should ever cause a user to have to manually change any of the above settings manually. When it does happen it is almost always caused by a lack of memory on the server resulting in only partial changes made to the above options (i.e. changing a file entry but not the associated database entry). There has however been one report in which the wp-config.php file was completely wiped out, most like due to a memory issue. For this reason I can’t stress enough that before your make any changes, whether in the options or manually, please backup your site!
About Chris Wiegman

Chris is a developer for iThemes where he works on the iThemes Security and iThemes Security Pro WordPress plugins. In past roles he has served as a teacher, blogger, manager and even an airline captain. He resides in Austin, TX with his wife Joy and their four-legged children.

Find Chris on Facebook, , LinkedIn, and Twitter.

Comments

  1. Quick question, searched google and everything cant find an answer, tried the hide backend options, now i get a 500 error, what files or where do i put the secret key in??? Thanks for the help.

  2. OK, now we are getting somewhere. I just installed a fresh wp multisite (three.three.one) with Better WordPress Security as the first plugin. I completely secured my site from top to bottom, thank you.

    But, I can not login for some reason. I am going to try and remove the code from the .htaccess and see if I can login then. Otherwise, I may have memory problems.

    I will get back to you.

  3. Hi Chris
    I’ve a serious problem with “Hide Backend” on 2 sites with WordPress core files tucked nicely in a subdirectory. Basically, I cannot log in because the mod_rewrite refuses to recognise that WordPress runs in the root but lives in the subdirectory…

    I’ve tried creating a forum account to post this with a support request but the verification email has not arrived after a couple of hours…

    Thanks
    Ben

  4. Hi Chris,

    After updating to latest version I notice the option on hardening htaccess is gone. The modified htaccess code from the previous version remains after the update and I am wondering if the htaccess “hardening” is no longer part of the plugin?

    Thanks

    Gerry

  5. Not sure which setting adds the following line but the line interferes with the display of images on mobile sites:

    RewriteRule ^wp-includes/[^/]+.php$ – [F,L]

    If you need a mobile theme to test it with I will happily provide one.

  6. Better WP Security has noticed a change to some files in your WordPress installation. Please review the logs to make sure your system has not been compromised.

    I have 3072 including:

    wp-settings.php 2012-03-27 13:42:44 7dc2f9ee172156d2bcf748a97bc69c7d
    wp-includes/canonical.php 2012-03-27 13:42:44 0cf338ce93c60b16a0590ad654ff2447
    wp-includes/class-phpass.php 2012-03-27 13:42:44 42a2353f8fb1b4f78d3a326459dd1eec
    wp-includes/author-template.php 2012-03-27 13:42:44 684e42660fd6bf25d80d0e09108cad50

    Are these anything to worry about? Or are these updates from wordpress or the theme?

    thanks

  7. @hello

    Did you re-install the WordPress core files by clicking the “Update/Reinstall” button in the WordPress Updates settings around the 27th March? If not, go to sitecheck.sucuri.net/scanner/ and scan your site.

  8. @ Lee – I thought it may be, I can’t remember to tell you the truth but very probable – thankyou :)

  9. Remember, it will pick up any change in the files resulting from updates, upgrades, reinstalls, etc. If you know you did one of these you’re fine. It’s when you know you didn’t do anything that you have to worry.

  10. When thjis great plugin is installed on several sites, how do I know which site orginated the “change notice” alert. I received one yesterday and I couldn’t tell which site was alerting me. I must have missed something along the way :-)

  11. @Chris

    Awesome!! I am going to roll out on several sites and this will be critical to be able to quickly check on the problem site. On an unrelated question…if you wanted 80% of the pulgin’s benefit what options would you select?

  12. Hi Gerry,

    The domain should now work in the development version (http://downloads.wordpress.org/plugin/better-wp-security.zip). It will display the domain name first in all email notifications…..

    …As to your question, this depends largely on the content of the site.I don’t really want to give an “80%” rule as the best practice is to turn on all the features that work for your site (depending on your configuration some features may not work for you). Turning on anything is better than nothing at all and using everything you safely can will be the best security you can get.

  13. Thanks Chris,

    I have been trying to figure out which settings give me the most “bang for the buck” so I don’t end up creating problems for myself down the road, with other pulgins, or problems accessing my account etc. Invariabily I forget a few months after I install a plugin what I did, and then have to go back and reconstruct what I have done. I understand your answer.!! Thanks for the great plugin.

  14. Thanks Gerry!

    I wish I could get more specific but given the nature of the reason for this plugin it just really isn’t designed to work that way.

    Cheers,
    Chris

  15. I was getting hacked regularly until I installed your plugin. But now my wordpress admin login page is not accessible. If I rename the htaccess file using file manager I can access the Dashboard but my site is not visible until I put it back. Any ideas on what is wrong with my htaccess file?

  16. All was well till I enabled file change detection and as per the warning it created a memory problem, I got things going by deleting the plugin via cpanel, but when i tried to reinstall it the site went down again, I assume this enable detection is now set in the database, if so please advise on where to find it, or any other suggestions please

  17. Hi Chris,
    Ive just posted a ‘help message’ on the wordpress.org blog and am contacting you here as well as I’m a bit desperate. I have just downloaded your plugin and pages/plugins/settings have all disappeared from the dashboard. I’m definately in over my head here!
    Im a learner so if you could please let me know how to reinstate my dashboard, reverse any changes that the plugin has made and uninstall it I would be very grateful.
    Thank you!!!

  18. Hi Chris,

    Unless you have a plugin or something you need to specifically code to use it don’t worry about it. The only reason I make it available is to handle various plugins and themes that need it. If you do need it, you can get it from your .htaccess.

  19. Hi Gerry,

    It’s now under “server tweaks” in the “system tweaks” page. The term .htaccess was too confusing for most folks so I moved it to hopefully make it easier.

  20. Ben, there is a database option in your options table called “bwps_filecheck.” Deleting the option will disable file checking and allow you back into your site where you can reset all options.

    Chris

Comments are closed.