BulletProof Security is a security plugin for WordPress. You can download it for free from the WordPress repository, or install it from the plugin installation tab within your website’s wp-admin.
For this review I tested BulletProof Security version 0.49.7 on WordPress version 3.7.1 in debug mode, with PHP display_errors on. The .zip file for version 0.49.7 is 574 KB, and the plugin takes up 2.23 MB of disk space when installed in my test environment.
Installing BulletProof Security
Unlike many other WordPress security plugins, BulletProof Security acts primarily as a rule-based firewall for your system. Due to the futility of blocking by IP address in the era of the distributed botnet, a rule-based firewall is increasingly becoming the standard “best practice” for securing your WordPress installation.
Plugin reputation
BulletProof Security comes highly recommended by the WordPress community. The plugin has been downloaded 943,565 times (rapidly approaching a million) and enjoys a 4.8 out of 5 star ranking.
I always check the 1 star reviews, to look for potential known bugs. In this case, they’re not very helpful. One commenter stated briefly, “Website stopped working” but did not explain what type of crash was suffered. With nearly a million downloads and only one comment along these lines, I’d say this result is not typical. The only other one-star comment is a year old, and pertains to an issue that was fixed the same day. In the thread started by that particular comment, one user recommended using BulletProof Security in conjunction with Wordfence. That may be great advice, but this review is only meant to discuss one plugin at a time. So let’s go!
First Impressions
I activate the BulletProof Security plugin, and here’s what happens.
What you will see

Upon activation, BulletProof Security tests for the presence of certain .htaccess files or rules within existing .htaccess files, and if those files or rules are not present, it presents a “nag” alert at the top of every screen within the wp-admin. The nag has a quick link to get your new installation configured properly. BulletProof Security does require your permission to make certain system changes, because some of the things that it does could potentially have unintended consequences for your system.
What I saw on my local test environment

Oh, bad news. The first thing I see when installing the plugin is a Notice-level PHP error. Looking at the call stack in the error message, this error is caused by the function bpsGetDomainRoot() within the plugin’s functions.php file. Visiting another page within my wp-admin does not make the error go away. Deactivating my cache plugin does not make the error go away.
Looking at the source code, this error is caused by the fact that I’m running the plugin in a development environment. The relevant function is meant to remove the “www” from the SERVER_NAME constant. It works fine with either ‘www.example.com’ or simply ‘example.com’ (without the w’s) but it throws a wobbly when the server’s name is “localhost” because “localhost” does not have a top level domain (such as .com, .net, .org, .me, etc.).
Well, you won’t be running this plugin on your local testing server, you’ll be running it on a real website, so this error will not affect you. Moving right along!
Configuring BulletProof Security
BulletProof Security must be configured before it begins to protect your website from attacks. These steps cannot be automated, because they have the potential to overwrite some existing data, if you have a lot of rules in your .htaccess files already.
So first I click the link within the “nag” at the top of the page within my wp-admin. This link takes me to the Security Status page.

I’m getting more errors here. PHP is complaining about an undefined constant named UPLOADBLOGSDIR. This error does not appear to be related to my local testing environment. In fact, looking at the source code I see that the use of this constant is intended to provide WordPress MultiSite compatibility for the plugin. However, I’m not running a MultiSite installation, so the use of the constant throws a Notice-level PHP error. I’d recommend that the plugin developer add an additional check to prevent the recurrence of this error.
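Both PHP notices described so far (the “localhost” failure in bpsGetDomainRoot() and the undefined UPLOADBLOGSDIR constant) come from unguarded assumptions. The following is an added illustration of how such code can be hardened; it is not BulletProof Security’s own code, and the two function names are hypothetical. ABSPATH, UPLOADBLOGSDIR and wp_upload_dir() are WordPress core.

```php
<?php
// Added example, not the plugin's code. Shows defensive versions of the
// two spots that produced Notice-level errors in the review above.

/**
 * Strip a leading "www." from a host name without assuming it has a TLD.
 * "localhost" (or any single-label host) and bare IP addresses are returned
 * unchanged, so no array offset is read that does not exist.
 */
function example_domain_root($host)
{
    $host   = strtolower(trim((string) $host));
    $labels = explode('.', $host);

    // A single label means there is no TLD and nothing to strip; an IP
    // address has labels but no "www." either. Return early in both cases.
    if (count($labels) < 2 || filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }

    if ($labels[0] === 'www') {
        array_shift($labels);
    }
    return implode('.', $labels);
}

/**
 * Resolve the uploads directory on both single-site and multisite installs.
 * UPLOADBLOGSDIR is only defined by multisite setups that use the legacy
 * blogs.dir layout, so guard it with defined() instead of using it blindly.
 */
function example_uploads_dir()
{
    if (defined('UPLOADBLOGSDIR')) {
        return rtrim(ABSPATH, '/') . '/' . UPLOADBLOGSDIR;
    }
    // wp_upload_dir() is core WordPress and works on both install types.
    $upload = wp_upload_dir();
    return $upload['basedir'];
}
```

With these guards in place, running the plugin under a hostname of “localhost” or on a single-site install no longer emits a Notice even with display_errors on.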
Again, I’m running in debug mode with display_errors turned on. Most users should not see this error unless they take the time to examine their server’s error logs. Instead, most users will see something like this:

Indicating that BulletProof Security is installed, but not yet configured.
I have added a few 301 Redirects to my .htaccess file just to confirm that they are deleted when I activate the options within BulletProof Security.

Now for the test.
Configuration Steps
There is no one-click installer for BulletProof Security.
From the “security status” tab I click over to the “Security Modes” tab. From there I click the button labeled “Create secure.htaccess File.” An alert reminds me that creating the file is not the same as enabling it. I click OK. I get a Success message.

Next I select the radio input named “BulletProof Mode” and click “Activate.”

Another alert asks me if I have backed up the data in my existing .htaccess file, and whether I created secure.htaccess in the previous step. I click OK again.
I get an almost-success message with a red “important” reminder that I should also enable an .htaccess file for my wp-admin folder. So I scroll down and click the “BulletProof Mode” radio button for the wp-admin folder, and again click Activate. I get another success message.
Now I revisit the Security Status tab.

This time most of the status messages are green. The notable exception is related to creating backups of my BulletProof Security .htaccess files.
That’s a low priority, so first let’s see what effects this plugin has had on the system so far.

Well first I’d like to note, there’s still a nag message at the top of my screen. It invites me to visit the plugin author’s website for “Bonus custom code: brute force login protection.” This is an IP-based .htaccess snippet that, when properly configured, will ban any user other than the website owner from accessing the login page. The code is hardly unique to this plugin, and as I’ve discussed elsewhere, it’s only useful if you have a small number of people who ever need to access the website’s admin area, and they only ever do so from the same location. However, it is in fact one of the strongest (arguably “bulletproof”) methods of repelling brute force attacks without resorting to complex solutions like two-factor authentication (also known as cell-phone sign-in). So I highly recommend implementing this code on most small business websites if possible. For now, I’m going to dismiss the little nag message at the top of my screen.

Oh you’re kidding me. I dismiss the nag, and it shows me a different nag! This one says, “Bonus custom code: Speed boost cache code.” It’s got another link back to the plugin author’s website. Look, I appreciate all the work the developer has put into making this plugin excellent, but when I dismiss a nag, I want it gone, I don’t want it replaced with another nag. Grumbling, I dismiss this one also.

AND I GET A THIRD NAG! This one says, “Bonus custom code: Author enumeration BOT probe code.” With yet another link back to the developer’s website. Come on, guy. Too many nags. I don’t care anymore. Fortunately, when I dismiss this one, it actually goes away this time.
Behind the scenes
Let’s see what changes this plugin has made to the test environment.
File system changes
This plugin’s primary feature is related to the creation of .htaccess files.
As expected, activating the plugin’s “BulletProof Mode” overwrote my existing .htaccess file. My HTTP status 301 Redirect directives were completely erased. If I had not kept a backup, they’d have been gone completely.

But that’s ok, because I planned for this, and my existing file was just a placeholder anyway.
The rules put in place by BulletProof Security are excellent. They include some of the best practices recommended by early versions of the HTML5 Boilerplate, and some of the rules included in Jeff Starr’s essential 5G Firewall, and mix them up with a number of additional rules to forbid directory traversal, SQL injection attacks, remote file inclusion, cross-site scripting, a lot of general snooping, and arbitrary code execution vulnerabilities. (If you don’t know what any of that means, let’s just say briefly: they’re really nasty. If you want more information about why people hack websites, you can start with this blog post.)

Interestingly, if you set up BulletProof Security on a new website before you set up your permalink settings, all the BulletProof .htaccess rules will be wiped by WordPress and replaced with the usual WordPress rewrite, when you set up permalinks. So it’s important to remember to make any permalink changes before you install and configure the BPS plugin.
In addition to changing the root .htaccess file, the plugin also creates new .htaccess files within the /wp-admin/ folder, and within the plugin’s own folder. Furthermore, the plugin creates a new folder for itself within /wp-content/, outside of the plugins folder, which is somewhat unusual behavior. The new folder is named “bps-backup” and is presumably there so you can restore all the plugin data if the plugin itself is accidentally deleted from your system.
Database changes
The BulletProof Security plugin creates two new tables in the database.

The table named “wp_bpspro_login_security” tracks failed login attempts. This is for use with the Login Security feature. I hadn’t got to that menu item yet, but it appears to be enabled by default.
The table named “wp_bpspro_seclog_ignore” saves the User-Agent string of bots whose activities you might not want to log, because they generate such an overwhelming number of error messages.
Surprisingly, BulletProof Security seems to store very little information in the “wp_options” table. The only option I can find stored there is named “bulletproof_security_options_email.” This single record does contain a rather long array of e-mail options. It keeps track of the preferences from several of the menu options pages; including what level of security threat warrants an email notification; who those notifications should be sent to; whether the messages should be cc’ed to anyone (and so on); and the maximum size of the security log (which is stored separately as a text file).
The Result
So much for system changes. Let’s examine the plugin’s more visible effects.
Public-facing code changes
BulletProof Security does not make obvious changes to the source code or output of your WordPress website’s pages. Unless you are an attacker, you’re unlikely to be able to detect that a site is running the plugin. And in my opinion, this is how all security plugins should be: invisible to legitimate users.
On the back end: menu items
So let’s look more closely at the plugin itself, within the wp-admin area.
.htaccess Core
This is where most of the plugin’s settings are found. We went through most of this above, when we activated and configured the plugin.

This screen also has a number of additional links. You can enable maintenance mode, access the FAQ or the forum on the plugin author’s website, and view the changelog. The tab, “BPS Pro Features” tells you how the plugin is improved if you purchase the paid upgrade. The “Website scanner” tab is a link to a third-party service, presumably paid. The “Website SEO” tab is also a link to a third-party website, almost certainly a service that would cost money.
Login security
Login security is an essential component of any WordPress security plugin, because by default WordPress is just begging to be brute-forced. The core system would allow the same attacker to attempt twenty thousand different passwords within two minutes if the server could respond that fast. This is a vulnerability that I hope the WordPress core development team will rectify eventually. However, as I keep saying, the era of the distributed botnet has rendered IP-based lockouts practically useless. Still, there’s no reason we should make it easy for attackers, by allowing them to pound away from the same computer twenty thousand times.

Unfortunately, the default setting for Error Messages is “Standard WP Login Errors,” which are overly verbose and can give an attacker information that they do not deserve, like whether or not they’re attempting to brute force an account that actually exists. I’d be happier if the plugin’s default setting was to obfuscate login error messages.
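As an added example of the more restrictive default recommended above (this is not code from BulletProof Security), the snippet below uses WordPress core hooks to return one neutral message for every authentication failure, so the response no longer tells an attacker whether the username exists, and logs each failure for the server’s error log. The function names are hypothetical; login_errors, authenticate and wp_login_failed are core WordPress hooks.

```php
<?php
// Added example, not part of the plugin. Drop into a small mu-plugin.

// 1. Replace whatever text core would display with a single neutral line.
add_filter('login_errors', 'example_generic_login_error');
function example_generic_login_error($message)
{
    // Core's messages differ for "unknown user" and "wrong password";
    // a uniform sentence removes that distinction from the login page.
    return 'Invalid login. Please try again.';
}

// 2. Also neutralise the error *code*, which other code paths (XML-RPC,
//    the login form's own handling) can expose even when the text is filtered.
add_filter('authenticate', 'example_neutralise_auth_error', 99, 3);
function example_neutralise_auth_error($user, $username, $password)
{
    if (is_wp_error($user)) {
        $code = $user->get_error_code();
        // These two codes are the ones that reveal account existence.
        if (in_array($code, array('invalid_username', 'incorrect_password'), true)) {
            $user = new WP_Error('invalid_credentials', 'Invalid login. Please try again.');
        }
    }
    return $user;
}

// 3. Keep the detail for the administrator: record failures server-side,
//    where they can feed fail2ban-style tooling or a security log.
add_action('wp_login_failed', 'example_log_failed_login');
function example_log_failed_login($username)
{
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // sanitize_user() strips anything unsafe before the value hits the log.
    error_log(sprintf('[login-failed] user=%s ip=%s', sanitize_user($username, true), $ip));
}
```

Note that REMOTE_ADDR is the address of the last hop, so behind a reverse proxy or CDN it will need to be read from the proxy’s forwarded header instead.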
Security log
This tab keeps track of bad bots whose attempts were denied by the plugin. BulletProof Security serves its own custom files when a visitor encounters a 400 Bad Request, 403 Forbidden, or 404 Not Found error. Those events are then logged in a plaintext file. You can view the events from this screen. If one particular bot generates lots and lots of error messages, you can choose to ignore it and not log the events (the bot will continue to be blocked).

This screen also has the option to send email alerts when a user is locked out for too many login failures.
System info
This tab reveals information about your server. I’m not going to post a screenshot… Most of this is not something you can do anything about if you’re on shared hosting. There are a few pieces of information that could help you to make your website security better. For example, under “PHP Server /PHP.ini Info” BulletProof Security states whether or not your system allows such potential security vulnerabilities as “Allow URL fopen” and “Register Globals.” If you find that those are turned on for your site, you should consider editing php.ini if you’re on a VPS, or else posting your own custom php.ini file within your web root directory. So that’s the purpose of this screen: to reveal information about your system that could be useful to an attacker. It also shows a lot of other system information.
Uninstalling
Upon deactivation, the plugin does not delete any information.
Upon plugin deletion, BulletProof Security does not remove the entries it had added to your .htaccess file. So if you’re uninstalling the plugin because you want attackers to be able to do unsafe things to your website, you would have to delete the BulletProof rules from your .htaccess file by hand.
Upon plugin deletion, the “bps-backup” folder remains within the wp-content folder. This does allow the plugin to be easily reinstalled; but it does sort of violate the whole concept of deleting and uninstalling a plugin.
Oh, it gets worse. Upon plugin deletion, the BulletProof Security tables are NOT deleted from the database. Tsk, tsk. I feel that plugins should always clean up after themselves. Unlike the last plugin I reviewed, I do not see even a deep-buried option that would allow me to tell the plugin to delete its data upon deactivation.
Assessment
I like BulletProof Security, I really do. I think this type of rule-based firewall is essential for WordPress security. As you can see from this review, I do have a number of gripes about this plugin.
- Setup requires too many steps. This is not user-friendly.
- The plugin fails to clean up after itself by deleting its database tables and backup folder from the system when it is uninstalled by the user.
- There are way too many nags.
- Also there are several coding errors that show up on my system. One of those coding errors is specific to an installation running as localhost; the others probably only show up in debug mode. Even so, I’d recommend to the developer that they might be worth fixing when he has time.
- And finally, I personally think a more restrictive login error message setting should be enabled by default.
Other than that, though, BulletProof Security provides essential back-end security to your WordPress website. If you’re not big on editing your .htaccess files by hand, then you should probably install this plugin or one like it. Alternatively if you’re a professional web designer, and you frequently set up lots of WordPress websites, and you want to be able to get them set up quickly with restrictive .htaccess settings and minimal fuss, then this plugin may be the one (or one of the ones) for you.
How does BulletProof Security compare to other security plugins? I can’t wait to find out. I’ve got to review a couple others first, and then in the end I’ll see how they all stack up. Wait and see!