Bulletproof Security Plugin Causes Shopp to Break

This article is out-of-date and should be ignored. Please see the comments by Ed, author of the Bulletproof Security Plugin, for clarifications on how Bulletproof Security Plugin does work with Shopp.


Installation of the Bulletproof Security plugin causes Shopp to stop functioning properly. The breakage can be scripts not running properly, pages not viewable, or settings not to be saved. One of the first things you may notice is not bing able to activate your key in Shopp.


Installing Bulletproof Security plugin, add’s .htaccess files to every folder inside your WordPress install, including other plugin folders and their sub-folders. The .htaccess restricts access to the folder’s contents, making some plugins, including Shopp not function correctly.

Note: Even if you deactivate Bulletproof Security plugin – the .htaccess files it adds will remain.


You will need to go through your /wp-content/,/plugins/, and /shopp/ plugin director and remove the .htaccess files. Alternatively, if you know how to manipulate .htaccess, you can change/remove there restrictions set in place inside the .htaccess files.

See Also

Bulletproof Security Plugin Causes Shopp to Break
  • 0.00 / 5 5
  1. Two thoughts on this.

    The first (admittedly this won’t be applicable to many shared hosting users) is that Apache can be instructed to stop parsing .htaccess files.

    The relevant rewrite rules could then be moved to the vhosts or another appropriate config file – end result is that the .htaccess files generated by Bulletproof Security will simply be ignored.

    The second is that the process of removing the .htaccess files can be automated – this code could be a starting point:

     * This script needs to be placed in the WordPress root directory,
     * that is to say on the same level as the wp-admin, wp-content
     * and wp-includes directories.
     * @var string
    $wp_root = dirname(FILE);
     * If WordPress is installed in a subdirectory then change this
     * value to true. This means any .htaccess files within the 
     * root directory will also be destroyed.
     * @var boolean
    $in_subdir = false;
     * We'll let PHP handle the heavy lifting for this one.
    $dir = new RecursiveDirectoryIterator($wp_root, FilesystemIterator::SKIP_DOTS);
    $iterator = new RecursiveIteratorIterator($dir);
     * Iterate across the WordPress directory structure and remove
     * .htaccess files as and when they are found.
    while ($iterator->valid()) 
        // Look at the current filesys object
        $entity = $iterator->key();
    // Hunt down any .htaccess files
    if (basename($entity) == '.htaccess')
        // Respect the $in_subdir setting
        if ($in_subdir or (dirname($entity) != $wp_root)) 
            // Try to remove it
            if (unlink($entity)) echo "Successfully deleted $entity \n";
            else echo "Unable to delete $entity \n";
    // Proceed

    Might need to be tweaked according to particular set-ups … the code formatting is off right now, I’ll see if someone can tidy it up.

    February 24th   #

  2. If you use BulletProof Security, it could prevent Shopp from working correctly.

    Here are some general security practices:

    • Maintain security updates for your computer and any other systems that can access your WordPress admin (WP-admin)
    • Use a modern web browser (NOT Internet Explorer 6) — see http://browsehappy.com
    • Ensure that you are running a current version of WordPress
    • Ensure you are using appropriate permissions — usually 755 for folders & 644 for files
    • Ensure that your theme is up-to-date
    • Ensure that your plugins are up-to-date
    • Remove the ‘admin’ account and replace with another one. Set a strong password and change them every few months.
    • Use salts in your wp-config.php file
    June 7th   #

  3. Hello,

    This is Ed from AITpro the author of the BPS and BPS Pro plugins. There is some incorrect info here about BPS and BPS Pro.

    BPS and BPS Pro only add 2 .htaccess files – 1 in the website root folder and 1 in the wp-admin folder. .htaccess files are not added anywhere else.

    The 2 .htaccess files are intentionally not removed on uninstallation of BPS and BPS Pro to prevent common user mistakes that end up leaving a website completely unprotected. Years ago we did have the .htaccess files removed on uninstallation – the result was that many websites were hacked due to user mistakes since they no longer had any website security protection. Also we are off the hook if someone consciously and deliberately removes their website security protection. 😉

    There is simple bypass/skip rule here for the Shopp plugin here that allows BPS and Shopp to play nice with each other – http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Shopp

    @Barry – .htaccess files are processed first before any php coding. That is what makes .htaccess website security so much more effective than any other type of website security. So the php code example you posted would be processed after the .htaccess coding.

    @Lorenzo – general WordPress hardening practices are great to use, but BPS and BPS Pro are website security plugins that block malicious hacking scripts and just using the WordPress general hardening practices does not protect a website from hackers and hacker scripts.

    Best Regards,

    August 16th   #

  4. Oh also if you can simply include a RewriteEngine Off .htaccess file with your plugin and BPS and BPS Pro will not apply any security filters to the Shopp plugin.

    You would used Notepad (not Word or WordPad) and add one line of .htaccess code in that .htaccess file and then include it in the base/root folder of the Shopp plugin. Thanks.

    RewriteEngine Off

    Best Regards,

    August 16th   #

  5. Or you could of course create your own .htaccess security file with your own security rules for your Shopp plugin – this is the route i would take if it were me. 😉 .htaccess files are hierarchical so if an .htaccess file exists in your plugin folder then your plugin would follow the security rules in that .htaccess files and not the BPS or BPS Pro security rules in the .htaccess file in the website root folder. Thanks.

    Best Regards,

    August 16th   #

  6. I’m using BPS Pro on several websites plus a shop website without any problem at all.

    October 29th   #

  7. Hi Reza,

    Yep BPS and BPS Pro do not block most ecommerce or shopping cart plugins. BPS and BPS Pro are designed to block malicious scripts used in hacker Recon or hacking attempts and sometimes plugins or themes accidentally use unsafe code, unsafe characters, unsafe query strings or unsafe coding practices in general based on Website Security Industry Standards. BPS and BPS Pro will block these unsafe things because that is what BPS is designed to do.

    I provide skip/bypass rules for those particular plugins or themes that BPS does block unsafe coding practices or code, but ideally what should really happen is the unsafe coding should be made safe according to Website Security Industry Standards.

    The bottom line is BPS and BPS Pro only block things that are bad based on Website Security Industry Standards.

    Best Regards,

    November 17th   #

You must be logged in to post a comment.

© Ingenesis Limited. Shopp™ is a registered trademark of Ingenesis Limited.