Pro Sites htaccess file challenge, or os it?

Hi everyone,

Here's the challenge;

I'm using multi site and I have my wild card set up.

I have Pro sites set up go to sites> ad new and create a site. It shows under all sites just fine.

I click dashboard and I get a hostgator 404 error page.
It won't let me go to the dashboard or see the newly created site.

I had the bullet proof security plugin installed which rewrites your htaccess file.
I've pasted the file below for reference.

Another challenge is that when I coppied my htaccess file bullet proof security had already been installed.

So, and solutions you have would be great.

If it is the htaccess file can I go delete the content> ensure the permissions are at 644> go to permalinks> change permalinks> have WP rewrite the file> then ad the network setup file back in as I did when I set it up?

2nd part of that question: With that htaccess file creation wouldn't the network setup file just replace the whole htaccess file any way? So, couldn't I just go replace the current bullet proof file with it and call it a day?

Thank you in advance for your help.

Here's the file:

# If you edit the BULLETPROOF .50.1 >>>>>>> SECURE .HTACCESS text above
# you will see error messages on the BPS Security Status page
# BPS is reading the version number in the htaccess file to validate checks
# If you would like to change what is displayed above you
# will need to edit the BPS /includes/functions.php file to match your changes
# If you update your WordPress Permalinks the code between BEGIN WordPress and
# END WordPress is replaced by WP htaccess code.
# This removes all of the BPS security code and replaces it with just the default WP htaccess code
# To restore this file use BPS Restore or activate BulletProof Mode for your Root folder again.

# BEGIN WordPress
# IMPORTANT!!! DO NOT DELETE!!! - B E G I N Wordpress above or E N D WordPress - text in this file
# They are reference points for WP, BPS and other plugins to write to this htaccess file.
# BPS needs to find the - BPSQSE - text string in this file to validate that your security filters exist

ServerSignature Off

# If you are using a PHP Handler add your web hosts PHP Handler below

# If you are getting 500 Errors when activating BPS then comment out Options -Indexes
# by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
Options -Indexes

# Use index.php as default directory index file
# index.html will be ignored will not load.
DirectoryIndex index.php index.html /index.php

# See this link:
# for more information before choosing to add this code to BPS Custom Code
# Protects the Login page from SpamBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent

# BPS has premade 403 Forbidden, 400 Bad Request and 404 Not Found files that are used
# to track and log 403, 400 and 404 errors that occur on your website. When a hacker attempts to
# hack your website the hackers IP address, Host name, Request Method, Referering link, the file name or
# requested resource, the user agent of the hacker and the query string used in the hack attempt are logged.
# All BPS log files are htaccess protected so that only you can view them.
# The 400.php, 403.php and 404.php files are located in /wp-content/plugins/bulletproof-security/
# The 400 and 403 Error logging files are already set up and will automatically start logging errors
# after you install BPS and have activated BulletProof Mode for your Root folder.
# If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file
# to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.
# You can open the BPS 404.php file using the WP Plugins Editor.
# NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php template file.

ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
ErrorDocument 401 default
ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
ErrorDocument 404 /404.php

# Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
# HEAD request from bots that you want to allow in certains cases. This is not a security filter and is just
# a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
# all bots to make a HEAD request then remove HEAD from the Request Method filter.
# The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
RewriteEngine On
RewriteRule ^(.*)$ - [F,L]

# IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
# Example: If RewriteRule S=5 is deleted than change S=6 to S=5, S=7 to S=6, etc.

# Adminer MySQL management tool data populate
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=12]
# Comment Spam Pack MU Plugin - CAPTCHA images not displaying
RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
RewriteRule . - [S=11]
# Peters Custom Anti-Spam display CAPTCHA Image
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
RewriteRule . - [S=10]
# Status Updater plugin fb connect
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
RewriteRule . - [S=9]
# Stream Video Player - Adding FLV Videos Blocked
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
RewriteRule . - [S=8]
# XCloner 404 or 403 error when updating settings
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
RewriteRule . - [S=7]
# BuddyPress Logout Redirect
RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
RewriteRule . - [S=6]
# redirect_to=
RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
RewriteRule . - [S=5]
# Login Plugins Password Reset And Redirect 1
RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
RewriteRule . - [S=4]
# Login Plugins Password Reset And Redirect 2
RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
RewriteRule . - [S=3]

# Only Allow Internal File Requests From Your Website
# To Allow Additional Websites Access to a File Use [OR] as shown below.
# RewriteCond %{HTTP_REFERER} ^.** [OR]
# RewriteCond %{HTTP_REFERER} ^.**
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:slight_smile:slight_frown:%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:slight_smile:slight_frown:%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteCond %{HTTP_REFERER} ^.*demo5.local.*
RewriteRule . - [S=1]

# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Add or remove user agents temporarily or permanently from the first User Agent filter below.
# If you want a list of bad bots / User Agents to block then scroll to the end of this file.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
# Replace Allow from with your current IP address and remove the
# pound sign # from in front of the Allow from line of code below to access these
# files directly from your browser.

<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
Order allow,deny
Deny from all
#Allow from

# IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
# END WordPress

# To Test that your Hotlinking protection is working visit
#RewriteEngine On
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?add-your-domain-here\.com [NC]
#RewriteCond %{HTTP_REFERER} !^$
#RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]

# This is a better approach to blocking Comment Spammers so that you do not
# accidentally block good traffic to your website. You can add additional
# Comment Spammer IP addresses on a case by case basis below.
# Searchable Database of known Comment Spammers

<FilesMatch "^(wp-comments-post\.php)">
Order Allow,Deny
Deny from 46.119.35.
Deny from 46.119.45.
Deny from 91.236.74.
Deny from 93.182.147.
Deny from 93.182.187.
Deny from 94.27.72.
Deny from 94.27.75.
Deny from 94.27.76.
Deny from 193.105.210.
Deny from 195.43.128.
Deny from 198.144.105.
Deny from 199.15.234.
Allow from all

# If you would like to block more bad bots you can get a blacklist from
# You should monitor your site very closely for at least a week if you add a bad bots list
# to see if any website traffic problems or other problems occur.
# Copy and paste your bad bots user agent code list directly below.

  • Jack Kitterhing
    • Code Norris

    Hi there @Enfusia,

    Hope you're well today and thanks for your question.

    Can you disable BPS security and overwrite your current .htaccess in the root of the install to

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ wp/$1 [L]
    RewriteRule . index.php [L]

    And see if that works? The above is the default sub domain install .htaccess :slight_smile:

    Thank you!

    Kind Regards

  • Enfusia
    • Design Lord, Child of Thor

    Hi, thank you I deleted everything on the file and checked to be sure by clicking select all and got nothing. I then over wrote it with the code I was given above.

    I created a new site and it goes to a 404 error page.

    Should I do anything more for the network setup?

    The new sites are not defaulting to free. They are setting themselves up as level 1 sites. If that helps in any understanding.

    What should I do next?

    Thank you, Patrick

  • Enfusia
    • Design Lord, Child of Thor

    I also just double checked my wp-config file and everything looks good there:
    define('MULTISITE', true);
    define('SUBDOMAIN_INSTALL', true);
    define('DOMAIN_CURRENT_SITE', '');
    define('PATH_CURRENT_SITE', '/');
    define('SITE_ID_CURRENT_SITE', 1);
    define('BLOG_ID_CURRENT_SITE', 1);

    What do you think the problem could be?

  • Enfusia
    • Design Lord, Child of Thor

    Just to be clear, this is the same issue that I had a thread for yesterday. It didn't get resolved and no one had replied to it so I made this new thread. I've now read maybe 30 threads etc in Google on this (it seems to be common) and no one has a definitive answer yet.

    I really need to get this resolved as this is a clients site and I'd like to avoid looking like a doorknob if at all possible.

    Thank you in advance, Patrick

  • Vaughan
    • Support/SLS MockingJay

    Hi @enfusia,

    Our feeds work on old to new.

    so everytime you reply on a thread thread, it knocks the thread to the back of the queue each time.

    Can you provide us with site login details and FTP credentials?

    Can you send your details using the following contact form (select i have a different question from the dropdown.)

    Mark for attn: Vaughan
    Include a ref URL to this thread.

    Please include site login details (super-admin if on multisite)
    Also include FTP login details so I can take a look at the theme files.


  • Enfusia
    • Design Lord, Child of Thor

    Hi, the credentials have been sent. Will you reply back here or via email?

    Thank you very much for working with me on resolving this. Ive now read maybe 50+ posts and threads in Google on it.

    So, whatever you do to fix it, I would like to know what that was. And you might author a report on it as it seems to be a challenge many run into. The WP forum has many posts on it with no one providing a solution.

    Thank you, Patrick

  • Enfusia
    • Design Lord, Child of Thor

    Hi, Thank you, I sent it within 10 minutes or so of your reply. According to the time on the front the help forum you had replied 2 min before I saw it.
    It said, your email has been sent.

    Would you like me to send it again?

    Thank you, Patrick

  • Enfusia
    • Design Lord, Child of Thor

    Hi, did you receive the email with credentials yet?

    I've thought of something that may be helpful.

    I'm wondering if apache isn't configured to ignore some or all of the settings. As you likley know. On some servers the allow override directive controls can be set to allow override none and should be set to allow override all.

    The files they could be in are httpd.conf or apache2.conf usually correct? The challenge is I can't seem to locate them. In Hostgator the Apache Handler is worthless for this function. Or do you know something I don't. They've got the dang things hidden.

    Then we may need to debug Apache syntax is to put the the .htaccess contents into the main Apache configuration file under a <Directory> directive. Apache has an option to parse and check its configuration files. To run an Apache syntax check, run: httpd -S. But again I can't see them from my view or am I missing them somehow?

    It appears the .htaccess file is being read. I had already tested that by getting an error after inserting "test" after rewrite engine on. You could double check that but it looks good.

    The other things that come to mind are that:
    1. When you look their is that 2nd instance of the htaccess file just below the main one that is numbered. I'm not to sure if that is supposed to be there in not?

    2. Are the settings for this access file being overriden by another htaccess file? There is that file out in the main public html area where all sites are listed, but that shouldn't matter should it?

    Ok, please let me know that you recieved the credentials. Let's figure this puppy out.

    Thank you, Patrick

  • Vaughan
    • Support/SLS MockingJay


    Glad I could get to the bottom of this Patrick :slight_smile: Not sure what was happening to the emails in our system, but luckily my personal email worked fine to converse with.

    For others who maybe having the same issues using hostgator.

    The issue was that although we went through the DNS settings and setup CNAMES correctly for the wildcard subdomain, this still didn't work, running a ping test on the main domain & the subsites, resulted in a completely different IP address being returned for the subsites than was used for the main domain, even though we had used correct CNAME etc for the wildcard.

    The issue turned out to be that an A record was also setup for webdisk.domain in the DNS zone too, after that zone entry was removed the system started working fine again after re-propogation.

    So if you are using hostgator & receive the same issues with 404's on your subsites (when using an addon domain) check your DNS zone settings for a entry, other subdomains should be fine, but you can't have an entry for the webdisk itself, if you see one, remove it & wait a few hours. This should then resolve the issue and allow use of wildcard domains properly.

    Hope this helps

  • Ali
    • Flash Drive

    I am having the same / similar issue with bluehost.
    I am setting up a pilot project with pro site.

    1) WP is installed on webroot
    2) *.mydomain wildcard added in subdomains
    3) .htaccess is setup for subdomain
    4) created site in WP manually. It was created but going to site or dashboard results in 404
    5) I thought, maybe sites can only be created via Pro Site setup. Might as well setup paypal sandbox. Still 404.

    After many threads, google searches I found this post.
    I also found webdisk in zone editor of bluehos based on Vaughan's instructions. If this solves the problem, I will post here and give some points to @Vaughan


  • Ali
    • Flash Drive

    Hi again,

    Not sure if removing the webdisk was needed but in my case, I had to re-create the wildcard subdomain.

    Apparently, by default, * subdomains wildcard was setup with public_html/wildcard in the path (does not show this in listing).

    I deleted my * entry and recreated it, making sure the auto fill "wildcard" was not in the path and now sub domain websites are showing up! no more 404s.



Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.