• Resolved sturdy2

    (@sturdy2)


    I’m using iTSec 4.6.6 and seem to have a problem related to the recent 4.6.2 bug. My banned users have totally disappeared from .htaccess. They remain in Settings > Banned Users but refuse to write to .htaccess. Permissions are 0664; something changed perms from 0644 where I set them. I can check the Enable Ban Users checkbox and click Save, but no joy. After Save, the checkbox is again unchecked. What’s happening?

    I have a backup but the Settings > Banned Users is obviously stored somewhere in addition to .htaccess so I am concerned about simply restoring the file.

    Also, the Hackrepair.com blacklist does enable/disable correctly to .htaccess.

    Thanks,
    Sturdy2

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 15 replies - 1 through 15 (of 23 total)
  • Thread Starter sturdy2

    (@sturdy2)

    Well, my fault, one banned IP had hyphens instead of dots! Duh…
    But an error message would have been nice.

    dwinden

    (@dwinden)

    I just tested:

    111-222-333-444

    and got the following error message:

    111-222-333-444 is not a valid address in the ban users box.

    So what exactly did your faulty IP address look like?

    dwinden

    Thread Starter sturdy2

    (@sturdy2)

    The only difference between my incorrect IP and yours would be the number of digits in one or two quadrants, otherwise the same. I no longer have the bad IP available. In trying to identify the issue I tried to save several dozen times and eventually isolated the hyphenated IP. None produced an error message, just an .htaccess that was missing ALL banned users. The only clue that something was wrong was the unchecked Enable Banned Users checkbox.

    Thread Starter sturdy2

    (@sturdy2)

    Here is some more info:
    I selected a random IP in the current list (166.137.136.78) and replaced the dots with dashes. Voila! Failure but No error message.

    dwinden

    (@dwinden)

    I did the same with your ip address and again received the message …
    Note I’m testing with a single IP address where you probably have a list of IP addresses … still should not make any difference.

    Just to be sure … The error message is displayed at the top of the Settings page where it would normally say “Settings Updated”.

    Do you have the “Enable HackRepair.com’s blacklist feature” checkbox enabled and/or do you have any “User Agents” specified?

    dwinden

    dwinden

    (@dwinden)

    Interesting case. Still cannot reproduce it …
    Just lost my latest post after clicking on the Post button …
    Grrrr …

    How many ips have you got ? (Not that it should make any difference).
    Are you using any of the other “Banned Users” settings ? (Default Blacklist & Banned User Agents).

    dwinden

    Thread Starter sturdy2

    (@sturdy2)

    Ya, I thought I had lost my first post to this thread then after 30 minutes when I sent a second they both showed. Ya gotta love these computers!

    I have 43 banned IPs.
    Default blacklist: yes.
    Banned agents: Baidu, BaiduSpider and yandex.
    One entry is ###.###.*.* but seems okay.
    Also have blocked 3 countries but those are outside of the iThemes Security region of .htaccess.

    dwinden

    (@dwinden)

    Ah ok. I’ll get back to you tomorrow.
    Sleepy time in Europe …

    dwinden

    Thread Starter sturdy2

    (@sturdy2)

    Sweet dreams…

    dwinden

    (@dwinden)

    Ok, so let’s see whether sleeping cleared my head …
    I’ve been testing enabling Default Blacklist & Banned User Agents
    but unfortunately still cannot reproduce …

    I do have some info about the User Agents (Don’t think it has any influence on this issue but I just thought I better share it with you).
    yandex is already in the Default Blacklist. Not as yandex but as Yandex.
    So I think you can remove that one (unless the casing is relevant).
    The other 2 are not in the current Default Blacklist.

    However there is also a known bug when specifying multiple User Agents.
    When you look at the lines added to the .htaccess you will notice that they look like this:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^Baidu [NC]
    RewriteCond %{HTTP_USER_AGENT} ^BaiduSpider [NC]
    RewriteCond %{HTTP_USER_AGENT} ^yandex [NC]
    RewriteRule ^(.*)$ - [F]
    </IfModule>

    Notice that the first 2 RewriteCond lines have [NC] specified where it should be [NC,OR]
    To verify this you can compare these type of lines with similar type of lines added by the Default Blacklist option.
    Basically with these lines in the .htaccess file NONE of the 3 User Agents specified are blocked …
    Only specifying a single User Agent will produce correct .htaccess lines. To solve this issue 2 iTSec code fixes need to be applied. If you are interested in these code fixes just let me know.

    Now back on topic again. It’s going to be hard to figure out what is causing your issue. For debugging purposes you could try and add the following lines (in the order as specified) to the wp-config.php file:

    error_reporting(E_ALL); ini_set('display_errors', 1);
    define('WP_DEBUG', true);

    (Note 1: adding these lines to wp-config.php may start displaying other probably unrelated PHP warning messages in frontend and backend …)

    (Note 2: the "define('WP_DEBUG', false);" line probably already exists. So you only need to change false to true and then add 1 new line. Make sure the 2 lines are in the order as specified).

    Then make sure there is an IP address with at least 1 hyphen specified and click on the “Save All Changes” button. I’m hoping some sort of PHP warning/error will be displayed. If so that might help. (Don’t forget to undo the changes to the wp-config.php file as soon as possible … !)

    If not, would it be possible to provide a temporary login account so that I can perform an iTSec audit in your WP env ?
    I won’t change anything, just have a quick look around.
    Alternatively we could do a TeamViewer session so that you can keep an eye on me while I perform the iTSec audit (if that makes you feel more comfortable ;-)).
    In case of using the TeamViewer method I prefer to use the latest Firefox browser release with the latest FireBug browser plugin installed. So it might be that you’ll need to set that up for me prior to the TeamViewer session.

    Oh almost forgot (hmm did I get enough sleep last night?), send me the following 2 files anyway by email [ redacted, support is not offered via email, Skype, IM etc. only in the forums ]

    – wp-config.php (Don’t forget to change any sensitive content first !!)
    – active theme functions.php file from the wp-content/themes/[name of active theme] folder (which normally contains any customized code).

    dwinden

    dwinden

    (@dwinden)

    I’ve had a quick look at the iTSec PHP code for Ban Users …
    Even though I receive an error message when attempting to save an invalid ip address it turns out it’s only half of the message …

    I get:

    166.137.136-78 is not a valid address in the ban users box.

    but it should be:

    Note that the ban users feature has been disabled until the following errors are corrected:

    166.137.136-78 is not a valid address in the ban users box.

    In order to get the full message you need to implement a small code fix:

    – First make a copy of the wp-content/plugins/better-wp-security/modules/free/ban-users/class-itsec-ban-users-admin.php file.
    – Then edit this file and search (only once) for:

    $no_errors === true

    and then replace true with false. After editing save the change to the file.

    Now it would be interesting to see whether you still do not get ANY message (when saving with an invalid Ban Users ip address).

    dwinden
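    The check described in the two posts above (a single malformed entry such as 166.137.136-78 makes the save fail, and the settings page should then say that the ban users feature has been disabled until the errors are corrected) is modelled below as an added example. It is not code from the iThemes Security plugin; the entry formats it accepts (single address, CIDR range, and the ###.###.*.* wildcard form mentioned in the thread) and the sample list are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample of a "Banned Users" box, assumed to hold one entry per
# line: plain addresses, a CIDR range, a wildcard entry of the ###.###.*.*
# form mentioned in the thread, and one address typed with a hyphen.
SAMPLE_BAN_LIST = """
166.137.136.78
203.0.113.0/24
198.51.*.*
166.137.136-78
"""

# Dotted quad in which any octet may be '*'; the ordering of the stars is
# checked separately so that 198.*.51.1 is rejected.
_WILDCARD_RE = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")


def validate_entry(entry: str) -> Optional[str]:
    """Return None for an acceptable entry, otherwise the error text for it."""
    e = entry.strip()
    # A single IPv4/IPv6 address or a CIDR range.
    try:
        if "/" in e:
            ipaddress.ip_network(e, strict=False)
        else:
            ipaddress.ip_address(e)
        return None
    except ValueError:
        pass
    # Wildcard form: once a '*' appears, every later octet must also be '*'.
    if _WILDCARD_RE.match(e):
        seen_star = False
        for octet in e.split("."):
            if octet == "*":
                seen_star = True
            elif seen_star or int(octet) > 255:
                break
        else:
            return None
    return f"{e} is not a valid address in the ban users box."


def validate_ban_list(text: str) -> Tuple[List[str], List[str]]:
    """Split the box into accepted entries and error messages."""
    accepted, errors = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        err = validate_entry(line)
        if err is None:
            accepted.append(line.strip())
        else:
            errors.append(err)
    return accepted, errors


def save_ban_list(text: str) -> Tuple[bool, List[str], str]:
    """Model the save: one bad entry disables the feature and reports it.

    Returns (feature_enabled, accepted_entries, message_for_settings_page).
    """
    accepted, errors = validate_ban_list(text)
    if errors:
        message = (
            "Note that the ban users feature has been disabled until the "
            "following errors are corrected:\n" + "\n".join(errors)
        )
        return False, accepted, message
    return True, accepted, "Settings Updated"


if __name__ == "__main__":
    enabled, accepted, message = save_ban_list(SAMPLE_BAN_LIST)
    print("enabled:", enabled)
    print(message)
```

    Run on the constructed list, the save reports the feature as disabled and prints the full two-part message for the hyphenated entry, while the three valid entries are still returned so they can be written out once the bad one is fixed.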

    Thread Starter sturdy2

    (@sturdy2)

    Good morning…

    The [NC] lines seem to be working for me. I’m really new at this so I may be misunderstanding something. I previously had a lot of bot traffic from BaiduSpider and Yandex. After adding the user agent lines both are now getting 403s. I added the lowercase Baidu and yandex just for extra comfort.

    My site is a new genealogy site and I don’t expect any traffic from outside the US and Europe. I don’t see any need for bots in other countries, which have become a nuisance. Probably should mention I also blocked China, Russia and Ukraine using code similar to below. These lines (several thousand) are below the iTSec and WordPress sections.

```apache
# BEGIN China Blacklist
<Limit GET HEAD POST>
order allow,deny
allow from all
deny from 1.0.1.0/24
deny from 1.0.2.0/23
snip…snip
deny from 193.109.216.0/24
</Limit>
# END China Blacklist
```

    I have tested with and without the above blacklist lines with no difference.

    So, I added your debug lines and received the following messages with or without the hyphen in the IP. Being a noob, I can’t tell if this is important but obviously something is not quite correct.

    Strict Standards: Non-static method Category_Template_Hierarchy::init() should not be called statically in /home/sturdy2/public_html/wp-content/plugins/category-template-hierarchy/category-template-hierarchy.php on line 126

    Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at /home/sturdy2/public_html/wp-content/plugins/category-template-hierarchy/category-template-hierarchy.php:126) in /home/sturdy2/public_html/wp-content/plugins/wp-file-upload/wordpress_file_upload.php on line 2

    Notice: bbp_setup_current_user was called incorrectly. The current user is being initialized without using $wp->init(). Please see Debugging in WordPress for more information. (This message was added in version 2.3.) in /home/sturdy2/public_html/wp-includes/functions.php on line 3547

    Notice: Undefined variable: message in /home/sturdy2/public_html/wp-content/plugins/better-wp-security/modules/free/ban-users/class-itsec-ban-users-admin.php on line 636

    Warning: Cannot modify header information – headers already sent by (output started at /home/sturdy2/public_html/wp-content/plugins/category-template-hierarchy/category-template-hierarchy.php:126) in /home/sturdy2/public_html/wp-includes/pluggable.php on line 1178

    One more comment: I am using the Local Business Theme ver 2.0 from inkThemes.com and it looks like the theme is no longer available. Maybe a this is a theme issue?

    On the bright side, I have learned NOT to put hyphens in IPs!

    Thread Starter sturdy2

    (@sturdy2)

    Looks like our last posts crossed. Give me a couple of hours and I’ll try your fix and get back. My wife tells me I have other stuff to do.

    Thread Starter sturdy2

    (@sturdy2)

    Changed $no_errors === true to $no_errors === false on lines 631 and 649. I am now getting the error message so all looks okay.

    Edit: I just noticed the ref to line 636 in the previous error messages.

    dwinden

    (@dwinden)

    Good morning …

    Glad to see you have your priorities straight …

    Let me first explain how these User Agent lines in .htaccess work.

    So there are 3 RewriteCond lines followed by 1 RewriteRule in the .htaccess file for the 3 User Agents specified in Ban Users.
    Because the RewriteCond lines end with [NC] (and more importantly because there is no OR specified) they are being interpreted as AND.
    So for the single RewriteRule to be executed all 3 conditions must be met !

    However when the first 2 RewriteCond lines end with [NC,OR] the single RewriteRule will be executed when the first RewriteCond condition is met OR when the second RewriteCond condition is met OR when the third RewriteCond condition is met …
    So that’s a big difference don’t you think …?

    As I said before, for confirmation look at the lines added by the Default Blacklist option.

    Perhaps the geo-ip banning is keeping BaiduSpider and Yandex out …
    The 3 User Agents added in the Ban Users option of the iTSec plugin certainly not …

    Now on to the result of the debug lines … I see you get 5 messages.
    1 Strict Standards error, 2 warnings and 2 notices.

    The Strict Standards error and 2 warnings are all related to the “Category Template Hierarchy” plugin.
    I had a quick look on the www.ads-software.com page for this plugin and there it says:

    This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

    Deactivating and/or deleting the “Category Template Hierarchy” plugin (but only if you are 100% sure it is not being used) will probably take care of those messages.

    The “Notice: bbp_setup_current_user was called incorrectly” message is a good candidate to google on … anyway it has nothing to do with the iTSec plugin.

    Last but not least the very relevant “Notice: Undefined variable: message” which points to a very well known iTSec plugin file !

    Oh, while typing in this post I just noticed your third post for today.
    It seems the earlier mentioned fix to the code has already had a positive effect. So that’s good news.

    But I understand you applied the edit twice while it should only be applied once. So please undo the second edit. This is IMPORTANT !
    My apologies for the inconvenience.

    Back to the “Notice: Undefined variable: message”. Indeed the bug I found in the code causes this notice. And it was the reason why you did not see any message. Applying the code fix will have taken care of it.

    So it wasn’t a theme issue.

    Please keep in mind that as soon as you update the iTSec plugin this code fix will be lost and the issue may return.
    Hopefully iThemes will fix this bug ASAP.

    Any other questions please let me know.

    Note: iThemes released iTSec plugin 4.6.8 10 minutes ago.
    You know what to do after updating …

    dwinden
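    The AND-versus-OR point made in the post above (three RewriteCond lines flagged [NC] only are ANDed, so the single RewriteRule never fires for any one of the three agents; with [NC,OR] on the first two it fires for any of them) can be checked without touching a live .htaccess. The script below is an added example, not code from the iThemes Security plugin or from Apache: it parses the RewriteCond lines of a block, applies the mod_rewrite rule that a condition carrying OR is joined with the condition after it and everything else is ANDed, and reports which sample User-Agent strings the rule would 403. The two blocks are the one quoted earlier in the thread (with the RewriteRule target written as a plain hyphen) and the same block with [NC,OR] added; the three User-Agent strings are constructed for the example.

```python
import re
from typing import List, Set, Tuple

# Constructed input: the User-Agent block quoted earlier in the thread (all
# three RewriteCond lines flagged [NC]) and the same block with the [NC,OR]
# flags the thread says the first two lines should carry.
BUGGY_BLOCK = """
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Baidu [NC]
RewriteCond %{HTTP_USER_AGENT} ^BaiduSpider [NC]
RewriteCond %{HTTP_USER_AGENT} ^yandex [NC]
RewriteRule ^(.*)$ - [F]
"""

FIXED_BLOCK = """
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Baidu [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^BaiduSpider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^yandex [NC]
RewriteRule ^(.*)$ - [F]
"""

# Constructed User-Agent strings; the first two begin with the banned names.
SAMPLE_AGENTS = [
    "Baiduspider/2.0 (+http://www.baidu.com/search/spider.html)",
    "YandexBot/3.0 (+http://yandex.com/bots)",
    "Mozilla/5.0 (Windows NT 10.0; rv:42.0) Gecko/20100101 Firefox/42.0",
]

_COND_RE = re.compile(
    r"^RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)(?:\s+\[([^\]]*)\])?$"
)


def parse_conditions(block: str) -> List[Tuple[str, Set[str]]]:
    """Collect (pattern, flags) for the RewriteCond lines before the RewriteRule."""
    conds = []
    for raw in block.splitlines():
        line = raw.strip()
        if line.startswith("RewriteRule"):
            break
        m = _COND_RE.match(line)
        if m:
            flags = {f.strip().upper() for f in (m.group(2) or "").split(",") if f.strip()}
            conds.append((m.group(1), flags))
    return conds


def _matches(pattern: str, flags: Set[str], user_agent: str) -> bool:
    # [NC] makes the pattern case-insensitive, as in mod_rewrite.
    return re.search(pattern, user_agent, re.IGNORECASE if "NC" in flags else 0) is not None


def rule_fires(conds: List[Tuple[str, Set[str]]], user_agent: str) -> bool:
    """Evaluate the chain as mod_rewrite does.

    Conditions are ANDed unless one carries OR, which joins it with the
    condition that follows it. A run of OR-flagged conditions plus the
    condition that ends the run forms one group; the rule fires only if
    every group has at least one matching member.
    """
    groups, current = [], []
    for cond in conds:
        current.append(cond)
        if "OR" not in cond[1]:
            groups.append(current)
            current = []
    if current:  # trailing OR with nothing after it: treat as its own group
        groups.append(current)
    return all(any(_matches(p, f, user_agent) for p, f in g) for g in groups)


def blocked_agents(block: str, user_agents: List[str]) -> List[str]:
    """Return the agents for which the block's RewriteRule ^(.*)$ - [F] fires."""
    conds = parse_conditions(block)
    return [ua for ua in user_agents if rule_fires(conds, ua)]


if __name__ == "__main__":
    print("buggy block blocks:", blocked_agents(BUGGY_BLOCK, SAMPLE_AGENTS))
    print("fixed block blocks:", blocked_agents(FIXED_BLOCK, SAMPLE_AGENTS))
```

    With the [NC]-only block no agent is blocked, because no single User-Agent string can start with Baidu, BaiduSpider and yandex at the same time; with [NC,OR] on the first two lines the Baidu and Yandex samples are both blocked and the Firefox sample passes. Since the patterns are anchored with ^, a crawler whose User-Agent does not begin with the banned name is not matched by either block, which is worth keeping in mind when reading a 403 in the access log as proof that a rule works.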

  • The topic ‘Failure to write Banned Users to .htaccess’ is closed to new replies.