• This is more of a general question.

    Recently WPEngine sent notices out for all of our installs (over 2000 spread across multiple WPE server instances) that they will be forcing the upgrade to PHP 7.4.

    Each of these installs utilizes iThemes Security.

    With this upgrade comes the notice that they will no longer support .htaccess files, seemingly opting for 100% nginx.

    I am currently chatting with them about the possibility of local nginx config files for each install, however, it is not looking likely… which means… iThemes Security in its current state will become basically null and void for a great portion of its functionality.

    Do you have plans to work around this?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter Kevin Pirnie

    (@kevp75)

    Confirmed. WPEngine will not be allowing local install nginx configurations.

    Hi Kevin,

    You may be interested in reading What Rules are Enforced by the .htaccess File in iThemes Security (Pro)?

    The article is a bit outdated (and missing 1 entry) so below is an updated list for the current iTSec release:

    Security> Settings> Features> Lockouts> Ban Users> Default Ban List
    Security> Settings> Advanced> System Tweaks> Protect System Files
    Security> Settings> Advanced> System Tweaks> Disable Directory Browsing
    Security> Settings> Advanced> System Tweaks> Disable PHP in Uploads
    Security> Settings> Advanced> System Tweaks> Disable PHP in Plugins
    Security> Settings> Advanced> System Tweaks> Disable PHP in Themes
    Security> Settings> Advanced> WordPress Tweaks> XML-RPC (Disable XML-RPC)

    As you can see, WPEngine’s decision has little impact on the iTSec plugin’s features. (Even less after the iTSec plugin 8.0 release since many System/WordPress Tweaks settings, which all added rules to the .htaccess file, have been removed.)

    Also note that the iTSec plugin’s most important features (like strong passwords, two-factor authentication and Brute Force Protection) are unaffected.

    Personally, the only one I would really hate to miss is disabling XML-RPC. But that setting not only adds rules to the .htaccess file but hooks into the WordPress core xmlrpc_enabled filter as well (possibly as a fallback mechanism).

    +++++ To prevent any confusion, I’m not iThemes +++++

    Thread Starter Kevin Pirnie

    (@kevp75)

    Thanks @nlpro
    Aye, I’m aware of those. Honestly those Ban List rules make up the bulk of the protections for our sites.

    It’s always better to have the server software itself do the blocking than it is to have WordPress or even any PHP do the processing. Cuts down on PHP processes overloading the servers.

    I’m hopeful with 8.0, that there are indeed items put in place to circumvent, or the iThemes team is in talks with WPEngine, however, I may be removing this off of 2000+ websites (40% of those are Pro plugins… hate to have to drop that much business from iThemes…)

    Thread Starter Kevin Pirnie

    (@kevp75)

    I would be ok with the plugin even generating those rules in a copy/paste text area. At least then we would be able to send that off to WPE to have implemented. However, the way the WPE system is now, you either import the rules through them, or you enter them yourself 1 by 1, and that’s just not feasible.

    I would be ok with the plugin even generating those rules in a copy/paste text area.

    The iTSec plugin has got you covered.

    Security > Settings > Tools -> Server Config Rules
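
To illustrate what moving the Ban List rules discussed in this thread from .htaccess to an nginx-only host involves, here is an added example (not part of the thread and not the iTSec plugin's own output) that translates Apache ban lines into nginx `deny` directives. It assumes the bans use the standard Apache `Deny from` / `Require not ip` directives; the function names and the sample .htaccess content are constructed for illustration.

```python
import ipaddress
import re

# Standard Apache ban directives: 2.2 "Deny from", 2.4 "Require not ip".
_BAN_RE = re.compile(r"^\s*(?:Deny\s+from|Require\s+not\s+ip)\s+(.+?)\s*$", re.I)

# Constructed sample .htaccess content, not taken from any real site.
SAMPLE = """\
Order allow,deny
Deny from 203.0.113.7
Deny from 198.51.100.0/24 10.1
Require not ip 2001:db8::/32
Require not ip 203.0.113.7
Deny from bad.example
# Deny from 192.0.2.1
"""


def _to_network(token):
    """Return an ip_network for an Apache address token, or None if not an IP."""
    # Apache accepts partial IPv4 addresses: "10.1" means 10.1.0.0/16.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}\.?", token):
        octets = token.rstrip(".").split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None  # hostnames, "all", env=... have no nginx `deny` form


def htaccess_bans_to_nginx(text):
    """Return (nginx deny directives, tokens that could not be converted)."""
    networks, skipped = set(), []
    for line in text.splitlines():
        match = _BAN_RE.match(line)  # commented-out lines start with "#": no match
        for token in (match.group(1).split() if match else []):
            net = _to_network(token)
            if net is None:
                skipped.append(token)  # needs manual review
            else:
                networks.add(net)  # the set removes duplicate bans
    ordered = sorted(networks, key=lambda n: (n.version, n.network_address, n.prefixlen))
    # nginx takes a bare address for a single host and CIDR for a range.
    rules = ["deny %s;" % (n.network_address if n.prefixlen == n.max_prefixlen else n)
             for n in ordered]
    return rules, skipped
```

Calling `htaccess_bans_to_nginx(SAMPLE)` returns four `deny` lines (the duplicate ban on 203.0.113.7 is collapsed) and reports `bad.example` as a token with no direct nginx equivalent.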

  • The topic ‘iThemes Rules and WPEngine’ is closed to new replies.