iThemes Security not working properly on Apache 2.4

  • Resolved smarx80

    (@smarx80)


    9 years, 10 months ago

    Hi,
    as I said in https://www.ads-software.com/support/topic/better-wp-security-and-apache-2-4

    if you install BWPS on Apache 2.4, when the plugin bans at least one host we receive an “Internal Server Error” message and the site goes down.

    To avoid this we have modified the file common.php of the plugin
    changing lines:

    $rules .=       "Order Allow,Deny" . PHP_EOL .
"Deny from env=DenyAccess" . PHP_EOL .
"Allow from all" . PHP_EOL;

    with these:

    $rules .=       "<RequireAll>" . PHP_EOL .
"Require not env DenyAccess" . PHP_EOL .
"Require all granted" . PHP_EOL .
"</RequireAll>" . PHP_EOL;

    Note to the author: I hope you will include this change (or similar) in the next release. I know it is difficult to detect automatically the version of Apache (2.2 or 2.4), but I would suggest to put a check box in the admin area of the plugin to allow the administrator to choose.

    Simone.

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 4 replies - 1 through 4 (of 4 total)

  • There have been many iTSec plugin updates since you first posted this issue. (In the current iTSec plugin release, 4.5.10, the common.php file does not exist…)

    Have you tested this issue in a recent version of iTSec ?

    dwinden

    According to Apache doc (https://httpd.apache.org/docs/2.4/upgrading.html):
    <==Start quote==>
    Access control

    In 2.2, access control based on client hostname, IP address, and other characteristics of client requests was done using the directives Order, Allow, Deny, and Satisfy.

    In 2.4, such access control is done in the same way as other authorization checks, using the new module mod_authz_host. The old access control idioms should be replaced by the new authentication mechanisms, although for compatibility with old configurations, the new module mod_access_compat is provided.
    <==End quote==>

    I did a quick test and it seems the current iTSec plugin release (4.5.10) is still using Apache 2.2 access control directives (in multiple files).

    So instead of changing the code similarly in several files for the current release of the iTSec plugin I would suggest making sure the mod_access_compat module is loaded in Apache 2.4.

    dwinden

    If you were able to resolve your issue please mark this topic as ‘resolved’.

    dwinden

    Thread Starter smarx80

    (@smarx80)

    Thank you dwinden, problem resolved.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘iThemes Security not working properly on Apache 2.4’ is closed to new replies.