“Our basic firewall rules have been upgraded” motification

Hi @sdagency

If you go to WP Security > Dashboard you can see as below notice. It shows what settings are disabled. Only mentioned 4 (XML-RPC, proxy comment, bad query string, advanced char filter) in the image might be possible disabled. Not all basic firewall rules.

https://snipboard.io/SYPtgv.jpg

Regards

When I updated there was no listing like this screenshot which causes a lot of confusion because the email warning says, “we have disabled the features” and “You can enable the features again by logging into your WordPress dashboard…” So we don’t know if features were disabled or not without the info you show in your screenshot. If some were disabled we wouldn’t know which ones to re-enable.

To add to the confusion the screenshot says they are applied differently now, so why would they need to be re-enabled? Are we re-enabling the old version or cutting the features back on in the new version. Way confusing.

Hi @sdagency

That notice in the dashboard should have shown which of those 4 enabled and there is a button to reactivate those disabled.

Yes instead .htacess rules which are supported in Apache server only now it is PHP based rules so those are disabled to make sure it do not create the lockouts or plugin conflict unexpectedly.

you can reactivate those. if any issues can deactivate for example the Enable advanced character string filter enabled start making issues for Japanese char in URL

You can find more details in below topic.

https://www.ads-software.com/support/topic/5-2-2-confusion/

Still TOTALLY confused. I read that thread. My understanding is some rules were in .htaccess but better off in PHP, so you guys are moving them there. BUT Then you say you can re-activate the ones going to .htaccess? Why would I do that if it’s better they are in PHP? And how would one verify they aren’t a problem reactivating without reactivating and seeing there is a problem?

Not trying to be unhelpful or just negative to be negative, but many of us don’t live and breath web security technology. We just want to protect our sites. We have clients asking us what this means and we can’t tell them, “Well many of us don’t really understand what’s going on.”

What I and so many others need to know is.

1. How do we know whether each site is or should be using a PHP or .htaccess method?
2. Is there any need to reactivate the .htaccess ones if everything is over on PHP now?
3. How does one safely test the .htaccess ones to know they are ok to reactivate?
   
   We appreciate the plugin but are stumped at if there needs to be one method, two, some hybrid of both and how to answer clients. Thanks.

Hi @sdagency

From questions it seems you still do not undestood.

We are moving from .htaccess rules to PHP based so Nginx and Lightspeed server running WordPress sites also AIOS firewall functionality can work. .htaccess works on apachae server only.

XML-RPC, proxy comment, bad query string, advanced char filter this 4 option related rules are moved from .htaccess to PHP and it is now available in PHP only.

So your answers

1. It will be PHP only for above 4 not .htaccess rules.
2. you need to reactivate that one of 4 security option other wise it will not work so if you do not enable xml rpc then {siteurl}/xmlrpc.php do not show 403 error.
3. You should enable it but if you experience any issue conflict with other plugin or any thing else try disable those 4 options first.

Regards