Php 8.0, login, & brute force protection

  • Resolved saintandrews

    (@saintandrews)


    3 years, 8 months ago

    First: is Ninja Firewall WP and WP+ good to go with Php 8.0? I’ve seen the minimum version required, but not yet a definite yes on 8.0.

    Second: I’ve been testing my site with 8.0, and so far everything externally looks fine. I upgraded the path in my .htaccess file to direct NFW to the new 8.0 version of Php. I hit the wall, though, when trying to log in: I get a blank page with wp-login.php?reauth=1.

    The thing is, I myself initiated the reauth=1 nearly two years ago upon this advice from this forum:

    https://www.ads-software.com/support/topic/odd-new-login-page-behavior/

    I actually use the WP+ edition now, and, for the life of me cannot now locate an “NF HTML” form to try to revert the reauth query string, and it appears that the reauth string may now be baked into the core itself, because even with NFW disabled the login page still reads wp-login.php?reauth=1.

    So, tl;dr, I’m basically trying to isolate whether and how NFW-WP+ may be having problems digesting PHP 8.0, specifically the brute force protected login page, or if some other variable(s) are the culprit.

    Thanks,

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author nintechnet

    (@nintechnet)

    It is compatible with PHP 8.x.

    Can you run the troubleshooter script and paste the results here?

    I upgraded the path in my .htaccess file to direct NFW to the new 8.0 version of Php.

    Can you paste the directive here, including the <IfModule.. lines?

    Thread Starter saintandrews

    (@saintandrews)

    Thanks for the quick response. Selective redactions have obviously been made below.

    The directive path:

    <IfModule mod_env.c>
    SetEnv PHPRC /home/name/php/phprc/7.4/phprc
    </IfModule>

    or

    <IfModule mod_env.c>
    SetEnv PHPRC /home/name/php/phprc/8.0/phprc
    </IfModule>

    Various wp-check.php returns:

    [BEGIN PHP 7.4, NFW-WP+ w/brute force protection active]

    NinjaFirewall (WP edition) troubleshooter
    HTTP server : Apache
    PHP version : 7.4.15
    PHP SAPI : CGI-FCGI

    auto_prepend_file : /home/name/example.com/wp-content/nfwlog/ninjafirewall.php
    Loader’s path to firewall : /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php
    wp-config.php : found in /home/name/wp-config.php

    [END PHP 7.4, NFW-WP+ w/brute force protection active]

    [BEGIN PHP 8.0, NFW-WP+ w/brute force protection active]

    https://www.example.com = only blank white space

    [END PHP 8.0, NFW-WP+ w/brute force protection active]

    [BEGIN PHP 8.0, with NFW-WP+ entirely disabled]

    NinjaFirewall (WP edition) troubleshooter
    HTTP server : Apache
    PHP version : 8.0.2
    PHP SAPI : CGI-FCGI

    auto_prepend_file : /home/name/example.com/wp-content/nfwlog/ninjafirewall.php
    Loader’s path to firewall : The loader does not exist: /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php
    wp-config.php : found in /home/name/wp-config.php

    [END PHP 8.0, with NFW-WP+ entirely disabled]

    [BEGIN PHP 8.0, with NFW-WP+ itself active but w/brute force only disabled]

    When accessing https://www.example.com alone:

    “There has been a critical error on this website.

    Learn more about troubleshooting WordPress.”

    When accessing https://www.example.com/wp-check.php

    NinjaFirewall (WP edition) troubleshooter
    HTTP server : Apache
    PHP version : 8.0.2
    PHP SAPI : CGI-FCGI

    auto_prepend_file : /home/name/example.com/wp-content/nfwlog/ninjafirewall.php
    Loader’s path to firewall : /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php
    wp-config.php : found in /home/name/wp-config.php

    [END PHP 8.0, with NFW-WP+ itself active but w/brute force only disabled]

    Plugin Author nintechnet

    (@nintechnet)

    That looks like a PHP error. Enable debugging in WordPress:
    1. Edit your wp-config.php
    2. Search for:
    define('WP_DEBUG', false);
    3. Replace with:
    define('WP_DEBUG', true);
    4. Add this line below:
    define( 'WP_DEBUG_LOG', true );

    When you get the blank page or the critical error message, check the PHP error log, it will be located in “/wp-content/debug.log”.

    Undo the above change after debugging.

    Thread Starter saintandrews

    (@saintandrews)

    I tweaked my wp-config file as you suggested and used this option from above

    [BEGIN PHP 8.0, NFW-WP+ w/brute force protection active]

    https://www.example.com = only blank white space

    [END PHP 8.0, NFW-WP+ w/brute force protection active]

    attempting to log in to test.

    The debug.log implicated another plugin with a specific problem on a specific line. I disabled that plugin entirely, cleared my browser, and attempted to login again. The results were the same – just a blank white page after the initial brute force screen – but there were also no changes in the debug log. I deleted the log, cleared everything again, and repeated the process, but I could never get the debug log to recreate itself.

    But it happens that my host runs a standing PP log of their own which dates back years. The most recent entries, repeated since at least early March – that is, predating my attempt to change from PHP 7.4 to 8.0 – include these

    [BEGIN]

    [31-Mar-2021 04:31:24 America/Los_Angeles] PHP Fatal error: Uncaught Error: Undefined constant “GEOIP_STANDARD” in /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php:577
    Stack trace:
    #0 /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php(285): nfw_is_asn(‘a:39:{i:0;s:7:”…’)
    #1 /home/name/example.com/wp-content/nfwlog/ninjafirewall.php(7): include_once(‘/home/name/a…’)
    #2 {main}
    thrown in /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php on line 577
    [31-Mar-2021 04:32:23 America/Los_Angeles] PHP Fatal error: Uncaught Error: Undefined constant “GEOIP_STANDARD” in /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php:577
    Stack trace:
    #0 /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php(285): nfw_is_asn(‘a:39:{i:0;s:7:”…’)
    #1 /home/name/example.com/wp-content/nfwlog/ninjafirewall.php(7): include_once(‘/home/name/a…’)
    #2 {main}
    thrown in /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php on line 577
    [31-Mar-2021 04:32:34 America/Los_Angeles] PHP Fatal error: Uncaught Error: Undefined constant “GEOIP_STANDARD” in /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php:577
    Stack trace:
    #0 /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php(285): nfw_is_asn(‘a:39:{i:0;s:7:”…’)
    #1 /home/name/example.com/wp-content/nfwlog/ninjafirewall.php(7): include_once(‘/home/name/a…’)
    #2 {main}
    thrown in /home/name/example.com/wp-content/plugins/nfwplus/lib/firewall.php on line 577

    [END]

    which may or may not have anything to do with anything but which I’m offering just so you’ll know.

    At this point I think I’m just going to bide my time and continue with PHP 7.4. My only real reason for upgrading was to see if I could wring out a little more site speed.

    This superior firewall plugin continues to perform flawlessly for me under 7.4, the PHP log above notwithstanding, and I may try to repeat the debug process again to see if I can unearth anything else.

    Unless you can think of any other reason why NFW-W+ doesn’t or can’t hand off to the login page from its brute force page under PHP 8.0, with or without that reauth query string which has now become a constant, at this point I think I’m best served just making a strategic retreat back into the status quo.

    Thanks for your help, and if I turn up the solution, I’ll be sure to update this reply.

    Plugin Author nintechnet

    (@nintechnet)

    I see the problem, but cannot reproduce the error on PHP 8.
    Anyway, to fix it you would need to edit this file: /wp-content/plugins/nfwplus/lib/firewall.php

    Open it, and search for GEOIP_STANDARD. There are two occurrences and they should be replaced with NFW_GEOIP_STANDARD.

    I’ll fix it in the next version.

    Thread Starter saintandrews

    (@saintandrews)

    For whatever reason, making those changes allowed me to proceed to the main login page using NFW-WP+ with brute force enabled under PHP 8.0. IOW, taking NFW out of the problem as a variable – thus revealing a garden of others not NFW related.

    But that resolves this thread. Thanks again.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Php 8.0, login, & brute force protection’ is closed to new replies.