    <p>
    tl;ra !
    </p>
    <p>
    By chance I noticed that all the file protection and IP blocking of type “order,deny” that AIOWPS writes to .htaccess is not working at all. The most plausible explication is that the Apache on my host is not configured to allow this type of overrides (“Limit”). Since I’m on shared hosting there’s nothing I can do about this. (the mod_rewrite and mod_alias directives are enabled however.)
    </p>
    <p>
    If I’m not missing something, that means that in my situation the following AIOWPS settings are completely inoperable:
    </p>

    • Basic Firewall Settings
    • WordPress Pingback Vulnerability Protection
    • Prevent Access to Default WP Files
    • Everything blacklist-related(!)
    • Everything whitelist-related

    <p>
    All this gets incorrectly scored as “green” in the UI. Maybe there are even more things failing due to the server config that I’m not aware of… (e.g. if the server doesn’t allow “Options” and “Indexes” the above list grows longer.)
    </p>
    <p>
    For an experienced user it may be a matter of course that certain settings won’t work if not allowed by the httpd.conf but for a noob like me this is irritating. The semantics with the green points made me believe that it is working, which is not true (in my case).
    </p>
    <p>
    Amongst the things that don’t work are very essential features (e.g. blacklisting), so it’s not inspiring confidence if a security plugin doesn’t tell me the truth.
    </p>
    <p>
    The only hint I’ve found is in your FAQ: “The plugin should work on any properly configured servers.” But this is not explicit enough. (And my webhoster is probably convinced that his servers are configured properly.)
    </p>

    <p>
    If you allow me to make a proposal, in my opinion AIOWPS should behave like this:
    </p>

    1. If I select an option that depends on server settings AIOWPS should test if the option is really working.
    2. If not, use an alternative access control method, if possible. E.g. Rewrite.
    3. If this is not feasible a warning should be issued and the setting should be grayed out.
    4. Or, if the above is too complicated or not doable: Flag all server-dependent options in the UI with a big, red label telling me which Apache directive must be enabled for the specific option to work. This way I know that I have to verify if it works, and/or manually adapt the rules in .htaccess to my needs.
    5. Don’t score green points if an option is not really working.

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi ecdltf, thank you for sharing your views and needed improvements to the plugin. Can you share with us who your host is? Have you spoken to your host in regards to what needs to be enabled in your server?

    All of the issues you described above can be achieved on a shared server if the host carries out the proper configuration. I have 3 clients on a shared host account with Justhost. I have nearly all the options enabled in the plugin except for a few because some plugins require those features not to be enabled.

    Regards

    Thread Starter ecdltf

    (@ecdltf)

    Thanks for your swift reply.

    Yes, just to be sure I will ask my hosting provider, which directives are allowed exactly.

    But I think you misunderstood my post. The problem is not the Apache config (which, at the end of the day, is always out of your control), the main issue is that AIOWPS blindly reports something as working, which in reality isn’t working. That’s why I said, if an option (e.g. blacklist) depends on a specific server config, then label it accordingly in the UI with “Please verify if it really works!” or so.

    Or even better, be flexible: If Deny isn’t allowed, then switch to Rewrite.

    For example, I’ve simply rewritten AIOWPS’ deny directives (from the blacklist) to compatible rewrite rules, like this:

    # Deny 27.148.0.0 - 27.151.255.255 via mod_rewrite instead of Order/Deny
    RewriteCond %{REMOTE_ADDR} ^27\.14[8-9]\. [OR]
    RewriteCond %{REMOTE_ADDR} ^27\.15[0-1]\.
    # Any matching client gets 403 Forbidden; [F] implies the request is not served
    RewriteRule ^(.*)$ - [F,L]

    This works flawlessly here. And if I can do it manually, I’m sure AIOWPS could do it also.

    If you don’t want to take server settings into account (or at least test for server settings), then it would probably be more secure to make the firewall an application level firewall.

    I’m gonna try some other security plugins in the next days. I haven’t done much research yet, but it seems that ‘WP Simple Firewall’ is a pure application level firewall, with a feature set similar to AIOWPS. I’ll report back how it goes…

    cheers,
    Tom
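    The fallback Tom describes above (and step 2 of the proposal in the opening post), as an added example that is not AIOWPS code: a small PHP routine that turns a blacklist of IPv4 entries into the equivalent mod_rewrite block, so the rules work under AllowOverride FileInfo even where Limit (needed for Order/Deny) is not granted. The accepted entry formats and the function names are assumptions.

```php
<?php
// Added example (not AIOWPS code): convert a blacklist of IPv4 entries into
// mod_rewrite rules, as a fallback when "Order/Deny" is not permitted by
// AllowOverride (needs "Limit") but mod_rewrite is (needs "FileInfo").
// Accepted entry forms (an assumption): full address "203.0.113.7",
// wildcard "27.148.*.*", or a dotted prefix "27.148" meaning 27.148.0.0/16.
// Anything else is rejected rather than written into .htaccess.

function blacklist_entry_to_regex(string $entry): ?string {
    $entry = trim($entry);
    // Drop trailing wildcard octets: "27.148.*.*" -> "27.148"
    $entry = preg_replace('/(\.\*)+$/', '', $entry);
    $octets = explode('.', $entry);
    if (count($octets) > 4) {
        return null;
    }
    foreach ($octets as $o) {
        if (!ctype_digit($o) || (int)$o > 255) {
            return null; // non-numeric or out-of-range octet
        }
    }
    // Anchor at the start; the trailing "\." stops "27.14" from matching 27.140.x.x
    $regex = '^' . implode('\.', $octets);
    return count($octets) === 4 ? $regex . '$' : $regex . '\.';
}

function blacklist_to_rewrite(array $entries): string {
    $conds = [];
    foreach ($entries as $e) {
        $re = blacklist_entry_to_regex($e);
        if ($re !== null) {
            $conds[] = $re;
        }
    }
    if (empty($conds)) {
        return ''; // nothing valid: write no rules at all
    }
    $lines = ['<IfModule mod_rewrite.c>', 'RewriteEngine On'];
    $last = count($conds) - 1;
    foreach ($conds as $i => $re) {
        // Every condition but the last carries [OR], so any single match denies
        $lines[] = 'RewriteCond %{REMOTE_ADDR} ' . $re . ($i < $last ? ' [OR]' : '');
    }
    $lines[] = 'RewriteRule ^ - [F,L]'; // 403 Forbidden, stop processing
    $lines[] = '</IfModule>';
    return implode("\n", $lines) . "\n";
}

// Constructed sample blacklist; the last two entries are malformed and skipped
echo blacklist_to_rewrite(['27.148', '27.149.*.*', '203.0.113.7', '999.1', 'abc']);
```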

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi Tom, sorry for misunderstanding your question.

    In regards to your comment.

    The only hint I’ve found is in your FAQ: “The plugin should work on any properly configured servers.” But this is not explicit enough. (And my webhoster is probably convinced that his servers are configured properly.)

    Most hosts nowadays know about WordPress and they know what is required in the server settings to allow WordPress to function correctly. That is one of the reasons you read the following sentence: “The plugin should work on any properly configured servers.”

    I understand your point of view and we are always open to suggestions from users.

    One of the plugin developers will look into your suggestion further.

    I look forward to your investigation with other security plugins.

    Regards

    Thread Starter ecdltf

    (@ecdltf)

    Most Host nowadays know about WordPress and they know what is required in the server settings to allow WordPress to function correctly.

    Do you mean that WP (without plugins) won’t work properly if the Deny, Allow, Order directives are disabled?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi ecdltf, no that is not what I meant.

    WordPress on its own works well without any plugins and the standard default themes. But everybody that uses WordPress and knows about WordPress knows that they will be installing plugins, especially security, backup and other plugins. They will be using custom themes, free themes and/or professional themes. These plugins and themes require server resources, bandwidth, MySQL, PHP or other server settings and operating system features. Most hosting companies are aware of these requirements. So they do their best to implement these settings in their servers because the WordPress community is growing larger every year and they want more business.

    Thread Starter ecdltf

    (@ecdltf)

    OK, thanks.

    I’m indeed using a fairly minimal setup consisting of WP 4.1 with the standard Twenty Fifteen theme, and an everyday set of rather standard-ish plugins (Add Meta Tags, Akismet, Autoptimize, Compress PNG, Duplicator, Google XML Sitemaps, Jetpack, ONet Regenerate Thumbnails, P3, Prepare New Version, Rewrite Rules Inspector, WP-Piwik, WP Super Cache).

    As far as I can judge, AIOWPS seems to be the first plugin not fully supported by my host’s server config. Of course, there may be other issues with the other plugins that I’m not yet aware of. (This is my first WP installation and it’s only 4 weeks old now.)

    Thread Starter ecdltf

    (@ecdltf)

    I said:

    I’m gonna try some other security plugins in the next days. I haven’t done much research yet, but it seems that ‘WP Simple Firewall’ is a pure application level firewall, with a feature set similar to AIOWPS. I’ll report back how it goes…

    1st test finished: While ‘WP Simple Firewall’ has indeed a very nice feature set, this thing increases my page load time by ~1.1 seconds, according to P3 Profiler. This is more than all my other plugins together, Jetpack included! WTH…, this thing is either extremely poorly written or this is just the price for a server-independent firewall. Completely ruled out!

    For comparison: AIOWPS increased the load time by very modest ~0.12 seconds. Congrats!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi ecdltf, please install this plugin P3 (Plugin Performance Profiler) to test how all your plugins are performing together. Remember a few golden rules in WordPress. Too many plugins can slow down your website. Outdated plugins can slow down and make your website vulnerable. Themes not complying with WordPress standards can also cause issues. And finally, if your website is large in resources and is very popular, a shared account might not be enough for your website. That is when you should be looking into a Pro account if your host has one, a VPS or a dedicated server.

    One of many websites that you should sign up with is gtmetrix.com to help you understand how your website is performing.

    I hope all of the above helps you further with your website.

    Kind regards

    Thread Starter ecdltf

    (@ecdltf)

    Ehm, please re-read my post above. I just reported you the results from P3.

    I made different tests, manual and auto. (I always check every plugin with P3 before regularly using it!)

    Thread Starter ecdltf

    (@ecdltf)

    PS: Thanks, I know gtmetrix; for this kind of tests I prefer webpagetest.org

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you for your report I appreciate your comment as well.

    Unfortunately, as I was posting my comment above you were also posting your comment. In other words, our replies crossed paths. If I had read your comment, my reply would have been different.

    Kind regards

    The topic ‘Please issue a warning if something doesn't work’ is closed to new replies.