Suggestions and BWPS 4.0

Currently, I have WordPress installed into a subdirectory at https://www.example.com/wordpress, although the site address is just https://www.example.com.

And I’ve enabled HackRepair.com’s blacklist on the Ban tab of BWPS. This results in a whole bunch of entries being added to the .htaccess file.

However, BWPS adds those entries to the .htaccess file which is in the /wordpress subdirectory, and I believe this is incorrect.

Instead, it should add those entries to the .htaccess file which is in the root directory. This is where WordPress itself adds its own mod_rewrite rules, and I believe this is the correct place for all WordPress .htaccess rules to reside, even when WordPress is installed into a subdirectory.

It would be great if BWPS 4.0 would add its rules to the .htaccess in the root directory and not create a second .htaccess file in the subdirectory where it is not needed.

Thanks!

Hi,
I like the User and Bot Blacklist developed by Jim Walker of HackRepair.com. But, it blocks all Java clients and I need to allow Java clients.

It’d be great if there was a way to create a whitelist for specified User Agents.

Robert

Howdy. Great plugin. Thank you!

Quick suggestion: add support for WP stored in a subfolder of root. I see many threads on people not being able to login after using the “Hide Backend” option. Looking at .htaccess, I noticed you have hardcoded the redirects as “/WordPress/wp-login.php?…”. I changed mine to “WordPress/MySubfolder/wp-login.php?…” and everything worked again. I’m not a hardcore developer so maybe this was a decision on your part, but if not…

Thanks again!

Hi,

I had a problem with the latest release (maybe a plugin conflict, I’m not sure), and I decided to reinstall the previous version. Problem: even when I go to the release notes history and try to install 3.5.1, what is downloaded is the present release.
I finally solved this by extracting the BWPS plugin from a website backup file, and then uploading that. It would be easier to be able to download the earlier plugin versions.

Tx
Craig Hesser
https://jimmycraig.info/

Suggestion:
Changing Table Prefix
Let the user choose between an auto generated and a self-defined table prefix. If you have many installs on one DB, it’s great to be able to have semantically meaningful prefixes, so it’s not so hard to figure out which prefix belongs to which install. It should be very simple to implement.

================

( ) Autogenerated
(x) Custom: [ ] <- enter prefix without trailing underscore

*Change Prefix*

================

Suggestion:
404 error log. We now have the option to delete all 404s in one go. Please add check boxes so we can choose which one to delete and which ones stay for further monitoring.

Thanks

Hi,

Is there anyway you can include this into the checker for detection?

https://www.blocklist.de/en/export.html

Its blocklists for WP and Joomla bruteforce attackers?

Add some features from this plugin you don’t have: https://codecanyon.net/theme_previews/4812947-guaven-fp-unique-source-code-and-hidden-wpadmin

Also the ability to change the slug /not_found to something we can customize.

The possibility to change email [email protected] and remove most branding of wordpress because of security issues.

Would it be practical to simply block a particular countries IP address in order to avoid attacks on a site? I seem to be getting intrusions from certain countries that are attempting something that warrants your software to block them from my site. Would Better WP Security consider adding that as an option for us?

One thing this plugin desperately needs is some kind of accurate reporting on its successes and failures. It will happily tell you that it has created a backup when in fact it has not. This can be caused by permissions problems for example.

It will do the same for renaming the wp-content folder, though refreshing the page will show you that the folder is still called ‘wp-content’. But you have to look for it, because the message reports success.

It would be nice to have the Perishablepress: 5G Blacklist 2013 in the Better WP Security.

Hide backend multisite support.

In practice this means means that the request to example.com/subsite/administration-slug, subsite.example.com/administration-slug, or (domain mapped) examplesubsite.com/administration-slug, should be redirected to example.com/subsite/wp-login.php, subsite.example.com/wp-login.php, or examplesubsite.com/wp-login.php, rather than to example.com/wp-login.php, where they are now being redirected to.

POSSIBLE SUGGESTION

Hi Chris (BWPS Developer),

I don’t know if it’s helpful, but I occasionally forget to delete the config-sample file in the root. If you think this is a potential threat, may be have your excellent pluggin check for it’s existence?

Cheers!

Chris

Another suggestion:

Fix the security breach with the logout url.

The hide backend doesn’t appear to be effective as when you enable it, but then go to example.com/wp-login.php?action=logout it brings you to a page that asks you if you want to log out and if you click on “log out” it brings you to the login page that reveals your secret key. So in effect, it does not hide your backend because anyone can find your backend just by going to the standard logout url.

Hi Chris, a chunk of other enhancements or request i have,

I use your plugin as the main security defense on all my sites, but i also use it in combination with a chuck of others because your plugin just doesn’t have all these features i want, if you would consider implementing them then i can cut down on conflicts and double ups.

The following plugins and main features that i cant live without and although they would make your plugin a mammoth i think it would make it the best one on the market and i would pay for that.

WP-Ban https://www.ads-software.com/plugins/wp-ban/ Ban by referrer, Host Names, Banned Message customization. A really good way to scare hobby hackers is by displaying their ip address has been banned and the admin of the site has been notified. (ban by referrer helped block out those Russian sites that send you Spam links that have your URL in them)

WP Robots Txt https://www.ads-software.com/plugins/wp-robots-txt/ I think having the robots.txt editor should go hand in hand with the ban user agent area.

TimThumb Vulnerability Scanner https://www.ads-software.com/plugins/timthumb-vulnerability-scanner/ The amount of times I have fixed my theme when a theme developer has put old timthumbs versions in there theme, and an additional area to remove the flicker and other timthumbs vulnerabilities from the file.

Invisible Captcha https://www.ads-software.com/plugins/invisible-captcha/
Help us out include a form of hidden capture when we install your plugin.

Fantastic Content Protector Free https://www.ads-software.com/plugins/fantastic-content-protector-free/ I know there are ways around this but preventing the hobby hacker from right clicking can really help cut down bad users.

AskApache Password Protect https://www.ads-software.com/plugins/askapache-password-protect/ This guy just knows his stuff, definitely should check out his blog and this plugin. Almost stopped all attacks on the website.

404 Redirected https://www.ads-software.com/plugins/404-redirected/ You have all these great logs on bad 404’s how about giving us options to act on them like this plugin for instance (no i don’t have an admin.php file how about a redirect to 127.0.0.1).

Can you have an option that we can choose which admin can see and use your plugin like Advanced Access Manager https://www.ads-software.com/plugins/advanced-access-manager/ This way if you have other admin users, they never see or know that this plugin is running (use full in the case where you have a customer that want’s admin access but you don’t want them messing around in here.

ByREV WP-PICShield https://www.ads-software.com/plugins/byrev-wp-picshield-hotlink-defence/ Someone suggested hotlinking, blocking all hotlinking isn’t always the best, one of my users has a portfolio, and a lot of traffic comes from google images, however google is really bad at hotlinking, this plugin has been great, when someone trys to download the original image from google images, that get a cached hotlinking is banned image instead and have the option to come to the site to view it and using in combination with right click the onlyway they can get the image is with printscreen, this has helped boost stolen traffic back to the site.

How about including a good password generator in the top admin bar, so that when a user wants to update their insecure password they can generate a really strong one and insert it into their user. Also your enforce strong passwords doesn’t seem to work on woo-commerce users like customer shop manager.

Also an area to change the admin username (existing strong username) to something that is not a standard wordpress allowed username (for users that dont know about editing their php). Did you know that although wordpress and 1 click script installers prevent you from using !@#$%^&* in your username, you can go into php myadmin and overwrite your username with a more secure one including these symbols and longer length usernames and passwords, and wordpress will then load and use the more secure username.

I know you have some spam blocking in the htacess file but you may want to have a look at Ban Hammer https://www.ads-software.com/plugins/ban-hammer/ block specific email types from registering like @mail.ru etc,
and Clobber spam users https://www.ads-software.com/plugins/clobber-spam-users/
and Stop Spammers https://www.ads-software.com/plugins/stop-spammer-registrations-plugin/

For woo-commerce integration how about a separate filter, long query string, I want the protection from sql injection, but i also want to recieve my paypal ipn notifications, currently have to disable to get it to work.

You include a file change detection how about including a scanner for the changes Anti Virus https://www.ads-software.com/plugins/antivirus/ Although i know when i do a plugin update that i have changed the files, that doesn’t mean the files are not safe. Let us scan them and revert them if needed.

Phew got it all out, I don’t think ill have any more requests if you put some of these features in.