• Hi everyone,

    Thank you all for the support of this plugin! I am working hard on the next major release which I hope to have out by WordCamp Miami in early April. So far I have the following on the feature list:

    * Import-export function
    * Better division of basic/advanced options
    * Two-factor auth
    * Admin action logging
    * Improved documentation and commenting
    * Improved performance of existing features
    * A new way of providing support

    As for the latter, it’s no secret that I haven’t been monitoring these forums often and, frankly, I do not plan to change that in the future. What I will be moving to will be a paid support option similar to the models in place by W3 Total Cache and other plugins. In this scenario the forums themselves will continue to function as a community supported knowledge base with this single suggestions thread monitored by me.

    In addition, if anyone would like to contribute features, code, etc., I am in particular need of IIS compatibility as I don’t have the experience with IIS to add it myself. I’ve moved development of the project to GitHub at https://github.com/ChrisWiegman/Better-WP-Security and will gladly include any provided patches or additions while providing proper recognition to those who contribute.

    Finally, please keep your comments in this thread to suggestions only. If you are stuck, search the forums, look at the FAQ, or get in touch with me outside of the forums. I’ve been hard at work providing free support to anyone who asks and I do not plan on changing that model until 4.0 comes out.

    Sincerely,
    Chris Wiegman
    Developer
    Better WP Security

    https://www.ads-software.com/extend/plugins/better-wp-security/

Viewing 15 replies - 61 through 75 (of 81 total)
  • First off, great plugin!

    A simple enhancement request for the ‘Hide backend’ feature:

    Could there be an option or a filter for the 404 rewrite? Yesterday, one of our sites got to taste a botnet brute-force attack. Login limits didn’t really help since the IP changed constantly. I then remembered the hide feature and managed to activate it, which resulted in a bunch of 404’s for a while instead. This is better of course, but it still fires up a new WP instance every time, hogging resources.

    Currently, the rule looks something like RewriteRule ^.*wp-admin/?|^.*wp-login\.php /wp-test/not_found [R,L]. Being able to throw a forbidden instead, RewriteRule ^.*wp-admin/?|^.*wp-login\.php - [F,L], would be great.

    First, thanks for the great plugin!

    I got locked out by enabling File Change Detection. It seems that perhaps this is a problem with low-memory shared hosting sites. (Actually, my site’s limit is 256M, so I don’t know if that is the actual problem.) I finally got back into my site by reading this thread and hacking into the database: https://www.ads-software.com/support/topic/how-to-disable-file-change-with-better-security-configuration-file?replies=10#post-4612036

    My suggestion is this:

    • Do not mark “14. Your installation is not actively looking for changed files.” as a red item in the Dashboard. It should be blue, since it is a dangerous option for many site configurations.
    • In the “File Change Detection” section, please post a prominent warning that this option could lock out some sites.
    • If possible, try to figure out what it is that causes some sites to lock out. I can give you my site’s system information, if necessary.

    Thanks again for the great plugin!

    ochado

    I had this problem when I first used BWPS. I found that it was a problem with using cheap shared hosting services; try looking for a better host. Or alternatively use a service like securi.net to scan your files.

    This function has actually saved a lot of time when a site is hacked. If you set it up to send an email to you, preferably one that shows up on your phone, you can then respond immediately. It gives you a report of changed files, added files and deleted files. You can set up a white list of files that you update all the time, like backups, cache folder, wp-contents, but it tells you down to the exact file that was changed, saving days of hours trying to figure out what the hacker actually changed. If you don’t know, then the other process of comparing your hosting logs can take forever, and it’s quicker to rebuild your site from a backup, but they could get in again because you don’t know which file was the compromise. I enforce all my clients onto a hosting service that can handle this function, as it makes my job a whole lot easier.

    For Nginx compatibility in relation to identifying the correct IP for 404 errors and login lockouts, we suggest inc/class-bit51-bwps-utilities.php rows 136-149 be further modified to look for the X-Real-Ip header, then the X-Forwarded-For header, then the REMOTE_ADDR.

    It would be great if you would patch the 3.5.6 version for this and push to 3.5.7. For now, we replaced all instances of X-Forwarded-For in the inc/secure.php file with X-Real-Ip (rows 483-496) to resolve our issue. PHP is not our strength (but we’re working on it and nested if statements are something we still screw up), so we’re not going to push a patch to you but will be happy to test one.

    Re: LanauzeDesigns.com comment, it may not be a memory problem at all. If your site has a lot of plugins, themes and media, the file change data sent to MySQL may exceed the default 1MB packet size. If you have access to your error logs, look for a message like “WordPress database error MySQL server has gone away for query INSERT INTO wp_t2uqew_options” or “WordPress database error MySQL server has gone away for query INSERT INTO wp_t2uqew_bwps_log”. That’s a likely indicator of a packet size limit that needs to be increased. More info at https://www.vbulletin.com/forum/forum/vbulletin-legacy-versions-products/legacy-vbulletin-versions/vbulletin-2-how-do-i-and-troubleshooting/44661-mysql-server-gone-away-error-explained. For VPS and dedicated server hosting you can likely make a change. For shared hosting, it doesn’t hurt to ask.
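    As an added example (not plugin code, and not the poster’s patch), this is how the header order suggested above can be implemented so that X-Real-IP and X-Forwarded-For are only trusted when the request actually arrives from your own Nginx proxy; the proxy address and the sample requests are constructed for illustration.

```php
<?php
// Added example: resolve the client IP behind a reverse proxy in the order
// X-Real-IP, then X-Forwarded-For, then REMOTE_ADDR. Forwarding headers are
// honoured only when REMOTE_ADDR is a trusted proxy, because any client can
// send these headers itself and would otherwise dodge lockouts and 404 logging.

/**
 * @param array    $server         Copy of $_SERVER (or a constructed array).
 * @param string[] $trustedProxies Addresses of your Nginx hosts (assumed values).
 */
function bwps_example_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Not from a trusted proxy: the TCP peer address is the only reliable value.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // X-Real-IP carries a single address (nginx: proxy_set_header X-Real-IP $remote_addr).
    if (!empty($server['HTTP_X_REAL_IP'])) {
        $real = trim($server['HTTP_X_REAL_IP']);
        if (filter_var($real, FILTER_VALIDATE_IP) !== false) {
            return $real;
        }
    }

    // X-Forwarded-For is "client, proxy1, proxy2": walk from the right, skip
    // our own proxies, and take the first address that is not under our control.
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($chain) - 1; $i >= 0; $i--) {
            if (filter_var($chain[$i], FILTER_VALIDATE_IP) === false) {
                break; // malformed entry: stop trusting the rest of the chain
            }
            if (!in_array($chain[$i], $trustedProxies, true)) {
                return $chain[$i];
            }
        }
    }

    return $remote;
}

// Constructed sample requests: one via the proxy, one direct with a forged header.
$proxies  = ['10.0.0.5'];
$viaNginx = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_REAL_IP' => '203.0.113.7'];
$direct   = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'];
echo bwps_example_client_ip($viaNginx, $proxies), "\n";
echo bwps_example_client_ip($direct, $proxies), "\n";
```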

    Hi

    please add an adjustable “not_found” redirect so they cannot discover it is Better WP Security running, as the redirect to “not_found” makes it pretty obvious which plugin is doing this.

    Thank you

    Hi

    please add a correct redirect for login when mapped domains are used in WPMS. You can check if the domain mapping plugin is running when sunrise.php is available.

    I had to change your code to

    RewriteCond %{HTTP_REFERER} !^(.*)*/wp-admin
    RewriteCond %{HTTP_REFERER} !^(.*)*/wp-login\.php
    RewriteCond %{HTTP_REFERER} !^(.*)*/my-hidden-login
    RewriteCond %{HTTP_REFERER} !^(.*)*/my-hidden-admin
    RewriteCond %{HTTP_REFERER} !^(.*)*/my-hidden-register-new-user

    to make it work on the mapped subdomains.

    thank you !

    Can you please remove the logged login attempts the moment somebody’s IP gets blacklisted? This way the database stays clear.

    So once somebody is blacklisted we don’t need the login attempts anymore. Or at least create an option to do so.

    Thanks

    +one on BackuPs login redirect change for htaccess. We’ve just been tolerating the not_found page and getting back to admin area via the admin bar. Unless there is some issue we’re missing, maybe make that change for all installs so a conditional doesn’t need to be added?

    After testing BackuPs login redirect change for htaccess, we need to retract our +1. We got locked out of our WPMS test site admin area with remote login and admin redirect on and off. We resolved our not_found issue as follows:

    RewriteCond %{HTTP_REFERER} !^(.*)site1.tld/wp-admin
    RewriteCond %{HTTP_REFERER} !^(.*)site1.tld/wp-login\.php
    RewriteCond %{HTTP_REFERER} !^(.*)site1.tld/my-hidden-login
    RewriteCond %{HTTP_REFERER} !^(.*)site1.tld/my-hidden-admin
    RewriteCond %{HTTP_REFERER} !^(.*)site1.tld/my-hidden-register-new-user
    RewriteCond %{HTTP_REFERER} !^(.*)site2.tld/wp-admin
    RewriteCond %{HTTP_REFERER} !^(.*)site2.tld/wp-login\.php
    RewriteCond %{HTTP_REFERER} !^(.*)site2.tld/my-hidden-login
    RewriteCond %{HTTP_REFERER} !^(.*)site2.tld/my-hidden-admin
    RewriteCond %{HTTP_REFERER} !^(.*)site2.tld/my-hidden-register-new-user
    etcetera

    While this could mean a lengthy htaccess for large wpms installs, perhaps the domains data should be referenced?
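    As an added example (not the plugin’s or the poster’s code), the per-domain conditions above can be generated from the mapped-domain list rather than maintained by hand; the domain list here is constructed, and the hidden slugs are the placeholders used in this thread. It also escapes and anchors each host, so a referer such as site1xtld or evil-site1.tld no longer matches.

```php
<?php
// Added example: build the RewriteCond block for every mapped domain from data,
// instead of hand-editing .htaccess for each domain in a WPMS install.

/**
 * @param string[] $domains Mapped domains (assumed to come from the domain-mapping table).
 * @param string[] $paths   Back-end paths whose referers must not be redirected.
 * @return string  Apache mod_rewrite conditions, one per domain/path pair.
 */
function bwps_example_referer_conditions(array $domains, array $paths): string
{
    $lines = [];
    foreach ($domains as $domain) {
        // preg_quote escapes the '.' so site1.tld does not also match site1xtld;
        // anchoring on scheme and host keeps evil-site1.tld from matching as well.
        $host = preg_quote(strtolower(trim($domain)), '/');
        foreach ($paths as $path) {
            $lines[] = sprintf(
                'RewriteCond %%{HTTP_REFERER} !^https?://(www\.)?%s/%s',
                $host,
                preg_quote(ltrim($path, '/'), '/')
            );
        }
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample input mirroring the rules posted above.
$domains = ['site1.tld', 'site2.tld'];
$paths   = ['wp-admin', 'wp-login.php', 'my-hidden-login', 'my-hidden-admin', 'my-hidden-register-new-user'];
echo bwps_example_referer_conditions($domains, $paths);
```

    The output is meant to be pasted into the same position the plugin writes its own RewriteCond lines; regenerate it whenever a domain is added or removed.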

    Most awkward, it works here without any issues. I also had the very lengthy htaccess and could resolve it this way. But maybe it’s because we also have a custom.php in the mu-plugins folder with this code

    <?php
    remove_action( 'template_redirect', 'maybe_redirect_404' );
    ?>

    btw we also have hidden the original subdomain path in the mapped domain. So only the mapped domain is visible and acts like the root domain.

    As for the not_found, I changed it to 404 because I don’t like the not_found in the URL.

    I am having an issue with banned IP addresses still hitting my site multiple times a day. I once banned myself (just before the WordPress 3.6 update) and got a blank page with one line of error text (now resolved). Since the update banned users get a 403 error associated with hostgator – my host provider – but these IP addresses are still hitting my site multiple times a day. I have more than 5000 404 errors showing in the logs (I haven’t even launched the site yet). It appears to be the same 40 to 50 or so IP addresses showing up daily and the logs look really messy.

    How can the IP addresses that I have banned stop showing up in the 404 log page so I can clearly see what new IP addresses are hitting the site?
    Thank you

    wp-login.php and same for register, etc – are not hidden by the plugin.

    Also, VERY IMPORTANT!!!!!!!!!

    When, oh when are you going to implement full NGINX support or at least document how to translate ALL of the rules which are possible with .htaccess to nginx config?

    You have been saying the plugin is compatible with NGINX for ages and have not even once contributed any how-to about it! Shame on you!

    Hi,
    I want to point out some little issues on some installations.
    If I change the wp-content folder to something different, on some WP installations there is an issue during media uploading.

    The solution:
    – on wp-config.php you need to add define( 'CONTENTDIR', … ) with the same value as “WP_CONTENT_DIR”…
    – on wp-config.php you need to add define( 'UPLOADS', 'name_of_folder_for_wp_content/' . 'uploads' );

    Another issue: I have an installation on https://www.domain.com/otherstuff/demotest/ … but it’s strange, when I want to logout I go to https://www.domain.com/otherstuff/… In fact, on .htaccess I don’t have the path for
    $_SERVER[…]/domain.con/otherstuff/demotest/logout (for example)

    but

    $_SERVER[…]/domain.con/otherstuff/logout

    I have applied editings by hand, but every time I make a change on this plugin, I need to add the last folder on paths.

    thank you

    typo in Database Backup:

    “This is because there is too much sensative information in the backup files and you do not want anyone just stumbling upon them.”

    sensative should be sensitive

    White list IPs banded with administrator logins would be a nice thing to have.

  • The topic ‘Suggestions and BWPS 4.0’ is closed to new replies.