batteriesInc
Forum Replies Created
Just a question: is there an option for making it immediately part of the backend login window so that it immediately demands UID, password and 2FA (with 2FA left blank if not yet set up)? It seems to cut down on attempted dictionary attacks.
As a matter of fact, this could be useful for the front end as well so maybe a switchable option for each individually?
Forum: Plugins
In reply to: [Disable All WordPress Updates] Command line control for automation?
You are a legend! Thank you, that may just do the trick :).
It would be cool if there was a switch to SUSPEND the plugin which would re-apply the settings but pick up current site data as setting it up takes quite some time and I appreciate not having a login at /wp-admin from the moment the site is live.
I guess at present the “Settings – Copy/Paste import” feature is the only way to achieve that quickly.
That said, the restored site worked immediately the moment the .htaccess adjustment was made, so I think I’ll keep this approach for now.
Anyway, case closed.
Almost forgot.
Issue resolved and now marked as such to help your statistics, thank you.
Hi, yes, that appears to cover it, but it does highlight another possible feature request: a possibility to choose the blacklist to be placed in .htaccess instead of it being handled in PHP.
There are arguments for either, so it would be good if the user had the choice.
Thanks for the exceptionally quick response!
Forum: Fixing WordPress
In reply to: Not Receiving New Admin Email Confirmation
No, scratch that – it’s resolved. My apologies.
Note to self: more coffee first.
Forum: Fixing WordPress
In reply to: Not Receiving New Admin Email Confirmation
Could I observe, however, that the actual core issue does not appear to have been resolved? It would be helpful if there was a way to manually trigger that specific confirmation email, or even re-trigger if nothing has been received (with a nice, shiny button next to the email address which could disappear once the confirmation has been received, for example).
Hi Sergio,
Thanks for the quick reply :).
1 – the review is well earned, and I’m happy to repeat that wherever you want it posted. The “other” WP Piwik implementation gives you a stats panel right in WP but its setup is thus as a consequence more involved (it needs an API Authentication Token for each individual website). Yours could only be simpler if you leave the protocol (http/https) attached to the URL :).
2 – yes, correct, that’s the piwik.php proxy script I was thinking of, but it needs all sorts of API token shenanigans to work so maybe you could find a simpler but still safe approach for that too.
As for needing time: hey, it’s holiday season! Relax, and enjoy the sun.
And thanks for writing this plugin!
Cheers, Binc
Forum: Themes and Templates
In reply to: [Twenty Seventeen] Where is the real 404.php template
Thanks too – learned something new.
Forum: Themes and Templates
In reply to: [Twenty Seventeen] Where is the real 404.php template
You may be seeing the 404 of the underlying Apache server where it pulls up its own 404 page instead of even triggering WordPress to generate a page – it never gets that far, let alone trigger the 404.php. I tend to get those if I have a URL structure that uses a “?page_id=” format.
Try adding a statement like “ErrorDocument 404 /?page_id=999999” to your .htaccess file (if you use All In One WordPress Security, go to the “Firewall” tab and drop it in the window under “Custom Rules” and tick the box). If you use a different URL format leave out the question mark.
This will make Apache ask WordPress for the error page, and by giving a number that doesn’t exist you’ll trigger the WP’s 404.php instead of that of the server underneath.
Actually, I know of that one, and no, AFAIK it’s opt-out. But, crucially, this is not a secret, hidden-in-the-depths-of-code data collection that you (a) first have to discover and (b) have to hunt the Net for to find ways to disable, you get a heads up on this on installation which includes instructions on how to disable it, and that is very simple indeed.
Opt-out rather than opt-in is compliant with most privacy laws on non-sensitive data. You could get pedantic about the requirement for the choice to be explicit rather than implicit, but in the overall context I think you’d be splitting hairs.
That said, I’m still going to take a look at it with Wireshark and EtherApe (or Visual Sniff, a cut down version on macOS – depends how much time I have next week).
Anyway, thanks for the help, I appreciate it.
Cheers, bInc
OK, that archived post was interesting, because that saves me a whole bucketload of work for another project (I was planning to check for leakage already). One of the early decisions in that project was that themes with Google fonts should be rejected, which meant custom design as there isn’t a template out in WP land that doesn’t rely on them.
Given the current developments on privacy in Europe, this establishes the use of WordPress as problematic for personal users, possibly rather soon. Privacy Shield is up for review in September, and the way things are going I can’t see that being renewed without some significant pain for US based organisations.
I’m surprised that WordPress (et al) see data as something that users shouldn’t have a choice about. There should have been at least some explicit statement that “data x, y, z is collected from your site, adjust settings a, b, and c if you do not want this”. The privacy statement at www.ads-software.com is on examination also not exactly encouraging.
Sigh. Anyway, thank you VERY much for answering so quickly. I guess I better get hold of a Joomla stack for the other project and start checking that for what it leaks. If that checks out I may replace other sites I have as well, just in case September gets ugly (or later, I suspect there will be a considerable amount of debate as this directly impacts some $14bn worth of income for US service providers). It’s a lot more work, but on the other hand it’s more flexible too so it’s not a complete loss, and I can then claim GDPR compliance before it’s even officially live :).
- This reply was modified 7 years, 7 months ago by batteriesInc.
OK, let me get this straight – this seems to suggest this theme is hitting the Net every single time it is displayed because it happens to be running a non-English language. Really?
Or is it somehow uploaded to the site on first site language selection and stored there somewhere (in which case, where)?
In either case, the question remains which code actually does this because I have not been able to find it yet. I am going to take a break and continue this tomorrow. If this isn’t solved I guess it’s time to install a bitnami stack and run a test site with wireshark online and watch what actual traffic leaves the site for a third party.
Thanks for the replies!
- This reply was modified 7 years, 7 months ago by batteriesInc.
Thanks, but this is exactly where I get confused: in site-info.php, the English seems to be hardcoded as pure static information. There is no function called, it’s a straight output in English.
So where does the Dutch come from? Somewhere in the site database? I see no code pulling in that data. I may have to do this with Wireshark online, just to see what actually happens.
Forum: Plugins
In reply to: [All-In-One Security (AIOS) – Security and Firewall] Constant login attempts
I’d start with changing the admin URL and then NOT publishing it online somewhere. You’ll still get the 404s of people trying the regular wp-login but you can ignore those. Personally I wouldn’t worry too much about the blocked ones (they merely prove the protection works) but I’d change the admin URL to something else that nobody knows and see what happens. If you get a lot of hits on your “old” admin URL it means someone has leaked it.
I’d also see just how well protected your files are – I’m no .htaccess expert but blocking file and directory reads strike me as a minimum precaution – maybe you have a conflict there. If someone can read your AIOWPS settings, changing the admin URL is going to be mildly pointless.
Apologies if you already know this – it’s more what I would do as a moderately competent amateur :).