livingflame
Forum Replies Created
Forum: Plugins
In reply to: [All-In-One Security (AIOS) – Security and Firewall] More Security
Hi @mbrsolution
I know that you have a lot of work, but please, if you can, add:
– History of visits by IP (with flag). Yes, WordFence has this, but WF and AIOWSF together do not work well.
Yes, your plugin has Login Records, and that's okay, but it does not have a history of visits.
– Better file scanner
– Malware scanner connected to Sucuri, for example
– More DDoS protection
– Better firewall
– Google reCAPTCHA
– More security for BuddyPress and bbPress (please remember the problem with the AIO captcha and BP login).
It works, but it takes a few minutes to run.
Refresh your browser. Clear the cache.
Forum: Plugins
In reply to: [All-In-One Security (AIOS) – Security and Firewall] Admin IP Locked Out!
If your IP is in a white list, go to your /public_html (using FileZilla), open .htaccess and replace your old IP address with the new one. I do that because my IP is not static.
Secret URL revealed after Max Login Attempts
For example: https://www.yoursite.com/yourcustom wp login: monkey
When a user fails, this secret URL is revealed. I think that is a problem :/
So please, configure your plugin to NOT show this secret login URL.
Another thing, this message is very short:
ERROR: Access from your IP address has been blocked for security reasons. Please contact the administrator.
Maybe:
ERROR: Access from your IP address has been blocked for 30 minutes for security reasons. Please contact the administrator at: [email protected]
(Here the admin can put whatever email he or she wants. Login Options / Email… you know)
Okay @mbrsolution, but you need to expand the options!
BuddyPress is growing fast!
Maybe you can check this code: www.ads-software.com/plugins/wp-recaptcha-bp/
But I don't want more and more plugins; I prefer that your All In One has this.
>>> Remember: wp-admin, captcha does not work in comments, etc.
FULL HEADERS:

    # Protect Headers
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    # "set", not "append": appending to an existing X-Frame-Options produces
    # "SAMEORIGIN, SAMEORIGIN", which browsers ignore
    Header always set X-Frame-Options SAMEORIGIN
    # Content-Security-Policy. The prefixed X-Content-Security-Policy header and
    # its "allow 'self'" syntax are obsolete; only this form is honoured today.
    Header set Content-Security-Policy "default-src 'self';"

OTHER CODE:

    # Tell the browser to attempt the HTTPS version first.
    # Send HSTS only on HTTPS responses (mod_ssl sets the HTTPS env var; behind a
    # TLS-terminating proxy it is not set) and use "set" to avoid duplicates.
    Header always set Strict-Transport-Security "max-age=157680000" env=HTTPS
    # Disable server signature. These are Apache directives, not response headers:
    # "Header set ServerSignature Off" only adds a useless header to every response.
    ServerSignature Off
    # ServerTokens Prod   <- server config (httpd.conf) only; not allowed in .htaccess
    # Control Cross-Domain Policies
    Header set X-Permitted-Cross-Domain-Policies "master-only"
Sharing code. See Headers, SQL, WP Includes, WP Admin and Uploads. If you want, you can add these in your next update.
Protect wp-admin directory, .htaccess in wp-admin:

    # First protect this htaccess
    <Files .htaccess>
        Order Allow,Deny
        Deny from all
    </Files>
    # Static assets and admin-ajax.php must stay reachable from the front end for
    # visitors outside the allowed IP; "Satisfy Any" exempts them from the IP rule
    <FilesMatch "\.(css|js|jpg|jpeg|gif|png)$">
        Order Allow,Deny
        Allow from all
        Satisfy Any
    </FilesMatch>
    <Files admin-ajax.php>
        Order Allow,Deny
        Allow from all
        Satisfy Any
    </Files>
    # Protect wp-admin by IP address (replace 00.0.00.00 with your own IP).
    # Order/Allow/Deny are Apache 2.2 directives; Apache 2.4 needs mod_access_compat.
    Order Deny,Allow
    Allow from 00.0.00.00
    Deny from all
Protect uploads with this, .htaccess in uploads directory:

    # First protect this htaccess
    <Files .htaccess>
        Order Allow,Deny
        Deny from all
    </Files>
    # Secure uploads directory: deny every file that has an extension (so an
    # uploaded .php/.phtml/.html file is never served), then allow only the
    # media types listed below. The later FilesMatch wins for those extensions.
    <Files ~ ".*\..*">
        Order Allow,Deny
        Deny from all
    </Files>
    # (?i) makes the match case-insensitive, so photo.JPG is served too
    <FilesMatch "(?i)\.(jpg|jpeg|jpe|gif|png|pdf|mp4|mpeg|mp3)$">
        Order Deny,Allow
        Allow from all
    </FilesMatch>

This code for uploads is useful if you are using BuddyPress or bbPress + rtMedia (or whatever media uploader for users).
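An added check for the header list above (example code written for this page, not code from the post or from the AIOS plugin): it parses a raw HTTP response and reports what the .htaccess as originally posted would leave behind, such as a duplicated X-Frame-Options from `Header append`, the obsolete X-Content-Security-Policy name, and `ServerSignature`/`ServerTokens` emitted as response headers instead of applied as Apache directives. Both sample responses are constructed for the example, and the one-year minimum for the HSTS max-age is the example's own threshold.

```python
# Added example for this page; not code from the forum reply or the AIOS plugin.
# Sample responses below are constructed, not captured from a real site.
from __future__ import annotations

import re

# Pre-standard CSP header names: modern browsers ignore them, and the
# "allow 'self'" syntax never made it into the standard (use default-src).
OBSOLETE_CSP_NAMES = ("x-content-security-policy", "x-webkit-csp")
# Apache directives that do nothing as response headers: "Header set
# ServerSignature Off" leaks a pointless header instead of hardening the server.
DIRECTIVES_NOT_HEADERS = ("serversignature", "servertokens")
ONE_YEAR = 31536000  # minimum HSTS max-age this example accepts (assumption)


def parse_raw_headers(raw: str) -> dict[str, list[str]]:
    """Parse the status line + header block of a raw HTTP response into
    lower-cased name -> list of values. Duplicates are kept on purpose."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines()[1:]:  # [0] is the status line
        if not line.strip():
            break  # blank line ends the header block; the body follows
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a junk line rather than abort the audit
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_max_age(value: str) -> int | None:
    """Extract max-age from a Strict-Transport-Security value, or None."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_headers(headers: dict[str, list[str]], https: bool = True) -> list[str]:
    """Return a list of findings; an empty list means the checklist passes."""
    findings: list[str] = []
    # 1. HSTS: exactly one header, long max-age, and only over HTTPS
    hsts = headers.get("strict-transport-security", [])
    if https:
        if not hsts:
            findings.append("missing Strict-Transport-Security")
        elif len(hsts) > 1:
            findings.append("duplicate Strict-Transport-Security (use 'Header set', not 'add')")
        elif (hsts_max_age(hsts[0]) or 0) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
    elif hsts:
        findings.append("Strict-Transport-Security sent over plain HTTP (browsers ignore it)")
    # 2. X-Frame-Options: one DENY/SAMEORIGIN value. "Header append" onto an
    #    existing header yields "SAMEORIGIN, SAMEORIGIN", which browsers reject.
    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings.append("missing X-Frame-Options")
    elif len(xfo) > 1 or "," in xfo[0]:
        findings.append("X-Frame-Options has multiple values (Header append) and will be ignored")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"unsupported X-Frame-Options value {xfo[0]!r}")
    # 3. MIME sniffing
    if "nosniff" not in " ".join(headers.get("x-content-type-options", [])).lower():
        findings.append("missing X-Content-Type-Options: nosniff")
    # 4. CSP: the standard header name is required; obsolete names do not count
    for old in OBSOLETE_CSP_NAMES:
        if old in headers:
            findings.append(f"obsolete {old} header; use Content-Security-Policy")
    if "content-security-policy" not in headers:
        findings.append("missing Content-Security-Policy")
    # 5. Apache directives sent as headers, and version strings in Server/X-Powered-By
    for directive in DIRECTIVES_NOT_HEADERS:
        if directive in headers:
            findings.append(f"'{directive}' sent as a response header; it is an Apache "
                            "directive and belongs in the server config")
    for leak in ("server", "x-powered-by"):
        for value in headers.get(leak, []):
            if re.search(r"\d+\.\d+", value):  # looks like a version number
                findings.append(f"{leak} header leaks a version: {value!r}")
    return findings


# Constructed sample: what the .htaccess as originally posted produces on a site
# that already sent X-Frame-Options once (hence the appended duplicate).
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK", "Server: Apache/2.4.41 (Ubuntu)", "X-Powered-By: PHP/7.4.3",
    "X-XSS-Protection: 1; mode=block", "X-Content-Type-Options: nosniff",
    "X-Frame-Options: SAMEORIGIN, SAMEORIGIN", "X-Content-Security-Policy: allow 'self';",
    "ServerSignature: Off", "ServerTokens: Prod",
    "Strict-Transport-Security: max-age=157680000",
    "Content-Type: text/html; charset=UTF-8", "", "<html><body>...</body></html>",
])
# Constructed sample: the corrected configuration.
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK", "Server: Apache", "Strict-Transport-Security: max-age=157680000",
    "X-Frame-Options: SAMEORIGIN", "X-Content-Type-Options: nosniff",
    "Content-Security-Policy: default-src 'self'",
    "Content-Type: text/html; charset=UTF-8", "", "<html><body>...</body></html>",
])

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_headers(parse_raw_headers(raw)) or ["no findings"]:
            print(" -", finding)
```

To use it against a live site, feed `parse_raw_headers` the output of `curl -si https://your-site/` and pass `https=False` when you fetched over plain HTTP, where HSTS is ignored anyway.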
Hi again, there is a little problem with the captcha: if you activate it, OK, it works once, then not again. I don't know why! And for BuddyPress it does not work. Please check!
Suggestion: for the custom captcha, add Google reCAPTCHA.
Could you add a field for the Google reCAPTCHA API keys, if it is active?
    # Protect wp-includes directory
    # Block the include-only files.
    # Put this block BEFORE the "# BEGIN WordPress" rules in the root .htaccess.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Path not under wp-includes/? Skip the next three rules
    RewriteRule !^wp-includes/ - [S=3]
    # Top-level wp-includes/*.php only (on multisite this also blocks ms-files.php)
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    # Prevent SQL injections
    # (the conditions match a <script> tag and GLOBALS/_REQUEST variable
    # overrides in the raw, undecoded query string; a match returns 403)
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
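An added example for the two rule sets above (written for this page; not code from the post or from the AIOS plugin): it re-implements the RewriteCond/RewriteRule logic in Python so you can see which requests would get a 403 before deploying the rules. Apache matches `%{QUERY_STRING}` raw, not URL-decoded, which is why the patterns spell out `%3C`/`%3E` themselves; the `[S=3]` flag is mirrored by skipping the three wp-includes rules for any path outside `wp-includes/`. All request samples are constructed, and the list mixes script tags, `GLOBALS`/`_REQUEST` overrides and classic SQL injection strings so the output shows what each condition actually matches.

```python
# Added example for this page (not code from the post or the AIOS plugin).
# Request samples are constructed.
from __future__ import annotations

import re

# The three query-string conditions, joined with [OR] in the .htaccess.
# Apache matches the raw query string, so %3C/%3E appear in the patterns.
# [NC] (case-insensitive) applies only to the first condition.
QUERY_RULES = [
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST override", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def query_blocked(query_string: str) -> str | None:
    """Name of the first matching condition (request gets 403), or None."""
    for name, rx in QUERY_RULES:
        if rx.search(query_string):
            return name
    return None


# The wp-includes rules. Paths are relative to RewriteBase /, so no leading "/".
ADMIN_INCLUDES = re.compile(r"^wp-admin/includes/")
INCLUDES_RULES = [
    re.compile(r"^wp-includes/[^/]+\.php$"),  # top-level .php files only
    re.compile(r"^wp-includes/js/tinymce/langs/.+\.php"),
    re.compile(r"^wp-includes/theme-compat/"),
]


def path_blocked(path: str) -> bool:
    """True when the path rules would answer 403. Mirrors [S=3]: a path
    outside wp-includes/ skips the three wp-includes rules entirely."""
    if ADMIN_INCLUDES.search(path):
        return True
    if not path.startswith("wp-includes/"):
        return False
    return any(rx.search(path) for rx in INCLUDES_RULES)


def decide(path: str, query: str) -> str:
    """Combine both rule sets the way Apache would: any match is a 403."""
    if path_blocked(path):
        return "403 (wp-includes rule)"
    reason = query_blocked(query)
    return f"403 ({reason})" if reason else "200 (passes)"


# Constructed requests: (path, query string)
SAMPLES = [
    ("index.php", "s=<script>alert(1)</script>"),
    ("index.php", "s=%3cScRiPt%3ealert(1)%3c/script%3e"),
    ("index.php", "GLOBALS[wpdb]=x"),
    ("index.php", "_REQUEST%5Bfoo%5D=1"),
    ("index.php", "p=1' OR '1'='1"),                          # no < or "script"
    ("index.php", "p=1 UNION SELECT user_pass FROM wp_users"),  # likewise
    ("index.php", "s=<img src=x onerror=alert(1)>"),          # no "script"
    ("wp-includes/version.php", ""),
    ("wp-includes/js/tinymce/wp-tinymce.php", ""),            # nested: not matched
    ("wp-includes/js/tinymce/langs/en.php", ""),
    ("wp-admin/includes/file.php", ""),
    ("wp-content/plugins/example/example.php", ""),
]

if __name__ == "__main__":
    for path, query in SAMPLES:
        shown = f"/{path}?{query}" if query else f"/{path}"
        print(f"{shown:55} -> {decide(path, query)}")
```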
One more thing… About the firewall.
I don't know why, but https://www.wpdoctor.es does not detect this firewall as a valid WAF. The WAF section appears in red. Please try this wpdoctor scanner.
Hi there. Well, for now this:
display_errors = Off
is working.
You know, full path disclosure is a WP vulnerability.
About WordFence… okay… But I prefer one plugin; for now, yours.
Please add Google reCAPTCHA for Login, Register and any other form. Your native captcha does not work well on a site with BuddyPress.
About the file scanner, update it! Maybe like WordFence…
Login attempt list: if you can, put flags. For example: IP address from Spain, etc.
Rename wp-admin, like wp-login.
Include this (.htaccess):

    # Protect Headers
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    # "set", not "append": appending to an existing header gives a duplicated value
    Header always set X-Frame-Options SAMEORIGIN

And some protection against SQL injections.
That is all for now. If I see any errors, I will write to you! Good luck!
Okay!
But what about the other PHP files of plugins and themes? Full path disclosure is very widespread… Can I use WordFence and AIOWSF together? I tried, but I get an error. No login.
But maybe you can update the AIOWSF scanner next time.
An off-topic question: how does the AIO scan work? I've tried the WordFence scanner; it's interesting, it even shows if a file has been changed.
I get it. That’s why I said: It’s a solution, but I do not think it’s the best.
So far it has worked for me. The site works normally.
And many plugins and themes have this problem of showing the full path, including yours. If a hacker knows that… you know…
I hope you can find a better solution.
display_errors = Off works for all PHP full path disclosure.
But, for now, I don’t know if this solution is the best.
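An added example for the full path disclosure discussed in the replies above (written for this page; not code from the posts or from the AIOS plugin): a small scanner that looks through HTTP response bodies for PHP error lines of the form "... in /absolute/path/file.php on line N", which is what requesting a plugin or theme file directly prints while display_errors is on, and derives the document root from any WordPress path it finds. The response bodies, URLs and the /home/example/public_html path are constructed for the example; only Unix-style paths are handled.

```python
# Added example for this page (not code from the posts or the AIOS plugin).
# Response bodies below are constructed, not captured from a real site.
from __future__ import annotations

import re

# PHP's display_errors output, with html_errors on ("<b>Fatal error</b>: ...")
# or off ("Fatal error: ..."), ends with "in <absolute path> on line <n>".
PHP_ERROR = re.compile(
    r"(?:<b>)?(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated)(?:</b>)?:\s*"
    r"(?P<msg>.*?)\s+in\s+(?:<b>)?(?P<path>/[^\s<>]+?\.php)(?:</b>)?"
    r"\s+on line\s+(?:<b>)?(?P<line>\d+)",
    re.DOTALL,
)
# The document root is everything before the first wp-content/wp-includes/wp-admin.
WP_ROOT = re.compile(r"^(.*?/)(?:wp-content|wp-includes|wp-admin)/")


def find_path_disclosures(body: str) -> list[dict]:
    """Every PHP error in the body that leaks an absolute .php path."""
    return [
        {"level": m.group("level"), "path": m.group("path"), "line": int(m.group("line"))}
        for m in PHP_ERROR.finditer(body)
    ]


def webroot_from_path(path: str) -> str | None:
    """Recover the document root from a leaked WordPress file path."""
    m = WP_ROOT.match(path)
    return m.group(1) if m else None


def scan_responses(responses: dict[str, str]) -> dict[str, list[str]]:
    """URL -> sorted list of leaked paths, for every response that discloses one."""
    report: dict[str, list[str]] = {}
    for url, body in responses.items():
        paths = sorted({d["path"] for d in find_path_disclosures(body)})
        if paths:
            report[url] = paths
    return report


# Constructed responses for a direct request to a plugin file, a theme file and
# the front page, with display_errors on (before) and off (after).
RESPONSES_BEFORE = {
    "/wp-content/plugins/example-plugin/example-plugin.php": (
        "<br />\n<b>Fatal error</b>:  Call to undefined function add_action() in "
        "<b>/home/example/public_html/wp-content/plugins/example-plugin/example-plugin.php</b> "
        "on line <b>12</b><br />\n"
    ),
    "/wp-content/themes/example-theme/functions.php": (
        "Warning: require_once(/home/example/public_html/wp-load.php): failed to open stream: "
        "No such file or directory in /home/example/public_html/wp-content/themes/"
        "example-theme/functions.php on line 3\n"
    ),
    "/": "<!DOCTYPE html><html><body>Welcome</body></html>",
}
RESPONSES_AFTER = {  # same requests with display_errors = Off: empty bodies
    "/wp-content/plugins/example-plugin/example-plugin.php": "",
    "/wp-content/themes/example-theme/functions.php": "",
    "/": "<!DOCTYPE html><html><body>Welcome</body></html>",
}

if __name__ == "__main__":
    for label, responses in (("on", RESPONSES_BEFORE), ("off", RESPONSES_AFTER)):
        print(f"== display_errors {label} ==")
        report = scan_responses(responses)
        if not report:
            print(" no path disclosure")
        for url, paths in report.items():
            for p in paths:
                print(f" {url}: leaks {p} (web root {webroot_from_path(p)})")
```

The same check works on real output: request each plugin and theme PHP file directly and pass the bodies to `scan_responses`; an empty report after setting `display_errors = Off` confirms the errors are no longer shown (they still go to the PHP error log if log_errors is on).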