supawiz6991
Forum Replies Created
@thetechxpert Thank you for the follow up. I’ve gone ahead and submitted it to Avast for a false positive review to hopefully get them to stop flagging it.
Again, this wasn’t just an issue with the files on my site but was also being flagged immediately when trying to download a fresh copy of the plugin from the plugin page here -> https://www.ads-software.com/plugins/elementor/.
That being said, I noticed an update was pushed out 3 hours ago. As of this update, Avast is no longer flagging the plugin when trying to download it from that location.
Thanks again.

@graham45 still being flagged for me both on my site AND when trying to download a fresh copy from the WordPress website.
Forum: Plugins
In reply to: [Two-Factor] Problem with security key in Chrome
I’m seeing this as well. The plugin is using the U2F API which is deprecated in Chrome and will be removed completely in February.
Is implementation of Web Authentication API into the plugin being worked on?
Forum: Plugins
In reply to: [Relevanssi - A Better Search] Update Function Bug
Relevanssi is not set to index TablePress.
Here is our code fix which resolved the issue:
Forum: Plugins
In reply to: [TablePress - Tables in WordPress made easy] Update function bug
Thanks for the quick reply!
When the Relevanssi plugin is disabled the error goes away.
I did post in the support forum for that plugin as well since our troubleshooting pointed to them as the root cause (which your troubleshooting confirms).
Forum: Plugins
In reply to: [Google Doc Embedder] PDF not showing
Any chance your web host is running Mod Security or something similar to it? I’m experiencing this issue as well. In my case, mod security is flagging them.
ModSecurity: Warning. Match of “rx ^OPTIONS$” against “REQUEST_METHOD” required. [id “960015”] [msg “Request Missing an Accept Header”] [severity “CRITICAL”] [hostname “uticamack.com”] [uri “/wp-content/uploads/2016/04/example.pdf”] [unique_id “WBi8yn8AAAEAAHEsHisAAAAQ”]
What’s weird is that if I keep refreshing the page, sometimes the PDFs load and sometimes they do not. I’m guessing whitelisting that rule may help, but I’d rather not do that.
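A small parser for warnings like the one quoted in the post above, as an added example (not part of the original reply and not ModSecurity's own code): it extracts the rule id, message and URI, then counts hits per rule and URI, which is what you need to scope an exception to specific paths instead of disabling the rule everywhere. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Forum and blog software often turns straight quotes into curly ones; undo that first.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})
# Metadata fields look like [id "960015"] or [uri "/path"].
_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Shape assumed here: ModSecurity: <action>. <detail> [field "value"] ...
_HEAD = re.compile(r'ModSecurity:\s*([^.\[]+)\.\s*(.*?)\s*(?=\[\w+ "|$)')

def parse_modsec(line):
    """Parse one ModSecurity log message into a dict; None if it is not one."""
    line = line.translate(_QUOTES)
    head = _HEAD.search(line)
    if head is None:
        return None
    rec = {"action": head.group(1), "detail": head.group(2), "tags": []}
    for key, value in _FIELD.findall(line):
        if key == "tag":              # a rule may carry several tags
            rec["tags"].append(value)
        else:
            rec.setdefault(key, value)
    return rec

def hits_by_rule_and_uri(lines):
    """Count matches per (rule id, URI) to see where a rule actually fires."""
    counts = Counter()
    for line in lines:
        rec = parse_modsec(line)
        if rec and "id" in rec:
            counts[(rec["id"], rec.get("uri", "?"))] += 1
    return counts

# Constructed template for the made-up sample lines (hostname and unique_id are placeholders).
_TEMPLATE = ('ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. '
             '[id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] '
             '[hostname "example.com"] [uri "%s"] [unique_id "CONSTRUCTED"]')

SAMPLE = [
    # Line quoted in the post, with the curly quotes as rendered there.
    'ModSecurity: Warning. Match of “rx ^OPTIONS$” against “REQUEST_METHOD” required. [id “960015”] [msg “Request Missing an Accept Header”] [severity “CRITICAL”] [hostname “uticamack.com”] [uri “/wp-content/uploads/2016/04/example.pdf”] [unique_id “WBi8yn8AAAEAAHEsHisAAAAQ”]',
    "[error] [client 192.0.2.10] " + _TEMPLATE % "/wp-content/uploads/2016/04/example.pdf",
    "[error] [client 192.0.2.10] " + _TEMPLATE % "/wp-login.php",
    "[error] File does not exist: /var/www/favicon.ico",  # not a ModSecurity line
]

if __name__ == "__main__":
    for (rule_id, uri), n in hits_by_rule_and_uri(SAMPLE).most_common():
        print(rule_id, uri, n)
```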
Now that I’ve had some time to further investigate this:
1. Manually adding an IP address to the “banned IP address” section doesn’t indeed lockout devices coming from that IP address.
2. Brute Force Protection is not working as expected. I set my setting to 5 attempts per host and 40 attempts per user, yet the user is still being locked out before the host.
2a. User lockouts are not appearing in the Active Lockouts section unless they try to log in as admin (immediate ban option is active).
This now appears to be a separate issue from https://www.ads-software.com/support/topic/table-wordpress-muwp_itsec_lockouts-doesnt-exist?replies=1 . The site this is installed on is a single site.
Done. This functionality really needs to happen and sooner than later.
@lernerconsulting
Good advice! To add to it:
https://www.example.com/?author=1 <- adding ?author=1 can be used to find the username. While it shows the nickname on the page, the actual username is shown in the URL.
To prevent hackers from exploiting this I strongly recommend adding this to your .htaccess file:

# Stop wordpress username enumeration vulnerability
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
RewriteRule ^(.*)$ https://yourdomainhere.com/? [L,R=301]

*Update: I’ve dropped a line to the folks at WordPress about the username showing in the URL and not the nick/display name.
Sounds like the username could be getting locked out.
If you go to Security -> Logs
then do
select filter: “Invalid Login Attempts”
Check for your Username and IP.
How many attempts do you see from each? Where are they coming from?
Normally when this happens to me it’s because the site is under brute force attack.
Just realized I was running plugin version 5.0.1. Updated and so far the issue hasn’t returned. I’ll mark this as resolved and if the issue returns I’ll re-open.
Long time user of the plugin here (Been using it since the Better-WP-Security days).
Regarding your issue. If the page is white but doesn’t show the word error then I recommend you take a look at the website’s error log.
When you set up iThemes Security,
1. Did you use the “hide the backend” feature?
2. Did you enable the “Database Backup” feature?
3. Did you enable the SSL feature?
4. What System Tweaks did you enable?
5. Did you change anything in the advanced section?

Issue Resolved!
For those that may find this:
The direct cause of the issue is unknown but is possibly due to some customization on the site and/or the number of plugins installed on the site.
The developer made a change to the plugin that will prevent this issue in the future.
A+ Support! Thanks!
Forum: Plugins
In reply to: [Connections Business Directory] Logo Picture not displaying properly.
Followed the steps above and it didn’t work. Is a theme conflict possible?