svacontact

Thanks for the response and suggestion! Wasn’t really requesting support, just wanted to pass this on to hopefully save someone else some time when troubleshooting phpMyAdmin issues. I have narrowed this down further to these 2 lines in 6G which cause 404s:

RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]

And this line in the AIOWPS firewall settings which cases a javascript error:

RedirectMatch 403 config\.

Versions as follows:
Apache: 2.4.39
MySQL: 10.2.10-MariaDB
php: 7.2.16
phpMyAdmin: 4.8.5

Sorry, this was NOT a URE function but was coming from another plugin. Apologies for the confusion!

Found a solution to this although I’m sure there is a more elegant way. Inserted this PHP code to override the username lookup link:

add_filter( ‘wpmem_username_link_str’, ‘my_username_link_str’, 10, 2 );
function my_username_link_str( $str, $link ) {
return “<font color=red>Please use the Contact Form if you have forgotten your Username</font>”;
}

This still left the possibility of direct URL access, so I handled that with an htaccess rule. Based on another support post, I also blocked direct access to the password change URL with htaccess.

BTW, the reason I asked about this is that I was getting quite a few really annoying password reset attempts from non-members. I’m hopeful that forcing the use of a Contact Form to retrieve the username will curtail a lot of this.

Awesome, works perfectly. Thank you! Can’t believe it was that simple.

Thanks, no cache plugin.

Sorry, I gave you incorrect information. Placing the RedirectMatch statement in the Custom Rules does not work. I’m guessing this is because the original filter statement is executed first, and the redirect has already occurred(?). I forgot to clear the browser cache between tests which lead me to the wrong conclusion.

Yes, that works. Thanks.

Excellent! Thank you.

Problem solved. Thanks for the super quick response!

Thanks! Worked great. Here is the code I used if it will help anyone else.

// 5/22/2017 Send email to admin on pwd reset
add_action(‘wpmem_pwd_reset’, ‘pwd_reset_admin_email’);

function pwd_reset_admin_email ($user_id) {
$user_data = get_userdata( $user_id );
$user = $user_data->data;
$subject = “User Password Reset”;
$admin_email = “[email protected]”;
$message = sprintf( __( ‘This user has performed a password reset.’ ) ) . “\r\n\r\n”;
$message .= sprintf( __( ‘Display Name: %s’ ), $user->display_name ). “\r\n\r\n”;
wp_mail( $admin_email, $subject, $message);
}

Thanks for your responses. Yes, I have left feedback for the plugin developers.

My intention was to raise awareness that I am seeing a trend that seems to be taking advantage of the push to keep plugins updated.

I’m a bit surprised that this is not seen as a WordPress issue. WordPress publishes Detailed Plugin Guidelines Detailed Plugin Guidelines Item 11 is quite explicit about Advertising. I’m simply suggesting that adding a simple sentence to Item 11 that states something to the effect that releasing updates for the sole purpose of advertising or marketing are strongly discouraged. Thank You.

Update on this. Today after logout/login I now see the banner, the menus are in the right place and the Main, Usage and F.A.Q menus work. The other menus are blank.

Thanks @wpsolutions. Any idea when the next release will be out? I only ask because I haven’t upgraded prod to 4.2.7 because of this issue, but am a bit concerned because the changelog listed it as security-related. Am I ok using whois on version 4.2.6 for now?

Yes, confirmed. With 6G deactivated, the default .htaccess using the “require not ip” method works as expected. With 6G activated it does not work.

Seems that @reesdg may have identified the problem. The second use of RequireAll in .htaccess for the 6G Firewall:

<RequireAll>
Require all Granted
Require not env bad_bot
</RequireAll>

overrides the first use of RequireAll that contains the list of blocked IPs. This also explains why forcing the older “Allow/Deny” method for IP blocking works.

Interesting also that 6G out-of-the-box includes it’s own section to block IPs that uses the older method:

# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
Order Allow,Deny
Allow from All
# uncomment/edit/repeat next line to block IPs
# Deny from 123.456.789
</Limit>

I understand that you are integrating 6G with other code and therefore don’t include this section – just thought the approach was interesting.

Thanks for the quick reply and workaround. I found this post:
Blacklist IP doesn’t work when 6G Blacklist Firewall Rules Applied (@reesdg).
Sounds like it could be the same issue(??). I do have 6G Firewall active.