This feature will definitely block all access to both wp-admin and wp-login.php if one tries to access these directly when the feature is enabled.
Obviously there is something not quite right in your case which we’ll need to figure out.
Which browser type were you using when you tried accessing the login page?
Can you try the same thing with a totally different browser?
From your admin panel, can you confirm that your htaccess file contains the required rules for the brute force prevention feature?
(Simply go to WP Security->Settings->htaccess tab and view the contents of the file. Look for the #AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_START tag.)
Are you currently running another plugin which may also have inserted some htaccess rules related to login/admin pages?
I’ve tried it in in both FireFox, IE and Chrome.
Still getting the same issue.
The htaccess is a brand new clean htacess with just the AIO & Firewall code.
HOWEVER…
I notice that the “Edit” per plugin is gone, and I was using Better WP Security and selected the hide “Edit” per file/plugin/themes; so I reinstalled Better WP Security and surprisingly all the settings still remained even though the htacess file is brand new with only AIO code.
I’ve even run WP Spring Clean to remove all the related database file from Better WP Security.
I unchecked all the Tweaks from Better WP, then delete it again and the “Edit” per plugin came back.
Apparently, I don’t know why the site still inherit settings from the former deleted Better WP Security plugin even though I deleted it and cleaned it with WP Spring Clean of its database file and replace a fresh htacess before I installed AIO.
I checked the setting htacess for the brute force section, here’s what I have:
#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_START
RewriteEngine On
RewriteCond %{REQUEST_URI} (wp-admin|wp-login)
RewriteCond %{HTTP_COOKIE} !testing= [NC]
RewriteCond %{HTTP_COOKIE} !aiowps_cookie_test= [NC]
RewriteRule .* http://127.0.0.1 [L]
#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_END
I have just now also tested this plugin on another different site (which never installed Better WP Security) and I’m still getting these same errros.
The gravatar disappears and the “secretkey” login doesn’t work and the only way to access the login is typing wp-login.php.
Same problem as other site.
I’ve ever tried turning off the Firewall and kept only the Basic Protections…the Brute Force Prevention doesn’t work.
But I figure out the problem with the Gravatar from the “User Avatar Plugin” not showing is because I have the “Bad Query Strings” checked
What’s strange now for my 1st site I have the the “Bad Query Strings” active and the Gravatar all of a sudden shows up now, while the other 2nd site “Bad Query Strings” disalbe only way for it to show up.
Actually I take that back, now the Gravatar doesn’t show up with Bad Query Strings for 1st site checked.
This is really confusing.
It is is likely that you have another plugin that is conflicting with some of the firewall rules of the security plugin.
Why don’t you first only activate the basic features and check if your site functions with those. Have you tried deactivating other plugins and then activate them one by one to see which one causes the issue?
OK, before…I couldn’t access the login page either with “wp-admin” or “?secretcode=1” but only with “wp-config.php.”
But now today, I couldn’t access it through either 3, and was locked out.
I disabled the plugin with FTP, and still couldn’t access the login page.
Then remember, unlike Better WP Security, that when plugin’s disable the .htacess still remains, so I deleted all the codes related to AIOWS in htaccess.
Now I’ve activated AIOWS again in the dashbaord, but the codes in .htacess didn’t come back, and I’m not protected anymore with the former codes once inside the htacess.
Huh?
Any suggestion?
Hi @ipex Media,
It seems like you have a unique situation where something with your host setup is causing the plugin to not work properly.
Which hosting provider are you with and what type of host setup do you have (ie, shared/VPS etc)?
…when plugin’s disable the .htacess still remains
We have plans to further make this plugin more user-friendly by automatically reverting htaccess contents when the plugin is deactivated. For now you will have to do this manually. (Please see this link for tips on how to do this:
http://www.tipsandtricks-hq.com/how-to-restore-the-htaccess-file-when-using-the-all-in-one-wp-security-plugin-5945)
I couldn’t access the login page either with “wp-admin” or “?secretcode=1” but only with “wp-config.php.”
I’m not sure what you mean by accessing the login page with wp-config.php? Can you please provide more info?
Which hosting provider are you with and what type of host setup do you have (ie, shared/VPS etc)?
Shared on IXWebHosting
We have plans to further make this plugin more user-friendly by automatically reverting htaccess contents when the plugin is deactivated.
I’m not 100% sure if this would be ideal…
http://wordpress.org/support/topic/a-discovered-loophole-and-recommendation-for-this-plugin?replies=2
I’m not sure what you mean by accessing the login page with wp-config.php? Can you please provide more info?
I said this above for the very first post in this thread that when I first installed AIOWS enabling the “Prevent Brute Force Prevention” I was NOT able to log in with “my secret code” and “wp-admin (which this was what it should do)”….and the “wp-config.php” was supposed to not work…but it did and became the one way to login at the end of the url.
But now “wp-config.php” doesn’t work either along with “secret code” and “wp-admin.”
This is a little weird. It looks like this plugin is just not working correctly on your current server configuration.
The hosting you are using is not a WordPress’s recommended hosting provider so I have no idea what configuration could be wrong on this server. Here is a list of WordPress’s recommended hosting:
http://wordpress.org/hosting/
I know that you have already tried the better wp security plugin so I would recommend you to try the bulletproof security plugin. Maybe that plugin will have better luck on your server:
http://wordpress.org/plugins/bulletproof-security/
