• Resolved Sloba

    (@slobajossi)


    Hi,
    some things are confusing to me after the installation, so a few questions please:

    1. I do not get the Lockdown feature. When I activate it, I still can access the login page and access the admin after submitting the credentials.
    So, what is it locking then?

    2. Enable Access Key – when I activate this it locks the access to the WSF interface, not to the entire admin. Is it designed to be like that or is it an error?

    Also, when I enter the access key, instead of unlocking the plugin’s interface immediately, it redirects me to the icwp-wpsf page with the notice:
    “You do not have sufficient permissions to access this page.”

    … though when I hit the browser’s back button everything is unlocked.

    (this is the issue I have found on the Multisite installation, on the regular WP installation it was unlocking without the permission notice)

    3. Plugin notices – when this is disabled everything is fine. When I activate the feature, it displays the notice:
    “Would you like to help translate the WordPress Simple Firewall into your language Head over to: translate.icontrolwp.com”

    The notice doesn’t appear while on the Network Admin (whatever page: Dashboard, Sites, Plugins, etc.). It appears when I, as a Super Admin, access the single site’s admin area.
    The problem is that when I hit the button “Dismiss this notice” it redirects me to the icwp-wpsf-firewall page with the notice:
    “You do not have sufficient permissions to access this page.”

    When I go back to the admin dashboard the notice is still present.

    It’s like it is messing up the user permissions on the Multisite.

    (Similar to the previous point, this is the issue I have found on the Multisite installation – On the regular WP installation it removes the notice when I hit the dismiss button and I’m able to further browse the admin area without that notice)

    If Plugin notices feature is disabled, does it prevent notices only related to the WSF plugin or any other plugin and the WordPress default notices?

    Thanks!

    https://wordpress.org/plugins/wp-simple-firewall/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Paul

    (@paultgoodchild)

    Hi,

    Thank you for outlining these problems very clearly. You’re right, you are experiencing them because of how it’s been coded and not taking into account WP Multisite installations properly.

    I will be addressing this in a near-future release as I’ve already done quite a bit of the work to get it WPMS ready.

    Thanks again for letting me know about this.

    To address the question about Access Key – yes it is only addressing the WordPress Simple Firewall plugin. This prevents unauthorized users from ever changing the plugin. You should use this in combination with the Lockdown section feature that prevents editing of files from within WordPress. Otherwise, someone could edit the plugin files and remove the Access Key restriction. Unfortunately there’s only so much access restriction that WordPress lets you do.

    I hope that helps explain this a bit further.

    Many thanks,
    Paul.

    Thread Starter Sloba

    (@slobajossi)

    Thanks Paul.

    Just one more question regarding the login protect:
    Cooldown feature is very cool, still I miss one feature from the ‘Limit login attempts’ plugin, and that is to lock the IP if too many attempts are performed from the same IP.
    Can we expect this feature to be implemented?

    Plugin Author Paul

    (@paultgoodchild)

    Hi Sloba,

    This is not currently planned. This adds extra weight to the login process by adding to the database and trying to maintain a list of IP addresses.

    IP Blocking adds weight which, if you’re being hit by a bot isn’t an extra weight you want. The login protection cooldown keeps it light, but much more effective where the attack is coming from a distributed network where IP addresses are changing all the time – ‘limit login attempts’ will never fix the problem of a distributed bot attack and will likely crash your server with a db size that spirals out of control quickly.

    I may yet add it, but it’s fairly redundant and an easy restriction to work around. If I did it, I’d prefer it to be a little smarter about it – likely, I’d just add a special cooldown for login attempts that come from the same IP. Perhaps after each failed attempt, increase the cooldown further.

    I’ll think on it.
    Cheers,
    Paul.
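
The escalating per-IP cooldown described in the reply above, sketched as an added example; it is not code from the plugin or its author, and it is written in Python rather than the plugin's PHP. The base delay, cap, forget window and table limit are assumed values, and the size-bounded in-memory table is one assumed way to avoid the ever-growing IP list the reply warns about.

```python
import time
from collections import OrderedDict


class PerIPCooldown:
    """Escalating per-IP login cooldown kept in a size-bounded table."""

    def __init__(self, base=2.0, cap=900.0, forget_after=3600.0,
                 max_entries=10000, clock=time.monotonic):
        # All four limits are assumed values for illustration.
        self.base = base                  # wait after the first failure (s)
        self.cap = cap                    # longest wait ever imposed (s)
        self.forget_after = forget_after  # idle time that resets an IP (s)
        self.max_entries = max_entries    # hard limit on tracked IPs
        self.clock = clock
        self._table = OrderedDict()       # ip -> (failures, blocked_until)

    def retry_after(self, ip):
        """Seconds this IP must still wait; 0.0 means it may try now."""
        entry = self._table.get(ip)
        return 0.0 if entry is None else max(0.0, entry[1] - self.clock())

    def record_failure(self, ip):
        """Double this IP's cooldown (up to cap) and return the new wait."""
        now = self.clock()
        failures, until = self._table.pop(ip, (0, now))
        if now - until > self.forget_after:
            failures = 0                  # quiet long enough: start over
        failures += 1
        # Exponent is clamped so a long-running attacker cannot overflow it.
        wait = min(self.cap, self.base * 2 ** min(failures - 1, 32))
        self._table[ip] = (failures, now + wait)  # most recent goes last
        while len(self._table) > self.max_entries:
            self._table.popitem(last=False)       # drop the stalest IP
        return wait

    def record_success(self, ip):
        """A valid login clears that IP's history."""
        self._table.pop(ip, None)


def try_login(throttle, ip, credentials_ok):
    """Gate one attempt: refuse during cooldown before checking credentials."""
    wait = throttle.retry_after(ip)
    if wait > 0:
        return ("wait", wait)
    if credentials_ok:
        throttle.record_success(ip)
        return ("ok", 0.0)
    return ("failed", throttle.record_failure(ip))
```

Evicting the stalest entry keeps memory fixed at the cost of forgetting an IP's history once the table is full, so a site-wide cooldown is still needed against widely distributed sources.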

    Thread Starter Sloba

    (@slobajossi)

    I like how you think 🙂
    It would be great to see it in the way you described.
    Thanks for the support!

    Plugin Author Paul

    (@paultgoodchild)

    Just fyi, v2.4.0 should address the multisite issues you reported. If you still see problems, let me know.

    Cheers!
    Paul.

  • The topic ‘Few questions after plugin installation’ is closed to new replies.