[Plugin: AskApache Password Protect] What's new in 8/14 version? (21 posts)

  1. beernews
    Member
    Posted 5 years ago #

    I'm just so nervous after what I did to my blog this last time. I remember there being a mention of adding something that would help us from shooting ourselves in the foot and am wondering if that is part of this install.

    Thanks for all of the hard work!!

  2. Robert S
    Member
    Posted 5 years ago #

    I have taken the 4.5.1 (not sure where you get the 8/14 from) version for a test upgrade and would recommend to stay clear of it for now. I had issues during the upgrade and have decided to hold back until we hear more from the plugin developer. He must be flat out (or gone on a holiday) because I have not seen any feedback or responses from him since 4.5 and 4.5.1 were released.

    It's a great plugin and I would not live without it - I have a sense that we'll be seeing a 4.5.2 appear shortly.

    R

  3. Roy
    Member
    Posted 5 years ago #

    My test with 4.5.1 failed too. Fortunately Ask Apache has mucked up my admin that I know how to fix that in a few minutes (when I have access to my control panel, which is not from work), but I couldn't get 4.5.1 installed, back to 4.3.2 was no problem. (Btw. did I miss the 4.4 series or have they never been available?)

  4. Robert S
    Member
    Posted 5 years ago #

    4.3.2 and then straight on to 4.5 with 4.5.1 available within 24 hours and then no sign of the author. My theory is that he must have worked non-stop and gone without sleep for days - he's now resting and probably dreaming about WordPress, plugins and all things Apache.

    Mr Apache?

    Pretty please... where are you??

    R

  5. Robert S
    Member
    Posted 5 years ago #

    4.5.2 just released...

    Let's have a squizz.

    R

  6. beernews
    Member
    Posted 5 years ago #

    I just upgraded. The 8/14 was a reference to the date I first saw a new plugin alert for this.

    I didn't do the full htpass this time as I've run into problems with that in prior installs though I was able to hook up some of the other features this time flawlessly. And the interface looks awesome.

    Nice work, Apache!

  7. Robert S
    Member
    Posted 5 years ago #

    Previous versions fine...

    4.5.2 failing - turned debug on and here's 1st lot of error messages telling me that .htaccess files are not allowed. (Whatever the issue is, it's probably causing the other errors further down - which I have not included.)

    If anyone can help please drop a line...

    [ ] .htaccess files allowed

    Array
    (
    [scheme] => http
    [host] => http://www.trupela.com
    [path] => /blog/blog/wp-content/askapache/modaliastest
    )

    Array
    (
    [scheme] => http
    [host] => http://www.trupela.com
    [path] => /blog/blog/wp-content/askapache/modaliastest
    [url] => url
    [method] => GET
    [protocol] => 1.0
    [ip] => 69.89.31.208
    [port] => 80
    [ua] => Mozilla/5.0 (compatible; AskApache_Net/1.0; http://www.askapache.com)
    [referer] => http://www.askapache.com
    [user] =>
    [pass] =>
    [fragment] =>
    )

    Array
    (
    [0] => GET /blog/blog/wp-content/askapache/modaliastest HTTP/1.0
    [1] => Host: http://www.trupela.com
    [2] => User-Agent: Mozilla/5.0 (compatible; AskApache_Net/1.0; http://www.askapache.com)
    [3] => Accept: application/xhtml+xml,text/html;q=0.9,*/*;q=0.5
    [4] => Accept-Language: en-us,en;q=0.5
    [5] => Accept-Encoding: none
    [6] => Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    [7] => Referer: http://www.askapache.com
    )
    Array
    (
    [0] => HTTP/1.1 404 Not Found
    [1] => Date: Sat, 16 Aug 2008 02:22:01 GMT
    [2] => Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    [3] => X-Powered-By: PHP/5.2.6
    [4] => X-Pingback: http://www.trupela.com/blog/xmlrpc.php
    [5] => Expires: Wed, 11 Jan 1984 05:00:00 GMT
    [6] => Cache-Control: no-cache, must-revalidate, max-age=0
    [7] => Pragma: no-cache
    [8] => Set-Cookie: bb2_screener_=1218853321+69.89.31.208; path=/blog/
    [9] => Set-Cookie: PHPSESSID=40360e0a308cd823f9ae05a464244009; path=/
    [10] => Last-Modified: Sat, 16 Aug 2008 02:22:02 GMT
    [11] => Connection: close
    [12] => Content-Type: text/html; charset=UTF-8

  8. askapache
    Member
    Posted 5 years ago #

    4.6 just released....

    I added file revisioning support to .htaccess files, so that every time you update or change the .htaccess files it saves the old copy. The next release will provide a DIFF view of the differences.

    Also fixed all the bugs I was notified about or found, and provided the option to bypass some of the testing if you know your server supports something.

    I have to get back to my real job now :) but for the next release I'm going to add a whole user-management area to add and remove users and groups from .htpasswd files.

    Then it will be ready to start using the advanced SID's like mod_security..

  9. Robert S
    Member
    Posted 5 years ago #

    AskApache,

    4.6 still ain't working for me.

    I'm happy to provide you with my feedback to assist in improving this plugin as I know of others also experiencing issues since 4.5. It's a great WP value add and it worked flawlessly for me prior to 4.5.

    Where's the best place/site to give you this feedback?

    R

  10. beernews
    Member
    Posted 5 years ago #

    Cool stuff, indeed. Thx for the hard work.

  11. steinitz
    Member
    Posted 5 years ago #

    askapache said

    fixed all the bugs I was notified about

    How do we notify you?

    Thanks,

    Steve

  12. askapache
    Member
    Posted 5 years ago #

    Ok, the major issue that is the only one I have been notified about for version 4.6 is now fixed. rschilt enlightened me to the error by posting that debug output that showed all the tests were going to /blog/blog/ when they should have gone to /blog/.

    The problem was I had forgotten to rtrim a single '/' character from a path before doing a str_replace on it and so that means that everyone who has their blog installed in a non-root-directory '/' folder would not be able to get past the test screen.

    Now it will work for you rschilt.

    To notify me, use the contact page on my site, post on this message board, or add a comment to the plugins home-page.

    The next major release will include a couple sweet ways to contact me about problems and suggestions... so until then....

  13. Robert S
    Member
    Posted 5 years ago #

    Pheeewww....!!

    When will the above fix be released?

    R

  14. Robert S
    Member
    Posted 5 years ago #

    Hi AskApache,

    I can now perform the initial tests OK after downloading 4.6.1. Thanks.

    Just one thing now... when trying to create the password file - it comes back with error message:

    ERROR: Please make .../public_html/.htpasswda1 writable and readable

    Even if I specify location and give it permissions 777 - it still comes back with same error. Ideally I would locate the password file above the document root as per your suggestion - but need to resolve the above error first.

    Cheers bro,

    R

  15. steinitz
    Member
    Posted 5 years ago #

    Hi askapache,

    Thanks for supplying the contact info (wasn't able to use the webmaster contact form on your site - it gives a not-authorized error). And thanks for continuing to support your great plugin.

    I upgraded to 4.6.1 - it still fails the tests - see below.

    Also, it looks like your fix with the rtrim of '/' is along the right path but the tests still create a wp-content directory in my root directory.

    Let me know what I can do to help with debugging.

    Best regards,

    Steve

    ps. (repeated from another thread) Re mod_auth_digest: my host, Hostmonster, has stated that they will never enable mod_auth_digest. I explained the issue and escalated it to higher and higher support levels to no avail. Also, I've seen some recommendations elsewhere to leave the mod_auth_digest disabled.

    pps. Here is summarized debug output showing just the failed tests (with two exceptions). Note, auth domain looks funny and has to do with the mysterious wp-content directory.

    Array
    (
    [step] => test
    [plugin_data] => Array
    (
    [Name] => AskApache Password Protect
    [Title] => AskApache Password Protect
    [Description] => Advanced Security: Password Protection, Anti-Spam, Anti-Exploits, more to come…
    [Author] => AskApache
    [Version] => 4.6.1
    )

    [scheme] => http
    [host] => example.com
    [root_path] => /main/
    [home_path] => /home/example-server/public_html/example/
    [test_dir] => /home/example-server/public_html/example/wp-content/askapache
    [root_htaccess] => /home/example-server/public_html/example/.htaccess
    [admin_htaccess] => /home/example-server/public_html/example/wp-admin/.htaccess
    [admin_mail] => support@example.com
    [authdomain] => /main/wp-admin/ http://example.com/main/wp-admin/
    [authname] => Protected By AskApache
    [authuserfile] => /home/example-server/public_html/example/.htpasswda3
    [algorithm] => md5
    [key] => $P$BSBJlkDrPS4Tg5mEoyfxQ7YuQ0Ese1.
    [htaccess_support] => 0
    [mod_alias_support] => 0
    [mod_rewrite_support] => 0
    [mod_security_support] => 0
    [mod_auth_digest_support] => 0
    [basic_support] => 0
    [digest_support] => 0
    [crypt_support] => 0
    [sha1_support] => 0
    [md5_support] => 0
    [setup_complete] => 0
    [revision_support] => 0
    [apache_version] =>
    [revisions] => Array
    (
    )
    )

    [pass ] Fsockopen Networking Functionality

    File Permission Tests
    If any of these checks fail this plugin will not work. Both your /.htaccess and /wp-admin/.htaccess files must be writable for this plugin, those are the only 2 files this plugin absolutely must be able to modify. If any of the other checks fail you will need to manually create a folder named askapache in your /wp-content/ folder and make it writable.

    [fail ] /wp-admin/.htaccess file writable
    [pass] /wp-admin/.htaccess file writable

    [ fail] .htaccess files allowed

    Array
    (
    [0] => GET /main/wp-content/askapache/modaliastest HTTP/1.0
    [1] => Host: example.com
    [2] => User-Agent: Mozilla/5.0 (compatible; AskApache_Net/1.0; http://www.askapache.com)
    [3] => Accept: application/xhtml+xml,text/html;q=0.9,*/*;q=0.5
    [4] => Accept-Language: en-us,en;q=0.5
    [5] => Accept-Encoding: none
    [6] => Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    [7] => Referer: http://www.askapache.com
    )

    HTTP Digest Authentication
    Now we know the encryption and apache module capabilities of your site. This test literally logs in to your server using Digest Authenticationts, providing the ultimate answer as to if your server supports this scheme.

    [fail ] Major bummer... you don't have mod_auth_digest! (included in apache since 1.1)

    [fail ] Basic Authentication Attempt using Crypt Encryption

    Array
    (
    [0] => GET /main/wp-content/askapache/basic_auth_test.gif HTTP/1.0
    [1] => Host: example.com
    [2] => User-Agent: Mozilla/5.0 (compatible; AskApache_Net/1.0; http://www.askapache.com)
    [3] => Accept: application/xhtml+xml,text/html;q=0.9,*/*;q=0.5
    [4] => Accept-Language: en-us,en;q=0.5
    [5] => Accept-Encoding: none
    [6] => Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    [7] => Referer: http://www.askapache.com
    [8] => Authorization: Basic dGVzdE1ENTp0ZXN0TUQ1
    )
    Array
    (
    [0] => HTTP/1.1 404 Not Found
    [1] => Date: Fri, 22 Aug 2008 09:11:34 GMT
    [2] => Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    [3] => Accept-Ranges: bytes
    [4] => Content-Length: 78
    [5] => Connection: close
    [6] => Content-Type: text/html
    )
    [fail ] Basic Authentication Attempt using MD5 Encryption

    Array
    (
    [0] => GET /main/wp-content/askapache/basic_auth_test.gif HTTP/1.0
    [1] => Host: example.com
    [2] => User-Agent: Mozilla/5.0 (compatible; AskApache_Net/1.0; http://www.askapache.com)
    [3] => Accept: application/xhtml+xml,text/html;q=0.9,*/*;q=0.5
    [4] => Accept-Language: en-us,en;q=0.5
    [5] => Accept-Encoding: none
    [6] => Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    [7] => Referer: http://www.askapache.com
    [8] => Authorization: Basic dGVzdFNIQTE6dGVzdFNIQTE=
    )
    Array
    (
    [0] => HTTP/1.1 404 Not Found
    [1] => Date: Fri, 22 Aug 2008 09:11:35 GMT
    [2] => Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    [3] => Accept-Ranges: bytes
    [4] => Content-Length: 78
    [5] => Connection: close
    [6] => Content-Type: text/html
    )
    [fail ] Basic Authentication Attempt using SHA1 Encryption

    [pass ] Basic Authentication Access Scheme Supported

  16. katpatuka
    Member
    Posted 5 years ago #

    Hm, I get an ERROR: Failed to create /home/xxx/public_html/.htpasswda3 in ver 4.6.1 even after setting permissions to 666 and user:group to ftpuser:ftpgroup...

  17. sweyhrich
    Member
    Posted 5 years ago #

    Just downloaded this tonight and tried it out. In the process of activating various things the plugin provides, I was sent to my custom 404 page. Now when I try to go to my wp-admin/index.php file, I am greeted with a drop-down box that says:

    Authentication required

    Enter username and password for "Protected By
    AskApache" at http://(my web site)

    I entered the username and password I setup in the plugin, and it didn't work.

    I deleted the .htaccess file from my wp-admin directory, and I still get the drop-down box.

    So now, I am basically barred from my own WordPress site because of something left behind by this plugin. How do I de-activate it, when I can't even get to my admin page??

    Help!

  18. phillwv
    Member
    Posted 5 years ago #

    Oh dear, a me-too post.
    AAPP v461 on WP261:
    ERROR: Failed to create /home/xxx/public_html/.htpasswda3

  19. steinitz
    Member
    Posted 5 years ago #

    Hi sweyhrich,

    I don't think it's a permissions problem. I think AA Pass Pro gets confused about where it's reading and writing things. I end up with artifacts all over.

    I'm not sure if it will help you but I posted a nasty hack that got me going (barely) at topic 196640. That allowed me to protect my Children's Learning site with others to follow.

    Don't even try to use the password protection -- it hasn't worked since 4.3.5. You can use cpanel to do the same thing without the pain. But the rest of Ask Apache's work is gold.

    Steve

  20. askapache
    Member
    Posted 5 years ago #

    Guess what! I've made a lot more improvements (this refactoring will never end) to the plugin.. Many are based on improvements to the WordPress Core Files, which I am constantly examining and learning from..

    If you've seen the version 4.6 debugging options, you probably won't believe the 4.7 debugging options. I spent the most time implementing even MORE debugging options so that in the future you can find problems much easier... even if you don't know a thing about syslog, php error logging, etc.. Of course all that was done to try and figure out what was causing all of you posters' problems.. and I think I am getting close to a 100% mysterious error free plugin! Which is the main goal and a huge step on the way to the ultimate goal of this plugin.

    I am still working on the user/group management code, so that probably won't be in the upcoming 4.7 release. But one thing I will tell you is the new version will have the best .htaccess anti-spam code for WP (maybe anything) ever seen on the net. (without using mod_security).. It's not incredibly complex or lengthy, the rules are just very specific and very tight. I'm good at finding security vulnerabilities, this is the same thing only backwards.

    I've been logging the entire HTTP request for every comment/trackback/pingback made to my blog for about 6 months (it took forever to find out how to log the entire request like this... I'm saying even the entire POST body.. just like having wireshark installed on the server!)

    Then I would manually go through them about once a week (using a lot of linux shell scripting) and detail the subtle differences between spam and a real comment, and try different things.

    So my blog kills thousands of would-be-spam connections every day to my blog (I actively try to recruit new spammers to study their technique), literally shuts down the TCP connection and wastes 0 bandwidth or CPU that a programming language like PHP used by akismet would waste (basically loading the whole wordpress program for each spam received)..

    So I'm hesitant to publish this info, but then again, these spammers are so stupid that I'm not sure they can even read. What do you think?

    Look for the update to come out sometime this month..

  21. askapache
    Member
    Posted 5 years ago #

    Maybe I'll just become the world's greatest spammer.. it'd take all of about an hour to accomplish that.. much easier than writing this plugin.

    SPAMMER CHALLENGE: *come at me with your best* (but if you hack my server and get me in hot-water with my host I'm coming after you... spam/exploits only, no DOS or heavy net-use.)

Topic Closed

This topic has been closed to new replies.