Hi,
Can you check this similar discussion: goddady installation.
Also: PHP INI files and Goddady’s hosting.
We do not plan to make any new benchmarks, because the results will be identical. If you use a plugin that requires to have WP + the DB + the plugin(s) loaded, it will kill your server if you face a distributed attack.
I do not know about any issue with the Sucuri plugin. NinjaFirewall works before WP and its plugins are loaded so, in most cases, there is no conflict. If you see any issue, simply report it here.
Still unable to install.
Here are the results of ninjacheck.php
NinjaFirewall (WP edition) troublershooter
Warning: session_start() [function.session-start]: Cannot send session cache limiter – headers already sent (output started at /home/content/XX/XXXXXXX/html/Wordpress/ninjacheck.php:36) in /home/content/XX/XXXXXXX/html/Wordpress/wp-content/plugins/ninjafirewall/ninjafirewall.php on line 43
HTTP server :Apache
PHP version :5.3.24
PHP SAPI :CGI-FCGI
auto_prepend_file : none
NinjaFirewall detection : NinjaFirewall is not loaded
Loaded INI file :/home/content/XX/XXXXXXX/html/php5.ini
user_ini.filename :.user.ini
user_ini.cache_ttl:300 seconds
User PHP INI :php5.ini found –
DOCUMENT_ROOT :/var/chroot/home/content/XX/XXXXXXX/html
wp-config.php :found in /home/content/XX/XXXXXXX/html/Wordpress/wp-config.php
ABSPATH :/home/content/XX/XXXXXXX/html/Wordpress/ (ABSPATH != DOCUMENT_ROOT)
WordPress version :4.1.1
WP_CONTENT_DIR :/home/content/XX/XXXXXXX/html/Wordpress/wp-content
Plugins directory :/home/content/XX/XXXXXXX/html/Wordpress/wp-content/plugins
BTW about the recursive php.ini
Which .htaccess file are you refering in http://ninjafirewall.com/wordpress/help.php
I tried adding the .htaccess too.
BTW Ninja Firewall is just bunch of PHP script right. So If I just use Pro version can’t I protect my wordpress with that too. Just asking. I am thinking on the line of installing it in root and maybe there is configuration to lets it protect wordpress (multiple) in one go. Is that something that can be done. This is only if WP one doesn’t work out.
I do not recommend at all to use the Pro edition to protect one or more WP sites: it has much less options/features and, most important, it lacks all WP security rules! So the WP edition is really your best bet. If you have 2 or more sites, you need to install one copy per site.
You are running CGI-FCGI, therefore you need to use a PHP INI (I assume “php.ini”). But it seems that your Goddady hosting account will never let you use one in a subfolder.
It is still possible to bypass such restriction. Check our blog about installing multiple copies of NinjaFirewall with HHVM (which allows only one php.ini file), specially the “Multiple-site installation” chapter: Installing NinjaFirewall with HHVM.
You will need to create the “php.ini” file in the main public_html folder. Regarding the “route.php” script, you could create it in the same folder, or inside the WP subfolder, it is not too much important.
During the installation, select HHVM as the “Server and SAPI”.
However, if one day you want to uninstall NinjaFirewall, remember that you will need to remove the instruction from the PHP INI first, and then to uninstall it from the WP admin dashboard, because the uninstaller will not be able to find the PHP INI in the parent directory.
OK. I will talk to GoDaddy Hosting Support to have HHVM installed. I am assuming it can only be done by them.
I do have zend codes is my php.ini. I think I installed them long ago but don’t remember when. HHVM would not have any conflict with them I assume.
Anyways It will likely take few day.
I will report back. If this works, I will gladly make a small tutorial and share with you. You have been great so far helping me out.
Editing manually php.ini is not a great problem. In fact I like to do it manually.
I don’t think they will install HHVM.
My example was just to show that your case is very similar and that you can use our blog article to solve your issue.
Assuming that:
Your document_root is: /var/chroot/home/content/XX/XXXXXXX/html
Your WP is installed in: /home/content/XX/XXXXXXX/html/Wordpress/
1) Start NinjaFirewall installer from your WP admin dashboard.
2) When you reach the “System configuration” page, select “Other + HHVM” and click “Next Step”.
3) Create a “/var/chroot/home/content/XX/XXXXXXX/html/route.php” script, and add the following code to it:
<?php
// Prepend the firewall for the /Wordpress/ sub-folder:
if ( strpos($_SERVER['SCRIPT_FILENAME'], '/home/content/XX/XXXXXXX/html/Wordpress') !== false ) {
// Add the full path to NinjaFirewall firewall.php:
require('/home/content/XX/XXXXXXX/html/Wordpress/wp-content/plugins/ninjafirewall/lib/firewall.php');
}
Edit the two “/XX/XXXXXXX/” occurrences with the correct paths.
4) Create a “/var/chroot/home/content/XX/XXXXXXX/html/php.ini”, and add the following code to it:
; NinjaFirewall: load route.php
auto_prepend_file = /home/content/XX/XXXXXXX/html/route.php
Here again, replace the X’s with the correct path.
Note: maybe you will need to use “/var/chroot/home/….” rather then “/home/…”
5) Go back to NinjaFirewall installer and click on the Test NinjaFirewall button.
If that does not work, you may need to rename the “php.ini” to “.user.ini” or “php5.ini”. Also, as mentioned on Goddady’s PHP INI page, you may need to wait a couple of minutes after making changes to the INI files.
Awesome. It now works. Tested only on Single Site so far but will install on other blogs too.
BTW about Login Protection/Enable brute force attack protection – this is off by default. Will making it always ON, slow down my site.
When using All in one security pack, I see around 10 failed login attempts daily (which are automatically blocked for a week – lockdown).
So when should I consider login attempts to be brute-force. My website is relatively low traffic as of now.
If you enable “Always ON”, it will always block any access to the wp-login page and will prompt you for the user/password defined in the Login Protection page. That works before WordPress is loaded, so that won’t slow down the site: it can handle a few thousands of HTTP request per second.
A very small brute-force attack would be at least around 5 POST requests/10 seconds. Usually, it is much higher than that.
If you are the only person who can log into the dashboard, set it to “Always ON” preferably.
So is it similar to using .htpasswd?
Currently I am the only person but in 1-2 month it will change.
I do use a membership plugin with custom login page and also has a Login form in my Menu. So lets say I enable it. Will those who login from custom page/login or Menu also get prompted for user/password defined in the Login Protection page (wp-login.php is probably being called (in backened) but I do not think there is redirect to wp-login – not an expert so don’t know).
To stop wp-login access I had tried out renaming wp-login.php once but that breaks my 2 step authentication and membership login. Then I tried .htpasswd but well if users gets promoted for an extra login-password it will be annoying.
PS: I think, WordPress should have a in-built feature to change wp-login page to whatever we wish. This will stop most of the brute-force – most automated once atleast)
More or less like a .htaccess, but it does not use any system file, and works with any Unix-based HTTP servers. It also whitelist you for a while (using PHP session), so that it will not ask you again for the password if you log out and then log in 10 minutes later.
A custom login form/plugin may not always need to use the wp-login.php script. It can manage the user authentication and redirect him/her to /wp-admin/ folder.
NinjaFirewall only deals with the wp-login.php script.
Ohh! I tried enabling Login Protection and using custom login. It didn’t work. Probably because of 2 step authentication and wp-login was being called else 2 step won’t work.
Anyways thanks for all help.
The Ninja Firewall Stats show 119 attempts since yesterday. 5% critical and rest medium. Good to see those hacking attempts being stopped.
Marking this as resolved. Since my main problem is resolved. Thanks again.
