Ithemes Security conflicts with Nextgen Gallery

mellowvision
(@mellowvision)

9 years, 5 months ago

After recent updates, I was unable to upload images into nextgen. After careful disabling and tweaking, I was able to narrow the issue down to the .htaccess file that iThemes Security creates to rewrite the login location.

If I remove that .htaccess file, I can upload images to NextGen. But then my login location is exposed.

Please advise.

https://wordpress.org/plugins/better-wp-security/

Viewing 9 replies - 1 through 9 (of 9 total)

Thread Starter mellowvision
(@mellowvision)

9 years, 5 months ago

I have contacted Nextgen customer support, and they claim it’s an issue with iThemes, not their plugin.

iThemes Support
(@ithemes-support)

9 years, 5 months ago

Hi,

Could you try disabling Long URLs and Suspicious Query Strings and see if that helps?

Thanks,

Gerroald

Thread Starter mellowvision
(@mellowvision)

9 years, 5 months ago

nope. I uninstalled this plugin and will be awaiting to hear back when it’s known to be compatible. Otherwise I’ll find a better security plugin. Been nothing but problems with this plugin since the name change.

In fact, I have removed the plugin and just left the htaccess file it creates in place. This htaccess file is what breaks the Nextgen plugin. ithemes security doesn’t even need to be active. Just the htaccess is enough to break it.
Thread Starter mellowvision
(@mellowvision)

9 years, 5 months ago
I’ve had more back and forth with the developers of Nextgen, who believe that the conflict is with how iThemes Security writes the portion of the htaccess file that redirects the login URL.

Specifically, they said they didn’t understand why it was written this way, and how line 2 below wouldn’t cause conflicts with other plugins.

Here are the lines they said were causing the conflict. I’ve edited out the private details…
```
RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php
RewriteCond %{HTTP_REFERER} !^(.*)url.com/wordpressdirectory/wp-admin
RewriteCond %{HTTP_REFERER} !^(.*)url.com/wordpressdirectory/wp-login\.php
RewriteCond %{HTTP_REFERER} !^(.*)url.com/wordpressdirectory/location
RewriteCond %{HTTP_REFERER} !^(.*)url.com/wordpressdirectory/locationb
RewriteCond %{HTTP_REFERER} !^(.*)url.com/wordpressdirectory/locationc
RewriteCond %{QUERY_STRING} !^qmkjj0xqerhjkcygky4fi
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{QUERY_STRING} !^action=register
RewriteCond %{QUERY_STRING} !^action=postpass
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^.*wp-admin/?|^.*wp-login\.php /wordpressdirectory/not_found [R,L]
```
Thread Starter mellowvision
(@mellowvision)

9 years, 4 months ago

bump
AITpro
(@aitpro)

9 years, 4 months ago
Simple troubleshooting steps…

start with adding this to wp-config.php then go deeper………..
```
/** NextGen Gallery Fix **/
if ( preg_match( '/wp-login\.php/', $_SERVER['REQUEST_URI'], $matches ) ) {
	if ( ! defined( 'NGG_DISABLE_RESOURCE_MANAGER' ) ) {
		define( 'NGG_DISABLE_RESOURCE_MANAGER', true );
	}
}
```
AITpro
(@aitpro)

9 years, 4 months ago

[retract]

AITpro
(@aitpro)

9 years, 4 months ago

Oops yeah disregard. Just looked at the ithemes code again and yeah the basic troubleshooting code above wouldn’t help in any way.

Thread Starter mellowvision
(@mellowvision)

9 years, 4 months ago

would be great if this was addressed.

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘Ithemes Security conflicts with Nextgen Gallery’ is closed to new replies.