Support » Plugin: iThemes Security (formerly Better WP Security) » Ban List Allowing Banned user free access

Viewing 15 replies - 1 through 15 (of 18 total)
  • I’m seeing something like this too. But it goes like this…

    Attacker attacks site.
    BWPS bans IP address of attacker.
    Attacker attacks again after ban timeout.
    BWPS adds IP address of attacker to .htaccess.
    After ban timeout, attacker can attack again.

    I think what might be happening (I don’t have enough access to the server to test this) is that the attacker is using a proxy server. BWPS is banning the client’s real IP address, but what Apache sees as the connection IP address is the proxy IP address, so the connection isn’t dropped.

    Since BWPS seems to use the real client IP address, I worked around this by manually editing the BWPS lock-out in MySQL and setting the timeout in the database to 20 years in the future.

    For what it's worth…

    I see them probing wp-admin and other parts that normal visitors don't.

    I put them on the Ban List.

    Then I see them access 10 similar areas….

    I see them because my “Latest Visitors” list shows the IP I've banned and their click trail.
    My Recent Visitors list in Logaholic shows the IP I've banned.
    My Last Visitors in Awstats shows the IP address.

    So… the hosting company sure sees them, since they are reporting them to me…

    But this plugin is not seeing them, or stopping them. This is a Problem for me.

    The part I really love… is when they are on the ban list and then I see the IP address on the lockout list for too many 404s.

    That's the part that makes me wonder why I even bother religiously looking and banning those attempting to gain access…

    If the ban list isn't going to stop them, what's the point of adding the IP to the list?

    I looked at the BWPS code to see how it is getting the IP address of the visitor. This is what I found…

    //Get the forwarded IP if it exists
    if ( array_key_exists( 'X-Forwarded-For', $headers ) ) {
    	$theIP = $headers['X-Forwarded-For'];
    } else {
    	$theIP = $_SERVER['REMOTE_ADDR'];
    } // closing brace of the if/else, cut off in the original quote

    As I read this, if the attacker is using a proxy server, BWPS is ignoring that and using the actual user’s IP address.

    I don’t know about your logging software, maybe it also gives the user’s actual IP address instead of the proxy IP address (for logging access, that makes sense to me).

    Maybe there is a way to configure Apache to use “X-Forwarded-For” headers when evaluating “deny from” directives in .htaccess. More research is required…

    But, I don't think it would be wise for BWPS (or anything else) to start banning proxy server IP addresses. That could cause an unintended DoS for legitimate users behind a proxy.

    Also, banning an IP address forever might not be the best policy either. If someone is attacking with a dynamically allocated IP address, as soon as that address is recycled and used by someone else, they are banned even if they are a legitimate user.

    It might be better to turn off the ban permanently feature and just use a really long ban period (like 24 hours). Since BWPS seems to actually work when it is managing the lockout (as opposed to a .htaccess directive) you should get a good compromise.

    I think I’ve found another workaround (this works for me since I only have one attacker that is apparently using a proxy). Instead of adding…

    Deny from

    to .htaccess (where, of course, is the IP address of your attacker), add this instead…

    SetEnvIf X-Forwarded-For denyclient
    SetEnvIf X-Forwarded-For "^123\.123\.123\.*" denyclient
    deny from env=denyclient

    Put this in at the end of the list that BWPS maintains. Two examples are shown. The first one is for a specific IP address. The second one shows a search string to search for a range of IP addresses.



    Not very sure, but here is some information I hope can help:

    When someone is trying to hack your website, this plugin will try to detect it. For login attempts, you can configure it under Security > Login Limits. For vulnerability scanning, you can configure it under Security > Intrusion Detection.

    This plugin will monitor the IPs of detected attacks; if they repeat the attack several times within a certain period, they will be blocked temporarily.

    The blocked IP will be able to access the website again after several minutes, hours or days. But if the IP comes back and causes trouble again, after being blocked several times it will go to the banned user list.

    If the IP is in the banned user list, it won't be able to access your website unless you release it.

    The flow is like this:
    Bad Visitors > Temporary Lockout (blocked) > Blacklist (banned)

    Checking htaccess – the IP addresses are listed, but doesn't seem to matter

    Some web hosts might not be able to support .htaccess; you should contact your web host and ask them about this issue, because this plugin has already done what it should, that is, banning the IPs by listing them in the .htaccess file.

    The majority of the addresses that are in the ban list are there because I added them to the list manually.

    I check often to see who has accessed the site; it's not advertised, nor am I currently trying to let people know about it.

    Visitors currently have just “Found it” on their own.

    I add the IP addresses to the list that have click trails that go to areas indicating they are trying to break in. So… I ban that IP address.

    My host supports this. I have seen in the error logs IP addresses that are on the list that have been blocked by the host.

    So, your statement, Handoko: “this plugin has already done what it should, that is banning the IPs by listing it into .htaccess file.”

    is inaccurate, as I have placed the IP address in the list.



    Interesting. I'd like to solve the mystery. Let's not argue but perform tests. We can't say for sure whether it works or not. So the best thing to do is to perform some tests to find out whether it works or not. Have you asked a friend (if you want, I can do it) to perform the test?

    The tests could be like this:

    1. Someone (for example: me) will try to hack your website multiple times until the IP gets locked out from your website.

    2. After it is released (which happens automatically), it should come back and attack again until it generates multiple lockouts and goes to the ban list.

    3. Then check and see whether the IP is in the .htaccess.

    My IP is from Indonesia. Contact me if you would like me to start. But unfortunately, today I'm busy; I'm not going to be online until tomorrow.

    You need to know that if you want to start the tests, you should configure the settings more strictly, because the default settings are very tolerant (I think).

    Handoko, try reading my posts above. This is happening because the attacker is using a proxy server and BWPS is not using the correct directive in the .htaccess file to stop it. BWPS needs some redesign to fix this problem.

    Minerlman, did you try the SetEnvIf trick I showed above?



    Okay, I think what you're talking about is IP spoofing:

    I suggest you contact the author directly, or I'm afraid the developer won't see your post. They're busy; I hope you understand, they don't check this forum too often.

    No. It is not IP spoofing. It is just an attacker using a proxy server. Read this instead…

    BWPS is simply not adding the correct commands to the .htaccess file to stop the attacker.

    I have not tried your solution. I am not sure how or where to add that to the htaccess file. That file is a wall of text. I can obviously access the file; I have about 60 IP addresses in that file.

    From all over the world mostly, very few domestic US IPs.

    At the beginning, at the end, without spaces as the rest of the file appears, 3 lines?? I am more of a guy with a plugin than a developer type.

    The rest of the plugin features work fine: lockouts, hiding login, etc. I don't want to add code that may disrupt the things that do work.

    So… I am a little stuck here.

    Sorry I did not get back to you sooner. The BWPS section of the .htaccess file should start at or near the top of that file with this…

    # BEGIN Better WP Security

    …and it ends with this…

    # END Better WP Security

    Any line that starts with # is just a comment to help document the file. In between those two comments is the section that denies access to IP addresses. It starts with something like this…

    # Abuse bot blocking rule end
    # End Blacklist
    Order allow,deny
    Allow from all

    (note: If you do not have the blacklist option enabled, those first two lines won't be there, just the last two)

    These lines are followed by all the IP address banning directives. For example…

    Deny from
    Deny from
    Deny from

    When you don’t see any more “Deny from” lines, that is the end of that section and the start of something else.

    I’ve rethought my original advice. It looks like it is a bad idea to add your own stuff in between the “# BEGIN Better WP Security” and “# END Better WP Security” comments. So, just add your stuff after the “# END Better WP Security” comment.

    For example, let’s say you are seeing IP address still accessing your web site even though it is in the ban list. The end of the BWPS section of the file should look like this…

    # END Better WP Security
    SetEnvIf X-Forwarded-For denyclient
    deny from env=denyclient

    You can add as many of the “SetEnvIf X-Forwarded-For” lines as you want. Just replace the IP address with a different one and make sure you have the “denyclient” part after it. Make sure you always keep “deny from env=denyclient” as the last line.

    Here is what this is doing: “SetEnvIf” (Set Environment variable If true) will set a temporary value if the test condition following it is true. “X-Forwarded-For” is a bit of text that is sent by proxy servers that gives the actual IP address that is making the request for a web page. The “denyclient” can be anything; it's just the name of the temporary value being created if the test was true. The “deny from env=denyclient” tells the web server to deny access if any of the previous tests came back as true. (It is checking to see if an environment variable named “denyclient” exists. If it does, it means one of the IP tests was true, so it denies the connection.)

    I hope that helps.
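As an added illustration (not code from the thread or from the plugin), this Python model of the two points made above, the BWPS IP lookup quoted earlier and the SetEnvIf workaround just explained, shows why a proxied client's address lands in the ban list while a “Deny from” line never matches it, and why the SetEnvIf rule does; the addresses and header values are constructed samples.

```python
import re

# Constructed sample request: the client connects through a proxy, so Apache's
# REMOTE_ADDR is the proxy and the real client only appears in X-Forwarded-For.
PROXY_ADDR = "203.0.113.77"      # constructed proxy address
CLIENT_ADDR = "198.51.100.23"    # constructed client address behind the proxy
SAMPLE_REQUEST = {
    "REMOTE_ADDR": PROXY_ADDR,
    "headers": {"X-Forwarded-For": CLIENT_ADDR},
}


def bwps_client_ip(remote_addr, headers):
    """Mirror the BWPS logic quoted in the thread: X-Forwarded-For if present,
    else REMOTE_ADDR. The raw header value is used as-is, like the quoted PHP."""
    if "X-Forwarded-For" in headers:
        return headers["X-Forwarded-For"]
    return remote_addr


def deny_from_blocks(ban_list, remote_addr):
    """Apache 'Deny from <ip>' compares only the connecting address, which for a
    proxied request is the proxy, not the address BWPS wrote into the list."""
    return remote_addr in ban_list


def setenvif_xff_blocks(patterns, headers):
    """'SetEnvIf X-Forwarded-For <regex> denyclient' sets the variable when the
    regex matches the header; 'deny from env=denyclient' then refuses the
    request. Any matching pattern suffices, as with the stacked lines in the
    thread. X-Forwarded-For is client-supplied unless a trusted proxy in
    front of Apache sets it, so a rule keyed on it is only as good as that proxy."""
    xff = headers.get("X-Forwarded-For", "")
    return any(re.search(p, xff) for p in patterns)


def evaluate(request, ban_list, xff_patterns):
    """Report which address BWPS would ban and whether each .htaccess approach
    actually blocks the request."""
    banned = bwps_client_ip(request["REMOTE_ADDR"], request["headers"])
    return {
        "bwps_bans": banned,
        "deny_from_blocks": deny_from_blocks(ban_list, request["REMOTE_ADDR"]),
        "setenvif_blocks": setenvif_xff_blocks(xff_patterns, request["headers"]),
    }


if __name__ == "__main__":
    # The ban list holds exactly what BWPS recorded, yet 'Deny from' misses.
    print(evaluate(SAMPLE_REQUEST, {CLIENT_ADDR}, [r"^198\.51\.100\.23$"]))
```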
