Support » Plugin: iThemes Security (formerly Better WP Security) » Better WordPress Security BulletProof Security issue.

  • Zaek

    (@zaek)


    I had some issues getting BulletProof Security to work with BWP. I had to disable:

    #11 Your .htaccess file is partially secured. ..click to fix.

    #17 wp-config.php and .htaccess are writeable. ..click to fix.

    And also all of the server tweaks.

    Now that I have it working, “with the above disabled”, I cannot get *Hide backend – Admin Slug to change, save, or do anything; it just appears to save, and when I try to log in with the new URL it drops an unknown page error. If I try with the default, it lets me log in.

    http://wordpress.org/plugins/better-wp-security/

Viewing 15 replies - 1 through 15 (of 30 total)
  • AITpro

    (@aitpro)

    This code will do what you are looking for:

    Another method to allow your Login page to be only accessible to you…

    …would be to add this function to your Theme’s functions.php file. In this example you would need to enter: http://www.example.com/wp-login.php?mySecretString=foobar to gain access to your login page. You would of course change “mySecretString=foobar” to whatever you want for your secret Query String.

    // Simple Query String Login page protection
    // Change these two values to your own secret query string name and value.
    define( 'EXAMPLE_LOGIN_SECRET_KEY', 'mySecretString' );
    define( 'EXAMPLE_LOGIN_SECRET_VALUE', 'foobar' );

    // Hooked on login_init, which runs before wp-login.php sends any output;
    // on login_head the page has already started, so header() cannot redirect.
    function example_simple_query_string_protection_for_login_page() {
        $given = isset( $_GET[ EXAMPLE_LOGIN_SECRET_KEY ] ) ? (string) $_GET[ EXAMPLE_LOGIN_SECRET_KEY ] : '';

        // Compare only the parameter value, not a rebuilt URL, so http/https or
        // a www prefix in site_url() cannot make the check fail.
        if ( hash_equals( EXAMPLE_LOGIN_SECRET_VALUE, $given ) ) {
            return; // secret present: let the login page load
        }

        // No or wrong secret: send the visitor to the home page and stop.
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
    add_action( 'login_init', 'example_simple_query_string_protection_for_login_page' );

    // Keep the secret on every wp-login.php URL WordPress builds (form action,
    // logout and lost-password links), otherwise submitting the form is blocked too.
    function example_keep_secret_on_login_urls( $url, $path ) {
        if ( false !== strpos( $path, 'wp-login.php' ) ) {
            $url = add_query_arg( EXAMPLE_LOGIN_SECRET_KEY, EXAMPLE_LOGIN_SECRET_VALUE, $url );
        }
        return $url;
    }
    add_filter( 'site_url', 'example_keep_secret_on_login_urls', 10, 2 );

    Zaek

    (@zaek)

    thanks much!

    I got it working by copying the rewrites section in the Better WP Security dashboard and adding it to the rewrites section for custom code. Not sure if this would cause issues down the road or not, as I read somewhere else that Better WP Security’s rewrite code is *not written correctly. But for now it works.

    Should I delete that code, and try the above mentioned?

    I’ll have to buy your product when I have the money. You’re offering support when Better WP Security does not, and it’s not even your product; that says a lot.

    AITpro

    (@aitpro)

    LOL I just happened to find this thread in a Google search because of the “BulletProof Security” text. 😉 Definitely not trying to take on supporting any other plugins since I have my hands full already and this was not a tactic or hidden agenda of any kind. The information you posted was very useful so I grabbed it and also saved this link for future reference. One of these days I will do a full test and document everything that is an issue between the 2 plugins.

    Yep, I believe BWPS adds its .htaccess code outside of the WordPress rewrite loop so that .htaccess code would not do anything past the first URL rewrite level.

    /first level/second level/third level/

    Anyway, what the code above does, if you have a website where you do not allow anyone to register, log in or post comments, is prevent anyone else from being able to log into your site. Your /wp-admin area will also be protected with this code.

    wtwp

    (@wtwp)

    Hi AITpro,

    I have just read your comment and I’m thinking of disabling ‘anyone can register’ on my site.
    I came here because I wanted to add BWS to my site as I already have BPS to see if there would be any conflict.

    You see, in the last 24 hours I have had an influx of subscribers to my site through /wp-admin. Their names and emails are fictitious and they never contribute anything to the site, based on previous subscribers. So I’m wondering why bother to register anyway. I have DISQUS, but they won’t use it.

    I don’t want to cause any problem by installing BWS and find that my site is gone.

    Is it advisable to totally disable ‘anyone can register’ in the backend? This way, I can have my peace.

    Thank you in advance.

    AITpro

    (@aitpro)

    Yep, if you do not want anyone except for you to be able to log into your site, then yep, turn off “anyone can register” on your site. If your IP address stays fairly constant (3 octets are always the same IP address numbers) then you can use the IP based protection for your site: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    We are using the IP based protection on several testing sites so that no one but us can login to those testing sites.
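
    An added example of the kind of .htaccess rule AITpro describes, restricting wp-login.php to addresses whose first three octets match. This is not the code from the linked AITpro forum topic; 203.0.113 is a placeholder to replace with the first three octets of your own current public IP, which is worth checking before enabling the rule, since a wrong value locks you out with a 403 on the login page.

    ```apache
    # Restrict wp-login.php to one /24 (first three octets fixed, last octet free).
    # Replace 203.0.113 with the first three octets of YOUR current public IP.
    <Files "wp-login.php">
        # Apache 2.4 and later
        <IfModule mod_authz_core.c>
            Require ip 203.0.113.0/24
        </IfModule>
        # Apache 2.2
        <IfModule !mod_authz_core.c>
            Order Deny,Allow
            Deny from all
            Allow from 203.0.113.
        </IfModule>
    </Files>
    ```

    If your IP changes outside that range, remove the block via FTP or the host’s file manager to regain access, as advised further down this thread.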

    wtwp

    (@wtwp)

    Thanks, I have just done that and also followed the instructions on the brute force login attack.

    The other thing I didn’t do though is ‘http://www.example.com/wp-login.php?mySecretString=foobar’ because I don’t know how to access this bit. It is not visible. I don’t want to mess about with the style.css. I’m not comfortable doing it.

    Is it worth deleting those users you reckon?

    AITpro

    (@aitpro)

    The IP based protection is used instead of doing the Simple Query String login protection so you are good to go and would not need to also add that.

    wtwp

    (@wtwp)

    Ok.
    Do I delete the registered subscribers or will they be prevented from logging in since I have modified the login system?

    Thanks again 🙂

    AITpro

    (@aitpro)

    Either way is fine since no one can login to your site except for you. So that choice is up to you.

    wtwp

    (@wtwp)

    I tried to log out, but this is the message I’m getting.
    I also tried to login with a different administrator user name, still the same error 🙁

    *****************
    mysite.com 403 Forbidden Error Page

    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.

    ******************

    Is there any quick fix for this?

    AITpro

    (@aitpro)

    FTP to your website and remove the IP address blocking code from your root .htaccess file. I assume it is incorrect.

    AITpro

    (@aitpro)

    Then log back into your site and either permanently remove the IP based login protection code or correct the mistake. Most likely you have entered in the wrong IP address or you cannot use this code if your IP address octets change frequently.

    wtwp

    (@wtwp)

    Well, I have deleted it through server file manager.
    Would you be amending the code to the right one?

    AITpro

    (@aitpro)

    The code works fine, but I don’t recommend that you use it because this code assumes that you are fairly tech-savvy. No offense meant, so I hope that I do not offend you. 😉

    wtwp

    (@wtwp)

    No offence at all.
    I made it clear I’m not that techie, but can deal with a minimal cut and paste or straightforward things.

    If the code works fine, and I followed the instructions, I wonder why it came up with the error.

    Anyway, I have deleted the users and disabled subscriber registration.

    Thanks for your time.
