iThemes Security (formerly Better WP Security)
Fix for blocking hosts behind load balancer (3 posts)

  1. bcorcoran
    Posted 2 years ago #

    Hi all,

    We have some WP sites behind a load balancer, and the normal method of Apache blocking (Deny from does not work.

    Instead, we use the following format:

    # this goes after Order allow,deny
    Deny from env=DenyAccess
    # then for each blocked IP:
    SetEnvIf X-Cluster-Client-Ip "^1\.2\.3\.4" DenyAccess

    Please note the \. instead of just .. This is because SetEnvIf uses regex matching, so we want to escape the . (for those not familiar with regex, it matches any single character).

    To patch WP Better Security, you need to edit a few lines (these line #'s may change in future updates!). In /wp-content/plugins/better-wp-security/inc/admin/common.php:

    Around line 316, replace:

    $rules .= "Order allow,deny" . PHP_EOL .


    $rules .= "Order allow,deny" . PHP_EOL .
    "Deny from env=DenyAccess" . PHP_EOL .

    Around line line 352, replace:

    $trule = "Deny from " . $dhost . PHP_EOL;


    $rs_dhost = str_replace(".", "\.", $dhost);
    $trule = 'SetEnvIf X-Cluster-Client-Ip "^' . $rs_dhost . '" DenyAccess' . PHP_EOL;

    And finally, around 378, replace:

    $rules .= "Deny from " . $dhost . PHP_EOL;


    $rs_dhost = str_replace(".", "\.", $dhost);
    $rules .= 'SetEnvIf X-Cluster-Client-Ip "^' . $rs_dhost . '" DenyAccess' . PHP_EOL;

    Hope this helps someone! This has been tested on Rackspace Cloud Sites, and will likely work for things like Varnish (if you're having issues) as well.


  2. ds123
    Posted 1 year ago #

    hello has this been fixed in latest version? or do we have to do a patch for sites behind load balancer?

  3. bcorcoran
    Posted 1 year ago #

    Yes ds123, I just looked through inc/admin/common.php and it appears that these changes have been integrated into the plugin.


Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic


No tags yet.