Support » Plugin: iThemes Security (formerly Better WP Security) » Fix for blocking hosts behind load balancer

  • Hi all,

    We have some WP sites behind a load balancer, and the normal method of Apache blocking (Deny from 1.2.3.4) does not work.

    Instead, we use the following format:

    # this goes after Order allow,deny
    Deny from env=DenyAccess
    # then for each blocked IP:
    SetEnvIf X-Cluster-Client-Ip "^1\.2\.3\.4" DenyAccess

    Please note the \. instead of just .. This is because SetEnvIf uses regex matching, so we want to escape the . (for those not familiar with regex, it matches any single character).

    To patch WP Better Security, you need to edit a few lines (these line #’s may change in future updates!). In /wp-content/plugins/better-wp-security/inc/admin/common.php:

    Around line 316, replace:

    $rules .= "Order allow,deny" . PHP_EOL .

    with

    $rules .= "Order allow,deny" . PHP_EOL .
    "Deny from env=DenyAccess" . PHP_EOL .

    Around line 352, replace:

    $trule = "Deny from " . $dhost . PHP_EOL;

    with

    $rs_dhost = str_replace(".", "\.", $dhost);
    $trule = 'SetEnvIf X-Cluster-Client-Ip "^' . $rs_dhost . '" DenyAccess' . PHP_EOL;

    And finally, around 378, replace:

    $rules .= "Deny from " . $dhost . PHP_EOL;

    with

    $rs_dhost = str_replace(".", "\.", $dhost);
    $rules .= 'SetEnvIf X-Cluster-Client-Ip "^' . $rs_dhost . '" DenyAccess' . PHP_EOL;

    Hope this helps someone! This has been tested on Rackspace Cloud Sites, and will likely work for things like Varnish (if you’re having issues) as well.

    http://wordpress.org/extend/plugins/better-wp-security/
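
The pattern generated in the post above is anchored only at the start, so `^1\.2\.3\.4` also matches 1.2.3.40 through 1.2.3.49. The following is an added example, not code from the post or from the plugin: `build_deny_rule()` is a hypothetical helper that emits an exact-match rule for a single IPv4 address, and the sample addresses are constructed.

```php
<?php
// Added example; build_deny_rule() is a hypothetical helper, not part of the plugin.

/**
 * Build a SetEnvIf line that flags exactly one client IPv4 address.
 * Returns null for anything that is not a literal IPv4 address, so a
 * quote or space can never be written into the .htaccess rule.
 */
function build_deny_rule(string $host, string $header = 'X-Cluster-Client-Ip'): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    // preg_quote() escapes every regex metacharacter, not only the dot.
    // The trailing $ stops 1.2.3.4 from also matching 1.2.3.40 and similar.
    return 'SetEnvIf ' . $header . ' "^' . preg_quote($host, '/') . '$" DenyAccess';
}

// Constructed header values used to compare the two pattern styles.
$samples = ['1.2.3.4', '1.2.3.40', '1.2.3.41', '11.2.3.4'];

// Start-anchored pattern in the form the post generates.
$prefix = '/^' . str_replace('.', '\.', '1.2.3.4') . '/';
// Pattern anchored at both ends.
$exact  = '/^' . preg_quote('1.2.3.4', '/') . '$/';

foreach ($samples as $value) {
    printf(
        "%-10s start-anchored=%-5s exact=%s\n",
        $value,
        preg_match($prefix, $value) ? 'deny' : 'allow',
        preg_match($exact, $value) ? 'deny' : 'allow'
    );
}

// A valid address yields a rule line; a malformed value yields null.
echo build_deny_rule('1.2.3.4'), PHP_EOL;
var_dump(build_deny_rule('1.2.3.4" DenyAccess'));
```

A rule built this way is only as trustworthy as the header it reads: it assumes the load balancer sets X-Cluster-Client-Ip itself and discards any copy of that header sent by the client.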

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hello, has this been fixed in the latest version? Or do we have to do a patch for sites behind a load balancer?

  • Yes ds123, I just looked through inc/admin/common.php and it appears that these changes have been integrated into the plugin.

    Cheers!

  • The topic ‘Fix for blocking hosts behind load balancer’ is closed to new replies.