Viewing 8 replies - 1 through 8 (of 8 total)
  • I could really do with some help on this one please, guys, it’s urgent now…?

    Have you tried this:

    Fixing iThemes Security Lockouts

    dwinden

    Nope, not this issue, my IP is not in this table; thank you for your help though, really appreciate it 🙂

    Can I try the URL that you are using?
    Wondering what message you get (if at all) …
    Not much info to go on …

    dwinden

    Yeah, sure. I changed the base login URL in the iThemes setting to be ee-admin, so the URL should be

    http://www.estillomarketing.com/ee-admin & this was working before I upgraded the version of WordPress. After I had done the update it was working fine until I logged out. Then I couldn’t get back in.

    The .htaccess file also has this info in it:

    # BEGIN Better WP Security
    <IfModule mod_rewrite.c>
    RewriteEngine On
    
    RewriteRule ^ee-login/?$ /wp-login.php?awxz3zc03winl3fq0gwcr [R,L]
    
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^ee-admin/?$ /wp-login.php?awxz3zc03winl3fq0gwcr&redirect_to=/wp-admin/ [R,L]
    
    RewriteRule ^ee-admin/?$ /wp-admin/?awxz3zc03winl3fq0gwcr [R,L]
    
    RewriteRule ^ee-register/?$ /wp-login.php?awxz3zc03winl3fq0gwcr&action=register [R,L]
    
    RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php
    RewriteCond %{HTTP_REFERER} !^(.*)estillomarketing.com/wp-admin
    RewriteCond %{HTTP_REFERER} !^(.*)estillomarketing.com/wp-login\.php
    RewriteCond %{HTTP_REFERER} !^(.*)estillomarketing.com/ee-login
    RewriteCond %{HTTP_REFERER} !^(.*)estillomarketing.com/ee-admin
    RewriteCond %{HTTP_REFERER} !^(.*)estillomarketing.com/ee-register
    RewriteCond %{QUERY_STRING} !^awxz3zc03winl3fq0gwcr
    RewriteCond %{QUERY_STRING} !^action=logout
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{QUERY_STRING} !^action=register
    RewriteCond %{QUERY_STRING} !^action=postpass
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^.*wp-admin/?|^.*wp-login\.php /not_found [R,L]
    
    RewriteCond %{QUERY_STRING} ^loggedout=true
    RewriteRule ^.*$ /wp-login.php?awxz3zc03winl3fq0gwcr [R,L]
    </IfModule>
    # END Better WP Security

    OK, I can work with that info …

    I think upgrading WP has invalidated the old rewrite rules in .htaccess.

    Try replacing the following 3 lines:

    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^ee-admin/?$ /wp-login.php?awxz3zc03winl3fq0gwcr&redirect_to=/wp-admin/ [R,L]

    RewriteRule ^ee-admin/?$ /wp-admin/?awxz3zc03winl3fq0gwcr [R,L]

    with:

    RewriteRule ^(/)?ee-admin/?$ /wp-login.php [QSA,L]

    in .htaccess.

    Then access http://www.estillomarketing.com/ee-admin

    Still some extra questions in case we are not moving forward:

    From what WordPress version and to what WordPress version did you upgrade?

    Are you using the free or Pro version of the iThemes Security plugin?
    And are you on version 4.5.6 of the plugin?

    Any idea what awxz3zc03winl3fq0gwcr is?

    And last but not least, what browser are you using?

    dwinden

    A little knowledge goes a long way. I had thought there was an issue with the .htaccess, but when you mentioned it may be that it had not been updated, I checked it against another site I have updated recently that works. Here is what I found.

    .htaccess file that didn’t work

    # BEGIN Better WP Security
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^ee-login/?$ /wp-login.php?awxz3zc03winl3fq0gwcr [R,L]
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^ee-admin/?$ /wp-login.php?awxz3zc03winl3fq0gwcr&redirect_to=/wp-admin/ [R,L]
    RewriteRule ^ee-admin/?$ /wp-admin/?awxz3zc03winl3fq0gwcr [R,L]
    RewriteRule ^ee-register/?$ /wp-login.php?awxz3zc03winl3fq0gwcr&action=register [R,L]
    RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php
    RewriteCond %{HTTP_REFERER} !^(.*)estillomarketing.com/wp-admin
    RewriteCond %{HTTP_REFERER} !^(.*)estillomarketing.com/wp-login\.php
    RewriteCond %{HTTP_REFERER} !^(.*)estillomarketing.com/ee-login
    RewriteCond %{HTTP_REFERER} !^(.*)estillomarketing.com/ee-admin
    RewriteCond %{HTTP_REFERER} !^(.*)estillomarketing.com/ee-register
    RewriteCond %{QUERY_STRING} !^awxz3zc03winl3fq0gwcr
    RewriteCond %{QUERY_STRING} !^action=logout
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{QUERY_STRING} !^action=register
    RewriteCond %{QUERY_STRING} !^action=postpass
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^.*wp-admin/?|^.*wp-login\.php /not_found [R,L]
    
    RewriteCond %{QUERY_STRING} ^loggedout=true
    RewriteRule ^.*$ /wp-login.php?awxz3zc03winl3fq0gwcr [R,L]
    </IfModule>
    # END Better WP Security

    .htaccess file that does work

    # BEGIN iThemes Security
    
    	# BEGIN Hide Backend
    			# Rules to hide the dashboard
    			RewriteRule ^(/)?ee-admin/?$ /wp-login.php [QSA,L]
    
    	# END Hide Backend
    	# BEGIN Tweaks
    		# Rules to block access to WordPress specific files
    		<files .htaccess>
    			Order allow,deny
    			Deny from all
    		</files>
    		<files readme.html>
    			Order allow,deny
    			Deny from all
    		</files>
    		<files readme.txt>
    			Order allow,deny
    			Deny from all
    		</files>
    		<files install.php>
    			Order allow,deny
    			Deny from all
    		</files>
    		<files wp-config.php>
    			Order allow,deny
    			Deny from all
    		</files>
    
    		# Rules to disable directory browsing
    		Options -Indexes
    
    		<IfModule mod_rewrite.c>
    			RewriteEngine On
    
    			# Rules to protect wp-includes
    			RewriteRule ^wp-admin/includes/ - [F]
    			RewriteRule !^wp-includes/ - [S=3]
    			RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
    			RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    			RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    			RewriteRule ^wp-includes/theme-compat/ - [F]
    
    			# Rules to prevent php execution in uploads
    			RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]
    
    			# Rules to block unneeded HTTP methods
    			RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
    			RewriteRule ^(.*)$ - [F]
    
    			# Rules to block suspicious URIs
    			RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    			RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
    			RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
    			RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    			RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
    			RewriteCond %{QUERY_STRING} http\:  [NC,OR]
    			RewriteCond %{QUERY_STRING} https\:  [NC,OR]
    			RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    			RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    			RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    			RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
    			RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    			RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    			RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
    			RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    			RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
    			RewriteCond %{QUERY_STRING} !^loggedout=true
    			RewriteCond %{QUERY_STRING} !^action=jetpack-sso
    			RewriteCond %{QUERY_STRING} !^action=rp
    			RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    			RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
    			RewriteRule ^(.*)$ - [F]
    
    			# Rules to block foreign characters in URLs
    			RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
    			RewriteRule ^(.*)$ - [F]
    
    			# Rules to help reduce spam
    			RewriteCond %{REQUEST_METHOD} POST
    			RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
    			RewriteCond %{HTTP_REFERER} !^(.*)co.uk.*
    			RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
    			RewriteCond %{HTTP_USER_AGENT} ^$
    			RewriteRule ^(.*)$ - [F]
    		</IfModule>
    	# END Tweaks
    # END iThemes Security

    As you can see they have completely changed how it works, so the old .htaccess file would never have worked. Thank you for your help; it pointed me in the right direction.

    OK, great. Glad I could help.

    To prevent issues like these from occurring I think it would help when the first (comment) line includes iTSec Plugin and WP version numbers like so:

    # BEGIN iThemes Security 4.5.6 – (WP 4.1)

    This way you can easily determine how up to date the iTSec Plugin entries in .htaccess are. No one is stopping you from putting these versions in manually.
    It would be better though if the iTSec Plugin did this for you (Chris?).

    As a side note: Looks like there is an iTSec Plugin 4.5.8 update since yesterday.

    Oh and don’t forget to change the ee-admin slug since it is public info now … 😉
    On the other hand when iTSec Plugin is doing its work properly, who cares …

    dwinden
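The check dwinden proposes above (annotating the BEGIN marker with plugin and WordPress versions so stale rules can be spotted) can be automated. The script below is an added example, not code from the thread or from the iThemes Security plugin: it parses the nested `# BEGIN <name>` / `# END <name>` blocks of a WordPress .htaccess, flags the legacy "Better WP Security" block that the pre-rename plugin wrote (the stale file in this thread), and, when the BEGIN line carries the suggested `<plugin version> – (WP <version>)` annotation, compares it with the versions actually installed. The annotation format is an assumption taken from the suggestion in the thread, not something the plugin writes itself, and both .htaccess files inside the script are constructed, abbreviated samples.

```python
"""Added example: audit the iThemes Security marker block in a WordPress .htaccess.

Assumptions (not from the plugin): the BEGIN line may carry the annotation
'# BEGIN iThemes Security <plugin ver> – (WP <ver>)' suggested in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

BEGIN_RE = re.compile(
    r"^\s*#\s*BEGIN\s+(?P<name>.+?)"                       # block name
    r"(?:\s+(?P<plugin>\d+(?:\.\d+)+))?"                    # optional plugin version
    r"(?:\s+[\u2013-]\s+\(WP\s+(?P<wp>\d+(?:\.\d+)+)\))?"   # optional '– (WP 4.1)'
    r"\s*$"
)
END_RE = re.compile(r"^\s*#\s*END\s+(?P<name>.+?)\s*$")

LEGACY_MARKER = "Better WP Security"   # written by the plugin before its rename
CURRENT_MARKER = "iThemes Security"    # written by the renamed plugin


@dataclass
class Block:
    name: str
    plugin_version: Optional[str]
    wp_version: Optional[str]
    start: int                 # 1-based line number of the BEGIN marker
    end: Optional[int] = None  # 1-based line number of the matching END marker
    body: List[str] = field(default_factory=list)


def parse_version(v: str) -> tuple:
    """'4.5.6' -> (4, 5, 6) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def parse_blocks(text: str) -> List[Block]:
    """Return every BEGIN/END block, nested ones included, in file order."""
    blocks: List[Block] = []
    stack: List[Block] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = BEGIN_RE.match(line)
        if m:
            blk = Block(m["name"], m["plugin"], m["wp"], lineno)
            stack.append(blk)
            blocks.append(blk)
            continue
        m = END_RE.match(line)
        if m:
            if not stack or stack[-1].name != m["name"]:
                raise ValueError(f"line {lineno}: END {m['name']!r} without matching BEGIN")
            stack.pop().end = lineno
            continue
        for blk in stack:          # a rule line belongs to every block enclosing it
            blk.body.append(line)
    if stack:
        raise ValueError(f"BEGIN {stack[-1].name!r} at line {stack[-1].start} never closed")
    return blocks


def audit(text: str, installed_plugin: str, installed_wp: str) -> List[str]:
    """Return findings; an empty list means the block looks current."""
    findings: List[str] = []
    blocks = parse_blocks(text)
    names = [b.name for b in blocks]
    if LEGACY_MARKER in names:
        findings.append(f"legacy '{LEGACY_MARKER}' block present: written by the old "
                        "plugin and not maintained by the current one; regenerate the rules")
    current = [b for b in blocks if b.name == CURRENT_MARKER]
    if not current:
        findings.append(f"no '{CURRENT_MARKER}' block found")
        return findings
    blk = current[0]
    if blk.plugin_version is None or blk.wp_version is None:
        findings.append("BEGIN line carries no version annotation; cannot tell how old the rules are")
        return findings
    if parse_version(blk.plugin_version) < parse_version(installed_plugin):
        findings.append(f"rules were written by plugin {blk.plugin_version} but "
                        f"{installed_plugin} is installed; regenerate the rules")
    if parse_version(blk.wp_version) < parse_version(installed_wp):
        findings.append(f"rules were written for WordPress {blk.wp_version} but "
                        f"{installed_wp} is installed; re-check them after the upgrade")
    return findings


# Constructed sample: the stale file from the thread, abbreviated (token replaced).
LEGACY_HTACCESS = """\
# BEGIN Better WP Security
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^ee-login/?$ /wp-login.php?SECRET_TOKEN_PLACEHOLDER [R,L]
</IfModule>
# END Better WP Security
"""

# Constructed sample: the working file, with the annotation the thread suggests.
ANNOTATED_HTACCESS = """\
# BEGIN iThemes Security 4.5.6 – (WP 4.1)
    # BEGIN Hide Backend
        # Rules to hide the dashboard
        RewriteRule ^(/)?ee-admin/?$ /wp-login.php [QSA,L]
    # END Hide Backend
# END iThemes Security
"""

if __name__ == "__main__":
    for sample in (LEGACY_HTACCESS, ANNOTATED_HTACCESS):
        for finding in audit(sample, installed_plugin="4.5.8", installed_wp="4.1") or ["ok"]:
            print(finding)
```

Run against the real file with the plugin and WordPress versions shown in the dashboard; a "legacy block present" or "written by plugin X but Y is installed" finding is the signal that the Hide Backend rules need regenerating from the plugin settings rather than hand-patching.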

  • The topic ‘Locked out’ is closed to new replies.