iThemes Security (formerly Better WP Security)
[Plugin: Better WP Security] Suggestion (23 posts)

  1. BigWhiteDog
    Posted 4 years ago #

Note on the plug-in description that it doesn't fully work on Windows servers.


  2. voidzero
    Posted 4 years ago #

    Cool, I propose to make this a generic "suggestions" thread.

    Here's my suggestion: add an option to deny requests to 'readme.txt' in all directories. I have been hammered by scanbots that are trying to figure out which plugins I have by scanning readme.txt files. Those files don't need world readable permissions anyway.
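One way to implement the readme.txt block in Apache, as an added example that is neither the plugin's code nor part of voidzero's post. It assumes the rules go in the WordPress root .htaccess and that AllowOverride permits access-control directives there; a <Files> section in that file also covers readme.txt in every subdirectory, which is what the suggestion asks for.

```apache
# Added example: refuse HTTP access to every readme.txt under this directory.
# Assumes this lives in the WordPress root .htaccess and AllowOverride allows it.
<Files "readme.txt">
  # Apache 2.4 and later
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 (same effect with the older directives)
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
```

A request for wp-content/plugins/<any-plugin>/readme.txt should now return 403 instead of the plugin's version header; the file stays on disk, so plugin updates that rewrite it are unaffected.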

  3. @voidzero I like the generic suggestions idea and have posted it as sticky.

    @BigWhiteDog what is the issue with Windows Servers?

  4. BigWhiteDog
    Posted 4 years ago #

I like voidzero's idea as well.

My issue (and Windows haters, I know, I know, it's what I've got for now, OK?) is that there was nothing in the plug-in description that said that a large number of the functions/changes needed would not work on Windows running IIS, even if Apache is on the server. I now have to find a PHP code-mech that I can trust to go through and fix what this plug-in couldn't.

    What could be fixed/changed works great and has helped us blunt the attack(s) we are under.

  5. @BigWhiteDog

    That's a tough one as I simply don't have any window's servers to test on. My guess is the issue is with a few path variables (I will look at trying to find them all) but I simply can't be certain...

  6. cogmios
    Posted 3 years ago #

I would like an option that turns on XML-RPC posting when logged into the site and turns it off when logging out of the site.

  7. cogmios
    Posted 3 years ago #

+ If a user has already changed the prefix of the database during the install, then grey out the option.

  8. Yaron Guez
    Posted 3 years ago #

Hi, I can't figure out how to search the forum, so I apologize if this has already been proposed.

    I'm not sure if it's possible but it would be hugely useful to disable file change detection when an administrator updates a plugin from the dashboard.


  9. dukejames27
    Posted 3 years ago #

    The following message appears within e-mails to inform a user if a file was changed or 404 was detected.
    "Please review the report below to verify changes are not the result of a comprimise."

I don't think this message should be within the e-mail, because there are no details within the e-mail or even an attachment.

  10. dukejames27
    Posted 3 years ago #

    Whether a 404 or a file change is detected, an e-mail is sent with the following message:

A file (or files) on your site at [web address] have been changed.

    I'd suggest making the e-mail specific to whatever was detected. If it was a 404, it should say 404 and if it was a file change, it should say file change. When both are detected, they should both be listed within the same e-mail.

  11. dukejames27
    Posted 3 years ago #

I'd like to suggest a way of backing up the BWPS settings. There are a great number of options which need to be configured, and although I could recover the entire WordPress database, recovering it just for the BWPS settings may cause issues.

  12. mikii
    Posted 3 years ago #


I'd like to suggest an auto-ban by login username attempt.
E.g. if you have changed the admin user, auto-ban those trying to log in as "admin" or any other custom name (e.g. part of the web address string, common words such as "God", etc.).

    Thanks for the great work!

  13. CentralTrans
    Posted 3 years ago #

I second mikii's suggestion. If they are dumb enough to try admin, they should be immediately blocked.

  14. beeeerock
    Posted 3 years ago #

@Bit51, I think it would be very useful to see the username that was attempted in the list of IPs locked out for bad login attempts (logging page). Going one step further, it would be great to have a button next to each to automagically add the offending IP to the permanent ban list! Adding the IPs manually is tedious.

    Perhaps this option could also be offered next to the bad logins themselves. Then the ones that didn't exceed the lockout threshold could also be blocked with a single click.

    Given the number of these attempts it's probably less than useful in the scheme of things, but it would at least make the admin feel better to know he's done *something* to stop them! ;-)

Out of interest, does a long list of banned IPs cause much of a performance hit?

  15. RahimTSNE
    Posted 3 years ago #

If any file changes, it shows in the log if we configure something in the detect page. I suppose there should be options (or a link) in the log page, next to every detection, so that if we find it is OK and there is no need to detect that particular file or directory any more, we just click the link and it automatically gets added to the detection settings as an exclusion. It would be useful for caching plugins and for people who are not so techy, like me.

  16. folgerj
    Posted 3 years ago #

It would be nice if the writer of the plugin actually visited his forum page... I would ask a question, but unless there is some hope of seeing answers from the developer, then what is the use?

  17. kevjon
    Posted 3 years ago #

    Just what I was thinking!
If the author of the plugin cannot provide proper support via the forum, then I have no faith in the plugin, especially as there are some very serious problems being ignored.

  18. sleeplessinDC
    Posted 3 years ago #

    Please show the IP address in the Bad Logins section. That way I can tell if someone just forgot their password or someone is trying to guess login usernames. Plus I'd like to know where all the bizarre usernames tried are coming from.

  19. vakondweb
    Posted 3 years ago #

I'd like to suggest an option with a country code, so all other countries would be denied in .htaccess by default from reaching the admin area.

    I made it like this:

    deny from all
    allow from .hu

    Very good plugin, thanks a lot!
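An added example (not the plugin's own code, and not what vakondweb posted) that scopes the same hostname rule to the admin entry points only: a bare deny/allow pair in the site root .htaccess would lock everyone outside .hu out of the whole site, not just the admin area. It uses the Apache 2.2 directives from the post and assumes a root .htaccess plus a second .htaccess inside wp-admin.

```apache
# --- /.htaccess (site root): protect the login page only ---
<Files "wp-login.php">
  Order deny,allow
  Deny from all
  # "Allow from .hu" is a hostname-suffix check, not a country check: Apache
  # does a double-reverse DNS lookup for each request to this file, and a client
  # whose IP has no matching reverse DNS record is denied even if it is in Hungary.
  Allow from .hu
</Files>

# --- /wp-admin/.htaccess: protect the dashboard directory ---
Order deny,allow
Deny from all
Allow from .hu
# Keep admin-ajax.php reachable: front-end theme and plugin features post to it.
<Files "admin-ajax.php">
  Order allow,deny
  Allow from all
</Files>
```

Test from a client whose reverse DNS name does not end in .hu before relying on it, and keep an out-of-band way (FTP/SFTP) to edit the file, since a mistake here locks the admin out too.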

  20. C S
    Posted 3 years ago #

    My suggestion is for the layout of contents of the tab "Backup":

    "Enable Scheduled Backups" yes/no with checkbox is okay.

    The words "which will be emailed to the address below" should be removed.

    The layout of the interval setting is okay.

    But...... the following options should be grouped by radio buttons, not by checkboxes. So it is clear that only one of them can be activated:

    (o) send backups by E-Mail to admin --> SHOW admin's mailaddress, read-only. Give NO input field!
    (o) send backups by E-Mail --> [input field for custom address]
    (o) keep backup files on server --> [input field for number]

    Having done this, the hint "Please note that this setting only applies if "Send Backups by Email" is not selected." can be removed.
    That's much easier to understand, I bet.

  21. Upward Creative
    Posted 3 years ago #


First of all, thanks for the great plugin.

I was wondering, though, is it possible to build an import/export functionality into the plugin?

    It would be really useful when setting up this plugin on any sites for clients.

I'm guessing it may be difficult for parts of the plugin's functionality?
But if people were able to export and then import any of their preferred settings, it would be a great time saver.

Thanks a lot for your efforts.

  22. While I'm sorry you had a bad experience, cuteandbronzed, perhaps next time you should try emailing me if you get stuck, or read one of the two articles referenced on how to completely remove the plugin should you activate a feature that conflicts with your installation. No, I don't often post in these forums; I have, however, been responding to anyone who contacts me for help through any other method. In addition, your accusation that this plugin changes core files is simply wrong. It only modifies wp-config.php and .htaccess, which are in fact considered settings files and are modified by many plugins in this repository. Both of these changes are in fact documented in the FAQ section on this site under the title "What Is Changed By Better Wp Security." Finally, I am quite clear that not all the changes in this plugin will work for every site, and therefore you must be careful of what you turn on. With over 400,000 downloads and only 32 total negative reviews and a "working" status over the majority of its history, it is clear that the plugin is helping a number of folks and that, as with all plugins of this complexity, its problems are rare but possible. For those who do encounter problems and reach out to me for help, however, not a single site has ever been harmed, and in each case the plugin was configured with the options required for the site in question.

  23. archerdata
    Posted 3 years ago #

    A host, can check the host at http://ip-adress.com/ip_tracer/ has been locked out of the WordPress site at http://scriptnurse.com/wp parmanently due to too many attempts to open a file that does not exist. You may login to the site to manually release the lock if necessary.
    A host, (you can check the host at http://ip-adress.com/ip_tracer/
    has been locked out of the WordPress site at http://mysite.com/wp PERMANENTLY due to
    too many attempts to open a file that does not exist.

    You may login to the site to manually release the lock, if necessary.

    I tried to make it more readable and to correct spelling to make it look more polished.

Topic Closed

This topic has been closed to new replies.
