iThemes Security (formerly Better WP Security)
[resolved] Suggestions and BWPS 4.0 (82 posts)

  1. Hi everyone,

    Thank you all for the support of this plugin! I am working hard on the next major release which I hope to have out by WordCamp Miami in early April. So far I have the following on the feature list:

    * Import-export function
    * Better division of basic/advanced options
    * Two-factor auth
    * Admin action logging
    * Improved documentation and commenting
    * Improved performance of existing features
    * A new way of providing support

    As for the latter, it's no secret that I haven't been monitoring these forums often and, frankly, I do not plan to change that in the future. What I will be moving to will be a paid support option similar to the models in place by W3 Total Cache and other plugins. In this scenario the forums themselves will continue to function as a community supported knowledge base with this single suggestions thread monitored by me.

    In addition, if anyone would like to contribute features, code, etc., I am in particular need of IIS compatibility as I don't have the experience with IIS to add it myself. I've moved development of the project to GitHub at https://github.com/ChrisWiegman/Better-WP-Security and will gladly include any provided patches or additions while providing proper recognition to those who contribute.

    Finally, please keep your comments in this thread to suggestions only. If you are stuck, search the forums, look at the FAQ, or get in touch with me outside of the forums. I've been hard at work providing free support to anyone who asks and I do not plan on changing that model until 4.0 comes out.

    Chris Wiegman
    Better WP Security


  2. HCE
    Posted 3 years ago #

    Hi Chris!

    Great plugin! Thanks for all your hard work on it. I just have one suggestion:

    The "Hide Backend" feature should hide the backend url until logged in.

    For example, if the option is selected to "Hide Backend", and the login url is changed to /login/, as opposed to /wp-login.php/, then when you go to /login/ it should not redirect to /wp-login.php?"secret key"/. Any site visitor who may stumble upon the login url will see the secret key, and know it's a WordPress backend. This should not be revealed to visitors not logged in.

    Sean Fisher's "Lockdown WP Admin" plugin (http://wordpress.org/extend/plugins/lockdown-wp-admin/) hides both the /wp-admin/ and /wp-login.php/ until the user is logged in. When using this plugin, if the login url is changed to /login/, as opposed to /wp-login.php/ it does not redirect, as your "Better WP Security" plugin does. It stays on the /login/ url until the user is logged in.

    It would improve your "Hide Backend" feature if you incorporated this from "Lockdown WP Admin".

  3. HCE
    Posted 3 years ago #

    Also, instead of /wp-admin/ being redirected to /not_found?redirect_to=http%253A%252F%252Fwww.yourwebsite.com%252Fwp-admin%252F&reauth=1, it should just stay on the /wp-admin/ url and return a 404 page.

  4. Molandra
    Posted 3 years ago #

    I'm using the Cimy Swift SMTP plugin, and it does not work for e-mail backups from Better WP Security. It would be great if these two plugins were compatible.

  5. reiniggen
    Posted 3 years ago #

    Please remove all the apple-touch-icon-xxx.png from your 404 tracking and logs - nobody needs it. It just blocked all iOS users on our sites, and it has nothing to do with better security. All webmasters have 404 statistics for this.

    Thank you!

  6. reiniggen
    Posted 3 years ago #

    Or make a new 404 White List for the relative urls ;-)

  7. jdaviescoates
    Posted 3 years ago #

    Hi there, great plugin, even if it takes a little getting used to.

    One problem I had (with a completely fresh WordPress install with no other plugins/themes installed) was that it was impossible to turn off the ban list, and when I manually edited the .htaccess file to remove the changes the BWPS dashboard still showed the relevant line (8.) as green instead of yellow. The only way I could get around this was to delete and reinstall the plugin. I'm not the only one to have had this problem either (see e.g. http://wordpress.org/support/topic/plugin-better-wp-security-better-wp-blocking-googlebot?replies=15#post-3906650 )

    So, in addition to your proposed suggestions (which all sound great other than you not giving any free support), my suggestion would be to do something to fix that :)

  8. joneiseman
    Posted 3 years ago #

    Hi Chris,

    Thanks for the great plugin.

    I have a suggestion for a new feature to prevent access to the back-end. In the .htaccess file only allow a specific list of IP addresses to access the wp-login.php script (a "white list"). In addition add a .htaccess to the wp-admin directory and only allow access based on the "white list". Finally, add a password-protected script that would allow a temporary IP address to be added to the white list. This would allow the administrator to get into the back-end when traveling to a wifi location. The script could automatically get the remote IP and add it to the white list. I have a Perl script that can do this if you're interested.

    I have implemented this on my website but it seems like this would be a nice feature to add to your plugin.

    The advantage of this approach is that it prevents a big load on the server when the spam-bots try brute force log-in attempts since this requires a lot of script execution (wp-login.php). Even though the attempts are blocked, the scripts will still get executed (at least until the .htaccess file gets updated to block a particular IP address).
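
As an added example (not code from the plugin, and not joneiseman's Perl script), the PHP below renders the two Apache allowlist blocks described in the post above and manages temporary entries that expire. The temporary-IP function is what a password-protected "let me in from here" script would call once it has authenticated the administrator; that authentication step is outside this snippet. The list layout, function names, sample addresses and the 8-hour lifetime are this example's assumptions, and the directive syntax is Apache 2.2 (`Order`/`Allow`), which is what the plugin wrote at the time; Apache 2.4 uses `Require ip` instead.

```php
<?php
// Added example, not Better WP Security code: IP allowlist for the login
// script and the admin directory, rendered as Apache 2.2 .htaccess blocks.
// List storage is an in-memory array here; persist it however you like.

const TEMP_TTL_SECONDS = 8 * 3600;   // assumed lifetime of a temporary entry

// Reject anything that is not an IP address before it reaches .htaccess,
// so a malformed or hostile value can never turn into a broken directive.
function assert_valid_ip(string $ip): void
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address: $ip");
    }
}

// $list = ['permanent' => [ip, ...], 'temporary' => [ip => expires_at, ...]]
function add_temporary_ip(array $list, string $ip, int $now, int $ttl = TEMP_TTL_SECONDS): array
{
    assert_valid_ip($ip);
    $list['temporary'][$ip] = $now + $ttl;
    return $list;
}

// Drop expired temporary entries and return the addresses currently allowed.
function active_ips(array $list, int $now): array
{
    $ips = $list['permanent'];
    foreach ($list['temporary'] as $ip => $expiresAt) {
        if ($expiresAt > $now) {
            $ips[] = $ip;
        }
    }
    foreach ($ips as $ip) {
        assert_valid_ip($ip);
    }
    return array_values(array_unique($ips));
}

function allow_lines(array $ips, string $indent): string
{
    $out = '';
    foreach ($ips as $ip) {
        $out .= "{$indent}Allow from {$ip}\n";
    }
    return $out;
}

// Goes in the site-root .htaccess: only allowlisted clients may request wp-login.php,
// so brute-force attempts never reach PHP at all.
function login_allowlist_rules(array $ips): string
{
    return "# BEGIN login allowlist (added example)\n"
         . "<Files wp-login.php>\n"
         . "    Order deny,allow\n"
         . "    Deny from all\n"
         . allow_lines($ips, '    ')
         . "</Files>\n"
         . "# END login allowlist\n";
}

// Goes in wp-admin/.htaccess. admin-ajax.php is re-opened because themes and
// plugins call it from the public site; blocking it breaks front-end features.
function admin_allowlist_rules(array $ips): string
{
    return "# BEGIN admin allowlist (added example)\n"
         . "Order deny,allow\n"
         . "Deny from all\n"
         . allow_lines($ips, '')
         . "<Files admin-ajax.php>\n"
         . "    Order allow,deny\n"
         . "    Allow from all\n"
         . "    Satisfy any\n"
         . "</Files>\n"
         . "# END admin allowlist\n";
}

// Constructed sample: one office address plus a temporary hotel address.
$now  = time();
$list = ['permanent' => ['203.0.113.10'], 'temporary' => []];
$list = add_temporary_ip($list, '198.51.100.77', $now);

echo login_allowlist_rules(active_ips($list, $now));
echo admin_allowlist_rules(active_ips($list, $now));
// A day later the temporary entry has expired and only the office IP remains.
echo login_allowlist_rules(active_ips($list, $now + 86400));
```

The expiry check runs every time the rules are regenerated, so a forgotten hotel address does not stay open; a cron job that rewrites the two files once an hour is enough to enforce it.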


  9. Grant Palin
    Posted 3 years ago #

    For some of the items in the list - scheduling regular backups, protecting login from brute force attack, and actively looking for changed files - I'm already using distinct plugins to handle those concerns. Yet these items remain as unresolved issues in the list. Perhaps provide a checkbox for these to indicate that they are handled separately?

    These quibbles aside, I appreciate having all these potential issues reported in one place, along with recommended resolutions, so well done!

  10. jdaviescoates
    Posted 3 years ago #

    Another suggestion:

    When BWPS plugin is not allowed to directly edit core files, append something to the email notifications about having to go and manually edit them yourself.

    e.g. I just got the following message:

    A host, can check the host at http://ip-adress.com/ip_tracer/ has been locked out of the WordPress site at http://mysite.com parmanently due to too many login attempts. You may login to the site to manually release the lock if necessary.

    The wording is a bit misleading because until I manually update the .htaccess file myself (I'm presently not allowing the plugin to directly edit files - in part to learn what it actually does) that IP will NOT be locked out.

    This could be made a lot more obvious, e.g. by changing the text and including something about needing to edit the file yourself if BWPS security is configured to not be able to edit files directly.

  11. jdaviescoates
    Posted 3 years ago #

    I just tried hiding the backend on my multisite - didn't seem to do anything whatsoever. I guess perhaps this is because it is a multisite with domain mapping etc?

    Assuming it is a multisite issue, my suggestion is that it is made clear somewhere that it doesn't work for multisites and/or to give different rules/methods that do work for multisites.

    PS I like Grant's suggestion above too, to create check boxes where you can indicate you've sorted certain things some other way.

  12. jdaviescoates
    Posted 3 years ago #

    Another suggestion:

    Maintain a list somewhere of plugins/ themes that are known to be incompatible with certain options (and link to these where it says "Warning: This feature is known to cause conflicts with some plugins and themes"), i.e. a page that lists all options known to not work with some plugins/ themes, with a list of known themes below each option.

    This would help people make informed decisions about whether or not to try activating them or not.

  13. DomenLo
    Posted 3 years ago #

    I would love to see "site lockout notification" emails that contain what specifically they tried to access...

    So that it's an intuitive way to see if it's a hack attempt or something an admin/user messed up.


    Also, working hidden backend on domain mapping :)

  14. cbunting99
    Posted 3 years ago #

    Would also be nice if you could include a URL scanner for the admin and plugins directory. A recursive search checking for any external urls outside of our own. http://www.*

    While I understand why many plugin authors add links, like options or PayPal donate buttons, the WordPress admin should never be allowed to connect to 3rd party sites in my opinion.

    Just a thought,

  15. jdtools
    Posted 3 years ago #

    Suggest to add Ban or only Allow by country and not just IP range.

    Here is what you can add

  16. WaldenPondDesign
    Posted 3 years ago #

    Great plugin, love it. Many thanks.

    Guess there's no such thing as original thought as my suggestion is very similar to "jdtools".

    One of my sites is a restaurant in Connecticut. It's getting hammered by an IP range from Russia. There's no legitimate reason that a person from Russia would be looking at an Italian restaurant in CT.

    It would be great if:

    1: The admin could create a list of "suspect countries" and failed login threshold. When the threshold was reached that country was blocked.

    2: Notes could be added to blocked IP's

    3: Cumulative chart showing history of blocked IP's and respective countries.

  17. danielmartins
    Posted 3 years ago #

    Did you remove the repository from GitHub ?

  18. Chris Wiegman
    Posted 3 years ago #

    @danielmartins Nope....

    ...Although I realized I moved it from my personal account to Bit51 (https://github.com/bit51/Better-WP-Security). Sorry about not updating that one.

  19. danielmartins
    Posted 3 years ago #

    No problem!.. and thanks for putting the source code on GitHub; it makes collaboration on the project easy.

    I think it's better to write suggestions on the issues tab on GitHub than here.

    So, I'll write some suggestions there.

    And thanks for this essential plugin for any WP instance.

  20. Chris Wiegman
    Posted 3 years ago #

    Thanks Daniel!

  21. gkjono
    Posted 3 years ago #

    Great plugin, thanks for all of your work!

    It would be nice to have separate ban/lockout settings based on the username they attempt to log in with. For example, I would like to immediately block anybody that tries to log in with the "admin" username.

  22. raceman59
    Posted 3 years ago #

    Please add the feature to disable the "Lost your password?" link and password recovery function in the WordPress login.php interface.

    I get hundreds of 'bots a day probing my site for vulnerabilities with the "Lost your password?" link. It really needs a built-in option to disable it. Since that is not the case you can claim this feature and allow us to disable this annoyance in your plugin.


  23. hchoate
    Posted 3 years ago #

    My problem with the existing script is 'excess' 404s, that is, no way to exclude file types (the W3 Total Cache plugin's .htaccess method of skipping WordPress 404 error handling for static files does not work) or whitelist my own IP.

    Also it seems Enable Banned Users keeps turning itself back on.

    Adds up to a choice between legitimate users being locked out and disabling 404 detection.
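
Both reiniggen's request above (post 5 and 6: stop counting apple-touch-icon probes) and hchoate's (this post: exclude file types and whitelist an IP) come down to one filter in front of the 404 counter. The following PHP is an added example and not the plugin's code; it runs stand-alone, and the pattern lists, the ignored IP and the sample requests are constructed for illustration.

```php
<?php
// Added example, not Better WP Security code: a filter that decides whether a
// 404 should count toward the 404-detection lockout. It skips requests that
// every browser makes (iOS touch icons, favicon), plain static-asset
// extensions, and an allowlist of administrator addresses. The lists and the
// sample requests are constructed for illustration.

// Relative-URL allowlist: regular expressions matched against the request path.
const IGNORED_PATH_PATTERNS = [
    '#^/apple-touch-icon(-\d+x\d+)?(-precomposed)?\.png$#i',
    '#^/favicon\.ico$#i',
    '#^/browserconfig\.xml$#i',
];

// Static-asset extensions whose 404s are almost always a theme referencing a
// missing file. Keep server-side types (php, cgi, inc, ...) out of this list,
// otherwise probes for leftover scripts would stop being counted.
const IGNORED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'ico', 'css', 'js', 'woff', 'svg', 'map'];

// Exact addresses that are never counted, e.g. the administrator's own IP.
const IGNORED_IPS = ['198.51.100.7'];

function should_count_404(string $requestPath, string $clientIp): bool
{
    if (in_array($clientIp, IGNORED_IPS, true)) {
        return false;
    }
    // Drop any query string so "/favicon.ico?v=2" is still recognised.
    $path = parse_url($requestPath, PHP_URL_PATH);
    if (!is_string($path)) {
        return true;              // unparsable request: count it
    }
    foreach (IGNORED_PATH_PATTERNS as $pattern) {
        if (preg_match($pattern, $path)) {
            return false;
        }
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if ($ext !== '' && in_array($ext, IGNORED_EXTENSIONS, true)) {
        return false;
    }
    return true;
}

// Constructed sample of 404s as [client IP, request path].
$samples = [
    ['192.0.2.10',   '/apple-touch-icon-152x152-precomposed.png'],
    ['192.0.2.10',   '/favicon.ico?v=2'],
    ['192.0.2.11',   '/wp-content/themes/twentytwelve/missing.css'],
    ['192.0.2.12',   '/wp-config.php.bak'],
    ['192.0.2.12',   '/phpmyadmin/'],
    ['198.51.100.7', '/wp-config.php.bak'],
];
foreach ($samples as [$ip, $path]) {
    printf("%-14s %-48s %s\n", $ip, $path, should_count_404($path, $ip) ? 'count' : 'ignore');
}
```

Run as written, the first three and the last sample are ignored and the two probes from 192.0.2.12 are counted. The extension skip is deliberately narrow: a request for `wp-config.php.bak` has extension `bak`, which is not in the list, so it still counts.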

  24. archerdata
    Posted 3 years ago #

    I really like your plugin as it's been very effective. Kudos!

    A perfect "Login" page option would be to deny and permanently ban ALL attempted admin logins except those listed in a box, one per line ... OR ... deny ALL admin logins except for users identified as having "Administrator" privileges.

    ANY attempt to use "admin" as a login should instantly and permanently BAN the IP.
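
The "any attempt as admin gets banned" behaviour asked for here and in gkjono's post (21) can be done with WordPress' `authenticate` filter and a transient per client address. The must-use plugin below is an added example, not the plugin's code; the deny-list contents, the lockout length, the hook names and the log line are this example's assumptions.

```php
<?php
/*
 * Plugin Name: Username deny-list lockout (added example)
 * Description: Added example, not Better WP Security code. Any login attempt
 * that uses a deny-listed username locks the client address out for a period,
 * regardless of the password. Rename or remove a real "admin" account before
 * enabling this. Names, list contents and durations are assumptions.
 * Install as wp-content/mu-plugins/username-denylist.php (assumed path).
 */

const UDL_DENIED_USERNAMES = ['admin', 'administrator', 'root', 'test'];
const UDL_LOCKOUT_SECONDS  = DAY_IN_SECONDS;     // WordPress core constant

// Lockouts key on REMOTE_ADDR. Behind a reverse proxy every visitor shares
// that address and one probe would lock out everyone, so run this only where
// the web server sees real client addresses.
function udl_client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function udl_lock_key(string $ip): string
{
    return 'udl_lock_' . md5($ip);
}

function udl_is_locked(string $ip): bool
{
    return $ip !== '' && get_transient(udl_lock_key($ip)) !== false;
}

function udl_lock(string $ip, string $username): void
{
    set_transient(udl_lock_key($ip), ['user' => $username, 'at' => time()], UDL_LOCKOUT_SECONDS);
    // Record what was tried; the lockout e-mail could be sent from here as well.
    error_log(sprintf('[udl] locked out %s after login attempt as "%s"', $ip, $username));
}

// Runs after WordPress' own username/password check (priority 20), so returning
// a WP_Error here overrides a successful authentication as well as a failed one.
function udl_authenticate($user, $username, $password)
{
    $ip   = udl_client_ip();
    $deny = new WP_Error('udl_locked', 'Login is not available from your address.');
    if (udl_is_locked($ip)) {
        return $deny;
    }
    if ($username !== '' && in_array(strtolower($username), UDL_DENIED_USERNAMES, true)) {
        udl_lock($ip, $username);
        return $deny;
    }
    return $user;
}
add_filter('authenticate', 'udl_authenticate', 30, 3);
```

Because XML-RPC logins also pass through `wp_authenticate()`, the same filter covers probes against `xmlrpc.php`. Transients live in the options table (or the object cache if one is installed), so the lockout survives across requests without any .htaccess edit; the trade-off is that PHP still runs for each blocked request, which joneiseman's .htaccess approach above avoids.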

  25. Amanda & Steve
    Posted 3 years ago #

    Thank you for this plugin - it is a must-have.

    Another vote please for enhancing the 'Hide Backend' to only allow it to be visible to only a whitelist of IPs.

    Many thanks.
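
HCE's posts 2 and 3 (no redirect that reveals the key, and a plain 404 for `/wp-admin/`) and the IP-whitelist request in this post can be combined in one must-use plugin. The following is an added example, not the plugin's code: it answers 404 for `wp-login.php` and `wp-admin` unless the visitor is already logged in or comes from an allowlisted address, and it sends no redirect at all. The allowlist values, file path and function names are this example's assumptions.

```php
<?php
/*
 * Plugin Name: Hidden backend gate (added example)
 * Description: Added example, not Better WP Security code. Answers 404 for
 * wp-login.php and wp-admin unless the visitor is logged in or comes from an
 * allowlisted IP. Sends no redirect, so no login path or key is revealed.
 * Install as wp-content/mu-plugins/hidden-backend-gate.php (assumed path).
 */

// Constructed allowlist; replace with your own addresses or CIDR ranges.
const HBG_ALLOWLIST = ['203.0.113.5', '198.51.100.0/24'];

// IPv4 exact or CIDR match. Anything that does not parse is not allowlisted.
function hbg_ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // IPv6 or malformed input is never treated as allowlisted
    }
    $mask = (int) $bits === 0 ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function hbg_client_allowed(): bool
{
    // Trust only REMOTE_ADDR; X-Forwarded-For is client-controlled unless a
    // trusted proxy sets it and the server is configured to rely on that proxy.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach (HBG_ALLOWLIST as $entry) {
        if (hbg_ip_in_cidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

function hbg_is_backend_request(string $uri): bool
{
    $path = (string) parse_url($uri, PHP_URL_PATH);
    if (preg_match('#/wp-login\.php$#', $path)) {
        return true;
    }
    // admin-ajax.php and admin-post.php serve front-end forms and must stay reachable.
    if (preg_match('#/wp-admin/(admin-ajax|admin-post)\.php$#', $path)) {
        return false;
    }
    return (bool) preg_match('#/wp-admin(/|$)#', $path);
}

function hbg_gate(): void
{
    if (!hbg_is_backend_request($_SERVER['REQUEST_URI'] ?? '')) {
        return;
    }
    if (is_user_logged_in() || hbg_client_allowed()) {
        return;
    }
    status_header(404);
    nocache_headers();
    $template = get_404_template();   // the theme's own 404 page, if it has one
    if ($template) {
        include $template;
    } else {
        echo '<!DOCTYPE html><title>Not Found</title><h1>Not Found</h1>';
    }
    exit;
}
// init fires before wp-admin/admin.php calls auth_redirect() and before
// wp-login.php renders, so the gate runs ahead of any core redirect.
add_action('init', 'hbg_gate', 1);
```

Serving the theme's normal 404 template rather than `wp_die()` keeps the response indistinguishable from any other missing page. Since PHP still executes for each probe, this complements rather than replaces a web-server-level allowlist.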

  26. ieio
    Posted 3 years ago #

    great job!
    show IPs of bad login attempts, not only when they're locked out

  27. Justin Norton
    Posted 3 years ago #

    Slight code change to bit51.php line 353:

    if ( ! is_wp_error( $feed ) ) {
        // Only read the feed when fetch_feed() succeeded; on a WP_Error (feed
        // unreachable) $feed has no get_items() and the call would fatal.
        $feeditems = $feed->get_items( 0, $feed->get_item_quantity( 5 ) ); // narrow feed to last 5 items
    } else {
        $feeditems = array(); // nothing to show when the feed could not be fetched
    }

    Sorry don't have time for GIT today.


  28. luciano-passuello
    Posted 3 years ago #

    My suggestion is to implement file protection for common leftover file extensions, such as in wp-config.php.bak, wp-config.php.original, .swp, etc.

    I get 404 logs all the time from attackers trying to exploit those.

    Here's a starter, from a random site that I found:

    # Block access to backup and source files
    # These files may be left by some text/html editors and
    # pose a great security danger, when someone can access them
    <FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
      Order allow,deny
      Deny from all
      Satisfy All
    </FilesMatch>

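
Denying access hides leftover files, but the better fix is to find and delete them. The PHP below is an added example (not from the post or the plugin) that walks a directory and lists every file the FilesMatch rule above would block; its pattern mirrors the rule, extended with the `.original` suffix the post mentions and the common `.orig`/`.old`. The scan root and the sample tree are constructed for illustration.

```php
<?php
// Added example, not from the post or the plugin: find files the FilesMatch
// rule above would block, so they can be deleted instead of only hidden. The
// pattern mirrors the rule, extended with the ".original" suffix from the post
// and the common ".orig" and ".old". The scan root is an assumption.

const LEFTOVER_PATTERN = '/(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|original|orig|old)|~)$/i';

function find_leftover_files(string $root): array
{
    $found = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile() && preg_match(LEFTOVER_PATTERN, $file->getFilename())) {
            $found[] = substr($file->getPathname(), strlen($root) + 1);
        }
    }
    sort($found);
    return $found;
}

// Self-check against a constructed tree in the temp directory, so the example
// runs without a real WordPress install. Point $root at your document root instead.
$root = sys_get_temp_dir() . '/leftover-demo-' . getmypid();
mkdir("$root/wp-content", 0700, true);
$names = ['wp-config.php', 'wp-config.php.bak', 'wp-config.php.original',
          'index.php', 'wp-content/debug.log', '.htaccess~'];
foreach ($names as $name) {
    file_put_contents("$root/$name", '');
}
print_r(find_leftover_files($root));
// Expected: .htaccess~, wp-config.php.bak, wp-config.php.original, wp-content/debug.log
foreach ($names as $name) {
    unlink("$root/$name");
}
rmdir("$root/wp-content");
rmdir($root);
```

`wp-content/debug.log` is in the list on purpose: WordPress writes it when `WP_DEBUG_LOG` is on, and the `log` suffix in the rule blocks it only while the rule is in place.
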
  29. HCE
    Posted 3 years ago #


    I noticed an error message about line 353 on bit51.php. Did you post the fix? Should we replace the current line of code with the code you provided? Or were you just identifying the issue?

  30. Justin Norton
    Posted 3 years ago #

    Not fixed, just a suggested fix as the feed wasn't found and caused an exception on my local machine.

Topic Closed

This topic has been closed to new replies.
