Support » Plugin: iThemes Security (formerly Better WP Security) » Suggestions and BWPS 4.0

  • Hi everyone,

    Thank you all for the support of this plugin! I am working hard on the next major release which I hope to have out by WordCamp Miami in early April. So far I have the folloing on the feature list:

    * Import-export function
    * Better division of basic/advanced options
    * Two-factor auth
    * Admin action logging
    * Improved documentation and commenting
    * Improved performance of existing features
    * A new way of providing support

    As for the latter, it’s no secret that I haven’t been monitoring these forums often and, frankly, I do not plan to change that in the future. What I will be moving to will be a paid support option similar to the models in place by W3 Total Cache and other plugins. In this scenario the forums themselves will continue to function as a community supported knowledge base with this single suggestions thread monitored by me.

    In addition, if anyone would like to contribute features, code, etc I am in particular need of IIS compatibility as I don’t have the experience with IIS to add it myself. I’ve moved development of the project to GitHub at and will gladly include any provide patches or additions while providing proper recognition to those who contribute.

    Finally, Please keep your comments in this thread to suggestions only. If you are stuck search the forums, look at the faq, or get in touch with me outside of the forums. I’ve been hard at work providing free support to anyone who asks and I do not plan on changing that model until the 4.0 comes out.

    Chris Wiegman
    Better WP Security

Viewing 15 replies - 1 through 15 (of 81 total)
  • Hi Chris!

    Great plugin! Thanks for all your hard work on it. I just have one suggestion:

    The “Hide Backend” feature should hide the backend url until logged in.

    For example, if the option is selected to “Hide Backend”, and the login url is changed to /login/, as opposed to /wp-login.php/, then when you go to /login/ it should not redirect to /wp-login.php?”secret key”/. Any site visitor who may stumble upon the login url will see the secret key, and know it’s a WordPress backend. This should not be revealed to visitors not logged in.

    Sean Fisher’s “Lockdown WP Admin” plugin ( hides both the /wp-admin/ and /wp-login.php/ until the user is logged in. When using this plugin, if the login url is changed to /login/, as opposed to /wp-login.php/ it does not redirect, as your “Better WP Security” plugin does. It stays on the /login/ url until the user is logged in.

    It would improve your “Hide Backend” feature if you incorporated this from “Lockdown WP Admin”.

    Also, instead of /wp-admin/ being redirected to /not_found?, it should just stay on the /wp-admin/ url and return a 404 page.

    I’m using Cimy Swift SMTP plugin, and it does not work for e-mail backups from Better WP Security. It would be great if this two plugins would be compatible.


    please remove all the apple-touch-icon-xxx.png from your 404-tracking and logs – nobody needs it. It just blocked all iOS users on our sites, and it has nothing to do with the better security. All webmasters have 404-statistics for this.

    Thank you!

    Or make a new 404 White List for the relative urls 😉

    Hi there, great plugin, even if it takes a little getting used to.

    One problem I had (with a completely fresh wordpress install with no other plugins/ themes installed) was that is was impossible to turn off the ban list, and when I manually edited the .htaccess file to remove the changes the BWPS dashboard still showed the relevant line (8.) as green instead of yellow. The only way I could get around this was to delete and reinstall the plugin. I’m not the only one to have had this problem either (see e.g. )

    So, in addition to your proposed suggestions (which all sound great other than you not giving any free support), my suggestion would be to do something to fix that 🙂

    Hi Chris,

    Thanks for the great plugin.

    I have a suggestion for a new feature to prevent access to the back-end. In the .htaccess file only allow a specific list of ip addresses to access the wp-login.php script (a “white-list”). In addition add a .htaccess to the wp-admin directory and only allow access based on the “white list”. Finally, add a password protected script that would allow a temporary ip address to be added to the white list. This would allow the administrator to get into the back-end when traveling to a wifi location. The script could automatically get the remote ip and add it to the white list. I have a perl script that can do this if you’re interested.

    I have implemented this on my website but it seems like this would be a nice feature to add to your plugin.

    The advantage of this approach is that it prevents a big load on the server when the spam-bots try brute force log-in attempts since this requires a lot of script execution (wp-login.php). Even though the attempts are blocked, the scripts will still get executed (at least until the .htaccess file gets updated to block a particular IP address).


    For some of the items in the list – scheduling regular backups, protecting login from brute force attack, and actively looking for changed files – I’m already using distinct plugins to handle those concerns. Yet these items remain as unresolved issues in the list. Perhaps provide a checkbox for these to indicate that they are handled separately?

    These quibbles aside, I appreciate having all these potential issues reported in one place, along with recommended resolutions, so well done!

    Another suggestion:

    When BWPS plugin is not allowed to directly edit core files, append something to the email notifications about having to go and manually edit them yourself.

    e.g. I just got the following message:

    A host, can check the host at has been locked out of the WordPress site at parmanently due to too many login attempts. You may login to the site to manually release the lock if necessary.

    The wording is a bit mislead because until I manually update the .htaccess file myself (I’m presently not allowing the plugin to directly edit files – in part to learn what it actually does) that IP will NOT be locked out.

    This could be made a lot more obvious, e.g. by chaning the text and including something about needing to edit the file yourself if BWPS security is configured to not be able to edit files directly.

    I just tried hiding the backend on my multisite – didn’t seem to do anything whatsoever. I guess perhaps this is because it is a multisite with domain mapping etc?

    Assuming it is a multisite my suggestion is that it is made clear somewhere that it doesn’t work for multisites and/ or to give didn’t rules/ methods that do work for multisites.

    PS I like Grants suggestion above too, to create check boxes where you can indicate you’ve sorted certain things some other way.

    Another suggestion:

    Maintain a list somewhere of plugins/ themes that are known to be incompatible with certain options (and link to these where it says “Warning: This feature is known to cause conflicts with some plugins and themes”), i.e. a page that lists all options known to not work with some plugins/ themes, with a list of known themes below each option.

    This would help people make informed decisions about whether or not to try activating them or not.

    I would love to see “site lockout notification” emails that contain what specifically they tried to access…

    So that it’s an intuitive way to see if it’s a hack attempt or something an admin/user messed up.

    Also, working hidden backend on domain mapping 🙂

    Would also be nice if you could include a URL scanner for the admin and plugins directory. A recursive search checking for any external urls outside of our own. http://www.*

    While I understand why many plugin authors add links, like options or paypal donate buttons, The wordpress admin should never be allowed to connect to 3rd party sites in my opinion.

    Just a thought,

    Suggest to add Ban or only Allow by country and not just IP range.

    Here is what you can add

    Great plugin, love it. Many thanks.

    Guess there’s no such thing as original thought as my suggestion is very similar to “jdtools”.

    One of my sites is a restaurant in Connecticut. It’s getting hammered by an IP range from Russia. There’s no legitimate reason that a person from Russia would be looking at an Italian restaurant in CT.

    It would be great if:

    1: The admin could create a list of “suspect countries” and failed login threshold. When the threshold was reached that country was blocked.

    2: Notes could be added to blocked IP’s

    3: Cumulative chart showing history of blocked IP’s and respective countries.

Viewing 15 replies - 1 through 15 (of 81 total)
  • The topic ‘Suggestions and BWPS 4.0’ is closed to new replies.