iThemes Security (formerly Better WP Security)
[resolved] Two v4.0.5 ban IP bugs.... (4 posts)

  1. wp_kc
    Posted 2 years ago #

    Bug One

    iThemes Security plugin version 4.0.5 has lost its ability to lockout people accessing a site through a proxy server. For example, on 3.4+ versions of the plugin banning a host with an IP address of would add these rules to .htaccess...

    Order Allow,Deny
    Deny from env=DenyAccess
    Allow from all
    SetEnvIF REMOTE_ADDR "^46\.60\.253\.41$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^46\.60\.253\.41$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^46\.60\.253\.41$" DenyAccess

    Now, all it adds is this...

    Order allow,deny
    Deny from

    This is a big step backwards in security for this plugin.

    Bug Two

    Also, there is a bug with the way the plugin converts the wildcard format of IP addresses to CIDR format. For example, if you enter this into the ban hosts setting...


    This is what comes out in the .htaccess file...

    Deny from
    Deny from

    Anyone who understands CIDR can see that is not correct and results in banning a huge range of addresses.

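    The two behaviours described in the post above, modelled in code. This is an added example, not the plugin's own PHP and not anything posted in the thread: it normalises ban-list entries to CIDR (the wildcard syntax it accepts, trailing `*` octets such as `203.0.113.*`, is an assumption, since the post does not show the input that was entered), renders the proxy-aware `SetEnvIF` block the 3.4-era versions wrote, and simulates how Apache would evaluate that block versus a bare `Deny from` against a request that arrives through a proxy. Function names (`wildcard_to_cidr`, `parse_ban_list`, `host_regex`, `htaccess_rules`, `is_denied`) are hypothetical, and the sample addresses are constructed from the TEST-NET documentation ranges.

```python
import ipaddress
import re

# Request fields Apache is asked to inspect, in the order the 3.4-era rules used.
# REMOTE_ADDR is the TCP peer; the two headers carry the real client address when
# a proxy or load balancer sits in front of the site.
PROXY_HEADERS = ("X-FORWARDED-FOR", "X-CLUSTER-CLIENT-IP")
CHECKED_FIELDS = ("REMOTE_ADDR",) + PROXY_HEADERS


def wildcard_to_cidr(entry: str) -> str:
    """Normalise one ban-list entry to a single address or a CIDR block.

    Assumed wildcard syntax (hypothetical; the thread does not show it):
    trailing '*' octets, so '203.0.113.*' -> '203.0.113.0/24' and
    '203.0.*.*' -> '203.0.0.0/16'.  Plain addresses and explicit CIDRs are
    validated and canonicalised.  Anything else raises ValueError instead of
    silently widening the banned range.
    """
    entry = entry.strip()
    if "*" not in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return str(net) if net.num_addresses > 1 else str(net.network_address)
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 wildcard pattern: {entry!r}")
    fixed = []
    seen_star = False
    for octet in octets:
        if octet == "*":
            seen_star = True
        elif seen_star:
            # '10.*.1.*' cannot be expressed as one CIDR block
            raise ValueError(f"'*' may only occupy trailing octets: {entry!r}")
        elif octet.isdigit() and 0 <= int(octet) <= 255:
            fixed.append(octet)
        else:
            raise ValueError(f"bad octet {octet!r} in {entry!r}")
    if not fixed:
        raise ValueError("'*.*.*.*' would ban every address")
    prefix = 8 * len(fixed)
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return str(ipaddress.ip_network(f"{base}/{prefix}"))


def parse_ban_list(text: str):
    """Split a ban-hosts setting (one entry per line) into normalised entries
    and the lines that were rejected, so bad input is reported, not expanded."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            accepted.append(wildcard_to_cidr(line))
        except ValueError:
            rejected.append(line.strip())
    return accepted, rejected


def host_regex(cidr: str) -> str:
    r"""Anchored regex for SetEnvIF matching exactly the hosts in `cidr`.

    A single address gives the form the thread shows, '^46\.60\.253\.41$';
    octet-aligned blocks (/8, /16, /24) get '\d{1,3}' for each free octet.
    """
    net = ipaddress.ip_network(cidr)
    if net.num_addresses == 1:
        return "^" + re.escape(str(net.network_address)) + "$"
    if net.prefixlen % 8:
        raise ValueError(f"only octet-aligned blocks are supported: {cidr}")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    parts = fixed + [r"\d{1,3}"] * (4 - len(fixed))
    return "^" + r"\.".join(parts) + "$"


def htaccess_rules(entries) -> str:
    """Render the proxy-aware block the thread shows for the 3.4-era plugin."""
    lines = ["Order Allow,Deny", "Deny from env=DenyAccess", "Allow from all"]
    for entry in entries:
        pattern = host_regex(wildcard_to_cidr(entry))
        for field in CHECKED_FIELDS:
            lines.append(f'SetEnvIF {field} "{pattern}" DenyAccess')
    return "\n".join(lines) + "\n"


def is_denied(request: dict, entries, check_proxy_headers: bool = True) -> bool:
    """Model how Apache evaluates the two rule styles against one request.

    `request` maps REMOTE_ADDR and any proxy headers to their values (a
    constructed stand-in for a real request).  With check_proxy_headers=False
    the check behaves like a bare 'Deny from <addr>', which only ever sees
    REMOTE_ADDR, i.e. the proxy's address rather than the client's.
    """
    patterns = [re.compile(host_regex(wildcard_to_cidr(e))) for e in entries]
    fields = CHECKED_FIELDS if check_proxy_headers else ("REMOTE_ADDR",)
    for field in fields:
        value = request.get(field)
        if value is not None and any(p.match(value) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a banned client arriving through a proxy whose own
    # address (192.0.2.10) is what REMOTE_ADDR reports.
    proxied = {"REMOTE_ADDR": "192.0.2.10", "X-FORWARDED-FOR": "198.51.100.23"}
    print(htaccess_rules(["198.51.100.23", "203.0.113.*"]))
    print("proxy-aware rules deny:", is_denied(proxied, ["198.51.100.23"]))
    print("bare Deny from denies:", is_denied(proxied, ["198.51.100.23"], False))
    print(parse_ban_list("203.0.113.*\n10.*.1.*\n203.0.*.*"))
```

Two caveats a practitioner would want: `X-Forwarded-For` and `X-Cluster-Client-IP` are set by whatever is in front of the site, so they can be used to deny a client (a spoofer only blocks himself) but never to allow one, and a chain of proxies produces a comma-separated `X-Forwarded-For` that the anchored `^...$` pattern above will not match. The `Order`/`Deny`/`Allow` directives are the Apache 2.2 access syntax the thread shows; on 2.4 they need `mod_access_compat`.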

  2. wp_kc
    Posted 2 years ago #

    There are two possible work-arounds.

    One is to go back to version 3.6.6 of the plugin...

    Or, disable all ban ip and 404 features until these bugs are fixed (which is less desirable because it opens you up to more problems).

  3. jrbrunet
    Posted 2 years ago #

    Thank you for this very helpful information.

  4. Lawn Dude
    Posted 2 years ago #

    The paid version we are told will have enhanced features of security. Possibly its ability to better lock people out will be available for upgrading in a few months in the paid version. LOL - follow the money!

Topic Closed

This topic has been closed to new replies.
