iThemes Security (formerly Better WP Security)
[resolved] Two v4.0.5 ban IP bugs.... (4 posts)

  1. wp_kc
    Posted 11 months ago #

    Bug One

    iThemes Security plugin version 4.0.5 has lost its ability to lockout people accessing a site through a proxy server. For example, on 3.4+ versions of the plugin banning a host with an IP address of would add these rules to .htaccess...

    Order Allow,Deny
    Deny from env=DenyAccess
    Allow from all
    SetEnvIF REMOTE_ADDR "^46\.60\.253\.41$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^46\.60\.253\.41$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^46\.60\.253\.41$" DenyAccess

    Now, all it adds is this...

    Order allow,deny
    Deny from

    This is a big step backwards in security for this plugin.

    Bug Two

    Also, there is a bug with the way the plugin converts the wildcard format of IP addresses to CIDR format. For example, if you enter this into the ban hosts setting...


    This is what comes out in the .htaccess file...

    Deny from
    Deny from

    Anyone who understands CIDR can see that is not correct and results in banning a huge range of addresses.

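As an added example (not the plugin's code and not part of the post above), the following PHP shows a wildcard-to-CIDR conversion that refuses inputs it cannot express as a single prefix instead of emitting an over-broad range, plus the 3.x-style SetEnvIF rules that also match the proxy headers. The function names and the sample hosts are assumptions for illustration.

```php
<?php
// Added example (not iThemes Security code): convert a wildcard host such as
// "46.60.253.*" to CIDR, or return null when no single prefix describes it.
function wildcard_to_cidr(string $host): ?string {
    $octets = explode('.', trim($host));
    if (count($octets) !== 4) {
        return null;
    }
    $wild = 0;
    $fixed = [];
    foreach ($octets as $o) {
        if ($o === '*') {
            $wild++;
            continue;
        }
        // A literal octet after a wildcard (e.g. 10.*.3.4) has no CIDR form.
        if ($wild > 0 || !ctype_digit($o) || (int)$o > 255) {
            return null;
        }
        $fixed[] = (int)$o;
    }
    // Each wildcard octet frees 8 host bits; the network address pads with zeros.
    $prefix  = 32 - 8 * $wild;
    $network = implode('.', array_pad($fixed, 4, 0));
    return $network . '/' . $prefix;
}
// Emit the 3.x-style rules for one literal IPv4 address, matching it in
// REMOTE_ADDR and in the proxy headers so proxied clients are still blocked.
function deny_rules(string $ip): string {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException("not an IPv4 address: $ip");
    }
    $re = '"^' . str_replace('.', '\\.', $ip) . '$"';
    return implode("\n", [
        'Order Allow,Deny',
        'Deny from env=DenyAccess',
        'Allow from all',
        "SetEnvIF REMOTE_ADDR $re DenyAccess",
        "SetEnvIF X-FORWARDED-FOR $re DenyAccess",
        "SetEnvIF X-CLUSTER-CLIENT-IP $re DenyAccess",
    ]) . "\n";
}
// Constructed sample inputs: two valid wildcard hosts and one that is rejected.
foreach (['46.60.253.*', '46.60.*.*', '10.*.3.4'] as $h) {
    printf("%-12s => %s\n", $h, wildcard_to_cidr($h) ?? 'rejected');
}
echo deny_rules('46.60.253.41');
```

Note that `Deny from a.b.c.d/nn` is only evaluated against REMOTE_ADDR, so a range ban still needs a regex-based SetEnvIF if proxied clients are to be covered.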

  2. wp_kc
    Posted 11 months ago #

    There are two possible work-arounds.

    One is to go back to version 3.6.6 of the plugin...

    Or, disable all ban ip and 404 features until these bugs are fixed (which is less desirable because it opens you up to more problems).

  3. jrbrunet
    Posted 11 months ago #

    Thank you for this very helpful information.

  4. Lawn Dude
    Posted 11 months ago #

    The paid version we are told will have enhanced features of security. Possibly its ability to better lock people out will be available for upgrading in a few months in the paid version. LOL - follow the money!

