[Resolved] Two v4.0.5 ban IP bugs….
iThemes Security plugin version 4.0.5 has lost its ability to lockout people accessing a site through a proxy server. For example, on 3.4+ versions of the plugin banning a host with an IP address of 18.104.22.168 would add these rules to .htaccess…
Order Allow,Deny
Deny from env=DenyAccess
Allow from all
SetEnvIF REMOTE_ADDR "^46\.60\.253\.41$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^46\.60\.253\.41$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^46\.60\.253\.41$" DenyAccess
Now, all it adds is this…
Order allow,deny Deny from 22.214.171.124
This is a big step backwards in security for this plugin.
Also, there is a bug with the way the plugin converts the wildcard format of IP addresses to CIDR format. For example, if you enter this into the ban hosts setting…
This is what comes out in the .htaccess file…
Deny from 126.96.36.199/8
Deny from 188.8.131.52/16
Anyone who understands CIDR can see that 184.108.40.206/8 is not correct and results in banning a huge range of addresses.
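The two bugs described in the post, as an added worked example that is not the plugin's own code: a correct wildcard-to-CIDR conversion (each trailing `*` octet is 8 host bits, so `46.*.*.*` is `46.0.0.0/8` and `46.60.*.*` is `46.60.0.0/16`), a check that flags a rule like `126.96.36.199/8` whose host bits are not zero, and a generator for the older 3.4-style `.htaccess` block that also matches the proxy headers. Python is used here to show the logic rather than the plugin's PHP; the function names, the hypothetical ban-list entries and the header list are assumptions for illustration.

```python
import ipaddress
import re

# Headers the 3.4-era rules matched so that clients behind a proxy were
# still denied; REMOTE_ADDR is the TCP peer, the other two are proxy headers.
CLIENT_IP_HEADERS = ("REMOTE_ADDR", "X-FORWARDED-FOR", "X-CLUSTER-CLIENT-IP")


def wildcard_to_cidr(entry: str) -> str:
    """Convert a dotted quad with trailing '*' octets to CIDR notation.

    '46.60.*.*'   -> '46.60.0.0/16'
    '46.*.*.*'    -> '46.0.0.0/8'
    '46.60.253.41'-> '46.60.253.41/32'
    """
    octets = entry.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {entry!r}")
    fixed, wildcards = [], 0
    for octet in octets:
        if octet == "*":
            wildcards += 1
            fixed.append("0")          # wildcard octets become host bits, zeroed
        elif wildcards:
            raise ValueError(f"wildcard octets must be trailing: {entry!r}")
        elif not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"bad octet {octet!r} in {entry!r}")
        else:
            fixed.append(str(int(octet)))
    prefix = 32 - 8 * wildcards
    # strict=True (the default) guarantees the host bits really are zero.
    return str(ipaddress.ip_network(f"{'.'.join(fixed)}/{prefix}"))


def is_exact_network(cidr: str) -> bool:
    """True when the address part has no host bits set for the given mask.

    '126.96.36.199/8' fails this check: with a /8 mask the address should be
    '126.0.0.0', which is exactly the defect the post points out.
    """
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def addresses_covered(cidr: str) -> int:
    """Number of addresses a 'Deny from' rule with this CIDR would block.

    strict=False applies the mask the way a server would, so a mis-derived
    /8 still reports the full 2**24 addresses it silences.
    """
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def htaccess_block_rules(ip: str) -> list:
    """Rebuild the 3.4-style deny block for one address (constructed here).

    Dots are escaped so the SetEnvIF regex matches a literal address only.
    """
    ipaddress.ip_address(ip)            # raises ValueError on a bad address
    escaped = re.escape(ip)             # '46.60.253.41' -> '46\\.60\\.253\\.41'
    rules = ["Order Allow,Deny", "Deny from env=DenyAccess", "Allow from all"]
    for header in CLIENT_IP_HEADERS:
        rules.append(f'SetEnvIF {header} "^{escaped}$" DenyAccess')
    return rules


if __name__ == "__main__":
    # Constructed ban-list entries, not values from the original post.
    for entry in ("46.60.*.*", "46.*.*.*", "46.60.253.41"):
        cidr = wildcard_to_cidr(entry)
        print(f"{entry:14} -> Deny from {cidr:18} ({addresses_covered(cidr)} addresses)")
    bad = "126.96.36.199/8"
    print(f"{bad}: exact network? {is_exact_network(bad)}, "
          f"blocks {addresses_covered(bad)} addresses")
    print("\n".join(htaccess_block_rules("46.60.253.41")))
```

The `SetEnvIF` lines on `X-FORWARDED-FOR` and `X-CLUSTER-CLIENT-IP` only help when a trusted proxy in front of the server populates those headers; the values are client-supplied, so `REMOTE_ADDR` remains the one the server itself can vouch for.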