[Resolved] Two v4.0.5 ban IP bugs….

    Bug One

    iThemes Security plugin version 4.0.5 has lost its ability to lockout people accessing a site through a proxy server. For example, on 3.4+ versions of the plugin banning a host with an IP address of 46.60.253.41 would add these rules to .htaccess…

    Order Allow,Deny
    Deny from env=DenyAccess
    Allow from all
    SetEnvIF REMOTE_ADDR "^46\.60\.253\.41$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^46\.60\.253\.41$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^46\.60\.253\.41$" DenyAccess

    Now, all it adds is this…

    Order allow,deny
    Deny from 46.60.253.41

    This is a big step backwards in security for this plugin.

    Bug Two

    Also, there is a bug with the way the plugin converts the wildcard format of IP addresses to CIDR format. For example, if you enter this into the ban hosts setting…

    178.78.27.*
    180.75.*.*

    This is what comes out in the .htaccess file…

    Deny from 178.78.27.0/8
    Deny from 180.75.0.0/16

    Anyone who understands CIDR can see that 178.78.27.0/8 is not correct and results in banning a huge range of addresses.

    https://wordpress.org/plugins/better-wp-security/
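Both bugs in the post are easy to reproduce with a small script. The following is an added example and is not code from the post or from the iThemes Security plugin: `wildcard_to_cidr` does the wildcard-to-CIDR conversion correctly, `observed_buggy_prefix` reproduces the prefix lengths the post shows (inferred from the output, not from the plugin's source), and `legacy_rules_deny` / `new_rules_deny` emulate, in simplified form, how the 3.4+ SetEnvIF rules and the 4.0.5 `Deny from` line decide on a request. The function names, the request dictionaries and the proxy address 203.0.113.7 (a documentation address) are constructed for this example.

```python
import ipaddress
import re

# --- Bug Two: wildcard -> CIDR ------------------------------------------------

def wildcard_to_cidr(entry: str) -> str:
    """Convert a dotted wildcard entry such as 178.78.27.* to CIDR notation.

    Each trailing '*' octet contributes 8 host bits, so the prefix length is
    32 minus 8 per wildcard octet. Wildcards are only accepted at the end of
    the address, because a gap such as 10.*.5.0 has no single CIDR equivalent.
    """
    octets = entry.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 wildcard entry: {entry!r}")
    fixed = []
    seen_star = False
    for octet in octets:
        if octet == "*":
            seen_star = True
            fixed.append("0")
            continue
        if seen_star:
            raise ValueError(f"wildcard octets must be trailing: {entry!r}")
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"bad octet {octet!r} in {entry!r}")
        fixed.append(str(int(octet)))
    prefix = 32 - 8 * octets.count("*")
    # strict=True rejects non-zero host bits; they cannot occur here.
    return str(ipaddress.ip_network(".".join(fixed) + f"/{prefix}", strict=True))


def is_rejected(entry: str) -> bool:
    """True when the converter refuses an entry (shows the guard rails)."""
    try:
        wildcard_to_cidr(entry)
    except ValueError:
        return True
    return False


def observed_buggy_prefix(entry: str) -> int:
    """Prefix length consistent with the post's output (/8 for one '*', /16 for
    two): 8 bits per wildcard octet instead of 32 minus that. Inferred from
    the .htaccess lines shown, not taken from the plugin's source."""
    return 8 * entry.count("*")


def addresses_covered(cidr: str) -> int:
    """Number of addresses the network with that prefix covers (host bits ignored)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


# --- Bug One: proxy-aware vs. REMOTE_ADDR-only ban ----------------------------

# The three values the 3.4+ rules inspected with SetEnvIF.
INSPECTED = ("REMOTE_ADDR", "X-FORWARDED-FOR", "X-CLUSTER-CLIENT-IP")


def legacy_rules_deny(banned_ip: str, request: dict) -> bool:
    """Emulate the SetEnvIF + 'Deny from env=DenyAccess' rule set: the request
    is denied if ANY inspected value matches the anchored regex exactly."""
    pattern = re.compile(r"^" + re.escape(banned_ip) + r"$")
    return any(pattern.match(request.get(key, "")) for key in INSPECTED)


def new_rules_deny(banned_ip: str, request: dict) -> bool:
    """Emulate 'Deny from <ip>': Apache compares only the connecting address."""
    return request.get("REMOTE_ADDR", "") == banned_ip


# Constructed requests: one direct, one arriving through a proxy at 203.0.113.7.
DIRECT = {"REMOTE_ADDR": "46.60.253.41"}
VIA_PROXY = {"REMOTE_ADDR": "203.0.113.7", "X-FORWARDED-FOR": "46.60.253.41"}


def compare_rule_sets(banned_ip: str) -> dict:
    """(legacy denies?, 4.0.5 denies?) for each constructed request."""
    return {
        "direct": (legacy_rules_deny(banned_ip, DIRECT), new_rules_deny(banned_ip, DIRECT)),
        "via_proxy": (legacy_rules_deny(banned_ip, VIA_PROXY), new_rules_deny(banned_ip, VIA_PROXY)),
    }


if __name__ == "__main__":
    for entry in ("178.78.27.*", "180.75.*.*"):
        good = wildcard_to_cidr(entry)
        bad = f"{entry.replace('*', '0')}/{observed_buggy_prefix(entry)}"
        print(f"{entry:<14} correct {good:<18} ({addresses_covered(good)} addrs)"
              f"  observed {bad:<18} ({addresses_covered(bad)} addrs)")
    print(compare_rule_sets("46.60.253.41"))
```

Running it shows `178.78.27.*` covering 256 addresses when converted correctly (`178.78.27.0/24`) against 16,777,216 for the `/8` the post reports, and the proxied request being denied only by the legacy rule set. Two caveats on the legacy rules themselves: `X-Forwarded-For` and `X-Cluster-Client-Ip` are ordinary request headers, so they only say something reliable about the client when a trusted proxy in front of the site sets or overwrites them; and the anchored `^...$` pattern will not match a multi-hop `X-Forwarded-For` value that lists several addresses separated by commas.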

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘[Resolved] Two v4.0.5 ban IP bugs….’ is closed to new replies.