iThemes Security (formerly Better WP Security) support forum: Two v4.0.5 ban IP bugs….

Posted by wp_kc (topic marked Resolved)


    Bug One

    iThemes Security plugin version 4.0.5 has lost its ability to lock out people accessing a site through a proxy server. For example, on 3.4+ versions of the plugin, banning a host with an IP address of would add these rules to .htaccess…

    Order Allow,Deny
    Deny from env=DenyAccess
    Allow from all
    SetEnvIF REMOTE_ADDR "^46\.60\.253\.41$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^46\.60\.253\.41$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^46\.60\.253\.41$" DenyAccess

    Now, all it adds is this…

    Order allow,deny
    Deny from

    This is a big step backwards in security for this plugin.

    Bug Two

    Also, there is a bug with the way the plugin converts the wildcard format of IP addresses to CIDR format. For example, if you enter this into the ban hosts setting…


    This is what comes out in the .htaccess file…

    Deny from
    Deny from

    Anyone who understands CIDR can see that is not correct and results in banning a huge range of addresses.
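The two bugs in the post come down to one conversion step (a wildcard entry in the ban list becoming a CIDR block) and one rendering step (which Apache rules get written for it). The following is an added example written for this page; it is not wp_kc's code and not the iThemes Security plugin's own implementation. It assumes the ban-list wildcard format is a dotted quad in which each trailing `*` stands for one whole octet (so `203.0.113.*` means `203.0.113.0/24`), and it reproduces the 3.4-era rule shape quoted above, with the header regexes and the `collateral_addresses` check being assumptions of this example rather than anything the plugin is documented to do. The sample patterns and the over-wide `/8` used to illustrate the "huge range" problem are constructed for the demo.

```python
"""Wildcard ban patterns -> CIDR blocks and .htaccess rules.

Added, hypothetical helper code; not the iThemes Security plugin's implementation.
"""
import ipaddress
import re


def wildcard_to_cidr(pattern: str) -> str:
    """Convert a dotted-quad wildcard such as '203.0.113.*' to '203.0.113.0/24'.

    Each trailing '*' stands for one whole octet (8 host bits), so the prefix
    length is 32 minus 8 per wildcard octet. A '*' followed by a literal octet
    ('10.*.5.*') has no single CIDR equivalent and is rejected rather than
    silently widened to a larger block.
    """
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dot-separated fields: {pattern!r}")
    fixed = []
    star_count = 0
    for octet in octets:
        if octet == "*":
            star_count += 1
            fixed.append("0")  # wildcard octet: host bits, written as zero
        elif star_count:
            raise ValueError(f"wildcard octets must be trailing: {pattern!r}")
        elif (re.fullmatch(r"[0-9]{1,3}", octet) and int(octet) <= 255
              and (octet == "0" or not octet.startswith("0"))):
            fixed.append(octet)
        else:
            raise ValueError(f"bad octet {octet!r} in {pattern!r}")
    prefix_len = 32 - 8 * star_count
    # strict=True would reject host bits set below the prefix; every wildcard
    # octet is already 0, so this is a guard against future edits, not a path.
    return str(ipaddress.ip_network(".".join(fixed) + f"/{prefix_len}", strict=True))


def is_valid_pattern(pattern: str) -> bool:
    """True if the pattern converts cleanly, False for anything wildcard_to_cidr rejects."""
    try:
        wildcard_to_cidr(pattern)
    except ValueError:
        return False
    return True


def addresses_covered(cidr: str) -> int:
    """Number of IPv4 addresses a 'Deny from <cidr>' line actually blocks."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def collateral_addresses(pattern: str, emitted_cidr: str) -> int:
    """Addresses an emitted 'Deny from' CIDR blocks beyond what the wildcard asked for.

    Returns 0 for an exact conversion. Raises if the emitted block does not even
    contain the intended range (an under-ban rather than an over-ban).
    """
    wanted = ipaddress.ip_network(wildcard_to_cidr(pattern))
    got = ipaddress.ip_network(emitted_cidr, strict=False)
    if not wanted.subnet_of(got):
        raise ValueError(f"{emitted_cidr} does not cover {wanted}")
    return got.num_addresses - wanted.num_addresses


def wildcard_to_regex(pattern: str, header_list: bool = False) -> str:
    r"""Anchored regex for SetEnvIf, e.g. '203.0.113.*' -> '^203\.0\.113\.[0-9]{1,3}$'.

    With header_list=True the regex accepts the address as the first entry of a
    comma-separated X-Forwarded-For chain instead of requiring the whole header
    value to be a single address. (An assumption of this example.)
    """
    wildcard_to_cidr(pattern)  # reuse the validation; raises on malformed input
    parts = [r"[0-9]{1,3}" if o == "*" else re.escape(o)
             for o in pattern.strip().split(".")]
    body = "^" + r"\.".join(parts)
    return body + (r"(\s*,|$)" if header_list else "$")


def render_ban_rules(pattern: str) -> str:
    """Emit the env-variable style rules (the 3.4-era shape quoted in the post) for one pattern.

    REMOTE_ADDR gets the exact regex; the two proxy headers get the list-aware
    one, so a client reaching the site through a proxy is still denied.
    """
    exact = wildcard_to_regex(pattern)
    via_proxy = wildcard_to_regex(pattern, header_list=True)
    return "\n".join([
        "Order Allow,Deny",
        "Deny from env=DenyAccess",
        "Allow from all",
        f'SetEnvIF REMOTE_ADDR "{exact}" DenyAccess',
        f'SetEnvIF X-FORWARDED-FOR "{via_proxy}" DenyAccess',
        f'SetEnvIF X-CLUSTER-CLIENT-IP "{via_proxy}" DenyAccess',
    ])


if __name__ == "__main__":
    for pat in ("46.60.253.41", "203.0.113.*", "10.20.*.*"):
        cidr = wildcard_to_cidr(pat)
        print(f"{pat:>14} -> {cidr:<18} {addresses_covered(cidr):>10} addresses")
    # Constructed illustration of an over-wide conversion: /8 emitted where /24 was meant.
    print("collateral for 203.0.113.0/8 instead of /24:",
          collateral_addresses("203.0.113.*", "203.0.113.0/8"))
    print(render_ban_rules("203.0.113.*"))
```

Two caveats worth keeping in mind when using rules of this shape. `X-Forwarded-For` and `X-Cluster-Client-IP` are set by whatever sits in front of the web server, and a direct client can send them itself, so a deny keyed on those headers is defence in depth, not a substitute for the `REMOTE_ADDR` rule, and it is only trustworthy when a proxy you control overwrites the header (or when Apache's `mod_remoteip` is configured to derive `REMOTE_ADDR` from it). And because a single wrong prefix length turns a 256-address ban into a 16-million-address one, a check like `collateral_addresses` against the intended wildcard is the cheapest regression test for any ban-list-to-`.htaccess` writer.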

Viewing 3 replies - 1 through 3 (of 3 total)