iThemes Security plugin version 4.0.5 has lost its ability to lock out people accessing a site through a proxy server. For example, on 3.4+ versions of the plugin, banning a host with an IP address of 22.214.171.124 would add these rules to .htaccess…
Order Allow,Deny
Deny from env=DenyAccess
Allow from all
SetEnvIF REMOTE_ADDR "^46\.60\.253\.41$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^46\.60\.253\.41$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^46\.60\.253\.41$" DenyAccess
Now, all it adds is this…
Order allow,deny
Deny from 126.96.36.199
This is a big step backwards in security for this plugin.
Also, there is a bug with the way the plugin converts the wildcard format of IP addresses to CIDR format. For example, if you enter this into the ban hosts setting…
This is what comes out in the .htaccess file…
Deny from 188.8.131.52/8
Deny from 184.108.40.206/16
Anyone who understands CIDR can see that 220.127.116.11/8 is not correct and results in banning a huge range of addresses.
The topic ‘Two v4.0.5 ban IP bugs….’ is closed to new replies.
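To make the CIDR point in the post concrete, here is an added reference converter (not code from the plugin or from the poster) that turns a dotted wildcard entry into the CIDR block it actually denotes and measures how badly a wrong prefix over-blocks. The wildcard entries and the emitted prefixes below are constructed sample values, not the ones from the post.

```python
import ipaddress
import re

# Dotted IPv4 with optional '*' octets, e.g. "10.20.*.*" (constructed format).
WILDCARD_RE = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")


def wildcard_to_cidr(entry: str) -> ipaddress.IPv4Network:
    """Convert '10.20.*.*' to 10.20.0.0/16: each trailing wildcard octet
    removes 8 bits from the prefix, so two wildcards give /16, not /8."""
    if not WILDCARD_RE.match(entry):
        raise ValueError(f"not a dotted IPv4/wildcard entry: {entry!r}")
    octets = entry.split(".")
    # Only a run of trailing wildcards maps onto a single CIDR block.
    first_star = next((i for i, o in enumerate(octets) if o == "*"), 4)
    if any(o != "*" for o in octets[first_star:]):
        raise ValueError(f"wildcards must be trailing: {entry!r}")
    prefix = 8 * first_star
    fixed = [o if o != "*" else "0" for o in octets]
    # strict=True (the default) rejects host bits set under the prefix,
    # so a malformed conversion fails loudly instead of silently widening.
    return ipaddress.IPv4Network(f"{'.'.join(fixed)}/{prefix}")


def htaccess_deny_line(entry: str) -> str:
    """Render the Apache 'Deny from' line for one ban-hosts entry."""
    net = wildcard_to_cidr(entry)
    if net.prefixlen == 32:
        return f"Deny from {net.network_address}"
    return f"Deny from {net.with_prefixlen}"


def overblock_factor(intended: str, emitted: str) -> int:
    """How many times more addresses an emitted CIDR covers than the
    wildcard the admin intended (1 means the prefix was correct)."""
    want = wildcard_to_cidr(intended)
    got = ipaddress.IPv4Network(emitted, strict=False)
    return got.num_addresses // want.num_addresses


if __name__ == "__main__":
    for entry in ["10.20.30.40", "10.20.30.*", "10.20.*.*", "10.*.*.*"]:
        print(htaccess_deny_line(entry))
    # A /8 emitted for a two-wildcard entry blocks 256 times too much.
    print(overblock_factor("10.20.*.*", "10.20.0.0/8"))
```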