Česlav Przywara
Forum Replies Created
Forum: Plugins
In reply to: [Simple Download Monitor] Create a password that is not case sensitive
Hi @mcnamara14,
There’s no way to do it without touching plugin files (i.e. no filter etc.). Anyway, you can achieve this by editing line 33 in the simple-download-monitor/includes/sdm-download-request-handler.php file.
Change:
$post_pass != $pass_val
To:
strtolower($post_pass) != strtolower($pass_val)
This way the password check will be case insensitive.
Cheers,
Česlav
In reply to: [All-In-One Security (AIOS) – Security and Firewall] Log Files Always Empty
Thanks again for sticking with this, it was very refreshing to see developers stick to an issue until resolved instead of pretending it doesn’t exist 🙂
Well, thanks for sticking with this issue too 🙂 There are plenty of support requests that are “unsolved”, because their reporters fail to provide additional feedback or just never come back to say “Thank you, my problem is solved”.
Hi @wpmot,
I’ll check the WP-Members plugin to see if there’s a conflict, but you should start your own forum thread, this one is resolved.
Cheers,
Česlav
Hi,
Can you be more specific regarding: “i continue to have kacking by post request on wp-admin/admin-ajax.php”? Can you post examples of the hack attempts here?
Keep in mind that the wp-admin/admin-ajax.php file normally receives a lot of POST traffic, because all AJAX requests generated by WordPress are routed through that file.
Cheers,
Česlav
In reply to: [All-In-One Security (AIOS) – Security and Firewall] Log Files Always Empty
[…] as I am in the midst of grading class projects for C++ and to say I have come across some real freakshows is an understatement.
Sounds like a lot of fun 😉 Take your time!
Hi,
I’m glad you’ve managed to solve your issue. Btw. feel free to post the plugin name here for reference, so we can check if there can be anything done to prevent compatibility issues with this plugin.
Cheers,
Česlav
In reply to: [All-In-One Security (AIOS) – Security and Firewall] 4.2.3 broke login
Hi,
The problem appears if somebody uses a plugin that must remotely validate users, e.g. LDAP, AD, OpenID, etc.
I would not generalize too much. The problem appears with “Simple LDAP Login”, because it hooks to authenticate filter with priority 1 (ie. very, very early). The problematic AIOWPSF routine that you patched is hooked with the same priority, but for a reason: if an IP is locked, the login attempt should be terminated as soon as possible to spare system resources in case of brute-force attack.
Your patch is fine and I would merge it if I could, but I think an even better solution is to issue a PR to “Simple LDAP Login” requesting modification of their hook priority to a value slightly higher than 1. This way, AIOWPSF will be able to block login attempts from locked IPs before LDAP authentication is performed.
Cheers,
Česlav
In reply to: [All-In-One Security (AIOS) – Security and Firewall] 4.2.3 broke login
Hi David,
4.2.3 changed the way authenticate hooks are altered by the plugin. Before, AIOWPSF replaced one of the default hooks added by WordPress core with its own version and this implementation unfortunately failed to support login via email.
Since 4.2.3, all default WordPress hooks attached to the authenticate method are retained and AIOWPSF adds extra hooks before (to check if user IP is locked) and after (to perform all other checks). So I would actually expect less friction between AIOWPSF and other plugins that hook into the user authentication process.
I don’t know Simple LDAP Login, so if you can investigate the issue further, it would be great. Anyway, I might have a look at it when I have some time.
Cheers,
Česlav
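The hook-priority ordering discussed in the two "4.2.3 broke login" replies above, as an added example that is not part of the original posts and is not AIOWPSF, Simple LDAP Login or WordPress code. `run_authenticate` is a stand-in for filter dispatch, both callbacks are hypothetical, the IP is a constructed sample, and the assumptions are that the LDAP callback registers first and that the lockout check ends the attempt by throwing.

```php
<?php
// Stand-in for WordPress filter dispatch (not WordPress code): callbacks run
// in ascending priority; callbacks sharing a priority run in the order added.
function run_authenticate(array $hooks, string $login, string $ip) {
    ksort($hooks);
    $user = null;
    foreach ($hooks as $callbacks) {
        foreach ($callbacks as $cb) {
            $user = $cb($user, $login, $ip);
        }
    }
    return $user;
}

// Count remote LDAP binds performed for one login attempt from a locked IP.
function count_ldap_binds(int $ldapPriority): int {
    $lockedIps = ['203.0.113.7'];   // constructed sample (documentation range)
    $binds = 0;

    // Hypothetical LDAP plugin callback: every call costs one remote bind.
    $ldap = function ($user, $login, $ip) use (&$binds) {
        $binds++;
        return "ldap-user:$login";
    };
    // Hypothetical lockout callback: ends the attempt for a locked IP.
    // Throwing is an assumption standing in for terminating the request.
    $lockout = function ($user, $login, $ip) use ($lockedIps) {
        if (in_array($ip, $lockedIps, true)) {
            throw new RuntimeException('IP locked');
        }
        return $user;
    };

    // Assumption: the LDAP plugin registers first; the lockout check uses priority 1.
    $hooks = [];
    $hooks[$ldapPriority][] = $ldap;
    $hooks[1][] = $lockout;

    try {
        run_authenticate($hooks, 'alice', '203.0.113.7');
    } catch (RuntimeException $e) {
        // Attempt terminated by the lockout check.
    }
    return $binds;
}

echo "LDAP at priority 1: ", count_ldap_binds(1), " bind(s)\n"; // tie, LDAP ran first
echo "LDAP at priority 2: ", count_ldap_binds(2), " bind(s)\n"; // lockout ran first
```

With both callbacks at priority 1 the outcome depends on registration order, which is why moving the LDAP hook to a slightly higher priority value makes the lockout check reliably run before any remote authentication.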
In reply to: [All-In-One Security (AIOS) – Security and Firewall] Log Files Always Empty
Hi Mike,
The recent version (4.2.3) now has a permanent .htaccess file with access deny directives in logs directory. Thanks once more for your thoughts on this!
So where to now? because this has more than jumped the shark into the ridiculous. Let me know what else you need to figure this out.
Ok, let us please tackle your problem step by step:
- Update the plugin to 4.2.3 so we are on the same level.
- Make sure you have logging enabled in plugin settings. I know you already did, but just in case.
- Run an action that results in a message being written to the log file. One example is running a manual DB backup – if the backup procedure proceeds correctly, there should be a message in the wp-security-log informing you about attempted deletion of old backup files.
- Check contents of wp-security-log via plugin dashboard. If it says the log is empty, please check the contents of the file directly on your webserver – either via FTP or webFTP if you have one. Log files are in the logs subdirectory of the plugin.
If the log file is empty, the only explanation I can think about is that your webserver cannot write to it due to file permissions. Could you please check what are file permissions of log files? Related questions: Can you update your plugins from within WordPress dashboard? If so, did you have to give WordPress your FTP credentials or did it work right away?
Cheers,
Česlav
Hi @frank_f19 and others,
The fix is included in recent version (4.2.3). Please, give it a try and report back!
You’re welcome!
Btw. it does seem plain wrong to me that your host updates the .htaccess file in a way that does not preserve its original contents. WordPress puts some directives in .htaccess too if you have nice permalinks enabled…
Glad to hear you managed to sort it out!
Hi @tober1,
No, the plugin has no such functionality.
When you re-save any of the plugin settings/features that are implemented via .htaccess directives, entire AIOWPSF-generated content of .htaccess file is restored (ie. not only that particular feature you just saved). But the plugin won’t notice that the .htaccess file has changed and plugin-generated content has been lost as result.
Hi,
Probably the plugin was able to rename your tables, but not to update the $table_prefix configuration variable that is stored in wp-config.php file.
Can you access your database with a tool like phpMyAdmin or Adminer? Or do you know the random prefix that the plugin has generated?
@bphilly and possibly others with the same problem: I implemented a fix for this issue in a branch of my AIOWPSF fork.
If you are comfortable with installing plugins from GitHub, feel free to check it out and let us know whether the fix works for you or not.