Česlav Przywara
Forum Replies Created
Hi @livingflame,
Thanks for pointing that one out. This file is missing the standard defined('ABSPATH') or die("Cheatin', huh?!"); check, I’ll add it.

Cheers,
Česlav

Forum: Plugins
In reply to: [All-In-One Security (AIOS) – Security and Firewall] Backup Issue

Hi @talisman,
Database backup files are zipped only if there is ZIP extension enabled in PHP, so if you are getting plain sql files by email, most likely that website has this extension disabled.
You can find whether this extension is enabled in output of phpinfo or you can create a dummy PHP file with class_exists( 'ZipArchive' ) check – this is what actually AIOWPSF plugin does. For example:

<?php echo class_exists( 'ZipArchive' ) ? 'ZIP extension seems enabled' : 'ZIP extension seems disabled';

Cheers,
Česlav

Hi,
Sorry, X-Mas are coming…
This issue is complex. The assumption here is that most of plugin users don’t know what server they have (not to mention version), so asking them for it makes no sense. Unfortunately, there is no reliable way how to determine this type of information via PHP, so we took <IfModule mod_authz_core.c> approach to support both older and newer Apache servers. This is de-facto standard approach, I think Wordfence and other security plugins (or rulesets like 6G) do exactly the same.

I don’t know if any of them can deal with active mod_access_compat. I can dig this issue further, but – to be honest – it has low priority to me, cause it is of no interest to my employer. I don’t know if any of the other plugin authors wants to pick up this issue (ping to @wpsolutions here).
You can always manually clean up .htaccess file from old directives and disable firewall rules in the plugin (and only use “Custom Rules” tab for black listing). I can’t really offer a better solution for the time being.
- This reply was modified 9 years, 4 months ago by Česlav Przywara. Reason: grammar
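
The dual-syntax pattern discussed in the reply above, as an added illustration (not the plugin's generated rules and not part of the original reply). The blocked address 203.0.113.7 is a constructed documentation-range value, and guarding the older branch with a negated `!mod_authz_core.c` test is an assumption made for this example.

```apache
# Added example: one IP block written for both Apache generations.
# 203.0.113.7 is a constructed sample address.

# Newer Apache: mod_authz_core is loaded, so use Require syntax.
<IfModule mod_authz_core.c>
    <RequireAll>
        # Allow everyone ...
        Require all granted
        # ... except the listed address.
        Require not ip 203.0.113.7
    </RequireAll>
</IfModule>

# Older Apache: mod_authz_core is absent, so fall back to Order/Allow/Deny.
# The negated test keeps this branch from being evaluated on newer servers,
# even when mod_access_compat would otherwise accept the old directives.
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from 203.0.113.7
</IfModule>

# Check before relying on either branch: list the loaded modules with
#   apachectl -M
# and look for authz_core_module and access_compat_module. If
# access_compat_module is loaded, any unguarded Order/Allow/Deny lines left
# elsewhere in the same .htaccess are still applied alongside the Require
# rules, which is the old/new mix that Apache's documentation discourages.
```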
Hi,
Can you paste here the exact error message you get? What features under User Login > Login Lockdown tab do you have enabled?
@vasseurb Please, start your own thread.
Hi @mikele3,
Actually the second problem should be resolved already, see the current code: https://github.com/Arsenal21/all-in-one-wordpress-security/blob/master/all-in-one-wp-security/classes/wp-security-user-login.php#L372-L376
You should have the following string available for translation: “You have requested for the account with email address %s to be unlocked. Please click the link below to unlock your account:” – the “%s” part is placeholder for email address that is injected via call to sprintf.
I’ll have a look at the subject-line problem.

Cheers,
Česlav

Hi,
The way plugin inserts the unlock request form changed, so this function has been renamed to AIOWPSecurity_User_Login::get_unlock_request_form(). As the name suggests, it now doesn’t echo the form, but returns HTML string with the form instead, so you have to echo the result yourself.

Also, the form is now a true form: <form> and </form> tags are included in returned string (it wasn’t the case before).
Sorry for breaking your implementation!
Cheers,
Česlav

This typo has been patched in development version, so the problem will be fixed with release of the next version. Thanks again!
Ok, I ran some tests and I believe mod_access_compat is most likely the culprit. It allows you to use old syntax in .htaccess for Apache 2.3+, but reportedly can cause troubles when .htaccess mixes old and new syntax.
As I said, I ran some tests on my development machine with mod_access_compat on and I can reproduce your problem only when I enable some other firewall features in addition to blacklist manager. I’m not an expert in this field, so it’s hard for me to say what exact rules are causing this issue.
I’m not sure if adding additional <IfModule mod_access_compat.c> checks makes sense here. For the time being, if you cannot disable mod_access_compat on your webserver, you can use the “Custom Rules” tab and insert the IPs using old syntax. I know it’s not that convenient, but it’s designed for such edge cases.

Cheers,
Česlav

Hi Jacob,
Thanks for noticing! It will be fixed in the next version of plugin.
Forum: Plugins
In reply to: [All-In-One Security (AIOS) – Security and Firewall] Request for enhancements

Hi,
– The ability to immediately – at the first try – lock out IPs that try to login with certain – configurable – login names (like admin when the admin name has been changed), preferably with a longer – or infinite – lockdown time.
This option is already present in the plugin (User Login > Login Lockdown > Instantly Lockout Specific Usernames). The lockout time is however shared with other lockout options.
This is a bit strange, because mod_authz_core is available only on Apache 2.3+ that requires the new syntax (Require not ip etc.), so the <IfModule> checks should be fine.

Can you check, if you have also mod_access_compat active?
Hi Mike,
Is there a possibility to “test” if the blacklisting is even working at all?
Maybe there’s a service for this somewhere out there, but I always just block my own IP address/range when I want to test .htaccess this way. Of course, it’s better to edit .htaccess file via FTP instead of from within admin interface when performing such test 🙂
Rules created by AIOWPSF shouldn’t collide with each other.
Do you know what Apache version you have on the server? If it’s 2.3 or newer, maybe check if mod_authz_core module is enabled (you can find this in output of phpinfo for example).

Hi,
No, but we might add it in the future version. You are not the first to ask for it.
Cheers,
Česlav

I’m sorry, but I haven’t found any info about this “test cookie” (neither online nor in WordPress source code). I can only recommend to turn off the “Instantly Lockout Invalid Usernames” feature.