dwinden
Forum Replies Created
No problem, better a late response than no response 😉
Are there any errors in the web server error_log ?
Have you set the Log Type setting to File Only or Both (Default -> Database Only) in the Global Settings section ?
dwinden
In that case enable the Disable File Locking setting in the Global Settings section of the iTSec plugin Settings page.
Clean up any existing backup.lock folder and then see whether the PHP warning persists.
dwinden
It turns out there are actually 3 known core vulnerabilities in WordPress 4.4.2 which have been fixed in the 4.5 release:
Security
In addition to the new features, enhancements, and bug-fixes, WordPress 4.5 solves a few security problems:
- SSRF Bypass using Octal & Hexadecimal IP addresses, reported by Yu Wang & Tong Shi from BAIDU XTeam
- Reflected XSS on the network settings page, reported by Emanuel Bronshtein (@e3amn2l)
- Script compression option CSRF, reported by Ronni Skansing
So it looks like the reported vulnerabilities are not false positives. Best advice I can give you is to update to WordPress 4.5
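The first item in that list, the SSRF bypass via octal and hexadecimal IP literals, is worth a concrete illustration. The following is an added example and not code from the thread, from WordPress or from the iThemes plugin: it shows why a dotted-decimal check on a URL host is not enough, because `inet_aton`-style resolvers accept `0177.0.0.1`, `0x7f.0.0.1`, `127.1` and the plain integer `2130706433` as 127.0.0.1. The defensive fix is to canonicalize the literal with the same rules the socket layer uses before comparing it against blocked ranges. All function names are this example's own.

```python
import ipaddress
import re

# One inet_aton component: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(p: str) -> int:
    if p.lower().startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def canonicalize_ipv4(host: str):
    """Return the dotted-decimal form of an inet_aton-style IPv4 literal.

    Accepts 1 to 4 components in hex, octal or decimal; the last component
    fills the remaining bytes (so "127.1" is 127.0.0.1). Returns None when
    the string is not an IPv4 literal at all (e.g. a hostname).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not _PART.match(p):
            return None
        values.append(_parse_part(p))
    *head, last = values
    if any(v > 0xFF for v in head):
        return None
    fill_bytes = 5 - len(values)  # bytes the last component covers
    if last >= 1 << (8 * fill_bytes):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * fill_bytes)) | last
    return str(ipaddress.IPv4Address(addr))


def naive_is_private(host: str) -> bool:
    """The weak check: only recognises plain dotted-decimal quads.

    "0177.0.0.1" is read as 177.0.0.1 (a public address) and passes,
    while the OS later connects to 127.0.0.1.
    """
    if not re.match(r"^\d+\.\d+\.\d+\.\d+$", host):
        return False  # treated as a hostname and allowed through
    octets = [int(p) for p in host.split(".")]
    if any(o > 255 for o in octets):
        return False
    return ipaddress.IPv4Address(".".join(map(str, octets))).is_private


def hardened_is_blocked(host: str) -> bool:
    """The hardened check: canonicalize first, then test the real address.

    Hostnames (canonicalize_ipv4 -> None) are not decided here; a complete
    SSRF filter resolves them and applies this test to every returned
    address before connecting.
    """
    canon = canonicalize_ipv4(host)
    if canon is None:
        return False
    ip = ipaddress.IPv4Address(canon)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


if __name__ == "__main__":
    # Constructed sample hosts, all of which the OS resolves to loopback.
    for h in ("0177.0.0.1", "0x7f.0.0.1", "127.1", "2130706433"):
        print(f"{h:>12} -> {canonicalize_ipv4(h)}  naive={naive_is_private(h)}"
              f"  hardened={hardened_is_blocked(h)}")
```

Running the block prints the canonical form of each variant alongside the verdicts of the two checks; the naive check lets every variant through while the hardened one blocks all of them.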
dwinden
No, the iThemes Security plugin will probably not protect you against all such WordPress core vulnerabilities.
Have you verified that these are known WordPress 4.4.2 core vulnerabilities ? I mean they could also be false positives …
I noticed you specified 4.4.2 as the WordPress version for this topic.
Known WordPress core vulnerabilities are potentially fixed by updating to the latest WordPress release. But according to the WPScan Vulnerability Database there are no known 4.4.2 core vulnerabilities.
Update to WordPress 4.5 then run the Patchman scan again. Would be interesting to see whether these core vulnerabilities are still reported in 4.5. If so, try and get them verified.
dwinden
I’m sorry to hear it doesn’t work for you.
I tested my workaround in a vanilla WordPress 4.5 env with the Twentysixteen theme active.
dwinden
Thank you for finally responding to the One-Click Secure issue.
Any idea what happened to the other topic ?
… as the One Click button was only ever intended to be a tool for helping to speed up the configuration of the settings known to have few conflicts on the vast majority of sites
Let’s focus for a moment on the part from your reaction highlighted above.
I would agree with that statement IF display of the Important First Steps modal box was optional.
However it is not. A first time user of the plugin will ALWAYS be presented with the Important First Steps modal box.
Even though they do initially get an option, when dismissed, the user is automatically confronted with the Important First Steps modal box upon ANY subsequent action. Note I’m specifically describing the scenario, right after plugin install\activation.
So since iThemes calls this modal box Important First Steps it is safe to assume that there is a high probability that first time users simply follow the recommendations … and finally click on the One-Click Secure button.
It then reports:
Site Secured. Check the Dashboard for further suggestions on securing your site.
“Site Secured” ? Huh ! Since the code behind the One-Click Secure button is removed, not a single setting is being changed… NOTHING has been secured ! Now what is a One-Click Secure button doing on a modal box named Important First Steps when clicking that button does ab-so-lu-te-ly NOTHING to secure your site ?
“Check the Dashboard for further suggestions on securing your site.” ! Huh ! Since the Security Status feature has been removed from the Dashboard there is NOTHING to check !
So common sense tells me first time users will be confused or at least misled …
Something that can simply be prevented by REMOVING the One-Click Secure button from the Important First Steps modal box …
It’s a pity that the GA data tracking feature does not track how often the One-Click Secure button is being clicked upon. But I’m pretty sure it’s being clicked upon a LOT …
I also noticed that one of the features which would normally be enabled by the One-Click Secure button is Brute Force Protection.
Which I think is a pretty important feature …
Please reconsider, for now I rest my case.
Anyone reading this topic and who agrees with my findings please add a
@dwinden +1
post to this topic.
The other topic had already received 2 of such posts (including a third yesterday in the form of only an email notification since the topic’s status was set to closed).
dwinden
Ok, now you’ve got me really interested.
That is, if you are looking at the right database (just checking) 😉
Would you be interested in assisting me trying to figure this out ?
Or is disabling the Schedule Database Backups setting a good enough solution and you don’t really want to spend any more time on getting to the bottom of this ?
Note I’m not an iThemes employee, just a guy in for a challenge.
There must be something specific in your database that is causing this …
dwinden
Good evening rdekruijf,
Screenshots are always welcome.
Have you tried from a different device ?
What client env are you on (OS, browser) ?
Interesting case …
dwinden
@the Hack Repair Guy
… but as soon as you save any changes to the settings in the iTSec plugin you need to … log into your File Editor, and remove the line in your .htaccess AGAIN …
So it’s more convenient to change the right template (*.inc) file.
Not perfect since any change to the template file will be discarded after a plugin update.
dwinden
@andrew Nevins
Is that documented anywhere ?
If so I apologize for any inconvenience I caused 😉
dwinden
@ryan Duff
You totally misinterpreted my post…haha
Don’t worry I don’t blame you.
Anyway I trust WordPress when they say their moderators are smart.
So instead of insulting their intelligence by overexplaining I expect them to be able to figure things out. That is if a moderator takes the time to read things properly …
Oh, and I have read the Forum Welcome, thank you.
Eagerly waiting for a response that is actually about the issue I opened this topic for.
Now where did I read that in the Forum Welcome …
dwinden
Is the Backup Full Database setting enabled ? (default disabled).
No tables with 10000s of records in the database ?
Instead of looking at the total size of tables it’s probably better to look at the # of records per table.
dwinden
@jan Dembowski
You didn’t disappoint me. Exactly the biased response I expected from you.
It says somewhere in the Forum Welcome: “Our moderators are smart”.
Do some proper reading and figure it out. It’s all there.
You’re right about the email though …
dwinden
Sneak Peek: 2 Big iThemes Security & Sync Updates Coming Very Soon
1. A Brand New Dashboard for iThemes Security Pro
The best WP security plugin is getting even better. The new dashboard for iThemes Security Pro is going to make it faster and easier for you to secure all your WP sites. As you can see, the new dashboard puts all the vital security modules right at your fingertips plus a new “recommended” section.
iThemes Security New Dashboard screenshot
2. iThemes Sync Reporting for BackupBuddy (and Soon for iThemes Security)
For anyone interested in the complete newsletter email, send an email to [ redacted, support is not offered via email, Skype, IM etc. only in the forums ] and I’ll forward the newsletter to you.
dwinden
Disable the Schedule Database Backups setting in the Database Backups section of the iTSec plugin Settings page.
Or lower the database backup size so that it fits in the available memory.
There may be logs tables from other plugins in the database that contain 10000s or 100000s of records. Clear the data from those logs tables and your worries are over.
dwinden