dwinden
Forum Replies Created
-
Allthough iThemes is doing its best to position this plugin as a one-size-fits-all and one-click security solution in reality it needs to be tailored to suit your website needs.
That said iThemes did produce a video that runs through all the recommended iTSec Pro settings. Watch and learn from this video here.
A couple of notes regarding this iTSec Pro video:
- iTSec Pro = Free iTSec plugin + 10 extra features.
- The video was created in Oct 2015. This means what’s being demonstrated in this video is done using an older iTSec Pro release.
- As of release 5.2.0 (released in Jan 2016) the Security Status metabox on the plugin Dashboard page has been removed. It will be replaced by a better tool in the next major release (probably 6.0).
So this explains why in the video the Security Status metabox is still present.
If you prefer to run the latest plugin release that still includes the Security Status metabox you should download and install the 5.1.1 release. - You will probably notice some slight differences on some pages which are due to the fact that the video was recorded while working on a WordPress env that runs on the Nginx web server. Which is odd because it would make much more sense to record such a video while using a WordPress env that runs on the Apache web server.
Note these ui differences will not show if you are also running WordPress while using the Nginx web server.
Anyway keep in mind that the Schedule Database Backups and File Change Detection settings are the 2 (bulk process) features that have most impact on performance and memory usage.
How much impact will depend on the size of your site and database.
Considering your symptom (site slow or occasionally broken) these 2 options would be the first candidates to disable if enabled (default disabled).dwinden
There is a Hesabim (My Account) link on your homepage that allows login attempts. Though it does not seem to be THE WordPress admin login form.
Still could be the iTSec plugin is registering failed login attempts from this form (probably not).Anyway it looks like the secret login slug is not exposed on your homepage.
As I said in my previous post, there are other ways to attempt logins. It looks like XMLRPC is still enabled. So a brute force attack using xmlrpc.php probably works fine …
Check your web server logs for any xmlrpc.php requests.
If these exist in the log disable XMLRPC.dwinden
Thank you for providing that extra info.
Fixing this is not as easy as permanently saving these options in the database.
The options probably need to be created in the database at activation of the plugin. And they need to be set to the proper default value. Otherwise these options will trigger actions that are not (yet) supposed to be triggered.
Since these options are currently created/deleted other changes need to be made as well. The pieces of code that deletes the options needs to be removed or rewritten to set the value back to default after an action has been performed.
Looking at your screenshots I noticed the relevant SQL queries run pretty fast. Which means there will not be any noticeable performance gain.
I agree running less SQL statement on your database is a good thing but if there is no noticeable performance gain who cares …Another thing to consider is that ok so we can cut down on the number of SQL queries but saving the options permanently in the database with autoload=yes means there is more data loaded into memory at WordPress initialization. So you win a bit on one side of the diamond and loose a bit on the other side of the diamond.
There are even some other considerations I’m not going to discuss here.
What I’m trying to say is that this is more of a cosmetic thing.
The effort is probably not worth the gain.But look at it on the bright side, iThemes might disagree with me (if they everrrrr read this post) 😉
dwinden
That sounds like a sane thing to do.
But it seems to me WordPress cannot differentiate between a 404 or 410.
As the iTSec plugin is triggered to log a 404 when WordPress detects a 404, how would the iTSec plugin be able to know whether it was a true 404 or a 410 ?dwinden
Strictly speaking you are right. It should be 400 or 440.
But there may be hosting envs out there that might have problems with permissions set as low as 400 or 440. I think the idea behind 444 is to set the permissions as low as possible but still allow as much hosting envs as possible to function.
Anyway the WordPress File Permission feature in its current form is crap. Setting the wp-config.php file permissions to 440 or 400 (which is better protection than 444) still results in a WARNING.
Also what is an absolute path doing in a column named Relative Path 😉
dwinden
Upvote the existing Customer Feature Request on the iThemes Security (Pro) Public Roadmap (Currently 41 votes).
dwinden
In order to be able to answer your question please post the link to your site.
Does your web server logs actually show that your secret login slug is being accessed from unknown IPs ?
There are other ways to do login attempts …
dwinden
Manually deleting the wp-content/uploads/ithemes-security/backup.lock folder should take care of this Php Warning.
Alternatively disable the Schedule Database Backups setting in the Database Backups section of the iTSec plugin Settings page.
dwinden
Is the Schedule Database Backups setting in the Database Backups section of the iTSec plugin Settings page enabled ?
Is the File Change Detection setting enabled ?
Is your website using Apache web server ? If so what version ?
Please post the content of your .htaccess file while obscuring any sensitive info.
dwinden
If enabled you could try and disable the Schedule Database Backups setting in the Database Backups section of the iTSec plugin Settings page.
That should fix the issue.
dwinden
If you require no further assistance please mark this topic as ‘resolved’.
dwinden