dwinden
Forum Replies Created
-
Oh, one last thing.
The article was written based on the 4.4.13 release available at the time.
So there is no mentioning of the Override Proxy Detection setting in the article as it was only to be included in a later release (4.5.2).
According to the 4.5.2 Changelog:
- New Feature: Override proxy IP detection
dwinden
Because it’s not.
The fact that wp-login gives access to the login page is a web server issue at your hosting provider. If properly configured wp-login will not give access to the WordPress Dashboard login page.
Try it on several environments at different hosting providers (if possible) and you’ll see …
dwinden
Amazing what you can find on the internet if you know exactly what you are searching for 😉
Read this almost 2 years old article …
Considering the fact that the iTSec plugin does provide a setting to change the (less secure) default behavior any chance for a free pizza lunch revenge bet ? … hihi 😉
dwinden
1. wp-login.php -> check
2. wp-admin -> check
3. admin -> check
4. login -> check
5. (not listed but) dashboard -> checkALL 5 default WordPress login page slugs are blocked.
wp-login is not a default WordPress login page slug …
dwinden
I simply wanted to respond to your post and provide some info you might have missed but I think is certainly relevant.
Your post also made me think … (yuk ;-))
I read everywhere on the internet that using $_SERVER[‘REMOTE_ADDR’] is the most secure way of obtaining the client IP address in php.
Still not 100% safe so validation, sanitation and escaping is important.But when the web server is behind a proxy $_SERVER[‘REMOTE_ADDR’] returns the proxy IP. This would greatly impact the Brute Force Protection feature of the plugin.
So to provide a proxy solution the iTSec plugin by default reports the IP from the (less secure) web server HTTP_% request headers (if any exist)
and otherwise falls back to using the more secure $_SERVER[‘REMOTE_ADDR’].And the Override Proxy Detection setting provides a way to change that default behavior.
Having contemplated all this I realized it would probably be safer to simply use the more secure $_SERVER[‘REMOTE_ADDR’] by default and offer a (by default disabled) Enable Proxy Detection setting for proxy setups.
Now, I may be getting this all wrong. If so please explain. Always looking to learn new things 😉
dwinden
The plugin includes a setting (Override Proxy Detection) which allows you to override proxy IP detection when you know your site is not behind a proxy …
if ( ITSEC_Modules::get_setting( 'global', 'proxy_override' ) ) { return esc_sql( $_SERVER['REMOTE_ADDR'] ); }The Override Proxy Detection setting is disabled by default …
dwinden
@0xff
By default WordPress does not make use of the admin-post.php file.
Delete it and a vanilla WordPress env will continue to function without a bleep.However the admin-ajax.php file is used by WordPress core in eg the WordPress Heartbeat API.
Deleting this file will break a vanilla WordPress env.So that’s probably why the iTSec plugin Hide Backend feature includes an exception for the admin-ajax.php file but not for the admin-post.php file.
Adding an exception for the admin-post.php file to the Hide Backend code is probably no security risk (provided the admin-post.php file is used properly in a form).
Note I’m not an iThemes employee.
dwinden
@0xff
Correction:
… modify /core/modules/hide-backend/class-itsec-hide-backend.php file and lines 161/162:
strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) === false && $this->auth_cookie_expired === falseto:
strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) === false && strpos( $_SERVER['REQUEST_URI'], 'admin-post.php' ) === false && $this->auth_cookie_expired === falsedwinden
It just seemed weird to me that I suddenly started getting the emails even though I had installed iThemes security last year.
The brute force attacks probably started recently.
The other thing that worried me was the link said they were locking ME out! Even though I was having no problems logging in.
Starting from the 5.4.0 release your IP address is automatically whitelisted by the iTSec plugin when logged in as an administrator user.
So even when the user account is (temporarily) locked out your whitelisted IP still allows you to login with that user account.
(Or if you are already logged in with the user account you will not suddenly get locked out as a result of the brute force attack).As it seems your initial question has been answered please mark this topic as ‘resolved’.
dwinden
Check your web server error_log to find out which type of brute force attack is used (login page or XMLRPC).
Then take the appropriate action to prevent that type of brute force attack.
Or simply prevent any type of brute force attack if you don’t allow subscribers to your site.
(Enable Hide Backend module and if possible disable XMLRPC in WordPress Tweaks module).dwinden
The message “This has been disabled.” is normally displayed when you try to access the Dashboard login page using wp-admin or wp-login.php while you enabled the iTSec plugin Hide Backend feature.
dwinden
Looks like this is not an iTSec plugin issue.
Deactivate one by one the other plugins and hopefully this will allow you to find the cause of the warning.
dwinden
Renaming the better-wp-security folder should allow you to login again.
Once logged in rename the folder back to better-wp-security.
Then click on the iTSec plugin Delete link in the plugins page.
dwinden
Fixed in the iTSec 5.6.1 release. According to the 5.6.1 changelog:
Bug Fix: Prevented some notices from displaying to users who do not need to see them.
Bug Fix: Limited notices to only display on specific pages on the dashboard.dwinden