dwinden
Forum Replies Created
In general the lower the number the more secure it is.
So yes 400 is more secure than 444. But will everything still work when setting it to 400 in every type of server environment? Perhaps 444 was chosen because that is what matches a file set to read only on a Windows platform (but I don’t think so).
If I’m not mistaken WordPress advise is 644.
dwinden
404 Detection depends on permalinks enabled …
So the 404 File/folder whitelist probably does not work with wildcards.
dwinden
Thank you for this valuable feedback.
I would recommend this plugin’s developers to detect if the user is using APC or APCu and only call apc_clear_cache() when it’s not APCu, as this will reset the entire cache.
How would this look codewise? Can you provide us with a code example?
dwinden
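As an added illustration of the APC vs APCu distinction raised in the reply above (example code, not from the iTSec plugin or the forum poster; the function names are hypothetical):

```php
<?php
// Added example, not code from the iTSec plugin or from the forum poster.
// Shows the APC vs APCu distinction described in the reply above: legacy APC
// holds an opcode cache plus a user cache, APCu holds a user cache only, and
// with the apcu_bc shim apc_clear_cache() maps to apcu_clear_cache(), which
// empties the whole user cache. Function names here are hypothetical.

// Returns 'apcu', 'apc' or null. APCu is checked first because apcu_bc also
// registers an extension named "apc", so the reverse order would misdetect it.
function example_detect_cache_extension(): ?string
{
    if (extension_loaded('apcu')) {
        return 'apcu';
    }
    if (extension_loaded('apc')) {
        return 'apc';
    }
    return null;
}

// Clears the opcode cache only where one exists (legacy APC) and reports
// what was done, so a caller can log the decision.
function example_clear_opcode_cache(): string
{
    switch (example_detect_cache_extension()) {
        case 'apc':
            // Legacy APC: apc_clear_cache() with no argument clears the
            // system (opcode) cache and leaves the user cache untouched.
            if (function_exists('apc_clear_cache')) {
                apc_clear_cache();
            }
            return 'cleared legacy APC opcode cache';
        case 'apcu':
            // APCu has no opcode cache to clear; calling apc_clear_cache()
            // here would wipe every user-cache entry, so skip it.
            return 'APCu detected, apc_clear_cache() skipped';
        default:
            return 'no APC or APCu extension loaded';
    }
}

echo example_clear_opcode_cache(), PHP_EOL;
```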
The missing Security Status section on the iTSec plugin Dashboard page is a duplicate of this topic.
After a new iTSec plugin install the Important First Steps (IFS) modal window is still automatically displayed when accessing the plugin dashboard page for the first time.
If you have installed the iTSec plugin for the first time in a new website and the IFS modal window is not displayed it might be because of a javascript issue. Check the javascript console for any errors.
Note it is also normally only triggered once. Alternatively you can click on the Show Intro link in the right upper corner of the screen on any iTSec plugin page that is being displayed.
dwinden
It won’t hurt to do some investigation on your own. That way you might learn something.
The journey is far more interesting than the end solution … A clue. Focus on the Force users to choose a unique nickname setting in the iTSec plugin Settings page, WordPress Tweaks section.
Good luck !
dwinden
Just Google it and you’ll find a zillion websites explaining user enumeration.
Did you read the email you received triggered by my previous post ?
There is some additional info in that email that I removed from the post.
Anything with admin in it is easily guessable …
Anyway I found your username using user enumeration. Website security is not just installing and configuring a security plugin. To do it properly also requires a bit of expertise.
The bottom line is that this issue can easily be prevented. One last piece of the puzzle. WordPress does not consider usernames to be a secret. Think about that for a moment …
dwinden
Looks like your WP user account is getting locked out temporarily.
(Default 15 minutes but you may have changed this setting).
This is probably a symptom of a brute force attack in combination with user enumeration. You are either using an easy to guess user or users can be harvested easily through user enumeration.
So you’ll probably need to create a new user, move all content to the new user and then delete the old user.
And you need to do so while preventing user enumeration. Rename the better-wp-security folder and the iTSec plugin will be deactivated. This should allow you to login again.
Basically the site was not properly secured.
dwinden
Perhaps the date\time is set incorrectly on the server where the website is hosted …
Oh no wait, it could also be a bug in the plugin…
Searching for a similar older topic … Got it … it’s this topic.
But not sure whether it actually explains what you are seeing.
Perhaps you can be a bit more specific.
It’s hard to make anything out of just 2 lines of problem description.
dwinden
Perhaps you should set the correct timezone for your geographic location in WP Settings\General.
dwinden
@june Cleaver
The problem is caused by the Scheduled Database Backup feature of the iTSec plugin.
Disable it temporarily and then wait and see whether that fixes the issue.
dwinden
<IfModule mod_rewrite.c>
RewriteEngine on
# Match any request URI that ends in "administrator"
RewriteCond %{REQUEST_URI} ^(.*)?administrator$
# "-" keeps the URI unchanged; [F] returns 403 Forbidden
RewriteRule ^.* - [F]
</IfModule>
Untested so use it at your own risk.
Note this does not block on IP. It simply blocks /administrator requests at the Web server level.
dwinden
In general that would be possible.
But no, there is not such feature currently in the iTSec plugin.
The 404 Detection feature comes close but it works a bit differently.
You can submit a feature request here. As an alternative manually add blocking rules to your .htaccess file.
Please note /admin is a correct WP Dashboard login page slug.
(just like login, dashboard, wp-admin and wp-login.php)
dwinden
According to the 5.2.0 Changelog:
Enhancement: Updated the File Change Detection feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.
Enhancement: Updated the Database Backup feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.
If the info provided above answers your question please mark this topic as ‘resolved’.
dwinden
Ok. It looks like a database\connection issue.
The ‘Lost connection to MySQL server during query …’ error seems to be generic. There are many many reasons why this can happen.
There is some interesting and relevant info about it here. Hopefully using the File Change Detection split setting solves the issue.
Let’s wait and see.
dwinden