dwinden
Forum Replies Created
@leslie M WP
According to the 5.4.0 Changelog:
Compatibility Fix: Updated handling of wp_remote_get() responses in preparation for changes coming in WordPress 4.6.
But I’m pretty sure any plugin will need several changes.
You can install 4.6 beta 3 and find out yourself if it is that important.
dwinden
@TZAL
Build 4036 is from an old release (4.6.x).
It should be 4041. So it looks like the database upgrade is failing.
No wonder you are having problems.
Below an overview of iTSec plugin releases and its database build version:
5.6.0 – 4041
5.3.7 – 4040
5.1.1 – 4038
4.6.13 – 4036
It looks like database upgrading from 4036 to 4041 is a step too big.
So try and upgrade from 4036 to 4038 and then upgrade from 4038 to 4040.
Finally upgrade from 4040 to 4041.
First deactivate the current iTSec plugin release (5.6.0)
Then use FTP to delete the better-wp-security folder. DO NOT DELETE the plugin FROM WordPress Dashboard.
Download and MANUALLY (using FTP) install the iTSec plugin 5.1.1 release.
Activate the iTSec plugin 5.1.1 release.
Check on the plugin Dashboard page (System Information section) the build number is now 4038.
If so deactivate the current iTSec plugin release (5.1.1)
Then use FTP to delete the better-wp-security folder. DO NOT DELETE the plugin FROM WordPress Dashboard.
Download and MANUALLY (using FTP) install the iTSec plugin 5.3.7 release.
Activate the iTSec plugin 5.3.7 release.
Check on the plugin Dashboard page (System Information section) the build number is now 4040.
If so from the WordPress Dashboard update to the iTSec plugin 5.6.0 release which will be offered as an update from wordpress.org
Activate the iTSec plugin 5.6.0 release.
Use phpMyAdmin and check the build number is now 4041.
Don’t know whether this will resolve your issue but it makes sense to make the database upgrade steps smaller. Good luck !
dwinden
If so it must be a web server issue and not an iTSec plugin issue.
Talk to your hosting provider.
dwinden
Try and ban an IP of a client you have access to and test whether access is forbidden to the site from that client.
Do verify the IP is added to the banned users section in the .htaccess file.
Also make sure you keep access to the site from a different client (IP).
If IP banning does not work properly it might be due to a web server configuration issue. Something you should probably discuss with your hosting provider.
It looks like the plugin is doing what it is supposed to.
dwinden
It does work properly. At least the 2 things we are discussing…
The link in the lockout email will take you to the page with the Active Lockouts widget in the sidebar. It’s only the ‘the lockouts page’ text in the email that needs to be updated in order for folks to be able to find the feature.
Some simple html formatting in the email would be nice too.
And as stated in the other topic traceip.net is functional again.
Anyway these are minor issues. They won’t affect the security of your site.
But keep in mind that any bug in the free version is also present in the Pro paid version since Pro = Free + 10 extra features.
That said the Pro release only displays 2 ads widgets in the sidebar (instead of 5 in the free version).
I guess your question is answered. If so please mark this topic as ‘resolved’.
dwinden
Ah I see. Thanks for the clarification.
Just realised my ‘workaround’ won’t actually work, so forget about that post.
No need for a workaround anyway as it seems traceip.net is working again !
dwinden
@russelcunning
The lockout email does need rewording.
There is no such thing as a lockouts page.
Although the link included in the lockout email does redirect to the correct Settings page (in 5.4.x or higher release).
You need to scroll down on the plugin Settings page till the Active Lockouts widget gets displayed in the sidebar (on the right side of your screen).
iThemes very conveniently positioned the Malware Scan and Active Lockouts widgets between some ads.
Nothing a few good code lines in the active theme functions.php file won’t fix 😉 No ads and only the Malware Scan and Active Lockouts widgets get displayed without having to scroll down.
dwinden
Not sure whether you are reacting to my post but email ?
No one mentioned anything about an email in this topic …
Also there is a difference between a solution and a workaround 😉
dwinden
@tazo todua
I think the Change Content Directory feature was never intended to be used to prevent a site from being recognized as a WordPress CMS.
However this feature does qualify as security by obscurity.
Also according to the text included with the Change Content Directory module:
By default, WordPress stores files for plugins, themes, and uploads in a directory called wp-content. Some older and less intelligent bots hard coded this directory in order to look for vulnerable files. Modern bots are intelligent enough to locate this folder programmatically, thus changing the Content Directory is no longer a recommended security step.
Finally, in the good old iTSec plugin UI interface (pre 5.2.0) whether the Change Content Directory feature was used or not wasn’t reflected at all in the Security Status (High, Medium, Low, Completed).
So you are probably right and this feature is the last one to implement or not at all. There are far more important security steps to implement.
dwinden
Finally triggered the third lockout which should result in a permanent ban.
However I’m still able to access the site !
Are you seeing my ip (starts with 82) listed in the Banned Hosts setting of the Banned Users module ?
But it is probably not in the .htaccess file …
If not, this is definitely a bug.
dwinden
Just triggered the second temporary lockout. Only took 1 404 …
Again waiting for the temp lockout to expire before my final attempt.
dwinden
Just triggered the first temporary lockout. Only took 7 404s so I think you have probably lowered the 404 Detection Error Threshold setting to 7 (from default 20).
Now I’ll just wait for the temp lockout to expire before my next attempt.
dwinden
Ah, right. Hmmm could be a (serious) bug.
As a test, is it ok if I try to ban my IP on your website ?
I’ll generate 20 404s within 5 minutes to trigger a lockout for my IP.
After 3 lockouts my IP should be banned.
You’ll only receive 3 emails: 2 temporary lockouts of my IP and 1 permanent ban of my IP.
dwinden
No I don’t think so.
Probably the Banned Users entries as displayed in the advanced Server Config Rules module do not match the iTSec plugin Banned Users entries in the .htaccess file.
If this is true it may be an indication that the plugin cannot write to the .htaccess file. If so it may be a permissions issue.
Is 91.200.12.11 the only IP missing in the .htaccess file ?
Is 91.200.12.11 listed as the last IP in the Ban Hosts setting ?
How many IPs are currently listed in the Ban Hosts setting ?
dwinden
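The check discussed in the replies above (verifying that a banned IP really is in the .htaccess file, and finding which Ban Hosts entries are missing from it) can be scripted. This is an added example, not part of the forum replies and not iTSec plugin code: the sample .htaccess content, its marker comments and the IPs are constructed, and the function names are hypothetical. It recognises only exact IPv4 entries in standard Apache `Deny from`, `Require not ip` and `SetEnvIf Remote_Addr` lines.

```python
import re
# Constructed sample .htaccess (not from the page or a real site); the
# "banned users" marker comments are hypothetical stand-ins.
SAMPLE_HTACCESS = r"""
# BEGIN banned users (constructed sample)
SetEnvIF REMOTE_ADDR "^203\.0\.113\.7$" DenyAccess
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not env DenyAccess
        Require not ip 198.51.100.23
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from env=DenyAccess
    Deny from 198.51.100.23
</IfModule>
# END banned users
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Apache 2.2 "Deny from ..." and Apache 2.4 "Require not ip ..." lines.
DIRECTIVE = re.compile(r"^\s*(?:Deny\s+from|Require\s+not\s+ip)\s+(.+)$", re.I)
# SetEnvIf on the client address, whose pattern is an escaped IP regex.
SETENVIF = re.compile(r'^\s*SetEnvIf\s+Remote_Addr\s+"?\^?([^"$\s]+)', re.I)

def blocked_ips(htaccess_text):
    """Return the exact IPv4 addresses that the rules deny (no CIDR/wildcards)."""
    found = set()
    for line in htaccess_text.splitlines():
        if line.lstrip().startswith("#"):      # commented-out rules do nothing
            continue
        m = DIRECTIVE.match(line)
        if m:
            found.update(re.findall(rf"(?<![\d.]){IPV4}(?![\d./])", m.group(1)))
            continue
        m = SETENVIF.match(line)
        if m:
            candidate = m.group(1).replace("\\.", ".")
            if re.fullmatch(IPV4, candidate):
                found.add(candidate)
    return found

def missing_from_htaccess(ban_hosts, htaccess_text):
    """List Ban Hosts entries that have no matching rule in the file."""
    enforced = blocked_ips(htaccess_text)
    return [ip.strip() for ip in ban_hosts if ip.strip() not in enforced]
```

An entry that is listed in the Ban Hosts setting but reported as missing here means the rule was never written to the file, which is the situation the reply above attributes to a possible permissions issue.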