• Resolved MrMattEastwood

    (@mrmatteastwood)


    Hey guys! This is just to let you know that the forceoff file doesn’t do anything when running Shield version 9.1.0.

    Steps to Reproduce:
    1. Enable security admin password in settings
    2. Log into webspace using FTP client (e.g. Filezilla)
    3. Create forceoff file in wp-content/plugins/wp-simple-firewall
    4. Log into WordPress and try to access Shield settings

    Current behaviour:
    When attempting to access Shield Security settings from WP’s dashboard with a forceoff file present in wp-content/plugins/wp-simple-firewall after having previously enabled Security Admin, the Security Admin feature is still enabled.

    Expected behaviour:
    The forceoff file should temporarily disable all Shield features so a user can go into the settings and make changes, e.g. reset Security Admin pin.

    Notes:
    – Issue encountered on https://www.erasmus-frankfurter-stadtschule.de/
    – Sending recovery e-mail did not work. I presume this is because of a misconfigured server, I’ve never worked with this hosting company before.
    – Issue occurs whether file is created on local PC and uploaded or created directly on webspace using FileZilla
    – Issue also occurs when setting “forceoff” file permissions from xxx to 644, which are the same permissions of the other files in the same directory
    – Shield seems to be completely unaware of the forceoff file’s presence, since there is no prompt in the Shield Settings UI offering the user to delete the file.
    – Renaming the plugin’s directory does disable the plugin altogether, but doesn’t give the user the capability of resetting the Security Admin pin.

    In my case, I was able to recover my Security Admin pin, so I’m back in. However, I would have been locked out completely had I not remembered the pin.

    I’m wondering if there is a way to change the Security Admin pin in the SQL database?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Paul

    (@paultgoodchild)

    Hi! Thank you for the very thorough feedback on this.

    We’re not seeing this behaviour anywhere else, other than this particular host you’ve described. It sounds like you’ve worked with Shield on other sites? If not, could you perhaps try it with another host?

    I suspect that this particular host configuration doesn’t allow PHP to correctly detect the presence of the file in the folder, for whatever reason. The myriad of terrible host configurations is mind-boggling – another one we’ve seen is where .json files can’t be read from disk using PHP.

    The process to detect the forceoff file uses a very simple filesystem iterator in PHP. If the file isn’t showing up, I can’t explain that, but it’s down to the particular hosting platform as to why a file on-disk doesn’t appear to PHP. And other than PHP, we have no other way to detect the presence of a file.

    Something to test out here is using a file like “forceoff.txt” or “forceoff.php”, as our file search is quite broad, allowing you to create a forceoff file with an extension and we’ll still find it.

    Regarding changing it using SQL, this can be done, but it’s not straightforward like normal WP options:

    1. Search for option key icwp_wpsf_admin_access_restriction_options within wp_options table.
    2. You’ll see a serialised array of options and values. Look for admin_access_key
    3. This will be followed by a 32-digit MD5 hash. Simply replace this hash with one where you know the source string. Use something like this.
    4. Save.

    Alternatively, you can use our WP-CLI integration, though this is only available on ShieldPRO.

    Hope this helps. Thanks again for reporting.
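
An added diagnostic for the detection problem discussed in the reply above; it is not part of the reply and is not Shield's code. It lists the plugin directory with a PHP filesystem iterator and reports what PHP can see. The matching rule (file name without extension equals "forceoff", any case), the function name `find_forceoff` and the default path are assumptions made for illustration.

```php
<?php
// Added diagnostic, not Shield's own detection code.
// Reports whether PHP itself can see a forceoff file in the given directory.
function find_forceoff(string $dir): array
{
    clearstatcache(); // drop cached stat results from any earlier checks
    $report = [
        'dir'          => $dir,
        'dir_readable' => is_dir($dir) && is_readable($dir),
        'open_basedir' => ini_get('open_basedir') ?: '(not set)',
        // UID the PHP process runs as, to compare with the file owner below.
        'php_uid'      => function_exists('posix_geteuid') ? posix_geteuid() : null,
        'entries_seen' => 0,
        'matches'      => [],
        'error'        => null,
    ];
    if (!$report['dir_readable']) {
        return $report;
    }
    try {
        foreach (new FilesystemIterator($dir, FilesystemIterator::SKIP_DOTS) as $entry) {
            $report['entries_seen']++;
            // Assumed rule: name without extension equals "forceoff", case-insensitive.
            $base = pathinfo($entry->getFilename(), PATHINFO_FILENAME);
            if ($entry->isFile() && strcasecmp($base, 'forceoff') === 0) {
                $report['matches'][] = [
                    'name'      => $entry->getFilename(),
                    'readable'  => $entry->isReadable(),
                    'perms'     => substr(sprintf('%o', $entry->getPerms()), -4),
                    'owner_uid' => $entry->getOwner(),
                ];
            }
        }
    } catch (UnexpectedValueException $e) {
        // Thrown when the directory cannot be opened for iteration.
        $report['error'] = $e->getMessage();
    }
    return $report;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
// Default path assumes the script sits in the WordPress root directory.
$dir = $argv[1] ?? __DIR__ . '/wp-content/plugins/wp-simple-firewall';
print_r(find_forceoff($dir));
```

If `entries_seen` is above zero but `matches` is empty while the FTP client shows the file, PHP and FTP are not looking at the same directory contents. Remove the script from the server once the check is done.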

    Thread Starter MrMattEastwood

    (@mrmatteastwood)

    Hey Paul, thanks to you for your quick and in-depth reply. You were right, this seems to be down to the hosting company indeed. I tried this on my own website at brandartery.com (host is SiteGround), and the forceoff file worked as it should.

    Good to know it’s the host (funny it didn’t occur to me even though I suspected them for the e-mails not being sent), and even better to know how to do this in SQL. Thanks!

    Plugin Author Paul

    (@paultgoodchild)

    No problem at all… glad you were able to confirm it was the host!

    What was the host, if you don’t mind me asking? Did changing the file name to something like forceoff.php make any difference?

    Thanks,
    Paul.

    Thread Starter MrMattEastwood

    (@mrmatteastwood)

    The hosting company was Host Europe (https://www.hosteurope.de/en/), and no, no difference when appending the extension .php to the file.

  • The topic ‘forceoff file doesn’t work in v9.1.0’ is closed to new replies.