• I’ve used the ITSEC_DISABLE_MODULES constant several times in the past without issue. I follow standard procedure and put the following line near the top of the file in wp-config.php

    define( 'ITSEC_DISABLE_MODULES', true);

    I’ve noticed that this has not worked for a while. I’ve tried both local environment and production environment. It seems to have no effect whatsoever. I’ve tried disabling all other plugins and using the default twentytwentyone theme. I’ve tried moving the definition to different spots in wp-config.php. I wrote a function to check the constant in my theme and it shows it is defined and set to true, but iThemes continues to work as if nothing is changed and there is no notice displayed in the dashboard as there is supposed to be when this constant is set.

    Any idea what is going on?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Hi b2bdd,

    I’m afraid the latest (free) iTSec plugin 8.0.2 release is a little bit different than what we were all used to.

    According to the 8.0.0 release Changelog:

    Tweak: When the Global setting “Hide Security Menu in Admin Bar” is enabled, notices will no longer be printed on non-iThemes Security pages. Instead, you can access the Message Center from the Settings or Dashbaord toolbars.

    … and there is no notice displayed in the dashboard as there is supposed to be when this constant is set.

    I’ve performed a quick test and I can confirm there is no traditional WordPress Core notice displayed on any page. However the notice is available either under the Security menu in the Admin Bar (on any page), or (when the “Hide Security Menu in Admin Bar” setting is enabled) under the Dashboard and Settings pages, Notifications horizontal menu option.

    +++++ To prevent any confusion, I’m not iThemes +++++

    Thread Starter b2bdd

    (@b2bdd)

    Thanks for your efforts @nlpro , however this isn’t just a matter of the notification not showing up. All of the iThemes Security Modules continue to operate as normal when the constant is defined. There is no notice displayed on *any* page, inside or outside the iThemes dashboard.

    I should’ve clarified at the start though – I am using iThemes Security Pro v7.0.3 and WordPress v5.8.1, although I’ve noticed this issue for several months across different versions, and different websites as well.

    Ah, right. I only checked in the iTSec 8.0.2 release. And both, the notification and the functionality seems to be working as expected there.

    So now I’ll check the Pro 7.0.3 release ??

    Meanwhile try and enable the iTSec plugin Debug page (if not already) by adding the line below to the wp-config.php file:

    define('ITSEC_DEBUG', true);

    It’s also a nice testcase to see whether wp-config.php changes have the expected effect.

    The Debug page will also allow you to check for any constants set in the wp-config.php file as well as a list of active modules (unfortunately the ITSEC_DISABLE_MODULES constant has no effect on the list of active modules, perhaps a bug!).

    The Debug page is added as a new menu option under Security. So you can simply navigate to Security > Debug. Then check under System Info, the section:

    ### iThemes Security ###

    So after doing some tests with the 7.0.3 Pro release, I can still say that the notice(s) work as expected.

    BUT Two-Factor Authentication (I have the Email provider configured as primary) continues asking for an authentication code at login. So it looks like the ITSEC_DISABLE_MODULES constant has no effect on Two-Factor Authentication.

    So then I (disabled the constant and) added the ITSEC_DISABLE_TWO_FACTOR constant to the wp-config.php file. This time there is a two-factor specific notice available and no auth code is required on login.

    When you use the ITSEC_DISABLE_MODULES constant, are you then relying on it to disable all modules or is it a specific module (like Two-Factor Authentication) that you want to disable ?

    Another thing I noticed is that the WordPress Tweaks and System Tweaks modules are no longer affected by the ITSEC_DISABLE_MODULES constant. However this seems to be as designed since the 8.0.x/7.0.x (Free/Pro) release. Previously it was possible to enable/disable these 2 modules from the UI where WordPress Tweaks was of type “default-active” and System Tweaks was of type “default-inactive”. In the 8.0.x/7.0.x UI this is no longer the case. As of 8.0.x/7.0.x both modules have changed to type “always-active”.
    So it seems “always-active” type modules are unaffected by the ITSEC_DISABLE_MODULES constant.

    Only modules of type “default-active” or “default-inactive” (except the Hide Backend module which is of type “always-active” but nevertheless provides a checkbox in the UI for enabling/disabling the module) can be enabled/disabled from the UI and should be affected by the ITSEC_DISABLE_MODULES constant.

    So all in all it looks like things changed and got a little bit more complex in regards of using the ITSEC_DISABLE_MODULES constant.

    Hope the above makes any sense to you.

    Just wanted to add 3 additional notes to this topic:

    – To find what type of module a module is (in the latest Pro release) navigate to the wp-content/plugins/ithemes-security-pro/core/modules folder (or for the Free release wp-content/plugins/better-wp-security/core/modules). A file named module.json exists in every module subfolder which (amongst others) includes a “Status” property.

    – The ITSEC_DISABLE_MODULES constant has no effect whatsoever on the toggle switches in the UI. This is probably as designed.

    – In the Free 7.3.1/Pro 5.9.1 release the Hide Backend module was enhanced to disable when the ITSEC_DISABLE_MODULES constant is set in the wp-config.php file.

    Enhancement: When ITSEC_DISABLE_MODULES is set, prevent hide backend from running.

    scz

    (@splinarcz)

    Hi, I might be having a similar issue..

    Since the new version 8 a System Tweak “Disable Directory Browsing” is by default “always-active”.

    For some reason it’s not compatible with settings of my hosting provider and once this setting is on I get server error 500. On other hosting it works fine.

    The issue is I’m unable to install/use the new iTSec since it crushes the site immediately. I’ve tried to change the settings in /wp-content/plugins/better-wp-security/core/modules/system-tweaks/module.json to change the module status but to no good. The only way is changing .htaccess settings Options -Indexes but it keeps the UI checkbox on.

    Do you have any idea how to override the settings? Thanks

    @splinarcz

    I have an idea how to fix that but it’s probably best to open your own topic as per the forum guidelines. Expect an answer from me there ??

    +++++ To prevent any confusion, I’m not iThemes +++++

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘ITSEC_DISABLE_MODULES constant has no effect’ is closed to new replies.