• Host migrated to new servers recently. Couldn’t access my wp-admin after my server was done (this w/ old version of the plugin). They sent me this email after doing some work:

    We’ve corrected the .htaccess file in the ‘wp-admin/’ directory. It appears you had some references to disable the mod_security engine for this directory and we recently upgraded our servers to mod_sec2 so these directives no longer work properly. I’ve commented them out and the login page is now loading properly.

    Then I had to deactivate the plugin later for some reason and got a 404 error on every site page but my main page. I could still access my admin panel just fine.

    Put my site into maintenance and phoned tech support. I think they essentially tweaked/reversed what the others did. Upgraded the plugin, re-activated, and failed the test in a number of spots.

    Took a couple screenshots and am sending these over to tech support. I hope to hear back on why the server doesn’t work with the plugin and if so, I’ll report back here… by the way, I use HostGator.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter beernews

    (@beernews)

    These are not severe security issues.
    In fact, none of them are security problems at all, unless you are paranoid about having a standard .htpasswd file, as opposed to crypt() or md5() formatted .htpasswd file.

    So, to answer your question, you should not be worried about these.
    The reason your plugin will not work is because of the lack of HTTP Digest Authentication.

    ————————-

    Looks like I’m done with this plugin :\

    For anyone who wants to still block directories with images, etc., I recommend using Apache’s code in your WordPress home directory .htaccess file (put it anywhere outside of the hash tags ### in that file).

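    # Deny direct requests for .php, .html, .htm and .txt files under /wp-content/,
    # except files whose names end in flexible-upload-wp25js.php or media.php.
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
    RewriteCond %{REQUEST_FILENAME} !^.+(flexible-upload-wp25js|media)\.php$
    RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
    RewriteRule .* - [F,NS,L]
    # Deny direct requests for .php files under /wp-includes/,
    # except those at least one directory below /wp-includes/js/.
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
    RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
    RewriteCond %{REQUEST_FILENAME} ^.+\.php$
    RewriteRule .* - [F,NS,L]
    # Turn off automatic directory listings.
    Options -Indexes
    DirectoryIndex index.html index.php /index.php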
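
Added example, not part of the original posts: a Python sketch that replays the conditions of the two rule sets above against constructed request lines, so you can see which paths they would answer with 403 before deploying them. The `docroot` value and the mapping of `REQUEST_FILENAME` to docroot plus URL path are assumptions, and the `[NS]` subrequest flag is not modelled.

```python
import re

# Conditions copied from the rules in the post above:
# (server variable, pattern, negated with "!", [NC] flag).
# Every condition in a set must hold for the [F] rule to fire.
WP_CONTENT = [
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /wp-content/.*$", False, True),
    ("REQUEST_FILENAME", r"^.+(flexible-upload-wp25js|media)\.php$", True, False),
    ("REQUEST_FILENAME", r"^.+\.(php|html|htm|txt)$", False, False),
]
WP_INCLUDES = [
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /wp-includes/.*$", False, True),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/", True, True),
    ("REQUEST_FILENAME", r"^.+\.php$", False, False),
]


def cond_holds(env, cond):
    """Evaluate one RewriteCond against the emulated server variables."""
    var, pattern, negated, nocase = cond
    hit = re.search(pattern, env[var], re.I if nocase else 0) is not None
    return hit != negated


def is_forbidden(request_line, docroot="/var/www/html"):
    """Return True if either rule set would answer the request with 403."""
    _method, target, _proto = request_line.split(" ", 2)
    # Assumption: REQUEST_FILENAME is docroot + URL path, query string dropped.
    env = {
        "THE_REQUEST": request_line,
        "REQUEST_FILENAME": docroot + target.split("?", 1)[0],
    }
    return any(all(cond_holds(env, c) for c in rules)
               for rules in (WP_CONTENT, WP_INCLUDES))


# Constructed request lines, not taken from any real log.
SAMPLES = [
    "GET /wp-content/plugins/foo/readme.txt HTTP/1.1",
    "GET /wp-content/uploads/2008/11/photo.jpg HTTP/1.1",
    "GET /wp-content/plugins/foo/media.php HTTP/1.1",
    "GET /wp-includes/functions.php HTTP/1.1",
    "GET /wp-includes/js/tinymce/tiny_mce_config.php HTTP/1.1",
    "GET /wp-content/themes/x/style.css?ver=1.txt HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("403" if is_forbidden(line) else "ok ", line)
```

The last sample shows why the extension check is made on `REQUEST_FILENAME` rather than `THE_REQUEST`: the query string is part of the request line but not of the mapped filename.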

    Thanks beernews.. nice.

    I’ve been working on a completely improved version on/off for about a month with the specific goal of finally ending all the little errors that can crop up when dealing with .htaccess.

    To that effect I am succeeding marvelously: first I’ve converted the plugin to a class (4+5 compat), I’ve replaced my error_handling with WordPress’s WP_Error class, and the coolest change is the new tests I’ve added.

    To make a long story short, I downloaded each major release of the Apache httpd source code, starting at version 1.3.0 and finishing with version 2.2.10. I then compiled each version and built an HTTPD from source for all 64 versions.

    Then I went through each version and determined the compatible modules for that version, and I’m pretty confident that I was also able to find each and every directive allowed by the compatible modules for that version (including core directives).

    Basically I can now test a server using a variety of methods and determine almost 100% accurately what version of Apache (down to the API) is running, what modules (and versions) are enabled, and each and every directive that is allowed or disallowed for that version.

    So this is so awesome because now we can enable all sorts of additional security features.

    Other big changes are:

    • Completely hands-off updates, so that updating the plugin keeps all your settings.
    • Making each SID module have its own configuration and options (like protecting individual files, individual requests, and custom exploit strings).
    • Advanced ErrorDocument usage and handling (like tracking repeat offenders and suggesting they be blocked, emailing admin with custom info, etc.)
    • Multi User/Group password Control

    And this time I am developing the plugin using a plethora of WordPress installations and configurations, to make sure that it will work regardless of a custom siteurl, blogid, etc.

    Release will come before 2009. I have some vacations to take and business to finish first.

  • The topic ‘[Plugin: AskApache Password Protect] Failed test results- sending off to host’ is closed to new replies.