[Plugin: Better WP Security] Suggestion

Cool, I propose to make this a generic “suggestions” thread.

Here’s my suggestion: add an option to deny requests to ‘readme.txt’ in all directories. I have been hammered by scanbots that are trying to figure out which plugins I have by scanning readme.txt files. Those files don’t need world readable permissions anyway.

@voidzero I like the generic suggestions idea and have posted it as sticky.

@bigwhitedog what is the issue with Windows Servers?

I like Viodzero’s idea as well.

My issue (and Windoz haters, I know, I know, It’s what I got for now ok?) is that there was nothing in the plug-in description that said that a large number of the functions/changes needed would not work on Windows running IIS even if Apache is on the server. I now have to find a PHP code-mech that I can trust to go through and fix what this plug in couldn’t.

What could be fixed/changed works great and has helped us blunt the attack(s) we are under.

@bigwhitedog

That’s a tough one as I simply don’t have any window’s servers to test on. My guess is the issue is with a few path variables (I will look at trying to find them all) but I simply can’t be certain…

i would like an option that turn on XMLRPC posting when logged into the site and turns it off when logging out of the site.

+ if a user has already changed the prefix of the database during the install then grey out the option

Hi, I can’t figure out how to search the forum so I apologize if this has already be proposed.

I’m not sure if it’s possible but it would be hugely useful to disable file change detection when an administrator updates a plugin from the dashboard.

Thanks!

The following message appears within e-mails to inform a user if a file was changed or 404 was detected.
“Please review the report below to verify changes are not the result of a comprimise.”

I don’t think this message should be within the e-mail because there is no details within the e-mail or even an attachment.

Whether a 404 or a file change is detected, an e-mail is sent with the following message:

A file (or files) on your site at <i>web address</i> have been changed.

I’d suggest making the e-mail specific to whatever was detected. If it was a 404, it should say 404 and if it was a file change, it should say file change. When both are detected, they should both be listed within the same e-mail.

I’d like to suggest a way of backing up the BWPS settings. There are a great number of options which needs to be configured and although I could recover the entire WordPress database, recovering it just for the BWPS settings may cause issues.

HI.

I’d like to suggest an auto-ban by login username attempt.
E.g. if you have changed the admin user, auto-ban those triyng to login as “admin” or any othe rcustom name (e.g. the part of the web address string, commun words as “God”, etc….

Thanks for the great work!

I second mikii suggestion. If they are dumb enough to try admin, they should be immediately blocked.

@bit51, I think it would be very useful to see the username that was attempted in the list of IP’s locked out for bad log in attempts (logging page). Going one step further, it would be great to have a button next to each to automagically add the offending IP to the permanent ban list! Adding the IP’s manually is tedious.

Perhaps this option could also be offered next to the bad logins themselves. Then the ones that didn’t exceed the lockout threshold could also be blocked with a single click.

Given the number of these attempts it’s probably less than useful in the scheme of things, but it would at least make the admin feel better to know he’s done *something* to stop them! ??

Out of interest, does a long list of banned IP’s cause much of a performance hit?

if any file change then it shows in the log if we configure something in the detect page. I suppose there should be options (or link) in the log page, for every detection next to them, if we find that it is OK and no need to detect that particular file or directory any more then we just click the link and it is automatically got added in the detection setting to not to detect. It will be useful for the caching plugins and people who are not so techy like me.

It would be nice if the writer of the plugin actually visits his forum page… I would ask a question but unless there is some hope of seeing answers from the developer then what is the use?