SoftBlue

Thanks for the fix.

On my site (using Chrome), the above fix seems to result in a recursion within .htaccess that ultimately resolves with a browser reported error. This doesn’t work well for me because it is where I get dumped off to after doing site updates & maintenance.

Using the following I was able to change the location to the default page for my site:

RewriteRule .* https://mydomainname.com%{REQUEST_URL}? [R=301,L]

I’m not proficient with .htaccess & regular expressions, so there must be a more elegant solution. Please exercise caution and use the previously mentioned precautions.

Hopefully this will be fixed in an upcoming release of the plugin.

For those of us, and I expect we are legions, it would be nice if we could restrict access to admin from a list of IP addresses. I’m sure there are more pressing things on the agenda.

I seem to be getting hit by the loggedout=true hack. It appears from looking at .htaccess that it should not be difficult to protect against. My problem is the number of sites that I will need to step through.

Update:
The reason some Secret Key strings fail is because the .htaccess file filters query strings for common commands and code fragments which are used for code injection. URL queries including SQL and some other code injection attempts are filtered out before reaching the Hide Backend commands. Apparently, when the Secret Key string is created it is not checked to insure these are not inadvertently included in the Secret Key.

Having found the source of the problem and understanding its apparent cause has reafirrmed my trust in the Better WP Security plugin.

I agree. Information access for problem solving/research is painful. I’m looking for other information and thought I could help some here.

Your memory report has a conflict. Limit in wp-config v. the maximum you report. Take a further look at where you are getting your numbers and try to resolve. Not probably what will fix your immediate problem.

Based on your report, there is a memory issue which needs to be addressed. It is installed in a lot of other systems. Keep your options open that this might not be the problem.

Try de-activating your other plugins. Something is definitely wrong. Although reported in WBS not conclusive as source.

Try turning off some of the plugin features and see if this helps.

The hide login option is one that I am looking at. Currently it is OK for me.

It is frustrating. The potential for error exists. The potential for self-inflicted damage exists.

A file hash is a string that computed to uniquely identify the contents of a file. It is used to determine if the file has been changed. When the hash computed through examination of the file has changed, the file has changed.

The plugin should report all changes. Including those you make at its direction.

The idea is that if it tells you something changed that you didn’t touch you know you have a problem.

In this case, the plugin works as designed.

I deleted my .htaccess and recreated with permalinks/save.

I agree this is a good plugin. It is trying to do some complicated things. I expect not all possible things can be tested.

I’m testing the hide login and site change features. They have caused me trouble in the past, but seem to be working OK now.

In one of my tests it add further troubles with deactivate and re-activate. I ended up with lockout in admin pages. It seems like going with a scorched-earth full delete – full regression test without the plugin – then clean install is the way to go. That is what I’m doing with my site-by-site move to a new server.

The problem is that when you remove the plug-in it drops a couple of carrage returns onto the end of your config-wp.php file. PHP does not like this. There may not be ANY characters after the program terminator ( ?> ).

Open your config-wp.php and remove any extra invisible characters from the end of the file, and you should be good-to-go.

I have also noticed that the config-wp.php is set to read-only after plug-in removal. Need to change to fix your config-wp.php file.

Hope this helps.

BTW: I like the plug-in. I removed it to facilitate moving my sites to a new server.

To recreate your .htacess file (from nothing) just go to settings/permalinks and hit save.