Forum Replies Created

Viewing 15 replies - 1 through 15 (of 24 total)
  • Can you try creating just a basic HTML page, with just hello in body, nothing special in headers, to see if that loads quickly? Start with the basics. If it does load quickly, perhaps something 3rd party is improperly configured/installed, or something on server delayed with calls from one app interface to front-end.

    Hope that helps…

    Thread Starter tamramc

    (@tamramc)

    there is a workaround – using custom fields with any theme, and setting sidebars option to 0 value. same issue exists with WordPress Twenty Twentyone theme, even though it has no sidebars, custom fields will allow other theme options to be disabled.
    but to avoid conflicts in general with themes, I’d think the theme option should be consistent with Add/Edit Job page, as it is with Posts and [jobs], [jobs_dashboard], and [submit_job_form]

    thanks.

    Thread Starter tamramc

    (@tamramc)

    Thanks @lcf. I’ve been blocking IP addresses since 2004. These persons are getting more and more persistent. I’ve gone as far as blocking entire hacker haven countries, countries that none of us do any business with, but are locations of persons persistently running scripts.

    I’ve blocked wp-login.php file — restricted access to fingerprint only.
    I’ve blocked wp-admin — restricted access to specific IPs only.
    I’ve set correct file permissions — to allow just the plugins use from lawful front end interface.

    Nothing seems to deter these persons, hijack my elderly uncle’s historic US Navy website, which is just a text only site.

    And these persons are doing this all while being watched and reported to FBI immediately, because each of their attempts are recorded and submitted to law enforcement. At some point, they’re going to be caught.

    The concern is, what exactly are they trying to do w/ these scripts, and if WordPress or other site owners are aware, because in the past week, is the first time I’ve seen these particular scripts.

    1. [siteurl]/register/%7B%7B=+data.profileurl+/

    2. /{{=

    Luckily, they’re being denied at the gate, but for sites that do not have all of the blocking options we’ve set up, it’s scary to think what the results could be.

    FTP user does not have permission to view files.

    Error establishing a database connection is typically because of incorrect database name, username and/or password w/in wp-config.php, or incorrect location of database (e.g., localhost versus an actual IP address)

    I don’t know how files were uploaded, but if files were uploaded as root user, but files are in a directory belonging to a specific user, you need to chown (change owner of files) to correct user.

    I hope that helps. But definitely it’s a restriction issue.

    Thread Starter tamramc

    (@tamramc)

    No problem: but I don’t know if you’re using Apache’s latest version 2.4 vs older version.

    If you have block options set w/in .htaccess file, you’ll need to change permissions so that authorized admin options aren’t blocked.

    but what worked for me, which generated a “Great Job!” success from Tools – Site Health

    <Files .htaccess>
    Require all denied
    </Files>

    Require all denied
    # note: this is your IP address; repeat this line for each IP required
    Require ip xxx.xxx.xxx.xxx
    Require local

    ErrorDocument 400 /error_document_location
    ErrorDocument 401 /error_document_location
    ErrorDocument 403 /error_document_location
    ErrorDocument 413 /error_document_location
    ErrorDocument 404 /error_document_location
    ErrorDocument 500 /error_document_location

    Thread Starter tamramc

    (@tamramc)

    Per this network admin from 185.220.70.155, with XML-RPC disabled, as well as all security tweaks set as recommended, and even .htaccess require all denied, he was able to access XML-RPC using Insomnia REST Client. It started from this hacking source 185.86.231.10. I noticed that file permissions were set to 744 — meaning read accessible, however, .htaccess again, set to require all denied.

    • This reply was modified 4 years, 7 months ago by tamramc. Reason: clarity after typing w/o concentration ;-)
    Thread Starter tamramc

    (@tamramc)

    oooh my bad, thought I made link public, which is usually first thing done. it is now. sorry about that.

    I’m not seeing invisible info, but I just saw on my Smart TV, that USER IDs are displayed instead of the usernames, the same thing hackers tend to look for, ironically to obtain usernames for password guess scripts.

    the user ID along w/ username are displayed next to each post.

    it has to be an API issue. In my case using LG w/ linux os.

    I guess word of advice: don’t use smart browsers for anything sensitive, as they’re not safe at all

    • This reply was modified 4 years, 9 months ago by tamramc.
    Thread Starter tamramc

    (@tamramc)

    to clarify: the [client IP] is the actual server IP address (one server, multiple hosts/domains)

    [Sun May 17 23:48:33.892427 2020] [authz_core:error] [pid 23750] [client xxx.xxx.xxx.xx:35674] AH01630: client denied by server configuration: ./wp-content/plugins/defender-security/languages/wpdef-default.pot, referer: https://[domain-info]/wp-content/plugins/defender-security/languages/wpdef-default.pot

    the referer url was the site’s path to your plugin on the same host. the url was also not https://, which is correct because of SSL

    while making sure loopback and background updates functioned, happened to notice the error, which appeared several times throughout the day.

    • This reply was modified 4 years, 9 months ago by tamramc.
    Thread Starter tamramc

    (@tamramc)

    sorry, I’m just seeing these messages because the issue has been resolved. but the original topic contained the server’s ERROR LOG entry with your info. the IP masked, yup, it’s the server’s address, same local host as site.

    but possibly related to what was blocking your plugin: deprecated htaccess containers and directives which was not compatible w/ Apache 2.4. Site Health was reporting that background updates weren’t working and loopback was disabled.

    once I changed htaccess from Limit container to simply Require from local, while all else was blocked, all was fine. gonna be a lotta unhappy folks, because of their security required to secure financial and personal info on WordPress. certain security directives could prevent functionality, as what was working fine one or two releases ago, now fails, until htaccess options are changed.
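
Added example (not part of the original posts and not code from WordPress or any plugin): a small Python check for the situation described above, where Apache 2.2-style access directives in .htaccess no longer behave as intended on Apache 2.4. The function names, the sample .htaccess text and the address 203.0.113.7 are constructed for illustration.

```python
import re

# Apache 2.2 access directives; on 2.4 they only work through mod_access_compat.
LEGACY = re.compile(r"^\s*(Order|Allow|Deny|Satisfy)\b\s*(.*)$", re.IGNORECASE)
IP = re.compile(r"^(\d+(\.\d+){0,3}|[0-9a-fA-F:.]*:[0-9a-fA-F:.]*)(/[\d.]+)?$")

# Constructed sample (not from the forum post); 203.0.113.7 is a documentation address.
SAMPLE = """\
# Apache 2.2 style block
<Limit GET POST>
Order deny,allow
Deny from all
Allow from 203.0.113.7 localhost
</Limit>
<Files .htaccess>
Require all denied
</Files>
"""

def suggest(directive, args):
    """Map one legacy line to its closest 2.4 Require lines (empty list if none)."""
    m = re.match(r"from\s+(.+)", args, re.IGNORECASE)
    if directive.lower() not in ("allow", "deny") or not m:
        return []  # Order/Satisfy: 2.4 expresses these with <RequireAny>/<RequireAll>
    allow = directive.lower() == "allow"
    out = []
    for target in m.group(1).split():
        t = target.lower()
        if t == "all":
            out.append("Require all granted" if allow else "Require all denied")
        elif allow and t in ("localhost", "127.0.0.1", "::1"):
            out.append("Require local")
        elif t.startswith("env="):
            out.append(f"Require {'' if allow else 'not '}env {target[4:]}")
        else:
            kind = "ip" if IP.match(target) else "host"
            out.append(f"Require {'' if allow else 'not '}{kind} {target}")
    return out

def scan_htaccess(text):
    """Return (line_no, legacy_line, suggestions) for every legacy directive found."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = LEGACY.match(line)  # comment lines start with '#', so they never match
        if m:
            findings.append((no, line.strip(), suggest(m.group(1), m.group(2))))
    return findings

if __name__ == "__main__":
    for no, line, fix in scan_htaccess(SAMPLE):
        print(f"line {no}: {line!r} -> {fix or 'restructure with RequireAny/RequireAll'}")
```

Suggestions are produced per line; how the Allow and Deny lines combine under Order still has to be reviewed by hand before the old block is replaced.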

    Thread Starter tamramc

    (@tamramc)

    oh and stay safe you guys, and thanks for the quick response.

    and I forgot to mention, the IP denied was the actual host IP, not a general IP. which is why I created this topic. I figured “Require local” should be enough, as host should match local environment.

    Require local or Require host hostname is required for WordPress to read wp-admin, if certain security is set in htaccess. But all other plugins were working fine, except Defender and another plugin (resolved before topic) using 2.4 authz_core syntax requirements.

    but, hey I’m in pajamas and just woke up, ask me what day it is in NYC right now, and that’ll give you an idea of memory right now LOLLLL

    • This reply was modified 4 years, 9 months ago by tamramc.
    • This reply was modified 4 years, 9 months ago by tamramc. Reason: clarity formatting
    Thread Starter tamramc

    (@tamramc)

    ooooh the irony: you stopped by w/in the 15-minutes that I was playing around w/ redirect from host, versus redirect normally in htaccess. then I disabled 301 Redirect from host because of inconsistent results.

    WordPress only gives one site URL option www or non-www. with an SSL certificate, if someone enters just domain-name .com vs. https://www.domain-name .com, “unsafe errors” will occur.

    but I updated to your plugin’s latest version, I have not seen server error yet. will let you know, and mark this as resolved.

    thanks again.

    • This reply was modified 4 years, 9 months ago by tamramc.
    Thread Starter tamramc

    (@tamramc)

    prompted upon login to update, that fixed problem. WHEW!!! I should have made screen shots to show what was happening before. but upgrading now to pro. thanks again, and stay safe.

    Thread Starter tamramc

    (@tamramc)

    I’ll try deleting again, and reinstall, but if new settings are hardcoded in database, same environment will exist. will let you know what happens.

    Thread Starter tamramc

    (@tamramc)

    thanks, I understand how the software works — Administrator option was set – and nothing changed, and stats were visible for 2-weeks since install. and again, all was fine until, prompted to update to latest version yesterday which I did. for evaluation for referrals for advertising, I view your app daily, and it’s awesome. so kind of evaluating your product too as I always pay for Pro versions of software can’t live w/o. it’s a great tool, which is very easy and straight forward, w/o all the nonsense info that you don’t need.

    app is listed in active plugins installed but not visible in sidemenu at all. I thought because at bottom, do I have to scroll down more? nope, only option now: “Collapse Menu”.

    what I’m not understanding is why app disappeared altogether? as if it doesn’t exist.
