Better WP Security 3.2.2

I’ve released a minor update to the Better WP Security plugin for WordPress. Version 3.2.2 fixes two problems: a 500 error when ban-users is enabled and the IP or agents lists are empty, and an error that logged bad logins and 404s even when those features were turned off.

Download Better WP Security

About Chris Wiegman

Chris is the owner of Bit51 where he blogs about web development and works on WordPress plugins such as Better WP Security. In addition Chris is a Senior Developer for Springbox in Austin, TX where he develops a host of solutions for clients large and small.

Discussion

  1. You’ve done great work since I last looked at this plugin, but the “basic” defaults can be really chaotic, resulting in users being logged out and the admin getting a ton of log and alert emails. There really needs to be a whitelist for admin IPs and an alternative address for the alerts, options to get them or not, or digests, etc.

    I’ve seen this problem in several different scenarios where a bad admin user experience tends to defeat the whole security purpose. I.e., slamming admins with too much file change and other security-related information to process in an email or single screen. I’m not sure what the exact solution is, but it has to involve a rigorous application of the “less is more” principle without letting people turn off or tune out of security notices.

  2. You’ve done great work since I last looked at this plugin, but the “basic” defaults can be really chaotic, resulting in users being logged out and the admin getting a ton of log and alert emails. There really needs to be a whitelist for admin IPs and an alternative address for the alerts.

    I’ve seen this problem in several different scenarios where a bad admin user experience tends to defeat the whole security purpose. I.e., slamming admins with too much file change and other security-related information. I’m not sure what the exact solution is, but it has to involve a rigorous application of the “less is more” principle without letting people turn off or tune out security notices.

  3. Thanks Mike,

    The problem with the admin IP is that for most folks it isn’t static. The plugin will not lock out someone who is logged in, but automatically whitelisting IP addresses for users who aren’t logged in can be dangerous for when that IP changes.

    As for the email, you’re both right. That is something that I will provide an option for in upcoming versions.

  4. Mike Koepke

    Chris,

    One question on Better Security. Does it implement the functionality of WordPress Firewall 2? I find that plugin is doing a decent job to block direct calls against php files. I know Better Security does roll in some of the capabilities of other plugins. I’m being lazy asking without poring through the code.

    Mike

  5. Mike Koepke

    Can you email me directly and I’ll send you a couple of hack attempts that Firewall 2 flagged?

  6. Chris, thanks for the great plug-in! I’ve been using it for some time. Since I updated to the newest release, my thumbnails in my front page have disappeared? I looked through the changelog and I can’t see anywhere that would possibly cause this. I haven’t added any more plug-ins since and when I turn off BWPS, it all goes back to normal.

  7. Dan,

    You’re right on the money with your analysis and it is a problem I am actively working on. Finding a usable balance between feature and function with a plugin like this is quite a challenge. That said, plan on seeing a continued evolution of the UI over the coming months as I try to make it more palatable to more people.

  8. Mike Koepke

    Chris,

    You might want to look at WordPress Firewall 2 settings page. They automatically add the IP of the admin account when the plugin is activated to an admin IP whitelist. This would help eliminate locking yourself out by intrusion detection kicking in.

    I agree with Dan that a separate alert email address would be ideal.

  9. Honestly Mike, I’m not sure. I haven’t used Firewall 2 since before I started this project….

  10. Nik, can you please submit this to the forums at http://forums.bit51.com? We’ll see if we can’t get to the bottom of it.

  11. Nik, looking at your site try turning off “Filter suspicious query strings” in System Tweaks and let me know if that fixes it. After looking at the images I’m more curious as to why they worked before the upgrade…
