Jun 04 2014

This All In One WP Security And Firewall Troubleshooting post helps you resolve some of the most common errors you run into and provides some troubleshooting tips.

Last Updated: September 4, 2019

Latest News: I updated the documentation.

Important: In some cases you might need extra support. Hiring their services will have a positive impact on your website, blog and business. Click on the following URL Premium Support For All In One WP Security Plugin. (This is optional)

All In One WP Security And Firewall Troubleshooting

This is a list of common questions asked in the wordpress.org support forum. I have created this list to help you troubleshoot your issues. If you can’t find an answer to your problem please log into the All In One WP Security And Firewall Support and ask for support. You will receive assistance as soon as possible.

Site Was Hacked

Even though a lot of effort has gone into developing this plugin to protect your site, sites might still get hacked. In that case the following URLs will help you. These are instructions provided by WordPress.org support staff.

Aside from the above two links you should also carry out the following to clean your site. ( Steps provided by wpsolutions)

  • Using cpanel file manager delete your wp-admin and wp-includes directories and then upload new versions from a fresh zip file of your WordPress core version.
  • Delete all plugins and re-install fresh new versions. Also do not use old zip files you have on your computer or server. Always get new plugins directly from wordpress.org or from the developer who wrote them. (Same goes for your theme)
  • Also go through your root directory and replace all wp core files with new versions and delete any unknown files. Check your wp-config.php file for any suspicious code.
  • Go through all other wp directories such as uploads etc…and check to see if any suspicious php files are there. (eg, uploads directories should mostly have media files and not php files)
  • Examine all of your server directories which reside outside of your WordPress installation and look for php files.

The above should help you get your site up and running and clean from any viruses.
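The check on the uploads directory from the steps above can be scripted. The following is an added example, not code from the plugin or from wpsolutions; find_executable_uploads() is a hypothetical helper, and it goes slightly beyond the step by also matching .phtml, .phar and double extensions such as logo.php.png.

```php
<?php
// Added example, not part of the plugin. find_executable_uploads() is a
// hypothetical helper name.

/**
 * Return paths under $dir whose names would let a web server run them as PHP.
 * Catches .php, .php5, .phtml, .phar and double extensions such as logo.php.png.
 */
function find_executable_uploads( $dir ) {
	if ( ! is_dir( $dir ) ) {
		return array();
	}
	$hits  = array();
	$files = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $files as $file ) {
		if ( ! $file->isFile() ) {
			continue;
		}
		if ( preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $file->getFilename() ) ) {
			$hits[] = $file->getPathname();
		}
	}
	sort( $hits );
	return $hits;
}

// Constructed demo tree so the script runs anywhere. On a real site pass the
// path to wp-content/uploads as the first command-line argument instead.
if ( isset( $argv[1] ) ) {
	$root = $argv[1];
} else {
	$root = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
	mkdir( $root . '/2019/09', 0700, true );
	foreach ( array( 'photo.jpg', 'cache.php', 'logo.php.png', 'notes.txt' ) as $name ) {
		file_put_contents( $root . '/2019/09/' . $name, '' );
	}
}

// Each hit is a file to open and review, not proof of compromise.
foreach ( find_executable_uploads( $root ) as $path ) {
	echo $path, PHP_EOL;
}
```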

Delete or Deactivate Plugin Solutions

Q1 ) What happens if I deactivate the plugin? Will I lose all my settings?

Answer: No, you will not lose any settings upon deactivating AIOWPS – meaning you won’t need to re-configure the plugin again after you activate it again.

The plugin has built into it the intelligence to remove the security .htaccess rules when you deactivate it but it will still remember these settings when you re-activate the plugin, and as pointed out above, it will give you the choice to re-insert these rules back into the .htaccess file.

( Solution quoted by wpsolutions)

When you re-enable the plugin you will see the following message. Say yes to re-insert the rules you previously had set up in the plugin.

Would you like All In One WP Security & Firewall to re-insert the security rules in your .htaccess file which were cleared when you deactivated the plugin?

==================================

Q2 ) How do I completely delete the plugin?

Answer: Follow the instructions below.

– FTP to your host and delete the plugin’s folder. Although this is normally carried out when you deactivate and delete the plugin as the website administrator.

– FTP the .htaccess file from your site to your computer and edit it. Remove all the code between and including the tags shown below, then upload the .htaccess file back into the same location you downloaded it from via FTP:

# BEGIN All In One WP Security
# END All In One WP Security

– Log into phpMyAdmin and locate the database for the website you are working on. Look for any table with aiowps in its name and delete those tables. There should be 6 tables associated with this plugin, in addition to the options settings. There will also be other entries for transients and plugin version etc. The following is a list of tables and entries found in the database; only the six tables whose names contain aiowps belong to the plugin.

Note: You might like to check the following URL Remove All In One WP Security Database Tables to learn how to search for the plugins tables in your database.

| aiowps_events |
| aiowps_failed_logins |
| aiowps_global_meta |
| aiowps_login_activity |
| aiowps_login_lockdown |
| aiowps_permanent_block |
| commentmeta |
| comments |

– There are other aiowps settings saved in the WordPress “options” table, under the option name “aio_wp_security_configs”. You should also delete the “aio_wp_security_configs” row in the options table.

The above steps will delete the plugin completely from your database and allow you to start from scratch.

==================================

Q3 ) What if you want access to your site and only want to reset the plugin?

Answer: Check the following tutorial How To Reset AIOWPS Plugin.


Conflict With Plugins

Q1 ) There is a conflict with LoginPress plugin.

Answer: There was a problem in the following file “wp-security-wp-loaded-task.php line # 60”. It was causing issues.  The solution was to add the following code in the theme’s functions.php file.

==================================

Q2 ) There is a conflict with Theme My Login plugin.

Answer: The Theme My Login developer reached out and provided a solution. Please check the following support thread for a solution.


Conflict With Themes

Q1 ) If you ever have a redirect issue when someone gets locked out because of spamming, try the following solution. You can read more about the issue from the following forum post.

Solution 1: Can you try adding the following code to your theme’s functions.php file:

// Runs on the plugin's aiowps_wp_loaded_tasks_end hook and unhooks its
// aiowps_login_init handler from login_init.
add_action('aiowps_wp_loaded_tasks_end', 'remove_aiowps_loaded_actions');
function remove_aiowps_loaded_actions($AIOWPSecurity_WP_Loaded_Tasks){
    remove_action( 'login_init', array( $AIOWPSecurity_WP_Loaded_Tasks, 'aiowps_login_init' ));
}

Brute Force Feature Solutions

Q1 ) What are the main differences between Rename Login Page VS Cookie Based Brute Force Prevention?

Answer One: Underneath they are very different. One uses a cookie, the other one doesn’t. They can’t both be enabled at the same time because they will conflict. I would recommend that you try the “rename login page” option first. (Answer provided by mra13)

Answer Two: The cookie based feature does its defending at the .htaccess level (e.g., Apache) and the rename login feature stops people at the PHP level. (Answer provided by wpsolutions)

==================================

Q2 ) Brute force cookie URL: can’t log out?

Solution One: The cookie may have either expired or you may have inadvertently removed it via the browser settings somehow.

Anyway, if you ever see such an issue again all you need to do is just type in your secret word URL to refresh the cookie and you should be good to go. ( Solution quoted by wpsolutions)


Translation Solutions

Q1 ) What are the correct file names for your translated files?

Answer: Always name your .mo and .po files correctly. See the following Spanish Language Example:

  • all-in-one-wp-security-and-firewall-es_ES.po
  • all-in-one-wp-security-and-firewall-es_ES.mo

Make sure you add the files in the correct folder, “all-in-one-wp-security/languages/”.

Note: The plugin languages are now coming from the following URL plugin translation page. So if you wish to translate the plugin into your language please click on the above link.


Windows IIS Solutions

Q1 ) Does it work with IIS servers?

Solution One: All features except those involving .htaccess rules should work OK on IIS.

AIOWPS currently only supports Apache-type servers for the features which need to write .htaccess directives, e.g., Firewall features, Blacklist feature etc.

Q2 ) How do I set up Pingback Protection: under Firewall -> Basic Firewall Rules when hosted on a Windows Server IIS (IIS 7.5 & Plesk 11)?

Solution One: Below is the IIS equivalent to the apache .htaccess rules for denying access to xmlrpc.php. ( Solution quoted by wpsolutions)

<security>
  <requestFiltering>
    <denyUrlSequences>
      <add sequence="xmlrpc.php" />
    </denyUrlSequences>
  </requestFiltering>
</security>

Log File Solutions

Q1 ) My log files are getting too big, how do I fix this?

Answer One: Just turn off the debug setting and no more logs will be produced. (Go to WP Security -> Settings -> General Settings tab.)

==================================

Q2 ) I am getting repeated lockout notifications yet both logs are empty?

Solution: The lockouts won’t be shown in the log files. They are displayed in the Dashboard -> Locked IP Addresses tab.

Also regarding log files, make sure that you have debug enabled – go to Settings and scroll to bottom of page and check the “Enable Debug” box and save debug settings.

(Solution provided by wpsolutions.)


WordPress Multi-site Solutions

Q1 ) I have a WordPress Multi-site (WPMS) install. I do not see some of the menus of this plugin on my sub-sites. Why is that?

Answer: For multi-site installations there is a single .htaccess file which applies to all your sub-sites. So some of the security features only need to be enabled on your MAIN site. The sub-sites won’t show you the menus for these features. You can configure those settings from the main site of your WPMS install. For example the Firewall rules menu is only accessible from the main site. (Tips and Tricks Solution)

==================================

Q2 ) How do I set up Brute Force feature in a WordPress Multi-site (WPMS) set up?

Answer: Click on the following URL WordPress Multisite Managing AIOWPS Plugin Single Site.


Nginx Solutions

Q1 ) Changing login url breaks lost password url in Nginx. How do I fix this issue?

Answer: Someone in the forum provided a solution to this problem. Please click on the following URL Changing login url breaks lost password url.

==================================

Q2 ) How can I disable xmlrpc via the firewall rules in Nginx servers?

Answer: Check the following support thread in the forum.

==================================

Q3 ) Are the following features compatible with Nginx servers?

Both features are listed under the “Brute Force” tab.

  1. “Rename Login Page”
  2. “Enable IP Whitelisting”

Answer: The “Rename Login Page” is independent of the type of webserver because it works at the PHP level and is thus compatible with Nginx.

However the “Login whitelist” feature uses Apache directives to protect the login page and at this stage it is not compatible with Nginx. Check the following forum support thread.


Database Tables Information And Solutions

Q1 ) I want to clean my AIOWPS tables which are getting quite large (especially global_meta). What is the best option to carry out?

(Solution provided by wpsolutions in the forum)

Solution 1: The plugin has code which will periodically check the tables created by aiowps and it will clean up any table which has more than 5000 rows, i.e., the code will delete the oldest rows and keep the newest 5000. The “5000” rows is set as a default in the code but I have also added filters for this to allow you to be able to set your own value.

The filters can be found in the wp-security-backup.php file in the function called aiowps_scheduled_db_cleanup_handler.

The cleanup process is triggered once daily using the inbuilt WordPress “wp_schedule_event”.
One way to trigger the cleanup process immediately is to deactivate and activate the aiowps plugin which should kick off the scheduled event.

Solution 2: To use the filters you should not edit any of this plugin’s files but instead you will need to add some code to your theme’s functions.php file.
For example:

add_filter( 'aiowps_max_rows_event_table', 'change_table_rows_remaining', 10, 1 );
add_filter( 'aiowps_max_rows_failed_logins_table', 'change_table_rows_remaining', 10, 1 );
add_filter( 'aiowps_max_rows_login_attempts_table', 'change_table_rows_remaining', 10, 1 );
add_filter( 'aiowps_max_rows_global_meta_table', 'change_table_rows_remaining', 10, 1 );

function change_table_rows_remaining( $rows ) {
	return '1000';
}

The above will set the maximum number of rows to keep for all of the tables to 1000.

==================================

Q2 ) Which features require aiowps_global_meta table?

Explanation One: The table stores the file change detection data and other miscellaneous things such as unlock request keys for cases when someone is using a woocommerce login page. (Answer provided by wpsolutions in the forum)


IP Address Solutions

Q1 ) When you enable the following feature Enable Login Lockdown Feature, you will see the following error message.

ERROR: Access from your IP address has been blocked for security reasons

Solution: Disable Enable Login Lockdown Feature.  Or check to see if your IP address has been locked.

==================================

Q2 ) My IP address has been blocked by the plugin, how do I unblock myself?

Solution One: What you can do is the following, rename the plugin folder via FTP to something like all-in-one-wp-security-and-firewall-temp. Then log into your website again. Rename the plugin folder back to its original name. Enable the plugin and go to Dashboard -> Locked IP Addresses and unlock your IP address.

Solution Two: If you can’t log in after trying the above solution please read the following thread Locked Out from the forum. This might help you get back into your site.

==================================

Q3 ) Is there anything outside of firewall rules that will also block IP address?

Solution One: Yes – the spam autoblock functionality does not use .htaccess firewall rules. It checks for IPs that are used to post comments which are marked as “spam” either by Akismet or manually by the admin of the site and if the same IP address has more than the allowed amount of “spam” comments, it will be blocked. (Solution provided by wpsolutions in the forum)

==================================

Q4 ) WP Security does not recognize external IP addresses. How can I fix this with the plugin?

Solution: The aiowps function which obtains the IP address uses $_SERVER['REMOTE_ADDR'].
In most cases the above global should be the best and least spoofable way to obtain the IP address but there are special cases where certain webservers have a more unusual setup. In that case the server might have some proxy or CDN in front of it and hence you may need to make an adjustment via your wp-config.php file.

One example that you could try is the following code entered in your wp-config.php:


if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) && preg_match( '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $_SERVER['HTTP_X_FORWARDED_FOR'] ) )
	$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];

However your hosting environment setup might be different, in that case you might need to experiment with the above code because your real IP address might be located in any of the following globals:
'HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED'

It is also a good idea to talk to your host support and explain your situation to them. They should be able to point you to which $_SERVER global the real IP address will be in. (Solution provided by wpsolutions in the forum)

You can read the solution from the following forum post. Others have also contributed other solutions as well.
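A stricter variant of the wp-config.php adjustment above, as an added example that is not the plugin's or wpsolutions' code: it accepts X-Forwarded-For only when the connection itself comes from a proxy you operate, because any client can send that header and the lockout and blacklist features act on the resulting address. TRUSTED_PROXIES, example_client_ip() and all addresses are assumptions for illustration.

```php
<?php
// Added example, not plugin code. TRUSTED_PROXIES and example_client_ip() are
// hypothetical names; 192.0.2.10 is a documentation address standing in for
// your own reverse proxy, load balancer or CDN edge.
const TRUSTED_PROXIES = array( '192.0.2.10' );

/**
 * Return the address a request should be attributed to.
 * The forwarded header is honoured only when the direct peer is a known proxy.
 */
function example_client_ip( array $server, array $trusted ) {
	$peer = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';

	// Unknown direct peer: the header is client-controlled, so ignore it.
	if ( ! in_array( $peer, $trusted, true ) ) {
		return $peer;
	}
	if ( empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
		return $peer;
	}

	// The header may be a list "client, proxy1, proxy2". Walk it from the
	// right and take the first hop that is not one of our own proxies;
	// anything further left was supplied by the client and is not trusted.
	$hops = array_reverse( array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) ) );
	foreach ( $hops as $hop ) {
		if ( false === filter_var( $hop, FILTER_VALIDATE_IP ) ) {
			return $peer; // Malformed entry: fall back to the peer address.
		}
		if ( ! in_array( $hop, $trusted, true ) ) {
			return $hop;
		}
	}
	return $peer;
}

// In wp-config.php, above the line that loads wp-settings.php, the call would be:
// $_SERVER['REMOTE_ADDR'] = example_client_ip( $_SERVER, TRUSTED_PROXIES );

// Constructed sample requests (documentation addresses, not real traffic).
$samples = array(
	'via proxy'              => array( 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7' ),
	'direct, header ignored' => array( 'REMOTE_ADDR' => '198.51.100.23', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7' ),
	'via proxy, padded list' => array( 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.1.1.1, 203.0.113.7' ),
);
foreach ( $samples as $label => $server ) {
	printf( "%-24s => %s\n", $label, example_client_ip( $server, TRUSTED_PROXIES ) );
}
```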

==================================

Q5 ) I am having issues with the Black list feature. I think it is not blocking the IP address I add. What can I do to test this feature?

Solution: To confirm if the blacklist feature works try using your IP address to block yourself temporarily.

1) Make sure you are logged into your server using FTP. This will be handy to unlock yourself if needed.

2) Log into WordPress admin panel and add your IP address to the blacklist settings.

3) Try accessing your site from a browser where you are not logged in.
You should be denied access. If not, then the apache directives are not working on your server.

(If things are working fine and you do get blocked, just FTP your .htaccess file from your server to your computer and edit that file and remove the part of the code which has your IP address and then FTP the file back to the server)

(Solution provided by wpsolutions.)


Miscellaneous Solutions

Q1 ) Every time I try to log into my site I get redirected. I receive the following error message. You don’t have permission to access /wp-login.php on this server. Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request. This causes a redirect to occur.

Solution: This usually happens if you enabled Login Whitelist feature under Brute Force. The IP address of the computer or laptop trying to access the site is not included in the list. You can either disable Login Whitelist or add the IP address to the list.

Remember: The IP address must be a static IP address.

==================================

Q2 ) I would like to understand how it is possible that all settings are being saved when deactivating or deleting the plugin?

Solution One: The aiowps settings are saved in the WordPress “options” table, under the option name “aio_wp_security_configs”.

When you deactivate this plugin those settings are still in the options table and are available for use next time you activate the plugin.
If you wanted to start your installation from scratch, you could always delete the “aio_wp_security_configs” row in the options table and then re-configure the plugin again. (Solution provided by wpsolutions in the forum)

==================================

Q3 ) How to implement the new filter “aiowps_ip_blocked_error_msg” added in version 4.1.0?

Solution One: Add the following function to your theme functions.php file. It is always best to use a child theme. Remember to replace ‘My custom error message!’ with your own message. (Solution by Chesio in the forum)

add_filter('aiowps_ip_blocked_error_msg', 'my_custom_message');
function my_custom_message($error_msg) {
    return 'My custom error message!';
}

==================================

Q4 ) All In One WP Security & Firewall is producing Error 403. You can not access the page or directory you want. How do I fix this issue?

Solution One: The http 403 forbidden error is most probably caused by one of the features which uses .htaccess directives. For example, the firewall rules or blacklist feature or the white list feature in the brute force menu.

If you want to quickly get back into your site you can edit your .htaccess file and remove all of the rules added by this plugin. ie, remove all code between and including the following tags:

# BEGIN All In One WP Security
# END All In One WP Security

Then when you log back into your site you can go into the various feature settings and disable them or change the configuration as needed. Alternatively you can go to the AIOWPS “Settings” menu and scroll to the bottom. Click the “Disable All Firewall Rules” button. This will clear all the firewall rules from your .htaccess file. (Solution quoted by wpsolutions)

==================================

Q5 ) The pages keep reloading over and over non-stop?

Answer: Turn off the text selection and copy protection option. It seems like that feature is not working well with the current theme you are using.  (Answer provided by mra13)

==================================

Q6 ) After installing the plugin I can’t regenerate thumbnails or crop images anymore?

Solution: This is probably due to the 5G firewall rule. You can disable that rule if you wish after you copy and paste the rules locally into Notepad on a Windows operating system. You can then optionally tweak the 5G rules by making some modifications. Then simply add your modified rules using the custom firewall rules feature.

==================================

Q7 ) I am receiving too many IP address lock outs, I think my pingback protection is not working correctly. What do I do?

Answer: Click on the following URL Pingback Protection Settings.

==================================

Q8 ) If the emailed attachment always turns up as an SQL file and not a ZIP file like all the others that means that your server is not configured correctly.

(The following was quoted by Chesio in the forum)

Database backup files are zipped only if there is ZIP extension enabled in PHP, so if you are getting plain sql files by email, most likely that website has this extension disabled.

You can find whether this extension is enabled in output of phpinfo or you can create a dummy PHP file with class_exists( 'ZipArchive' ) check – this is what actually AIOWPSF plugin does.

For example:

<?php
echo class_exists( 'ZipArchive' ) ? 'ZIP extension seems enabled' : 'ZIP extension seems disabled';

==================================

Q9 ) How do I prevent the WordPress default “lost your password” link from displaying when a user types the wrong password to log in?

Solution: Enable the “Show generic error message” option. This will replace the default WordPress message, which links to the backend to retrieve the password, with a text message without a link.

==================================

Q10 ) After enabling one of the Brute Force features I am still getting lots of attacks, how can I fix this issue?

Solution One: Check and see if you have the following enabled. Go to WP Security -> Firewall -> Basic Firewall Rules and locate “Enable Pingback Protection”.

==================================

Q11 ) What if you can’t log back into your website and you want to totally remove the plugin?

Answer: This is a YouTube video created by the developers to help you totally remove the plugin and all entries in the database without logging into your website.

==================================

Q12 ) The login lockout feature is locking users after only one failed attempt, regardless of how many failed attempts it’s set to require. How can I stop this from happening?

Answer: If you have the following checkbox enabled the plugin will lock that visitor out after the first attempt if username is non-existent: ( Solution quoted by wpsolutions)

==================================

Q13 ) I get a 404 error message when I activate the plugin? How can I fix this issue?

Answer: Please check the following forum post. This might help you with this issue.

==================================

Q14 ) I get “The plugin was unable to write to the .htaccess file” when I click on save button in “Save Basic Firewall Settings”. How can I fix this issue?

Server and plugins specs.

  • AIO – Filesystem Security : all green
  • Running on CentOS7 with CWP
  • Apache/2.4.34
  • PHP version 7.2.8
  • WP version 5.0
  • AIO Version 4.3.7.2

Answer: For a possible solution you need to check your server configuration settings. Please check the following forum post to learn more.


If the above does not work make sure that you try again the steps above but this time do not restore the htaccess file settings.

I will be updating this post from time to time. So keep coming back for the latest troubleshooting answers. If you have a question please send me an e-mail or leave a comment.

Enjoy.


Manuel Ballesta Ruiz is a web developer, Blogger and WordPress Enthusiast.

  8 Responses to “All In One WP Security And Firewall Troubleshooting”

  1. I’m running All-in-one wp security on a Mac (High Sierra) under Desktop Server localhost environment. In Filesystem Security I get a message that incorrectly says,

    “This plugin has detected that your site is running on a Windows server.
    This feature is not applicable for Windows server installations.”

    I do not have this problem anywhere else in this plugin’s set-up and cannot find a way around this message that will enable me to accurately scan file permissions. I very much appreciate any suggestions you may have for correcting this issue.

    Thanks very much,
    Jeffrey

    • Hi Jeffrey, that message is displayed because you are not running a linux system. For example if you carry out tests in a server running Apache or nginx then you would not see this message. That is because the plugin can make changes to the file permissions in the server. I use Xampp in my laptop running windows 10. I also get this message displayed as well. This is because the plugin cannot make changes to the file permissions in a Mac or Windows environment. You can still test the plugins functionality in a Mac system but you won’t be able to make changes to file permissions.

      I hope the above makes sense to you.

      Kind regards

  2. After installing the second site in a multisite system, images are not shown through the mapped domain on that second site. If I disable the All In One WP Security plugin, everything works perfectly.
    How do I set the plugin so that images show on subpages?

    Thank you best regards.

    David

    • Hi David, can you try the following test. Deactivate all Firewall Rules. Then carry out a test. Let me know what happens.

      Thank you

  3. “This plugin has detected that your site is running on a Windows server.”

    This is not correct, it is running on a Mac.

    So the plug-in is useless on a Mac?

    • Hi,

      Are you running Mamp server in your mac system? The plugin does work in a mac system. However the file permission system check does not work when you are running this plugin in windows or mac. The developers in the future might change the following notice “This plugin has detected that your site is running on a Windows or Mac server.”

      Let me know if you need more information.

      Kind regards

  4. Cannot access login page when aiowsf is active. Just shows the temporary page. If I rename in cpanel then I can access the wp login page. I have the rename login page disabled.
    Help anyone?

    • Hi Graham, did you enable the Rename Login Page feature under Brute Force tab by any chance? If you did, you must log in using the following example: yoursite.com/secretword. If you did not enable the aforementioned feature, do you see any error messages when you try to log in?

      Regards
