All In One Security Troubleshooting post helps you resolve some of the most common errors you run into and provides some troubleshooting tips.
Last Updated: November 6, 2023
Latest News: Updated the documentation.
This is a list of common issues people have reported in wordpress.org support forum. I have created this list to help you troubleshoot some of the most common issues you might run into. If you can’t find an answer to your issue please click the following link All In One WP Security And Firewall Support and create a support ticket. Someone will assist you as soon as possible.
Important: In some cases you might need extra support. Hiring our premium services can help you further. Click on the following link Premium Support For All In One WP Security Plugin.
What you need:
All In One Security Troubleshooting
Site Was Hacked
Even though a lot of effort has gone into developing this plugin to protect your site, sites might still get hacked. In that case the following URLs will help you. These are instructions provided by WordPress org support staff.
Aside from the above two links you should also carry out the following to clean your site. ( Steps provided by wpsolutions)
- Using cpanel file manager delete your wp-admin and wp-includes directories and then upload new versions from a fresh zip file of your WordPress core version.
- Delete all plugins and re-install fresh new versions. Also do not use old zip files you have on your computer or server. Always get new plugins directly from wordpress.org or from the developer who wrote them. (Same goes for your theme)
- Also go through your root directory and replace all wp core files with new versions and delete any unknown files. Check your wp-config.php file for any suspicious code.
- Go through all other wp directories such as uploads etc…and check to see if any suspicious php files are there. (eg, uploads directories should mostly have media files and not php files)
- Examine all of your server directories which reside outside of your WordPress installation and look for php files.
The above should help you get your site up and running and clean from any viruses.
Conflict With Plugins
Q1 There is a conflict with LoginPress plugin.
Answer: There was a problem in the following file “wp-security-wp-loaded-task.php line # 60”. It was causing issues. The solution was to add the following code in the theme’s functions.php file.
==================================
Q2 There is a conflict with Theme My Login plugin.
Answer: The Theme My Login developer reached out and provided a solution. Please check the following support thread for a solution.
Conflict With Themes
Q1 If you ever have a redirect issue when someone gets locked out because of spamming. Try the following solution. You can read more about the issue from the following forum post.
Solution 1: Can you try adding the following code to your theme’s functions.php file:
add_action('aiowps_wp_loaded_tasks_end', 'remove_aiowps_loaded_actions');
function remove_aiowps_loaded_actions($AIOWPSecurity_WP_Loaded_Tasks){
remove_action( 'login_init', array( $AIOWPSecurity_WP_Loaded_Tasks, 'aiowps_login_init' ));
}
Sites not hosted in Apache servers
Important: Sites that are not hosted in Apache servers cannot activate the following features added to the .htaccess file.
- Firewall =- All rules
- Enable Brute Force Attack Prevention:
- Enable IP Whitelisting:
- Block Spambots From Posting Comments:
- Enable IP Whitelisting:
- Enable IP or User Agent Blacklisting:
- Prevent Access to WP Default Install Files:
Windows IIS Solutions
Q1 Does it work with IIS servers?
Solution One: All features except those involving .htaccess rules should work ok in an IIS server.
Q2 How do I set up Pingback Protection: under Firewall -> Basic Firewall Rules when hosted on a Windows Server IIS (IIS 7.5 & Plesk 11)?
Solution One: Below is the IIS equivalent to the apache .htaccess rules for denying access to xmlrpc.php. ( Solution quoted by wpsolutions)
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence="xmlrpc.php" />
</denyUrlSequences>
</requestFiltering>
</security>
Nginx Solutions
Q1 Changing login url breaks lost password url in Nginx. How do I fix this issue?
Answer: Someone in the forum provided a solution to this problem. Please click on the following URL Changing login url breaks lost password url.
===================
Q2 How do I fix the issue with permalink settings in nginx when using “Rename Login Page” feature?
Answer: The “Rename Login Page Feature” works perfectly if the “Permalink Setting” is set to “Plain” but if you change the permalink to “Post name” you get a 404 error message in Nginx. Nginx does not understand the rewrite rules in the .htaccess file. The following forum post provides a solution submitted by one of the users.
===================
Q3 How can I disable xmlrpc via the firewall rules in Nginx servers?
Answer: Check the following support thread in the forum.
===================
Q4 Are the following features compatible with Nginx servers?
Both features are listed under the “Brute Force” tab.
- “Rename Login Page”
- “Enable IP Whitelisting”
Answer: The “Rename Login Page” is independent of the type of web server because it works at the PHP level and is thus compatible with Nginx.
However the “Login whitelist” feature uses Apache directives to protect the login page and at this stage it is not compatible with Nginx. Check the following forum support thread.
==================================
OpenLiteSpeed (OLS) Solutions
Q1 How do I fix the issue with “Rename Login Page” feature using OpenLiteSpeed server?
Answer: The following forum post provides a solution submitted by one of the users.
===================
Q2 What .htaccess rules are incompatible with OpenLiteSpeed (OLS)? It’s a 50/50 situation.
Answer: The following forum post provides an answer.
Log File Solutions
Q1 I am getting repeated lockout notifications yet both logs are empty?
Solution: The lockouts won’t be shown in the log files. They are displayed in the Dashboard -> Locked IP Addresses tab.
Also regarding log files, make sure that you have debug enabled – go to Settings and scroll to bottom of page and check the “Enable Debug” box and save debug settings.
(Solution provided by wpsolutions.)
IP Address Solutions
Q1 WP Security does not recognize external IP addresses. How can I fixed this with the plugin?
Solution: The aiowps function which obtains the IP address uses $_SERVER[‘REMOTE_ADDR’].
In most cases the above global should be the best and least spoofable way to obtain the IP address but there are special cases where certain webservers have a more unusual setup. In that case the server might have some proxy or CDN in front of it and hence you may need to make an adjustment via your wp-config.php file.
One example that you could try is the following code entered in your wp-config.php:
if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) && preg_match( '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $_SERVER['HTTP_X_FORWARDED_FOR'] ) )
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
However your hosting environment setup might be different, in that case you might need to experiment with the above code because your real IP address might be located in any of the following globals:
‘HTTP_CF_CONNECTING_IP’, ‘HTTP_CLIENT_IP’, ‘HTTP_X_FORWARDED_FOR’, ‘HTTP_X_FORWARDED’, ‘HTTP_X_CLUSTER_CLIENT_IP’, ‘HTTP_FORWARDED_FOR’, ‘HTTP_FORWARDED’
It is also a good idea to talk to your host support and explain your situation to them. They should be able to point you to which $_SERVER global the real IP address will be in. (Solution provided by wpsolutions in the forum)
You can read the solution form the following forum post. Others have also contributed other solutions as well.
Miscellaneous Solutions
Q1 All In One WP Security & Firewall is producing Error 403. You can not access the page or directory you want. How do I fix this issue?
Solution One: The http 403 forbidden error is most probably caused by one of the features which uses .htaccess directives. For example, the firewall rules or blacklist feature or the white list feature in the brute force menu.
If you want to quickly get back into your site you can edit your .htaccess file and remove all of the rules added by this plugin. ie, remove all code between and including the following tags:
# BEGIN All In One WP Security
# END All In One WP Security
Then when you log back into your site you can go into the various feature settings and disable them or change the configuration as needed. Alternative you can go to the AIOWPS “Settings” menu and scroll to the bottom. Click the “Disable All Firewall Rules” button. This will clear all the firewall rules from your .htaccess file. ( Solution quoted by wpsolutions)
==================================
Q2 If the emailed attachment always turns up as an SQL file and not a ZIP file like all the others that means that your server is not configured correctly.
(The following was quoted by Chesio in the forum)
Database backup files are zipped only if there is ZIP extension enabled in PHP, so if you are getting plain sql files by email, most likely that website has this extension disabled.
You can find whether this extension is enabled in output of phpinfo or you can create a dummy PHP file with class_exists( 'ZipArchive' )
check – this is what actually AIOWPSF plugin does.
For example:
<?php echo class_exists( 'ZipArchive' ) ? 'ZIP extension seems enabled' : 'ZIP extension seems disabled';
=============================
If the above does not work make sure that you try again the steps above but this time do not restore the htaccess file settings.
I will be updating this post from time to time. So keep coming back for the latest troubleshooting answers. If you have a question please send me an e-mail or leave a comment.
Enjoy.
All In One Security (AIOS) Plugin Tutorial List
I’m running All-in-one wp security on a Mac (High Sierra) under Desktop Server localhost environment. In Filesystem Security I get a message that incorrectly says,
“This plugin has detected that your site is running on a Windows server.
This feature is not applicable for Windows server installations.”
I do not have this problem anywhere else in this plugin’s set-up and cannot find a way around this message that will enable me to accurately scan file permissions. I very much appreciate any suggestions you may have for correcting this issue.
Thanks very much,
Jeffrey
Hi Jeffrey, that message is displayed because you are not running a linux system. For example if you carry out tests in a server running Apache or nginx then you would not see this message. That is because the plugin can make changes to the file permissions in the server. I use Xampp in my laptop running windows 10. I also get this message displayed as well. This is because the plugin cannot make changes to the file permissions in a Mac or Windows environment. You can still test the plugins functionality in a Mac system but you won’t be able to make changes to file permissions.
I hope the above makes sense to you.
Kind regards
After installing the second site in multisite system images are not show thro mapped domain on that second site if I disable All In One WP Security plugin all work perfectly.
How to set a plugin for images to show on subpages.
Thank you best regards.
David
Hi David, can you try the following test. Deactivate all Firewall Rules. Then carry out a test. Let me know what happens.
Thank you
“This plugin has detected that your site is running on a Windows server.”
This is not correct, it is running on a Mac.
So the plug-in is useless on a Mac?
Hi,
Are you running Mamp server in your mac system? The plugin does work in a mac system. However the file permission system check does not work when you are running this plugin in windows or mac. The developers in the future might change the following notice “This plugin has detected that your site is running on a Windows or Mac server.”
Let me know if you need more information.
Kind regards
Cannot access login page when aiowsf is active. Just shows the temporary page. If I rename in cpanel then I can access the wp login page. I have the rename login page disabled.
Help anyone?
Hi Graham, did you enable the Rename Login Page feature under Brute Force tab by any chance? If you did, you must log in using the following example: yoursite.com/secretword. If you did not enable the aforementioned feature, do you see any error messages when you try to log in?
Regards