Locked Out

Better WordPress Security Fix

Better WordPress Security is a very robust security plugin for WordPress-powered websites.  Modifying the login process, changing the WordPress database table prefix, and completely turning off the ability to log in for a given time period are but a few examples of the broad scope of this program’s ability to increase the security of your WordPress site.  Better WordPress Security was exactly what I was looking for, so I installed it without hesitation.

The install was pretty simple.  The configuration was straightforward, using a “one click” approach to set up the basic configuration, and then there are settings which are set manually, depending on your use and the level of security you want.

The security plugin also offers some System Tweaks that are clearly marked with the warning, “This feature is known to cause conflict with some plugins and themes.”  At this point, I made what seemed like a good decision at the time:  “Go ahead and enable one or two options at a time.  Run the program for a day or two; if all is well, trigger a couple more options.”  I concluded that by limiting the number of items to be enabled, it would be easy to decide which option created a problem if one occurred, and then find a workaround, or just simply disable the offending option.  The plugin had a little surprise for me.  When one of my options collided with “something” in the program, the plugin would not allow me to log in.  By design, Better WordPress Security had altered my login process.  The process worked fine after the alteration, but apparently only for a while.  Not to worry, because the plugin had supplied me with a code to use for logging in when such a disaster visited itself upon me.  Time to worry: the code did not work either.  I was totally locked out.

There Has To Be A Backdoor Here Somewhere

Let me start by saying I am neither a WordPress Guru nor a Website Ninja.  I am just a guy trying to logically solve a problem.  Also, I hadn’t gone to DEFCON 4 yet, as I had my entire WordPress site’s files backed up and waiting for me in a Dropbox folder.  Once again, file backups saved my butt.  I am a true believer.

Here’s the journey back to getting my website working again:

  1. Was I hacked?  Even with all the security measures in place (so secure that even I could not access my site), my site could have acquired some malicious code.  I went to my web host site via cPanel.  I wanted to look at my database, so I clicked phpMyAdmin.  Up came a window not lacking in complexity.  I found and clicked my database on the left side of the window.  Next, I took a look at these tables:  wp_bwps_lockouts and wp_bwps_log.  Except for some headers and markers, there was no activity.  Then, I went to wp_users.  Here, I was looking for users that might have been deleted or substituted, and any changes to email addresses.  Struck out again.  No issues.  Probably wasn’t hacked.  This was the max level of my ability here, and everything looked fine.  But it shouldn’t have.  Why did it not show me being locked out?  I was beginning to feel like finding the Holy Grail would be easier than getting an answer to that last question.
  2. Reinstall the database.  I had a fresh database backup, so it seemed like a good time to reinstall it.  I hoped this might clean up some of the “bad” settings made (by me) during the day when configuring the security plugin.  While still in phpMyAdmin, across the top of the window are tabs; I clicked Import.  I then found a dialog box that asked for the location of the backed-up database.  I supplied the location info and clicked the Go button at the bottom left of the page.  In no time, the new database was installed.  I backed out of phpMyAdmin, and then left cPanel.  Time to try my WordPress site.  Better WordPress Security blocked my entrance once again.
  3. Edit the .htaccess file.  According to Wikipedia, the .htaccess file is:  “…a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration.”  In my case, the file contained many entries written by the security plugin.  Because I could not access my WordPress site and reconfigure/disable the security plugin from the Plugins and Settings options on my Dashboard, getting to .htaccess would be a backdoor solution that should fix (I hoped) my problem.  The file is found on the host inside the public_html directory, along with all the WordPress files.  The .htaccess file is plain text and can be edited with a text editor.  I decided to remove everything from the .htaccess file that had anything to do with the security plugin.  Using SSH, I accessed the web server and entered the public_html directory.  Now I needed a text editor.  I took a guess to see if the nano editor was installed.  I typed “nano .htaccess”.  With some relief, I saw the editor open, showing me the contents of .htaccess.  I erased the Better WordPress Security entries.  After exiting back to my Mac, I fired up my browser.  Time to try my website.  Yikes!!!  I got a 500 Error, server configuration message.  My entire website had crashed!!!  One can only inflict so much damage in one day, and I was at my limit.  I shut the computers down and went to bed.
  4. Reinstall a matching database.  Sometime early the next morning, an aha moment took place.  I realized that I had brought the .htaccess file back to a time before installing the security plugin, but the database was still configured for the {expletive deleted} security plugin.  I back up WordPress files weekly, and my database daily.  In my weekly backup files, I had a database file backed up before the plugin was installed, and using this database, along with my recently updated .htaccess file, everything should work.  At this point, I was out of rabbits to pull from my hat.  If this database failed to resolve my problem, then before spending any more time in diagnosis, it might well be better to delete the existing WordPress files and reinstall the program again.  I’d still have my blog posts available, so the only thing I would be out is the time spent reconfiguring.  Back to cPanel and phpMyAdmin.  I imported the “earlier” database file.  Backed out of cPanel.  Again, loaded the browser, and attempted to get access to my WordPress site.  The access screen appeared.  Looking good so far.  I supplied the proper username and password, hit the login button, and… I was in!!!  Mission accomplished!!!  Everything in WordPress worked fine, and I did not lose any data.  I immediately went to Plugins and deactivated Better WordPress Security.
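Step 3 above went wrong because the hand edit in nano removed more than the plugin’s own entries and left .htaccess and the database out of step. The script below is an added example (not from the post and not part of the plugin) that does that edit more safely: it takes a dated backup first, removes only the block between the plugin’s BEGIN/END marker comments, refuses to touch the file if the markers are missing or unbalanced, and checks that the standard WordPress rewrite block survives. The exact marker text is an assumption; check your own .htaccess for the comment the plugin actually wrote.

```shell
#!/bin/sh
# Added example, not code from the post or the plugin.
# Usage: strip_marked_block /path/to/.htaccess '# BEGIN Better WP Security' '# END Better WP Security'
# The marker strings above are an assumption about what the plugin writes.
set -u

# strip_marked_block FILE BEGIN_MARKER END_MARKER
# Removes the lines from BEGIN_MARKER through END_MARKER (inclusive).
# Returns 0 when a block was removed, 1 when markers are missing or unbalanced
# (in which case FILE is left untouched).
strip_marked_block() {
  file=$1; begin=$2; end=$3
  nbegin=$(grep -c -F -- "$begin" "$file" || true)
  nend=$(grep -c -F -- "$end" "$file" || true)
  if [ "$nbegin" -ne 1 ] || [ "$nend" -ne 1 ]; then
    echo "refusing: need exactly one '$begin' and one '$end' in $file (found $nbegin/$nend)" >&2
    return 1
  fi
  # Always keep a copy to roll back to if the site returns a 500 afterwards.
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
  awk -v b="$begin" -v e="$end" '
    index($0, b) { skip = 1; next }   # start skipping at the BEGIN marker
    index($0, e) { skip = 0; next }   # stop skipping after the END marker
    !skip        { print }            # everything else is kept verbatim
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# htaccess_keeps_wordpress FILE
# The WordPress rewrite block must survive the edit; losing it breaks permalinks
# and, as in the post, can take the whole site down.
htaccess_keeps_wordpress() {
  grep -q -F '# BEGIN WordPress' "$1" && grep -q -F '# END WordPress' "$1"
}
```

Run it over SSH in public_html, then reload the site; if anything breaks, copy the .bak file back over .htaccess.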

Summary

Better WordPress Security is a full-featured security plugin.  To me, the very thing that makes it great is the same thing that diminishes it, and that is its own complexity.  Because there are so many plugins available for WordPress, designing any program that accounts for all of them, and all possible interactions between plugins, would be an impossibility.  To its author’s credit, I believe every attempt has been made to make the program as broad and as reliable as possible.  Still, the very essence of WordPress to me is flexibility, and that means an infinite number of variations.  I would keep that thought in mind if you decide to try the plugin.  If you do use it, configure it very conservatively.

2 Comments

  • jason Whitelord says:

    The Better WP Security plugin is crap. I mean it’s advertised as the most simple security plugin to use according to WordPress.org, but when you get logged out of your own website, it’s just like having your website hacked, knowing that the only thing that has control over it is somebody else’s code.

    If you look online it seems a HUGE number of people have been negatively impacted by this piece of junk, including myself. Why should we have to spend hour after hour trying to work out how to log in to our very own company website when it is the developer of this plugin who is causing so many people absolute utter misery? The guy (Chris Wiegman) should have his ass handed to him and be sued for everything he bloody owns.

    How much has he cost hundreds of website owners around the world, it must be hundreds of thousands if not millions of dollars in lost profit. Two years ago plus people were experiencing this exact same problem and today the problem still exists. No matter what you do, it’s impossible to gain access to your own website – how absolutely ridiculous!

    My new business is due to launch in 2 days time, I was just putting the finishing touches to my website and thought to myself that I better install a simple plugin this time to help secure my site against malicious hackers. Now it looks like I won’t be able to launch the company as scheduled and all thanks to this bloody plugin ‘developer’ who has ruined my chance of a successful launch.

    The site is as good as hacked, I cannot get in there and a fix looks incredibly complicated, way beyond my experience to deal with it costing me more money employing somebody else to work this problem out. Worst of all, I’ve now been completely put off from installing any other kind of security plugin for fear exactly the same could happen again.

    I am so disgusted with Chris Wiegman at the moment, this is exactly what I don’t need right now.

    This plugin should be banned from WordPress for good. And the developer, go get a frickin’ job washing dishes instead of ruining other people’s good efforts.

    Absolutely f(expletive)ing ridiculous!

    • prometheus says:

      Sorry you had the problems. As you can tell from my article, Better WP Security had me completely locked out. You did not mention if you had your site backed up. Hopefully, you did. As I mentioned in my article, I used a secure shell to access my website, replaced a few files, and I was up and running. It sounds simple enough, but it took a lot of research to isolate the problem, and then find out and use the process to fix it. There is an inherent risk when we install any plugin, as there is no way a developer can totally “test” the outcome of their product. There are just too many combinations of WordPress + number of plugins installed. There is no model system. As a security plugin covers a lot of code “under the hood” of WordPress, the number of variants is even greater. To protect ourselves, we can either limit the number of plugins we use, thus limiting our risk, and/or be sure the site is backed up, and that we know how to use SSH to access our site and hopefully fix the problem. This does indeed paint a rather gloomy picture, but that is the reality. In the end, I hope you got your site running, and that business is good.