Adds some extra security to your WordPress with only one click. No options page, just activate it!
Author: Samuel Aguilera (profile at wordpress.org)
WordPress version required: 3.9.2
WordPress version tested: 4.9.1
Added to WordPress repository: 14-08-2014
Total downloads: 4 505
Active installs: 1 000+
- Extract the zip file and drop its contents into the wp-content/plugins/ directory of your WordPress installation (or install it directly from your dashboard), then activate it from the Plugins page.
Can I use this plugin together with Wordfence Security or any other security plugin?
If you use a plugin like Wordfence Security, or any other security plugin that gives you similar functionality (those that write rules to .htaccess), you should not be using this plugin together with that other security plugin. Using more than one security plugin at once can give you unexpected results.
Anyway, SAR One Click Security is a pretty friendly plugin: it adds its security rules without interfering with any other existing content in your .htaccess file. In fact I'm using SAR One Click Security + All In One WP Security & Firewall on some sites that I manage.
So technically you can do it if you know what you're doing, but if you do, it's at your own risk. No support is given for problems due to the use of another security plugin together with this one.
I already have some custom rules in my .htaccess, will the plugin remove them?
The plugin doesn't touch any of the existing content of your .htaccess file; it only adds its own rules when you activate it and removes its own rules when you deactivate it.
I’m not sure of what server is running my hosting, can I install this to try?
Yes. If you install this plugin on a server other than Apache (nginx, IIS, etc.), the plugin will only show a notice in your WordPress admin dashboard; no modifications will be made.
My theme uses TimThumb script, can I use this plugin?
Yes, but you must add the following line to your wp-config.php file BEFORE activating the plugin.
That will allow you to use all features of the plugin except for the TimThumb blocking rule.
If you activated the plugin before inserting the above line into your wp-config.php file, simply deactivate and reactivate the plugin to allow access to timthumb.php and thumb.php (another file name used by TimThumb).
If you later want to turn TimThumb support off, simply remove the line mentioned above and deactivate/reactivate the plugin.
After activating the plugin I get an error 500 page, what can I do?
If you get an error 500 page after activating the plugin, this means that your hosting provider doesn't allow some (or any) of the settings the plugin writes to your .htaccess.
You can manually remove the plugin's .htaccess rules by opening your favorite FTP client and deleting all content between # BEGIN SAR One Click Security and # END SAR One Click Security in the .htaccess file located in the root directory of your WordPress installation.
Then do the same in the .htaccess file located in the wp-content directory (or delete that file if nothing else is left in it).
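The same cleanup can be done from a shell on the server, which is handy when the dashboard is returning 500 and you only have SSH. The script below is an added example and not part of the plugin: it deletes everything from the BEGIN marker line through the END marker line, and removes the wp-content file outright when nothing but whitespace is left. The demo directory layout and the rule bodies inside the marker blocks are constructed placeholders, not the plugin's actual rules; the script assumes each marker occurs at most once and on its own line.

```shell
# Added example, not the plugin's own code: strip the plugin's marker-delimited
# block from an .htaccess file, as the FAQ describes doing by hand over FTP.
# Assumes each marker appears at most once, on its own line, with END after BEGIN.
remove_sar_rules() {
    file="$1"
    [ -f "$file" ] || return 0            # no file, nothing to clean up
    tmp="$file.tmp.$$"
    # Delete from the BEGIN marker line through the END marker line, inclusive.
    sed '/^# BEGIN SAR One Click Security/,/^# END SAR One Click Security/d' "$file" > "$tmp"
    if [ -z "$(tr -d '[:space:]' < "$tmp")" ]; then
        # Only whitespace left (the usual wp-content case): drop the file
        # entirely rather than leave an empty .htaccess behind.
        rm -f "$tmp" "$file"
    else
        mv "$tmp" "$file"
    fi
}

# Constructed demo: a site root holding WordPress's own rewrite block plus a
# placeholder plugin block, and a wp-content/.htaccess holding only a plugin
# block. The rule bodies are placeholders, not the plugin's real rules.
# Prints the demo directory so the caller can inspect the result.
sar_cleanup_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content"
    cat > "$dir/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>
# END WordPress

# BEGIN SAR One Click Security
<Files "wp-config.php">
Require all denied
</Files>
# END SAR One Click Security
EOF
    cat > "$dir/wp-content/.htaccess" <<'EOF'
# BEGIN SAR One Click Security
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
# END SAR One Click Security
EOF
    remove_sar_rules "$dir/.htaccess"
    remove_sar_rules "$dir/wp-content/.htaccess"
    echo "$dir"
}
```

After running `sar_cleanup_demo`, the root .htaccess keeps the WordPress rewrite block untouched and the wp-content file is gone, which is exactly the state the FAQ asks you to reach by hand. Take a backup of both files first; `sed` with an unterminated BEGIN marker would delete to end of file.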
Rules are working as intended and blocking works, but I get a line in my Apache error.log that starts with [access_compat:error] when a file is blocked by the rules added by the plugin.
That means that you're running Apache 2.4.x.
SAR One Click Security can detect your server version automatically and use the new Apache 2.4 syntax to prevent these lines in your logs, provided the version number is available from PHP.
But if the ServerTokens directive in your Apache configuration is set to 'Prod' (the recommended setting), the version number cannot be read from PHP, so you will need to add the following line to your wp-config.php:
define( 'SAR_APACHE24_SYNTAX', true);
That will force SAR One Click Security to use the Apache 2.4 syntax in the rules it adds. If you added that line to your wp-config.php after activating the plugin, you will need to deactivate the plugin and activate it again.
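To make the two syntaxes and the ServerTokens problem concrete, here is an added illustration that is not the plugin's code. With ServerTokens Prod the string PHP sees in $_SERVER['SERVER_SOFTWARE'] is just "Apache", with no version, so any version check comes back empty. The shell functions below classify that string and emit a deny rule for a single file in the matching syntax; when the version is unknown they fall back to a block guarded by <IfModule mod_authz_core.c>, a module that exists only in Apache 2.4, so the 2.4 directives are parsed only where they are valid. The file name and rule body are hypothetical.

```shell
# Added example, not the plugin's code: choose a deny-rule syntax from the
# server string PHP would read in $_SERVER['SERVER_SOFTWARE'].
# Prints 24, 22 or unknown. "Apache" alone (ServerTokens Prod) is unknown.
apache_syntax_for() {
    case "$1" in
        Apache/2.4*)                echo 24 ;;
        Apache/2.[0-3]*|Apache/1.*) echo 22 ;;
        *)                          echo unknown ;;
    esac
}

# Emits an .htaccess block denying access to one file (e.g. wp-config.php).
# Apache 2.4 with the 2.2 Order/Deny form still blocks the request, but does
# so through mod_access_compat and logs [access_compat:error]; the Require
# form is the native 2.4 directive and logs [authz_core:error] instead.
deny_file_rule() {
    file="$1"
    server="$2"
    case "$(apache_syntax_for "$server")" in
        24)
            printf '<Files "%s">\nRequire all denied\n</Files>\n' "$file"
            ;;
        22)
            printf '<Files "%s">\nOrder allow,deny\nDeny from all\n</Files>\n' "$file"
            ;;
        *)
            # Version hidden: let Apache pick. mod_authz_core is 2.4-only, so
            # each branch is only parsed by the version that understands it.
            printf '<Files "%s">\n' "$file"
            printf '<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n'
            printf '<IfModule !mod_authz_core.c>\nOrder allow,deny\nDeny from all\n</IfModule>\n'
            printf '</Files>\n'
            ;;
    esac
}
```

Try it with `deny_file_rule wp-config.php "$SERVER_SOFTWARE"` for the three kinds of string: "Apache/2.4.29 (Ubuntu)", "Apache/2.2.34" and plain "Apache". The guarded fallback is the form to prefer whenever you cannot trust version detection, since it works on both branches without the SAR_APACHE24_SYNTAX constant and without the log noise.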
- Added rule to block scans done with WPScan when using the default user-agent.
- Fixed PHP notice for $wp_domain_not_supported var.
- Added blocking of any query string trying to get a copy of the wp-config.php file.
- Added blocking of the gf_page=upload query string; this was deprecated in Gravity Forms in May 2015, so if your copy of Gravity Forms still uses it, update now!
- Changed some rules from redirecting to the localhost IP to returning a 403 Forbidden error.
- Added blocking of access to .txt files under any plugin/theme directory to prevent scans for installed plugins/themes.
- Added support for the new Apache 2.4.x syntax for deny directives.
- Added the SAR_APACHE24_SYNTAX constant to allow the use of the Apache 2.4.x syntax on servers where the Apache version string is not available due to server configuration.
- Modified FilesMatch to prevent access to install.php.
- Added old PHP extensions to the rule that blocks direct access to PHP files in the wp-content directory, to cover servers that still allow these extensions (mainly crappy shared hosting).
- Prevent .htaccess rules from being created on an unsupported server during plugin updates (although it makes no sense to keep the plugin activated if you're not running Apache).
- Added removal of version information from page headers. This covers not only the page header (HTML or XHTML) but also feed headers (RSS, RSS2, Atom, RDF) and OPML comments. Only the version number is removed, not the entire generator information.
- Some minor code cleanup.
- Added support for themes using timthumb.php; check the FAQ before installing the plugin to see how.
- Added blocking of access to wp-login.php with a blank User-Agent and direct posting of credentials.
- Improved code that handles .htaccess at wp-content
- Greatly improved some .htaccess rules
- Added translation support.
- Added Spanish (es_ES) translation.
- Added routine for future upgrades.
- Added support for an existing .htaccess in wp-content before plugin activation.
- Added a check to see whether the server running the plugin is Apache; if not, do nothing, to avoid creating useless files on unsupported servers.
- Also added an admin notice for users who installed the plugin on an unsupported server.
- First release.