How to fix the missing security headers issue?

In the portal, this may show up under "improvements" when you view your site. If you have our WordPress plugin installed, we will automatically try to inject the security headers into the response. If this does not work, perhaps because of an aggressive caching plugin or a caching/proxy server, you may have to add the rules below to your .htaccess file manually.

<b>Adding the security headers automatically</b>

To add the security headers automatically, navigate to the Patchstack app or to the Patchstack plugin in your WordPress dashboard.

<b>How to do it via Patchstack plugin?</b>
<ol><li>Navigate to your WordPress dashboard</li>
<li>On the left side menu find Settings</li>
<li>Under Settings find Security</li>
<li>From the Patchstack plugin menu click Firewall</li>
<li>Scroll down until you see .htaccess Features</li>
<li>Tick the green box "Add security headers"</li>
<li>Scroll down and Save settings</li></ol>

<b>How to do it in Patchstack app?</b>
<ol><li>Click on the site you want to add security headers to from Portal dashboard</li>
<li>Scroll down and find the Hardening tab</li>
<li>From the Hardening options choose Firewall tab</li>
<li>Click the option "Add security headers"</li>
<li>Scroll down and click Save settings</li></ol>

<b>Adding the security headers manually</b>

If you do not have a WordPress site or do not want to use our plugin, you can manually add the following security headers to the .htaccess file if you use <b>Apache</b>:
<pre>
&lt;IfModule mod_headers.c&gt;
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Strict-Transport-Security "max-age=31536000"
Header unset X-Powered-By
&lt;/IfModule&gt;
</pre>

If you are running <b>nginx</b>, add the following to the configuration file and restart or reload nginx:
<pre>
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000";
add_header Referrer-Policy "strict-origin-when-cross-origin";
</pre>

Additionally, to permanently remove the X-Powered-By header instead of relying on the changes above, set the expose_php value of your PHP configuration to "Off". You may have to ask your host to make the above changes.

<i>Note that it may take up to 12 hours before the security headers error in the portal is resolved. Alternatively, click on the "Rescan Site" button when you view your site in our portal.</i>
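To confirm that the headers actually reach visitors, for example when a caching layer keeps serving old responses, the following added example (not Patchstack code) audits a raw HTTP response against the values in the rules above. The two sample responses and the wording of the findings are constructed for illustration.

```python
EXPECTED = {  # values from the Apache/nginx rules above, lowercased for comparison
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
}
HSTS_MIN_AGE = 31536000  # max-age used in the rules above

# Constructed samples: a stale cached response, then one with every header set.
SAMPLE_STALE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "X-Powered-By: PHP/8.1\r\nX-Frame-Options: SAMEORIGIN\r\n"
                "Strict-Transport-Security: max-age=300\r\n\r\n<html>")
SAMPLE_FIXED = ("HTTP/1.1 200 OK\r\nx-frame-options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
                "X-XSS-Protection: 1; mode=block\r\nStrict-Transport-Security: max-age=31536000\r\n"
                "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n")

def parse_headers(raw):
    """Return {lowercased header name: [values]} from a raw HTTP response."""
    headers = {}
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]   # drop the body
    for line in head.split("\n")[1:]:                        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_max_age(values):
    """Extract max-age (seconds) from Strict-Transport-Security values, or None."""
    for directive in ";".join(values).split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return None

def audit(raw):
    """List deviations from the header rules above for one response."""
    headers, findings = parse_headers(raw), []
    for name, want in EXPECTED.items():
        got = headers.get(name, [])
        if not got:
            findings.append(f"missing {name}")
        elif any(v.lower() != want for v in got):
            findings.append(f"unexpected {name}: {', '.join(got)}")
    age = hsts_max_age(headers.get("strict-transport-security", []))
    if age is None or age < HSTS_MIN_AGE:
        findings.append(f"weak or missing strict-transport-security (max-age={age})")
    if "x-powered-by" in headers:
        findings.append("x-powered-by still exposed")
    return findings
```

Header names are matched case-insensitively, so a proxy that rewrites their capitalization does not cause false findings.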

Why is the portal showing the firewall of my site as delayed?

This firewall error might show up on the portal, where the firewall is indicated as being "delayed". This can happen for a few reasons:
<ol><li>Scheduled tasks are not running properly on your site. We attempt to ping our API from your site every hour. However, since WordPress scheduled tasks run when you have visitors on your site, this might not happen if you have no visitors. It is also possible that, because of an error, scheduled tasks are not running at all on your site even when you have visitors. You can use a plugin such as <a href="" target="_blank">WP Crontrol</a> to keep track of your scheduled tasks.</li>
<li>You do not have the right API credentials configured on the license settings page. The API credentials, which you can find on the portal under your site > Site Settings > API Keys, should match the API credentials on your site at wp-admin > Settings > Security > License page.</li></ol>

One potential solution to reason 1 is to use a server-based scheduled task, which triggers your scheduled tasks even when you have no visitors.
<ol><li>Disable the default WordPress cronjob by adding the following to your wp-config.php file in the root folder of your site: <pre>define('DISABLE_WP_CRON', true);</pre></li>
<li>Set up a cronjob in your hosting account management panel. In CPanel this can be found under Advanced > Cron Jobs.</li>
<li>Set the interval to something between 5 and 15 minutes.</li>
<li>Set the cron command to the following (example.com is a placeholder; change the URL to your own): <pre>wget -q -O - "https://example.com/wp-cron.php?doing_wp_cron" >/dev/null 2>&1</pre></li>
<li>Now click on the create new cron job button.</li></ol>

How to get the site and secret key for the reCAPTCHA feature?

You have to enter your own reCAPTCHA keys in order to use the reCAPTCHA feature. Here is how:
<ol><li>Log in to your Google account at <a href="" target="_blank"></a></li>
<li>Go here: <a href="" target="_blank"></a></li>
<li>In the label, enter your site name.</li>
<li>Check "reCAPTCHA v2" OR "reCAPTCHA v3" depending on which reCAPTCHA version you want to use. The "reCAPTCHA v3" feature is only available in our plugin version 1.3 and up.</li>
<li>In the domains field, enter your domain(s).</li>
<li>Check the checkbox to agree to the terms.</li>
<li>Click on "Register".</li>
<li>You will now see the "Site key" and "Secret key", which you will need to copy over to our plugin; then save the settings on the settings page.</li></ol>

I'm receiving the error: "Destination folder already exists" during the installation.

This error might show up during the installation of Patchstack. If you already installed Patchstack before at some point, try deleting /wp-content/plugins/patchstack/ and then re-install the plugin. If after that it still shows the same error, upload the Patchstack folder inside the .zip file to /wp-content/plugins/ and then activate it on the plugins page of WordPress.

What IP addresses do the servers of Patchstack use to whitelist?

<b>Below is a list of most of the IP addresses that we currently use. Sometimes you need to whitelist these IP addresses in order to prevent your hosting provider or a (secondary) firewall from blocking our services.</b>

<b>Note that we may add and remove IP addresses at any time without notice.</b>

(as of September 2020) (as of December 2020) (as of March 2021)

<b>CIDR Notation</b>

<b>IPTables Rules</b>
<pre>
iptables -A INPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
</pre>

How do I manually remove the Patchstack plugin from my site?

To manually remove the Patchstack plugin from your WordPress site, you will have to perform several actions. First, log in to the FTP account of your site, or, if you have access to something such as CPanel/WHM, open its file manager feature. Once logged in, go to /wp-content/plugins/ and delete the folder <b>patchstack</b>. Once this is done, Patchstack will be removed from your WordPress site.

How to fix "Improper HTTP to HTTPS redirection"?

When your site does not properly redirect HTTP requests to HTTPS, a man-in-the-middle attack may be possible. The site must redirect straight from the HTTP version to the HTTPS version, with no additional HTTP redirects in between.

To fix this on a WordPress site, first make sure your site is available over HTTPS (you might have to ask your host about this). If it is available over HTTPS, we recommend that you install the "Really Simple SSL" plugin. After the plugin setup, it may take up to 12 hours before the HTTPS/SSL error in the portal is resolved.

<b>Apache</b>

If you do not run a WordPress site, you can create a .htaccess file in the root of your website (or modify the existing one) through FTP or a file manager in CPanel/WHM/Plesk and add the following (example.com is a placeholder; make sure to change the domain name on the last line):
<pre>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R,L]
</pre>

<b>nginx</b>

It's a bit more technical to do this for nginx, as you probably need root access to modify the nginx web server configuration settings. The easiest way is to set up a listener for port 80 (HTTP), which redirects traffic with a 301 permanent redirect to the port 443 (HTTPS) listener.
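The check described above, as an added example that is not Patchstack code: it follows a redirect chain and reports whether the first hop from the HTTP URL goes straight to HTTPS. The redirect tables are constructed, and example.com is a placeholder domain.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect tables: URL -> (status code, Location header or None).
DIRECT = {"http://example.com/": (301, "https://example.com/"),
          "https://example.com/": (200, None)}
DETOUR = {"http://example.com/": (301, "http://www.example.com/"),
          "http://www.example.com/": (301, "https://www.example.com/"),
          "https://www.example.com/": (200, None)}
NO_REDIRECT = {"http://example.com/": (200, None)}


def follow(start, responses, max_hops=10):
    """Return the list of URLs visited, resolving relative Location values."""
    chain, url = [start], start
    for _ in range(max_hops):                     # cap guards against loops
        status, location = responses.get(url, (None, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
        chain.append(url)
    return chain


def check_https_redirect(start, responses):
    """Classify how a plain-HTTP start URL is redirected."""
    chain = follow(start, responses)
    if len(chain) == 1:
        return "no redirect: site is served over plain HTTP"
    if urlsplit(chain[1]).scheme != "https":
        return "improper: first hop stays on HTTP (%s)" % chain[1]
    if any(urlsplit(u).scheme != "https" for u in chain[2:]):
        return "improper: chain drops back to HTTP"
    return "ok: direct HTTP to HTTPS redirect"
```

In the `DETOUR` table the site does end up on HTTPS, but only after an extra hop over plain HTTP, which is the case the portal message describes.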

How does multisite work and what is its pricing model?

Once you install the plugin on a multisite installation, you will see a page where you can activate Patchstack on the sites that are available on the multisite installation. Each site will be added to the portal individually and will take up a slot on your account, which means you will be charged for each one individually.

I turned on the "Move and rename login page" feature but forgot what I named the new login page.

It's possible you forgot what you renamed your admin page to. Now what to do? Unfortunately, the only way to find out is by disabling the Patchstack plugin, then re-activating it and checking what you entered in the login rename page textarea on the settings page of Patchstack. Follow <a href="" target="_blank">this guide</a>, but don't delete the folder. Rename it to something else, such as _webarx. Afterwards, we recommend renaming it back to Patchstack.

Where is the Patchstack settings page on the plugin?

Since version 1.3.5, we moved the Patchstack settings page to its own page. <b>Versions 1.3.5 up to 2.1.0</b> When we released version 1.3.5 of the Patchstack plugin, we moved the Patchstack settings page link from its own section to the "Settings" menu of WordPress. It can now be found under the "Security" sub-menu option of the "Settings" main menu. <b>Versions 2.1.0+</b> Since version 2.1.0, the Patchstack settings are hidden by default and we encourage you to manage the Patchstack settings of your WordPress site through <a href="" target="_blank"></a>. If you do not wish to do this, you can go to wp-admin > Settings > Security and on this page click on the link at the bottom of the screen to turn on the setting management through WordPress.