All In One WP Security & Firewall - Version 1.1

Version Description

  • Added the following new feature:
  • Prevent people from accessing the readme.html, license.txt and wp-config-sample.php files.

Release Info

Developer mra13
Version 1.1

Code changes from version 1.0 to 1.1

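--- a/admin/wp-security-dashboard-menu.php
+++ b/admin/wp-security-dashboard-menu.php
@@ -164,7 +164,7 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
 <div class="inside">
 
 <?php
-_e('Below is the current status of the critical features that you should activate on your site for maximum security','aiowpsecurity');
+_e('Below is the current status of the critical features that you should activate on your site to achieve a minimum level of recommended security','aiowpsecurity');
 $feature_items = $feature_mgr->feature_items;
 $username_admin_feature = $feature_mgr->get_feature_item_by_id("user-accounts-change-admin-user");
 echo '<div class="aiowps_feature_status_container">';
@@ -236,7 +236,7 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
 
 <p>We are working to make your WordPress site more secure. Please support us, here is how:</p>
 <p>
-<a href="http://twitter.com/intent/tweet?url=http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin&text=I love the All In One WP Security and Firewall plugin!" target="_blank" class="aio_tweet_link">Post to Tweeter</a>
+<a href="http://twitter.com/intent/tweet?url=http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin&text=I love the All In One WP Security and Firewall plugin!" target="_blank" class="aio_tweet_link">Post to Twitter</a>
 </p>
 <p>
 <a href="http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/" target="_blank" class="aio_rate_us_link">Vote & Rate Now</a>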
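--- a/admin/wp-security-filesystem-menu.php
+++ b/admin/wp-security-filesystem-menu.php
@@ -8,13 +8,15 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
 var $menu_tabs = array(
 'tab1' => 'File Permissions',
 'tab2' => 'PHP File Editing',
-'tab3' => 'Host System Logs',
+'tab3' => 'WP File Access',
+'tab4' => 'Host System Logs',
 );
 
 var $menu_tabs_handler = array(
 'tab1' => 'render_tab1',
 'tab2' => 'render_tab2',
 'tab3' => 'render_tab3',
+'tab4' => 'render_tab4',
 );
 
 function __construct()
@@ -218,6 +220,78 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
 }
 
 function render_tab3()
+{
+global $aio_wp_security;
+if(isset($_POST['aiowps_save_wp_file_access_settings']))//Do form submission tasks
+{
+$nonce=$_REQUEST['_wpnonce'];
+if (!wp_verify_nonce($nonce, 'aiowpsec-prevent-default-wp-file-access-nonce'))
+{
+$aio_wp_security->debug_logger->log_debug("Nonce check failed on enable basic firewall settings!",4);
+die("Nonce check failed on enable basic firewall settings!");
+}
+
+//Save settings
+if(isset($_POST['aiowps_prevent_default_wp_file_access']))
+{
+$aio_wp_security->configs->set_value('aiowps_prevent_default_wp_file_access','1');
+}
+else
+{
+$aio_wp_security->configs->set_value('aiowps_prevent_default_wp_file_access','');
+}
+
+//Commit the config settings
+$aio_wp_security->configs->save_config();
+
+//Now let's write the applicable rules to the .htaccess file
+$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
+
+if ($res)
+{
+$this->show_msg_updated(__('You have successfully saved the Prevent Access to Default WP Files configuration.', 'aiowpsecurity'));
+}
+else if($res == -1)
+{
+$this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
+}
+}
+
+?>
+<h2><?php _e('WordPress Files', 'aiowpsecurity')?></h2>
+<div class="aio_blue_box">
+<?php
+$info_msg = sprintf( __('This feature allows you to prevent access to files such as %s, %s and %s which are delivered with all WP installations.', 'aiowpsecurity'), 'readme.html', 'license.txt', 'wp-config-sample.php');
+echo '<p>'.$info_msg.'</p>'.'<p>'.__('By preventing access to these files you are hiding some key pieces of information (such as WordPress version info) from potential hackers.', 'aiowpsecurity').'</p>';
+?>
+</div>
+
+<div class="postbox">
+<h3><label for="title"><?php _e('Prevent Access to Default WP Files', 'aiowpsecurity'); ?></label></h3>
+<div class="inside">
+<?php
+//Display security info badge
+global $aiowps_feature_mgr;
+$aiowps_feature_mgr->output_feature_details_badge("block-wp-files-access");
+?>
+<form action="" method="POST">
+<?php wp_nonce_field('aiowpsec-prevent-default-wp-file-access-nonce'); ?>
+<table class="form-table">
+<tr valign="top">
+<th scope="row"><?php _e('Prevent Access to WP Default Install Files', 'aiowpsecurity')?>:</th>
+<td>
+<input name="aiowps_prevent_default_wp_file_access" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_prevent_default_wp_file_access')=='1') echo ' checked="checked"'; ?> value="1"/>
+<span class="description"><?php _e('Check this if you want to prevent access to readme.html, license.txt and wp-config-sample.php.', 'aiowpsecurity'); ?></span>
+</td>
+</tr>
+</table>
+<input type="submit" name="aiowps_save_wp_file_access_settings" value="<?php _e('Save Setting', 'aiowpsecurity')?>" class="button-primary" />
+</form>
+</div></div>
+<?php
+}
+
+function render_tab4()
 {
 global $aio_wp_security;
 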
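Review bot: The failure branch in the new render_tab3() is unreachable: write_to_htaccess() reports failure by returning -1 (its new early return in classes/wp-security-utility-htaccess.php is part of this same release), and -1 is truthy in PHP, so `if ($res)` takes the success path and the administrator is told the default WP files are now blocked when nothing was written to .htaccess. Test the sentinel first, `if ($res == -1) { $this->show_msg_error(...); } else { $this->show_msg_updated(...); }`, assuming -1 is the only failure value (write_to_htaccess()'s body continues outside its hunk). The nonce-failure log_debug() and die() strings were copied from the firewall tab and still read "enable basic firewall settings", which misdirects anyone reading the debug log; change both to `"Nonce check failed on save WP file access settings!"`. `$nonce=$_REQUEST['_wpnonce'];` also dereferences the index unguarded, so a POST without it raises a notice before wp_verify_nonce() rejects it; `$nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';` avoids that. No capability check is visible in this hunk — presumably the parent menu class restricts the page to administrators, which is worth confirming since this handler rewrites .htaccess; render_tab4()'s body continues outside the hunk.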
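--- a/classes/grade-system/wp-security-feature-item-manager.php
+++ b/classes/grade-system/wp-security-feature-item-manager.php
@@ -48,6 +48,8 @@ class AIOWPSecurity_Feature_Item_Manager
 $this->feature_items[] = new AIOWPSecurity_Feature_Item("filesystem-file-permissions", "File Permissions", $this->feature_point_4, $this->sec_level_basic);
 //PHP File Editing
 $this->feature_items[] = new AIOWPSecurity_Feature_Item("filesystem-file-editing", "File Editing", $this->feature_point_2, $this->sec_level_basic);
+//Prevent Access WP Install Files
+$this->feature_items[] = new AIOWPSecurity_Feature_Item("block-wp-files-access", "WordPress Files Access", $this->feature_point_2, $this->sec_level_basic);
 
 //Blacklist Manager Menu Features
 //IP and user agent blacklisting
@@ -138,6 +140,10 @@ class AIOWPSecurity_Feature_Item_Manager
 {
 $this->check_filesystem_file_editing_feature($item);
 }
+if($item->feature_id == "block-wp-files-access")
+{
+$this->check_block_wp_files_access_feature($item);
+}
 
 if($item->feature_id == "blacklist-manager-ip-user-agent-blacklisting")
 {
@@ -301,6 +307,18 @@ class AIOWPSecurity_Feature_Item_Manager
 $item->set_feature_status($this->feature_inactive);
 }
 }
+
+function check_block_wp_files_access_feature($item)
+{
+global $aio_wp_security;
+if ($aio_wp_security->configs->get_value('aiowps_prevent_default_wp_file_access') == '1') {
+$item->set_feature_status($this->feature_active);
+}
+else
+{
+$item->set_feature_status($this->feature_inactive);
+}
+}
 
 function check_enable_ip_useragent_blacklist_feature($item)
 {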
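Review bot: check_block_wp_files_access_feature() awards the security points purely from the saved `aiowps_prevent_default_wp_file_access` option, so the badge will report the three files as protected even when write_to_htaccess() failed or wrote rules the server never reads (get_server_type() in this release accepts 'nginx', which does not consult .htaccess). That appears to be the convention the neighbouring check_* functions follow, so at minimum state the limitation above the method: `// Reflects the saved setting only; does not verify that the AIOWPS_BLOCK_WP_FILE_ACCESS rules are present in .htaccess or enforced by the web server.` A stronger check would read .htaccess and require the marker pair to be present before marking the feature active. The `== '1'` comparison matches the rest of the file, but `=== '1'` would remove the loose-comparison surprise if the stored type ever changes.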
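--- a/classes/wp-security-configure-settings.php
+++ b/classes/wp-security-configure-settings.php
@@ -34,6 +34,7 @@ class AIOWPSecurity_Configure_Settings
 
 //Filesystem Security feature
 $aio_wp_security->configs->set_value('aiowps_disable_file_editing','');//Checkbox
+$aio_wp_security->configs->set_value('aiowps_prevent_default_wp_file_access','');//Checkbox
 
 //Blacklist feature
 $aio_wp_security->configs->set_value('aiowps_enable_blacklisting','');//Checkbox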
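--- a/classes/wp-security-utility-htaccess.php
+++ b/classes/wp-security-utility-htaccess.php
@@ -6,6 +6,9 @@ class AIOWPSecurity_Utility_Htaccess
 //This will make it easy to locate the blocks of code for deletion if someone disables a feature
 public static $ip_blacklist_marker_start = '#AIOWPS_IP_BLACKLIST_START';
 public static $ip_blacklist_marker_end = '#AIOWPS_IP_BLACKLIST_END';
+
+public static $prevent_wp_file_access_marker_start = '#AIOWPS_BLOCK_WP_FILE_ACCESS_START';
+public static $prevent_wp_file_access_marker_end = '#AIOWPS_BLOCK_WP_FILE_ACCESS_END';
 
 public static $basic_htaccess_rules_marker_start = '#AIOWPS_BASIC_HTACCESS_RULES_START';
 public static $basic_htaccess_rules_marker_end = '#AIOWPS_BASIC_HTACCESS_RULES_END';
@@ -34,8 +37,37 @@ class AIOWPSecurity_Utility_Htaccess
 //NOP
 }
 
+//Gets server type. Returns -1 if server is not supported
+static function get_server_type()
+{
+//figure out what server they're using
+if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache'))
+{
+return 'apache';
+}
+else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx'))
+{
+return 'nginx';
+}
+else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed'))
+{
+return 'litespeed';
+}
+else
+{ //unsupported server
+return -1;
+}
+
+}
+
 static function write_to_htaccess()
 {
+//figure out what server is being used
+if (AIOWPSecurity_Utility_Htaccess::get_server_type() == -1)
+{
+return -1; //unable to write to the file
+}
+
 //clean up old rules first
 if (AIOWPSecurity_Utility_Htaccess::delete_from_htaccess() == -1)
 {
@@ -155,6 +187,7 @@ class AIOWPSecurity_Utility_Htaccess
 static function getrules()
 {
 $rules = "";
+$rules .= AIOWPSecurity_Utility_Htaccess::getrules_block_wp_file_access();
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_basic_htaccess();
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_blacklist();
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_disable_trace_and_track();
@@ -176,29 +209,42 @@ class AIOWPSecurity_Utility_Htaccess
 return $rules;
 }
 
-static function getrules_blacklist()
+/*
+* This function will write rules to prevent people from accessing the following files:
+* readme.html, license.txt and wp-config-sample.php.
+*/
+static function getrules_block_wp_file_access()
 {
 global $aio_wp_security;
 @ini_set( 'auto_detect_line_endings', true );
 
-//figure out what server they're using
-if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache'))
-{
-$aiowps_server = 'apache';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx'))
-{
-$aiowps_server = 'nginx';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed'))
-{
-$aiowps_server = 'litespeed';
-}
-else
-{ //unsupported server
-return -1;
+$rules = '';
+if($aio_wp_security->configs->get_value('aiowps_prevent_default_wp_file_access')=='1')
+{
+$rules .= AIOWPSecurity_Utility_Htaccess::$prevent_wp_file_access_marker_start . PHP_EOL; //Add feature marker start
+$rules .= '<files license.txt>
+order allow,deny
+deny from all
+</files>
+<files wp-config-sample.php>
+order allow,deny
+deny from all
+</files>
+<files readme.html>
+order allow,deny
+deny from all
+</files>' . PHP_EOL;
+$rules .= AIOWPSecurity_Utility_Htaccess::$prevent_wp_file_access_marker_end . PHP_EOL; //Add feature marker end
 }
+
+return $rules;
+}
 
+static function getrules_blacklist()
+{
+global $aio_wp_security;
+@ini_set( 'auto_detect_line_endings', true );
+$aiowps_server = AIOWPSecurity_Utility_Htaccess::get_server_type();
 $rules = '';
 if($aio_wp_security->configs->get_value('aiowps_enable_blacklisting')=='1')
 {
@@ -332,24 +378,6 @@ class AIOWPSecurity_Utility_Htaccess
 global $aio_wp_security;
 @ini_set( 'auto_detect_line_endings', true );
 
-//figure out what server they're using
-if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache'))
-{
-$aiowps_server = 'apache';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx'))
-{
-$aiowps_server = 'nginx';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed'))
-{
-$aiowps_server = 'litespeed';
-}
-else
-{ //unsupported server
-return -1;
-}
-
 $rules = '';
 if($aio_wp_security->configs->get_value('aiowps_enable_basic_firewall')=='1')
 {
@@ -390,24 +418,6 @@ class AIOWPSecurity_Utility_Htaccess
 global $aio_wp_security;
 @ini_set( 'auto_detect_line_endings', true );
 
-//figure out what server they're using
-if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache'))
-{
-$aiowps_server = 'apache';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx'))
-{
-$aiowps_server = 'nginx';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed'))
-{
-$aiowps_server = 'litespeed';
-}
-else
-{ //unsupported server
-return -1;
-}
-
 $rules = '';
 if($aio_wp_security->configs->get_value('aiowps_disable_trace_and_track')=='1')
 {
@@ -432,24 +442,6 @@ class AIOWPSecurity_Utility_Htaccess
 global $aio_wp_security;
 @ini_set( 'auto_detect_line_endings', true );
 
-//figure out what server they're using
-if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache'))
-{
-$aiowps_server = 'apache';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx'))
-{
-$aiowps_server = 'nginx';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed'))
-{
-$aiowps_server = 'litespeed';
-}
-else
-{ //unsupported server
-return -1;
-}
-
 $rules = '';
 if($aio_wp_security->configs->get_value('aiowps_forbid_proxy_comments')=='1')
 {
@@ -476,24 +468,6 @@ class AIOWPSecurity_Utility_Htaccess
 global $aio_wp_security;
 @ini_set( 'auto_detect_line_endings', true );
 
-//figure out what server they're using
-if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache'))
-{
-$aiowps_server = 'apache';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx'))
-{
-$aiowps_server = 'nginx';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed'))
-{
-$aiowps_server = 'litespeed';
-}
-else
-{ //unsupported server
-return -1;
-}
-
 $rules = '';
 if($aio_wp_security->configs->get_value('aiowps_deny_bad_query_strings')=='1')
 {
@@ -540,24 +514,6 @@ class AIOWPSecurity_Utility_Htaccess
 global $aio_wp_security;
 @ini_set( 'auto_detect_line_endings', true );
 
-//figure out what server they're using
-if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache'))
-{
-$aiowps_server = 'apache';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx'))
-{
-$aiowps_server = 'nginx';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed'))
-{
-$aiowps_server = 'litespeed';
-}
-else
-{ //unsupported server
-return -1;
-}
-
 $rules = '';
 if($aio_wp_security->configs->get_value('aiowps_advanced_char_string_filter')=='1')
 {
@@ -647,24 +603,6 @@ class AIOWPSecurity_Utility_Htaccess
 global $aio_wp_security;
 @ini_set( 'auto_detect_line_endings', true );
 
-//figure out what server they're using
-if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache'))
-{
-$aiowps_server = 'apache';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx'))
-{
-$aiowps_server = 'nginx';
-}
-else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed'))
-{
-$aiowps_server = 'litespeed';
-}
-else
-{ //unsupported server
-return -1;
-}
-
 $rules = '';
 if($aio_wp_security->configs->get_value('aiowps_enable_5g_firewall')=='1')
 {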
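Review bot: getrules_block_wp_file_access() emits only the Apache 2.2 `order allow,deny` / `deny from all` form, which on Apache 2.4 without mod_access_compat is a configuration error that turns every request into a 500, so ticking this checkbox can take the whole site down instead of hiding three files; wrap the rules in `<IfModule mod_authz_core.c>` / `<IfModule !mod_authz_core.c>` so both Apache generations receive a valid directive (sketched below). write_to_htaccess() also proceeds when get_server_type() returns 'nginx', where .htaccess is never consulted, so on that server the rules are inert and the feature is better refused or flagged than silently written. Separately, the six trailing hunks delete each function's `$aiowps_server = ...` assignment while only getrules_blacklist() is shown re-acquiring it from get_server_type(); if any of those function bodies (which continue outside the hunks) still reads `$aiowps_server`, it is now undefined — worth a grep before release. The enclosing functions start or end outside the hunks shown.
```php
$rules .= AIOWPSecurity_Utility_Htaccess::$prevent_wp_file_access_marker_start . PHP_EOL; //Add feature marker start
$rules .= '<FilesMatch "^(readme\.html|license\.txt|wp-config-sample\.php)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</FilesMatch>' . PHP_EOL;
$rules .= AIOWPSecurity_Utility_Htaccess::$prevent_wp_file_access_marker_end . PHP_EOL; //Add feature marker end
```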
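--- a/readme.txt
+++ b/readme.txt
@@ -1,33 +1,33 @@
 === All In One WP Security & Firewall ===
 Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin
-Donate link: http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
-Tags: security, Anti Virus, antivirus, virus, firewall, secure, login, lockdown, htaccess, hacking, malware, vulnerability, protect, phishing, database, backup, plugin
+Donate link: http://www.tipsandtricks-hq.com
+Tags: security, secure, Anti Virus, antivirus, virus, firewall, login, lockdown, htaccess, hacking, ban hacker, malware, vulnerability, protect, phishing, database, backup, plugin, sql injection
 Requires at least: 3.5
 Tested up to: 3.6
-Stable tag: 1.0
+Stable tag: 1.1
 License: GPLv3
 
-A comprehensive, user-friendly, all in one security and firewall plugin for your WordPress site.
+A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
 
 == Description ==
 = A COMPREHENSIVE, EASY TO USE AND WELL SUPPORTED WORDPRESS SECURITY PLUGIN =
 
 WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a security plugin that enforces a lot of good security practices.
 
-The All In One WP Security plugin will take your website security to a whole new level.
+The All In One WordPress Security plugin will take your website security to a whole new level.
 
 This plugin is designed and written by experts and is easy to use and understand.
 
 It offers the latest recommended WordPress security practices and techniques.
 
+http://www.youtube.com/watch?v=CJvCTlVtazA
+
 All In One WP Security also uses an unprecedented security points grading system to measure how well you are protecting your site based on the security features you have activated.
 
+Our security and firewall rules are categorized into "basic", "intermediate" and "advanced". This way you can apply the firewall rules progressively without breaking your site's functionality.
+
 Below is a list of the security and firewall features offered in this plugin:
 
-= .htaccess and wp-config.php settings =
-* Easily backup your original .htaccess and wp-config.php files in case you will need to use them to restore broken functionality.
-* Modify the contents of the currently active .htaccess or wp-config.php from the admin dashboard with only a few clicks
-
 = User Accounts Security =
 * Detect if there is a user account which has the default "admin" username and easily change the username to a value of your choice.
 * The plugin will also detect if you have any WordPress user accounts which have identical login and display names. Having account's where display name is identical to login name is bad security practice because
@@ -42,20 +42,22 @@ via email whenever somebody gets locked out due to too many login attempts.
 * Force logout of all users after a configurable time period
 
 * Monitor/View failed login attempts which show the user's IP address, User ID/Username and Date/Time of the failed login attempt
+
 * Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
 
 = Database Security =
 * Easily the default WP prefix to a value of your choice with the click of a button.
-
 * Schedule automatic backups and email notifications or make an instant DB backup whenever you want with one click.
 
 = File System Security =
 * Identify files or folders which have permission settings which are not secure and set the permissions to the recommend secure values with click of a button.
 * Protect your PHP code by disabling file editing from the WordPress administration area.
 * Easily view and monitor all host system logs from a single menu page and stay informed of any issues or problems occurring on your server so you can address them quickly.
+* Prevent people from accessing the readme.html, license.txt and wp-config-sample.php files of your WordPress site.
 
-= WhoIs Lookup =
-* Perform a WhoIs lookup of a suspicious host or IP address.
+= htaccess and wp-config.php File Backup and Restore =
+* Easily backup your original .htaccess and wp-config.php files in case you will need to use them to restore broken functionality.
+* Modify the contents of the currently active .htaccess or wp-config.php files from the admin dashboard with only a few clicks
 
 = Blacklist Functionality =
 * Ban users by specifying IP addresses or use a wild card to specify IP ranges.
@@ -63,6 +65,10 @@ via email whenever somebody gets locked out due to too many login attempts.
 * Monitor the most active IP addresses which persistently produce the most SPAM comments and instantly block them with the click of a button.
 
 = Firewall Functionality =
+
+This plugin allows you to easily add a lot of firewall protection to your site via htaccess file. An htaccess file is processed by your web server before any other code on your site.
+So these firewall rules will stop malicious script(s) before it gets a chance to reach the WordPress code on your site.
+
 * Instantly activate a selection of firewall settings ranging from basic, intermediate and advanced.
 * Enable the famous "5G Blacklist" Firewall rules courtesy of [Perishable Press](http://perishablepress.com/)
 * Forbid proxy comment posting
@@ -70,11 +76,14 @@ via email whenever somebody gets locked out due to too many login attempts.
 * Deny bad or malicious query strings
 * Protect against Cross Site Scripting (XSS) by activating the comprehensive advanced character string filter.
 
-= Other Benefits =
+= WhoIs Lookup =
+* Perform a WhoIs lookup of a suspicious host or IP address and get full details.
+
 = Regular updates and additions of new security features =
 * WordPress Security is something that evolves over time. We will be updating the All In One WP Security plugin with new security features (and fixes if required) on a regular basis so you can rest assured that your site will be on the cutting edge of security protection techniques.
+
+= Works with Most Popular WordPress Plugins =
 * It should work smoothly with most popular WordPress plugins.
-* Our firewall rules are categorized into "basic", "intermediate" and "advanced". This way you can apply the firewall rules progressively without breaking your site's functionality.
 
 = Plugin Support =
 * If you have a question or problem with the All In One Security plugin, post it on the support forum and we will help you.
@@ -82,20 +91,23 @@ via email whenever somebody gets locked out due to too many login attempts.
 = Translations =
 * All In One WP Security plugin can be translated to any language.
 
+Visit the [WordPress Security Plugin](http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin) page for more details.
+
 == Installation ==
 
 To begin making your WordPress site more secure:
 
 1. Upload the 'all-in-one-wp-security.zip' file from the Plugins->Add New page in the WordPress administration panel.
 2. Activate the plugin through the 'Plugins' menu in WordPress
-3. Go to Settings menu under 'WP Security' and use the configuration wizard or start configuring the plugin yourself.
+3. Go to Settings menu under 'WP Security' and start activating the security features of the plugin.
 
 == Usage ==
 
 Go to the settings menu after you activate the plugin and follow the instructions.
 
 == Screenshots ==
-None
+Check the following page for screenshots:
+http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
 
 == Frequently Asked Questions ==
 None
@@ -105,5 +117,9 @@ None
 
 == Changelog ==
 
+= 1.1 =
+- Added the following new feature:
+- Prevent people from accessing the readme.html, license.txt and wp-config-sample.php files.
+
 = 1.0 =
 - First commit to the WP repository.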
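--- a/wp-security-core.php
+++ b/wp-security-core.php
@@ -3,7 +3,7 @@
 if (!class_exists('AIO_WP_Security')){
 
 class AIO_WP_Security{
-var $version = '1.0';
+var $version = '1.1';
 var $db_version = '1.2';
 var $plugin_url;
 var $plugin_path;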
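--- a/wp-security.php
+++ b/wp-security.php
@@ -1,7 +1,7 @@
 <?php
 /*
 Plugin Name: All In One WP Security
-Version: v1.0.0
+Version: v1.1
 Plugin URI: http://www.tipsandtricks-hq.com/
 Author: Tips and Tricks HQ, Peter, Ruhul Amin
 Author URI: http://www.tipsandtricks-hq.com/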