All In One WP Security & Firewall - Version 1.3

Version Description

  • Added a new feature to remove the WordPress Generator Meta information from the HTML source of your site.
  • Tweaked the "Advanced Character String Filter" to fix an issue that was affecting plugins such as "Admin Management Xtended" and also pages with keywords such as "password" in the URL.
  • Updated one rule in the "Advanced Character String Filter" feature to make it compatible with W3 Total Cache Plugin's minify feature.
  • Added a "Delete All Failed Login Records" option in the "Failed Login Records" tab. This will delete all entries in the failed logins table and will make it less tedious for users who get a lot of brute force attacks on their site.

Release Info

Developer mra13
Version 1.3

Code changes from version 1.2 to 1.3

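--- a/admin/wp-security-settings-menu.php
+++ b/admin/wp-security-settings-menu.php
@@ -9,12 +9,14 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
  'tab1' => 'General Settings',
  'tab2' => '.htaccess File',
  'tab3' => 'wp-config.php File',
+ 'tab4' => 'WP Meta Info',
  );
 
  var $menu_tabs_handler = array(
  'tab1' => 'render_tab1',
  'tab2' => 'render_tab2',
  'tab3' => 'render_tab3',
+ 'tab4' => 'render_tab4',
  );
 
  function __construct()
@@ -396,6 +398,61 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
  <?php
  }
 
+ function render_tab4()
+ {
+ global $aio_wp_security;
+
+ if(isset($_POST['aiowps_save_remove_wp_meta_info']))//Do form submission tasks
+ {
+ $nonce=$_REQUEST['_wpnonce'];
+ if (!wp_verify_nonce($nonce, 'aiowpsec-remove-wp-meta-info-nonce'))
+ {
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed on remove wp meta info options save!",4);
+ die("Nonce check failed on remove wp meta info options save!");
+ }
+ $aio_wp_security->configs->set_value('aiowps_remove_wp_generator_meta_info',isset($_POST["aiowps_remove_wp_generator_meta_info"])?'1':'');
+ $aio_wp_security->configs->save_config();
+ $this->show_msg_settings_updated();
+ }
+ ?>
+ <h2><?php _e('WP Generator Meta Tag', 'aiowpsecurity')?></h2>
+ <div class="aio_blue_box">
+ <?php
+ echo '<p>'.__('Wordpress generator automatically adds some meta information inside the "head" tags of every page on your site\'s front end. Below is an example of this:', 'aiowpsecurity');
+ echo '<br /><strong>&lt;meta name="generator" content="WordPress 3.5.1" /&gt;</strong>';
+ echo '<br />'.__('The above meta information shows which version of WordPress your site is currently running and thus can help hackers or crawlers scan your site to see if you have an older version of WordPress or one with a known exploit.', 'aiowpsecurity').'
+ <br />'.__('This feature will allow you to remove the WP generator meta info from your site\'s pages.', 'aiowpsecurity').'
+ </p>';
+ ?>
+ </div>
+
+ <div class="postbox">
+ <h3><label for="title"><?php _e('WP Generator Meta Info', 'aiowpsecurity'); ?></label></h3>
+ <div class="inside">
+ <?php
+ //Display security info badge
+ global $aiowps_feature_mgr;
+ $aiowps_feature_mgr->output_feature_details_badge("wp-generator-meta-tag");
+ ?>
+
+ <form action="" method="POST">
+ <?php wp_nonce_field('aiowpsec-remove-wp-meta-info-nonce'); ?>
+ <table class="form-table">
+ <tr valign="top">
+ <th scope="row"><?php _e('Remove WP Generator Meta Info', 'aiowpsecurity')?>:</th>
+ <td>
+ <input name="aiowps_remove_wp_generator_meta_info" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_remove_wp_generator_meta_info')=='1') echo ' checked="checked"'; ?> value="1"/>
+ <span class="description"><?php _e('Check this if you want to remove the meta info produced by WP Generator from all pages', 'aiowpsecurity'); ?></span>
+ </td>
+ </tr>
+ </table>
+ <input type="submit" name="aiowps_save_remove_wp_meta_info" value="<?php _e('Save Settings', 'aiowpsecurity')?>" class="button-primary" />
+ </form>
+ </div></div>
+ <?php
+ }
+
+
  function check_if_wp_config_contents($wp_file)
  {
  $is_wp_config = false;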
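Review bot: In render_tab4 the nonce is verified but `$_REQUEST['_wpnonce']` is read without an isset guard, so a POST that omits the field raises a notice before wp_verify_nonce rejects it, and no capability check is visible before the option is written; `check_admin_referer('aiowpsec-remove-wp-meta-info-nonce')` covers both the missing-field case and the failure path, and `wp_die()` is the WordPress-idiomatic way to abort rather than `die()`. Access may already be gated by the parent AIOWPSecurity_Admin_Menu, which is outside this diff, so the capability point needs confirming. The die() message is the one user-facing string in this tab not wrapped in `__()`, unlike the equivalent message added in wp-security-user-login-menu.php. This diff shows only the option being saved, not the code that actually suppresses the wp_generator output, so the feature's wiring cannot be confirmed here; the help text would also benefit from a caveat that the WordPress version still leaks through readme.html, feeds and the `?ver=` query strings on enqueued assets, so removing the meta tag alone gives limited protection.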
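--- a/admin/wp-security-user-login-menu.php
+++ b/admin/wp-security-user-login-menu.php
@@ -226,6 +226,30 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
 
  function render_tab2()
  {
+ global $aio_wp_security, $wpdb;
+ if (isset($_POST['aiowps_delete_failed_login_records']))
+ {
+ $nonce=$_REQUEST['_wpnonce'];
+ if (!wp_verify_nonce($nonce, 'aiowpsec-delete-failed-login-records-nonce'))
+ {
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed for delete all failed login records operation!",4);
+ die(__('Nonce check failed for delete all failed login records operation!','aiowpsecurity'));
+ }
+ $failed_logins_table = AIOWPSEC_TBL_FAILED_LOGINS;
+ //Delete all records from the failed logins table
+ $result = $wpdb->query("truncate $failed_logins_table");
+
+ if ($result === FALSE)
+ {
+ $aio_wp_security->debug_logger->log_debug("User Login Feature - Delete all failed login records operation failed!",4);
+ $this->show_msg_error(__('User Login Feature - Delete all failed login records operation failed!','aiowpsecurity'));
+ }
+ else
+ {
+ $this->show_msg_updated(__('All records from the Failed Logins table were deleted successfully!','aiowpsecurity'));
+ }
+ }
+
  include_once 'wp-security-list-login-fails.php'; //For rendering the AIOWPSecurity_List_Table in tab2
  $failed_login_list = new AIOWPSecurity_List_Login_Failed_Attempts(); //For rendering the AIOWPSecurity_List_Table in tab2
  if(isset($_REQUEST['action'])) //Do row action tasks for list table form for failed logins
@@ -258,10 +282,24 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
  <?php $failed_login_list->display(); ?>
  </form>
  </div></div>
+ <div class="postbox">
+ <h3><label for="title"><?php _e('Delete All Failed Login Records', 'aiowpsecurity'); ?></label></h3>
+ <div class="inside">
+ <form action="" method="POST">
+ <?php wp_nonce_field('aiowpsec-delete-failed-login-records-nonce'); ?>
+ <table class="form-table">
+ <tr valign="top">
+ <span class="description"><?php _e('Click this button if you wish to delete all failed login records in one go.', 'aiowpsecurity'); ?></span>
+ </tr>
+ </table>
+ <input type="submit" name="aiowps_delete_failed_login_records" value="<?php _e('Delete All Failed Login Records', 'aiowpsecurity')?>" class="button-primary" onclick="return confirm('Are you sure you want to delete all records?')"/>
+ </form>
+ </div></div>
+
  <?php
  }
 
- function render_tab3()
+ function render_tab3()
  {
  global $aio_wp_security;
  if(isset($_POST['aiowpsec_save_force_logout_settings']))//Do form submission tasks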
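Review bot: The new handler in render_tab2 runs `truncate $failed_logins_table` via `$wpdb->query()`; the table name comes from the AIOWPSEC_TBL_FAILED_LOGINS constant rather than request input, so this is not an injection, but TRUNCATE is DDL in MySQL, requires the DROP privilege and is not transactional, whereas `$result = $wpdb->query("DELETE FROM $failed_logins_table");` works with the ordinary row-level grants a WordPress database user is usually given. Because this wipes the records an incident responder would use to reconstruct a brute-force campaign, the success branch should record who did it, for example a debug_logger entry that includes get_current_user_id(); at present only the failure path is logged. As in the settings-menu hunk, `$_REQUEST['_wpnonce']` is read without isset and no capability check is visible, though the parent menu class outside this diff may enforce one. The new postbox markup places a `<span>` directly inside `<tr>` with no `<td>`, which is invalid HTML.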
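--- a/classes/grade-system/wp-security-feature-item-manager.php
+++ b/classes/grade-system/wp-security-feature-item-manager.php
@@ -24,6 +24,9 @@ class AIOWPSecurity_Feature_Item_Manager
  function initialize_features()
  {
  $this->feature_items = array();
+ //Settings Menu Features
+ //WP Generator Meta
+ $this->feature_items[] = new AIOWPSecurity_Feature_Item("wp-generator-meta-tag", "Remove WP Generatore Meta Tag", $this->feature_point_1, $this->sec_level_basic);
 
  //User Accounts Menu Features
  //Change Admin Username
@@ -106,7 +109,12 @@ class AIOWPSecurity_Feature_Item_Manager
  function check_and_set_feature_status()
  {
  foreach($this->feature_items as $item)
- {
+ {
+ if($item->feature_id == "wp-generator-meta-tag")
+ {
+ $this->check_remove_wp_generator_meta_feature($item);
+ }
+
  if($item->feature_id == "user-accounts-change-admin-user")
  {
  $this->check_user_accounts_change_admin_user_feature($item);
@@ -209,6 +217,18 @@ class AIOWPSecurity_Feature_Item_Manager
  return $this->total_achievable_points;
  }
 
+ function check_remove_wp_generator_meta_feature($item)
+ {
+ global $aio_wp_security;
+ if ($aio_wp_security->configs->get_value('aiowps_remove_wp_generator_meta_info') == '1') {
+ $item->set_feature_status($this->feature_active);
+ }
+ else
+ {
+ $item->set_feature_status($this->feature_inactive);
+ }
+ }
+
  function check_user_accounts_change_admin_user_feature($item)
  {
  if (AIOWPSecurity_Utility::check_user_exists('admin')) {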
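Review bot: The feature label added on new line 29, `"Remove WP Generatore Meta Tag"`, carries a typo ("Generatore") that will be displayed on the security-points badge for this feature; it should read `"Remove WP Generator Meta Tag"`. check_and_set_feature_status keeps growing as a chain of string comparisons on feature_id, one `if` per feature, so each new feature touches this method; a map from feature_id to checker method name would let initialize_features register the checker alongside the item, though that is a style point rather than a defect. The foreach body in check_and_set_feature_status continues past the end of the hunk.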
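--- a/classes/wp-security-configure-settings.php
+++ b/classes/wp-security-configure-settings.php
@@ -9,6 +9,9 @@ class AIOWPSecurity_Configure_Settings
  static function set_default_settings()
  {
  global $aio_wp_security;
+ //WP Generator Meta Tag feature
+ $aio_wp_security->configs->set_value('aiowps_remove_wp_generator_meta_info','');//Checkbox
+
  //User password feature
 
  //Lockdown feature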
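--- a/classes/wp-security-utility-htaccess.php
+++ b/classes/wp-security-utility-htaccess.php
@@ -530,71 +530,85 @@ class AIOWPSecurity_Utility_Htaccess
  $rules .= AIOWPSecurity_Utility_Htaccess::$advanced_char_string_filter_marker_start . PHP_EOL; //Add feature marker start
 
  $rules .= '<IfModule mod_alias.c>
- RedirectMatch 403 `
- RedirectMatch 403 {
- RedirectMatch 403 }
- RedirectMatch 403 ~
- RedirectMatch 403 &quot;
- RedirectMatch 403 &lt;
- RedirectMatch 403 &gt;
- RedirectMatch 403 //
- RedirectMatch 403 %0
- RedirectMatch 403 %A
- RedirectMatch 403 %B
- RedirectMatch 403 %C
- RedirectMatch 403 %D
- RedirectMatch 403 %E
- RedirectMatch 403 %F
- RedirectMatch 403 %22
- RedirectMatch 403 %27
- RedirectMatch 403 %28
- RedirectMatch 403 %29
- RedirectMatch 403 %3C
- RedirectMatch 403 %3E
- RedirectMatch 403 %3F
- RedirectMatch 403 %5B
- RedirectMatch 403 %5C
- RedirectMatch 403 %5D
- RedirectMatch 403 %7B
- RedirectMatch 403 %7C
- RedirectMatch 403 %7D
+ RedirectMatch 403 \,
+ RedirectMatch 403 \:
+ RedirectMatch 403 \;
+ RedirectMatch 403 \=
+ RedirectMatch 403 \@
+ RedirectMatch 403 \[
+ RedirectMatch 403 \]
+ RedirectMatch 403 \^
+ RedirectMatch 403 \`
+ RedirectMatch 403 \{
+ RedirectMatch 403 \}
+ RedirectMatch 403 \~
+ RedirectMatch 403 \"
+ RedirectMatch 403 \$
+ RedirectMatch 403 \<
+ RedirectMatch 403 \>
+ RedirectMatch 403 \|
+ RedirectMatch 403 \.\.
+ RedirectMatch 403 \%0
+ RedirectMatch 403 \%A
+ RedirectMatch 403 \%B
+ RedirectMatch 403 \%C
+ RedirectMatch 403 \%D
+ RedirectMatch 403 \%E
+ RedirectMatch 403 \%F
+ RedirectMatch 403 \%22
+ RedirectMatch 403 \%27
+ RedirectMatch 403 \%28
+ RedirectMatch 403 \%29
+ RedirectMatch 403 \%3C
+ RedirectMatch 403 \%3E
+ RedirectMatch 403 \%3F
+ RedirectMatch 403 \%5B
+ RedirectMatch 403 \%5C
+ RedirectMatch 403 \%5D
+ RedirectMatch 403 \%7B
+ RedirectMatch 403 \%7C
+ RedirectMatch 403 \%7D
  # COMMON PATTERNS
- Redirectmatch 403 _vpi
+ Redirectmatch 403 \_vpi
+ RedirectMatch 403 \.inc
  Redirectmatch 403 xAou6
- Redirectmatch 403 db_name
- Redirectmatch 403 /query/
+ Redirectmatch 403 db\_name
+ Redirectmatch 403 select\(
+ Redirectmatch 403 convert\(
+ Redirectmatch 403 \/query\/
  RedirectMatch 403 ImpEvData
- Redirectmatch 403 .XMLHTTP
+ Redirectmatch 403 \.XMLHTTP
  Redirectmatch 403 proxydeny
- RedirectMatch 403 function.
+ RedirectMatch 403 function\.
  Redirectmatch 403 remoteFile
  Redirectmatch 403 servername
- Redirectmatch 403 &amp;rptmode=
- Redirectmatch 403 sys_cpanel
- RedirectMatch 403 db_connect
+ Redirectmatch 403 \&rptmode\=
+ Redirectmatch 403 sys\_cpanel
+ RedirectMatch 403 db\_connect
  RedirectMatch 403 doeditconfig
- RedirectMatch 403 check_proxy
- Redirectmatch 403 system_user
- Redirectmatch 403 /(null)/
+ RedirectMatch 403 check\_proxy
+ Redirectmatch 403 system\_user
+ Redirectmatch 403 \/\(null\)\/
  Redirectmatch 403 clientrequest
- Redirectmatch 403 option_value
- RedirectMatch 403 ref.outcontrol
+ Redirectmatch 403 option\_value
+ RedirectMatch 403 ref\.outcontrol
  # SPECIFIC EXPLOITS
- RedirectMatch 403 errors.
- RedirectMatch 403 config.
- RedirectMatch 403 display.
- RedirectMatch 403 register.
- Redirectmatch 403 password.
- RedirectMatch 403 maincore.
- RedirectMatch 403 authorize.
- Redirectmatch 403 macromates.
- RedirectMatch 403 head_auth.
- RedirectMatch 403 submit_links.
- RedirectMatch 403 change_action.
- Redirectmatch 403 com_facileforms/
- RedirectMatch 403 admin_db_utilities.
- RedirectMatch 403 admin.webring.docs.
- Redirectmatch 403 Table/Latest/index.
+ RedirectMatch 403 errors\.
+ RedirectMatch 403 config\.
+ RedirectMatch 403 include\.
+ RedirectMatch 403 display\.
+ RedirectMatch 403 register\.
+ Redirectmatch 403 password\.
+ RedirectMatch 403 maincore\.
+ RedirectMatch 403 authorize\.
+ Redirectmatch 403 macromates\.
+ RedirectMatch 403 head\_auth\.
+ RedirectMatch 403 submit\_links\.
+ RedirectMatch 403 change\_action\.
+ Redirectmatch 403 com\_facileforms\/
+ RedirectMatch 403 admin\_db\_utilities\.
+ RedirectMatch 403 admin\.webring\.docs\.
+ Redirectmatch 403 Table\/Latest\/index\.
  </IfModule>' . PHP_EOL;
  $rules .= AIOWPSecurity_Utility_Htaccess::$advanced_char_string_filter_marker_end . PHP_EOL; //Add feature marker end
  }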
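Review bot: Besides escaping the regex metacharacters the changelog describes (the unescaped `.` in rules such as `password.` matched any character, which is why URLs merely containing "password" were blocked, and `password\.` fixes that), this hunk introduces rules that were not in 1.2 and are not mentioned in the changelog: `\,`, `\:`, `\;`, `\=`, `\@`, `\^`, `\$`, `\|`, `\.\.`, `\.inc`, `select\(`, `convert\(` and `include\.`, and it drops `//`. Commas, colons and equals signs are legal in URL paths, so those additions can return 403 for legitimate requests and deserve either a changelog line or a comment inside the rule block stating why each was added. As far as I recall, mod_alias applies RedirectMatch to the already percent-decoded request path, in which case the `\%22`, `\%3C`-style entries never fire and the decoded-character rules such as `\"` and `\<` do the work; worth confirming against the Apache versions targeted and documenting either way. The enclosing function starts and ends outside the hunk.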
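--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://www.tipsandtricks-hq.com
  Tags: security, secure, Anti Virus, antivirus, virus, firewall, login, lockdown, htaccess, hacking, ban hacker, malware, vulnerability, protect, phishing, database, backup, plugin, sql injection
  Requires at least: 3.5
  Tested up to: 3.6
- Stable tag: 1.2
+ Stable tag: 1.3
  License: GPLv3
 
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
@@ -117,6 +117,12 @@ None
  None
 
  == Changelog ==
+ = 1.3 =
+ - Added a new feature to remove the WordPress Generator Meta information from the HTML source of your site.
+ - Tweaked the "Advanced Character String Filter" to fix issue which was affecting plugins such as "Admin Management Xtended" and also pages with keywords such as "password" in the URL.
+ - Updated one rule in the "Advanced Character String Filter" feature to make it compatible with W3 Total Cache Plugin's minify feature.
+ - Added a "Delete All Failed Login Records" option in the "Failed Login Records" tab. This will delete all entries in the failed logins table and will make it less tedious for users who get a lot of brute force attacks on their site.
+
  = 1.2 =
  - Moved the rules which disable index views from the "basic firewall" rules to the "additional rules" section. This will prevent any site breakage for
  those who want to enable the basic firewall but do not have "AllowOverride" option enabled in their httpd.conf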
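--- a/wp-security-core.php
+++ b/wp-security-core.php
@@ -3,7 +3,7 @@
  if (!class_exists('AIO_WP_Security')){
 
  class AIO_WP_Security{
- var $version = '1.2';
+ var $version = '1.3';
  var $db_version = '1.2';
  var $plugin_url;
  var $plugin_path;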
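--- a/wp-security.php
+++ b/wp-security.php
@@ -1,7 +1,7 @@
  <?php
  /*
  Plugin Name: All In One WP Security
- Version: v1.2
+ Version: v1.3
  Plugin URI: http://www.tipsandtricks-hq.com/
  Author: Tips and Tricks HQ, Peter, Ruhul Amin
  Author URI: http://www.tipsandtricks-hq.com/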