Version Description
Added new feature - Cookie-based Brute Force Login Attack Prevention. Check under the "Firewall" menu for this new feature. This feature will stop hackers in their tracks when they try to access your wp-admin or login pages. This feature will secure your WordPress backend by enforcing the requirement that anybody trying to access these pages will require a special cookie.
Fixed bug related to setting of default configuration for first-time plugin activation.
Download this release
Release Info
| Developer | mra13 |
| Plugin |  All In One WP Security & Firewall |
| Version | 1.5 |
| Comparing to | |
| See all releases | |
Code changes from version 1.4 to 1.5
- admin/wp-security-admin-init.php +42 -3
- admin/wp-security-firewall-menu.php +186 -0
- admin/wp-security-user-login-menu.php +3 -2
- classes/grade-system/wp-security-feature-item-manager.php +17 -0
- classes/wp-security-configure-settings.php +60 -0
- classes/wp-security-general-init-tasks.php +8 -1
- classes/wp-security-installer.php +74 -73
- classes/wp-security-utility-htaccess.php +30 -1
- classes/wp-security-utility.php +16 -0
- readme.txt +9 -1
- wp-security-core.php +1 -1
- wp-security.php +1 -1
admin/wp-security-admin-init.php
CHANGED
|
@@ -18,6 +18,7 @@ class AIOWPSecurity_Admin_Init
|
|
| 18 |
|
| 19 |
function __construct()
|
| 20 |
{
|
|
|
|
| 21 |
$this->admin_includes();
|
| 22 |
add_action('admin_menu', array(&$this, 'create_admin_menus'));
|
| 23 |
|
|
@@ -25,7 +26,7 @@ class AIOWPSecurity_Admin_Init
|
|
| 25 |
if (isset($_GET['page']) && strpos($_GET['page'], AIOWPSEC_MENU_SLUG_PREFIX ) !== false ) {
|
| 26 |
add_action('admin_print_scripts', array(&$this, 'admin_menu_page_scripts'));
|
| 27 |
add_action('admin_print_styles', array(&$this, 'admin_menu_page_styles'));
|
| 28 |
-
add_action('
|
| 29 |
}
|
| 30 |
}
|
| 31 |
|
|
@@ -54,15 +55,16 @@ class AIOWPSecurity_Admin_Init
|
|
| 54 |
wp_enqueue_style('aiowpsec-admin-css', AIO_WP_SECURITY_URL. '/css/wp-security-admin-styles.css');
|
| 55 |
}
|
| 56 |
|
| 57 |
-
function
|
| 58 |
{
|
| 59 |
$this->aiowps_media_uploader_modification();
|
| 60 |
$this->initialize_feature_manager();
|
|
|
|
| 61 |
}
|
| 62 |
|
| 63 |
-
//For media uploader thickbox - change button text
|
| 64 |
function aiowps_media_uploader_modification()
|
| 65 |
{
|
|
|
|
| 66 |
global $pagenow;
|
| 67 |
if ('media-upload.php' == $pagenow || 'async-upload.php' == $pagenow)
|
| 68 |
{
|
|
@@ -93,6 +95,43 @@ class AIOWPSecurity_Admin_Init
|
|
| 93 |
$GLOBALS['aiowps_feature_mgr'] = $aiowps_feature_mgr;
|
| 94 |
}
|
| 95 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 96 |
function create_admin_menus()
|
| 97 |
{
|
| 98 |
$menu_icon_url = AIO_WP_SECURITY_URL.'/images/plugin-icon.png';
|
| 18 |
|
| 19 |
function __construct()
|
| 20 |
{
|
| 21 |
+
//This class is only initialized if is_admin() is true
|
| 22 |
$this->admin_includes();
|
| 23 |
add_action('admin_menu', array(&$this, 'create_admin_menus'));
|
| 24 |
|
| 26 |
if (isset($_GET['page']) && strpos($_GET['page'], AIOWPSEC_MENU_SLUG_PREFIX ) !== false ) {
|
| 27 |
add_action('admin_print_scripts', array(&$this, 'admin_menu_page_scripts'));
|
| 28 |
add_action('admin_print_styles', array(&$this, 'admin_menu_page_styles'));
|
| 29 |
+
add_action('init', array( &$this, 'init_hook_handler_for_admin_side'));
|
| 30 |
}
|
| 31 |
}
|
| 32 |
|
| 55 |
wp_enqueue_style('aiowpsec-admin-css', AIO_WP_SECURITY_URL. '/css/wp-security-admin-styles.css');
|
| 56 |
}
|
| 57 |
|
| 58 |
+
function init_hook_handler_for_admin_side()
|
| 59 |
{
|
| 60 |
$this->aiowps_media_uploader_modification();
|
| 61 |
$this->initialize_feature_manager();
|
| 62 |
+
$this->do_other_admin_side_init_tasks();
|
| 63 |
}
|
| 64 |
|
|
|
|
| 65 |
function aiowps_media_uploader_modification()
|
| 66 |
{
|
| 67 |
+
//For changing button text inside media uploader (thickbox)
|
| 68 |
global $pagenow;
|
| 69 |
if ('media-upload.php' == $pagenow || 'async-upload.php' == $pagenow)
|
| 70 |
{
|
| 95 |
$GLOBALS['aiowps_feature_mgr'] = $aiowps_feature_mgr;
|
| 96 |
}
|
| 97 |
|
| 98 |
+
function do_other_admin_side_init_tasks()
|
| 99 |
+
{
|
| 100 |
+
if (isset($_GET['page']) && $_GET['page'] == AIOWPSEC_FIREWALL_MENU_SLUG && isset($_GET['tab']) && $_GET['tab'] == 'tab4')
|
| 101 |
+
{
|
| 102 |
+
global $aio_wp_security;
|
| 103 |
+
if(isset($_POST['aiowps_do_cookie_test_for_bfla'])){
|
| 104 |
+
AIOWPSecurity_Utility::set_cookie_value("aiowps_cookie_test", "1");
|
| 105 |
+
$cur_url = "admin.php?page=".AIOWPSEC_FIREWALL_MENU_SLUG."&tab=tab4";
|
| 106 |
+
$redirect_url = AIOWPSecurity_Utility::add_query_data_to_url($cur_url, "aiowps_cookie_test", "1");
|
| 107 |
+
AIOWPSecurity_Utility::redirect_to_url($redirect_url);
|
| 108 |
+
}
|
| 109 |
+
|
| 110 |
+
if(isset($_POST['aiowps_enable_brute_force_attack_prevention']))//Enabling the BFLA feature so drop the cookie again
|
| 111 |
+
{
|
| 112 |
+
$brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']);
|
| 113 |
+
if(empty($brute_force_feature_secret_word)){
|
| 114 |
+
$brute_force_feature_secret_word = "aiowps_secret";
|
| 115 |
+
}
|
| 116 |
+
AIOWPSecurity_Utility::set_cookie_value($brute_force_feature_secret_word, "1");
|
| 117 |
+
}
|
| 118 |
+
|
| 119 |
+
if(isset($_REQUEST['aiowps_cookie_test']))
|
| 120 |
+
{
|
| 121 |
+
$cookie_val = AIOWPSecurity_Utility::get_cookie_value("aiowps_cookie_test");
|
| 122 |
+
if(empty($cookie_val))
|
| 123 |
+
{
|
| 124 |
+
$aio_wp_security->configs->set_value('aiowps_cookie_test_success','');
|
| 125 |
+
}
|
| 126 |
+
else
|
| 127 |
+
{
|
| 128 |
+
$aio_wp_security->configs->set_value('aiowps_cookie_test_success','1');
|
| 129 |
+
}
|
| 130 |
+
$aio_wp_security->configs->save_config();//save the value
|
| 131 |
+
}
|
| 132 |
+
}
|
| 133 |
+
}
|
| 134 |
+
|
| 135 |
function create_admin_menus()
|
| 136 |
{
|
| 137 |
$menu_icon_url = AIO_WP_SECURITY_URL.'/images/plugin-icon.png';
|
admin/wp-security-firewall-menu.php
CHANGED
|
@@ -9,12 +9,14 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 9 |
'tab1' => 'Basic Firewall Rules',
|
| 10 |
'tab2' => 'Additional Firewall Rules',
|
| 11 |
'tab3' => '5G Blacklist Firewall Rules',
|
|
|
|
| 12 |
);
|
| 13 |
|
| 14 |
var $menu_tabs_handler = array(
|
| 15 |
'tab1' => 'render_tab1',
|
| 16 |
'tab2' => 'render_tab2',
|
| 17 |
'tab3' => 'render_tab3',
|
|
|
|
| 18 |
);
|
| 19 |
|
| 20 |
function __construct()
|
|
@@ -154,6 +156,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 154 |
function render_tab2()
|
| 155 |
{
|
| 156 |
global $aio_wp_security;
|
|
|
|
| 157 |
if(isset($_POST['aiowps_apply_additional_firewall_settings']))//Do advanced firewall submission tasks
|
| 158 |
{
|
| 159 |
$nonce=$_REQUEST['_wpnonce'];
|
|
@@ -223,6 +226,11 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 223 |
{
|
| 224 |
$this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
|
| 225 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 226 |
|
| 227 |
}
|
| 228 |
?>
|
|
@@ -481,4 +489,182 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 481 |
<?php
|
| 482 |
}
|
| 483 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 484 |
} //end class
|
| 9 |
'tab1' => 'Basic Firewall Rules',
|
| 10 |
'tab2' => 'Additional Firewall Rules',
|
| 11 |
'tab3' => '5G Blacklist Firewall Rules',
|
| 12 |
+
'tab4' => 'Brute Force Prevention',
|
| 13 |
);
|
| 14 |
|
| 15 |
var $menu_tabs_handler = array(
|
| 16 |
'tab1' => 'render_tab1',
|
| 17 |
'tab2' => 'render_tab2',
|
| 18 |
'tab3' => 'render_tab3',
|
| 19 |
+
'tab4' => 'render_tab4',
|
| 20 |
);
|
| 21 |
|
| 22 |
function __construct()
|
| 156 |
function render_tab2()
|
| 157 |
{
|
| 158 |
global $aio_wp_security;
|
| 159 |
+
$error = '';
|
| 160 |
if(isset($_POST['aiowps_apply_additional_firewall_settings']))//Do advanced firewall submission tasks
|
| 161 |
{
|
| 162 |
$nonce=$_REQUEST['_wpnonce'];
|
| 226 |
{
|
| 227 |
$this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
|
| 228 |
}
|
| 229 |
+
|
| 230 |
+
if($error)
|
| 231 |
+
{
|
| 232 |
+
$this->show_msg_error($error);
|
| 233 |
+
}
|
| 234 |
|
| 235 |
}
|
| 236 |
?>
|
| 489 |
<?php
|
| 490 |
}
|
| 491 |
|
| 492 |
+
function render_tab4()
|
| 493 |
+
{
|
| 494 |
+
global $aio_wp_security;
|
| 495 |
+
|
| 496 |
+
//Save settings for brute force cookie method
|
| 497 |
+
if(isset($_POST['aiowps_apply_cookie_based_bruteforce_firewall']))
|
| 498 |
+
{
|
| 499 |
+
$nonce=$_REQUEST['_wpnonce'];
|
| 500 |
+
if (!wp_verify_nonce($nonce, 'aiowpsec-enable-cookie-based-brute-force-prevention'))
|
| 501 |
+
{
|
| 502 |
+
$aio_wp_security->debug_logger->log_debug("Nonce check failed on enable cookie based brute force prevention feature!",4);
|
| 503 |
+
die("Nonce check failed on enable cookie based brute force prevention feature!");
|
| 504 |
+
}
|
| 505 |
+
|
| 506 |
+
if(isset($_POST['aiowps_enable_brute_force_attack_prevention']))
|
| 507 |
+
{
|
| 508 |
+
$brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']);
|
| 509 |
+
if(empty($brute_force_feature_secret_word)){
|
| 510 |
+
$brute_force_feature_secret_word = "aiowps_secret";
|
| 511 |
+
}
|
| 512 |
+
|
| 513 |
+
if(filter_var($_POST['aiowps_cookie_based_brute_force_redirect_url'], FILTER_VALIDATE_URL))
|
| 514 |
+
{
|
| 515 |
+
$aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url',esc_url_raw($_POST['aiowps_cookie_based_brute_force_redirect_url']));
|
| 516 |
+
}
|
| 517 |
+
else
|
| 518 |
+
{
|
| 519 |
+
$aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1');
|
| 520 |
+
}
|
| 521 |
+
|
| 522 |
+
$aio_wp_security->configs->set_value('aiowps_brute_force_secret_word',$brute_force_feature_secret_word);
|
| 523 |
+
$aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','1');
|
| 524 |
+
|
| 525 |
+
//TODO - pretty up the following messages
|
| 526 |
+
$msg = '<p>'.__('You have successfully enabled the cookie based brute force prevention feature', 'aiowpsecurity').'</p>';
|
| 527 |
+
$msg .= '<p>'.__('From now on you will need to log into your WP Admin using the following URL:', 'aiowpsecurity').'</p>';
|
| 528 |
+
$msg .= '<p><strong>'.AIOWPSEC_WP_URL.'/?'.$brute_force_feature_secret_word.'=1</strong></p>';
|
| 529 |
+
$msg .= '<p>'.__('It is important that you save this URL value somewhere in case you forget it, OR,', 'aiowpsecurity').'</p>';
|
| 530 |
+
$msg .= '<p>'.sprintf( __('simply remember to add a "?%s=1" to your current site URL address.', 'aiowpsecurity'), $brute_force_feature_secret_word).'</p>';
|
| 531 |
+
}
|
| 532 |
+
else
|
| 533 |
+
{
|
| 534 |
+
$aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');
|
| 535 |
+
$msg = __('You have successfully saved cookie based brute force prevention feature settings.', 'aiowpsecurity');
|
| 536 |
+
}
|
| 537 |
+
|
| 538 |
+
$aio_wp_security->configs->save_config();//save the value
|
| 539 |
+
$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
|
| 540 |
+
if ($res){
|
| 541 |
+
echo '<div id="message" class="updated fade"><p>';
|
| 542 |
+
echo $msg;
|
| 543 |
+
echo '</p></div>';
|
| 544 |
+
}
|
| 545 |
+
else if($res == -1){
|
| 546 |
+
$this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
|
| 547 |
+
}
|
| 548 |
+
|
| 549 |
+
}
|
| 550 |
+
|
| 551 |
+
?>
|
| 552 |
+
<h2><?php _e('Brute Force Prevention Firewall Settings', 'aiowpsecurity')?></h2>
|
| 553 |
+
|
| 554 |
+
<div class="aio_blue_box">
|
| 555 |
+
<?php
|
| 556 |
+
//TODO - need to fix the following message
|
| 557 |
+
$backup_tab_link = '<a href="admin.php?page='.AIOWPSEC_SETTINGS_MENU_SLUG.'&tab=tab2" target="_blank">backup</a>';
|
| 558 |
+
$info_msg = sprintf( __('This should not have any impact on your site\'s general functionality but if you wish you can take a %s of your .htaccess file before proceeding.', 'aiowpsecurity'), $backup_tab_link);
|
| 559 |
+
echo '<p>'.__('A Brute Force Attack is when a hacker tries many combinations of usernames and passwords until they succeed in guessing the right combination.', 'aiowpsecurity').
|
| 560 |
+
'<br />'.__('Due to the fact that at any one time there may be many concurrent login attempts occurring on your site via malicious automated robots, this also has a negative impact on your server\'s memory and performance.', 'aiowpsecurity').
|
| 561 |
+
'<br />'.__('The features in this tab will stop the majority of Brute Force Login Attacks at the .htaccess level thus providing even better protection for your WP login page and also reducing the load on your server because the system does not have to run PHP code to process the login attempts.', 'aiowpsecurity').
|
| 562 |
+
'<br />'.$info_msg.'</p>';
|
| 563 |
+
?>
|
| 564 |
+
</div>
|
| 565 |
+
|
| 566 |
+
<div class="postbox">
|
| 567 |
+
<h3><label for="title"><?php _e('Cookie Based Brute Force Login Prevention', 'aiowpsecurity'); ?></label></h3>
|
| 568 |
+
<div class="inside">
|
| 569 |
+
<?php
|
| 570 |
+
//Display security info badge
|
| 571 |
+
global $aiowps_feature_mgr;
|
| 572 |
+
$aiowps_feature_mgr->output_feature_details_badge("firewall-enable-brute-force-attack-prevention");
|
| 573 |
+
?>
|
| 574 |
+
<form action="" method="POST">
|
| 575 |
+
<?php wp_nonce_field('aiowpsec-enable-cookie-based-brute-force-prevention'); ?>
|
| 576 |
+
<table class="form-table">
|
| 577 |
+
<tr valign="top">
|
| 578 |
+
<th scope="row"><?php _e('Enable Brute Force Attack Prevention', 'aiowpsecurity')?>:</th>
|
| 579 |
+
<td>
|
| 580 |
+
<input name="aiowps_enable_brute_force_attack_prevention" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')=='1') echo ' checked="checked"'; ?> value="1"/>
|
| 581 |
+
<span class="description"><?php _e('Check this if you want to protect your login page from Brute Force Attack.', 'aiowpsecurity'); ?></span>
|
| 582 |
+
<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
|
| 583 |
+
<div class="aiowps_more_info_body">
|
| 584 |
+
<p class="description">
|
| 585 |
+
<?php
|
| 586 |
+
_e('This feature will deny access to your WordPress login page for all people except those who have a special cookie in their browser.', 'aiowpsecurity');
|
| 587 |
+
echo '<br />';
|
| 588 |
+
_e('To use this feature do the following:', 'aiowpsecurity');
|
| 589 |
+
echo '<br />';
|
| 590 |
+
_e('1) Enable the checkbox.', 'aiowpsecurity');
|
| 591 |
+
echo '<br />';
|
| 592 |
+
_e('2) Enter a secret word which will be difficult to guess. This secret word will be useful whenever you need to know the special URL which you will use to access the login page (see point below).', 'aiowpsecurity');
|
| 593 |
+
echo '<br />';
|
| 594 |
+
_e('3) You will then be provided with a special login URL. You will need to use this URL to login to your WordPress site instead of the usual login URL. NOTE: The system will deposit a special cookie in your browser which will allow you access to the WordPress administration login page.', 'aiowpsecurity');
|
| 595 |
+
echo '<br />';
|
| 596 |
+
_e('Any person trying to access your login page who does not have the special cookie in their browser will be automatically blocked.', 'aiowpsecurity');
|
| 597 |
+
?>
|
| 598 |
+
</p>
|
| 599 |
+
</div>
|
| 600 |
+
</td>
|
| 601 |
+
</tr>
|
| 602 |
+
<tr valign="top">
|
| 603 |
+
<th scope="row"><?php _e('Secret Word', 'aiowpsecurity')?>:</th>
|
| 604 |
+
<td><input size="40" name="aiowps_brute_force_secret_word" value="<?php echo $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word'); ?>" />
|
| 605 |
+
<span class="description"><?php _e('Choose a secret word which you can use to access your special URL. Your are highly encouraged to choose a word which will be difficult to guess.', 'aiowpsecurity'); ?></span>
|
| 606 |
+
</td>
|
| 607 |
+
</tr>
|
| 608 |
+
<tr valign="top">
|
| 609 |
+
<th scope="row"><?php _e('Re-direct URL', 'aiowpsecurity')?>:</th>
|
| 610 |
+
<td><input size="40" name="aiowps_cookie_based_brute_force_redirect_url" value="<?php echo $aio_wp_security->configs->get_value('aiowps_cookie_based_brute_force_redirect_url'); ?>" />
|
| 611 |
+
<span class="description">
|
| 612 |
+
<?php
|
| 613 |
+
_e('Specify a URL to redirect a hacker to when they try to access your WordPress login page.', 'aiowpsecurity');
|
| 614 |
+
?>
|
| 615 |
+
</span>
|
| 616 |
+
<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
|
| 617 |
+
<div class="aiowps_more_info_body">
|
| 618 |
+
<p class="description">
|
| 619 |
+
<?php
|
| 620 |
+
_e('The URL specified here can be any site\'s URL and does not have to be your own. For example you can be as creative as you like and send hackers to the CIA or NSA home page.', 'aiowpsecurity');
|
| 621 |
+
echo '<br />';
|
| 622 |
+
_e('This field will default to: http://127.0.0.1 if you do not enter a value.', 'aiowpsecurity');
|
| 623 |
+
echo '<br />';
|
| 624 |
+
_e('Useful Tip:', 'aiowpsecurity');
|
| 625 |
+
echo '<br />';
|
| 626 |
+
_e('It\'s a good idea to not redirect attempted brute force login attempts to your site because it increases the load on your server.', 'aiowpsecurity');
|
| 627 |
+
echo '<br />';
|
| 628 |
+
_e('Redirecting a hacker or malicious bot back to "http://127.0.0.1" is ideal because it deflects them back to their own local host and puts the load on their server instead of yours.', 'aiowpsecurity');
|
| 629 |
+
?>
|
| 630 |
+
</p>
|
| 631 |
+
</div>
|
| 632 |
+
|
| 633 |
+
</td>
|
| 634 |
+
</tr>
|
| 635 |
+
</table>
|
| 636 |
+
<?php
|
| 637 |
+
$cookie_test_value = $aio_wp_security->configs->get_value('aiowps_cookie_test_success');
|
| 638 |
+
$bfla_feature_enabled = $aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention');
|
| 639 |
+
if($cookie_test_value == '1' || $bfla_feature_enabled == '1')//If the cookie test is successful or if the feature is already enabled then go ahead as normal
|
| 640 |
+
{
|
| 641 |
+
if (isset($_REQUEST['aiowps_cookie_test']))
|
| 642 |
+
{//Cookie test was just performed and the test succeded
|
| 643 |
+
echo '<div class="aio_green_box"><p>';
|
| 644 |
+
_e('The cookie test was successful. You can now enable this feature.', 'aiowpsecurity');
|
| 645 |
+
echo '</p></div>';
|
| 646 |
+
}
|
| 647 |
+
echo '<input type="submit" name="aiowps_apply_cookie_based_bruteforce_firewall" value="'.__('Save Feature Settings', 'aiowpsecurity').'" class="button-primary" />';
|
| 648 |
+
}
|
| 649 |
+
else
|
| 650 |
+
{
|
| 651 |
+
//Cookie test needs to be performed
|
| 652 |
+
if(isset($_REQUEST['aiowps_cookie_test']) && $cookie_test_value != '1'){//Test failed
|
| 653 |
+
echo '<div class="aio_red_box"><p>';
|
| 654 |
+
_e('The cookie test failed on this server. So this feature cannot be used on this site.', 'aiowpsecurity');
|
| 655 |
+
echo '</p></div>';
|
| 656 |
+
}
|
| 657 |
+
|
| 658 |
+
//TODO - pretty up the message
|
| 659 |
+
echo '<div class="aio_yellow_box"><p>';
|
| 660 |
+
_e("Before using this feature you are required to perform a cookie test first. This is to make sure that your browser cookie is working correctly and that you won't lock yourself out.", 'aiowpsecurity');
|
| 661 |
+
echo '</p></div>';
|
| 662 |
+
echo '<input type="submit" name="aiowps_do_cookie_test_for_bfla" value="'.__('Perform Cookie Test', 'aiowpsecurity').'" class="button-primary" />';
|
| 663 |
+
}
|
| 664 |
+
?>
|
| 665 |
+
</form>
|
| 666 |
+
</div></div>
|
| 667 |
+
<?php
|
| 668 |
+
}
|
| 669 |
+
|
| 670 |
} //end class
|
admin/wp-security-user-login-menu.php
CHANGED
|
@@ -141,10 +141,11 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 141 |
<h2><?php _e('Login Lockdown Configuration', 'aiowpsecurity')?></h2>
|
| 142 |
<div class="aio_blue_box">
|
| 143 |
<?php
|
|
|
|
| 144 |
echo '<p>'.__('One of the ways hackers try to compromise sites is via a ', 'aiowpsecurity').'<strong>'.__('Brute Force Login Attack', 'aiowpsecurity').'</strong>.
|
| 145 |
<br />'.__('This is where attackers use repeated login attempts until they guess the password.', 'aiowpsecurity').'
|
| 146 |
-
<br />'.__('Apart from choosing strong passwords, monitoring and blocking IP addresses which are involved in repeated login failures in a short period of time is a very effective way to stop these types of attacks.', 'aiowpsecurity').
|
| 147 |
-
</p>';
|
| 148 |
?>
|
| 149 |
</div>
|
| 150 |
|
| 141 |
<h2><?php _e('Login Lockdown Configuration', 'aiowpsecurity')?></h2>
|
| 142 |
<div class="aio_blue_box">
|
| 143 |
<?php
|
| 144 |
+
$brute_force_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_FIREWALL_MENU_SLUG.'&tab=tab4">Cookie-Based Brute Force Login Prevention</a>';
|
| 145 |
echo '<p>'.__('One of the ways hackers try to compromise sites is via a ', 'aiowpsecurity').'<strong>'.__('Brute Force Login Attack', 'aiowpsecurity').'</strong>.
|
| 146 |
<br />'.__('This is where attackers use repeated login attempts until they guess the password.', 'aiowpsecurity').'
|
| 147 |
+
<br />'.__('Apart from choosing strong passwords, monitoring and blocking IP addresses which are involved in repeated login failures in a short period of time is a very effective way to stop these types of attacks.', 'aiowpsecurity').
|
| 148 |
+
'<p>'.sprintf( __('You may also want to checkout our %s feature for another secure way to protect against these types of attacks.', 'aiowpsecurity'), $brute_force_login_feature_link).'</p>';
|
| 149 |
?>
|
| 150 |
</div>
|
| 151 |
|
classes/grade-system/wp-security-feature-item-manager.php
CHANGED
|
@@ -63,6 +63,7 @@ class AIOWPSecurity_Feature_Item_Manager
|
|
| 63 |
$this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-basic-rules", "Enable Basic Firewall", $this->feature_point_3, $this->sec_level_basic);
|
| 64 |
|
| 65 |
//Additional and Advanced firewall
|
|
|
|
| 66 |
$this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-disable-index-views", "Disable Index Views", $this->feature_point_1, $this->sec_level_inter);
|
| 67 |
$this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-disable-trace-track", "Disable Trace and Track", $this->feature_point_2, $this->sec_level_advanced);
|
| 68 |
$this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-forbid-proxy-comments", "Forbid Proxy Comments", $this->feature_point_2, $this->sec_level_advanced);
|
|
@@ -164,6 +165,10 @@ class AIOWPSecurity_Feature_Item_Manager
|
|
| 164 |
{
|
| 165 |
$this->check_enable_basic_firewall_feature($item);
|
| 166 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
| 167 |
if($item->feature_id == "firewall-disable-index-views")
|
| 168 |
{
|
| 169 |
$this->check_disable_index_views_firewall_feature($item);
|
|
@@ -394,6 +399,18 @@ class AIOWPSecurity_Feature_Item_Manager
|
|
| 394 |
}
|
| 395 |
}
|
| 396 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 397 |
function check_forbid_proxy_comments_firewall_feature($item)
|
| 398 |
{
|
| 399 |
global $aio_wp_security;
|
| 63 |
$this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-basic-rules", "Enable Basic Firewall", $this->feature_point_3, $this->sec_level_basic);
|
| 64 |
|
| 65 |
//Additional and Advanced firewall
|
| 66 |
+
$this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-enable-brute-force-attack-prevention", "Enable Brute Force Attack Prevention", $this->feature_point_4, $this->sec_level_inter);
|
| 67 |
$this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-disable-index-views", "Disable Index Views", $this->feature_point_1, $this->sec_level_inter);
|
| 68 |
$this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-disable-trace-track", "Disable Trace and Track", $this->feature_point_2, $this->sec_level_advanced);
|
| 69 |
$this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-forbid-proxy-comments", "Forbid Proxy Comments", $this->feature_point_2, $this->sec_level_advanced);
|
| 165 |
{
|
| 166 |
$this->check_enable_basic_firewall_feature($item);
|
| 167 |
}
|
| 168 |
+
if($item->feature_id == "firewall-enable-brute-force-attack-prevention")
|
| 169 |
+
{
|
| 170 |
+
$this->check_enable_bfap_firewall_feature($item);
|
| 171 |
+
}
|
| 172 |
if($item->feature_id == "firewall-disable-index-views")
|
| 173 |
{
|
| 174 |
$this->check_disable_index_views_firewall_feature($item);
|
| 399 |
}
|
| 400 |
}
|
| 401 |
|
| 402 |
+
function check_enable_bfap_firewall_feature($item)
|
| 403 |
+
{
|
| 404 |
+
global $aio_wp_security;
|
| 405 |
+
if ($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention') == '1') {
|
| 406 |
+
$item->set_feature_status($this->feature_active);
|
| 407 |
+
}
|
| 408 |
+
else
|
| 409 |
+
{
|
| 410 |
+
$item->set_feature_status($this->feature_inactive);
|
| 411 |
+
}
|
| 412 |
+
}
|
| 413 |
+
|
| 414 |
function check_forbid_proxy_comments_firewall_feature($item)
|
| 415 |
{
|
| 416 |
global $aio_wp_security;
|
classes/wp-security-configure-settings.php
CHANGED
|
@@ -46,6 +46,9 @@ class AIOWPSecurity_Configure_Settings
|
|
| 46 |
$aio_wp_security->configs->set_value('aiowps_banned_ip_addresses','');
|
| 47 |
|
| 48 |
//Firewall features
|
|
|
|
|
|
|
|
|
|
| 49 |
$aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','');//Checkbox
|
| 50 |
$aio_wp_security->configs->set_value('aiowps_disable_index_views','');//Checkbox
|
| 51 |
$aio_wp_security->configs->set_value('aiowps_disable_trace_and_track','');//Checkbox
|
|
@@ -60,6 +63,63 @@ class AIOWPSecurity_Configure_Settings
|
|
| 60 |
$aio_wp_security->configs->save_config();
|
| 61 |
}
|
| 62 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 63 |
static function turn_off_all_security_features()
|
| 64 |
{
|
| 65 |
AIOWPSecurity_Configure_Settings::set_default_settings();
|
| 46 |
$aio_wp_security->configs->set_value('aiowps_banned_ip_addresses','');
|
| 47 |
|
| 48 |
//Firewall features
|
| 49 |
+
$aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
|
| 50 |
+
$aio_wp_security->configs->set_value('aiowps_brute_force_secret_word','');
|
| 51 |
+
$aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1');
|
| 52 |
$aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','');//Checkbox
|
| 53 |
$aio_wp_security->configs->set_value('aiowps_disable_index_views','');//Checkbox
|
| 54 |
$aio_wp_security->configs->set_value('aiowps_disable_trace_and_track','');//Checkbox
|
| 63 |
$aio_wp_security->configs->save_config();
|
| 64 |
}
|
| 65 |
|
| 66 |
+
static function add_option_values()
|
| 67 |
+
{
|
| 68 |
+
global $aio_wp_security;
|
| 69 |
+
$blog_email_address = get_bloginfo('admin_email'); //Get the blog admin email address - we will use as the default value
|
| 70 |
+
|
| 71 |
+
//WP Generator Meta Tag feature
|
| 72 |
+
$aio_wp_security->configs->add_value('aiowps_remove_wp_generator_meta_info','');//Checkbox
|
| 73 |
+
|
| 74 |
+
//User password feature
|
| 75 |
+
|
| 76 |
+
//Lockdown feature
|
| 77 |
+
$aio_wp_security->configs->add_value('aiowps_enable_login_lockdown','');//Checkbox
|
| 78 |
+
$aio_wp_security->configs->add_value('aiowps_max_login_attempts','3');
|
| 79 |
+
$aio_wp_security->configs->add_value('aiowps_retry_time_period','5');
|
| 80 |
+
$aio_wp_security->configs->add_value('aiowps_lockout_time_length','60');
|
| 81 |
+
$aio_wp_security->configs->add_value('aiowps_set_generic_login_msg','');//Checkbox
|
| 82 |
+
$aio_wp_security->configs->add_value('aiowps_enable_email_notify','');//Checkbox
|
| 83 |
+
$aio_wp_security->configs->add_value('aiowps_email_address',$blog_email_address);//text field
|
| 84 |
+
$aio_wp_security->configs->add_value('aiowps_enable_forced_logout','');//Checkbox
|
| 85 |
+
$aio_wp_security->configs->add_value('aiowps_logout_time_period','60');
|
| 86 |
+
|
| 87 |
+
//DB Security feature
|
| 88 |
+
//$aio_wp_security->configs->add_value('aiowps_new_manual_db_pefix',''); //text field
|
| 89 |
+
$aio_wp_security->configs->add_value('aiowps_enable_random_prefix','');//Checkbox
|
| 90 |
+
$aio_wp_security->configs->add_value('aiowps_enable_automated_backups','');//Checkbox
|
| 91 |
+
$aio_wp_security->configs->add_value('aiowps_db_backup_frequency','4');
|
| 92 |
+
$aio_wp_security->configs->add_value('aiowps_db_backup_interval','2'); //Dropdown box where (0,1,2) => (hours,days,weeks)
|
| 93 |
+
$aio_wp_security->configs->add_value('aiowps_backup_files_stored','2');
|
| 94 |
+
$aio_wp_security->configs->add_value('aiowps_send_backup_email_address','');//Checkbox
|
| 95 |
+
$aio_wp_security->configs->add_value('aiowps_backup_email_address',$blog_email_address);
|
| 96 |
+
|
| 97 |
+
//Filesystem Security feature
|
| 98 |
+
$aio_wp_security->configs->add_value('aiowps_disable_file_editing','');//Checkbox
|
| 99 |
+
$aio_wp_security->configs->add_value('aiowps_prevent_default_wp_file_access','');//Checkbox
|
| 100 |
+
|
| 101 |
+
//Blacklist feature
|
| 102 |
+
$aio_wp_security->configs->add_value('aiowps_enable_blacklisting','');//Checkbox
|
| 103 |
+
$aio_wp_security->configs->add_value('aiowps_banned_ip_addresses','');
|
| 104 |
+
|
| 105 |
+
//Firewall features
|
| 106 |
+
$aio_wp_security->configs->add_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
|
| 107 |
+
$aio_wp_security->configs->add_value('aiowps_brute_force_secret_word','');
|
| 108 |
+
$aio_wp_security->configs->add_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1');
|
| 109 |
+
$aio_wp_security->configs->add_value('aiowps_enable_basic_firewall','');//Checkbox
|
| 110 |
+
$aio_wp_security->configs->add_value('aiowps_disable_index_views','');//Checkbox
|
| 111 |
+
$aio_wp_security->configs->add_value('aiowps_disable_trace_and_track','');//Checkbox
|
| 112 |
+
$aio_wp_security->configs->add_value('aiowps_forbid_proxy_comments','');//Checkbox
|
| 113 |
+
$aio_wp_security->configs->add_value('aiowps_deny_bad_query_strings','');//Checkbox
|
| 114 |
+
$aio_wp_security->configs->add_value('aiowps_advanced_char_string_filter','');//Checkbox
|
| 115 |
+
$aio_wp_security->configs->add_value('aiowps_enable_5g_firewall','');//Checkbox
|
| 116 |
+
|
| 117 |
+
//TODO - keep adding default options for any fields that require it
|
| 118 |
+
|
| 119 |
+
//Save it
|
| 120 |
+
$aio_wp_security->configs->save_config();
|
| 121 |
+
}
|
| 122 |
+
|
| 123 |
static function turn_off_all_security_features()
|
| 124 |
{
|
| 125 |
AIOWPSecurity_Configure_Settings::set_default_settings();
|
classes/wp-security-general-init-tasks.php
CHANGED
|
@@ -9,8 +9,15 @@ class AIOWPSecurity_General_Init_Tasks
|
|
| 9 |
add_filter('the_generator', array(&$this,'remove_wp_generator_meta_info'));
|
| 10 |
}
|
| 11 |
|
| 12 |
-
//
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
|
|
|
|
| 14 |
}
|
| 15 |
|
| 16 |
function remove_wp_generator_meta_info()
|
| 9 |
add_filter('the_generator', array(&$this,'remove_wp_generator_meta_info'));
|
| 10 |
}
|
| 11 |
|
| 12 |
+
//For the cookie based brute force prevention feature
|
| 13 |
+
$bfcf_secret_word = $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word');
|
| 14 |
+
if(isset($_GET[$bfcf_secret_word])){
|
| 15 |
+
//If URL contains secret word in query param then set cookie and then redirect to the login page
|
| 16 |
+
AIOWPSecurity_Utility::set_cookie_value($bfcf_secret_word, "1");
|
| 17 |
+
AIOWPSecurity_Utility::redirect_to_url(AIOWPSEC_WP_URL."/wp-admin");
|
| 18 |
+
}
|
| 19 |
|
| 20 |
+
//Add more tasks that need to be executed at init time
|
| 21 |
}
|
| 22 |
|
| 23 |
function remove_wp_generator_meta_info()
|
classes/wp-security-installer.php
CHANGED
|
@@ -1,73 +1,74 @@
|
|
| 1 |
-
<?php
|
| 2 |
-
|
| 3 |
-
class AIOWPSecurity_Installer
|
| 4 |
-
{
|
| 5 |
-
static function run_installer()
|
| 6 |
-
{
|
| 7 |
-
global $wpdb;
|
| 8 |
-
if (function_exists('is_multisite') && is_multisite())
|
| 9 |
-
{
|
| 10 |
-
// check if it is a network activation - if so, run the activation function for each blog id
|
| 11 |
-
if (isset($_GET['networkwide']) && ($_GET['networkwide'] == 1))
|
| 12 |
-
{
|
| 13 |
-
$old_blog = $wpdb->blogid;
|
| 14 |
-
// Get all blog ids
|
| 15 |
-
$blogids = $wpdb->get_col("SELECT blog_id FROM $wpdb->blogs");
|
| 16 |
-
foreach ($blogids as $blog_id) {
|
| 17 |
-
switch_to_blog($blog_id);
|
| 18 |
-
AIOWPSecurity_Installer::create_db_tables();
|
| 19 |
-
}
|
| 20 |
-
switch_to_blog($old_blog);
|
| 21 |
-
return;
|
| 22 |
-
}
|
| 23 |
-
}
|
| 24 |
-
AIOWPSecurity_Installer::create_db_tables();
|
| 25 |
-
|
| 26 |
-
|
| 27 |
-
|
| 28 |
-
|
| 29 |
-
|
| 30 |
-
|
| 31 |
-
|
| 32 |
-
|
| 33 |
-
|
| 34 |
-
|
| 35 |
-
$
|
| 36 |
-
|
| 37 |
-
|
| 38 |
-
|
| 39 |
-
|
| 40 |
-
|
| 41 |
-
|
| 42 |
-
|
| 43 |
-
|
| 44 |
-
|
| 45 |
-
)
|
| 46 |
-
|
| 47 |
-
|
| 48 |
-
|
| 49 |
-
|
| 50 |
-
|
| 51 |
-
|
| 52 |
-
|
| 53 |
-
|
| 54 |
-
|
| 55 |
-
)
|
| 56 |
-
|
| 57 |
-
|
| 58 |
-
|
| 59 |
-
|
| 60 |
-
|
| 61 |
-
|
| 62 |
-
|
| 63 |
-
|
| 64 |
-
|
| 65 |
-
|
| 66 |
-
|
| 67 |
-
|
| 68 |
-
)
|
| 69 |
-
|
| 70 |
-
|
| 71 |
-
|
| 72 |
-
|
| 73 |
-
}
|
|
|
| 1 |
+
<?php
|
| 2 |
+
|
| 3 |
+
class AIOWPSecurity_Installer
|
| 4 |
+
{
|
| 5 |
+
static function run_installer()
|
| 6 |
+
{
|
| 7 |
+
global $wpdb;
|
| 8 |
+
if (function_exists('is_multisite') && is_multisite())
|
| 9 |
+
{
|
| 10 |
+
// check if it is a network activation - if so, run the activation function for each blog id
|
| 11 |
+
if (isset($_GET['networkwide']) && ($_GET['networkwide'] == 1))
|
| 12 |
+
{
|
| 13 |
+
$old_blog = $wpdb->blogid;
|
| 14 |
+
// Get all blog ids
|
| 15 |
+
$blogids = $wpdb->get_col("SELECT blog_id FROM $wpdb->blogs");
|
| 16 |
+
foreach ($blogids as $blog_id) {
|
| 17 |
+
switch_to_blog($blog_id);
|
| 18 |
+
AIOWPSecurity_Installer::create_db_tables();
|
| 19 |
+
}
|
| 20 |
+
switch_to_blog($old_blog);
|
| 21 |
+
return;
|
| 22 |
+
}
|
| 23 |
+
}
|
| 24 |
+
AIOWPSecurity_Installer::create_db_tables();
|
| 25 |
+
AIOWPSecurity_Configure_Settings::add_option_values();
|
| 26 |
+
}
|
| 27 |
+
|
| 28 |
+
static function create_db_tables()
|
| 29 |
+
{
|
| 30 |
+
//global $wpdb;
|
| 31 |
+
require_once(ABSPATH . 'wp-admin/includes/upgrade.php');
|
| 32 |
+
|
| 33 |
+
//"User Login" related tables
|
| 34 |
+
$lockdown_tbl_name = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
|
| 35 |
+
$failed_login_tbl_name = AIOWPSEC_TBL_FAILED_LOGINS;
|
| 36 |
+
$user_login_activity_tbl_name = AIOWPSEC_TBL_USER_LOGIN_ACTIVITY;
|
| 37 |
+
|
| 38 |
+
$ld_tbl_sql = "CREATE TABLE " . $lockdown_tbl_name . " (
|
| 39 |
+
id bigint(20) NOT NULL AUTO_INCREMENT,
|
| 40 |
+
user_id bigint(20) NOT NULL,
|
| 41 |
+
user_login VARCHAR(150) NOT NULL,
|
| 42 |
+
lockdown_date datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
|
| 43 |
+
release_date datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
|
| 44 |
+
failed_login_ip varchar(100) NOT NULL DEFAULT '',
|
| 45 |
+
PRIMARY KEY (id)
|
| 46 |
+
)ENGINE=MyISAM DEFAULT CHARSET=utf8;";
|
| 47 |
+
dbDelta($ld_tbl_sql);
|
| 48 |
+
|
| 49 |
+
$fl_tbl_sql = "CREATE TABLE " . $failed_login_tbl_name . " (
|
| 50 |
+
id bigint(20) NOT NULL AUTO_INCREMENT,
|
| 51 |
+
user_id bigint(20) NOT NULL,
|
| 52 |
+
user_login VARCHAR(150) NOT NULL,
|
| 53 |
+
failed_login_date datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
|
| 54 |
+
login_attempt_ip varchar(100) NOT NULL DEFAULT '',
|
| 55 |
+
PRIMARY KEY (id)
|
| 56 |
+
)ENGINE=MyISAM DEFAULT CHARSET=utf8;";
|
| 57 |
+
dbDelta($fl_tbl_sql);
|
| 58 |
+
|
| 59 |
+
$ula_tbl_sql = "CREATE TABLE " . $user_login_activity_tbl_name . " (
|
| 60 |
+
id bigint(20) NOT NULL AUTO_INCREMENT,
|
| 61 |
+
user_id bigint(20) NOT NULL,
|
| 62 |
+
user_login VARCHAR(150) NOT NULL,
|
| 63 |
+
login_date datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
|
| 64 |
+
logout_date datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
|
| 65 |
+
login_ip varchar(100) NOT NULL DEFAULT '',
|
| 66 |
+
login_country varchar(150) NOT NULL DEFAULT '',
|
| 67 |
+
browser_type varchar(150) NOT NULL DEFAULT '',
|
| 68 |
+
PRIMARY KEY (id)
|
| 69 |
+
)ENGINE=MyISAM DEFAULT CHARSET=utf8;";
|
| 70 |
+
dbDelta($ula_tbl_sql);
|
| 71 |
+
|
| 72 |
+
update_option("aiowpsec_db_version", AIO_WP_SECURITY_DB_VERSION);
|
| 73 |
+
}
|
| 74 |
+
}
|
classes/wp-security-utility-htaccess.php
CHANGED
|
@@ -16,6 +16,9 @@ class AIOWPSecurity_Utility_Htaccess
|
|
| 16 |
public static $user_agent_blacklist_marker_start = '#AIOWPS_USER_AGENT_BLACKLIST_START';
|
| 17 |
public static $user_agent_blacklist_marker_end = '#AIOWPS_USER_AGENT_BLACKLIST_END';
|
| 18 |
|
|
|
|
|
|
|
|
|
|
| 19 |
public static $disable_index_views_marker_start = '#AIOWPS_DISABLE_INDEX_VIEWS_START';
|
| 20 |
public static $disable_index_views_marker_end = '#AIOWPS_DISABLE_INDEX_VIEWS_END';
|
| 21 |
|
|
@@ -199,6 +202,7 @@ class AIOWPSecurity_Utility_Htaccess
|
|
| 199 |
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_deny_bad_query_strings();
|
| 200 |
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_advanced_character_string_filter();
|
| 201 |
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_5g_blacklist();
|
|
|
|
| 202 |
//TODO: The following utility functions are ready to use when we write the menu pages for these features
|
| 203 |
|
| 204 |
//Add more functions for features as needed
|
|
@@ -405,6 +409,32 @@ class AIOWPSecurity_Utility_Htaccess
|
|
| 405 |
return $rules;
|
| 406 |
}
|
| 407 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 408 |
/*
|
| 409 |
* This function will disable directory listings for all directories, add this line to the
|
| 410 |
* site’s root .htaccess file.
|
|
@@ -424,7 +454,6 @@ class AIOWPSecurity_Utility_Htaccess
|
|
| 424 |
return $rules;
|
| 425 |
}
|
| 426 |
|
| 427 |
-
|
| 428 |
/*
|
| 429 |
* This function will write rules to disable trace and track.
|
| 430 |
* HTTP Trace attack (XST) can be used to return header requests
|
| 16 |
public static $user_agent_blacklist_marker_start = '#AIOWPS_USER_AGENT_BLACKLIST_START';
|
| 17 |
public static $user_agent_blacklist_marker_end = '#AIOWPS_USER_AGENT_BLACKLIST_END';
|
| 18 |
|
| 19 |
+
public static $enable_brute_force_attack_prevention_marker_start = '#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_START';
|
| 20 |
+
public static $disable_brute_force_attack_prevention_marker_end = '#AIOWPS_DISABLE_BRUTE_FORCE_PREVENTION_END';
|
| 21 |
+
|
| 22 |
public static $disable_index_views_marker_start = '#AIOWPS_DISABLE_INDEX_VIEWS_START';
|
| 23 |
public static $disable_index_views_marker_end = '#AIOWPS_DISABLE_INDEX_VIEWS_END';
|
| 24 |
|
| 202 |
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_deny_bad_query_strings();
|
| 203 |
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_advanced_character_string_filter();
|
| 204 |
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_5g_blacklist();
|
| 205 |
+
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_enable_brute_force_prevention();
|
| 206 |
//TODO: The following utility functions are ready to use when we write the menu pages for these features
|
| 207 |
|
| 208 |
//Add more functions for features as needed
|
| 409 |
return $rules;
|
| 410 |
}
|
| 411 |
|
| 412 |
+
/*
|
| 413 |
+
* This function will write some drectives to block all people who do not have a cookie
|
| 414 |
+
* when trying to access the WP login page
|
| 415 |
+
*/
|
| 416 |
+
static function getrules_enable_brute_force_prevention()
|
| 417 |
+
{
|
| 418 |
+
global $aio_wp_security;
|
| 419 |
+
$rules = '';
|
| 420 |
+
if($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')=='1')
|
| 421 |
+
{
|
| 422 |
+
$cookie_name = $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word');
|
| 423 |
+
$redirect_url = $aio_wp_security->configs->get_value('aiowps_cookie_based_brute_force_redirect_url');
|
| 424 |
+
$rules .= AIOWPSecurity_Utility_Htaccess::$enable_brute_force_attack_prevention_marker_start . PHP_EOL; //Add feature marker start
|
| 425 |
+
$rules .= 'RewriteEngine On' . PHP_EOL;
|
| 426 |
+
$rules .= 'RewriteCond %{REQUEST_URI} wp-admin [OR]'. PHP_EOL;
|
| 427 |
+
$rules .= 'RewriteCond %{REQUEST_URI} wp-login'. PHP_EOL;
|
| 428 |
+
$rules .= 'RewriteCond %{HTTP_COOKIE} !'.$cookie_name.'= [NC]' . PHP_EOL;
|
| 429 |
+
$rules .= 'RewriteCond %{HTTP_COOKIE} !aiowps_cookie_test= [NC]' . PHP_EOL;
|
| 430 |
+
$rules .= 'RewriteRule .* '.$redirect_url.' [L]' . PHP_EOL;
|
| 431 |
+
$rules .= AIOWPSecurity_Utility_Htaccess::$disable_brute_force_attack_prevention_marker_end . PHP_EOL; //Add feature marker end
|
| 432 |
+
}
|
| 433 |
+
|
| 434 |
+
return $rules;
|
| 435 |
+
}
|
| 436 |
+
|
| 437 |
+
|
| 438 |
/*
|
| 439 |
* This function will disable directory listings for all directories, add this line to the
|
| 440 |
* site’s root .htaccess file.
|
| 454 |
return $rules;
|
| 455 |
}
|
| 456 |
|
|
|
|
| 457 |
/*
|
| 458 |
* This function will write rules to disable trace and track.
|
| 459 |
* HTTP Trace attack (XST) can be used to return header requests
|
classes/wp-security-utility.php
CHANGED
|
@@ -102,4 +102,20 @@ class AIOWPSecurity_Utility
|
|
| 102 |
return $string;
|
| 103 |
}
|
| 104 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 105 |
}
|
| 102 |
return $string;
|
| 103 |
}
|
| 104 |
|
| 105 |
+
static function set_cookie_value($cookie_name, $cookie_value, $expiry_seconds = 86400, $path = '/', $cookie_domain = '')
|
| 106 |
+
{
|
| 107 |
+
$expiry_time = time() + intval($expiry_seconds);
|
| 108 |
+
if(empty($cookie_domain)){
|
| 109 |
+
$cookie_domain = COOKIE_DOMAIN;
|
| 110 |
+
}
|
| 111 |
+
setcookie($cookie_name, $cookie_value, $expiry_time, $path, $cookie_domain);
|
| 112 |
+
}
|
| 113 |
+
|
| 114 |
+
static function get_cookie_value($cookie_name)
|
| 115 |
+
{
|
| 116 |
+
if(isset($_COOKIE[$cookie_name])){
|
| 117 |
+
return $_COOKIE[$cookie_name];
|
| 118 |
+
}
|
| 119 |
+
return "";
|
| 120 |
+
}
|
| 121 |
}
|
readme.txt
CHANGED
|
@@ -4,7 +4,7 @@ Donate link: http://www.tipsandtricks-hq.com
|
|
| 4 |
Tags: security, secure, Anti Virus, antivirus, virus, firewall, login, lockdown, htaccess, hacking, ban hacker, malware, vulnerability, protect, phishing, database, backup, plugin, sql injection, ssl, restrict
|
| 5 |
Requires at least: 3.5
|
| 6 |
Tested up to: 3.6
|
| 7 |
-
Stable tag: 1.
|
| 8 |
License: GPLv3
|
| 9 |
|
| 10 |
A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
|
|
@@ -76,6 +76,8 @@ So these firewall rules will stop malicious script(s) before it gets a chance to
|
|
| 76 |
* Disable trace and track
|
| 77 |
* Deny bad or malicious query strings
|
| 78 |
* Protect against Cross Site Scripting (XSS) by activating the comprehensive advanced character string filter.
|
|
|
|
|
|
|
| 79 |
|
| 80 |
= WhoIs Lookup =
|
| 81 |
* Perform a WhoIs lookup of a suspicious host or IP address and get full details.
|
|
@@ -122,6 +124,12 @@ None
|
|
| 122 |
|
| 123 |
== Changelog ==
|
| 124 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 125 |
= 1.4 =
|
| 126 |
- Tweaked the "Deny Bad Query Strings" firewall rules so that plugin deletion and update operations from the WordPress plugins menu are not affected.
|
| 127 |
- Fixed a minor bug related to scheduled database backups.
|
| 4 |
Tags: security, secure, Anti Virus, antivirus, virus, firewall, login, lockdown, htaccess, hacking, ban hacker, malware, vulnerability, protect, phishing, database, backup, plugin, sql injection, ssl, restrict
|
| 5 |
Requires at least: 3.5
|
| 6 |
Tested up to: 3.6
|
| 7 |
+
Stable tag: 1.5
|
| 8 |
License: GPLv3
|
| 9 |
|
| 10 |
A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
|
| 76 |
* Disable trace and track
|
| 77 |
* Deny bad or malicious query strings
|
| 78 |
* Protect against Cross Site Scripting (XSS) by activating the comprehensive advanced character string filter.
|
| 79 |
+
* Instantly block Brute Force Login Attacks via our special Cookie-Based Brute Force Login Prevention feature. This firewall functionality will block all login attempts from people
|
| 80 |
+
or malicious bots who do not have a special cookie in their browser. You (the site admin) will know how to set this special cookie and be able to log into your site.
|
| 81 |
|
| 82 |
= WhoIs Lookup =
|
| 83 |
* Perform a WhoIs lookup of a suspicious host or IP address and get full details.
|
| 124 |
|
| 125 |
== Changelog ==
|
| 126 |
|
| 127 |
+
= 1.5 =
|
| 128 |
+
- Added new feature - Cookie-based Brute Force Login Attack Prevention. Check under the "Firewall" menu for this new feature.
|
| 129 |
+
This feature will stop hackers in their tracks when they try to access your wp-admin or login pages. This feature will secure your WordPress backend by enforcing the requirement that anybody trying to access these pages will require a special cookie.
|
| 130 |
+
|
| 131 |
+
- Fixed bug related to setting of default configuration for first-time plugin activation.
|
| 132 |
+
|
| 133 |
= 1.4 =
|
| 134 |
- Tweaked the "Deny Bad Query Strings" firewall rules so that plugin deletion and update operations from the WordPress plugins menu are not affected.
|
| 135 |
- Fixed a minor bug related to scheduled database backups.
|
wp-security-core.php
CHANGED
|
@@ -3,7 +3,7 @@
|
|
| 3 |
if (!class_exists('AIO_WP_Security')){
|
| 4 |
|
| 5 |
class AIO_WP_Security{
|
| 6 |
-
var $version = '1.
|
| 7 |
var $db_version = '1.2';
|
| 8 |
var $plugin_url;
|
| 9 |
var $plugin_path;
|
| 3 |
if (!class_exists('AIO_WP_Security')){
|
| 4 |
|
| 5 |
class AIO_WP_Security{
|
| 6 |
+
var $version = '1.5';
|
| 7 |
var $db_version = '1.2';
|
| 8 |
var $plugin_url;
|
| 9 |
var $plugin_path;
|
wp-security.php
CHANGED
|
@@ -1,7 +1,7 @@
|
|
| 1 |
<?php
|
| 2 |
/*
|
| 3 |
Plugin Name: All In One WP Security
|
| 4 |
-
Version: v1.
|
| 5 |
Plugin URI: http://www.tipsandtricks-hq.com/
|
| 6 |
Author: Tips and Tricks HQ, Peter, Ruhul Amin
|
| 7 |
Author URI: http://www.tipsandtricks-hq.com/
|
| 1 |
<?php
|
| 2 |
/*
|
| 3 |
Plugin Name: All In One WP Security
|
| 4 |
+
Version: v1.5
|
| 5 |
Plugin URI: http://www.tipsandtricks-hq.com/
|
| 6 |
Author: Tips and Tricks HQ, Peter, Ruhul Amin
|
| 7 |
Author URI: http://www.tipsandtricks-hq.com/
|
