All In One WP Security & Firewall

Version Description

Added a new option in the cookie-based Brute Force Login Attack prevention feature to allow users to use this feature together with the WordPress's post/page password protection feature.
Fixed a bug in the 5G firewall rules to so that the printed rules include the correct number of '\' characters.
Fixed a minor bug in the "restore from backed up htaccess file" feature.
Enhanced the "Save current wp-config.php file" feature so it will continue to work with all of the firewall rules active on the site.
Added extra checks to account for some error scenarios caused on some servers when recursive file search is done.

Release Info

Developer	mra13
Plugin	All In One WP Security & Firewall
Version	1.6
Comparing to
See all releases

Code changes from version 1.5 to 1.6

Files changed (15) hide show

admin/wp-security-blacklist-menu.php +5 -0
admin/wp-security-database-menu.php +4 -0
admin/wp-security-filesystem-menu.php +9 -1
admin/wp-security-firewall-menu.php +37 -3
admin/wp-security-settings-menu.php +8 -3
admin/wp-security-user-login-menu.php +11 -0
classes/grade-system/wp-security-feature-item-manager.php +6 -0
classes/wp-security-configure-settings.php +9 -6
classes/wp-security-user-login.php +8 -27
classes/wp-security-utility-file.php +6 -0
classes/wp-security-utility-htaccess.php +11 -9
classes/wp-security-utility-ip-address.php +22 -0
readme.txt +8 -1
wp-security-core.php +1 -1
wp-security.php +1 -1

admin/wp-security-blacklist-menu.php CHANGED Viewed

	@@ -66,6 +66,7 @@ class AIOWPSecurity_Blacklist_Menu extends AIOWPSecurity_Admin_Menu
66	{
67	//if this is the case there is no need to display a "fix permissions" button
68	global $wpdb, $aio_wp_security;

69	$result = 1;
70	if (isset($_POST['aiowps_save_blacklist_settings']))
71	{
	@@ -116,6 +117,10 @@ class AIOWPSecurity_Blacklist_Menu extends AIOWPSecurity_Admin_Menu
116	{
117	$aio_wp_security->configs->set_value('aiowps_enable_blacklisting',isset($_POST["aiowps_enable_blacklisting"])?'1':'');
118	$aio_wp_security->configs->save_config(); //Save the configuration




119	$this->show_msg_settings_updated();
120
121	$write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); //now let's write to the .htaccess file


66	{
67	//if this is the case there is no need to display a "fix permissions" button
68	global $wpdb, $aio_wp_security;
69	+ global $aiowps_feature_mgr;
70	$result = 1;
71	if (isset($_POST['aiowps_save_blacklist_settings']))
72	{

117	{
118	$aio_wp_security->configs->set_value('aiowps_enable_blacklisting',isset($_POST["aiowps_enable_blacklisting"])?'1':'');
119	$aio_wp_security->configs->save_config(); //Save the configuration
120	+
121	+ //Recalculate points after the feature status/options have been altered
122	+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
123	+
124	$this->show_msg_settings_updated();
125
126	$write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); //now let's write to the .htaccess file

admin/wp-security-database-menu.php CHANGED Viewed

	@@ -171,6 +171,7 @@ class AIOWPSecurity_Database_Menu extends AIOWPSecurity_Admin_Menu
171	function render_tab2()
172	{
173	global $aio_wp_security;

174	if (isset($_POST['aiowps_manual_db_backup']))
175	{
176	$nonce=$_REQUEST['_wpnonce'];
	@@ -244,6 +245,9 @@ class AIOWPSecurity_Database_Menu extends AIOWPSecurity_Admin_Menu
244	$aio_wp_security->configs->set_value('aiowps_send_backup_email_address',isset($_POST["aiowps_send_backup_email_address"])?'1':'');
245	$aio_wp_security->configs->set_value('aiowps_backup_email_address',$email_address);
246	$aio_wp_security->configs->save_config();



247	$this->show_msg_settings_updated();
248
249	//Let's check if backup interval was set to less than 24 hours


171	function render_tab2()
172	{
173	global $aio_wp_security;
174	+ global $aiowps_feature_mgr;
175	if (isset($_POST['aiowps_manual_db_backup']))
176	{
177	$nonce=$_REQUEST['_wpnonce'];

245	$aio_wp_security->configs->set_value('aiowps_send_backup_email_address',isset($_POST["aiowps_send_backup_email_address"])?'1':'');
246	$aio_wp_security->configs->set_value('aiowps_backup_email_address',$email_address);
247	$aio_wp_security->configs->save_config();
248	+
249	+ //Recalculate points after the feature status/options have been altered
250	+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
251	$this->show_msg_settings_updated();
252
253	//Let's check if backup interval was set to less than 24 hours

admin/wp-security-filesystem-menu.php CHANGED Viewed

	@@ -155,6 +155,7 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
155	function render_tab2()
156	{
157	global $aio_wp_security;

158
159	if(isset($_POST['aiowps_disable_file_edit']))//Do form submission tasks
160	{
	@@ -178,6 +179,9 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
178	//Save settings if no errors
179	$aio_wp_security->configs->set_value('aiowps_disable_file_editing',isset($_POST["aiowps_disable_file_editing"])?'1':'');
180	$aio_wp_security->configs->save_config();



181	}
182	//$this->show_msg_settings_updated();
183
	@@ -222,6 +226,7 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
222	function render_tab3()
223	{
224	global $aio_wp_security;

225	if(isset($_POST['aiowps_save_wp_file_access_settings']))//Do form submission tasks
226	{
227	$nonce=$_REQUEST['_wpnonce'];
	@@ -243,6 +248,9 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
243
244	//Commit the config settings
245	$aio_wp_security->configs->save_config();



246
247	//Now let's write the applicable rules to the .htaccess file
248	$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
	@@ -329,7 +337,7 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
329	}
330
331	$logResults = AIOWPSecurity_Utility_File::recursive_file_search('error_log', 0, ABSPATH);
332	- if (empty($logResults) \|\| $logResults == NULL \|\| $logResults == '')
333	{
334	$this->show_msg_updated(__('No system logs were found!', 'aiowpsecurity'));
335	}


155	function render_tab2()
156	{
157	global $aio_wp_security;
158	+ global $aiowps_feature_mgr;
159
160	if(isset($_POST['aiowps_disable_file_edit']))//Do form submission tasks
161	{

179	//Save settings if no errors
180	$aio_wp_security->configs->set_value('aiowps_disable_file_editing',isset($_POST["aiowps_disable_file_editing"])?'1':'');
181	$aio_wp_security->configs->save_config();
182	+
183	+ //Recalculate points after the feature status/options have been altered
184	+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
185	}
186	//$this->show_msg_settings_updated();
187

226	function render_tab3()
227	{
228	global $aio_wp_security;
229	+ global $aiowps_feature_mgr;
230	if(isset($_POST['aiowps_save_wp_file_access_settings']))//Do form submission tasks
231	{
232	$nonce=$_REQUEST['_wpnonce'];

248
249	//Commit the config settings
250	$aio_wp_security->configs->save_config();
251	+
252	+ //Recalculate points after the feature status/options have been altered
253	+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
254
255	//Now let's write the applicable rules to the .htaccess file
256	$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();

337	}
338
339	$logResults = AIOWPSecurity_Utility_File::recursive_file_search('error_log', 0, ABSPATH);
340	+ if (empty($logResults) \|\| $logResults == NULL \|\| $logResults == '' \|\| $logResults === FALSE)
341	{
342	$this->show_msg_updated(__('No system logs were found!', 'aiowpsecurity'));
343	}

admin/wp-security-firewall-menu.php CHANGED Viewed

	@@ -68,6 +68,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
68
69	function render_tab1()
70	{

71	global $aio_wp_security;
72	if(isset($_POST['aiowps_apply_basic_firewall_settings']))//Do form submission tasks
73	{
	@@ -90,6 +91,9 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
90
91	//Commit the config settings
92	$aio_wp_security->configs->save_config();



93
94	//Now let's write the applicable rules to the .htaccess file
95	$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
	@@ -121,7 +125,6 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
121	<div class="inside">
122	<?php
123	//Display security info badge
124	- global $aiowps_feature_mgr;
125	$aiowps_feature_mgr->output_feature_details_badge("firewall-basic-rules");
126	?>
127	<form action="" method="POST">
	@@ -492,6 +495,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
492	function render_tab4()
493	{
494	global $aio_wp_security;

495
496	//Save settings for brute force cookie method
497	if(isset($_POST['aiowps_apply_cookie_based_bruteforce_firewall']))
	@@ -522,6 +526,12 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
522	$aio_wp_security->configs->set_value('aiowps_brute_force_secret_word',$brute_force_feature_secret_word);
523	$aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','1');
524






525	//TODO - pretty up the following messages
526	$msg = '<p>'.__('You have successfully enabled the cookie based brute force prevention feature', 'aiowpsecurity').'</p>';
527	$msg .= '<p>'.__('From now on you will need to log into your WP Admin using the following URL:', 'aiowpsecurity').'</p>';
	@@ -536,6 +546,10 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
536	}
537
538	$aio_wp_security->configs->save_config();//save the value




539	$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
540	if ($res){
541	echo '<div id="message" class="updated fade"><p>';
	@@ -613,7 +627,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
613	_e('Specify a URL to redirect a hacker to when they try to access your WordPress login page.', 'aiowpsecurity');
614	?>
615	</span>
616	- <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
617	<div class="aiowps_more_info_body">
618	<p class="description">
619	<?php
	@@ -629,9 +643,29 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
629	?>
630	</p>
631	</div>
632	-
633	</td>
634	</tr>





















635	</table>
636	<?php
637	$cookie_test_value = $aio_wp_security->configs->get_value('aiowps_cookie_test_success');


68
69	function render_tab1()
70	{
71	+ global $aiowps_feature_mgr;
72	global $aio_wp_security;
73	if(isset($_POST['aiowps_apply_basic_firewall_settings']))//Do form submission tasks
74	{

91
92	//Commit the config settings
93	$aio_wp_security->configs->save_config();
94	+
95	+ //Recalculate points after the feature status/options have been altered
96	+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
97
98	//Now let's write the applicable rules to the .htaccess file
99	$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();

125	<div class="inside">
126	<?php
127	//Display security info badge

128	$aiowps_feature_mgr->output_feature_details_badge("firewall-basic-rules");
129	?>
130	<form action="" method="POST">

495	function render_tab4()
496	{
497	global $aio_wp_security;
498	+ global $aiowps_feature_mgr;
499
500	//Save settings for brute force cookie method
501	if(isset($_POST['aiowps_apply_cookie_based_bruteforce_firewall']))

526	$aio_wp_security->configs->set_value('aiowps_brute_force_secret_word',$brute_force_feature_secret_word);
527	$aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','1');
528
529	+ if(isset($_POST['aiowps_brute_force_attack_prevention_pw_protected_exception'])){
530	+ $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','1');
531	+ }else {
532	+ $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','');
533	+ }
534	+
535	//TODO - pretty up the following messages
536	$msg = '<p>'.__('You have successfully enabled the cookie based brute force prevention feature', 'aiowpsecurity').'</p>';
537	$msg .= '<p>'.__('From now on you will need to log into your WP Admin using the following URL:', 'aiowpsecurity').'</p>';

546	}
547
548	$aio_wp_security->configs->save_config();//save the value
549	+
550	+ //Recalculate points after the feature status/options have been altered
551	+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
552	+
553	$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
554	if ($res){
555	echo '<div id="message" class="updated fade"><p>';

627	_e('Specify a URL to redirect a hacker to when they try to access your WordPress login page.', 'aiowpsecurity');
628	?>
629	</span>
630	+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
631	<div class="aiowps_more_info_body">
632	<p class="description">
633	<?php

643	?>
644	</p>
645	</div>

646	</td>
647	</tr>
648	+ <tr valign="top">
649	+ <th scope="row"><?php _e('My Site Has Posts Or Pages Which Are Password Protected', 'aiowpsecurity')?>:</th>
650	+ <td>
651	+ <input name="aiowps_brute_force_attack_prevention_pw_protected_exception" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_brute_force_attack_prevention_pw_protected_exception')=='1') echo ' checked="checked"'; ?> value="1"/>
652	+ <span class="description"><?php _e('Check this if you are using the native WordPress password protection feature for some or all of your blog posts or pages.', 'aiowpsecurity'); ?></span>
653	+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
654	+ <div class="aiowps_more_info_body">
655	+ <p class="description">
656	+ <?php
657	+ _e('In the cases where you are protecting some of your posts or pages using the in-built WordPress password protection feature, a few extra lines of directives and exceptions need to be added to your .htacces file so that people trying to access pages are not automatically blocked.', 'aiowpsecurity');
658	+ echo '<br />';
659	+ _e('By enabling this checkbox the plugin will add the necessary rules and exceptions to your .htacces file so that people trying to access these pages are not automatically blocked.', 'aiowpsecurity');
660	+ echo '<br />';
661	+ echo "<strong>".__('Helpful Tip:', 'aiowpsecurity')."</strong>";
662	+ echo '<br />';
663	+ _e('If you do not use the WordPress password protection feature for your posts or pages then it is highly recommended that you leave this checkbox disabled.', 'aiowpsecurity');
664	+ ?>
665	+ </p>
666	+ </div>
667	+ </td>
668	+ </tr>
669	</table>
670	<?php
671	$cookie_test_value = $aio_wp_security->configs->get_value('aiowps_cookie_test_success');

admin/wp-security-settings-menu.php CHANGED Viewed

	@@ -277,9 +277,9 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
277
278	if ($result)
279	{
280	- if (rename(ABSPATH.'wp-config.php.backup', ABSPATH.'wp-config~~.php.~~backup.txt'))
281	{
282	- $backup_file_url = AIOWPSEC_WP_URL . '/wp-config~~.php.~~backup.txt';
283	echo '<div id="message" class="updated fade"><p>';
284	_e('Your wp-config.php file was successfully backed up! Right click on the following file name and save the backup to your computer.','aiowpsecurity');
285	echo '<p>';
	@@ -401,7 +401,8 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
401	function render_tab4()
402	{
403	global $aio_wp_security;
404	-

405	if(isset($_POST['aiowps_save_remove_wp_meta_info']))//Do form submission tasks
406	{
407	$nonce=$_REQUEST['_wpnonce'];
	@@ -412,6 +413,10 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
412	}
413	$aio_wp_security->configs->set_value('aiowps_remove_wp_generator_meta_info',isset($_POST["aiowps_remove_wp_generator_meta_info"])?'1':'');
414	$aio_wp_security->configs->save_config();




415	$this->show_msg_settings_updated();
416	}
417	?>


277
278	if ($result)
279	{
280	+ if (rename(ABSPATH.'wp-config.php.backup', ABSPATH.'wp-config-backup.txt'))
281	{
282	+ $backup_file_url = AIOWPSEC_WP_URL . '/wp-config-backup.txt';
283	echo '<div id="message" class="updated fade"><p>';
284	_e('Your wp-config.php file was successfully backed up! Right click on the following file name and save the backup to your computer.','aiowpsecurity');
285	echo '<p>';

401	function render_tab4()
402	{
403	global $aio_wp_security;
404	+ global $aiowps_feature_mgr;
405	+
406	if(isset($_POST['aiowps_save_remove_wp_meta_info']))//Do form submission tasks
407	{
408	$nonce=$_REQUEST['_wpnonce'];

413	}
414	$aio_wp_security->configs->set_value('aiowps_remove_wp_generator_meta_info',isset($_POST["aiowps_remove_wp_generator_meta_info"])?'1':'');
415	$aio_wp_security->configs->save_config();
416	+
417	+ //Recalculate points after the feature status/options have been altered
418	+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
419	+
420	$this->show_msg_settings_updated();
421	}
422	?>

admin/wp-security-user-login-menu.php CHANGED Viewed

	@@ -68,6 +68,7 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
68	function render_tab1()
69	{
70	global $aio_wp_security;

71	include_once 'wp-security-list-locked-ip.php'; //For rendering the AIOWPSecurity_List_Table in tab1
72	$locked_ip_list = new AIOWPSecurity_List_Locked_IP(); //For rendering the AIOWPSecurity_List_Table in tab1
73
	@@ -123,6 +124,10 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
123	$aio_wp_security->configs->set_value('aiowps_enable_email_notify',isset($_POST["aiowps_enable_email_notify"])?'1':'');
124	$aio_wp_security->configs->set_value('aiowps_email_address',$email_address);
125	$aio_wp_security->configs->save_config();




126	$this->show_msg_settings_updated();
127	}
128
	@@ -303,6 +308,8 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
303	function render_tab3()
304	{
305	global $aio_wp_security;


306	if(isset($_POST['aiowpsec_save_force_logout_settings']))//Do form submission tasks
307	{
308	$error = '';
	@@ -329,6 +336,10 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
329	$aio_wp_security->configs->set_value('aiowps_logout_time_period',absint($logout_time_period));
330	$aio_wp_security->configs->set_value('aiowps_enable_forced_logout',isset($_POST["aiowps_enable_forced_logout"])?'1':'');
331	$aio_wp_security->configs->save_config();




332	$this->show_msg_settings_updated();
333	}
334	?>


68	function render_tab1()
69	{
70	global $aio_wp_security;
71	+ global $aiowps_feature_mgr;
72	include_once 'wp-security-list-locked-ip.php'; //For rendering the AIOWPSecurity_List_Table in tab1
73	$locked_ip_list = new AIOWPSecurity_List_Locked_IP(); //For rendering the AIOWPSecurity_List_Table in tab1
74

124	$aio_wp_security->configs->set_value('aiowps_enable_email_notify',isset($_POST["aiowps_enable_email_notify"])?'1':'');
125	$aio_wp_security->configs->set_value('aiowps_email_address',$email_address);
126	$aio_wp_security->configs->save_config();
127	+
128	+ //Recalculate points after the feature status/options have been altered
129	+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
130	+
131	$this->show_msg_settings_updated();
132	}
133

308	function render_tab3()
309	{
310	global $aio_wp_security;
311	+ global $aiowps_feature_mgr;
312	+
313	if(isset($_POST['aiowpsec_save_force_logout_settings']))//Do form submission tasks
314	{
315	$error = '';

336	$aio_wp_security->configs->set_value('aiowps_logout_time_period',absint($logout_time_period));
337	$aio_wp_security->configs->set_value('aiowps_enable_forced_logout',isset($_POST["aiowps_enable_forced_logout"])?'1':'');
338	$aio_wp_security->configs->save_config();
339	+
340	+ //Recalculate points after the feature status/options have been altered
341	+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
342	+
343	$this->show_msg_settings_updated();
344	}
345	?>

classes/grade-system/wp-security-feature-item-manager.php CHANGED Viewed

	@@ -107,6 +107,12 @@ class AIOWPSecurity_Feature_Item_Manager
107	<?php
108	}
109






110	function check_and_set_feature_status()
111	{
112	foreach($this->feature_items as $item)


107	<?php
108	}
109
110	+ function check_feature_status_and_recalculate_points()
111	+ {
112	+ $this->check_and_set_feature_status();
113	+ $this->calculate_total_points();
114	+ }
115	+
116	function check_and_set_feature_status()
117	{
118	foreach($this->feature_items as $item)

classes/wp-security-configure-settings.php CHANGED Viewed

	@@ -46,9 +46,6 @@ class AIOWPSecurity_Configure_Settings
46	$aio_wp_security->configs->set_value('aiowps_banned_ip_addresses','');
47
48	//Firewall features
49	- $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
50	- $aio_wp_security->configs->set_value('aiowps_brute_force_secret_word','');
51	- $aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1');
52	$aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','');//Checkbox
53	$aio_wp_security->configs->set_value('aiowps_disable_index_views','');//Checkbox
54	$aio_wp_security->configs->set_value('aiowps_disable_trace_and_track','');//Checkbox
	@@ -56,6 +53,11 @@ class AIOWPSecurity_Configure_Settings
56	$aio_wp_security->configs->set_value('aiowps_deny_bad_query_strings','');//Checkbox
57	$aio_wp_security->configs->set_value('aiowps_advanced_char_string_filter','');//Checkbox
58	$aio_wp_security->configs->set_value('aiowps_enable_5g_firewall','');//Checkbox





59
60	//TODO - keep adding default options for any fields that require it
61
	@@ -103,9 +105,6 @@ class AIOWPSecurity_Configure_Settings
103	$aio_wp_security->configs->add_value('aiowps_banned_ip_addresses','');
104
105	//Firewall features
106	- $aio_wp_security->configs->add_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
107	- $aio_wp_security->configs->add_value('aiowps_brute_force_secret_word','');
108	- $aio_wp_security->configs->add_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1');
109	$aio_wp_security->configs->add_value('aiowps_enable_basic_firewall','');//Checkbox
110	$aio_wp_security->configs->add_value('aiowps_disable_index_views','');//Checkbox
111	$aio_wp_security->configs->add_value('aiowps_disable_trace_and_track','');//Checkbox
	@@ -113,6 +112,10 @@ class AIOWPSecurity_Configure_Settings
113	$aio_wp_security->configs->add_value('aiowps_deny_bad_query_strings','');//Checkbox
114	$aio_wp_security->configs->add_value('aiowps_advanced_char_string_filter','');//Checkbox
115	$aio_wp_security->configs->add_value('aiowps_enable_5g_firewall','');//Checkbox




116
117	//TODO - keep adding default options for any fields that require it
118


46	$aio_wp_security->configs->set_value('aiowps_banned_ip_addresses','');
47
48	//Firewall features



49	$aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','');//Checkbox
50	$aio_wp_security->configs->set_value('aiowps_disable_index_views','');//Checkbox
51	$aio_wp_security->configs->set_value('aiowps_disable_trace_and_track','');//Checkbox

53	$aio_wp_security->configs->set_value('aiowps_deny_bad_query_strings','');//Checkbox
54	$aio_wp_security->configs->set_value('aiowps_advanced_char_string_filter','');//Checkbox
55	$aio_wp_security->configs->set_value('aiowps_enable_5g_firewall','');//Checkbox
56	+ $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
57	+ $aio_wp_security->configs->set_value('aiowps_brute_force_secret_word','');
58	+ $aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1');
59	+ $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
60	+ $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','');//Checkbox
61
62	//TODO - keep adding default options for any fields that require it
63

105	$aio_wp_security->configs->add_value('aiowps_banned_ip_addresses','');
106
107	//Firewall features



108	$aio_wp_security->configs->add_value('aiowps_enable_basic_firewall','');//Checkbox
109	$aio_wp_security->configs->add_value('aiowps_disable_index_views','');//Checkbox
110	$aio_wp_security->configs->add_value('aiowps_disable_trace_and_track','');//Checkbox

112	$aio_wp_security->configs->add_value('aiowps_deny_bad_query_strings','');//Checkbox
113	$aio_wp_security->configs->add_value('aiowps_advanced_char_string_filter','');//Checkbox
114	$aio_wp_security->configs->add_value('aiowps_enable_5g_firewall','');//Checkbox
115	+ $aio_wp_security->configs->add_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
116	+ $aio_wp_security->configs->add_value('aiowps_brute_force_secret_word','');
117	+ $aio_wp_security->configs->add_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1');
118	+ $aio_wp_security->configs->add_value('aiowps_brute_force_attack_prevention_pw_protected_exception','');//Checkbox
119
120	//TODO - keep adding default options for any fields that require it
121

classes/wp-security-user-login.php CHANGED Viewed

	@@ -109,7 +109,8 @@ class AIOWPSecurity_User_Login
109	{
110	global $wpdb;
111	$login_lockdown_table = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
112	- $~~ip_range~~ = ~~$this->get_sanitized_ip_range~~(); //Get the IP ~~range~~ of ~~the current~~ user

113	$locked_user = $wpdb->get_var("SELECT user_id FROM $login_lockdown_table " .
114	"WHERE release_date > now() AND " .
115	"failed_login_IP LIKE '" . $wpdb->escape($ip_range) . "%'");
	@@ -124,8 +125,8 @@ class AIOWPSecurity_User_Login
124	global $wpdb, $aio_wp_security;
125	$failed_logins_table = AIOWPSEC_TBL_FAILED_LOGINS;
126	$login_retry_interval = $aio_wp_security->configs->get_value('aiowps_retry_time_period');
127	-
128	- $ip_range = ~~$this->~~get_sanitized_ip_range(); //Get the IP range of the current user
129	$login_failures = $wpdb->get_var("SELECT COUNT(ID) FROM $failed_logins_table " .
130	"WHERE failed_login_date + INTERVAL " .
131	$login_retry_interval . " MINUTE > now() AND " .
	@@ -141,8 +142,8 @@ class AIOWPSecurity_User_Login
141	global $wpdb, $aio_wp_security;
142	$login_lockdown_table = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
143	$lockout_time_length = $aio_wp_security->configs->get_value('aiowps_lockout_time_length');
144	-
145	- $ip_range = ~~$this->~~get_sanitized_ip_range(); //Get the IP range of the current user
146	$username = sanitize_user($username);
147	$user = get_user_by('login',$username); //Returns WP_User object if exists
148	if ($user)
	@@ -179,7 +180,8 @@ class AIOWPSecurity_User_Login
179	//$login_attempts_permitted = $aio_wp_security->configs->get_value('aiowps_max_login_attempts');
180	//$lockout_time_length = $aio_wp_security->configs->get_value('aiowps_lockout_time_length');
181	$login_fails_table = AIOWPSEC_TBL_FAILED_LOGINS;
182	- $~~ip_range~~ = ~~$this->get_sanitized_ip_range~~(); //Get the IP ~~range~~ of ~~the current~~ user

183
184	$username = sanitize_user($username);
185	$user = get_user_by('login',$username); //Returns WP_User object if it exists
	@@ -201,27 +203,6 @@ class AIOWPSecurity_User_Login
201
202	}
203
204	- /*
205	- * Returns the first three octets of a sanitized IP address so it can used as an IP address range
206	- */
207	- function get_sanitized_ip_range()
208	- {
209	- global $aio_wp_security;
210	- $ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); //Get the IP address of user
211	- $ip_range = '';
212	- $valid_ip = filter_var($ip, FILTER_VALIDATE_IP); //Sanitize the IP address
213	- if ($valid_ip)
214	- {
215	- $ip_range = substr($valid_ip, 0 , strrpos ($valid_ip, ".")); //strip last portion of address to leave an IP range
216	- }
217	- else
218	- {
219	- //Write log if the 'REMOTE_ADDR' contains something which is not an IP
220	- $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_User_Login - Invalid IP received ".$ip,4);
221	- }
222	- return $ip_range;
223	- }
224	-
225	/*
226	* This function queries the aiowps_failed_logins table and returns the number of failures for current IP range within allowed failure period
227	*/


109	{
110	global $wpdb;
111	$login_lockdown_table = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
112	+ $ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); //Get the IP address of user
113	+ $ip_range = AIOWPSecurity_Utility_IP::get_sanitized_ip_range($ip); //Get the IP range of the current user
114	$locked_user = $wpdb->get_var("SELECT user_id FROM $login_lockdown_table " .
115	"WHERE release_date > now() AND " .
116	"failed_login_IP LIKE '" . $wpdb->escape($ip_range) . "%'");

125	global $wpdb, $aio_wp_security;
126	$failed_logins_table = AIOWPSEC_TBL_FAILED_LOGINS;
127	$login_retry_interval = $aio_wp_security->configs->get_value('aiowps_retry_time_period');
128	+ $ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); //Get the IP address of user
129	+ $ip_range = AIOWPSecurity_Utility_IP::get_sanitized_ip_range($ip); //Get the IP range of the current user
130	$login_failures = $wpdb->get_var("SELECT COUNT(ID) FROM $failed_logins_table " .
131	"WHERE failed_login_date + INTERVAL " .
132	$login_retry_interval . " MINUTE > now() AND " .

142	global $wpdb, $aio_wp_security;
143	$login_lockdown_table = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
144	$lockout_time_length = $aio_wp_security->configs->get_value('aiowps_lockout_time_length');
145	+ $ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); //Get the IP address of user
146	+ $ip_range = AIOWPSecurity_Utility_IP::get_sanitized_ip_range($ip); //Get the IP range of the current user
147	$username = sanitize_user($username);
148	$user = get_user_by('login',$username); //Returns WP_User object if exists
149	if ($user)

180	//$login_attempts_permitted = $aio_wp_security->configs->get_value('aiowps_max_login_attempts');
181	//$lockout_time_length = $aio_wp_security->configs->get_value('aiowps_lockout_time_length');
182	$login_fails_table = AIOWPSEC_TBL_FAILED_LOGINS;
183	+ $ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); //Get the IP address of user
184	+ $ip_range = AIOWPSecurity_Utility_IP::get_sanitized_ip_range($ip); //Get the IP range of the current user
185
186	$username = sanitize_user($username);
187	$user = get_user_by('login',$username); //Returns WP_User object if it exists

203
204	}
205





















206	/*
207	* This function queries the aiowps_failed_logins table and returns the number of failures for current IP range within allowed failure period
208	*/

classes/wp-security-utility-file.php CHANGED Viewed

	@@ -56,7 +56,13 @@ class AIOWPSecurity_Utility_File
56	static function recursive_file_search($pattern='*', $flags = 0, $path='')
57	{
58	$paths=glob($path.'*', GLOB_MARK\|GLOB_ONLYDIR\|GLOB_NOSORT);



59	$files=glob($path.$pattern, $flags);



60	foreach ($paths as $path) { $files=array_merge($files,AIOWPSecurity_Utility_File::recursive_file_search($pattern, $flags, $path)); }
61	return $files;
62	}


56	static function recursive_file_search($pattern='*', $flags = 0, $path='')
57	{
58	$paths=glob($path.'*', GLOB_MARK\|GLOB_ONLYDIR\|GLOB_NOSORT);
59	+ if ($paths === FALSE){
60	+ return FALSE;
61	+ }
62	$files=glob($path.$pattern, $flags);
63	+ if ($files === FALSE){
64	+ return FALSE;
65	+ }
66	foreach ($paths as $path) { $files=array_merge($files,AIOWPSecurity_Utility_File::recursive_file_search($pattern, $flags, $path)); }
67	return $files;
68	}

classes/wp-security-utility-htaccess.php CHANGED Viewed

	@@ -17,7 +17,7 @@ class AIOWPSecurity_Utility_Htaccess
17	public static $user_agent_blacklist_marker_end = '#AIOWPS_USER_AGENT_BLACKLIST_END';
18
19	public static $enable_brute_force_attack_prevention_marker_start = '#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_START';
20	- public static $~~disable_brute_force_attack_prevention_marker_end~~ = '#~~AIOWPS_DISABLE_BRUTE_FORCE_PREVENTION_END~~';
21
22	public static $disable_index_views_marker_start = '#AIOWPS_DISABLE_INDEX_VIEWS_START';
23	public static $disable_index_views_marker_end = '#AIOWPS_DISABLE_INDEX_VIEWS_END';
	@@ -423,12 +423,15 @@ class AIOWPSecurity_Utility_Htaccess
423	$redirect_url = $aio_wp_security->configs->get_value('aiowps_cookie_based_brute_force_redirect_url');
424	$rules .= AIOWPSecurity_Utility_Htaccess::$enable_brute_force_attack_prevention_marker_start . PHP_EOL; //Add feature marker start
425	$rules .= 'RewriteEngine On' . PHP_EOL;
426	- $rules .= 'RewriteCond %{REQUEST_URI} wp-admin ~~[OR]~~'. PHP_EOL;
427	- $~~rules .=~~ '~~RewriteCond %{REQUEST_URI} wp-login~~'. ~~PHP_EOL;~~



428	$rules .= 'RewriteCond %{HTTP_COOKIE} !'.$cookie_name.'= [NC]' . PHP_EOL;
429	$rules .= 'RewriteCond %{HTTP_COOKIE} !aiowps_cookie_test= [NC]' . PHP_EOL;
430	$rules .= 'RewriteRule .* '.$redirect_url.' [L]' . PHP_EOL;
431	- $rules .= AIOWPSecurity_Utility_Htaccess::$~~disable_brute_force_attack_prevention_marker_end~~ . PHP_EOL; //Add feature marker end
432	}
433
434	return $rules;
	@@ -669,7 +672,7 @@ class AIOWPSecurity_Utility_Htaccess
669	RewriteCond %{QUERY_STRING} (\"\|%22).*(<\|>\|%3) [NC,OR]
670	RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
671	RewriteCond %{QUERY_STRING} (<\|%3C).script.(>\|%3) [NC,OR]
672	- RewriteCond %{QUERY_STRING} (~~\\\|\.\./\|`\|=\~~'$\|=%27$) [NC,OR]
673	RewriteCond %{QUERY_STRING} (\;\|\'\|\"\|%22).*(union\|select\|insert\|drop\|update\|md5\|benchmark\|or\|and\|if) [NC,OR]
674	RewriteCond %{QUERY_STRING} (base64_encode\|localhost\|mosconfig) [NC,OR]
675	RewriteCond %{QUERY_STRING} (boot\.ini\|echo.*kae\|etc/passwd) [NC,OR]
	@@ -693,8 +696,8 @@ class AIOWPSecurity_Utility_Htaccess
693	RedirectMatch 403 (https?\|ftp\|php)\://
694	RedirectMatch 403 /(https?\|ima\|ucp)/
695	RedirectMatch 403 /(Permanent\|Better)$
696	- RedirectMatch 403 (~~\=\\\~~'~~\|\=\\%~~27~~\|/\\\~~'/?\|\)\.css\()$
697	- RedirectMatch 403 (\,\|\)\+\|/\,/\|\{0\}\|\(/\(~~\|\.\.\.\|\+\+\+\|\\|\|\\\~~"~~\\\~~")
698	RedirectMatch 403 \.(cgi\|asp\|aspx\|cfg\|dll\|exe\|jsp\|mdb\|sql\|ini\|rar)$
699	RedirectMatch 403 /(contac\|fpw\|install\|pingserver\|register)\.php$
700	RedirectMatch 403 (base64\|crossdomain\|localhost\|wwwroot\|e107\_)
	@@ -744,8 +747,7 @@ class AIOWPSecurity_Utility_Htaccess
744	{
745	$is_htaccess = false;
746	$file_contents = file_get_contents($file);
747	-
748	- if (!$file_contents \|\| $file_contents == 0)
749	{
750	return -1;
751	}


17	public static $user_agent_blacklist_marker_end = '#AIOWPS_USER_AGENT_BLACKLIST_END';
18
19	public static $enable_brute_force_attack_prevention_marker_start = '#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_START';
20	+ public static $enable_brute_force_attack_prevention_marker_end = '#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_END';
21
22	public static $disable_index_views_marker_start = '#AIOWPS_DISABLE_INDEX_VIEWS_START';
23	public static $disable_index_views_marker_end = '#AIOWPS_DISABLE_INDEX_VIEWS_END';

423	$redirect_url = $aio_wp_security->configs->get_value('aiowps_cookie_based_brute_force_redirect_url');
424	$rules .= AIOWPSecurity_Utility_Htaccess::$enable_brute_force_attack_prevention_marker_start . PHP_EOL; //Add feature marker start
425	$rules .= 'RewriteEngine On' . PHP_EOL;
426	+ $rules .= 'RewriteCond %{REQUEST_URI} (wp-admin\|wp-login)'. PHP_EOL;// If URI contains wp-admin or wp-login
427	+ if($aio_wp_security->configs->get_value('aiowps_brute_force_attack_prevention_pw_protected_exception')=='1')
428	+ {
429	+ $rules .= 'RewriteCond %{QUERY_STRING} !(action\=postpass)' . PHP_EOL; // Possible workaround for people usign the password protected page/post feature
430	+ }
431	$rules .= 'RewriteCond %{HTTP_COOKIE} !'.$cookie_name.'= [NC]' . PHP_EOL;
432	$rules .= 'RewriteCond %{HTTP_COOKIE} !aiowps_cookie_test= [NC]' . PHP_EOL;
433	$rules .= 'RewriteRule .* '.$redirect_url.' [L]' . PHP_EOL;
434	+ $rules .= AIOWPSecurity_Utility_Htaccess::$enable_brute_force_attack_prevention_marker_end . PHP_EOL; //Add feature marker end
435	}
436
437	return $rules;

672	RewriteCond %{QUERY_STRING} (\"\|%22).*(<\|>\|%3) [NC,OR]
673	RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
674	RewriteCond %{QUERY_STRING} (<\|%3C).script.(>\|%3) [NC,OR]
675	+ RewriteCond %{QUERY_STRING} (\\\\|\.\./\|`\|=\'$\|=%27$) [NC,OR]
676	RewriteCond %{QUERY_STRING} (\;\|\'\|\"\|%22).*(union\|select\|insert\|drop\|update\|md5\|benchmark\|or\|and\|if) [NC,OR]
677	RewriteCond %{QUERY_STRING} (base64_encode\|localhost\|mosconfig) [NC,OR]
678	RewriteCond %{QUERY_STRING} (boot\.ini\|echo.*kae\|etc/passwd) [NC,OR]

696	RedirectMatch 403 (https?\|ftp\|php)\://
697	RedirectMatch 403 /(https?\|ima\|ucp)/
698	RedirectMatch 403 /(Permanent\|Better)$
699	+ RedirectMatch 403 (\=\\\\\\\'\|\=\\\%27\|/\\\\\\\'/?\|\)\.css\()$
700	+ RedirectMatch 403 (\,\|\)\+\|/\,/\|\{0\}\|\(/\(\|\.\.\.\|\+\+\+\|\\|\|\\\\\"\\\\\")
701	RedirectMatch 403 \.(cgi\|asp\|aspx\|cfg\|dll\|exe\|jsp\|mdb\|sql\|ini\|rar)$
702	RedirectMatch 403 /(contac\|fpw\|install\|pingserver\|register)\.php$
703	RedirectMatch 403 (base64\|crossdomain\|localhost\|wwwroot\|e107\_)

747	{
748	$is_htaccess = false;
749	$file_contents = file_get_contents($file);
750	+ if ($file_contents === FALSE \|\| strlen($file_contents) == 0)

751	{
752	return -1;
753	}

classes/wp-security-utility-ip-address.php CHANGED Viewed

@@ -24,6 +24,28 @@ class AIOWPSecurity_Utility_IP
                     return $userIP;
+                }
                 static function create_ip_list_array_from_string_with_newline($ip_addresses)
+                {
                     $ip_list_array = explode(PHP_EOL, $ip_addresses);


24	return $userIP;
25	}
26
27	+ /*
28	+ * Returns the first three octets of a sanitized IP address so it can used as an IP address range
29	+ */
30	+ static function get_sanitized_ip_range($ip)
31	+ {
32	+ global $aio_wp_security;
33	+ //$ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); //Get the IP address of user
34	+ $ip_range = '';
35	+ $valid_ip = filter_var($ip, FILTER_VALIDATE_IP); //Sanitize the IP address
36	+ if ($valid_ip)
37	+ {
38	+ $ip_range = substr($valid_ip, 0 , strrpos ($valid_ip, ".")); //strip last portion of address to leave an IP range
39	+ }
40	+ else
41	+ {
42	+ //Write log if the 'REMOTE_ADDR' contains something which is not an IP
43	+ $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Utility_IP - Invalid IP received ".$ip,4);
44	+ }
45	+ return $ip_range;
46	+ }
47	+
48	+
49	static function create_ip_list_array_from_string_with_newline($ip_addresses)
50	{
51	$ip_list_array = explode(PHP_EOL, $ip_addresses);

readme.txt CHANGED Viewed

	@@ -4,7 +4,7 @@ Donate link: http://www.tipsandtricks-hq.com
4	Tags: security, secure, Anti Virus, antivirus, virus, firewall, login, lockdown, htaccess, hacking, ban hacker, malware, vulnerability, protect, phishing, database, backup, plugin, sql injection, ssl, restrict
5	Requires at least: 3.5
6	Tested up to: 3.6
7	- Stable tag: 1.5
8	License: GPLv3
9
10	A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
	@@ -124,6 +124,13 @@ None
124
125	== Changelog ==
126







127	= 1.5 =
128	- Added new feature - Cookie-based Brute Force Login Attack Prevention. Check under the "Firewall" menu for this new feature.
129	This feature will stop hackers in their tracks when they try to access your wp-admin or login pages. This feature will secure your WordPress backend by enforcing the requirement that anybody trying to access these pages will require a special cookie.


4	Tags: security, secure, Anti Virus, antivirus, virus, firewall, login, lockdown, htaccess, hacking, ban hacker, malware, vulnerability, protect, phishing, database, backup, plugin, sql injection, ssl, restrict
5	Requires at least: 3.5
6	Tested up to: 3.6
7	+ Stable tag: 1.6
8	License: GPLv3
9
10	A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.

124
125	== Changelog ==
126
127	+ = 1.6 =
128	+ - Added a new option in the cookie-based Brute Force Login Attack prevention feature to allow users to use this feature together with the WordPress's post/page password protection feature.
129	+ - Fixed a bug in the 5G firewall rules to so that the printed rules include the correct number of '\' characters.
130	+ - Fixed a minor bug in the "restore from backed up htaccess file" feature.
131	+ - Enhanced the "Save current wp-config.php file" feature so it will continue to work with all of the firewall rules active on the site.
132	+ - Added extra checks to account for some error scenarios caused on some servers when recursive file search is done.
133	+
134	= 1.5 =
135	- Added new feature - Cookie-based Brute Force Login Attack Prevention. Check under the "Firewall" menu for this new feature.
136	This feature will stop hackers in their tracks when they try to access your wp-admin or login pages. This feature will secure your WordPress backend by enforcing the requirement that anybody trying to access these pages will require a special cookie.

wp-security-core.php CHANGED Viewed

	@@ -3,7 +3,7 @@
3	if (!class_exists('AIO_WP_Security')){
4
5	class AIO_WP_Security{
6	- var $version = '1.5';
7	var $db_version = '1.2';
8	var $plugin_url;
9	var $plugin_path;


3	if (!class_exists('AIO_WP_Security')){
4
5	class AIO_WP_Security{
6	+ var $version = '1.6';
7	var $db_version = '1.2';
8	var $plugin_url;
9	var $plugin_path;

wp-security.php CHANGED Viewed

	@@ -1,7 +1,7 @@
1	<?php
2	/*
3	Plugin Name: All In One WP Security
4	- Version: v1.5
5	Plugin URI: http://www.tipsandtricks-hq.com/
6	Author: Tips and Tricks HQ, Peter, Ruhul Amin
7	Author URI: http://www.tipsandtricks-hq.com/


1	<?php
2	/*
3	Plugin Name: All In One WP Security
4	+ Version: v1.6
5	Plugin URI: http://www.tipsandtricks-hq.com/
6	Author: Tips and Tricks HQ, Peter, Ruhul Amin
7	Author URI: http://www.tipsandtricks-hq.com/

All In One WP Security & Firewall - Version 1.6

Version Description

Release Info

Code changes from version 1.5 to 1.6