All In One WP Security & Firewall

Version Description

Fixed a bug for general DB backup functionality.
Fixed multi-site DB backup - the plugin will now backup only the tables relevant for the sub-site in question.
Added blank index.html files in various folders inside the plugin.
Disabled the wp-config.php file backup feature until we find a more secure method of doing the backup.

Release Info

Developer	mra13
Plugin	All In One WP Security & Firewall
Version	2.0
Comparing to
See all releases

Code changes from version 1.9 to 2.0

Files changed (19) hide show

admin/index.html +0 -0
admin/wp-security-database-menu.php +8 -1
admin/wp-security-settings-menu.php +24 -15
admin/wp-security-user-accounts-menu.php +12 -12
backups/index.html +0 -0
classes/index.html +0 -0
classes/wp-security-backup.php +74 -12
classes/wp-security-utility-file.php +19 -0
classes/wp-security-utility.php +25 -1
css/index.html +0 -0
images/index.html +0 -0
index.html +0 -0
js/index.html +0 -0
lib/index.html +0 -0
logs/index.html +0 -0
other-includes/index.html +0 -0
readme.txt +190 -182
wp-security-core.php +1 -1
wp-security.php +1 -1

admin/index.html ADDED Viewed

File without changes

admin/wp-security-database-menu.php CHANGED Viewed

	@@ -196,7 +196,14 @@ class AIOWPSecurity_Database_Menu extends AIOWPSecurity_Admin_Menu
196	if ($result)
197	{
198	$backup_file_name = $aio_wp_security->backup_obj->last_backup_file_name;
199	- ~~$backup_file_url~~ = ~~AIO_WP_SECURITY_URL~~ . ~~'/backups/'. $backup_file_name;~~







200	echo '<div id="message" class="updated fade"><p>';
201	_e('DB Backup was successfully completed! Right click on the following file name and save the backup to your computer.','aiowpsecurity');
202	echo '<p>';


196	if ($result)
197	{
198	$backup_file_name = $aio_wp_security->backup_obj->last_backup_file_name;
199	+ if (function_exists('is_multisite') && is_multisite())
200	+ {
201	+ $backup_file_url = $aio_wp_security->backup_obj->last_backup_file_url_multisite . '/' . $backup_file_name;
202	+ }
203	+ else
204	+ {
205	+ $backup_file_url = AIO_WP_SECURITY_URL . '/backups/'. $backup_file_name;
206	+ }
207	echo '<div id="message" class="updated fade"><p>';
208	_e('DB Backup was successfully completed! Right click on the following file name and save the backup to your computer.','aiowpsecurity');
209	echo '<p>';

admin/wp-security-settings-menu.php CHANGED Viewed

	@@ -136,15 +136,16 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
136
137	if ($result)
138	{
139	- if (~~rename(ABSPATH.'.htaccess.backup', ABSPATH.'htaccess_backup.txt'~~))

140	{
141	- $backup_file_url = AIOWPSEC_WP_URL . '/htaccess_backup.txt';
142	echo '<div id="message" class="updated fade"><p>';
143	- _e('Your .htaccess file was successfully backed up! ~~Right~~ ~~click~~ on the ~~following~~ ~~file~~ ~~name~~ ~~and~~ save the ~~backup~~ to your computer.','aiowpsecurity');
144	- echo '<p>';
145	- _e('Your .htaccess File: ');
146	- echo '<a href="'.$backup_file_url.'" target="_blank">'.$backup_file_url.'</a>';
147	- echo '</p>';
148	echo '</p></div>';
149	}
150	else
	@@ -275,15 +276,16 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
275
276	if ($result)
277	{
278	- if (~~rename(ABSPATH.'wp-config.php.backup', ABSPATH.'wp-config-backup.txt'~~))

279	{
280	- $backup_file_url = ~~AIOWPSEC_WP_URL~~ . '/wp-config-backup.txt';
281	echo '<div id="message" class="updated fade"><p>';
282	- _e('Your wp-config.php file was successfully backed up! ~~Right~~ ~~click~~ on the ~~following~~ ~~file~~ ~~name~~ ~~and~~ save the ~~backup~~ to your computer.','aiowpsecurity');
283	- echo '<p>';
284	- _e('Your wp-config.php File: ');
285	- echo '<a href="'.$backup_file_url.'" target="_blank">'.$backup_file_url.'</a>';
286	- echo '</p>';
287	echo '</p></div>';
288	}
289	else
	@@ -358,7 +360,14 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
358	<form action="" method="POST">
359	<?php wp_nonce_field('aiowpsec-save-wp-config-nonce'); ?>
360	<p class="description"><?php _e('Click the button below to backup and save the currently active wp-config.php file.', 'aiowpsecurity'); ?></p>
361	- <input type="submit" name="aiowps_save_wp_config" value="<?php _e('Backup wp-config.php File', 'aiowpsecurity')?>" class="button-primary" />







362	</form>
363	</div></div>
364	<div class="postbox">


136
137	if ($result)
138	{
139	+ $random_prefix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
140	+ if (rename(ABSPATH.'.htaccess.backup', AIO_WP_SECURITY_BACKUPS_PATH.'/'.$random_prefix.'_htaccess_backup.txt'))
141	{
142	+ // $backup_file_url = AIOWPSEC_WP_URL . '/htaccess_backup.txt';
143	echo '<div id="message" class="updated fade"><p>';
144	+ _e('Your .htaccess file was successfully backed up! Using an FTP program go to the "backups" directory of this plugin to save a copy of the file to your computer.','aiowpsecurity');
145	+ // echo '<p>';
146	+ // _e('Your .htaccess File: ');
147	+ // echo '<a href="'.$backup_file_url.'" target="_blank">'.$backup_file_url.'</a>';
148	+ // echo '</p>';
149	echo '</p></div>';
150	}
151	else

276
277	if ($result)
278	{
279	+ $random_prefix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
280	+ if (rename(ABSPATH.'wp-config.php.backup', AIO_WP_SECURITY_BACKUPS_PATH.'/'.$random_prefix.'_wp-config-backup.txt'))
281	{
282	+ // $backup_file_url = AIO_WP_SECURITY_BACKUPS_PATH . '/wp-config-backup.txt';
283	echo '<div id="message" class="updated fade"><p>';
284	+ _e('Your wp-config.php file was successfully backed up! Using an FTP program go to the "backups" directory of this plugin to save a copy of the file to your computer.','aiowpsecurity');
285	+ // echo '<p>';
286	+ // _e('Your wp-config.php File: ');
287	+ // echo '<a href="'.$backup_file_url.'" target="_blank">'.$backup_file_url.'</a>';
288	+ // echo '</p>';
289	echo '</p></div>';
290	}
291	else

360	<form action="" method="POST">
361	<?php wp_nonce_field('aiowpsec-save-wp-config-nonce'); ?>
362	<p class="description"><?php _e('Click the button below to backup and save the currently active wp-config.php file.', 'aiowpsecurity'); ?></p>
363	+ <!--<input type="submit" name="aiowps_save_wp_config" value="<?php _e('Backup wp-config.php File', 'aiowpsecurity')?>" class="button-primary" /> -->
364	+ <div class="aio_yellow_box">
365	+ <?php
366	+ $info_msg = '<p>'.__('The feature to back up the wp-config.php has currently been disabled in order to prevent a potential security exploit. We are currently in the process of implementing a more secure method which we will release in a future version of the plugin.', 'aiowpsecurity').'</p>';
367	+ echo $info_msg;
368	+ ?>
369	+ </div>
370	+
371	</form>
372	</div></div>
373	<div class="postbox">

admin/wp-security-user-accounts-menu.php CHANGED Viewed

	@@ -91,12 +91,12 @@ class AIOWPSecurity_User_Accounts_Menu extends AIOWPSecurity_Admin_Menu
91	//display a list of all administrator accounts for this site
92	$postbox_title = __('List of Administrator Accounts', 'aiowpsecurity');
93	//TODO: Multi-site: might need to put separate code for multi-site, ie, check if multi-site and then call get_all_admin_accounts($blog_id).
94	- //if (~~is_multisite~~()) { //get admin accounts for current site
95	- // $blog_id = get_current_blog_id();
96	- // $this->postbox($postbox_title, $this->get_all_admin_accounts($blog_id));
97	- //} else {
98	$this->postbox($postbox_title, $this->get_all_admin_accounts());
99	- //}
100	?>
101	<div class="postbox">
102	<h3><label for="title"><?php _e('Change Admin Username', 'aiowpsecurity')?></label></h3>
	@@ -264,6 +264,13 @@ class AIOWPSecurity_User_Accounts_Menu extends AIOWPSecurity_Admin_Menu
264	return $return_msg;
265	}
266







267	//If user is logged in with username "admin" then log user out and send to login page so they can login again
268	if ($username_is_admin) {
269	//Lets logout the user
	@@ -275,13 +282,6 @@ class AIOWPSecurity_User_Accounts_Menu extends AIOWPSecurity_Admin_Menu
275	$logout_url = AIOWPSecurity_Utility::add_query_data_to_url($logout_url, 'al_additional_data', $encrypted_payload);
276	AIOWPSecurity_Utility::redirect_to_url($logout_url);
277	}
278	-
279	- //TODO - multisite considerations
280	- // if ( is_multisite() ) { //process sitemeta if we're in a multi-site situation
281	- // $oldAdmins = $wpdb->get_var( "SELECT meta_value FROM `" . $wpdb->sitemeta . "` WHERE meta_key = 'site_admins'" );
282	- // $newAdmins = str_replace( '5:"admin"', strlen( $newuser ) . ':"' . $wpdb->escape( $new_username ) . '"', $oldAdmins );
283	- // $wpdb->query( "UPDATE `" . $wpdb->sitemeta . "` SET meta_value = '" . $wpdb->escape( $newAdmins ) . "' WHERE meta_key = 'site_admins'" );
284	- // }
285	}
286	}
287	else {//An invalid username was entered


91	//display a list of all administrator accounts for this site
92	$postbox_title = __('List of Administrator Accounts', 'aiowpsecurity');
93	//TODO: Multi-site: might need to put separate code for multi-site, ie, check if multi-site and then call get_all_admin_accounts($blog_id).
94	+ if (AIOWPSecurity_Utility::is_multisite_install()) { //get admin accounts for current site
95	+ $blog_id = get_current_blog_id();
96	+ $this->postbox($postbox_title, $this->get_all_admin_accounts($blog_id));
97	+ } else {
98	$this->postbox($postbox_title, $this->get_all_admin_accounts());
99	+ }
100	?>
101	<div class="postbox">
102	<h3><label for="title"><?php _e('Change Admin Username', 'aiowpsecurity')?></label></h3>

264	return $return_msg;
265	}
266
267	+ //multisite considerations
268	+ if ( AIOWPSecurity_Utility::is_multisite_install() ) { //process sitemeta if we're in a multi-site situation
269	+ $oldAdmins = $wpdb->get_var( "SELECT meta_value FROM `" . $wpdb->sitemeta . "` WHERE meta_key = 'site_admins'" );
270	+ $newAdmins = str_replace( '5:"admin"', strlen( $new_username ) . ':"' . $wpdb->escape( $new_username ) . '"', $oldAdmins );
271	+ $wpdb->query( "UPDATE `" . $wpdb->sitemeta . "` SET meta_value = '" . $wpdb->escape( $newAdmins ) . "' WHERE meta_key = 'site_admins'" );
272	+ }
273	+
274	//If user is logged in with username "admin" then log user out and send to login page so they can login again
275	if ($username_is_admin) {
276	//Lets logout the user

282	$logout_url = AIOWPSecurity_Utility::add_query_data_to_url($logout_url, 'al_additional_data', $encrypted_payload);
283	AIOWPSecurity_Utility::redirect_to_url($logout_url);
284	}







285	}
286	}
287	else {//An invalid username was entered

backups/index.html ADDED Viewed

File without changes

classes/index.html ADDED Viewed

File without changes

classes/wp-security-backup.php CHANGED Viewed

	@@ -3,6 +3,7 @@ class AIOWPSecurity_Backup
3	{
4	var $last_backup_file_name;//Stores the name of the last backup file when execute_backup function is called
5	var $last_backup_file_path;

6
7	function __construct()
8	{
	@@ -15,11 +16,23 @@ class AIOWPSecurity_Backup
15	function execute_backup()
16	{
17	global $wpdb, $aio_wp_security;

18
19	@ini_set( 'auto_detect_line_endings', true );













20
21	- //get all of the tables
22	- $tables = $wpdb->get_results( 'SHOW TABLES', ARRAY_N );
23	$return = '';
24
25	//cycle through each table
	@@ -58,9 +71,52 @@ class AIOWPSecurity_Backup
58	}
59	$return .= PHP_EOL . PHP_EOL;
60
61	- //~~save~~ ~~file~~
62	- ~~$file~~ ~~= 'database-backup-' . current_time~~( ~~'timestamp'~~ );
63	- ~~$handle = @fopen( AIO_WP_SECURITY_BACKUPS_PATH . '/' . $file . '.sql', 'w+' );~~











































64	$fw_res = @fwrite( $handle, $return );
65	if (!$fw_res)
66	{
	@@ -72,20 +128,24 @@ class AIOWPSecurity_Backup
72	if ( class_exists( 'ZipArchive' ) )
73	{
74	$zip = new ZipArchive();
75	- $archive = $zip->open(~~AIO_WP_SECURITY_BACKUPS_PATH~~ . '/' . $file . '.zip', ZipArchive::CREATE);
76	- $zip->addFile(~~AIO_WP_SECURITY_BACKUPS_PATH~~ . '/' . $file . '.sql', $file . '.sql' );
77	$zip->close();
78
79	//delete .sql and keep zip
80	- @unlink( ~~AIO_WP_SECURITY_BACKUPS_PATH~~ . '/' . $file . '.sql' );
81	$fileext = '.zip';
82	} else
83	{
84	$fileext = '.sql';
85	}
86	$this->last_backup_file_name = $file . $fileext;//database-backup-1367644822.zip or database-backup-1367644822.sql
87	- $this->last_backup_file_path = ~~AIO_WP_SECURITY_BACKUPS_PATH~~. '/' . $file . $fileext;
88	-




89	$this->aiowps_send_backup_email(); //Send backup file via email if applicable
90	$this->aiowps_delete_backup_files();
91	return true;
	@@ -120,7 +180,9 @@ class AIOWPSecurity_Backup
120	global $aio_wp_security;
121	if ( $aio_wp_security->configs->get_value('aiowps_backup_files_stored') > 0 )
122	{
123	- $~~files~~ = ~~scandir~~( ~~AIO_WP_SECURITY_BACKUPS_PATH. '/', 1~~ );


124
125	$count = 0;
126
	@@ -130,7 +192,7 @@ class AIOWPSecurity_Backup
130	{
131	if ( $count >= $aio_wp_security->configs->get_value('aiowps_backup_files_stored') )
132	{
133	- @unlink( ~~AIO_WP_SECURITY_BACKUPS_PATH~~. '/' . $file );
134	}
135	$count++;
136	}


3	{
4	var $last_backup_file_name;//Stores the name of the last backup file when execute_backup function is called
5	var $last_backup_file_path;
6	+ var $last_backup_file_url_multisite;
7
8	function __construct()
9	{

16	function execute_backup()
17	{
18	global $wpdb, $aio_wp_security;
19	+ $is_multi_site = false;
20
21	@ini_set( 'auto_detect_line_endings', true );
22	+ if (function_exists('is_multisite') && is_multisite())
23	+ {
24	+ //Let's get the current site's table prefix
25	+ $site_pref = $wpdb->escape($wpdb->prefix);
26	+ $db_query = "SHOW TABLES LIKE '".$site_pref."%'";
27	+ $tables = $wpdb->get_results( $db_query, ARRAY_N );
28	+ $is_multi_site = true;
29	+ }
30	+ else
31	+ {
32	+ //get all of the tables
33	+ $tables = $wpdb->get_results( 'SHOW TABLES', ARRAY_N );
34	+ }
35


36	$return = '';
37
38	//cycle through each table

71	}
72	$return .= PHP_EOL . PHP_EOL;
73
74	+ //Check to see if the main "backups" directory exists - create it otherwise
75	+ if (!AIOWPSecurity_Utility_File::create_dir(AIO_WP_SECURITY_BACKUPS_PATH))
76	+ {
77	+ $aio_wp_security->debug_logger->log_debug("Creation of DB backup directory failed!",4);
78	+ return false;
79	+ }
80	+
81	+ if ($is_multi_site)
82	+ {
83	+ global $current_blog;
84	+ $blog_id = $current_blog->blog_id;
85	+ //Get the current site name string for use later
86	+ $site_name = get_bloginfo('name');
87	+
88	+ $site_name = strtolower($site_name);
89	+
90	+ //make alphaunermic
91	+ $site_name = preg_replace("/[^a-z0-9_\s-]/", "", $site_name);
92	+
93	+ //Cleanup multiple instances of dashes or whitespaces
94	+ $site_name = preg_replace("/[\s-]+/", " ", $site_name);
95	+
96	+ //Convert whitespaces and underscore to dash
97	+ $site_name = preg_replace("/[\s_]/", "-", $site_name);
98	+
99	+ $file = 'database-backup-site-name-' . $site_name . '-' . current_time( 'timestamp' );
100	+
101	+ //We will create a sub dir for the blog using its blog id
102	+ $dirpath = AIO_WP_SECURITY_BACKUPS_PATH . '/blogid_' . $blog_id . '/';
103	+
104	+ //Create a subdirectory for this blog_id
105	+ if (!AIOWPSecurity_Utility_File::create_dir($dirpath))
106	+ {
107	+ $aio_wp_security->debug_logger->log_debug("Creation of DB backup directory for the following multisite blog ID: ".$blog_details->blog_id,4);
108	+ return false;
109	+ }
110	+
111	+ $handle = @fopen( $dirpath . $file . '.sql', 'w+' );
112	+ }
113	+ else
114	+ {
115	+ $dirpath = AIO_WP_SECURITY_BACKUPS_PATH;
116	+ $file = 'database-backup-' . current_time( 'timestamp' );
117	+ $handle = @fopen( $dirpath . '/' . $file . '.sql', 'w+' );
118	+ }
119	+
120	$fw_res = @fwrite( $handle, $return );
121	if (!$fw_res)
122	{

128	if ( class_exists( 'ZipArchive' ) )
129	{
130	$zip = new ZipArchive();
131	+ $archive = $zip->open($dirpath . '/' . $file . '.zip', ZipArchive::CREATE);
132	+ $zip->addFile($dirpath . '/' . $file . '.sql', $file . '.sql' );
133	$zip->close();
134
135	//delete .sql and keep zip
136	+ @unlink( $dirpath . '/' . $file . '.sql' );
137	$fileext = '.zip';
138	} else
139	{
140	$fileext = '.sql';
141	}
142	$this->last_backup_file_name = $file . $fileext;//database-backup-1367644822.zip or database-backup-1367644822.sql
143	+ $this->last_backup_file_path = $dirpath . '/' . $file . $fileext;
144	+ if ($is_multi_site)
145	+ {
146	+ $this->last_backup_file_url_multisite = AIO_WP_SECURITY_URL . '/backups/blogid_' . $blog_id;
147	+ }
148	+
149	$this->aiowps_send_backup_email(); //Send backup file via email if applicable
150	$this->aiowps_delete_backup_files();
151	return true;

180	global $aio_wp_security;
181	if ( $aio_wp_security->configs->get_value('aiowps_backup_files_stored') > 0 )
182	{
183	+ $path_parts = pathinfo($this->last_backup_file_path);
184	+ $backups_path = $path_parts['dirname'];
185	+ $files = scandir( $backups_path . '/', 1 );
186
187	$count = 0;
188

192	{
193	if ( $count >= $aio_wp_security->configs->get_value('aiowps_backup_files_stored') )
194	{
195	+ @unlink( $backups_path . '/' . $file );
196	}
197	$count++;
198	}

classes/wp-security-utility-file.php CHANGED Viewed

@@ -250,4 +250,23 @@ class AIOWPSecurity_Utility_File
                     return $result;
+                }
+            }


250	return $result;
251	}
252
253	+ /*
254	+ * Checks if a directory exists and creates one if it does not
255	+ */
256	+ static function create_dir($dirpath='')
257	+ {
258	+ $res = true;
259	+ if ($dirpath != '')
260	+ {
261	+ //TODO - maybe add some checks to make sure someone is not passing a path with a filename, ie, something which has ".<extenstion>" at the end
262	+ //$path_parts = pathinfo($dirpath);
263	+ //$dirpath = $path_parts['dirname'] . '/' . $path_parts['basename'];
264	+ if (!file_exists($dirpath))
265	+ {
266	+ $res = mkdir($dirpath, 0755);
267	+ }
268	+ }
269	+ return $res;
270	+ }
271	+
272	}

classes/wp-security-utility.php CHANGED Viewed

@@ -53,7 +53,22 @@ class AIOWPSecurity_Utility
                     if ( $username == '' ) {
                         return false;
+                    }
-            -
                     //check users table
                     $user = $wpdb->get_var( "SELECT user_login FROM `" . $wpdb->users . "` WHERE user_login='" . sanitize_text_field( $username ) . "';" );
                     $userid = $wpdb->get_var( "SELECT ID FROM `" . $wpdb->users . "` WHERE ID='" . sanitize_text_field( $username ) . "';" );
@@ -118,4 +133,13 @@ class AIOWPSecurity_Utility
+                    }
                     return "";
+                }
+            }


53	if ( $username == '' ) {
54	return false;
55	}
56	+
57	+ //If multisite
58	+ if (AIOWPSecurity_Utility::is_multisite_install()){
59	+ $blog_id = get_current_blog_id();
60	+ $admin_users = get_users('blog_id='.$blog_id.'orderby=login&role=administrator');
61	+ $acct_name_exists = false;
62	+ foreach ($admin_users as $user)
63	+ {
64	+ if ($user->user_login == $username){
65	+ $acct_name_exists = true;
66	+ break;
67	+ }
68	+ }
69	+ return $acct_name_exists;
70	+ }
71	+
72	//check users table
73	$user = $wpdb->get_var( "SELECT user_login FROM `" . $wpdb->users . "` WHERE user_login='" . sanitize_text_field( $username ) . "';" );
74	$userid = $wpdb->get_var( "SELECT ID FROM `" . $wpdb->users . "` WHERE ID='" . sanitize_text_field( $username ) . "';" );

133	}
134	return "";
135	}
136	+
137	+ static function is_multisite_install()
138	+ {
139	+ if (function_exists('is_multisite') && is_multisite()){
140	+ return true;
141	+ }else{
142	+ return false;
143	+ }
144	+ }
145	}

css/index.html ADDED Viewed

File without changes

images/index.html ADDED Viewed

File without changes

index.html ADDED Viewed

File without changes

js/index.html ADDED Viewed

File without changes

lib/index.html ADDED Viewed

File without changes

logs/index.html ADDED Viewed

File without changes

other-includes/index.html ADDED Viewed

File without changes

readme.txt CHANGED Viewed

@@ -1,182 +1,190 @@
-            -
            === All In One WP Security & Firewall ===
-            -
            Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin
-            -
            Donate link: http://www.tipsandtricks-hq.com
-            -
            Tags: security, secure, Anti Virus, antivirus, virus, firewall, login, lockdown, htaccess, hacking, ban hacker, malware, vulnerability, protect, phishing, database, backup, plugin, sql injection, ssl, restrict
-            -
            Requires at least: 3.5
-            -
            Tested up to: 3.6
-            -
            Stable tag: 1.9
-            -
            License: GPLv3
-            -
-            -
            A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
-            -
-            -
            == Description ==
-            -
            = A COMPREHENSIVE, EASY TO USE AND WELL SUPPORTED WORDPRESS SECURITY PLUGIN =
-            -
-            -
            WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a security plugin that enforces a lot of good security practices.
-            -
-            -
            The All In One WordPress Security plugin will take your website security to a whole new level.
-            -
-            -
            This plugin is designed and written by experts and is easy to use and understand.
-            -
-            -
            It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
-            -
-            -
            http://www.youtube.com/watch?v=CJvCTlVtazA
-            -
-            -
            All In One WP Security also uses an unprecedented security points grading system to measure how well you are protecting your site based on the security features you have activated.
-            -
-            -
            Our security and firewall rules are categorized into "basic", "intermediate" and "advanced". This way you can apply the firewall rules progressively without breaking your site's functionality.
-            -
-            -
            Below is a list of the security and firewall features offered in this plugin:
-            -
-            -
            = User Accounts Security =
-            -
            * Detect if there is a user account which has the default "admin" username and easily change the username to a value of your choice.
-            -
            * The plugin will also detect if you have any WordPress user accounts which have identical login and display names. Having account's where display name is identical to login name is bad security practice because
-            -
            you are making it 50% easier for hackers because they already know the login name.
-            -
            * Password strength tool to allow you to create very strong passwords.
-            -
-            -
            = User Login Security =
-            -
            * Protect against "Brute Force Login Attack" with the Login Lockdown feature. Users with a certain IP address or range will be locked out of the system for a predetermined amount of time based on the configuration settings and you can also choose to be notified
-            -
            via email whenever somebody gets locked out due to too many login attempts.
-            -
-            -
            * As the administrator you can view a list of all locked out users which are displayed in an easily readable and navigable table which also allows you to unlock individual or bulk IP addresses at the click of a button.
-            -
-            -
            * Force logout of all users after a configurable time period
-            -
-            -
            * Monitor/View failed login attempts which show the user's IP address, User ID/Username and Date/Time of the failed login attempt
-            -
-            -
            * Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
-            -
-            -
            = Database Security =
-            -
            * Easily the default WP prefix to a value of your choice with the click of a button.
-            -
            * Schedule automatic backups and email notifications or make an instant DB backup whenever you want with one click.
-            -
-            -
            = File System Security =
-            -
            * Identify files or folders which have permission settings which are not secure and set the permissions to the recommend secure values with click of a button.
-            -
            * Protect your PHP code by disabling file editing from the WordPress administration area.
-            -
            * Easily view and monitor all host system logs from a single menu page and stay informed of any issues or problems occurring on your server so you can address them quickly.
-            -
            * Prevent people from accessing the readme.html, license.txt and wp-config-sample.php files of your WordPress site.
-            -
-            -
            = htaccess and wp-config.php File Backup and Restore =
-            -
            * Easily backup your original .htaccess and wp-config.php files in case you will need to use them to restore broken functionality.
-            -
            * Modify the contents of the currently active .htaccess or wp-config.php files from the admin dashboard with only a few clicks
-            -
-            -
            = Blacklist Functionality =
-            -
            * Ban users by specifying IP addresses or use a wild card to specify IP ranges.
-            -
            * Ban users by specifying user agents.
-            -
            * Monitor the most active IP addresses which persistently produce the most SPAM comments and instantly block them with the click of a button.
-            -
-            -
            = Firewall Functionality =
-            -
-            -
            This plugin allows you to easily add a lot of firewall protection to your site via htaccess file. An htaccess file is processed by your web server before any other code on your site.
-            -
            So these firewall rules will stop malicious script(s) before it gets a chance to reach the WordPress code on your site.
-            -
-            -
            * Access control facility
-            -
            * Instantly activate a selection of firewall settings ranging from basic, intermediate and advanced
-            -
            * Enable the famous "5G Blacklist" Firewall rules courtesy of [Perishable Press](http://perishablepress.com/)
-            -
            * Forbid proxy comment posting
-            -
            * Disable trace and track
-            -
            * Deny bad or malicious query strings
-            -
            * Protect against Cross Site Scripting (XSS) by activating the comprehensive advanced character string filter.
-            -
            * Instantly block Brute Force Login Attacks via our special Cookie-Based Brute Force Login Prevention feature. This firewall functionality will block all login attempts from people
-            -
            or malicious bots who do not have a special cookie in their browser. You (the site admin) will know how to set this special cookie and be able to log into your site.
-            -
            * WordPress PingBack Vulnerability Protection feature. This firewall feature allows the user to prohibit access to the xmlrpc.php file in order to protect against certain vulnerabilities in the pingback functionality. This is also helpful to block bots from constantly accessing the xmlrpc.php file and wasting your server resource.
-            -
-            -
            = WhoIs Lookup =
-            -
            * Perform a WhoIs lookup of a suspicious host or IP address and get full details.
-            -
-            -
            = Regular updates and additions of new security features =
-            -
            * WordPress Security is something that evolves over time. We will be updating the All In One WP Security plugin with new security features (and fixes if required) on a regular basis so you can rest assured that your site will be on the cutting edge of security protection techniques.
-            -
-            -
            = Works with Most Popular WordPress Plugins =
-            -
            * It should work smoothly with most popular WordPress plugins.
-            -
-            -
            = Additional Features =
-            -
            * Ability to remove the WordPress Generator Meta information from the HTML source of your site.
-            -
            * Ability to prevent people from accessing the readme.html, license.txt and wp-config-sample.php files
-            -
            * Ability to temporarily lock down the front end of your site from general visitors while you do various backend tasks (investigate security attacks, perform site upgrades, do maintenance work etc.)
-            -
-            -
            = Plugin Support =
-            -
            * If you have a question or problem with the All In One Security plugin, post it on the support forum and we will help you.
-            -
-            -
            = Translations =
-            -
            * All In One WP Security plugin can be translated to any language.
-            -
-            -
            Visit the [WordPress Security Plugin](http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin) page for more details.
-            -
-            -
            == Installation ==
-            -
-            -
            To begin making your WordPress site more secure:
-            -
-            -
            1. Upload the 'all-in-one-wp-security.zip' file from the Plugins->Add New page in the WordPress administration panel.
-            -
            2. Activate the plugin through the 'Plugins' menu in WordPress
-            -
            3. Go to Settings menu under 'WP Security' and start activating the security features of the plugin.
-            -
-            -
            == Usage ==
-            -
-            -
            Go to the settings menu after you activate the plugin and follow the instructions.
-            -
-            -
            == Screenshots ==
-            -
            Check the following page for screenshots:
-            -
            http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
-            -
-            -
            == Frequently Asked Questions ==
-            -
            None
-            -
-            -
            == Upgrade Notice ==
-            -
            None
-            -
-            -
            == Changelog ==
-            -
-            -
            = 1.9 =
-            -
            - Added new WordPress PingBack Vulnerability Protection feature. This allows the user to prohibit access to the xmlrpc.php file in order to protect against certain vulnerabilities in the pingback functionality.
-            -
            - Added a configuration item in the brute force login prevention feature to allow ajax functionality to work properly when this feature is enabled.
-            -
            - Added a POT file for language translations.
-            -
            - Made the DB Prefix feature more robust by adding a check to ensure that plugin can write to the wp-config.php file. This will prevent user from losing access to their site in cases where the system changed the prefix but not the entry in the wp-config.php file.
-            -
            - Tightened the data validation for the cookie based brute force login feature to ensure that the user must enter a secret word which consists of alphanumeric characters.
-            -
            - Added edit links to the user account list in the "User Acounts" menu.
-            -
-            -
            = 1.8 =
-            -
            - Moved the front end site lockout feature to a new menu called "Maintenance".
-            -
            - Added a feature in the front-end lockout feature to allow people to specify their own message which will be displayed on the front-end to visitors who try to access the site when it is in lock out state.
-            -
            - Fixed a bug in the front-end lockout feature by adding some checks which ensure that the admin will not get locked if the feature is still active and their login session expires or they log out.
-            -
            - Added a widget in the dashboard menu to show the status of the "maintenance mode" feature.
-            -
-            -
            = 1.7 =
-            -
            - Added a new feature which is a password strength tool which calculates how easy it is for your chosen password to be cracked using a desktop PC and the appropriate SW. This tool should help you create strong passwords.
-            -
            - Added a front-end general visitor lockout feature. This feature allows you to temporarily lock down the front end of your site while you do security investigation, site upgrades, tweaks etc.
-            -
-            -
            = 1.6 =
-            -
            - Added a new option in the cookie-based Brute Force Login Attack prevention feature to allow users to use this feature together with the WordPress's post/page password protection feature.
-            -
            - Fixed a bug in the 5G firewall rules to so that the printed rules include the correct number of '\' characters.
-            -
            - Fixed a minor bug in the "restore from backed up htaccess file" feature.
-            -
            - Enhanced the "Save current wp-config.php file" feature so it will continue to work with all of the firewall rules active on the site.
-            -
            - Added extra checks to account for some error scenarios caused on some servers when recursive file search is done.
-            -
-            -
            = 1.5 =
-            -
            - Added new feature - Cookie-based Brute Force Login Attack Prevention. Check under the "Firewall" menu for this new feature.
-            -
              This feature will stop hackers in their tracks when they try to access your wp-admin or login pages. This feature will secure your WordPress backend by enforcing the requirement that anybody trying to access these pages will require a special cookie.
-            -
-            -
            - Fixed bug related to setting of default configuration for first-time plugin activation.
-            -
-            -
            = 1.4 =
-            -
            - Tweaked the "Deny Bad Query Strings" firewall rules so that plugin deletion and update operations from the WordPress plugins menu are not affected.
-            -
            - Fixed a minor bug related to scheduled database backups.
-            -
            - Added some extra default settings to be applied to the plugin's configuration pages upon activation for the first time.
-            -
            - Plugin will now display a recommendation message if user sets scheduled backup frequency to less than 24 hours.
-            -
-            -
            = 1.3 =
-            -
            - Added a new feature to remove the WordPress Generator Meta information from the HTML source of your site.
-            -
            - Tweaked the "Advanced Character String Filter" to fix issue which was affecting plugins such as "Admin Management Xtended" and also pages with keywords such as "password" in the URL.
-            -
            - Updated one rule in the "Advanced Character String Filter" feature to make it compatible with W3 Total Cache Plugin's minify feature.
-            -
            - Added a "Delete All Failed Login Records" option in the "Failed Login Records" tab. This will delete all entries in the failed logins table and will make it less tedious for users who get a lot of brute force attacks on their site.
-            -
-            -
            = 1.2 =
-            -
            - Moved the rules which disable index views from the "basic firewall" rules to the "additional rules" section. This will prevent any site breakage for
-            -
            those who want to enable the basic firewall but do not have "AllowOverride" option enabled in their httpd.conf
-            -
-            -
            = 1.1 =
-            -
            - Added the following new feature:
-            -
            - Prevent people from accessing the readme.html, license.txt and wp-config-sample.php files.
-            -
-            -
            = 1.0 =
-            -
            - First commit to the WP repository.


1	+ === All In One WP Security & Firewall ===
2	+ Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin
3	+ Donate link: http://www.tipsandtricks-hq.com
4	+ Tags: security, secure, Anti Virus, antivirus, virus, firewall, login, lockdown, htaccess, hacking, ban hacker, malware, vulnerability, protect, phishing, database, backup, plugin, sql injection, ssl, restrict
5	+ Requires at least: 3.5
6	+ Tested up to: 3.6
7	+ Stable tag: 2.0
8	+ License: GPLv3
9	+
10	+ A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
11	+
12	+ == Description ==
13	+ = A COMPREHENSIVE, EASY TO USE AND WELL SUPPORTED WORDPRESS SECURITY PLUGIN =
14	+
15	+ WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a security plugin that enforces a lot of good security practices.
16	+
17	+ The All In One WordPress Security plugin will take your website security to a whole new level.
18	+
19	+ This plugin is designed and written by experts and is easy to use and understand.
20	+
21	+ It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
22	+
23	+ http://www.youtube.com/watch?v=CJvCTlVtazA
24	+
25	+ All In One WP Security also uses an unprecedented security points grading system to measure how well you are protecting your site based on the security features you have activated.
26	+
27	+ Our security and firewall rules are categorized into "basic", "intermediate" and "advanced". This way you can apply the firewall rules progressively without breaking your site's functionality.
28	+
29	+ Below is a list of the security and firewall features offered in this plugin:
30	+
31	+ = User Accounts Security =
32	+ * Detect if there is a user account which has the default "admin" username and easily change the username to a value of your choice.
33	+ * The plugin will also detect if you have any WordPress user accounts which have identical login and display names. Having account's where display name is identical to login name is bad security practice because
34	+ you are making it 50% easier for hackers because they already know the login name.
35	+ * Password strength tool to allow you to create very strong passwords.
36	+
37	+ = User Login Security =
38	+ * Protect against "Brute Force Login Attack" with the Login Lockdown feature. Users with a certain IP address or range will be locked out of the system for a predetermined amount of time based on the configuration settings and you can also choose to be notified
39	+ via email whenever somebody gets locked out due to too many login attempts.
40	+
41	+ * As the administrator you can view a list of all locked out users which are displayed in an easily readable and navigable table which also allows you to unlock individual or bulk IP addresses at the click of a button.
42	+
43	+ * Force logout of all users after a configurable time period
44	+
45	+ * Monitor/View failed login attempts which show the user's IP address, User ID/Username and Date/Time of the failed login attempt
46	+
47	+ * Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
48	+
49	+ = Database Security =
50	+ * Easily the default WP prefix to a value of your choice with the click of a button.
51	+ * Schedule automatic backups and email notifications or make an instant DB backup whenever you want with one click.
52	+
53	+ = File System Security =
54	+ * Identify files or folders which have permission settings which are not secure and set the permissions to the recommend secure values with click of a button.
55	+ * Protect your PHP code by disabling file editing from the WordPress administration area.
56	+ * Easily view and monitor all host system logs from a single menu page and stay informed of any issues or problems occurring on your server so you can address them quickly.
57	+ * Prevent people from accessing the readme.html, license.txt and wp-config-sample.php files of your WordPress site.
58	+
59	+ = htaccess and wp-config.php File Backup and Restore =
60	+ * Easily backup your original .htaccess and wp-config.php files in case you will need to use them to restore broken functionality.
61	+ * Modify the contents of the currently active .htaccess or wp-config.php files from the admin dashboard with only a few clicks
62	+
63	+ = Blacklist Functionality =
64	+ * Ban users by specifying IP addresses or use a wild card to specify IP ranges.
65	+ * Ban users by specifying user agents.
66	+ * Monitor the most active IP addresses which persistently produce the most SPAM comments and instantly block them with the click of a button.
67	+
68	+ = Firewall Functionality =
69	+
70	+ This plugin allows you to easily add a lot of firewall protection to your site via htaccess file. An htaccess file is processed by your web server before any other code on your site.
71	+ So these firewall rules will stop malicious script(s) before it gets a chance to reach the WordPress code on your site.
72	+
73	+ * Access control facility
74	+ * Instantly activate a selection of firewall settings ranging from basic, intermediate and advanced
75	+ * Enable the famous "5G Blacklist" Firewall rules courtesy of [Perishable Press](http://perishablepress.com/)
76	+ * Forbid proxy comment posting
77	+ * Disable trace and track
78	+ * Deny bad or malicious query strings
79	+ * Protect against Cross Site Scripting (XSS) by activating the comprehensive advanced character string filter.
80	+ or malicious bots who do not have a special cookie in their browser. You (the site admin) will know how to set this special cookie and be able to log into your site.
81	+ * WordPress PingBack Vulnerability Protection feature. This firewall feature allows the user to prohibit access to the xmlrpc.php file in order to protect against certain vulnerabilities in the pingback functionality. This is also helpful to block bots from constantly accessing the xmlrpc.php file and wasting your server resource.
82	+
83	+ = Brute force login attack prevention =
84	+ * Instantly block Brute Force Login Attacks via our special Cookie-Based Brute Force Login Prevention feature. This firewall functionality will block all login attempts from people and bots.
85	+
86	+ = WhoIs Lookup =
87	+ * Perform a WhoIs lookup of a suspicious host or IP address and get full details.
88	+
89	+ = Regular updates and additions of new security features =
90	+ * WordPress Security is something that evolves over time. We will be updating the All In One WP Security plugin with new security features (and fixes if required) on a regular basis so you can rest assured that your site will be on the cutting edge of security protection techniques.
91	+
92	+ = Works with Most Popular WordPress Plugins =
93	+ * It should work smoothly with most popular WordPress plugins.
94	+
95	+ = Additional Features =
96	+ * Ability to remove the WordPress Generator Meta information from the HTML source of your site.
97	+ * Ability to prevent people from accessing the readme.html, license.txt and wp-config-sample.php files
98	+ * Ability to temporarily lock down the front end of your site from general visitors while you do various backend tasks (investigate security attacks, perform site upgrades, do maintenance work etc.)
99	+
100	+ = Plugin Support =
101	+ * If you have a question or problem with the All In One Security plugin, post it on the support forum and we will help you.
102	+
103	+ = Translations =
104	+ * All In One WP Security plugin can be translated to any language.
105	+
106	+ Visit the [WordPress Security Plugin](http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin) page for more details.
107	+
108	+ == Installation ==
109	+
110	+ To begin making your WordPress site more secure:
111	+
112	+ 1. Upload the 'all-in-one-wp-security.zip' file from the Plugins->Add New page in the WordPress administration panel.
113	+ 2. Activate the plugin through the 'Plugins' menu in WordPress
114	+ 3. Go to Settings menu under 'WP Security' and start activating the security features of the plugin.
115	+
116	+ == Usage ==
117	+
118	+ Go to the settings menu after you activate the plugin and follow the instructions.
119	+
120	+ == Screenshots ==
121	+ Check the following page for screenshots:
122	+ http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
123	+
124	+ == Frequently Asked Questions ==
125	+ None
126	+
127	+ == Upgrade Notice ==
128	+ None
129	+
130	+ == Changelog ==
131	+
132	+ = 2.0 =
133	+ - Fixed a bug for general DB backup functionality.
134	+ - Fixed multi-site DB backup - the plugin will now backup only the tables relevant for the sub-site in question.
135	+ - Added blank index.html files in various folders inside the plugin.
136	+ - Disabled the wp-config.php file backup feature until we find a more secure method of doing the backup.
137	+
138	+ = 1.9 =
139	+ - Added new WordPress PingBack Vulnerability Protection feature. This allows the user to prohibit access to the xmlrpc.php file in order to protect against certain vulnerabilities in the pingback functionality.
140	+ - Added a configuration item in the brute force login prevention feature to allow ajax functionality to work properly when this feature is enabled.
141	+ - Added a POT file for language translations.
142	+ - Made the DB Prefix feature more robust by adding a check to ensure that plugin can write to the wp-config.php file. This will prevent user from losing access to their site in cases where the system changed the prefix but not the entry in the wp-config.php file.
143	+ - Tightened the data validation for the cookie based brute force login feature to ensure that the user must enter a secret word which consists of alphanumeric characters.
144	+ - Added edit links to the user account list in the "User Acounts" menu.
145	+
146	+ = 1.8 =
147	+ - Moved the front end site lockout feature to a new menu called "Maintenance".
148	+ - Added a feature in the front-end lockout feature to allow people to specify their own message which will be displayed on the front-end to visitors who try to access the site when it is in lock out state.
149	+ - Fixed a bug in the front-end lockout feature by adding some checks which ensure that the admin will not get locked if the feature is still active and their login session expires or they log out.
150	+ - Added a widget in the dashboard menu to show the status of the "maintenance mode" feature.
151	+
152	+ = 1.7 =
153	+ - Added a new feature which is a password strength tool which calculates how easy it is for your chosen password to be cracked using a desktop PC and the appropriate SW. This tool should help you create strong passwords.
154	+ - Added a front-end general visitor lockout feature. This feature allows you to temporarily lock down the front end of your site while you do security investigation, site upgrades, tweaks etc.
155	+
156	+ = 1.6 =
157	+ - Added a new option in the cookie-based Brute Force Login Attack prevention feature to allow users to use this feature together with the WordPress's post/page password protection feature.
158	+ - Fixed a bug in the 5G firewall rules to so that the printed rules include the correct number of '\' characters.
159	+ - Fixed a minor bug in the "restore from backed up htaccess file" feature.
160	+ - Enhanced the "Save current wp-config.php file" feature so it will continue to work with all of the firewall rules active on the site.
161	+ - Added extra checks to account for some error scenarios caused on some servers when recursive file search is done.
162	+
163	+ = 1.5 =
164	+ - Added new feature - Cookie-based Brute Force Login Attack Prevention. Check under the "Firewall" menu for this new feature.
165	+ This feature will stop hackers in their tracks when they try to access your wp-admin or login pages. This feature will secure your WordPress backend by enforcing the requirement that anybody trying to access these pages will require a special cookie.
166	+
167	+ - Fixed bug related to setting of default configuration for first-time plugin activation.
168	+
169	+ = 1.4 =
170	+ - Tweaked the "Deny Bad Query Strings" firewall rules so that plugin deletion and update operations from the WordPress plugins menu are not affected.
171	+ - Fixed a minor bug related to scheduled database backups.
172	+ - Added some extra default settings to be applied to the plugin's configuration pages upon activation for the first time.
173	+ - Plugin will now display a recommendation message if user sets scheduled backup frequency to less than 24 hours.
174	+
175	+ = 1.3 =
176	+ - Added a new feature to remove the WordPress Generator Meta information from the HTML source of your site.
177	+ - Tweaked the "Advanced Character String Filter" to fix issue which was affecting plugins such as "Admin Management Xtended" and also pages with keywords such as "password" in the URL.
178	+ - Updated one rule in the "Advanced Character String Filter" feature to make it compatible with W3 Total Cache Plugin's minify feature.
179	+ - Added a "Delete All Failed Login Records" option in the "Failed Login Records" tab. This will delete all entries in the failed logins table and will make it less tedious for users who get a lot of brute force attacks on their site.
180	+
181	+ = 1.2 =
182	+ - Moved the rules which disable index views from the "basic firewall" rules to the "additional rules" section. This will prevent any site breakage for
183	+ those who want to enable the basic firewall but do not have "AllowOverride" option enabled in their httpd.conf
184	+
185	+ = 1.1 =
186	+ - Added the following new feature:
187	+ - Prevent people from accessing the readme.html, license.txt and wp-config-sample.php files.
188	+
189	+ = 1.0 =
190	+ - First commit to the WP repository.

wp-security-core.php CHANGED Viewed

	@@ -3,7 +3,7 @@
3	if (!class_exists('AIO_WP_Security')){
4
5	class AIO_WP_Security{
6	- var $version = '1.9';
7	var $db_version = '1.2';
8	var $plugin_url;
9	var $plugin_path;


3	if (!class_exists('AIO_WP_Security')){
4
5	class AIO_WP_Security{
6	+ var $version = '2.0';
7	var $db_version = '1.2';
8	var $plugin_url;
9	var $plugin_path;

wp-security.php CHANGED Viewed

	@@ -1,7 +1,7 @@
1	<?php
2	/*
3	Plugin Name: All In One WP Security
4	- Version: v1.9
5	Plugin URI: http://www.tipsandtricks-hq.com/
6	Author: Tips and Tricks HQ, Peter, Ruhul Amin
7	Author URI: http://www.tipsandtricks-hq.com/


1	<?php
2	/*
3	Plugin Name: All In One WP Security
4	+ Version: v2.0
5	Plugin URI: http://www.tipsandtricks-hq.com/
6	Author: Tips and Tricks HQ, Peter, Ruhul Amin
7	Author URI: http://www.tipsandtricks-hq.com/

All In One WP Security & Firewall - Version 2.0

Version Description

Release Info

Code changes from version 1.9 to 2.0