All In One WP Security & Firewall - Version 2.3

Version Description

  • Added a new menu called Scanner with a new feature called File Change Detection. This feature will alert you if any files have been changed, added or removed on your system.
  • Fixed "Deny Bad Query Strings" rules to not break the ability to drag components in the WordPress "Appearance->Menus" page
  • Fixed an activation time warning (on sites with WP_DEBUG option enabled)
  • Re-implemented the wp-config.php file content backup feature. It now directly downloads the contents of the file to your computer.
  • Multi-site enhancements: Suppressed access to configuration settings for features which are not allowed to be configured from subsites of multi-site installations.
  • Fixed a bug in the login lockdown feature.

Release Info

Developer mra13
Version 2.3

Code changes from version 2.2 to 2.3

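--- a/admin/wp-security-admin-init.php
+++ b/admin/wp-security-admin-init.php
@@ -17,6 +17,7 @@ class AIOWPSecurity_Admin_Init
  var $firewall_menu;
  var $maintenance_menu;
  var $spam_menu;
+ var $filescan_menu;
 
  function __construct()
  {
@@ -133,6 +134,19 @@ class AIOWPSecurity_Admin_Init
  $aio_wp_security->configs->save_config();//save the value
  }
  }
+
+ if(isset($_POST['aiowps_save_wp_config']))//the wp-config backup operation
+ {
+ $nonce=$_REQUEST['_wpnonce'];
+ if (!wp_verify_nonce($nonce, 'aiowpsec-save-wp-config-nonce'))
+ {
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed on wp_config file save!",4);
+ die("Nonce check failed on wp_config file save!");
+ }
+ $wp_config_path = ABSPATH . 'wp-config.php';
+ $result = AIOWPSecurity_Utility_File::backup_a_file($wp_config_path); //Backup the wp_config.php file
+ AIOWPSecurity_Utility_File::download_a_file_option1($wp_config_path, "wp-config-backup.txt");
+ }
  }
 
  function create_admin_menus()
@@ -144,15 +158,28 @@ class AIOWPSecurity_Admin_Init
  add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('User Accounts', 'aiowpsecurity'), __('User Accounts', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_USER_ACCOUNTS_MENU_SLUG, array(&$this, 'handle_user_accounts_menu_rendering'));
  add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('User Login', 'aiowpsecurity'), __('User Login', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_USER_LOGIN_MENU_SLUG, array(&$this, 'handle_user_login_menu_rendering'));
  add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('Database Security', 'aiowpsecurity'), __('Database Security', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_DB_SEC_MENU_SLUG, array(&$this, 'handle_database_menu_rendering'));
- add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('Filesystem Security', 'aiowpsecurity'), __('Filesystem Security', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_FILESYSTEM_MENU_SLUG, array(&$this, 'handle_filesystem_menu_rendering'));
+ if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1){
+ //Suppress the firewall menu if site is a multi site AND not the main site
+ }else{
+ add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('Filesystem Security', 'aiowpsecurity'), __('Filesystem Security', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_FILESYSTEM_MENU_SLUG, array(&$this, 'handle_filesystem_menu_rendering'));
+ }
  add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('WHOIS Lookup', 'aiowpsecurity'), __('WHOIS Lookup', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_WHOIS_MENU_SLUG, array(&$this, 'handle_whois_menu_rendering'));
- add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('Blacklist Manager', 'aiowpsecurity'), __('Blacklist Manager', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_BLACKLIST_MENU_SLUG, array(&$this, 'handle_blacklist_menu_rendering'));
+ if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1){
+ //Suppress the firewall menu if site is a multi site AND not the main site
+ }else{
+ add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('Blacklist Manager', 'aiowpsecurity'), __('Blacklist Manager', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_BLACKLIST_MENU_SLUG, array(&$this, 'handle_blacklist_menu_rendering'));
+ }
  if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1){
  //Suppress the firewall menu if site is a multi site AND not the main site
  }else{
  add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('Firewall', 'aiowpsecurity'), __('Firewall', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_FIREWALL_MENU_SLUG, array(&$this, 'handle_firewall_menu_rendering'));
  }
  add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('SPAM Prevention', 'aiowpsecurity'), __('SPAM Prevention', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_SPAM_MENU_SLUG, array(&$this, 'handle_spam_menu_rendering'));
+ if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1){
+ //Suppress the filescan menu if site is a multi site AND not the main site
+ }else{
+ add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('Scanner', 'aiowpsecurity'), __('Scanner', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_FILESCAN_MENU_SLUG, array(&$this, 'handle_filescan_menu_rendering'));
+ }
  add_submenu_page(AIOWPSEC_MAIN_MENU_SLUG, __('Maintenance', 'aiowpsecurity'), __('Maintenance', 'aiowpsecurity') , AIOWPSEC_MANAGEMENT_PERMISSION, AIOWPSEC_MAINTENANCE_MENU_SLUG, array(&$this, 'handle_maintenance_menu_rendering'));
  do_action('aiowpsecurity_admin_menu_created');
  }
@@ -191,7 +218,7 @@ class AIOWPSecurity_Admin_Init
  function handle_filesystem_menu_rendering()
  {
  include_once('wp-security-filesystem-menu.php');
- $this->filesystem_menu = new AIOWPSecurity_Filescan_Menu();
+ $this->filesystem_menu = new AIOWPSecurity_Filesystem_Menu();
  }
 
  function handle_whois_menu_rendering()
@@ -224,6 +251,11 @@ class AIOWPSecurity_Admin_Init
  $this->spam_menu = new AIOWPSecurity_Spam_Menu();
  }
 
+ function handle_filescan_menu_rendering()
+ {
+ include_once('wp-security-filescan-menu.php');
+ $this->filescan_menu = new AIOWPSecurity_Filescan_Menu();
+ }
 
  }//End of class
 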
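Review bot: The wp-config backup handler added at new lines 138–149 verifies a nonce but no capability, and the enclosing function starts outside the hunk, so I cannot see whether its caller restricts who reaches it; a nonce only proves the request came from a page this user loaded, so the handler itself should gate on `if (!current_user_can(AIOWPSEC_MANAGEMENT_PERMISSION)) { die("Insufficient permissions for wp_config file save!"); }` before streaming a file that holds database credentials. `$result` from `backup_a_file()` at line 147 is assigned and never examined, so the download at line 148 runs even when the backup failed; either check it (I cannot see what `backup_a_file` returns, so confirm its failure value) or drop the assignment. `$_REQUEST['_wpnonce']` at line 140 is read without `isset`, which raises a notice on any request lacking it — `$nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';` avoids that. The Filesystem menu is now hidden on multisite subsites at lines 161–165, but this POST handler is not subject to the same `is_multisite_install() && get_current_blog_id() != 1` check, so the feature is only hidden there, not disabled.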
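--- a/admin/wp-security-blacklist-menu.php
+++ b/admin/wp-security-blacklist-menu.php
@@ -62,8 +62,7 @@ class AIOWPSecurity_Blacklist_Menu extends AIOWPSecurity_Admin_Menu
 
  function render_tab1()
  {
- //if this is the case there is no need to display a "fix permissions" button
- global $wpdb, $aio_wp_security;
+ global $aio_wp_security;
  global $aiowps_feature_mgr;
  $result = 1;
  if (isset($_POST['aiowps_save_blacklist_settings']))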
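Review bot: `global $wpdb` is dropped from `render_tab1()` at new line 65 while the rest of the method body lies outside the hunk, so confirm that no later statement in it still references `$wpdb`; if one does, it would now see an undefined local instead of the database object and fail silently at runtime. If none does, the change is fine as is, and the removed comment about a "fix permissions" button did not describe this method anyway.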
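--- a/admin/wp-security-dashboard-menu.php
+++ b/admin/wp-security-dashboard-menu.php
@@ -266,6 +266,9 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
  <div class="inside">
 
  <p>We are working to make your WordPress site more secure. Please support us, here is how:</p>
+ <p>
+ <a href="https://plus.google.com/102469783420435518783/" target="_blank">Follow us on Google+</a>
+ </p>
  <p>
  <a href="http://twitter.com/intent/tweet?url=http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin&text=I love the All In One WP Security and Firewall plugin!" target="_blank" class="aio_tweet_link">Post to Twitter</a>
  </p>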
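Review bot: The new anchor at new line 270 opens with `target="_blank"` and no `rel` attribute, which hands the opened page a `window.opener` reference back to the admin screen; add `rel="noopener noreferrer"`, i.e. `<a href="https://plus.google.com/102469783420435518783/" target="_blank" rel="noopener noreferrer">Follow us on Google+</a>`. The existing Twitter link at line 273 has the same omission and could be fixed in the same edit.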
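--- /dev/null
+++ b/admin/wp-security-filescan-menu.php
@@ -0,0 +1,394 @@
+ <?php
+
+ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
+ {
+ var $menu_page_slug = AIOWPSEC_FILESCAN_MENU_SLUG;
+
+ /* Specify all the tabs of this menu in the following array */
+ var $menu_tabs = array(
+ 'tab1' => 'File Change Detection',
+ );
+
+ var $menu_tabs_handler = array(
+ 'tab1' => 'render_tab1',
+ );
+
+ function __construct()
+ {
+ $this->render_menu_page();
+ }
+
+ function get_current_tab()
+ {
+ $tab_keys = array_keys($this->menu_tabs);
+ $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : $tab_keys[0];
+ return $tab;
+ }
+
+ /*
+ * Renders our tabs of this menu as nav items
+ */
+ function render_menu_tabs()
+ {
+ $current_tab = $this->get_current_tab();
+
+ echo '<h2 class="nav-tab-wrapper">';
+ foreach ( $this->menu_tabs as $tab_key => $tab_caption )
+ {
+ $active = $current_tab == $tab_key ? 'nav-tab-active' : '';
+ echo '<a class="nav-tab ' . $active . '" href="?page=' . $this->menu_page_slug . '&tab=' . $tab_key . '">' . $tab_caption . '</a>';
+ }
+ echo '</h2>';
+ }
+
+ /*
+ * The menu rendering goes here
+ */
+ function render_menu_page()
+ {
+ $tab = $this->get_current_tab();
+ ?>
+ <div class="wrap">
+ <div id="poststuff"><div id="post-body">
+ <?php
+ $this->render_menu_tabs();
+ //$tab_keys = array_keys($this->menu_tabs);
+ call_user_func(array(&$this, $this->menu_tabs_handler[$tab]));
+ ?>
+ </div></div>
+ </div><!-- end of wrap -->
+ <?php
+ }
+
+ function render_tab1()
+ {
+ global $wpdb, $aio_wp_security;
+ global $aiowps_feature_mgr;
+
+ if (isset($_POST['fcd_scan_info']))
+ {
+ //Display scan file change info and clear the global alert variable
+ //TODO: display file change details
+
+ //Clear the global variable
+ $aio_wp_security->configs->set_value('aiowps_fcds_change_detected', FALSE);
+ $aio_wp_security->configs->save_config();
+
+ //Display the last scan results
+ $this->display_last_scan_results();
+ }
+
+ if (isset($_POST['aiowps_manual_fcd_scan']))
+ {
+ $nonce=$_REQUEST['_wpnonce'];
+ if (!wp_verify_nonce($nonce, 'aiowpsec-fcd-manual-scan-nonce'))
+ {
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed for manual file change detection scan operation!",4);
+ die(__('Nonce check failed for manual file change detection scan operation!','aiowpsecurity'));
+ }
+
+ $result = $aio_wp_security->filescan_obj->execute_file_change_detection_scan();
+ //If this is first scan display special message
+ if ($result['initial_scan'] == 1)
+ {
+ $this->show_msg_updated(__('The plugin has detected that this is your first file change detection scan. The file details from this scan will be used to detect file changes for future scans!','aiowpsecurity'));
+ }
+ // else
+ // {
+ // $aio_wp_security->debug_logger->log_debug("Manual File Change Detection scan operation failed!",4);
+ // $this->show_msg_error(__('Manual File Change Detection scan operation failed!','aiowpsecurity'));
+ // }
+ }
+
+ if(isset($_POST['aiowps_schedule_fcd_scan']))//Do form submission tasks
+ {
+ $error = '';
+ $reset_scan_data = FALSE;
+ $file_types = '';
+ $files = '';
+
+ $nonce=$_REQUEST['_wpnonce'];
+ if (!wp_verify_nonce($nonce, 'aiowpsec-scheduled-fcd-scan-nonce'))
+ {
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed for file change detection scan options save!",4);
+ die("Nonce check failed for file change detection scan options save!");
+ }
+
+ $fcd_scan_frequency = sanitize_text_field($_POST['aiowps_fcd_scan_frequency']);
+ if(!is_numeric($fcd_scan_frequency))
+ {
+ $error .= '<br />'.__('You entered a non numeric value for the "backup time interval" field. It has been set to the default value.','aiowpsecurity');
+ $fcd_scan_frequency = '4';//Set it to the default value for this field
+ }
+
+ if (!empty($_POST['aiowps_fcd_exclude_filetypes']))
+ {
+ $file_types = trim($_POST['aiowps_fcd_exclude_filetypes']);
+ //$file_types_array = preg_split( '/\r\n|\r|\n/', $file_types );
+
+ //Get the currently saved config value and check if this has changed. If so do another scan to reset the scan data so it omits these filetypes
+ if ($file_types != $aio_wp_security->configs->get_value('aiowps_fcd_exclude_filetypes'))
+ {
+ $reset_scan_data = TRUE;
+ }
+ }
+
+ if (!empty($_POST['aiowps_fcd_exclude_files']))
+ {
+ $files = trim($_POST['aiowps_fcd_exclude_files']);
+ //Get the currently saved config value and check if this has changed. If so do another scan to reset the scan data so it omits these files/dirs
+ if ($files != $aio_wp_security->configs->get_value('aiowps_fcd_exclude_files'))
+ {
+ $reset_scan_data = TRUE;
+ }
+
+ }
+
+ $email_address = sanitize_email($_POST['aiowps_fcd_scan_email_address']);
+ if(!is_email($email_address))
+ {
+ $error .= '<p>'.__('You have entered an incorrect email address format. It has been set to your WordPress admin email as default.','aiowpsecurity').'</p>';
+ $email_address = get_bloginfo('admin_email'); //Set the default value to the blog admin email
+ }
+
+ if($error)
+ {
+ $this->show_msg_error(__('Attention!','aiowpsecurity').$error);
+ }
+
+ //Save all the form values to the options
+ $aio_wp_security->configs->set_value('aiowps_enable_automated_fcd_scan',isset($_POST["aiowps_enable_automated_fcd_scan"])?'1':'');
+ $aio_wp_security->configs->set_value('aiowps_fcd_scan_frequency',absint($fcd_scan_frequency));
+ $aio_wp_security->configs->set_value('aiowps_fcd_scan_interval',$_POST["aiowps_fcd_scan_interval"]);
+ $aio_wp_security->configs->set_value('aiowps_fcd_exclude_filetypes',$file_types);
+ $aio_wp_security->configs->set_value('aiowps_fcd_exclude_files',$files);
+ $aio_wp_security->configs->set_value('aiowps_send_fcd_scan_email',isset($_POST["aiowps_send_fcd_scan_email"])?'1':'');
+ $aio_wp_security->configs->set_value('aiowps_fcd_scan_email_address',$email_address);
+ $aio_wp_security->configs->save_config();
+
+ //Recalculate points after the feature status/options have been altered
+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
+ $this->show_msg_settings_updated();
+
+ //Let's check if backup interval was set to less than 24 hours
+ if (isset($_POST["aiowps_enable_automated_fcd_scan"]) && ($fcd_scan_frequency < 24) && $_POST["aiowps_fcd_scan_interval"]==0)
+ {
+ $alert_user_msg = 'ATTENTION: You have configured your file change detection scan to occur at least once daily. For most websites we recommended that you choose a less frequent
+ schedule such as once every few days, once a week or once a month. Choosing a less frequent schedule will also help reduce your server load.';
+ $this->show_msg_updated(__($alert_user_msg, 'aiowpsecurity'));
+ }
+
+ if($reset_scan_data)
+ {
+ //Clear old scan row and ask user to perform a fresh scan to reset the data
+ $aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
+ $where = array('meta_key1' => 'file_change_detection', 'meta_value1' => 'file_scan_data');
+ $wpdb->delete( $aiowps_global_meta_tbl_name, $where);
+ $result = $aio_wp_security->filescan_obj->execute_file_change_detection_scan();
+ $new_scan_alert = __('NEW SCAN COMPLETED: The plugin has detected that you have made changes to the "File Types To Ignore" or "Files To Ignore" fields.
+ In order to ensure that future scan results are accurate, the old scan data has been refreshed.', 'aiowpsecurity');
+ $this->show_msg_updated($new_scan_alert);
+ }
+
+ }
+
+ //Display an alert warning message if a file change was detected
+ if ($aio_wp_security->configs->get_value('aiowps_fcds_change_detected'))
+ {
+ $error_msg = __('All In One WP Security & Firewall has detected that there was a change in your host\'s files.', 'aiowpsecurity');
+
+ $button = '<div><form action="" method="POST"><input type="submit" name="fcd_scan_info" value="'.__('View Scan Details & Clear This Message', 'aiowpsecurity').'" class="button-secondary" /></form></div>';
+ $error_msg .= $button;
+ $this->show_msg_error($error_msg);
+ }
+
+
+ ?>
+ <div class="postbox">
+ <h3><label for="title"><?php _e('Manual File Change Detection Scan', 'aiowpsecurity'); ?></label></h3>
+ <div class="inside">
+ <form action="" method="POST">
+ <?php wp_nonce_field('aiowpsec-fcd-manual-scan-nonce'); ?>
+ <table class="form-table">
+ <tr valign="top">
+ <span class="description"><?php _e('To perform a manual file change detection scan click on the button below.', 'aiowpsecurity'); ?></span>
+ </tr>
+ </table>
+ <input type="submit" name="aiowps_manual_fcd_scan" value="<?php _e('Perform Scan Now', 'aiowpsecurity')?>" class="button-primary" />
+ </form>
+ </div></div>
+ <div class="postbox">
+ <h3><label for="title"><?php _e('Automated File Change Detection', 'aiowpsecurity'); ?></label></h3>
+ <div class="inside">
+ <?php
+ //Display security info badge
+ global $aiowps_feature_mgr;
+ $aiowps_feature_mgr->output_feature_details_badge("scan-file-change-detection");
+ ?>
+
+ <form action="" method="POST">
+ <?php wp_nonce_field('aiowpsec-scheduled-fcd-scan-nonce'); ?>
+ <table class="form-table">
+ <tr valign="top">
+ <th scope="row"><?php _e('Enable Automated File Change Detection Scan', 'aiowpsecurity')?>:</th>
+ <td>
+ <input name="aiowps_enable_automated_fcd_scan" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_automated_fcd_scan')=='1') echo ' checked="checked"'; ?> value="1"/>
+ <span class="description"><?php _e('Check this if you want the system to automatically/periodically scan your files to check for file changes based on the settings below', 'aiowpsecurity'); ?></span>
+ </td>
+ </tr>
+ <tr valign="top">
+ <th scope="row"><?php _e('Scan Time Interval', 'aiowpsecurity')?>:</th>
+ <td><input size="5" name="aiowps_fcd_scan_frequency" value="<?php echo $aio_wp_security->configs->get_value('aiowps_fcd_scan_frequency'); ?>" />
+ <select id="backup_interval" name="aiowps_fcd_scan_interval">
+ <option value="0" <?php selected( $aio_wp_security->configs->get_value('aiowps_fcd_scan_interval'), '0' ); ?>><?php _e( 'Hours', 'aiowpsecurity' ); ?></option>
+ <option value="1" <?php selected( $aio_wp_security->configs->get_value('aiowps_fcd_scan_interval'), '1' ); ?>><?php _e( 'Days', 'aiowpsecurity' ); ?></option>
+ <option value="2" <?php selected( $aio_wp_security->configs->get_value('aiowps_fcd_scan_interval'), '2' ); ?>><?php _e( 'Weeks', 'aiowpsecurity' ); ?></option>
+ </select>
+ <span class="description"><?php _e('Set the value for how often you would like a scan to occur', 'aiowpsecurity'); ?></span>
+ </td>
+ </tr>
+ <tr valign="top">
+ <th scope="row"><?php _e('File Types To Ignore', 'aiowpsecurity')?>:</th>
+ <td><textarea name="aiowps_fcd_exclude_filetypes" rows="5" cols="50"><?php echo $aio_wp_security->configs->get_value('aiowps_fcd_exclude_filetypes'); ?></textarea>
+ <br />
+ <span class="description"><?php _e('Enter each file type or extension on a new line which you wish to exclude from the file change detection scan.', 'aiowpsecurity'); ?></span>
+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
+ <div class="aiowps_more_info_body">
+ <?php
+ echo '<p class="description">'.__('You can exclude file types from the scan which would not normally pose any security threat if they were changed. These can include things such as image files.', 'aiowpsecurity').'</p>';
+ echo '<p class="description">'.__('Example: If you want the scanner to ignore files of type jpg, png, and bmp, then you would enter the following:', 'aiowpsecurity').'</p>';
+ echo '<p class="description">'.__('jpg', 'aiowpsecurity').'</p>';
+ echo '<p class="description">'.__('png', 'aiowpsecurity').'</p>';
+ echo '<p class="description">'.__('bmp', 'aiowpsecurity').'</p>';
+ ?>
+ </div>
+ </td>
+ </tr>
+ <tr valign="top">
+ <th scope="row"><?php _e('Files/Directories To Ignore', 'aiowpsecurity')?>:</th>
+ <td><textarea name="aiowps_fcd_exclude_files" rows="5" cols="50"><?php echo $aio_wp_security->configs->get_value('aiowps_fcd_exclude_files'); ?></textarea>
+ <br />
+ <span class="description"><?php _e('Enter each file or directory on a new line which you wish to exclude from the file change detection scan.', 'aiowpsecurity'); ?></span>
+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
+ <div class="aiowps_more_info_body">
+ <?php
+ echo '<p class="description">'.__('You can exclude specific files/directories from the scan which would not normally pose any security threat if they were changed. These can include things such as log files.', 'aiowpsecurity').'</p>';
+ echo '<p class="description">'.__('Example: If you want the scanner to ignore certain files in different directories or whole directories, then you would enter the following:', 'aiowpsecurity').'</p>';
+ echo '<p class="description">'.__('cache/config/master.php', 'aiowpsecurity').'</p>';
+ echo '<p class="description">'.__('somedirectory', 'aiowpsecurity').'</p>';
+ ?>
+ </div>
+ </td>
+ </tr>
+ <tr valign="top">
+ <th scope="row"><?php _e('Send Email When Change Detected', 'aiowpsecurity')?>:</th>
+ <td>
+ <input name="aiowps_send_fcd_scan_email" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_send_fcd_scan_email')=='1') echo ' checked="checked"'; ?> value="1"/>
+ <span class="description"><?php _e('Check this if you want the system to email you if a file change was detected', 'aiowpsecurity'); ?></span>
+ <br /><input size="40" name="aiowps_fcd_scan_email_address" value="<?php echo $aio_wp_security->configs->get_value('aiowps_fcd_scan_email_address'); ?>" />
+ <span class="description"><?php _e('Enter an email address', 'aiowpsecurity'); ?></span>
+ </td>
+ </tr>
+ </table>
+ <input type="submit" name="aiowps_schedule_fcd_scan" value="<?php _e('Save Settings', 'aiowpsecurity')?>" class="button-primary" />
+ </form>
+ </div></div>
+
+ <?php
+ }
+
+ /*
+ * Outputs the last scan results in a postbox
+ */
+ function display_last_scan_results()
+ {
+ global $wpdb;
+ //Let's get the results array from the DB
+ $query = "SELECT * FROM ".AIOWPSEC_TBL_GLOBAL_META_DATA." WHERE meta_key1='file_change_detection'";
+ $scan_db_data = $wpdb->get_row($query, ARRAY_A);
+ if ($scan_db_data === NULL)
+ {
+ //TODO: Failure scenario
+ return;
+ }
+ $date_last_scan = $scan_db_data['date_time'];
+ $scan_results_unserialized = maybe_unserialize($scan_db_data['meta_value5']);
+ ?>
+ <div class="postbox">
+ <h3><label for="title"><?php _e('Latest File Change Scan Results', 'aiowpsecurity'); ?></label></h3>
+ <div class="inside">
+ <?php
+ $files_added_output = "";
+ $files_removed_output = "";
+ $files_changed_output = "";
+ if (!empty($scan_results_unserialized['files_added']))
+ {
+ //Output table of files added
+ echo '<div class="aio_info_with_icon aio_spacer_10_tb">'.__('The following files were added to your host.', 'aiowpsecurity').'</div>';
+ $files_added_output .= '<table class="widefat">';
+ $files_added_output .= '<tr>';
+ $files_added_output .= '<th>'.__('File','aiowpsecurity').'</th>';
+ $files_added_output .= '<th>'.__('File Size','aiowpsecurity').'</th>';
+ $files_added_output .= '<th>'.__('File Modified','aiowpsecurity').'</th>';
+ $files_added_output .= '</tr>';
+ foreach ($scan_results_unserialized['files_added'] as $key=>$value) {
+ $files_added_output .= '<tr>';
+ $files_added_output .= '<td>'.$key.'</td>';
+ $files_added_output .= '<td>'.$value['filesize'].'</td>';
+ $files_added_output .= '<td>'.date('Y-m-d H:i:s',$value['last_modified']).'</td>';
+ $files_added_output .= '</tr>';
+ }
+ $files_added_output .= '</table>';
+ echo $files_added_output;
+ }
+ echo '<div class="aio_spacer_15"></div>';
+ if (!empty($scan_results_unserialized['files_removed']))
+ {
+ //Output table of files removed
+ echo '<div class="aio_info_with_icon aio_spacer_10_tb">'.__('The following files were removed from your host.', 'aiowpsecurity').'</div>';
+ $files_removed_output .= '<table class="widefat">';
+ $files_removed_output .= '<tr>';
+ $files_removed_output .= '<th>'.__('File','aiowpsecurity').'</th>';
+ $files_removed_output .= '<th>'.__('File Size','aiowpsecurity').'</th>';
+ $files_removed_output .= '<th>'.__('File Modified','aiowpsecurity').'</th>';
+ $files_removed_output .= '</tr>';
+ foreach ($scan_results_unserialized['files_removed'] as $key=>$value) {
+ $files_removed_output .= '<tr>';
+ $files_removed_output .= '<td>'.$key.'</td>';
+ $files_removed_output .= '<td>'.$value['filesize'].'</td>';
+ $files_removed_output .= '<td>'.date('Y-m-d H:i:s',$value['last_modified']).'</td>';
+ $files_removed_output .= '</tr>';
+ }
+ $files_removed_output .= '</table>';
+ echo $files_removed_output;
+
+ }
+
+ echo '<div class="aio_spacer_15"></div>';
+
+ if (!empty($scan_results_unserialized['files_changed']))
+ {
+ //Output table of files changed
+ echo '<div class="aio_info_with_icon aio_spacer_10_tb">'.__('The following files were changed on your host.', 'aiowpsecurity').'</div>';
+ $files_changed_output .= '<table class="widefat">';
+ $files_changed_output .= '<tr>';
+ $files_changed_output .= '<th>'.__('File','aiowpsecurity').'</th>';
+ $files_changed_output .= '<th>'.__('File Size','aiowpsecurity').'</th>';
+ $files_changed_output .= '<th>'.__('File Modified','aiowpsecurity').'</th>';
+ $files_changed_output .= '</tr>';
+ foreach ($scan_results_unserialized['files_changed'] as $key=>$value) {
+ $files_changed_output .= '<tr>';
+ $files_changed_output .= '<td>'.$key.'</td>';
+ $files_changed_output .= '<td>'.$value['filesize'].'</td>';
+ $files_changed_output .= '<td>'.date('Y-m-d H:i:s',$value['last_modified']).'</td>';
+ $files_changed_output .= '</tr>';
+ }
+ $files_changed_output .= '</table>';
+ echo $files_changed_output;
+ }
+
+ ?>
+ </div></div>
+ <?php
+ }
+ } //end class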
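Review bot: The `fcd_scan_info` handler at new line 68 of `render_tab1()` clears `aiowps_fcds_change_detected` and saves the config on any POST carrying that field, with no nonce check, while the sibling handlers at lines 81 and 103 both verify one; the form built at line 200 emits no `wp_nonce_field` either, so a forged cross-site POST can silence the file-change alert. Mirror the sibling handlers (rewrite below; the nonce action name is chosen here) and have the button markup include the matching hidden field via `wp_nonce_field('...', '_wpnonce', true, false)`, which returns the field instead of echoing it. In `display_last_scan_results()` the path `$key` and `$value['filesize']` are concatenated raw into `<td>` cells at lines 336–338, 357–359 and 381–383, yet these values are taken from whatever files appeared on the host, so each should pass through `esc_html()`, e.g. `$files_added_output .= '<td>'.esc_html($key).'</td>';`. `get_current_tab()` at line 24 returns `$_GET['tab']` unvalidated and line 56 indexes `$this->menu_tabs_handler` with it, so an unknown tab yields an undefined-index notice and a `call_user_func` on null; fall back to `$tab_keys[0]` when `isset($this->menu_tabs_handler[$tab])` is false.
```php
if (isset($_POST['fcd_scan_info']))
{
    $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
    if (!wp_verify_nonce($nonce, 'aiowpsec-fcd-scan-info-nonce')) // action name chosen here; must match the wp_nonce_field call below
    {
        $aio_wp_security->debug_logger->log_debug("Nonce check failed for file change detection scan info request!",4);
        die(__('Nonce check failed for file change detection scan info request!','aiowpsecurity'));
    }
    // … unchanged: clear aiowps_fcds_change_detected, save_config(), display_last_scan_results() …
}
// … unchanged: manual scan handler, scheduled scan handler …
$button = '<div><form action="" method="POST">'.wp_nonce_field('aiowpsec-fcd-scan-info-nonce', '_wpnonce', true, false).'<input type="submit" name="fcd_scan_info" value="'.__('View Scan Details & Clear This Message', 'aiowpsecurity').'" class="button-secondary" /></form></div>';
```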
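--- a/admin/wp-security-filesystem-menu.php
+++ b/admin/wp-security-filesystem-menu.php
@@ -1,6 +1,6 @@
  <?php
 
- class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
+ class AIOWPSecurity_Filesystem_Menu extends AIOWPSecurity_Admin_Menu
  {
  var $menu_page_slug = AIOWPSEC_FILESYSTEM_MENU_SLUG;
 
@@ -554,7 +554,7 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
  if (!$error_file_contents)
  {
  //TODO - error could not read file, display notice???
- $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Filescan_Menu - Unable to read file: ".$filepath,4);
+ $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Filesystem_Menu - Unable to read file: ".$filepath,4);
 
  }
  $last_50_entries = array_slice($error_file_contents, -50); //extract the last 50 entries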
admin/wp-security-list-comment-spammer-ip.php CHANGED
@@ -21,9 +21,14 @@ class AIOWPSecurity_List_Comment_Spammer_IP extends AIOWPSecurity_List_Table {
21
  function column_comment_author_IP($item){
22
  $tab = strip_tags($_REQUEST['tab']);
23
  //Build row actions
24
- $actions = array(
25
- 'block' => sprintf('<a href="admin.php?page=%s&tab=%s&action=%s&spammer_ip=%s" onclick="return confirm(\'Are you sure you want to add this IP address to your blacklist?\')">Block</a>',AIOWPSEC_BLACKLIST_MENU_SLUG,$tab,'block_spammer_ip',$item['comment_author_IP']),
26
- );
 
 
 
 
 
27
 
28
  //Return the user_login contents
29
  return sprintf('%1$s <span style="color:silver"></span>%2$s',
@@ -59,9 +64,14 @@ class AIOWPSecurity_List_Comment_Spammer_IP extends AIOWPSecurity_List_Table {
59
  }
60
 
61
  function get_bulk_actions() {
62
- $actions = array(
63
- 'block' => 'Block'
64
- );
 
 
 
 
 
65
  return $actions;
66
  }
67
 
21
  function column_comment_author_IP($item){
22
  $tab = strip_tags($_REQUEST['tab']);
23
  //Build row actions
24
+ if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1){
25
+ //Suppress the block link if site is a multi site AND not the main site
26
+ $actions = array(); //blank array
27
+ }else{
28
+ $actions = array(
29
+ 'block' => sprintf('<a href="admin.php?page=%s&tab=%s&action=%s&spammer_ip=%s" onclick="return confirm(\'Are you sure you want to add this IP address to your blacklist?\')">Block</a>',AIOWPSEC_BLACKLIST_MENU_SLUG,$tab,'block_spammer_ip',$item['comment_author_IP']),
30
+ );
31
+ }
32
 
33
  //Return the user_login contents
34
  return sprintf('%1$s <span style="color:silver"></span>%2$s',
64
  }
65
 
66
  function get_bulk_actions() {
67
+ if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1){
68
+ //Suppress the block link if site is a multi site AND not the main site
69
+ $actions = array(); //blank array
70
+ }else{
71
+ $actions = array(
72
+ 'block' => 'Block'
73
+ );
74
+ }
75
  return $actions;
76
  }
77
 
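Review bot: Both new branches (column_comment_author_IP and get_bulk_actions) hard-code the main site as blog id 1; WordPress provides is_main_site() for exactly this, and the same `get_current_blog_id() != 1` test recurs in wp-security-settings-menu.php and wp-security-spam-menu.php in this commit, so one helper along the lines of `AIOWPSecurity_Utility::is_multisite_install() && !is_main_site()` would keep them consistent. Hiding the Block link is presentation only; the handler for `action=block_spammer_ip` (outside this hunk) needs the same check, because the URL remains reachable without the link. While the link line is being touched, `$tab` comes from `$_REQUEST` through strip_tags(), which is not attribute escaping, so `esc_attr($tab)` plus wrapping the URL in `wp_nonce_url()` is the usual treatment for a state-changing GET link in wp-admin.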
admin/wp-security-list-locked-ip.php CHANGED
@@ -18,11 +18,11 @@ class AIOWPSecurity_List_Locked_IP extends AIOWPSecurity_List_Table {
18
  }
19
 
20
  function column_failed_login_ip($item){
21
- $tab = strip_tags($_REQUEST['tab']);
22
  //Build row actions
23
  $actions = array(
24
- 'unlock' => sprintf('<a href="admin.php?page=%s&tab=%s&action=%s&lockdown_id=%s" onclick="return confirm(\'Are you sure you want to unlock this address range?\')">Unlock</a>',AIOWPSEC_USER_LOGIN_MENU_SLUG,$tab,'unlock_ip',$item['id']),
25
- 'delete' => sprintf('<a href="admin.php?page=%s&tab=%s&action=%s&lockdown_id=%s" onclick="return confirm(\'Are you sure you want to delete this item?\')">Delete</a>',AIOWPSEC_USER_LOGIN_MENU_SLUG,$tab,'delete_blocked_ip',$item['id']),
26
  );
27
 
28
  //Return the user_login contents
18
  }
19
 
20
  function column_failed_login_ip($item){
21
+ //$tab = strip_tags($_REQUEST['tab']);
22
  //Build row actions
23
  $actions = array(
24
+ 'unlock' => sprintf('<a href="admin.php?page=%s&action=%s&lockdown_id=%s" onclick="return confirm(\'Are you sure you want to unlock this address range?\')">Unlock</a>',AIOWPSEC_USER_LOGIN_MENU_SLUG,'unlock_ip',$item['id']),
25
+ 'delete' => sprintf('<a href="admin.php?page=%s&action=%s&lockdown_id=%s" onclick="return confirm(\'Are you sure you want to delete this item?\')">Delete</a>',AIOWPSEC_USER_LOGIN_MENU_SLUG,'delete_blocked_ip',$item['id']),
26
  );
27
 
28
  //Return the user_login contents
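Review bot: The commented-out `//$tab = strip_tags($_REQUEST['tab']);` on line 21 should be deleted rather than kept, since neither link uses the tab any more and it is now dead code. Dropping `&tab=%s` from both URLs means the unlock/delete handlers must select the right tab themselves; that handler is outside this hunk, so I assume it does. Both links are state-changing GET requests built without a nonce; wrapping each URL in `wp_nonce_url()` and verifying it in the handler is the standard protection for delete/unlock actions.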
admin/wp-security-settings-menu.php CHANGED
@@ -90,7 +90,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
90
  <h3><label for="title"><?php _e('WP Security Plugin', 'aiowpsecurity'); ?></label></h3>
91
  <div class="inside">
92
  <p><?php _e('Thank you for using our WordPress security plugin. There are a lot of security features in this plugin.', 'aiowpsecurity'); ?></p>
93
- <p><?php _e('Go through each menu items and enable the security options to add more security to your site.', 'aiowpsecurity'); ?></p>
94
  <p><?php _e('It is a good practice to take a backup of your .htaccess file, database and wp-config.php file before activating the security features. This plugin has options that you can use to backup those resources easily.', 'aiowpsecurity'); ?></p>
95
  <p>
96
  <ul class="aiowps_admin_ul_grp1">
@@ -213,7 +213,15 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
213
  </p>';
214
  ?>
215
  </div>
216
-
 
 
 
 
 
 
 
 
217
  <div class="postbox">
218
  <h3><label for="title"><?php _e('Save the current .htaccess file', 'aiowpsecurity'); ?></label></h3>
219
  <div class="inside">
@@ -257,49 +265,12 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
257
  </div></div>
258
 
259
  <?php
 
260
  }
261
 
262
  function render_tab3()
263
  {
264
  global $aio_wp_security;
265
-
266
- if(isset($_POST['aiowps_save_wp_config']))//Do form submission tasks
267
- {
268
- $nonce=$_REQUEST['_wpnonce'];
269
- if (!wp_verify_nonce($nonce, 'aiowpsec-save-wp-config-nonce'))
270
- {
271
- $aio_wp_security->debug_logger->log_debug("Nonce check failed on wp_config file save!",4);
272
- die("Nonce check failed on wp_config file save!");
273
- }
274
- $wp_config_path = ABSPATH . 'wp-config.php';
275
- $result = AIOWPSecurity_Utility_File::backup_a_file($wp_config_path); //Backup the wp_config.php file
276
-
277
- if ($result)
278
- {
279
- $random_prefix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
280
- if (rename(ABSPATH.'wp-config.php.backup', AIO_WP_SECURITY_BACKUPS_PATH.'/'.$random_prefix.'_wp-config-backup.txt'))
281
- {
282
- // $backup_file_url = AIO_WP_SECURITY_BACKUPS_PATH . '/wp-config-backup.txt';
283
- echo '<div id="message" class="updated fade"><p>';
284
- _e('Your wp-config.php file was successfully backed up! Using an FTP program go to the "backups" directory of this plugin to save a copy of the file to your computer.','aiowpsecurity');
285
- // echo '<p>';
286
- // _e('Your wp-config.php File: ');
287
- // echo '<a href="'.$backup_file_url.'" target="_blank">'.$backup_file_url.'</a>';
288
- // echo '</p>';
289
- echo '</p></div>';
290
- }
291
- else
292
- {
293
- $aio_wp_security->debug_logger->log_debug("wp-config.php file rename failed during backup!",4);
294
- $this->show_msg_error(__('wp-config.php file rename failed during backup. Please check your root directory for the backup file using FTP.','aiowpsecurity'));
295
- }
296
- }
297
- else
298
- {
299
- $aio_wp_security->debug_logger->log_debug("wp-config.php - Backup operation failed!",4);
300
- $this->show_msg_error(__('wp-config.php backup failed.','aiowpsecurity'));
301
- }
302
- }
303
 
304
  if(isset($_POST['aiowps_restore_wp_config_button']))//Do form submission tasks
305
  {
@@ -353,20 +324,22 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
353
  </p>';
354
  ?>
355
  </div>
356
-
 
 
 
 
 
 
 
 
357
  <div class="postbox">
358
  <h3><label for="title"><?php _e('Save the current wp-config.php file', 'aiowpsecurity'); ?></label></h3>
359
  <div class="inside">
360
  <form action="" method="POST">
361
  <?php wp_nonce_field('aiowpsec-save-wp-config-nonce'); ?>
362
- <p class="description"><?php _e('Click the button below to backup and save the currently active wp-config.php file.', 'aiowpsecurity'); ?></p>
363
- <!--<input type="submit" name="aiowps_save_wp_config" value="<?php _e('Backup wp-config.php File', 'aiowpsecurity')?>" class="button-primary" /> -->
364
- <div class="aio_yellow_box">
365
- <?php
366
- $info_msg = '<p>'.__('The feature to back up the wp-config.php has currently been disabled in order to prevent a potential security exploit. We are currently in the process of implementing a more secure method which we will release in a future version of the plugin.', 'aiowpsecurity').'</p>';
367
- echo $info_msg;
368
- ?>
369
- </div>
370
 
371
  </form>
372
  </div></div>
@@ -403,6 +376,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
403
  </div></div>
404
 
405
  <?php
 
406
  }
407
 
408
  function render_tab4()
90
  <h3><label for="title"><?php _e('WP Security Plugin', 'aiowpsecurity'); ?></label></h3>
91
  <div class="inside">
92
  <p><?php _e('Thank you for using our WordPress security plugin. There are a lot of security features in this plugin.', 'aiowpsecurity'); ?></p>
93
+ <p><?php _e('Go through each menu items and enable the security options to add more security to your site. Start by activating the basic features first.', 'aiowpsecurity'); ?></p>
94
  <p><?php _e('It is a good practice to take a backup of your .htaccess file, database and wp-config.php file before activating the security features. This plugin has options that you can use to backup those resources easily.', 'aiowpsecurity'); ?></p>
95
  <p>
96
  <ul class="aiowps_admin_ul_grp1">
213
  </p>';
214
  ?>
215
  </div>
216
+ <?php
217
+ if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1)
218
+ {
219
+ //Hide config settings if MS and not main site
220
+ AIOWPSecurity_Utility::display_multisite_message();
221
+ }
222
+ else
223
+ {
224
+ ?>
225
  <div class="postbox">
226
  <h3><label for="title"><?php _e('Save the current .htaccess file', 'aiowpsecurity'); ?></label></h3>
227
  <div class="inside">
265
  </div></div>
266
 
267
  <?php
268
+ } // End if statement
269
  }
270
 
271
  function render_tab3()
272
  {
273
  global $aio_wp_security;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
274
 
275
  if(isset($_POST['aiowps_restore_wp_config_button']))//Do form submission tasks
276
  {
324
  </p>';
325
  ?>
326
  </div>
327
+ <?php
328
+ if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1)
329
+ {
330
+ //Hide config settings if MS and not main site
331
+ AIOWPSecurity_Utility::display_multisite_message();
332
+ }
333
+ else
334
+ {
335
+ ?>
336
  <div class="postbox">
337
  <h3><label for="title"><?php _e('Save the current wp-config.php file', 'aiowpsecurity'); ?></label></h3>
338
  <div class="inside">
339
  <form action="" method="POST">
340
  <?php wp_nonce_field('aiowpsec-save-wp-config-nonce'); ?>
341
+ <p class="description"><?php _e('Click the button below to backup and download the contents of the currently active wp-config.php file.', 'aiowpsecurity'); ?></p>
342
+ <input type="submit" name="aiowps_save_wp_config" value="<?php _e('Backup wp-config.php File', 'aiowpsecurity')?>" class="button-primary" />
 
 
 
 
 
 
343
 
344
  </form>
345
  </div></div>
376
  </div></div>
377
 
378
  <?php
379
+ } //End if statement
380
  }
381
 
382
  function render_tab4()
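Review bot: The wp-config form at lines 336-344 is re-enabled (new description text and the `aiowps_save_wp_config` submit), but the POST handler that consumed it in render_tab3 is deleted in this same section and its replacement is not in this file, so the new handler — presumably in wp-security-admin-init.php, where this commit adds code — must verify the `aiowpsec-save-wp-config-nonce` nonce and a capability check before it streams wp-config.php, since that file holds database credentials and salts. The multisite guards added around both postboxes are presentation only; the handler has to apply the same rule server-side, and `!is_main_site()` is preferable to the hard-coded `get_current_blog_id() != 1` used at lines 217 and 328. A short comment next to the submit, such as `<?php // Submission is processed before headers are sent so the file can be served as a download ?>`, would tell the next reader where the form goes, if that is indeed how it is handled.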
admin/wp-security-spam-menu.php CHANGED
@@ -116,6 +116,13 @@ class AIOWPSecurity_Spam_Menu extends AIOWPSecurity_Admin_Menu
116
  <?php
117
  //Display security info badge
118
  $aiowps_feature_mgr->output_feature_details_badge("block-spambots");
 
 
 
 
 
 
 
119
  ?>
120
  <table class="form-table">
121
  <tr valign="top">
@@ -135,6 +142,7 @@ class AIOWPSecurity_Spam_Menu extends AIOWPSecurity_Admin_Menu
135
  </td>
136
  </tr>
137
  </table>
 
138
  </div></div>
139
 
140
  <input type="submit" name="aiowps_apply_comment_spam_prevention_settings" value="<?php _e('Save Settings', 'aiowpsecurity')?>" class="button-primary" />
@@ -224,7 +232,15 @@ class AIOWPSecurity_Spam_Menu extends AIOWPSecurity_Admin_Menu
224
  <div class="postbox">
225
  <h3><label for="title"><?php _e('SPAMMER IP Address Results', 'aiowpsecurity'); ?></label></h3>
226
  <div class="inside">
227
- <?php
 
 
 
 
 
 
 
 
228
  //Fetch, prepare, sort, and filter our data...
229
  $spammer_ip_list->prepare_items();
230
  //echo "put table of locked entries here";
116
  <?php
117
  //Display security info badge
118
  $aiowps_feature_mgr->output_feature_details_badge("block-spambots");
119
+ if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1)
120
+ {
121
+ //Hide config settings if MS and not main site
122
+ AIOWPSecurity_Utility::display_multisite_message();
123
+ }
124
+ else
125
+ {
126
  ?>
127
  <table class="form-table">
128
  <tr valign="top">
142
  </td>
143
  </tr>
144
  </table>
145
+ <?php } //End if statement ?>
146
  </div></div>
147
 
148
  <input type="submit" name="aiowps_apply_comment_spam_prevention_settings" value="<?php _e('Save Settings', 'aiowpsecurity')?>" class="button-primary" />
232
  <div class="postbox">
233
  <h3><label for="title"><?php _e('SPAMMER IP Address Results', 'aiowpsecurity'); ?></label></h3>
234
  <div class="inside">
235
+ <?php
236
+ if (AIOWPSecurity_Utility::is_multisite_install() && get_current_blog_id() != 1)
237
+ {
238
+ echo '<div class="aio_yellow_box">';
239
+ echo '<p>'.__('The plugin has detected that you are using a Multi-Site WordPress installation.', 'aiowpsecurity').'</p>
240
+ <p>'.__('Only the "superadmin" can block IP addresses from the main site.', 'aiowpsecurity').'</p>
241
+ <p>'.__('Take note of the IP addresses you want blocked and ask the superadmin to add these to the blacklist using the "Blacklist Manager" on the main site.', 'aiowpsecurity').'</p>';
242
+ echo '</div>';
243
+ }
244
  //Fetch, prepare, sort, and filter our data...
245
  $spammer_ip_list->prepare_items();
246
  //echo "put table of locked entries here";
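Review bot: The guard added in the first hunk hides only the settings table; the `Save Settings` submit on context line 148 stays outside the `else` block, so on a subsite the form still posts `aiowps_apply_comment_spam_prevention_settings`, and the handler (above this hunk, not visible) must repeat the multisite check or the hidden settings remain writable. The second hunk builds its own yellow box inline while the first calls `AIOWPSecurity_Utility::display_multisite_message()`; giving that helper an optional message parameter would keep both notices in one place. Both hunks express "main site" as `get_current_blog_id() != 1`, where `!is_main_site()` is the WordPress idiom.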
admin/wp-security-user-accounts-menu.php CHANGED
@@ -90,8 +90,7 @@ class AIOWPSecurity_User_Accounts_Menu extends AIOWPSecurity_Admin_Menu
90
  <?php
91
  //display a list of all administrator accounts for this site
92
  $postbox_title = __('List of Administrator Accounts', 'aiowpsecurity');
93
- //TODO: Multi-site: might need to put separate code for multi-site, ie, check if multi-site and then call get_all_admin_accounts($blog_id).
94
- if (AIOWPSecurity_Utility::is_multisite_install()) { //get admin accounts for current site
95
  $blog_id = get_current_blog_id();
96
  $this->postbox($postbox_title, $this->get_all_admin_accounts($blog_id));
97
  } else {
90
  <?php
91
  //display a list of all administrator accounts for this site
92
  $postbox_title = __('List of Administrator Accounts', 'aiowpsecurity');
93
+ if (AIOWPSecurity_Utility::is_multisite_install()) { //Multi-site: get admin accounts for current site
 
94
  $blog_id = get_current_blog_id();
95
  $this->postbox($postbox_title, $this->get_all_admin_accounts($blog_id));
96
  } else {
classes/grade-system/wp-security-feature-item-manager.php CHANGED
@@ -74,6 +74,11 @@ class AIOWPSecurity_Feature_Item_Manager
74
 
75
  //SPAM Prevention
76
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("block-spambots", "Block Spambots", $this->feature_point_2, $this->sec_level_basic);
 
 
 
 
 
77
  }
78
 
79
  function get_feature_item_by_id($feature_id)
@@ -214,6 +219,12 @@ class AIOWPSecurity_Feature_Item_Manager
214
  {
215
  $this->check_enable_block_spambots_feature($item);
216
  }
 
 
 
 
 
 
217
  }
218
  }
219
 
@@ -503,4 +514,17 @@ class AIOWPSecurity_Feature_Item_Manager
503
  $item->set_feature_status($this->feature_inactive);
504
  }
505
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
506
  }
74
 
75
  //SPAM Prevention
76
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("block-spambots", "Block Spambots", $this->feature_point_2, $this->sec_level_basic);
77
+
78
+ //Filescan
79
+ //File change detection
80
+ $this->feature_items[] = new AIOWPSecurity_Feature_Item("scan-file-change-detection", "File Change Detection", $this->feature_point_4, $this->sec_level_inter);
81
+
82
  }
83
 
84
  function get_feature_item_by_id($feature_id)
219
  {
220
  $this->check_enable_block_spambots_feature($item);
221
  }
222
+
223
+ if($item->feature_id == "scan-file-change-detection")
224
+ {
225
+ $this->check_enable_fcd_scan_feature($item);
226
+ }
227
+
228
  }
229
  }
230
 
514
  $item->set_feature_status($this->feature_inactive);
515
  }
516
  }
517
+
518
+ function check_enable_fcd_scan_feature($item)
519
+ {
520
+ global $aio_wp_security;
521
+ if ($aio_wp_security->configs->get_value('aiowps_enable_automated_fcd_scan') == '1') {
522
+ $item->set_feature_status($this->feature_active);
523
+ }
524
+ else
525
+ {
526
+ $item->set_feature_status($this->feature_inactive);
527
+ }
528
+ }
529
+
530
  }
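Review bot: check_enable_fcd_scan_feature carries no docblock, and the dispatch at lines 223-226 is the only place that says what it is for; a one-liner above the method such as `/* Marks "scan-file-change-detection" active when the automated scan checkbox (aiowps_enable_automated_fcd_scan) is on */` would tie the feature item at line 80 to its status check. The `== '1'` comparison is loose; `=== '1'` is safer, provided the sibling check_enable_* methods (outside the hunk) are changed the same way so the grading stays consistent.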
classes/wp-security-backup.php CHANGED
@@ -7,7 +7,7 @@ class AIOWPSecurity_Backup
7
 
8
  function __construct()
9
  {
10
- add_action('aiowps_perform_scheduled_backup_tasks', array(&$this, 'aiowps_scheduled_backup_handler')); //TODO - this action never gets fired - need to investigate
11
  }
12
 
13
  /**
@@ -163,7 +163,7 @@ class AIOWPSecurity_Backup
163
  //Get the right email address.
164
  if ( is_email( $aio_wp_security->configs->get_value('aiowps_send_backup_email_address') ) )
165
  {
166
- $toaddress = $aio_wp_security->configs->get_value('aiowps_send_backup_email_address');
167
  } else
168
  {
169
  $toaddress = get_site_option( 'admin_email' );
7
 
8
  function __construct()
9
  {
10
+ add_action('aiowps_perform_scheduled_backup_tasks', array(&$this, 'aiowps_scheduled_backup_handler'));
11
  }
12
 
13
  /**
163
  //Get the right email address.
164
  if ( is_email( $aio_wp_security->configs->get_value('aiowps_send_backup_email_address') ) )
165
  {
166
+ $toaddress = $aio_wp_security->configs->get_value('aiowps_backup_email_address');
167
  } else
168
  {
169
  $toaddress = get_site_option( 'admin_email' );
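Review bot: The condition on line 164 still tests is_email() on `aiowps_send_backup_email_address` while the assignment on line 166 now reads `aiowps_backup_email_address`, so the check and the value it guards use different keys; whichever key holds the address must be used in both places, otherwise the fallback to admin_email is taken unconditionally or an unvalidated value is used. If `aiowps_send_backup_email_address` is the enable checkbox — the naming parallel with aiowps_send_fcd_scan_email / aiowps_fcd_scan_email_address added in this commit suggests so — the fix is `if ( is_email( $aio_wp_security->configs->get_value('aiowps_backup_email_address') ) )`. The enclosing method starts outside the hunk.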
classes/wp-security-config.php CHANGED
@@ -21,6 +21,8 @@ class AIOWPSecurity_Config{
21
  }
22
 
23
  function add_value($key, $value){
 
 
24
  if (array_key_exists($key, $this->configs)){
25
  //Don't update the value for this key
26
  }
21
  }
22
 
23
  function add_value($key, $value){
24
+ if(!is_array($this->configs)){$this->configs = array();}
25
+
26
  if (array_key_exists($key, $this->configs)){
27
  //Don't update the value for this key
28
  }
classes/wp-security-configure-settings.php CHANGED
@@ -69,6 +69,18 @@ class AIOWPSecurity_Configure_Settings
69
 
70
  //SPAM Prevention menu
71
  $aio_wp_security->configs->set_value('aiowps_enable_spambot_blocking','');//Checkbox
 
 
 
 
 
 
 
 
 
 
 
 
72
 
73
  //TODO - keep adding default options for any fields that require it
74
 
@@ -140,6 +152,17 @@ class AIOWPSecurity_Configure_Settings
140
  //SPAM Prevention menu
141
  $aio_wp_security->configs->add_value('aiowps_enable_spambot_blocking','');//Checkbox
142
 
 
 
 
 
 
 
 
 
 
 
 
143
  //TODO - keep adding default options for any fields that require it
144
 
145
  //Save it
69
 
70
  //SPAM Prevention menu
71
  $aio_wp_security->configs->set_value('aiowps_enable_spambot_blocking','');//Checkbox
72
+
73
+ //Filescan features
74
+ //File change detection feature
75
+ $aio_wp_security->configs->set_value('aiowps_enable_automated_fcd_scan','');//Checkbox
76
+ $aio_wp_security->configs->set_value('aiowps_fcd_scan_frequency','4');
77
+ $aio_wp_security->configs->set_value('aiowps_fcd_scan_interval','2'); //Dropdown box where (0,1,2) => (hours,days,weeks)
78
+ $aio_wp_security->configs->set_value('aiowps_fcd_exclude_filetypes','');
79
+ $aio_wp_security->configs->set_value('aiowps_fcd_exclude_files','');
80
+ $aio_wp_security->configs->set_value('aiowps_send_fcd_scan_email','');//Checkbox
81
+ $aio_wp_security->configs->set_value('aiowps_fcd_scan_email_address',$blog_email_address);
82
+ $aio_wp_security->configs->set_value('aiowps_fcds_change_detected',FALSE); //used to display a global alert on site when file change detected
83
+
84
 
85
  //TODO - keep adding default options for any fields that require it
86
 
152
  //SPAM Prevention menu
153
  $aio_wp_security->configs->add_value('aiowps_enable_spambot_blocking','');//Checkbox
154
 
155
+ //Filescan features
156
+ //File change detection feature
157
+ $aio_wp_security->configs->add_value('aiowps_enable_automated_fcd_scan','');//Checkbox
158
+ $aio_wp_security->configs->add_value('aiowps_fcd_scan_frequency','4');
159
+ $aio_wp_security->configs->add_value('aiowps_fcd_scan_interval','2'); //Dropdown box where (0,1,2) => (hours,days,weeks)
160
+ $aio_wp_security->configs->add_value('aiowps_fcd_exclude_filetypes','');
161
+ $aio_wp_security->configs->add_value('aiowps_fcd_exclude_files','');
162
+ $aio_wp_security->configs->add_value('aiowps_send_fcd_scan_email','');//Checkbox
163
+ $aio_wp_security->configs->add_value('aiowps_fcd_scan_email_address',$blog_email_address);
164
+ $aio_wp_security->configs->add_value('aiowps_fcds_change_detected',FALSE); //used to display a global alert on site when file change detected
165
+
166
  //TODO - keep adding default options for any fields that require it
167
 
168
  //Save it
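Review bot: The comment on `aiowps_fcd_scan_interval` here says (0,1,2) => (hours,days,weeks), while the consumer in wp-security-file-scan.php annotates the same setting as Hours/Days/Months; the switch there maps 2 to 'weeks', so this comment is the accurate one and the other should be aligned to it. The same eight keys appear twice (set_value at 75-82 and add_value at 157-164); a single array of defaults iterated in both places would keep the two lists from drifting. `aiowps_fcds_change_detected` is the only default stored as a boolean while every sibling is a string; if the reader side compares it loosely that is harmless, but a comment saying it is a bool flag rather than a '1'/'' checkbox value would prevent someone "normalising" it later.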
classes/wp-security-cronjob-handler.php CHANGED
@@ -16,6 +16,7 @@ class AIOWPSecurity_Cronjob_Handler {
16
  //do_action('aiowps_force_logout_check');
17
  //do_action('aiowps_check_password_stuff');
18
  do_action('aiowps_perform_scheduled_backup_tasks');
 
19
  }
20
 
21
  // function aiowps_daily_cron_event_handler()
16
  //do_action('aiowps_force_logout_check');
17
  //do_action('aiowps_check_password_stuff');
18
  do_action('aiowps_perform_scheduled_backup_tasks');
19
+ do_action('aiowps_perform_fcd_scan_tasks');
20
  }
21
 
22
  // function aiowps_daily_cron_event_handler()
classes/wp-security-file-scan.php ADDED
@@ -0,0 +1,244 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+ class AIOWPSecurity_Filescan
3
+ {
4
+
5
+ function __construct()
6
+ {
7
+ add_action('aiowps_perform_fcd_scan_tasks', array(&$this, 'aiowps_scheduled_fcd_scan_handler'));
8
+ }
9
+
10
+ /**
11
+ * This function will recursively scan through all directories starting from the specified location
12
+ * It will store the path/filename, last_modified and filesize values in a multi-dimensional associative array
13
+ */
14
+ function execute_file_change_detection_scan()
15
+ {
16
+ global $aio_wp_security;
17
+ $scan_result = array();
18
+ if($this->has_scan_data()){
19
+ $scanned_data = $this->do_file_change_scan(); //Scan the filesystem and get details
20
+ $last_scan_data = $this->get_last_scan_data();
21
+ $scan_result = $this->compare_scan_data($last_scan_data,$scanned_data);
22
+ $scan_result['initial_scan'] = '';
23
+ $this->save_scan_data_to_db($scanned_data, 'update', $scan_result);
24
+ if (!empty($scan_result['files_added']) || !empty($scan_result['files_removed']) || !empty($scan_result['files_changed'])){
25
+ //This means there was a change detected
26
+ $aio_wp_security->configs->set_value('aiowps_fcds_change_detected', TRUE);
27
+ $aio_wp_security->configs->save_config();
28
+ $aio_wp_security->debug_logger->log_debug_cron("File Change Detection Feature: change to filesystem detected!");
29
+
30
+ $this->aiowps_send_file_change_alert_email(); //Send file change scan results via email if applicable
31
+ }
32
+ return $scan_result;
33
+ }
34
+ else{
35
+ $scanned_data = $this->do_file_change_scan();
36
+ $this->save_scan_data_to_db($scanned_data);
37
+ $scan_result['initial_scan'] = '1';
38
+ return $scan_result;
39
+ }
40
+ }
41
+
42
+ function aiowps_send_file_change_alert_email()
43
+ {
44
+ global $aio_wp_security;
45
+ if ( $aio_wp_security->configs->get_value('aiowps_send_fcd_scan_email') == '1' )
46
+ {
47
+ //Get the right email address.
48
+ if ( is_email( $aio_wp_security->configs->get_value('aiowps_fcd_scan_email_address') ) )
49
+ {
50
+ $toaddress = $aio_wp_security->configs->get_value('aiowps_fcd_scan_email_address');
51
+ } else
52
+ {
53
+ $toaddress = get_site_option( 'admin_email' );
54
+ }
55
+
56
+ $to = $toaddress;
57
+ $headers = 'From: ' . get_option( 'blogname' ) . ' <' . $to . '>' . PHP_EOL;
58
+ $subject = __( 'All In One WP Security - File change detected!', 'aiowpsecurity' ) . ' ' . date( 'l, F jS, Y \a\\t g:i a', current_time( 'timestamp' ) );
59
+ //$attachment = array();
60
+ $message = __( 'A file change was detected on your system for site URL', 'aiowpsecurity' ) . ' ' . get_option( 'siteurl' ) . __( '. Scan was generated on', 'aiowpsecurity' ) . ' ' . date( 'l, F jS, Y \a\\t g:i a', current_time( 'timestamp' ) );
61
+ $message .= "\r\n".__( 'Login to your site to view the scan details.', 'aiowpsecurity' );
62
+
63
+ wp_mail( $to, $subject, $message, $headers );
64
+ }
65
+ }
66
+
67
+ function aiowps_scheduled_fcd_scan_handler()
68
+ {
69
+ global $aio_wp_security;
70
+ if($aio_wp_security->configs->get_value('aiowps_enable_automated_fcd_scan')=='1')
71
+ {
72
+ $aio_wp_security->debug_logger->log_debug_cron("Filescan - Scheduled fcd_scan is enabled. Checking now to see if scan needs to be done...");
73
+ $current_time = strtotime(current_time('mysql'));
74
+ $fcd_scan_frequency = $aio_wp_security->configs->get_value('aiowps_fcd_scan_frequency'); //Number of hours or days or months interval
75
+ $interval_setting = $aio_wp_security->configs->get_value('aiowps_fcd_scan_interval'); //Hours/Days/Months
76
+ switch($interval_setting)
77
+ {
78
+ case '0':
79
+ $interval = 'hours';
80
+ break;
81
+ case '1':
82
+ $interval = 'days';
83
+ break;
84
+ case '2':
85
+ $interval = 'weeks';
86
+ break;
87
+ }
88
+ $last_fcd_scan_time = $aio_wp_security->configs->get_value('aiowps_last_fcd_scan_time');
89
+ if ($last_fcd_scan_time != NULL)
90
+ {
91
+ $last_fcd_scan_time = strtotime($aio_wp_security->configs->get_value('aiowps_last_fcd_scan_time'));
92
+ $next_fcd_scan_time = strtotime("+".abs($fcd_scan_frequency).$interval, $last_fcd_scan_time);
93
+ if ($next_fcd_scan_time <= $current_time)
94
+ {
95
+ //It's time to do a filescan
96
+ $result = $this->execute_file_change_detection_scan(ABSPATH);
97
+ // if ($result)
98
+ // {
99
+ $aio_wp_security->configs->set_value('aiowps_last_fcd_scan_time', current_time('mysql'));
100
+ $aio_wp_security->configs->save_config();
101
+ $aio_wp_security->debug_logger->log_debug_cron("Filescan - Scheduled filescan was successfully completed.");
102
+ // }
103
+ // else
104
+ // {
105
+ // $aio_wp_security->debug_logger->log_debug_cron("Filescan - Scheduled filescan operation failed!",4);
106
+ // }
107
+ }
108
+ }
109
+ else
110
+ {
111
+ //Set the last scan time to now so it can trigger for the next scheduled period
112
+ $aio_wp_security->configs->set_value('aiowps_last_fcd_scan_time', current_time('mysql'));
113
+ $aio_wp_security->configs->save_config();
114
+ }
115
+ }
116
+ }
117
+
118
+ /* Returns true if there is at least one previous scaned data in the DB. False otherwise */
119
+ function has_scan_data()
120
+ {
121
+ global $wpdb;
122
+ //For scanced data the meta_key1 column valu is 'file_change_detection', meta_value1 column value is 'file_scan_data'. Then the data is stored in meta_value4 column.
123
+ $aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
124
+ $resultset = $wpdb->get_row("SELECT * FROM $aiowps_global_meta_tbl_name WHERE meta_key1 = 'file_change_detection' AND meta_value1='file_scan_data'", OBJECT);
125
+ if($resultset){
126
+ $scan_data = maybe_unserialize($resultset->meta_value4);
127
+ if(!empty($scan_data)){
128
+ return true;
129
+ }
130
+ }
131
+ return false;
132
+ }
133
+
134
+ function get_last_scan_data()
135
+ {
136
+ global $wpdb;
137
+ //For scanced data the meta_key1 column valu is 'file_change_detection', meta_value1 column value is 'file_scan_data'. Then the data is stored in meta_value4 column.
138
+ $aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
139
+ $resultset = $wpdb->get_row("SELECT * FROM $aiowps_global_meta_tbl_name WHERE meta_key1 = 'file_change_detection' AND meta_value1='file_scan_data'", OBJECT);
140
+ if($resultset){
141
+ $scan_data = maybe_unserialize($resultset->meta_value4);
142
+ return $scan_data;
143
+ }
144
+ return array(); //return empty array if no old scan data
145
+ }
146
+
147
+ function save_scan_data_to_db($scanned_data, $save_type = 'insert', $scan_result = array())
148
+ {
149
+ global $wpdb;
150
+ //For scanced data the meta_key1 column valu is 'file_change_detection', meta_value1 column value is 'file_scan_data'. Then the data is stored in meta_value4 column.
151
+ $aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
152
+ $payload = serialize($scanned_data);
153
+ $scan_result = serialize($scan_result);
154
+ $date_time = current_time('mysql');
155
+ $data = array('date_time' => $date_time, 'meta_key1' => 'file_change_detection', 'meta_value1' => 'file_scan_data', 'meta_value4' => $payload, 'meta_key5' => 'last_scan_result', 'meta_value5' => $scan_result);
156
+ if($save_type == 'insert'){
157
+ $wpdb->insert($aiowps_global_meta_tbl_name, $data);
158
+ }
159
+ else{
160
+ $where = array('meta_key1' => 'file_change_detection', 'meta_value1' => 'file_scan_data');
161
+ $wpdb->update($aiowps_global_meta_tbl_name, $data, $where);
162
+
163
+ }
164
+ return true;
165
+ }
166
+
167
+ function do_file_change_scan($start_dir=ABSPATH)
168
+ {
169
+ global $aio_wp_security;
170
+ $filescan_data = array();
171
+ $dit = new RecursiveDirectoryIterator($start_dir);
172
+ $rit = new RecursiveIteratorIterator(
173
+ $dit, RecursiveIteratorIterator::SELF_FIRST);
174
+
175
+ $file_types_to_skip = $aio_wp_security->configs->get_value('aiowps_fcd_exclude_filetypes');
176
+
177
+ foreach ($rit as $fileinfo) {
178
+ if ($fileinfo->isDir()) continue; //skip directories
179
+ if ($fileinfo->getFilename() == 'wp-security-log-cron-job.txt' || $fileinfo->getFilename() == 'wp-security-log.txt') continue; //skip aiowps log files
180
+ //Let's omit any file types from the scan which were specified in the settings if necessary
181
+ if (!empty($file_types_to_skip)){
182
+ $file_types_to_skip = strtolower($file_types_to_skip);
183
+ //$current_file_ext = strtolower($fileinfo->getExtension()); //getExtension() only available on PHP 5.3.6 or higher
184
+ $ext = pathinfo($fileinfo->getFilename(), PATHINFO_EXTENSION);
185
+ $current_file_ext = strtolower($ext);
186
+ if (!empty($current_file_ext)){
187
+ if (strpos($file_types_to_skip, $current_file_ext) !== FALSE) continue;
188
+ }
189
+ }
190
+ //Let's omit specific files or directories from the scan which were specified in the settings
191
+ $filename = $fileinfo->getPathname();
192
+ $files_to_skip = $aio_wp_security->configs->get_value('aiowps_fcd_exclude_files');
193
+ if (!empty($files_to_skip))
194
+ {
195
+ $file_array = explode(PHP_EOL, $files_to_skip);
196
+ $skip_this = FALSE;
197
+ foreach ($file_array as $f_or_dir)
198
+ {
199
+ if (strpos($filename, trim($f_or_dir)) !== FALSE){
200
+ $skip_this = TRUE;
201
+ }
202
+ }
203
+ if ($skip_this) continue;
204
+ }
205
+ $filescan_data[$filename] = array();
206
+ $filescan_data[$filename]['last_modified'] = $fileinfo->getMTime();
207
+ $filescan_data[$filename]['filesize'] = $fileinfo->getSize();
208
+
209
+ }
210
+ return $filescan_data;
211
+ }
212
+
213
+ function compare_scan_data($last_scan_data, $new_scanned_data)
214
+ {
215
+ $files_added = @array_diff_assoc( $new_scanned_data, $last_scan_data ); //Identify new files added: get all files which are in the new scan but not present in the old scan
216
+ $files_removed = @array_diff_assoc( $last_scan_data, $new_scanned_data ); //Identify files deleted : get all files which are in the old scan but not present in the new scan
217
+ $new_scan_minus_added = @array_diff_key( $new_scanned_data, $files_added ); //Get all files in current scan which were not newly added
218
+ $old_scan_minus_deleted = @array_diff_key( $last_scan_data, $files_removed ); //Get all files in old scan which were not deleted
219
+ $file_changes_detected = array();
220
+
221
+ //compare file hashes and mod dates
222
+ foreach ( $new_scan_minus_added as $entry => $key) {
223
+ if ( array_key_exists( $entry, $old_scan_minus_deleted ) )
224
+ {
225
+ //check filesize and last_modified values
226
+ if (strcmp($key['last_modified'], $old_scan_minus_deleted[$entry]['last_modified']) != 0 ||
227
+ strcmp($key['filesize'], $old_scan_minus_deleted[$entry]['filesize']) != 0)
228
+ {
229
+ $file_changes_detected[$entry]['filesize'] = $key['filesize'];
230
+ $file_changes_detected[$entry]['last_modified'] = $key['last_modified'];
231
+ }
232
+ }
233
+
234
+ }
235
+
236
+ //create single array of all changes
237
+ $results = array(
238
+ 'files_added' => $files_added,
239
+ 'files_removed' => $files_removed,
240
+ 'files_changed' => $file_changes_detected
241
+ );
242
+ return $results;
243
+ }
244
+ }
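Review bot: In do_file_change_scan the exclusion list is matched by substring, so a blank line in aiowps_fcd_exclude_files (a trailing newline from the textarea is enough) becomes an empty needle — on PHP 8 strpos() returns 0 for it and every file is skipped, so the scan silently reports nothing, while older PHP only emits a warning and returns false. Skip empty entries and split on any newline style rather than PHP_EOL, as in the fence below; the extension filter a few lines above has the same substring problem (an extension of `s` matches a list of `css,js`), so split that list on commas and use `in_array($current_file_ext, $list, true)`. Smaller points in the same file: the switch in aiowps_scheduled_fcd_scan_handler has no default case, so an unexpected aiowps_fcd_scan_interval value leaves $interval undefined and the strtotime offset malformed; execute_file_change_detection_scan() is called with ABSPATH on line 96 although it declares no parameter; and compare_scan_data relies on @-suppressed array_diff_assoc over nested arrays, which only works because every value stringifies to "Array", whereas array_diff_key states the intent without the suppression. The comment at line 221 says "compare file hashes" but only size and mtime are compared, both of which can be preserved by whoever modifies a file; a docblock on compare_scan_data should state that limitation so readers do not assume content hashing.
```php
$filename = $fileinfo->getPathname();
$files_to_skip = $aio_wp_security->configs->get_value('aiowps_fcd_exclude_files');
if (!empty($files_to_skip))
{
    $skip_this = FALSE;
    foreach (preg_split('/\r\n|\r|\n/', $files_to_skip) as $f_or_dir)
    {
        $f_or_dir = trim($f_or_dir);
        if ($f_or_dir === '') continue; //a blank line must not become an empty needle
        if (strpos($filename, $f_or_dir) !== FALSE)
        {
            $skip_this = TRUE;
            break;
        }
    }
    if ($skip_this) continue;
}
// … unchanged: record last_modified and filesize for $filename …
```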
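--- a/classes/wp-security-installer.php
+++ b/classes/wp-security-installer.php
@@ -35,6 +35,7 @@ class AIOWPSecurity_Installer
 $lockdown_tbl_name = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
 $failed_login_tbl_name = AIOWPSEC_TBL_FAILED_LOGINS;
 $user_login_activity_tbl_name = AIOWPSEC_TBL_USER_LOGIN_ACTIVITY;
+$aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
 
 $ld_tbl_sql = "CREATE TABLE " . $lockdown_tbl_name . " (
 id bigint(20) NOT NULL AUTO_INCREMENT,
@@ -70,6 +71,23 @@ class AIOWPSecurity_Installer
 )ENGINE=MyISAM DEFAULT CHARSET=utf8;";
 dbDelta($ula_tbl_sql);
 
+$gm_tbl_sql = "CREATE TABLE " . $aiowps_global_meta_tbl_name . " (
+meta_id bigint(20) NOT NULL auto_increment,
+date_time datetime NOT NULL default '0000-00-00 00:00:00',
+meta_key1 varchar(255) NOT NULL,
+meta_key2 varchar(255) NOT NULL,
+meta_key3 varchar(255) NOT NULL,
+meta_key4 varchar(255) NOT NULL,
+meta_key5 varchar(255) NOT NULL,
+meta_value1 varchar(255) NOT NULL,
+meta_value2 text NOT NULL,
+meta_value3 text NOT NULL,
+meta_value4 longtext NOT NULL,
+meta_value5 longtext NOT NULL,
+PRIMARY KEY (meta_id)
+)ENGINE=MyISAM DEFAULT CHARSET=utf8;";
+dbDelta($gm_tbl_sql);
+
 update_option("aiowpsec_db_version", AIO_WP_SECURITY_DB_VERSION);
 }
 }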
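Review bot: The new `date_time` column (new line 76) carries the default `'0000-00-00 00:00:00'`, which MySQL rejects when NO_ZERO_DATE/strict mode is active (the default on 5.7 and later), so the CREATE TABLE issued through dbDelta can fail on such hosts and the scanner would then have no table to write into. Prefer `date_time datetime NOT NULL,` with no zero default and have every insert supply the timestamp explicitly (for example via `current_time('mysql')`). Separately, `auto_increment` and `default` on new lines 75-76 are lowercase while the existing table definitions in the same method use `AUTO_INCREMENT`; keeping the casing consistent with the neighbouring definitions reads better. The enclosing method starts outside the hunk.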
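--- a/classes/wp-security-user-login.php
+++ b/classes/wp-security-user-login.php
@@ -35,7 +35,7 @@ class AIOWPSecurity_User_Login
 
 $user_locked = $this->check_locked_user();
 if ($user_locked != NULL) {
-$aio_wp_security->debug_logger->log_debug("Login attempt from blocked IP range - ".$user_locked['failed_login_IP'],2);
+$aio_wp_security->debug_logger->log_debug("Login attempt from blocked IP range - ".$user_locked['failed_login_ip'],2);
 return new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Login failed because your IP address has been blocked due to too many failed login attempts.
 Please contact the administrator.', 'aiowpsecurity'));
 }
@@ -117,9 +117,9 @@ class AIOWPSecurity_User_Login
 $login_lockdown_table = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
 $ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); //Get the IP address of user
 $ip_range = AIOWPSecurity_Utility_IP::get_sanitized_ip_range($ip); //Get the IP range of the current user
-$locked_user = $wpdb->get_var("SELECT user_id FROM $login_lockdown_table " .
+$locked_user = $wpdb->get_row("SELECT * FROM $login_lockdown_table " .
 "WHERE release_date > now() AND " .
-"failed_login_IP LIKE '" . esc_sql($ip_range) . "%'");
+"failed_login_ip LIKE '" . esc_sql($ip_range) . "%'", ARRAY_A);
 return $locked_user;
 }
 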
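Review bot: The lookup in check_locked_user (new lines 120-122) still assembles the LIKE pattern by string concatenation; `esc_sql()` escapes quotes but not the `%` and `_` LIKE metacharacters, so the query's meaning rests entirely on what get_sanitized_ip_range() lets through. The WordPress idiom is `$wpdb->prepare("SELECT * FROM $login_lockdown_table WHERE release_date > now() AND failed_login_ip LIKE %s", like_escape($ip_range) . '%')`, which keeps the escaping in one place regardless of how the range is derived. Switching to `get_row(..., ARRAY_A)` also changes the method's return from a scalar to an associative array or null, which the caller at new line 38 now relies on via `$user_locked['failed_login_ip']`; a one-line docblock on check_locked_user stating that contract would make the coupling explicit. Both hunks sit inside methods whose signatures are outside the hunk.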
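--- a/classes/wp-security-utility-file.php
+++ b/classes/wp-security-utility-file.php
@@ -119,6 +119,25 @@ class AIOWPSecurity_Utility_File
 }
 }
 
+static function download_a_file_option1($file_path, $file_name = '')
+{
+$file = $file_path;//Full ABS path to the file
+if(empty($file_name)){$file_name = basename($file);}
+
+header('Content-Description: File Transfer');
+header('Content-Type: application/octet-stream');
+header('Content-Disposition: attachment; filename='.$file_name);
+header('Content-Transfer-Encoding: binary');
+header('Expires: 0');
+header('Cache-Control: must-revalidate');
+header('Pragma: public');
+header('Content-Length: ' . filesize($file));
+//ob_clean();
+//flush();
+readfile($file);
+exit;
+}
+
 /*
 * This function will compare the current permission value for a file or dir with the recommended value.
 * It will compare the individual "execute", "write" and "read" bits for the "public", "group" and "owner" permissions.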
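Review bot: `download_a_file_option1` (new lines 122-139) sends the filename unquoted in `Content-Disposition` (new line 129) and never checks that `$file` exists before `filesize()` and `readfile()`, so a missing path produces a PHP warning, an empty `Content-Length` header and an empty download. Quote and normalise the name, `header('Content-Disposition: attachment; filename="' . basename($file_name) . '"');`, and return before any header is sent when `!is_file($file) || !is_readable($file)`. Because the helper streams whatever absolute path it is handed and then `exit`s, its docblock should state that callers own the capability and nonce checks and must pass only a path they chose themselves, never one built from request input; the changelog says it now backs the wp-config.php backup, which makes that contract worth spelling out.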
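--- a/classes/wp-security-utility-htaccess.php
+++ b/classes/wp-security-utility-htaccess.php
@@ -557,7 +557,7 @@ class AIOWPSecurity_Utility_Htaccess
 //$rules .= 'RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]' . PHP_EOL;
 //$rules .= 'RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]' . PHP_EOL;
 $rules .= 'RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]' . PHP_EOL;
-$rules .= 'RewriteCond %{QUERY_STRING} ^.*(request|insert|union|declare|drop).* [NC]' . PHP_EOL;
+$rules .= 'RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(request|insert|union|declare|drop) [NC]' . PHP_EOL;
 $rules .= 'RewriteRule ^(.*)$ - [F,L]' . PHP_EOL;
 $rules .= AIOWPSecurity_Utility_Htaccess::$deny_bad_query_strings_marker_end . PHP_EOL; //Add feature marker end
 }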
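Review bot: The rewritten condition on new line 560 gates the keyword list on a literal `;`, `'` or `"` plus the encoded `%22`, but `%{QUERY_STRING}` is matched before URL-decoding, so the encoded forms of the other two characters are not covered while their literal forms are; if the intent is to require any quote or statement separator, the prefix group should be `(\;|%3B|\'|%27|\"|%22)` (the commented-out line two above already lists `%27`). The keyword group remains an unanchored substring match, so a legitimate value such as `dropdown` or `request_id` appearing after a quote is still denied; a comment above the line, `//Only deny the SQL keywords when they follow a quote or separator, so ordinary words such as "insert" in a query string are allowed (fixes Appearance->Menus drag/drop)`, would record why the prefix group was introduced. The enclosing method begins outside the hunk.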
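--- a/classes/wp-security-utility.php
+++ b/classes/wp-security-utility.php
@@ -142,4 +142,14 @@ class AIOWPSecurity_Utility
 return false;
 }
 }
+
+//This is a general yellow box message for when we want to suppress a feature's config items because site is subsite of multi-site
+static function display_multisite_message()
+{
+echo '<div class="aio_yellow_box">';
+echo '<p>'.__('The plugin has detected that you are using a Multi-Site WordPress installation.', 'aiowpsecurity').'</p>
+<p>'.__('This feature can only be configured by the "superadmin" on the main site.', 'aiowpsecurity').'</p>';
+echo '</div>';
+}
+
 }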
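Review bot: `display_multisite_message` (new lines 147-153) echoes the translated strings straight into HTML; the WordPress convention for text placed in markup is `esc_html__()` rather than `__()`, so the first paragraph should read `echo '<p>'.esc_html__('The plugin has detected that you are using a Multi-Site WordPress installation.', 'aiowpsecurity').'</p>';` with the second paragraph treated the same way. The `//` line above the method would serve better as a docblock stating that it prints the yellow notice box shown on a subsite of a multisite install in place of a feature's settings form, and that it returns nothing.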
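--- a/readme.txt
+++ b/readme.txt
@@ -1,10 +1,10 @@
 === All In One WP Security & Firewall ===
 Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin
 Donate link: http://www.tipsandtricks-hq.com
-Tags: security, secure, Anti Virus, antivirus, virus, firewall, login, lockdown, htaccess, hacking, ban hacker, malware, vulnerability, protect, phishing, database, backup, plugin, sql injection, ssl, restrict
+Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict
 Requires at least: 3.5
 Tested up to: 3.6
-Stable tag: 2.2
+Stable tag: 2.3
 License: GPLv3
 
 A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
@@ -85,6 +85,9 @@ or malicious bots who do not have a special cookie in their browser. You (the si
 = WhoIs Lookup =
 * Perform a WhoIs lookup of a suspicious host or IP address and get full details.
 
+= Security Scanner =
+* The file change detection scanner can alert you if any files have changed in your WordPress system. You can then investigate and see if that was a legitimate change or some bad code was injected.
+
 = Comment SPAM Security =
 * Monitor the most active IP addresses which persistently produce the most SPAM comments and instantly block them with the click of a button.
 * Prevent comments from being submitted if it doesn't originate from your domain (this should reduce some SPAM bot comment posting on your site).
@@ -133,6 +136,14 @@ None
 
 == Changelog ==
 
+= 2.3 =
+- Added new menu called Scanner with a new feature called File Change Detection. This feature will alert you if any files have changed, added or removed from your system.
+- Fixed "Deny Bad Query Strings" rules to not break the ability to drag components in the WordPress "Appearance->Menus" page
+- Fixed an activation time warning (on sites with WP_DEBUG option enabled)
+- Re-implemented the wp-config.php file content backup feature. It now directly downloads the contents of the file to your computer.
+- Multi-site enhancements: Suppressed access to configuration settings for features which are not allowed to be configured from subsites of multi-site installations.
+- Fixed a bug with login lockdown feature.
+
 = 2.2 =
 - Added a new feature which will block some spambots from submitting comments.
 - Moved Comment SPAM IP monitoring interface to the new "SPAM Prevention" menu.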
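--- a/wp-security-core.php
+++ b/wp-security-core.php
@@ -3,8 +3,8 @@
 if (!class_exists('AIO_WP_Security')){
 
 class AIO_WP_Security{
-var $version = '2.2';
-var $db_version = '1.2';
+var $version = '2.3';
+var $db_version = '1.3';
 var $plugin_url;
 var $plugin_path;
 var $configs;
@@ -13,6 +13,7 @@ class AIO_WP_Security{
 var $cron_handler;
 var $user_login_obj;
 var $backup_obj;
+var $filescan_obj;
 
 function __construct()
 {
@@ -65,11 +66,13 @@ class AIO_WP_Security{
 define('AIOWPSEC_FIREWALL_MENU_SLUG', 'aiowpsec_firewall');
 define('AIOWPSEC_MAINTENANCE_MENU_SLUG', 'aiowpsec_maintenance');
 define('AIOWPSEC_SPAM_MENU_SLUG', 'aiowpsec_spam');
+define('AIOWPSEC_FILESCAN_MENU_SLUG', 'aiowpsec_filescan');
 
 global $wpdb;
 define('AIOWPSEC_TBL_LOGIN_LOCKDOWN', $wpdb->prefix . 'aiowps_login_lockdown');
 define('AIOWPSEC_TBL_FAILED_LOGINS', $wpdb->prefix . 'aiowps_failed_logins');
 define('AIOWPSEC_TBL_USER_LOGIN_ACTIVITY', $wpdb->prefix . 'aiowps_login_activity');
+define('AIOWPSEC_TBL_GLOBAL_META_DATA', $wpdb->prefix . 'aiowps_global_meta');
 
 }
 
@@ -85,6 +88,7 @@ class AIO_WP_Security{
 
 include_once('classes/wp-security-user-login.php');
 include_once('classes/wp-security-backup.php');
+include_once('classes/wp-security-file-scan.php');
 include_once('classes/wp-security-cronjob-handler.php');
 include_once('classes/grade-system/wp-security-feature-item.php');
 include_once('classes/grade-system/wp-security-feature-item-manager.php');
@@ -151,7 +155,8 @@ class AIO_WP_Security{
 
 //Actions, filters, shortcodes goes here
 $this->user_login_obj = new AIOWPSecurity_User_Login();//Do the user login operation tasks
-$this->backup_obj = new AIOWPSecurity_Backup();//Object to handle backup tasks
+$this->backup_obj = new AIOWPSecurity_Backup();//Object to handle backup tasks
+$this->filescan_obj = new AIOWPSecurity_Filescan();//Object to handle backup tasks
 $this->cron_handler = new AIOWPSecurity_Cronjob_Handler();
 
 add_action('wp_head',array(&$this, 'aiowps_header_content'));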
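Review bot: The trailing comment on new line 159 was copied from the line above and describes the wrong object; it should read `$this->filescan_obj = new AIOWPSecurity_Filescan();//Object to handle file change detection scans`. The bump of `$db_version` to `'1.3'` (new line 7) accompanies a new table in the installer, but nothing in this diff shows an upgrade path that re-runs dbDelta for sites updating in place rather than re-activating; if no such version check exists elsewhere, existing installs will lack `AIOWPSEC_TBL_GLOBAL_META_DATA` until the plugin is deactivated and reactivated, and the file scanner's first run would fail on the missing table. A short comment next to `var $filescan_obj;` and the new `AIOWPSEC_FILESCAN_MENU_SLUG` define naming the Scanner feature they belong to would also help readers of this class.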
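--- a/wp-security.php
+++ b/wp-security.php
@@ -1,7 +1,7 @@
 <?php
 /*
 Plugin Name: All In One WP Security
-Version: v2.2
+Version: v2.3
 Plugin URI: http://www.tipsandtricks-hq.com/
 Author: Tips and Tricks HQ, Peter, Ruhul Amin
 Author URI: http://www.tipsandtricks-hq.com/
@@ -38,4 +38,4 @@ function aiowps_ms_handle_new_blog_creation($blog_id, $user_id, $domain, $path,
 switch_to_blog($old_blog);
 }
 }
-add_action('wpmu_new_blog', 'aiowps_ms_handle_new_blog_creation', 10, 6);
+add_action('wpmu_new_blog', 'aiowps_ms_handle_new_blog_creation', 10, 6);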