Version Description
- Added new feature/checkbox which will instantly lockout IP address ranges which attempt to login with an invalid username.
- Fixed a bug in the Comment SPAM IP Monitoring page where trying to block one or more IPs was failing.
- Removed the word "config" from the list of bad query strings check (to add compatibility with a few more plugins)
- Added a notice in the dashboard menu to show you if there are any recent file changes that the plugin detected.
- Fixed bug with php File Editing feature. Code now also handles older style wp-config.php files which have the php end tag "?>"
- Fixed bug with "Disable All Security Features" button functionality. When clicked, this will now also make the appropriate changes to the .htacces and wp-config.php files if necessary.
- Changed the storage of backup files from the plugin's directory to the uploads directory. Also added a .htaccess file for security.
- Fixed the way user-agent strings were written to the .htacess file from the Blacklist feature. The code now will correctly identify and represent spaces and escaped chars.
- Fixed a bug related to sending backup to correct email address.
Download this release
Release Info
| Developer | mra13 |
| Plugin |  All In One WP Security & Firewall |
| Version | 2.4 |
| Comparing to | |
| See all releases | |
Code changes from version 2.3 to 2.4
- admin/wp-security-blacklist-menu.php +1 -1
- admin/wp-security-dashboard-menu.php +20 -0
- admin/wp-security-database-menu.php +3 -1
- admin/wp-security-filescan-menu.php +10 -0
- admin/wp-security-filesystem-menu.php +7 -126
- admin/wp-security-list-comment-spammer-ip.php +1 -1
- admin/wp-security-settings-menu.php +19 -1
- admin/wp-security-user-login-menu.php +9 -0
- classes/wp-security-backup.php +9 -6
- classes/wp-security-configure-settings.php +4 -2
- classes/wp-security-installer.php +28 -0
- classes/wp-security-user-login.php +8 -7
- classes/wp-security-utility-htaccess.php +7 -2
- classes/wp-security-utility.php +140 -0
- css/wp-security-admin-styles.css +1 -0
- readme.txt +12 -1
- wp-security-core.php +2 -1
- wp-security.php +1 -1
admin/wp-security-blacklist-menu.php
CHANGED
|
@@ -217,7 +217,7 @@ class AIOWPSecurity_Blacklist_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 217 |
{
|
| 218 |
foreach ($submitted_agents as $agent)
|
| 219 |
{
|
| 220 |
-
$text =
|
| 221 |
$agents[] = $text;
|
| 222 |
}
|
| 223 |
}
|
| 217 |
{
|
| 218 |
foreach ($submitted_agents as $agent)
|
| 219 |
{
|
| 220 |
+
$text = sanitize_text_field($agent);
|
| 221 |
$agents[] = $text;
|
| 222 |
}
|
| 223 |
}
|
admin/wp-security-dashboard-menu.php
CHANGED
|
@@ -259,6 +259,26 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 259 |
</div></div>
|
| 260 |
</div><!-- aiowps_dashboard_box -->
|
| 261 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 262 |
|
| 263 |
<div class="aiowps_dashboard_box_small">
|
| 264 |
<div class="postbox">
|
| 259 |
</div></div>
|
| 260 |
</div><!-- aiowps_dashboard_box -->
|
| 261 |
|
| 262 |
+
<?php
|
| 263 |
+
if($aio_wp_security->configs->get_value('aiowps_enable_automated_fcd_scan') == '1'){
|
| 264 |
+
|
| 265 |
+
echo '<div class="aiowps_dashboard_box_small">';
|
| 266 |
+
echo '<div class="postbox">';
|
| 267 |
+
echo '<h3><label for="title">File Change Detection</label></h3>';
|
| 268 |
+
echo '<div class="inside">';
|
| 269 |
+
|
| 270 |
+
if($aio_wp_security->configs->get_value('aiowps_fcds_change_detected')){
|
| 271 |
+
echo '<div class="aio_red_box aio_padding_10">File change detected!</div>';
|
| 272 |
+
echo '<p>Please review the changes from the <a href="admin.php?page='.AIOWPSEC_FILESCAN_MENU_SLUG.'">scanner menu</a></p>';
|
| 273 |
+
}
|
| 274 |
+
else{
|
| 275 |
+
echo '<div class="aio_green_box aio_padding_10">No recent file changes detected.</div>';
|
| 276 |
+
}
|
| 277 |
+
|
| 278 |
+
echo '</div></div>';
|
| 279 |
+
echo '</div>';//<!-- aiowps_dashboard_box -->
|
| 280 |
+
}
|
| 281 |
+
?>
|
| 282 |
|
| 283 |
<div class="aiowps_dashboard_box_small">
|
| 284 |
<div class="postbox">
|
admin/wp-security-database-menu.php
CHANGED
|
@@ -202,7 +202,9 @@ class AIOWPSecurity_Database_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 202 |
}
|
| 203 |
else
|
| 204 |
{
|
| 205 |
-
$
|
|
|
|
|
|
|
| 206 |
}
|
| 207 |
echo '<div id="message" class="updated fade"><p>';
|
| 208 |
_e('DB Backup was successfully completed! Right click on the following file name and save the backup to your computer.','aiowpsecurity');
|
| 202 |
}
|
| 203 |
else
|
| 204 |
{
|
| 205 |
+
$upload_dir = wp_upload_dir();
|
| 206 |
+
$aiowps_backup_url = $upload_dir['baseurl'] . '/'.AIO_WP_SECURITY_BACKUPS_DIR_NAME;
|
| 207 |
+
$backup_file_url = $aiowps_backup_url . '/'. $backup_file_name;
|
| 208 |
}
|
| 209 |
echo '<div id="message" class="updated fade"><p>';
|
| 210 |
_e('DB Backup was successfully completed! Right click on the following file name and save the backup to your computer.','aiowpsecurity');
|
admin/wp-security-filescan-menu.php
CHANGED
|
@@ -204,6 +204,16 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 204 |
|
| 205 |
|
| 206 |
?>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 207 |
<div class="postbox">
|
| 208 |
<h3><label for="title"><?php _e('Manual File Change Detection Scan', 'aiowpsecurity'); ?></label></h3>
|
| 209 |
<div class="inside">
|
| 204 |
|
| 205 |
|
| 206 |
?>
|
| 207 |
+
<div class="aio_blue_box">
|
| 208 |
+
<?php
|
| 209 |
+
echo '<p>'.__('If given an opportunity hackers can insert their code or files into your system which they can then use to carry out malicious acts on your site.', 'aiowpsecurity').
|
| 210 |
+
'<br />'.__('Being informed of any changes in your files can be a good way to quickly prevent a hacker from causing damage to your website.', 'aiowpsecurity').
|
| 211 |
+
'<br />'.__('In general, WordPress core and plugin files and file types such as ".php" or ".js" should not change often and when they do, it is important that you are made aware when a change occurs and which file was affected.', 'aiowpsecurity').
|
| 212 |
+
'<br />'.__('The "File Change Detection Feature" will notify you of any file change which occurs on your system, including the addition and deletion of files by performing a regular automated or manual scan of your system\'s files.', 'aiowpsecurity').
|
| 213 |
+
'<br />'.__('This feature also allows you to exclude certain files or folders from the scan in cases where you know that they change often as part of their normal operation. (For example log files and certain caching plugin files may change often and hence you may choose to exclude such files from the file change detection scan)', 'aiowpsecurity').'</p>';
|
| 214 |
+
?>
|
| 215 |
+
</div>
|
| 216 |
+
|
| 217 |
<div class="postbox">
|
| 218 |
<h3><label for="title"><?php _e('Manual File Change Detection Scan', 'aiowpsecurity'); ?></label></h3>
|
| 219 |
<div class="inside">
|
admin/wp-security-filesystem-menu.php
CHANGED
|
@@ -169,10 +169,10 @@ class AIOWPSecurity_Filesystem_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 169 |
if(isset($_POST['aiowps_disable_file_editing']))
|
| 170 |
{
|
| 171 |
|
| 172 |
-
$res =
|
| 173 |
} else
|
| 174 |
{
|
| 175 |
-
$res =
|
| 176 |
}
|
| 177 |
if ($res)
|
| 178 |
{
|
|
@@ -182,6 +182,11 @@ class AIOWPSecurity_Filesystem_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 182 |
|
| 183 |
//Recalculate points after the feature status/options have been altered
|
| 184 |
$aiowps_feature_mgr->check_feature_status_and_recalculate_points();
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 185 |
}
|
| 186 |
//$this->show_msg_settings_updated();
|
| 187 |
|
|
@@ -404,130 +409,6 @@ class AIOWPSecurity_Filesystem_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 404 |
}
|
| 405 |
|
| 406 |
|
| 407 |
-
/*
|
| 408 |
-
* Modifies the wp-config.php file to disable PHP file editing from the admin panel
|
| 409 |
-
* This func will add the following code:
|
| 410 |
-
* define('DISALLOW_FILE_EDIT', false);
|
| 411 |
-
*
|
| 412 |
-
* NOTE: This function will firstly check if the above code already exists and it will modify the bool value, otherwise it will insert the code mentioned above
|
| 413 |
-
*/
|
| 414 |
-
function disable_file_edits()
|
| 415 |
-
{
|
| 416 |
-
global $aio_wp_security;
|
| 417 |
-
$edit_file_config_entry_exists = false;
|
| 418 |
-
|
| 419 |
-
//Config file path
|
| 420 |
-
$config_file = ABSPATH.'wp-config.php';
|
| 421 |
-
|
| 422 |
-
//Get wp-config.php file contents so we can check if the "DISALLOW_FILE_EDIT" variable already exists
|
| 423 |
-
$config_contents = file($config_file);
|
| 424 |
-
foreach ($config_contents as $line_num => $line)
|
| 425 |
-
{
|
| 426 |
-
if (strpos($line, "'DISALLOW_FILE_EDIT', false"))
|
| 427 |
-
{
|
| 428 |
-
$config_contents[$line_num] = str_replace('false', 'true', $line);
|
| 429 |
-
$edit_file_config_entry_exists = true;
|
| 430 |
-
//$this->show_msg_updated(__('Settings Saved - The ability to edit PHP files via the admin the panel has been DISABLED.', 'aiowpsecurity'));
|
| 431 |
-
} else if(strpos($line, "'DISALLOW_FILE_EDIT', true"))
|
| 432 |
-
{
|
| 433 |
-
$edit_file_config_entry_exists = true;
|
| 434 |
-
$this->show_msg_updated(__('Your system config file is already configured to disallow PHP file editing.', 'aiowpsecurity'));
|
| 435 |
-
return true;
|
| 436 |
-
|
| 437 |
-
}
|
| 438 |
-
}
|
| 439 |
-
|
| 440 |
-
if ($edit_file_config_entry_exists)
|
| 441 |
-
{
|
| 442 |
-
//Now let's modify the wp-config.php file
|
| 443 |
-
if (AIOWPSecurity_Utility_File::write_content_to_file($config_file, $config_contents))
|
| 444 |
-
{
|
| 445 |
-
$this->show_msg_updated(__('Settings Saved - Your system is now configured to not allow PHP file editing.', 'aiowpsecurity'));
|
| 446 |
-
return true;
|
| 447 |
-
}else
|
| 448 |
-
{
|
| 449 |
-
$this->show_msg_error(__('Operation failed! Unable to modify wp-config.php file!', 'aiowpsecurity'));
|
| 450 |
-
$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Unable to modify wp-config.php",4);
|
| 451 |
-
return false;
|
| 452 |
-
}
|
| 453 |
-
}else
|
| 454 |
-
{
|
| 455 |
-
//Make a backup of the config file
|
| 456 |
-
if(!AIOWPSecurity_Utility_File::backup_a_file($config_file))
|
| 457 |
-
{
|
| 458 |
-
$this->show_msg_error(__('Failed to make a backup of the wp-config.php file. This operation will not go ahead.', 'aiowpsecurity'));
|
| 459 |
-
$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Failed to make a backup of the wp-config.php file.",4);
|
| 460 |
-
return false;
|
| 461 |
-
}
|
| 462 |
-
else{
|
| 463 |
-
$this->show_msg_updated(__('A backup copy of your wp-config.php file was created successfully....', 'aiowpsecurity'));
|
| 464 |
-
}
|
| 465 |
-
|
| 466 |
-
//Construct the config code which we will insert into wp-config.php
|
| 467 |
-
$new_snippet = "//Disable File Edits\n";
|
| 468 |
-
$new_snippet .= 'define(\'DISALLOW_FILE_EDIT\', true);';
|
| 469 |
-
$write_result = file_put_contents($config_file, $new_snippet, FILE_APPEND | LOCK_EX);
|
| 470 |
-
if ($write_result)
|
| 471 |
-
{
|
| 472 |
-
$this->show_msg_updated(__('Settings Saved - Your system is now configured to not allow PHP file editing.', 'aiowpsecurity'));
|
| 473 |
-
}else
|
| 474 |
-
{
|
| 475 |
-
$this->show_msg_error(__('Operation failed! Unable to modify wp-config.php file!', 'aiowpsecurity'));
|
| 476 |
-
}
|
| 477 |
-
}
|
| 478 |
-
return $write_result; //will return true or false depending on whether file write was successful
|
| 479 |
-
}
|
| 480 |
-
|
| 481 |
-
/*
|
| 482 |
-
* Modifies the wp-config.php file to allow PHP file editing from the admin panel
|
| 483 |
-
* This func will modify the following code by replacing "true" with "false":
|
| 484 |
-
* define('DISALLOW_FILE_EDIT', true);
|
| 485 |
-
*/
|
| 486 |
-
|
| 487 |
-
function enable_file_edits()
|
| 488 |
-
{
|
| 489 |
-
global $aio_wp_security;
|
| 490 |
-
$edit_file_config_entry_exists = false;
|
| 491 |
-
|
| 492 |
-
//Config file path
|
| 493 |
-
$config_file = ABSPATH.'wp-config.php';
|
| 494 |
-
|
| 495 |
-
//Get wp-config.php file contents
|
| 496 |
-
$config_contents = file($config_file);
|
| 497 |
-
foreach ($config_contents as $line_num => $line)
|
| 498 |
-
{
|
| 499 |
-
if (strpos($line, "'DISALLOW_FILE_EDIT', true"))
|
| 500 |
-
{
|
| 501 |
-
$config_contents[$line_num] = str_replace('true', 'false', $line);
|
| 502 |
-
$edit_file_config_entry_exists = true;
|
| 503 |
-
} else if(strpos($line, "'DISALLOW_FILE_EDIT', false"))
|
| 504 |
-
{
|
| 505 |
-
$edit_file_config_entry_exists = true;
|
| 506 |
-
$this->show_msg_updated(__('Your system config file is already configured to allow PHP file editing.', 'aiowpsecurity'));
|
| 507 |
-
return true;
|
| 508 |
-
}
|
| 509 |
-
}
|
| 510 |
-
|
| 511 |
-
if (!$edit_file_config_entry_exists)
|
| 512 |
-
{
|
| 513 |
-
//if the DISALLOW_FILE_EDIT settings don't exist in wp-config.php then we don't need to do anything
|
| 514 |
-
$this->show_msg_updated(__('Your system config file is already configured to allow PHP file editing.', 'aiowpsecurity'));
|
| 515 |
-
return true;
|
| 516 |
-
} else
|
| 517 |
-
{
|
| 518 |
-
//Now let's modify the wp-config.php file
|
| 519 |
-
if (AIOWPSecurity_Utility_File::write_content_to_file($config_file, $config_contents))
|
| 520 |
-
{
|
| 521 |
-
$this->show_msg_updated(__('Settings Saved - Your system is now configured to allow PHP file editing.', 'aiowpsecurity'));
|
| 522 |
-
return true;
|
| 523 |
-
}else
|
| 524 |
-
{
|
| 525 |
-
$this->show_msg_error(__('Operation failed! Unable to modify wp-config.php file!', 'aiowpsecurity'));
|
| 526 |
-
$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Unable to modify wp-config.php",4);
|
| 527 |
-
return false;
|
| 528 |
-
}
|
| 529 |
-
}
|
| 530 |
-
}
|
| 531 |
|
| 532 |
function filesystem_menu_footer_code()
|
| 533 |
{
|
| 169 |
if(isset($_POST['aiowps_disable_file_editing']))
|
| 170 |
{
|
| 171 |
|
| 172 |
+
$res = AIOWPSecurity_Utility::disable_file_edits();//$this->disable_file_edits();
|
| 173 |
} else
|
| 174 |
{
|
| 175 |
+
$res = AIOWPSecurity_Utility::enable_file_edits();//$this->enable_file_edits();
|
| 176 |
}
|
| 177 |
if ($res)
|
| 178 |
{
|
| 182 |
|
| 183 |
//Recalculate points after the feature status/options have been altered
|
| 184 |
$aiowps_feature_mgr->check_feature_status_and_recalculate_points();
|
| 185 |
+
$this->show_msg_updated(__('Your PHP file editing settings were saved successfully.', 'aiowpsecurity'));
|
| 186 |
+
}
|
| 187 |
+
else
|
| 188 |
+
{
|
| 189 |
+
$this->show_msg_error(__('Operation failed! Unable to modify or make a backup of wp-config.php file!', 'aiowpsecurity'));
|
| 190 |
}
|
| 191 |
//$this->show_msg_settings_updated();
|
| 192 |
|
| 409 |
}
|
| 410 |
|
| 411 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 412 |
|
| 413 |
function filesystem_menu_footer_code()
|
| 414 |
{
|
admin/wp-security-list-comment-spammer-ip.php
CHANGED
|
@@ -26,7 +26,7 @@ class AIOWPSecurity_List_Comment_Spammer_IP extends AIOWPSecurity_List_Table {
|
|
| 26 |
$actions = array(); //blank array
|
| 27 |
}else{
|
| 28 |
$actions = array(
|
| 29 |
-
'block' => sprintf('<a href="admin.php?page=%s&tab=%s&action=%s&spammer_ip=%s" onclick="return confirm(\'Are you sure you want to add this IP address to your blacklist?\')">Block</a>',
|
| 30 |
);
|
| 31 |
}
|
| 32 |
|
| 26 |
$actions = array(); //blank array
|
| 27 |
}else{
|
| 28 |
$actions = array(
|
| 29 |
+
'block' => sprintf('<a href="admin.php?page=%s&tab=%s&action=%s&spammer_ip=%s" onclick="return confirm(\'Are you sure you want to add this IP address to your blacklist?\')">Block</a>',AIOWPSEC_SPAM_MENU_SLUG,$tab,'block_spammer_ip',$item['comment_author_IP']),
|
| 30 |
);
|
| 31 |
}
|
| 32 |
|
admin/wp-security-settings-menu.php
CHANGED
|
@@ -78,7 +78,25 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 78 |
die("Nonce check failed on disable all security features!");
|
| 79 |
}
|
| 80 |
AIOWPSecurity_Configure_Settings::turn_off_all_security_features();
|
| 81 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 82 |
}
|
| 83 |
?>
|
| 84 |
<div class="aio_grey_box">
|
| 78 |
die("Nonce check failed on disable all security features!");
|
| 79 |
}
|
| 80 |
AIOWPSecurity_Configure_Settings::turn_off_all_security_features();
|
| 81 |
+
//Now let's clear the applicable rules from the .htaccess file
|
| 82 |
+
$res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
|
| 83 |
+
|
| 84 |
+
//Now let's revert the disable editing setting in the wp-config.php file if necessary
|
| 85 |
+
$res2 = AIOWPSecurity_Utility::enable_file_edits();
|
| 86 |
+
|
| 87 |
+
if ($res)
|
| 88 |
+
{
|
| 89 |
+
$this->show_msg_updated(__('All the security features have been disabled successfully!', 'aiowpsecurity'));
|
| 90 |
+
}
|
| 91 |
+
else if($res == -1)
|
| 92 |
+
{
|
| 93 |
+
$this->show_msg_error(__('Could not write to the .htaccess file. Please restore your .htaccess file manually using the restore functionality in the ".htaccess File".', 'aiowpsecurity'));
|
| 94 |
+
}
|
| 95 |
+
|
| 96 |
+
if(!$res2)
|
| 97 |
+
{
|
| 98 |
+
$this->show_msg_error(__('Could not write to the wp-config.php. Please restore your wp-config.php file manually using the restore functionality in the "wp-config.php File".', 'aiowpsecurity'));
|
| 99 |
+
}
|
| 100 |
}
|
| 101 |
?>
|
| 102 |
<div class="aio_grey_box">
|
admin/wp-security-user-login-menu.php
CHANGED
|
@@ -121,6 +121,7 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 121 |
$aio_wp_security->configs->set_value('aiowps_retry_time_period',absint($login_retry_time_period));
|
| 122 |
$aio_wp_security->configs->set_value('aiowps_lockout_time_length',absint($lockout_time_length));
|
| 123 |
$aio_wp_security->configs->set_value('aiowps_set_generic_login_msg',isset($_POST["aiowps_set_generic_login_msg"])?'1':'');
|
|
|
|
| 124 |
$aio_wp_security->configs->set_value('aiowps_enable_email_notify',isset($_POST["aiowps_enable_email_notify"])?'1':'');
|
| 125 |
$aio_wp_security->configs->set_value('aiowps_email_address',$email_address);
|
| 126 |
$aio_wp_security->configs->save_config();
|
|
@@ -197,7 +198,15 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 197 |
<input name="aiowps_set_generic_login_msg" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_set_generic_login_msg')=='1') echo ' checked="checked"'; ?> value="1"/>
|
| 198 |
<span class="description"><?php _e('Check this if you want to show a generic error message when a login attempt fails', 'aiowpsecurity'); ?></span>
|
| 199 |
</td>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 200 |
</tr>
|
|
|
|
| 201 |
<tr valign="top">
|
| 202 |
<th scope="row"><?php _e('Notify By Email', 'aiowpsecurity')?>:</th>
|
| 203 |
<td>
|
| 121 |
$aio_wp_security->configs->set_value('aiowps_retry_time_period',absint($login_retry_time_period));
|
| 122 |
$aio_wp_security->configs->set_value('aiowps_lockout_time_length',absint($lockout_time_length));
|
| 123 |
$aio_wp_security->configs->set_value('aiowps_set_generic_login_msg',isset($_POST["aiowps_set_generic_login_msg"])?'1':'');
|
| 124 |
+
$aio_wp_security->configs->set_value('aiowps_enable_invalid_username_lockdown',isset($_POST["aiowps_enable_invalid_username_lockdown"])?'1':'');
|
| 125 |
$aio_wp_security->configs->set_value('aiowps_enable_email_notify',isset($_POST["aiowps_enable_email_notify"])?'1':'');
|
| 126 |
$aio_wp_security->configs->set_value('aiowps_email_address',$email_address);
|
| 127 |
$aio_wp_security->configs->save_config();
|
| 198 |
<input name="aiowps_set_generic_login_msg" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_set_generic_login_msg')=='1') echo ' checked="checked"'; ?> value="1"/>
|
| 199 |
<span class="description"><?php _e('Check this if you want to show a generic error message when a login attempt fails', 'aiowpsecurity'); ?></span>
|
| 200 |
</td>
|
| 201 |
+
</tr>
|
| 202 |
+
<tr valign="top">
|
| 203 |
+
<th scope="row"><?php _e('Instantly Lockout Invalid Usernames', 'aiowpsecurity')?>:</th>
|
| 204 |
+
<td>
|
| 205 |
+
<input name="aiowps_enable_invalid_username_lockdown" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_invalid_username_lockdown')=='1') echo ' checked="checked"'; ?> value="1"/>
|
| 206 |
+
<span class="description"><?php _e('Check this if you want to instantly lockout login attempts with usernames which do not exist on your system', 'aiowpsecurity'); ?></span>
|
| 207 |
+
</td>
|
| 208 |
</tr>
|
| 209 |
+
|
| 210 |
<tr valign="top">
|
| 211 |
<th scope="row"><?php _e('Notify By Email', 'aiowpsecurity')?>:</th>
|
| 212 |
<td>
|
classes/wp-security-backup.php
CHANGED
|
@@ -73,7 +73,10 @@ class AIOWPSecurity_Backup
|
|
| 73 |
$return .= PHP_EOL . PHP_EOL;
|
| 74 |
|
| 75 |
//Check to see if the main "backups" directory exists - create it otherwise
|
| 76 |
-
|
|
|
|
|
|
|
|
|
|
| 77 |
{
|
| 78 |
$aio_wp_security->debug_logger->log_debug("Creation of DB backup directory failed!",4);
|
| 79 |
return false;
|
|
@@ -103,12 +106,12 @@ class AIOWPSecurity_Backup
|
|
| 103 |
$file = $random_prefix.'-database-backup-site-name-' . $site_name . '-' . current_time( 'timestamp' );
|
| 104 |
|
| 105 |
//We will create a sub dir for the blog using its blog id
|
| 106 |
-
$dirpath =
|
| 107 |
|
| 108 |
//Create a subdirectory for this blog_id
|
| 109 |
if (!AIOWPSecurity_Utility_File::create_dir($dirpath))
|
| 110 |
{
|
| 111 |
-
$aio_wp_security->debug_logger->log_debug("Creation of DB backup directory for the following multisite blog ID: ".$blog_details->blog_id,4);
|
| 112 |
return false;
|
| 113 |
}
|
| 114 |
|
|
@@ -116,7 +119,7 @@ class AIOWPSecurity_Backup
|
|
| 116 |
}
|
| 117 |
else
|
| 118 |
{
|
| 119 |
-
$dirpath =
|
| 120 |
$file = $random_prefix.'-database-backup-' . current_time( 'timestamp' );
|
| 121 |
$handle = @fopen( $dirpath . '/' . $file . '.sql', 'w+' );
|
| 122 |
}
|
|
@@ -147,7 +150,7 @@ class AIOWPSecurity_Backup
|
|
| 147 |
$this->last_backup_file_path = $dirpath . '/' . $file . $fileext;
|
| 148 |
if ($is_multi_site)
|
| 149 |
{
|
| 150 |
-
$this->last_backup_file_url_multisite = AIO_WP_SECURITY_URL . '/backups/blogid_' . $blog_id;
|
| 151 |
}
|
| 152 |
|
| 153 |
$this->aiowps_send_backup_email(); //Send backup file via email if applicable
|
|
@@ -161,7 +164,7 @@ class AIOWPSecurity_Backup
|
|
| 161 |
if ( $aio_wp_security->configs->get_value('aiowps_send_backup_email_address') == '1' )
|
| 162 |
{
|
| 163 |
//Get the right email address.
|
| 164 |
-
if ( is_email( $aio_wp_security->configs->get_value('
|
| 165 |
{
|
| 166 |
$toaddress = $aio_wp_security->configs->get_value('aiowps_backup_email_address');
|
| 167 |
} else
|
| 73 |
$return .= PHP_EOL . PHP_EOL;
|
| 74 |
|
| 75 |
//Check to see if the main "backups" directory exists - create it otherwise
|
| 76 |
+
$upload_dir = wp_upload_dir();
|
| 77 |
+
$aiowps_backup_dir = $upload_dir['basedir'] . '/'.AIO_WP_SECURITY_BACKUPS_DIR_NAME;
|
| 78 |
+
$aiowps_backup_url = $upload_dir['baseurl'] . '/'.AIO_WP_SECURITY_BACKUPS_DIR_NAME;
|
| 79 |
+
if (!AIOWPSecurity_Utility_File::create_dir($aiowps_backup_dir))
|
| 80 |
{
|
| 81 |
$aio_wp_security->debug_logger->log_debug("Creation of DB backup directory failed!",4);
|
| 82 |
return false;
|
| 106 |
$file = $random_prefix.'-database-backup-site-name-' . $site_name . '-' . current_time( 'timestamp' );
|
| 107 |
|
| 108 |
//We will create a sub dir for the blog using its blog id
|
| 109 |
+
$dirpath = $aiowps_backup_dir . '/blogid_' . $blog_id . '/';
|
| 110 |
|
| 111 |
//Create a subdirectory for this blog_id
|
| 112 |
if (!AIOWPSecurity_Utility_File::create_dir($dirpath))
|
| 113 |
{
|
| 114 |
+
$aio_wp_security->debug_logger->log_debug("Creation failed of DB backup directory for the following multisite blog ID: ".$blog_details->blog_id,4);
|
| 115 |
return false;
|
| 116 |
}
|
| 117 |
|
| 119 |
}
|
| 120 |
else
|
| 121 |
{
|
| 122 |
+
$dirpath = $aiowps_backup_dir;
|
| 123 |
$file = $random_prefix.'-database-backup-' . current_time( 'timestamp' );
|
| 124 |
$handle = @fopen( $dirpath . '/' . $file . '.sql', 'w+' );
|
| 125 |
}
|
| 150 |
$this->last_backup_file_path = $dirpath . '/' . $file . $fileext;
|
| 151 |
if ($is_multi_site)
|
| 152 |
{
|
| 153 |
+
$this->last_backup_file_url_multisite = $aiowps_backup_url . '/blogid_' . $blog_id; //AIO_WP_SECURITY_URL . '/backups/blogid_' . $blog_id;
|
| 154 |
}
|
| 155 |
|
| 156 |
$this->aiowps_send_backup_email(); //Send backup file via email if applicable
|
| 164 |
if ( $aio_wp_security->configs->get_value('aiowps_send_backup_email_address') == '1' )
|
| 165 |
{
|
| 166 |
//Get the right email address.
|
| 167 |
+
if ( is_email( $aio_wp_security->configs->get_value('aiowps_backup_email_address') ) )
|
| 168 |
{
|
| 169 |
$toaddress = $aio_wp_security->configs->get_value('aiowps_backup_email_address');
|
| 170 |
} else
|
classes/wp-security-configure-settings.php
CHANGED
|
@@ -28,7 +28,8 @@ class AIOWPSecurity_Configure_Settings
|
|
| 28 |
$aio_wp_security->configs->set_value('aiowps_email_address',$blog_email_address);//text field
|
| 29 |
$aio_wp_security->configs->set_value('aiowps_enable_forced_logout','');//Checkbox
|
| 30 |
$aio_wp_security->configs->set_value('aiowps_logout_time_period','60');
|
| 31 |
-
|
|
|
|
| 32 |
//DB Security feature
|
| 33 |
//$aio_wp_security->configs->set_value('aiowps_new_manual_db_pefix',''); //text field
|
| 34 |
$aio_wp_security->configs->set_value('aiowps_enable_random_prefix','');//Checkbox
|
|
@@ -79,7 +80,7 @@ class AIOWPSecurity_Configure_Settings
|
|
| 79 |
$aio_wp_security->configs->set_value('aiowps_fcd_exclude_files','');
|
| 80 |
$aio_wp_security->configs->set_value('aiowps_send_fcd_scan_email','');//Checkbox
|
| 81 |
$aio_wp_security->configs->set_value('aiowps_fcd_scan_email_address',$blog_email_address);
|
| 82 |
-
$aio_wp_security->configs->set_value('aiowps_fcds_change_detected',FALSE); //used to display a global alert on site when file change detected
|
| 83 |
|
| 84 |
|
| 85 |
//TODO - keep adding default options for any fields that require it
|
|
@@ -110,6 +111,7 @@ class AIOWPSecurity_Configure_Settings
|
|
| 110 |
$aio_wp_security->configs->add_value('aiowps_email_address',$blog_email_address);//text field
|
| 111 |
$aio_wp_security->configs->add_value('aiowps_enable_forced_logout','');//Checkbox
|
| 112 |
$aio_wp_security->configs->add_value('aiowps_logout_time_period','60');
|
|
|
|
| 113 |
|
| 114 |
//DB Security feature
|
| 115 |
//$aio_wp_security->configs->add_value('aiowps_new_manual_db_pefix',''); //text field
|
| 28 |
$aio_wp_security->configs->set_value('aiowps_email_address',$blog_email_address);//text field
|
| 29 |
$aio_wp_security->configs->set_value('aiowps_enable_forced_logout','');//Checkbox
|
| 30 |
$aio_wp_security->configs->set_value('aiowps_logout_time_period','60');
|
| 31 |
+
$aio_wp_security->configs->set_value('aiowps_enable_invalid_username_lockdown','');//Checkbox
|
| 32 |
+
|
| 33 |
//DB Security feature
|
| 34 |
//$aio_wp_security->configs->set_value('aiowps_new_manual_db_pefix',''); //text field
|
| 35 |
$aio_wp_security->configs->set_value('aiowps_enable_random_prefix','');//Checkbox
|
| 80 |
$aio_wp_security->configs->set_value('aiowps_fcd_exclude_files','');
|
| 81 |
$aio_wp_security->configs->set_value('aiowps_send_fcd_scan_email','');//Checkbox
|
| 82 |
$aio_wp_security->configs->set_value('aiowps_fcd_scan_email_address',$blog_email_address);
|
| 83 |
+
$aio_wp_security->configs->set_value('aiowps_fcds_change_detected', FALSE); //used to display a global alert on site when file change detected
|
| 84 |
|
| 85 |
|
| 86 |
//TODO - keep adding default options for any fields that require it
|
| 111 |
$aio_wp_security->configs->add_value('aiowps_email_address',$blog_email_address);//text field
|
| 112 |
$aio_wp_security->configs->add_value('aiowps_enable_forced_logout','');//Checkbox
|
| 113 |
$aio_wp_security->configs->add_value('aiowps_logout_time_period','60');
|
| 114 |
+
$aio_wp_security->configs->add_value('aiowps_enable_invalid_username_lockdown','');//Checkbox
|
| 115 |
|
| 116 |
//DB Security feature
|
| 117 |
//$aio_wp_security->configs->add_value('aiowps_new_manual_db_pefix',''); //text field
|
classes/wp-security-installer.php
CHANGED
|
@@ -18,12 +18,14 @@ class AIOWPSecurity_Installer
|
|
| 18 |
AIOWPSecurity_Installer::create_db_tables();
|
| 19 |
AIOWPSecurity_Configure_Settings::add_option_values();
|
| 20 |
}
|
|
|
|
| 21 |
switch_to_blog($old_blog);
|
| 22 |
return;
|
| 23 |
}
|
| 24 |
}
|
| 25 |
AIOWPSecurity_Installer::create_db_tables();
|
| 26 |
AIOWPSecurity_Configure_Settings::add_option_values();
|
|
|
|
| 27 |
}
|
| 28 |
|
| 29 |
static function create_db_tables()
|
|
@@ -90,4 +92,30 @@ class AIOWPSecurity_Installer
|
|
| 90 |
|
| 91 |
update_option("aiowpsec_db_version", AIO_WP_SECURITY_DB_VERSION);
|
| 92 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 93 |
}
|
| 18 |
AIOWPSecurity_Installer::create_db_tables();
|
| 19 |
AIOWPSecurity_Configure_Settings::add_option_values();
|
| 20 |
}
|
| 21 |
+
AIOWPSecurity_Installer::create_db_backup_dir(); //Create a backup dir in the WP uploads directory
|
| 22 |
switch_to_blog($old_blog);
|
| 23 |
return;
|
| 24 |
}
|
| 25 |
}
|
| 26 |
AIOWPSecurity_Installer::create_db_tables();
|
| 27 |
AIOWPSecurity_Configure_Settings::add_option_values();
|
| 28 |
+
AIOWPSecurity_Installer::create_db_backup_dir(); //Create a backup dir in the WP uploads directory
|
| 29 |
}
|
| 30 |
|
| 31 |
static function create_db_tables()
|
| 92 |
|
| 93 |
update_option("aiowpsec_db_version", AIO_WP_SECURITY_DB_VERSION);
|
| 94 |
}
|
| 95 |
+
|
| 96 |
+
static function create_db_backup_dir()
|
| 97 |
+
{
|
| 98 |
+
//Create our folder in the "uploads" directory
|
| 99 |
+
$upload_dir = wp_upload_dir();
|
| 100 |
+
$aiowps_dir = $upload_dir['basedir'] . '/'.AIO_WP_SECURITY_BACKUPS_DIR_NAME;
|
| 101 |
+
if(!is_dir($aiowps_dir)) {
|
| 102 |
+
mkdir($aiowps_dir , 0755, true);
|
| 103 |
+
//Let's also create an empty index.html file in this folder
|
| 104 |
+
$index_file = $aiowps_dir.'/index.html';
|
| 105 |
+
$handle = fopen($index_file, 'w'); //or die('Cannot open file: '.$index_file);
|
| 106 |
+
fclose($handle);
|
| 107 |
+
|
| 108 |
+
//Create an .htacces file
|
| 109 |
+
//Write some rules which will only allow people originating from wp admin page to download the DB backup
|
| 110 |
+
$rules = '';
|
| 111 |
+
$rules .= '<IfModule mod_rewrite.c>
|
| 112 |
+
RewriteEngine On
|
| 113 |
+
RewriteCond %{HTTP_REFERER} !(wp-admin/admin.php) [NC]
|
| 114 |
+
RewriteRule .* http://127.0.0.1 [L]
|
| 115 |
+
</IfModule>' . PHP_EOL;
|
| 116 |
+
$file = $aiowps_dir.'/.htaccess';
|
| 117 |
+
file_put_contents($file, $rules);
|
| 118 |
+
}
|
| 119 |
+
}
|
| 120 |
+
|
| 121 |
}
|
classes/wp-security-user-login.php
CHANGED
|
@@ -36,7 +36,7 @@ class AIOWPSecurity_User_Login
|
|
| 36 |
$user_locked = $this->check_locked_user();
|
| 37 |
if ($user_locked != NULL) {
|
| 38 |
$aio_wp_security->debug_logger->log_debug("Login attempt from blocked IP range - ".$user_locked['failed_login_ip'],2);
|
| 39 |
-
return new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Login failed because your IP address has been blocked
|
| 40 |
Please contact the administrator.', 'aiowpsecurity'));
|
| 41 |
}
|
| 42 |
|
|
@@ -61,7 +61,7 @@ class AIOWPSecurity_User_Login
|
|
| 61 |
$this->increment_failed_logins($username);
|
| 62 |
if($aio_wp_security->configs->get_value('aiowps_enable_login_lockdown')=='1')
|
| 63 |
{
|
| 64 |
-
if($login_attempts_permitted <= $this->get_login_fail_count())
|
| 65 |
{
|
| 66 |
$this->lock_the_user($username);
|
| 67 |
}
|
|
@@ -160,10 +160,10 @@ class AIOWPSecurity_User_Login
|
|
| 160 |
//If the login attempt was made using a non-existent user then let's set user_id to blank and record the attempted user login name for DB storage later on
|
| 161 |
$user_id = '';
|
| 162 |
}
|
| 163 |
-
|
| 164 |
$insert = "INSERT INTO " . $login_lockdown_table . " (user_id, user_login, lockdown_date, release_date, failed_login_IP) " .
|
| 165 |
"VALUES ('" . $user_id . "', '" . $username . "', now(), date_add(now(), INTERVAL " .
|
| 166 |
-
$lockout_time_length . " MINUTE), '" .
|
| 167 |
$result = $wpdb->query($insert);
|
| 168 |
if ($result > 0)
|
| 169 |
{
|
|
@@ -199,8 +199,9 @@ class AIOWPSecurity_User_Login
|
|
| 199 |
//If the login attempt was made using a non-existent user then let's set user_id to blank and record the attempted user login name for DB storage later on
|
| 200 |
$user_id = '';
|
| 201 |
}
|
|
|
|
| 202 |
$insert = "INSERT INTO " . $login_fails_table . " (user_id, user_login, failed_login_date, login_attempt_ip) " .
|
| 203 |
-
"VALUES ('" . $user_id . "', '" . $username . "', now(), '" .
|
| 204 |
$result = $wpdb->query($insert);
|
| 205 |
if ($result == FALSE)
|
| 206 |
{
|
|
@@ -221,9 +222,9 @@ class AIOWPSecurity_User_Login
|
|
| 221 |
if ($email_notification_enabled == 1)
|
| 222 |
{
|
| 223 |
$subject = '['.get_option('siteurl').'] '. __('Site Lockout Notification','aiowpsecurity');
|
| 224 |
-
$email_msg .= __('A lockdown event has occurred due to too many failed login attempts
|
| 225 |
$email_msg .= __('Username: '.($username?$username:"Unknown"),'aiowpsecurity')."\n";
|
| 226 |
-
$email_msg .= __('IP Range: '.$ip_range,'aiowpsecurity')."\n\n";
|
| 227 |
$email_msg .= __('Log into your site\'s WordPress administration panel to see the duration of the lockout or to unlock the user.','aiowpsecurity')."\n";
|
| 228 |
$email_header = 'From: '.get_bloginfo( 'name' ).' <'.get_bloginfo('admin_email').'>' . "\r\n\\";
|
| 229 |
$sendMail = wp_mail($to_email_address, $subject, $email_msg, $email_header);
|
| 36 |
$user_locked = $this->check_locked_user();
|
| 37 |
if ($user_locked != NULL) {
|
| 38 |
$aio_wp_security->debug_logger->log_debug("Login attempt from blocked IP range - ".$user_locked['failed_login_ip'],2);
|
| 39 |
+
return new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Login failed because your IP address has been blocked.
|
| 40 |
Please contact the administrator.', 'aiowpsecurity'));
|
| 41 |
}
|
| 42 |
|
| 61 |
$this->increment_failed_logins($username);
|
| 62 |
if($aio_wp_security->configs->get_value('aiowps_enable_login_lockdown')=='1')
|
| 63 |
{
|
| 64 |
+
if($login_attempts_permitted <= $this->get_login_fail_count() || $aio_wp_security->configs->get_value('aiowps_enable_invalid_username_lockdown')=='1')
|
| 65 |
{
|
| 66 |
$this->lock_the_user($username);
|
| 67 |
}
|
| 160 |
//If the login attempt was made using a non-existent user then let's set user_id to blank and record the attempted user login name for DB storage later on
|
| 161 |
$user_id = '';
|
| 162 |
}
|
| 163 |
+
$ip_range_str = esc_sql($ip_range).'.*';
|
| 164 |
$insert = "INSERT INTO " . $login_lockdown_table . " (user_id, user_login, lockdown_date, release_date, failed_login_IP) " .
|
| 165 |
"VALUES ('" . $user_id . "', '" . $username . "', now(), date_add(now(), INTERVAL " .
|
| 166 |
+
$lockout_time_length . " MINUTE), '" . $ip_range_str . "')";
|
| 167 |
$result = $wpdb->query($insert);
|
| 168 |
if ($result > 0)
|
| 169 |
{
|
| 199 |
//If the login attempt was made using a non-existent user then let's set user_id to blank and record the attempted user login name for DB storage later on
|
| 200 |
$user_id = '';
|
| 201 |
}
|
| 202 |
+
$ip_range_str = esc_sql($ip_range).'.*';
|
| 203 |
$insert = "INSERT INTO " . $login_fails_table . " (user_id, user_login, failed_login_date, login_attempt_ip) " .
|
| 204 |
+
"VALUES ('" . $user_id . "', '" . $username . "', now(), '" . $ip_range_str . "')";
|
| 205 |
$result = $wpdb->query($insert);
|
| 206 |
if ($result == FALSE)
|
| 207 |
{
|
| 222 |
if ($email_notification_enabled == 1)
|
| 223 |
{
|
| 224 |
$subject = '['.get_option('siteurl').'] '. __('Site Lockout Notification','aiowpsecurity');
|
| 225 |
+
$email_msg .= __('A lockdown event has occurred due to too many failed login attempts or invalid username:','aiowpsecurity')."\n";
|
| 226 |
$email_msg .= __('Username: '.($username?$username:"Unknown"),'aiowpsecurity')."\n";
|
| 227 |
+
$email_msg .= __('IP Range: '.$ip_range.'.*','aiowpsecurity')."\n\n";
|
| 228 |
$email_msg .= __('Log into your site\'s WordPress administration panel to see the duration of the lockout or to unlock the user.','aiowpsecurity')."\n";
|
| 229 |
$email_header = 'From: '.get_bloginfo( 'name' ).' <'.get_bloginfo('admin_email').'>' . "\r\n\\";
|
| 230 |
$sendMail = wp_mail($to_email_address, $subject, $email_msg, $email_header);
|
classes/wp-security-utility-htaccess.php
CHANGED
|
@@ -338,7 +338,12 @@ class AIOWPSecurity_Utility_Htaccess
|
|
| 338 |
$count = 1;
|
| 339 |
foreach ( $user_agents as $agent )
|
| 340 |
{
|
| 341 |
-
$
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 342 |
if ( $count < sizeof( $user_agents ) )
|
| 343 |
{
|
| 344 |
$rules .= " [NC,OR]" . PHP_EOL;
|
|
@@ -556,7 +561,7 @@ class AIOWPSecurity_Utility_Htaccess
|
|
| 556 |
//$rules .= 'RewriteCond %{QUERY_STRING} ^.*([|]|(|)||\'|"|;|?|*).* [NC,OR]' . PHP_EOL;
|
| 557 |
//$rules .= 'RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]' . PHP_EOL;
|
| 558 |
//$rules .= 'RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]' . PHP_EOL;
|
| 559 |
-
$rules .= 'RewriteCond %{QUERY_STRING} ^.*(globals|encode|
|
| 560 |
$rules .= 'RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(request|insert|union|declare|drop) [NC]' . PHP_EOL;
|
| 561 |
$rules .= 'RewriteRule ^(.*)$ - [F,L]' . PHP_EOL;
|
| 562 |
$rules .= AIOWPSecurity_Utility_Htaccess::$deny_bad_query_strings_marker_end . PHP_EOL; //Add feature marker end
|
| 338 |
$count = 1;
|
| 339 |
foreach ( $user_agents as $agent )
|
| 340 |
{
|
| 341 |
+
$agent_escaped = quotemeta($agent);
|
| 342 |
+
$pattern = '/\s/'; //Find spaces in the string
|
| 343 |
+
$replacement = '\s'; //Replace spaces with \s so apache can understand
|
| 344 |
+
$agent_sanitized = preg_replace($pattern, $replacement, $agent_escaped);
|
| 345 |
+
|
| 346 |
+
$rules .= "RewriteCond %{HTTP_USER_AGENT} ^" . trim( $agent_sanitized );
|
| 347 |
if ( $count < sizeof( $user_agents ) )
|
| 348 |
{
|
| 349 |
$rules .= " [NC,OR]" . PHP_EOL;
|
| 561 |
//$rules .= 'RewriteCond %{QUERY_STRING} ^.*([|]|(|)||\'|"|;|?|*).* [NC,OR]' . PHP_EOL;
|
| 562 |
//$rules .= 'RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]' . PHP_EOL;
|
| 563 |
//$rules .= 'RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]' . PHP_EOL;
|
| 564 |
+
$rules .= 'RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]' . PHP_EOL;
|
| 565 |
$rules .= 'RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(request|insert|union|declare|drop) [NC]' . PHP_EOL;
|
| 566 |
$rules .= 'RewriteRule ^(.*)$ - [F,L]' . PHP_EOL;
|
| 567 |
$rules .= AIOWPSecurity_Utility_Htaccess::$deny_bad_query_strings_marker_end . PHP_EOL; //Add feature marker end
|
classes/wp-security-utility.php
CHANGED
|
@@ -152,4 +152,144 @@ class AIOWPSecurity_Utility
|
|
| 152 |
echo '</div>';
|
| 153 |
}
|
| 154 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 155 |
}
|
| 152 |
echo '</div>';
|
| 153 |
}
|
| 154 |
|
| 155 |
+
/*
|
| 156 |
+
* Modifies the wp-config.php file to disable PHP file editing from the admin panel
|
| 157 |
+
* This func will add the following code:
|
| 158 |
+
* define('DISALLOW_FILE_EDIT', false);
|
| 159 |
+
*
|
| 160 |
+
* NOTE: This function will firstly check if the above code already exists and it will modify the bool value, otherwise it will insert the code mentioned above
|
| 161 |
+
*/
|
| 162 |
+
static function disable_file_edits()
|
| 163 |
+
{
|
| 164 |
+
global $aio_wp_security;
|
| 165 |
+
$edit_file_config_entry_exists = false;
|
| 166 |
+
|
| 167 |
+
//Config file path
|
| 168 |
+
$config_file = ABSPATH.'wp-config.php';
|
| 169 |
+
|
| 170 |
+
//Get wp-config.php file contents so we can check if the "DISALLOW_FILE_EDIT" variable already exists
|
| 171 |
+
$config_contents = file($config_file);
|
| 172 |
+
|
| 173 |
+
foreach ($config_contents as $line_num => $line)
|
| 174 |
+
{
|
| 175 |
+
if (strpos($line, "'DISALLOW_FILE_EDIT', false"))
|
| 176 |
+
{
|
| 177 |
+
$config_contents[$line_num] = str_replace('false', 'true', $line);
|
| 178 |
+
$edit_file_config_entry_exists = true;
|
| 179 |
+
//$this->show_msg_updated(__('Settings Saved - The ability to edit PHP files via the admin the panel has been DISABLED.', 'aiowpsecurity'));
|
| 180 |
+
} else if(strpos($line, "'DISALLOW_FILE_EDIT', true"))
|
| 181 |
+
{
|
| 182 |
+
$edit_file_config_entry_exists = true;
|
| 183 |
+
//$this->show_msg_updated(__('Your system config file is already configured to disallow PHP file editing.', 'aiowpsecurity'));
|
| 184 |
+
return true;
|
| 185 |
+
|
| 186 |
+
}
|
| 187 |
+
}
|
| 188 |
+
|
| 189 |
+
if ($edit_file_config_entry_exists)
|
| 190 |
+
{
|
| 191 |
+
//Now let's modify the wp-config.php file
|
| 192 |
+
if (AIOWPSecurity_Utility_File::write_content_to_file($config_file, $config_contents))
|
| 193 |
+
{
|
| 194 |
+
//$this->show_msg_updated(__('Settings Saved - Your system is now configured to not allow PHP file editing.', 'aiowpsecurity'));
|
| 195 |
+
return true;
|
| 196 |
+
}else
|
| 197 |
+
{
|
| 198 |
+
//$this->show_msg_error(__('Operation failed! Unable to modify wp-config.php file!', 'aiowpsecurity'));
|
| 199 |
+
$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Unable to modify wp-config.php",4);
|
| 200 |
+
return false;
|
| 201 |
+
}
|
| 202 |
+
}else
|
| 203 |
+
{
|
| 204 |
+
//Make a backup of the config file
|
| 205 |
+
if(!AIOWPSecurity_Utility_File::backup_a_file($config_file))
|
| 206 |
+
{
|
| 207 |
+
$this->show_msg_error(__('Failed to make a backup of the wp-config.php file. This operation will not go ahead.', 'aiowpsecurity'));
|
| 208 |
+
//$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Failed to make a backup of the wp-config.php file.",4);
|
| 209 |
+
return false;
|
| 210 |
+
}
|
| 211 |
+
else{
|
| 212 |
+
//$this->show_msg_updated(__('A backup copy of your wp-config.php file was created successfully....', 'aiowpsecurity'));
|
| 213 |
+
}
|
| 214 |
+
|
| 215 |
+
//Construct the config code which we will insert into wp-config.php
|
| 216 |
+
$new_snippet = "//Disable File Edits\n";
|
| 217 |
+
$new_snippet .= 'define(\'DISALLOW_FILE_EDIT\', true);';
|
| 218 |
+
|
| 219 |
+
//Check for php ending tags for cases of wp-config file inherited from older WP systems.
|
| 220 |
+
$last_line = end($config_contents);
|
| 221 |
+
if (strrpos($last_line, "?>") !== false)
|
| 222 |
+
{
|
| 223 |
+
$fh = fopen($config_file, 'r+');
|
| 224 |
+
$new_snippet .= '?>';
|
| 225 |
+
fseek($fh, -2, SEEK_END);
|
| 226 |
+
$write_result = fwrite($fh, $new_snippet);
|
| 227 |
+
fclose($fh);
|
| 228 |
+
}
|
| 229 |
+
else
|
| 230 |
+
{
|
| 231 |
+
$write_result = file_put_contents($config_file, $new_snippet, FILE_APPEND | LOCK_EX);
|
| 232 |
+
}
|
| 233 |
+
if ($write_result === false)
|
| 234 |
+
{
|
| 235 |
+
return false;
|
| 236 |
+
}else
|
| 237 |
+
{
|
| 238 |
+
return true;
|
| 239 |
+
}
|
| 240 |
+
}
|
| 241 |
+
}
|
| 242 |
+
|
| 243 |
+
/*
|
| 244 |
+
* Modifies the wp-config.php file to allow PHP file editing from the admin panel
|
| 245 |
+
* This func will modify the following code by replacing "true" with "false":
|
| 246 |
+
* define('DISALLOW_FILE_EDIT', true);
|
| 247 |
+
*/
|
| 248 |
+
|
| 249 |
+
static function enable_file_edits()
|
| 250 |
+
{
|
| 251 |
+
global $aio_wp_security;
|
| 252 |
+
$edit_file_config_entry_exists = false;
|
| 253 |
+
|
| 254 |
+
//Config file path
|
| 255 |
+
$config_file = ABSPATH.'wp-config.php';
|
| 256 |
+
|
| 257 |
+
//Get wp-config.php file contents
|
| 258 |
+
$config_contents = file($config_file);
|
| 259 |
+
foreach ($config_contents as $line_num => $line)
|
| 260 |
+
{
|
| 261 |
+
if (strpos($line, "'DISALLOW_FILE_EDIT', true"))
|
| 262 |
+
{
|
| 263 |
+
$config_contents[$line_num] = str_replace('true', 'false', $line);
|
| 264 |
+
$edit_file_config_entry_exists = true;
|
| 265 |
+
} else if(strpos($line, "'DISALLOW_FILE_EDIT', false"))
|
| 266 |
+
{
|
| 267 |
+
$edit_file_config_entry_exists = true;
|
| 268 |
+
//$this->show_msg_updated(__('Your system config file is already configured to allow PHP file editing.', 'aiowpsecurity'));
|
| 269 |
+
return true;
|
| 270 |
+
}
|
| 271 |
+
}
|
| 272 |
+
|
| 273 |
+
if (!$edit_file_config_entry_exists)
|
| 274 |
+
{
|
| 275 |
+
//if the DISALLOW_FILE_EDIT settings don't exist in wp-config.php then we don't need to do anything
|
| 276 |
+
//$this->show_msg_updated(__('Your system config file is already configured to allow PHP file editing.', 'aiowpsecurity'));
|
| 277 |
+
return true;
|
| 278 |
+
} else
|
| 279 |
+
{
|
| 280 |
+
//Now let's modify the wp-config.php file
|
| 281 |
+
if (AIOWPSecurity_Utility_File::write_content_to_file($config_file, $config_contents))
|
| 282 |
+
{
|
| 283 |
+
//$this->show_msg_updated(__('Settings Saved - Your system is now configured to allow PHP file editing.', 'aiowpsecurity'));
|
| 284 |
+
return true;
|
| 285 |
+
}else
|
| 286 |
+
{
|
| 287 |
+
//$this->show_msg_error(__('Operation failed! Unable to modify wp-config.php file!', 'aiowpsecurity'));
|
| 288 |
+
//$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Unable to modify wp-config.php",4);
|
| 289 |
+
return false;
|
| 290 |
+
}
|
| 291 |
+
}
|
| 292 |
+
}
|
| 293 |
+
|
| 294 |
+
|
| 295 |
}
|
css/wp-security-admin-styles.css
CHANGED
|
@@ -7,6 +7,7 @@
|
|
| 7 |
.aio_spacer_10_tblr{margin:10px;}
|
| 8 |
.aio_clear_float{clear: both;}
|
| 9 |
.aio_float_left{float: left;}
|
|
|
|
| 10 |
|
| 11 |
.aiowps_admin_ul_grp1{
|
| 12 |
list-style: circle;
|
| 7 |
.aio_spacer_10_tblr{margin:10px;}
|
| 8 |
.aio_clear_float{clear: both;}
|
| 9 |
.aio_float_left{float: left;}
|
| 10 |
+
.aio_padding_10{padding: 10px !important;}
|
| 11 |
|
| 12 |
.aiowps_admin_ul_grp1{
|
| 13 |
list-style: circle;
|
readme.txt
CHANGED
|
@@ -4,7 +4,7 @@ Donate link: http://www.tipsandtricks-hq.com
|
|
| 4 |
Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict
|
| 5 |
Requires at least: 3.5
|
| 6 |
Tested up to: 3.6
|
| 7 |
-
Stable tag: 2.
|
| 8 |
License: GPLv3
|
| 9 |
|
| 10 |
A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
|
|
@@ -45,6 +45,7 @@ via email whenever somebody gets locked out due to too many login attempts.
|
|
| 45 |
* Monitor/View failed login attempts which show the user's IP address, User ID/Username and Date/Time of the failed login attempt
|
| 46 |
|
| 47 |
* Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
|
|
|
|
| 48 |
|
| 49 |
= Database Security =
|
| 50 |
* Easily the default WP prefix to a value of your choice with the click of a button.
|
|
@@ -135,6 +136,16 @@ http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
|
|
| 135 |
None
|
| 136 |
|
| 137 |
== Changelog ==
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 138 |
|
| 139 |
= 2.3 =
|
| 140 |
- Added new menu called Scanner with a new feature called File Change Detection. This feature will alert you if any files have changed, added or removed from your system.
|
| 4 |
Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict
|
| 5 |
Requires at least: 3.5
|
| 6 |
Tested up to: 3.6
|
| 7 |
+
Stable tag: 2.4
|
| 8 |
License: GPLv3
|
| 9 |
|
| 10 |
A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
|
| 45 |
* Monitor/View failed login attempts which show the user's IP address, User ID/Username and Date/Time of the failed login attempt
|
| 46 |
|
| 47 |
* Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
|
| 48 |
+
* Ability to automatically lockout IP address ranges which attempt to login with an invalid username.
|
| 49 |
|
| 50 |
= Database Security =
|
| 51 |
* Easily the default WP prefix to a value of your choice with the click of a button.
|
| 136 |
None
|
| 137 |
|
| 138 |
== Changelog ==
|
| 139 |
+
= 2.4 =
|
| 140 |
+
- Added new feature/checkbox which will instantly lockout IP address ranges which attempt to login with an invalid username.
|
| 141 |
+
- Fixed a bug in the Comment SPAM IP Monitoring page where trying to block one or more IPs was failing.
|
| 142 |
+
- Removed the word "config" from the list of bad query strings check (to add compatibility with a few more plugins)
|
| 143 |
+
- Added a notice in the dashboard menu to show you if there are any recent file changes that the plugin detected.
|
| 144 |
+
- Fixed bug with php File Editing feature. Code now also handles older style wp-config.php files which have the php end tag "?>"
|
| 145 |
+
- Fixed bug with "Disable All Security Features" button functionality. When clicked, this will now also make the appropriate changes to the .htacces and wp-config.php files if necessary.
|
| 146 |
+
- Changed the storage of backup files from the plugin's directory to the uploads directory. Also added a .htaccess file for security.
|
| 147 |
+
- Fixed the way user-agent strings were written to the .htacess file from the Blacklist feature. The code now will correctly identify and represent spaces and escaped chars.
|
| 148 |
+
- Fixed a bug related to sending backup to correct email address.
|
| 149 |
|
| 150 |
= 2.3 =
|
| 151 |
- Added new menu called Scanner with a new feature called File Change Detection. This feature will alert you if any files have changed, added or removed from your system.
|
wp-security-core.php
CHANGED
|
@@ -3,7 +3,7 @@
|
|
| 3 |
if (!class_exists('AIO_WP_Security')){
|
| 4 |
|
| 5 |
class AIO_WP_Security{
|
| 6 |
-
var $version = '2.
|
| 7 |
var $db_version = '1.3';
|
| 8 |
var $plugin_url;
|
| 9 |
var $plugin_path;
|
|
@@ -51,6 +51,7 @@ class AIO_WP_Security{
|
|
| 51 |
define('AIOWPSEC_WP_URL', site_url());
|
| 52 |
define('AIO_WP_SECURITY_URL', $this->plugin_url());
|
| 53 |
define('AIO_WP_SECURITY_PATH', $this->plugin_path());
|
|
|
|
| 54 |
define('AIO_WP_SECURITY_BACKUPS_PATH', AIO_WP_SECURITY_PATH.'/backups');
|
| 55 |
define('AIO_WP_SECURITY_LIB_PATH', AIO_WP_SECURITY_PATH.'/lib');
|
| 56 |
define('AIOWPSEC_MANAGEMENT_PERMISSION', 'add_users');
|
| 3 |
if (!class_exists('AIO_WP_Security')){
|
| 4 |
|
| 5 |
class AIO_WP_Security{
|
| 6 |
+
var $version = '2.4';
|
| 7 |
var $db_version = '1.3';
|
| 8 |
var $plugin_url;
|
| 9 |
var $plugin_path;
|
| 51 |
define('AIOWPSEC_WP_URL', site_url());
|
| 52 |
define('AIO_WP_SECURITY_URL', $this->plugin_url());
|
| 53 |
define('AIO_WP_SECURITY_PATH', $this->plugin_path());
|
| 54 |
+
define('AIO_WP_SECURITY_BACKUPS_DIR_NAME', 'aiowps_backups');
|
| 55 |
define('AIO_WP_SECURITY_BACKUPS_PATH', AIO_WP_SECURITY_PATH.'/backups');
|
| 56 |
define('AIO_WP_SECURITY_LIB_PATH', AIO_WP_SECURITY_PATH.'/lib');
|
| 57 |
define('AIOWPSEC_MANAGEMENT_PERMISSION', 'add_users');
|
wp-security.php
CHANGED
|
@@ -1,7 +1,7 @@
|
|
| 1 |
<?php
|
| 2 |
/*
|
| 3 |
Plugin Name: All In One WP Security
|
| 4 |
-
Version: v2.
|
| 5 |
Plugin URI: http://www.tipsandtricks-hq.com/
|
| 6 |
Author: Tips and Tricks HQ, Peter, Ruhul Amin
|
| 7 |
Author URI: http://www.tipsandtricks-hq.com/
|
| 1 |
<?php
|
| 2 |
/*
|
| 3 |
Plugin Name: All In One WP Security
|
| 4 |
+
Version: v2.4
|
| 5 |
Plugin URI: http://www.tipsandtricks-hq.com/
|
| 6 |
Author: Tips and Tricks HQ, Peter, Ruhul Amin
|
| 7 |
Author URI: http://www.tipsandtricks-hq.com/
|
