All In One WP Security & Firewall - Version 2.5

Version Description

  • Added a new feature which will list the currently logged in users who have been active within the last 15 minutes.
  • Added a new feature in settings menu which will disable all firewall rules and clear all applicable directives in the .htaccess file.
  • Improved the way the wp-config.php file is handled when it contains an ending PHP tag "?>" (older sites that were using PHP4 earlier).

Release Info

Developer mra13
Version 2.5

Code changes from version 2.4 to 2.5

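--- a/admin/wp-security-dashboard-menu.php
+++ b/admin/wp-security-dashboard-menu.php
@@ -282,6 +282,55 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
 
  <div class="aiowps_dashboard_box_small">
  <div class="postbox">
+ <h3><label for="title">Logged In Users</label></h3>
+ <div class="inside">
+ <?php
+ $users_online_link = '<a href="admin.php?page='.AIOWPSEC_USER_LOGIN_MENU_SLUG.'&tab=tab5">Logged In Users</a>';
+ if (AIOWPSecurity_Utility::is_multisite_install())
+ {
+ $logged_in_users = get_site_transient('users_online');
+ $num_users = count($logged_in_users);
+ if($num_users > 1)
+ {
+ echo '<div class="aio_red_box"><p>'.__('Number of users currently logged in site-wide is:','aiowpsecurity').' <strong>'.$num_users.'</strong></p>';
+ $info_msg = '<p>'.sprintf( __('Go to the %s menu to see more details', 'aiowpsecurity'), $users_online_link).'</p>';
+ echo $info_msg.'</div>';
+ }
+ else
+ {
+ echo '<div class="aio_green_box"><p>'.__('There are no other site-wide users currently logged in.','aiowpsecurity').'</p></div>';
+ }
+ }
+ else
+ {
+ $logged_in_users = get_transient('users_online');
+ if ($logged_in_users === false || $logged_in_users == NULL)
+ {
+ $num_users = 0;
+ }
+ else
+ {
+ $num_users = count($logged_in_users);
+ }
+ if($num_users > 1)
+ {
+ echo '<div class="aio_red_box"><p>'.__('Number of users currently logged into your site is:','aiowpsecurity').' <strong>'.$num_users.'</strong></p>';
+ $info_msg = '<p>'.sprintf( __('Go to the %s menu to see more details', 'aiowpsecurity'), $users_online_link).'</p>';
+ echo $info_msg.'</div>';
+ }
+ else
+ {
+ echo '<div class="aio_green_box"><p>'.__('There are no other users currently logged in.','aiowpsecurity').'</p></div>';
+ }
+ }
+ ?>
+ </div></div>
+ </div><!-- aiowps_dashboard_box -->
+
+ <div class="aio_clear_float"></div>
+
+ <div class="aiowps_dashboard_box_small aiowps_spread_the_word_widget">
+ <div class="postbox">
  <h3><label for="title">Spread the Word</label></h3>
  <div class="inside">
 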
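Review bot: In the multisite branch `count($logged_in_users)` runs on the raw result of `get_site_transient('users_online')`, which is `false` when the transient is missing or expired; the single-site branch just below guards that case and this one does not. On older PHP `count(false)` returns 1 with a warning and on PHP 8 it throws a TypeError, so the widget either breaks or shows a wrong number. Use the same guard in both branches, for example `$num_users = is_array($logged_in_users) ? count($logged_in_users) : 0;`. The box is a security signal for the admin, so it is also worth a comment that the count is of user-and-IP rows held in the transient, not of distinct accounts.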
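--- a/admin/wp-security-list-logged-in-users.php
+++ b/admin/wp-security-list-logged-in-users.php
@@ -0,0 +1,85 @@
+ <?php
+
+ class AIOWPSecurity_List_Logged_In_Users extends AIOWPSecurity_List_Table {
+
+ function __construct(){
+ global $status, $page;
+
+ //Set parent defaults
+ parent::__construct( array(
+ 'singular' => 'item', //singular name of the listed records
+ 'plural' => 'items', //plural name of the listed records
+ 'ajax' => false //does this table support ajax?
+ ) );
+
+ }
+
+ function column_default($item, $column_name){
+ return $item[$column_name];
+ }
+
+
+ function get_columns(){
+ $columns = array(
+ 'user_id' => 'User ID',
+ 'username' => 'Login Name',
+ 'ip_address' => 'IP Address',
+ );
+ return $columns;
+ }
+
+ function get_sortable_columns() {
+ $sortable_columns = array(
+ 'user_id' => array('user_id',false),
+ 'username' => array('username',false),
+ 'ip_address' => array('ip_address',false),
+ );
+ return $sortable_columns;
+ }
+
+ function get_bulk_actions() {
+ return array();
+ }
+
+ function process_bulk_action() {
+ }
+
+ function prepare_items() {
+ //First, lets decide how many records per page to show
+ $per_page = 20;
+ $columns = $this->get_columns();
+ $hidden = array();
+ $sortable = $this->get_sortable_columns();
+
+ $this->_column_headers = array($columns, $hidden, $sortable);
+
+ //$this->process_bulk_action();
+
+ global $wpdb;
+ global $aio_wp_security;
+ /* -- Ordering parameters -- */
+ //Parameters that are going to be used to order the result
+ $orderby = !empty($_GET["orderby"]) ? mysql_real_escape_string($_GET["orderby"]) : 'user_id';
+ $order = !empty($_GET["order"]) ? mysql_real_escape_string($_GET["order"]) : 'DESC';
+
+ $logged_in_users = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('users_online') : get_transient('users_online'));
+
+ foreach ($logged_in_users as $key=>$val)
+ {
+ $userdata = get_userdata($val['user_id']);
+ $username = $userdata->user_login;
+ $val['username'] = $username;
+ $logged_in_users[$key] = $val;
+ }
+ $data = $logged_in_users;
+ $current_page = $this->get_pagenum();
+ $total_items = count($data);
+ $data = array_slice($data,(($current_page-1)*$per_page),$per_page);
+ $this->items = $data;
+ $this->set_pagination_args( array(
+ 'total_items' => $total_items, //WE have to calculate the total number of items
+ 'per_page' => $per_page, //WE have to determine how many items to show on a page
+ 'total_pages' => ceil($total_items/$per_page) //WE have to calculate the total number of pages
+ ));
+ }
+ }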
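Review bot: `prepare_items()` passes `$_GET["orderby"]` and `$_GET["order"]` through `mysql_real_escape_string()`, which belongs to the old ext/mysql, depends on an open mysql_* connection, and is an escaping helper rather than validation; the two results are then never used, so the sortable headers declared in `get_sortable_columns()` have no effect. Validate both values against the known column names and directions instead, and either wire them into a sort of `$data` or remove them. The `foreach` also runs on the transient without checking for `false`, and `get_userdata()` returns `false` for a user that no longer exists, so `$userdata->user_login` can fail on a stale row. `column_default()` returns cell values unescaped; `return esc_html($item[$column_name]);` is the safer default for an admin table that shows stored IP strings.

```php
// … unchanged: column header setup …
$allowed_orderby = array('user_id', 'username', 'ip_address');
$orderby = (isset($_GET['orderby']) && in_array($_GET['orderby'], $allowed_orderby, true)) ? $_GET['orderby'] : 'user_id';
$order = (isset($_GET['order']) && strtolower($_GET['order']) === 'asc') ? 'ASC' : 'DESC';

$logged_in_users = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('users_online') : get_transient('users_online'));
if (!is_array($logged_in_users))
{
    $logged_in_users = array(); //Transient missing or expired
}

foreach ($logged_in_users as $key=>$val)
{
    $userdata = get_userdata($val['user_id']);
    $val['username'] = $userdata ? $userdata->user_login : ''; //User may have been deleted since the row was stored
    $logged_in_users[$key] = $val;
}
// … unchanged: pagination …
```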
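--- a/admin/wp-security-settings-menu.php
+++ b/admin/wp-security-settings-menu.php
@@ -98,6 +98,28 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
  $this->show_msg_error(__('Could not write to the wp-config.php. Please restore your wp-config.php file manually using the restore functionality in the "wp-config.php File".', 'aiowpsecurity'));
  }
  }
+
+ if(isset($_POST['aiowpsec_disable_all_firewall_rules']))//Do form submission tasks
+ {
+ $nonce=$_REQUEST['_wpnonce'];
+ if (!wp_verify_nonce($nonce, 'aiowpsec-disable-all-firewall-rules'))
+ {
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed on disable all firewall rules!",4);
+ die("Nonce check failed on disable all firewall rules!");
+ }
+ AIOWPSecurity_Configure_Settings::turn_off_all_firewall_rules();
+ //Now let's clear the applicable rules from the .htaccess file
+ $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
+
+ if ($res)
+ {
+ $this->show_msg_updated(__('All firewall rules have been disabled successfully!', 'aiowpsecurity'));
+ }
+ else if($res == -1)
+ {
+ $this->show_msg_error(__('Could not write to the .htaccess file. Please restore your .htaccess file manually using the restore functionality in the ".htaccess File".', 'aiowpsecurity'));
+ }
+ }
  ?>
  <div class="aio_grey_box">
  <p>For information, updates and documentation, please visit the <a href="http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin" target="_blank">AIO WP Security & Firewall Plugin</a> Page.</p>
@@ -130,7 +152,23 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
  ?>
  </div>
  <div class="submit">
- <input type="submit" name="aiowpsec_disable_all_features" value="<?php _e('Disable All Security Features'); ?>" />
+ <input type="submit" class="button" name="aiowpsec_disable_all_features" value="<?php _e('Disable All Security Features'); ?>" />
+ </div>
+ </form>
+ </div></div>
+
+ <div class="postbox">
+ <h3><label for="title"><?php _e('Disable All Firewall Rules', 'aiowpsecurity'); ?></label></h3>
+ <div class="inside">
+ <form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
+ <?php wp_nonce_field('aiowpsec-disable-all-firewall-rules'); ?>
+ <div class="aio_blue_box">
+ <?php
+ echo '<p>'.__('This feature will disable all firewall rules which are currently active in this plugin and it will also delete these rules from your .htacess file. Use it if you think one of the firewall rules is causing an issue on your site.', 'aiowpsecurity').'</p>';
+ ?>
+ </div>
+ <div class="submit">
+ <input type="submit" class="button" name="aiowpsec_disable_all_firewall_rules" value="<?php _e('Disable All Firewall Rules'); ?>" />
  </div>
  </form>
  </div></div>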
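Review bot: The new form prints `$_SERVER["REQUEST_URI"]` into its `action` attribute without escaping, so request data is reflected into the settings page markup; write `action="<?php echo esc_url($_SERVER['REQUEST_URI']); ?>"` or leave the action empty. In the handler, `if ($res) … else if($res == -1)` can never reach the error branch because -1 is truthy, so a failed .htaccess write would be reported as success after the firewall options have already been switched off in the config; test the failure first, `if ($res == -1) { /* show_msg_error */ } else { /* show_msg_updated */ }`. `$_REQUEST['_wpnonce']` is read without an `isset()` check. The enclosing method starts outside the hunk, so confirm that a capability check such as `current_user_can('manage_options')` runs before this branch, since the nonce alone does not establish that the caller may disable the firewall.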
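--- a/admin/wp-security-user-login-menu.php
+++ b/admin/wp-security-user-login-menu.php
@@ -9,13 +9,16 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
  'tab1' => 'Login Lockdown',
  'tab2' => 'Failed Login Records',
  'tab3' => 'Force Logout',
- 'tab4' => 'Account Activity',
+ 'tab4' => 'Account Activity Logs',
+ 'tab5' => 'Logged In Users',
+
  );
  var $menu_tabs_handler = array(
  'tab1' => 'render_tab1',
  'tab2' => 'render_tab2',
  'tab3' => 'render_tab3',
  'tab4' => 'render_tab4',
+ 'tab5' => 'render_tab5',
  );
 
  function __construct()
@@ -393,7 +396,6 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
 
  function render_tab4()
  {
- //TODO - needs completing...
  include_once 'wp-security-list-acct-activity.php'; //For rendering the AIOWPSecurity_List_Table in tab4
  $acct_activity_list = new AIOWPSecurity_List_Account_Activity(); //For rendering the AIOWPSecurity_List_Table in tab2
  if(isset($_REQUEST['action'])) //Do row action tasks for list table form for login activity display
@@ -429,6 +431,67 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
  <?php
  }
 
+ function render_tab5()
+ {
+ $logged_in_users = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('users_online') : get_transient('users_online'));
+
+ global $aio_wp_security;
+ include_once 'wp-security-list-logged-in-users.php'; //For rendering the AIOWPSecurity_List_Table
+ $user_list = new AIOWPSecurity_List_Logged_In_Users();
+
+ if (isset($_POST['aiowps_refresh_logged_in_user_list']))
+ {
+ $nonce=$_REQUEST['_wpnonce'];
+ if (!wp_verify_nonce($nonce, 'aiowpsec-logged-in-users-nonce'))
+ {
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed for users logged in list!",4);
+ die(__('Nonce check failed for users logged in list!','aiowpsecurity'));
+ }
+
+ $user_list->prepare_items();
+
+ // if(isset($_REQUEST['action'])) //Do list table form row action tasks
+ // {
+ //no actions for now
+ // }
+ }
+
+ ?>
+ <div class="postbox">
+ <h3><label for="title"><?php _e('Refresh Logged In User Data', 'aiowpsecurity'); ?></label></h3>
+ <div class="inside">
+ <form action="" method="POST">
+ <?php wp_nonce_field('aiowpsec-logged-in-users-nonce'); ?>
+ <input type="submit" name="aiowps_refresh_logged_in_user_list" value="<?php _e('Refresh Data', 'aiowpsecurity')?>" class="button-primary" />
+ </form>
+ </div></div>
+
+ <div class="aio_blue_box">
+ <?php
+ echo '<p>'.__('This tab displays all users who are currently logged into your site.', 'aiowpsecurity').'
+ <br />'.__('If you suspect there is a user or users who are logged in which should not be, you can block them by inspecting the IP addresses from the data below and adding them to your blacklist.', 'aiowpsecurity').'
+ </p>';
+ ?>
+ </div>
+ <div class="postbox">
+ <h3><label for="title"><?php _e('Currently Logged In Users', 'aiowpsecurity'); ?></label></h3>
+ <div class="inside">
+ <?php
+ //Fetch, prepare, sort, and filter our data...
+ $user_list->prepare_items();
+ //echo "put table of locked entries here";
+ ?>
+ <form id="tables-filter" method="get" onSubmit="return confirm('Are you sure you want to perform this bulk operation on the selected entries?');">
+ <!-- For plugins, we also need to ensure that the form posts back to our current page -->
+ <input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
+ <input type="hidden" name="tab" value="<?php echo $_REQUEST['tab']; ?>" />
+ <!-- Now we can render the completed list table -->
+ <?php $user_list->display(); ?>
+ </form>
+ </div></div>
+ <?php
+
+ }
 
  /*
  * This function will unlock an IP range by modifying the "release_date" column of a record in the "login_lockdown" table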
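Review bot: `render_tab5()` echoes `$_REQUEST['page']` and `$_REQUEST['tab']` directly into the `value` attributes of the two hidden inputs, which reflects request data into an admin page unescaped; use `value="<?php echo esc_attr($_REQUEST['page']); ?>"` and the same for `tab`. `prepare_items()` is called twice when the refresh button is posted (once inside the nonce branch and again before `display()`), and the `$logged_in_users` lookup on the first line of the method is never used, so both can be dropped. The list form also keeps an `onSubmit` bulk-operation confirm although the table class returns no bulk actions.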
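--- a/classes/wp-security-configure-settings.php
+++ b/classes/wp-security-configure-settings.php
@@ -60,7 +60,6 @@ class AIOWPSecurity_Configure_Settings
  $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_brute_force_secret_word','');
  $aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1');
- $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_ajax_exception','');//Checkbox
 
@@ -176,6 +175,28 @@ class AIOWPSecurity_Configure_Settings
  AIOWPSecurity_Configure_Settings::set_default_settings();
  }
 
+ static function turn_off_all_firewall_rules()
+ {
+ global $aio_wp_security;
+ $aio_wp_security->configs->set_value('aiowps_enable_blacklisting','');//Checkbox
+
+ $aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_enable_pingback_firewall','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_disable_index_views','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_disable_trace_and_track','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_forbid_proxy_comments','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_deny_bad_query_strings','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_advanced_char_string_filter','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_enable_5g_firewall','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
+
+ $aio_wp_security->configs->set_value('aiowps_prevent_default_wp_file_access','');//Checkbox
+
+ $aio_wp_security->configs->set_value('aiowps_enable_spambot_blocking','');//Checkbox
+
+ $aio_wp_security->configs->save_config();
+ }
+
  static function restore_to_factory_default()
  {
  //TOOD - complete the implementation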
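Review bot: `turn_off_all_firewall_rules()` is added without any comment, and it only clears the stored option values and saves the config; the .htaccess directives stay in place until a caller runs `AIOWPSecurity_Utility_Htaccess::write_to_htaccess()`, as the settings-menu handler in this release does. A short docblock would make that contract explicit, for example `/** Clears every firewall-related checkbox option and saves the config. Does not modify .htaccess; the caller must rewrite it afterwards. */`. The option list is hard-coded, so a firewall option introduced later has to be added here too, otherwise the "disable all" button would leave that rule active.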
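--- a/classes/wp-security-deactivation-tasks.php
+++ b/classes/wp-security-deactivation-tasks.php
@@ -0,0 +1,71 @@
+ <?php
+
+ class AIOWPSecurity_Deactivation
+ {
+ static function run_deactivation_tasks()
+ {
+ global $wpdb;
+ if (function_exists('is_multisite') && is_multisite())
+ {
+ // check if it is a network activation - if so, run the activation function for each blog id
+ if (isset($_GET['networkwide']) && ($_GET['networkwide'] == 1))
+ {
+ $old_blog = $wpdb->blogid;
+ // Get all blog ids
+ $blogids = $wpdb->get_col("SELECT blog_id FROM $wpdb->blogs");
+ foreach ($blogids as $blog_id) {
+ switch_to_blog($blog_id);
+ }
+ switch_to_blog($old_blog);
+ return;
+ }
+ }
+
+ //Let's backup .htaccess contents when AIOWPS was active
+ $ht_file = ABSPATH . '.htaccess';
+ $key_desc_ht_backup = 'aiowps_htaccess_backup'; //This will be the key to decribe the entry we are inserting into the global_meta table
+ AIOWPSecurity_Utility_File::backup_file_contents_to_db($ht_file, $key_desc_ht_backup); //Store the original htaccess contents in our global_meta table (ie, before AIOWPS was active)
+
+ //Let's backup wp_config.php contents
+ $wp_config_file = ABSPATH . 'wp-config.php';
+ $key_desc_wp_config_backup = 'aiowps_wp_config_php_backup'; //This will be the key to decribe the entry we are inserting into the global_meta table
+ AIOWPSecurity_Utility_File::backup_file_contents_to_db($wp_config_file, $key_desc_wp_config_backup); //Store the original htaccess contents in our global_meta table (ie, before AIOWPS was active)
+
+ //Restore original contents of .htaccess file upon deactivation
+ $htaccess_file_contents = AIOWPSecurity_Deactivation::get_original_file_contents('original_htaccess_backup');
+ if ($htaccess_file_contents)
+ {
+ if (file_put_contents($ht_file, $htaccess_file_contents) === false)
+ {
+ //File write failed
+ $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Deactivation::run_deactivation_tasks() - Failed to write to .htaccess file",4);
+ }
+ }
+
+ //Restore original contents of wp-config.php file upon deactivation
+ $wp_config_file_contents = AIOWPSecurity_Deactivation::get_original_file_contents('original_wp_config_php_backup');
+ if ($wp_config_file_contents)
+ {
+ if (file_put_contents($wp_config_file, $wp_config_file_contents) === false)
+ {
+ //File write failed
+ $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Deactivation::run_deactivation_tasks() - Failed to write to wp-config.php file",4);
+ }
+ }
+ }
+
+ static function get_original_file_contents($key_description)
+ {
+ global $wpdb;
+ $aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
+ $resultset = $wpdb->get_row("SELECT * FROM $aiowps_global_meta_tbl_name WHERE meta_key1 = '$key_description'", OBJECT);
+ if($resultset){
+ $file_contents = maybe_unserialize($resultset->meta_value2);
+ return $file_contents;
+ }
+ else
+ {
+ return false;
+ }
+ }
+ }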
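Review bot: `run_deactivation_tasks()` declares only `global $wpdb;` yet both write-failure branches call `$aio_wp_security->debug_logger->log_debug(...)`, so a failed write to .htaccess or wp-config.php ends in a fatal error on an undefined variable instead of a log entry; the declaration should be `global $wpdb, $aio_wp_security;`. The function also copies the whole wp-config.php (database credentials and salts) into the plugin's global_meta table and then overwrites the live file with whatever is stored under `original_wp_config_php_backup`, so the integrity of executed PHP now depends on the integrity of a database row; the restored content should at least be validated before it is written, and a comment should record that the table holds secrets. `get_original_file_contents()` interpolates `$key_description` into the query and passes the stored value through `maybe_unserialize()`; the callers visible here pass constants, but `$wpdb->prepare("SELECT * FROM $aiowps_global_meta_tbl_name WHERE meta_key1 = %s", $key_description)` keeps the query safe if that changes. The network-wide loop only calls `switch_to_blog()` for each site and returns, so no backup or restore happens on that path.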
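--- a/classes/wp-security-general-init-tasks.php
+++ b/classes/wp-security-general-init-tasks.php
@@ -24,6 +24,9 @@ class AIOWPSecurity_General_Init_Tasks
  }
  }
 
+ //For feature which displays logged in users
+ $this->update_logged_in_user_transient();
+
  //Add more tasks that need to be executed at init time
  }
 
@@ -39,4 +42,62 @@ class AIOWPSecurity_General_Init_Tasks
  include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-visitor-lockout-page.php');
  exit();
  }
+
+ function update_logged_in_user_transient(){
+ if(is_user_logged_in()){
+ $current_user_ip = AIOWPSecurity_Utility_IP::get_user_ip_address();
+ // get the logged in users list from transients entry
+ $logged_in_users = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('users_online') : get_transient('users_online'));
+ // $logged_in_users = get_transient('users_online');
+ $current_user = wp_get_current_user();
+ $current_user = $current_user->ID;
+ $current_time = current_time('timestamp');
+
+ $current_user_info = array("user_id" => $current_user, "last_activity" => $current_time, "ip_address" => $current_user_ip); //We will store last activity time and ip address in transient entry
+
+ if($logged_in_users === false || $logged_in_users == NULL){
+ $logged_in_users = array();
+ $logged_in_users[] = $current_user_info;
+ AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
+ // set_transient('users_online', $logged_in_users, 30 * 60); //Set transient with the data obtained above and also set the expire to 30min
+ }
+ else
+ {
+ $key = 0;
+ $do_nothing = false;
+ $update_existing = false;
+ $item_index = 0;
+ foreach ($logged_in_users as $value)
+ {
+ if($value['user_id'] == $current_user && strcmp($value['ip_address'], $current_user_ip) == 0)
+ {
+ if ($value['last_activity'] < ($current_time - (15 * 60)))
+ {
+ $update_existing = true;
+ $item_index = $key;
+ break;
+ }else{
+ $do_nothing = true;
+ break;
+ }
+ }
+ $key++;
+ }
+
+ if($update_existing)
+ {
+ //Update transient if the last activity was less than 15 min ago for this user
+ $logged_in_users[$item_index] = $current_user_info;
+ AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
+ //set_transient('users_online', $logged_in_users, 30 * 60); //Set transient with the data obtained above and also set the expire to 30min
+ }else if($do_nothing){
+ //Do nothing
+ }else{
+ $logged_in_users[] = $current_user_info;
+ AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
+ //set_transient('users_online', $logged_in_users, 30 * 60); //Set transient with the data obtained above and also set the expire to 30min
+ }
+ }
+ }
+ }
  }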
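Review bot: The loop in `update_logged_in_user_transient()` tracks position with a hand-incremented `$key` while iterating by value, but the logout handler added in classes/wp-security-user-login.php removes rows with `unset()`, which leaves gaps in the stored array's keys; once that has happened `$item_index` no longer matches the real key and `$logged_in_users[$item_index] = $current_user_info` can overwrite another user's row. Iterate with `foreach ($logged_in_users as $key => $value)` and drop the `$key = 0;` / `$key++;` counter. The comment above that assignment says the entry is updated when the last activity was less than 15 minutes ago, while the condition `$value['last_activity'] < ($current_time - (15 * 60))` fires when it is older; it should read `//Refresh this user's entry once its last activity is more than 15 minutes old`. Rows for sessions that end without an explicit logout are never pruned here and every write renews the 30 minute expiry, so the list an admin reviews can contain stale entries unless readers filter on `last_activity`.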
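--- a/classes/wp-security-installer.php
+++ b/classes/wp-security-installer.php
@@ -26,6 +26,7 @@ class AIOWPSecurity_Installer
  AIOWPSecurity_Installer::create_db_tables();
  AIOWPSecurity_Configure_Settings::add_option_values();
  AIOWPSecurity_Installer::create_db_backup_dir(); //Create a backup dir in the WP uploads directory
+
  }
 
  static function create_db_tables()
@@ -118,4 +119,19 @@ RewriteRule .* http://127.0.0.1 [L]
  }
  }
 
+ // //Read entire contents of file at activation time and store serialized contents in our global_meta table
+ // static function backup_file_contents_to_db_at_activation($src_file, $key_description)
+ // {
+ // //First check if a backup entry already exists in the global_meta table
+ // global $wpdb;
+ // $aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
+ // $resultset = $wpdb->get_row("SELECT * FROM $aiowps_global_meta_tbl_name WHERE meta_key1 = '$key_description'", OBJECT);
+ // if($resultset){
+ // return; //Don't override original backup if one exists - so just return
+ // }
+ //
+ // //Otherwise read the contents of the file and store in global_meta table
+ // AIOWPSecurity_Utility_File::backup_file_contents_to_db($src_file, $key_description);
+ // return;
+ // }
  }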
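--- a/classes/wp-security-user-login.php
+++ b/classes/wp-security-user-login.php
@@ -289,6 +289,16 @@ class AIOWPSecurity_User_Login
 
  }
 
+ function check_user_logged_in($user_login)
+ {
+ // get the online users list
+ $logged_in_users = get_transient('users_online');
+
+ //If user is in the transient list and last activity was less than 15 minutes ago they are classed as being online
+ return isset($logged_in_users[$user_id]) && ($logged_in_users[$user_id]['last_activity'] > (current_time('timestamp') - (15 * 60)));
+
+ }
+
  /**
  * The handler for logout events, ie, uses the WP "clear_auth_cookies" action.
 
@@ -304,6 +314,9 @@ class AIOWPSecurity_User_Login
  $current_user = wp_get_current_user();
  $ip_addr = AIOWPSecurity_Utility_IP::get_user_ip_address();
  $user_id = $current_user->ID;
+ //Clean up transients table
+ $this->update_user_online_transient($user_id, $ip_addr);
+
  $login_activity_table = AIOWPSEC_TBL_USER_LOGIN_ACTIVITY;
  $logout_date_time = current_time('mysql');
  $data = array('logout_date' => $logout_date_time);
@@ -316,6 +329,35 @@ class AIOWPSecurity_User_Login
  $aio_wp_security->debug_logger->log_debug("Error inserting record into ".$login_activity_table,4);//Log the highly unlikely event of DB error
  }
  }
+
+ /**
+ * This will clean up the "users_online" transient entry for the current user.
+ *
+ */
+ function update_user_online_transient($user_id, $ip_addr)
+ {
+ global $aio_wp_security;
+ $logged_in_users = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('users_online') : get_transient('users_online'));
+ //$logged_in_users = get_transient('users_online');
+ if ($logged_in_users === false || $logged_in_users == NULL)
+ {
+ return;
+ }
+ $j = 0;
+ foreach ($logged_in_users as $value)
+ {
+ if ($value['user_id'] == $user_id && strcmp($value['ip_address'], $ip_addr) == 0)
+ {
+ unset($logged_in_users[$j]);
+ break;
+ }
+ $j++;
+ }
+ //Save the transient
+ AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('users_online', $logged_in_users, 30 * 60) : set_transient('users_online', $logged_in_users, 30 * 60);
+ //set_transient('users_online', $logged_in_users, 30 * 60); //Set transient with the data obtained above and also set the expiry to 30min
+ return;
+ }
 
  /**
  * The handler for the WP "login_message" filter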
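Review bot: `check_user_logged_in($user_login)` never defines `$user_id`, so `isset($logged_in_users[$user_id])` is evaluated against an undefined variable and the function reports every user as offline. The transient is also a plain list of `user_id` / `ip_address` / `last_activity` rows rather than a map keyed by user ID, and it is read with `get_transient()` even on multisite, where the rest of this release uses `get_site_transient()`. The function has to resolve the login name to a user and scan the rows, as sketched below. In `update_user_online_transient()` the counter `$j` is used as the array key in `unset($logged_in_users[$j])`, which is only right while keys are contiguous; `foreach ($logged_in_users as $j => $value)` removes the correct row after earlier removals have left gaps.

```php
function check_user_logged_in($user_login)
{
    $user = get_user_by('login', $user_login);
    if (!$user)
    {
        return false;
    }
    // get the online users list (site-wide transient on multisite, like the writers do)
    $logged_in_users = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('users_online') : get_transient('users_online'));
    if (!is_array($logged_in_users))
    {
        return false;
    }
    $cutoff = current_time('timestamp') - (15 * 60);
    foreach ($logged_in_users as $entry)
    {
        //A row counts as online when it belongs to this user and was active within the last 15 minutes
        if ($entry['user_id'] == $user->ID && $entry['last_activity'] > $cutoff)
        {
            return true;
        }
    }
    return false;
}
```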
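--- a/classes/wp-security-utility-file.php
+++ b/classes/wp-security-utility-file.php
@@ -51,7 +51,35 @@ class AIOWPSecurity_Utility_File
  return false;
  }
  return true;
- }
+ }
+
+ //Function which reads entire contents of a file and stores serialized contents into our global_meta table
+ static function backup_file_contents_to_db($src_file_path, $key_description)
+ {
+ global $wpdb, $aio_wp_security;
+ $file_contents = AIOWPSecurity_Utility_File::get_file_contents($src_file_path);
+
+ $payload = serialize($file_contents);
+ $date_time = current_time('mysql');
+ $data = array('date_time' => $date_time, 'meta_key1' => $key_description, 'meta_value2' => $payload);
+
+ //First check if a backup entry already exists in the global_meta table
+ $aiowps_global_meta_tbl_name = AIOWPSEC_TBL_GLOBAL_META_DATA;
+ $resultset = $wpdb->get_row("SELECT * FROM $aiowps_global_meta_tbl_name WHERE meta_key1 = '$key_description'", OBJECT);
+ if($resultset){
+ $where = array('meta_key1' => $key_description);
+ $res = $wpdb->update($aiowps_global_meta_tbl_name, $data, $where);
+ }else{
+ $res = $wpdb->insert($aiowps_global_meta_tbl_name, $data);
+ }
+
+ if($res === false)
+ {
+ $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Utility_File::backup_file_contents_to_db() - Unable to write entry to DB",4);
+ }
+ return;
+ }
+
 
  static function recursive_file_search($pattern='*', $flags = 0, $path='')
  {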
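Review bot: `backup_file_contents_to_db()` interpolates `$key_description` into the SELECT, unlike the `$wpdb->update()` and `$wpdb->insert()` calls right below it, which are parameterised; use `$wpdb->get_row($wpdb->prepare("SELECT * FROM $aiowps_global_meta_tbl_name WHERE meta_key1 = %s", $key_description), OBJECT);`. The result of `get_file_contents()` is serialized without being checked, so if the read fails the function would store whatever failure value that helper returns and overwrite the previous good backup; return early and log in that case. Callers in this release use it for wp-config.php, so the stored payload includes database credentials and keys, which deserves a comment on the function because database dumps and exports then carry those secrets.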
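--- a/classes/wp-security-utility.php
+++ b/classes/wp-security-utility.php
@@ -184,59 +184,43 @@ class AIOWPSecurity_Utility
  return true;
 
  }
- }
-
- if ($edit_file_config_entry_exists)
- {
- //Now let's modify the wp-config.php file
- if (AIOWPSecurity_Utility_File::write_content_to_file($config_file, $config_contents))
- {
- //$this->show_msg_updated(__('Settings Saved - Your system is now configured to not allow PHP file editing.', 'aiowpsecurity'));
- return true;
- }else
+
+ //For wp-config.php files originating from early WP versions we will remove the closing php tag
+ if (strpos($line, "?>") !== false)
  {
- //$this->show_msg_error(__('Operation failed! Unable to modify wp-config.php file!', 'aiowpsecurity'));
- $aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Unable to modify wp-config.php",4);
- return false;
+ $config_contents[$line_num] = str_replace("?>", "", $line);
  }
- }else
+ }
+
+ if (!$edit_file_config_entry_exists)
  {
- //Make a backup of the config file
- if(!AIOWPSecurity_Utility_File::backup_a_file($config_file))
- {
- $this->show_msg_error(__('Failed to make a backup of the wp-config.php file. This operation will not go ahead.', 'aiowpsecurity'));
- //$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Failed to make a backup of the wp-config.php file.",4);
- return false;
- }
- else{
- //$this->show_msg_updated(__('A backup copy of your wp-config.php file was created successfully....', 'aiowpsecurity'));
- }
-
  //Construct the config code which we will insert into wp-config.php
- $new_snippet = "//Disable File Edits\n";
+ $new_snippet = '//Disable File Edits' . PHP_EOL;
  $new_snippet .= 'define(\'DISALLOW_FILE_EDIT\', true);';
-
- //Check for php ending tags for cases of wp-config file inherited from older WP systems.
- $last_line = end($config_contents);
- if (strrpos($last_line, "?>") !== false)
- {
- $fh = fopen($config_file, 'r+');
- $new_snippet .= '?>';
- fseek($fh, -2, SEEK_END);
- $write_result = fwrite($fh, $new_snippet);
- fclose($fh);
- }
- else
- {
- $write_result = file_put_contents($config_file, $new_snippet, FILE_APPEND | LOCK_EX);
- }
- if ($write_result === false)
- {
- return false;
- }else
- {
- return true;
- }
+ $config_contents[] = $new_snippet; //Append the new snippet to the end of the array
+ }
+
+ //Make a backup of the config file
+ if(!AIOWPSecurity_Utility_File::backup_a_file($config_file))
+ {
+ $this->show_msg_error(__('Failed to make a backup of the wp-config.php file. This operation will not go ahead.', 'aiowpsecurity'));
+ //$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Failed to make a backup of the wp-config.php file.",4);
+ return false;
+ }
+ else{
+ //$this->show_msg_updated(__('A backup copy of your wp-config.php file was created successfully....', 'aiowpsecurity'));
+ }
+
+ //Now let's modify the wp-config.php file
+ if (AIOWPSecurity_Utility_File::write_content_to_file($config_file, $config_contents))
+ {
+ //$this->show_msg_updated(__('Settings Saved - Your system is now configured to not allow PHP file editing.', 'aiowpsecurity'));
+ return true;
+ }else
+ {
+ //$this->show_msg_error(__('Operation failed! Unable to modify wp-config.php file!', 'aiowpsecurity'));
+ $aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Unable to modify wp-config.php",4);
+ return false;
  }
  }
 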
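Review bot: The new `strpos($line, "?>")` check appears to run for every line of wp-config.php (the loop header is above this hunk), and `str_replace("?>", "", $line)` removes every occurrence, so a `?>` inside a string literal or comment, or a mid-file `?>` … `<?php` pair, is stripped too and the rewritten config may no longer parse. Limit the match to a closing tag at the end of a line, `if (preg_match('/\?>\s*$/', $line))` with `$config_contents[$line_num] = preg_replace('/\?>\s*$/', '', $line);`, and preferably apply it only to the last non-empty line. The backup now runs on every call, which fits the fact that the file is always rewritten; a short comment above `backup_a_file()` saying that the write must never happen without it would keep the ordering from being changed later. The function starts outside this hunk.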
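--- a/css/wp-security-admin-styles.css
+++ b/css/wp-security-admin-styles.css
@@ -51,7 +51,7 @@
  border-radius: 3px 3px 3px 3px;
  border-style: solid;
  border-width: 1px;
- padding: 0 0 0 1em;
+ padding: 0 1em 0 1em;
  }
 
  .aio_red_box {
@@ -62,7 +62,7 @@
  border-radius: 3px 3px 3px 3px;
  border-style: solid;
  border-width: 1px;
- padding: 0 0 0 1em;
+ padding: 0 1em 0 1em;
  }
 
  .aio_success_with_icon {
@@ -150,6 +150,9 @@
  padding: 0 0 0 1em;
  }
 
+ .aiowps_spread_the_word_widget{
+ }
+
  .aiowps_dashboard_box_small{
  float:left;
  max-width:350px;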
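--- a/readme.txt
+++ b/readme.txt
@@ -3,8 +3,8 @@ Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin
  Donate link: http://www.tipsandtricks-hq.com
  Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict
  Requires at least: 3.5
- Tested up to: 3.6
- Stable tag: 2.4
+ Tested up to: 3.6.1
+ Stable tag: 2.5
  License: GPLv3
 
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
@@ -46,6 +46,7 @@ via email whenever somebody gets locked out due to too many login attempts.
 
  * Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
  * Ability to automatically lockout IP address ranges which attempt to login with an invalid username.
+ * Ability to see a list of all the users who are currently logged into your site.
 
  = Database Security =
  * Easily the default WP prefix to a value of your choice with the click of a button.
@@ -136,6 +137,12 @@ http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
  None
 
  == Changelog ==
+
+ = 2.5 =
+ - Added a new feature which will list the currently logged in users who have been active within the last 15 minutes.
+ - Added a new feature in settings menu which will disable all firewall rules and clear all applicable directives in the .htaccess file.
+ - Improved the way the wp-config.php file is handled when it contains an ending PHP tag "?>" (older sites that were using PHP4 earlier).
+
  = 2.4 =
  - Added new feature/checkbox which will instantly lockout IP address ranges which attempt to login with an invalid username.
  - Fixed a bug in the Comment SPAM IP Monitoring page where trying to block one or more IPs was failing.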
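--- a/wp-security-core.php
+++ b/wp-security-core.php
@@ -3,7 +3,7 @@
  if (!class_exists('AIO_WP_Security')){
 
  class AIO_WP_Security{
- var $version = '2.4';
+ var $version = '2.5';
  var $db_version = '1.3';
  var $plugin_url;
  var $plugin_path;
@@ -125,8 +125,18 @@ class AIO_WP_Security{
  static function deactivate_handler()
  {
  //Only runs with the pluign is deactivated
+ include_once ('classes/wp-security-deactivation-tasks.php');
+ //AIOWPSecurity_Deactivation::run_deactivation_tasks();
  wp_clear_scheduled_hook('aiowps_hourly_cron_event');
  //wp_clear_scheduled_hook('aiowps_daily_cron_event');
+ if (AIOWPSecurity_Utility::is_multisite_install())
+ {
+ delete_site_transient('users_online');
+ }
+ else
+ {
+ delete_transient('users_online');
+ }
  }
 
  function db_upgrade_handler()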
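Review bot: `include_once ('classes/wp-security-deactivation-tasks.php')` in `deactivate_handler()` uses a bare relative path, which PHP resolves through `include_path` before it tries the including file's own directory, so a same-named file elsewhere on that path would be loaded instead of the plugin's. Anchor it to this file: `include_once(dirname(__FILE__) . '/classes/wp-security-deactivation-tasks.php');`. The call the include exists for, `AIOWPSecurity_Deactivation::run_deactivation_tasks()`, is commented out, so the file is currently loaded for nothing; either enable the call or add a comment explaining why it is held back.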
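--- a/wp-security.php
+++ b/wp-security.php
@@ -1,12 +1,12 @@
  <?php
  /*
  Plugin Name: All In One WP Security
- Version: v2.4
+ Version: v2.5
  Plugin URI: http://www.tipsandtricks-hq.com/
  Author: Tips and Tricks HQ, Peter, Ruhul Amin
  Author URI: http://www.tipsandtricks-hq.com/
  Description: All round best WordPress security plugin!
- License: GPL2
+ License: GPL3
  */
 
  if(!defined('ABSPATH'))exit; //Exit if accessed directly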