All In One WP Security & Firewall - Version 3.4

Version Description

  • Consolidated "Brute Force" features by moving all such features to the "Brute Force" menu.
  • Improved the file change detection scan feature: Introduced a button allowing the admin to view the file change results from the last scan, and fixed a small bug whereby the change-detected flag was not being cleared in applicable cases.
  • Fixed a small bug with "rename login page" feature.
  • Made wp-config.php and .htaccess file backups more secure. Thanks to @wzp for the tip.
  • Made the login code more robust by catering for cases where the "wp_login" action was not passing 2 parameters.

Release Info

Developer mra13
Version 3.4

Code changes from version 3.3 to 3.4

admin/wp-security-admin-init.php CHANGED
@@ -103,12 +103,12 @@ class AIOWPSecurity_Admin_Init
103
 
104
  function do_other_admin_side_init_tasks()
105
  {
106
- if (isset($_GET['page']) && $_GET['page'] == AIOWPSEC_FIREWALL_MENU_SLUG && isset($_GET['tab']) && $_GET['tab'] == 'tab4')
107
  {
108
  global $aio_wp_security;
109
  if(isset($_POST['aiowps_do_cookie_test_for_bfla'])){
110
  AIOWPSecurity_Utility::set_cookie_value("aiowps_cookie_test", "1");
111
- $cur_url = "admin.php?page=".AIOWPSEC_FIREWALL_MENU_SLUG."&tab=tab4";
112
  $redirect_url = AIOWPSecurity_Utility::add_query_data_to_url($cur_url, "aiowps_cookie_test", "1");
113
  AIOWPSecurity_Utility::redirect_to_url($redirect_url);
114
  }
@@ -146,7 +146,7 @@ class AIOWPSecurity_Admin_Init
146
  die("Nonce check failed on wp_config file save!");
147
  }
148
  $wp_config_path = ABSPATH . 'wp-config.php';
149
- $result = AIOWPSecurity_Utility_File::backup_a_file($wp_config_path); //Backup the wp_config.php file
150
  AIOWPSecurity_Utility_File::download_a_file_option1($wp_config_path, "wp-config-backup.txt");
151
  }
152
  }
103
 
104
  function do_other_admin_side_init_tasks()
105
  {
106
+ if (isset($_GET['page']) && $_GET['page'] == AIOWPSEC_BRUTE_FORCE_MENU_SLUG && isset($_GET['tab']) && $_GET['tab'] == 'tab2')
107
  {
108
  global $aio_wp_security;
109
  if(isset($_POST['aiowps_do_cookie_test_for_bfla'])){
110
  AIOWPSecurity_Utility::set_cookie_value("aiowps_cookie_test", "1");
111
+ $cur_url = "admin.php?page=".AIOWPSEC_BRUTE_FORCE_MENU_SLUG."&tab=tab2";
112
  $redirect_url = AIOWPSecurity_Utility::add_query_data_to_url($cur_url, "aiowps_cookie_test", "1");
113
  AIOWPSecurity_Utility::redirect_to_url($redirect_url);
114
  }
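Review bot: the cookie-test branch (`if(isset($_POST['aiowps_do_cookie_test_for_bfla']))`) sets a cookie and redirects on a POST without verifying a nonce, while the wp-config handler in the next hunk dies on `wp_verify_nonce` failure. The form that submits this button in `render_tab2` already emits `wp_nonce_field('aiowpsec-enable-cookie-based-brute-force-prevention')`, so verify that nonce here before calling `set_cookie_value` and `redirect_to_url`; a forged request only plants a test cookie in the victim's browser, but the inconsistency is cheap to close. Also, the `tab2` slug now appears twice in this hunk (the `$_GET['tab']` comparison and `$cur_url`) and again in the menu links, so a single constant for the tab would stop the next move from leaving one copy stale.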
146
  die("Nonce check failed on wp_config file save!");
147
  }
148
  $wp_config_path = ABSPATH . 'wp-config.php';
149
+ $result = AIOWPSecurity_Utility_File::backup_and_rename_wp_config($wp_config_path); //Backup the wp_config.php file
150
  AIOWPSecurity_Utility_File::download_a_file_option1($wp_config_path, "wp-config-backup.txt");
151
  }
152
  }
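Review bot: `$result` from `backup_and_rename_wp_config($wp_config_path)` is assigned and then ignored, so `download_a_file_option1()` runs even when the backup failed, and the trailing comment still reads as if this were the old `backup_a_file` call. Check the return value and report the failure (at least via `$aio_wp_security->debug_logger`) instead of proceeding, and say in the comment what the rename buys: a copy of wp-config.php carries the database credentials and salts, so it must not sit under the web root under a guessable name where it could be fetched directly.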
admin/wp-security-brute-force-menu.php CHANGED
@@ -10,6 +10,8 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
10
  var $menu_tabs_handler = array(
11
  'tab1' => 'render_tab1',
12
  'tab2' => 'render_tab2',
13
  );
14
 
15
  function __construct()
@@ -21,7 +23,10 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
21
  {
22
  $this->menu_tabs = array(
23
  'tab1' => __('Rename Login Page','aiowpsecurity'),
24
- //'tab2' => __('TODO','aiowpsecurity'),
25
  );
26
  }
27
 
@@ -113,12 +118,12 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
113
  ?>
114
  <div class="aio_blue_box">
115
  <?php
116
- $cookie_based_feature_url = '<a href="admin.php?page='.AIOWPSEC_FIREWALL_MENU_SLUG.'&tab=tab4" target="_blank">Cookie Based Brute Force Prevention</a>';
117
- $white_list_feature_url = '<a href="admin.php?page='.AIOWPSEC_USER_LOGIN_MENU_SLUG.'&tab=tab3" target="_blank">Login Page White List</a>';
118
  echo '<p>'.__('An effective Brute Force prevention technique is to change the default WordPress login page URL.', 'aiowpsecurity').'</p>'.
119
  '<p>'.__('Normally if you wanted to login to WordPress you would type your site\'s home URL followed by wp-login.php.', 'aiowpsecurity').'</p>'.
120
  '<p>'.__('This feature allows you to change the login URL by setting your own slug and renaming the last portion of the login URL which contains the <strong>wp-login.php</strong> to any string that you like.', 'aiowpsecurity').'</p>'.
121
- '<p>'.__('By doing doing this, malicious bots and hackers will not be able to access your login page because they will not know the correct login page URL.', 'aiowpsecurity').'</p>'.
122
  '<div class="aio_section_separator_1"></div>'.
123
  '<p>'.__('You may also be interested in the following alternative brute force prevention features:', 'aiowpsecurity').'</p>'.
124
  '<p>'.$cookie_based_feature_url.'</p>'.
@@ -174,6 +179,478 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
174
 
175
  function render_tab2()
176
  {
177
  }
178
 
179
  } //end class
10
  var $menu_tabs_handler = array(
11
  'tab1' => 'render_tab1',
12
  'tab2' => 'render_tab2',
13
+ 'tab3' => 'render_tab3',
14
+ 'tab4' => 'render_tab4',
15
  );
16
 
17
  function __construct()
23
  {
24
  $this->menu_tabs = array(
25
  'tab1' => __('Rename Login Page','aiowpsecurity'),
26
+ 'tab2' => __('Cookie Based Brute Force Prevention', 'aiowpsecurity'),
27
+ 'tab3' => __('Login Captcha', 'aiowpsecurity'),
28
+ 'tab4' => __('Login Whitelist', 'aiowpsecurity'),
29
+
30
  );
31
  }
32
 
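Review bot: the added `+` line after `'tab4' => __('Login Whitelist', 'aiowpsecurity'),` is an empty line inside the array literal; drop it. The labels here should also agree with the link text used elsewhere on the page: this hunk names the tab 'Login Whitelist' while the rename-login tab links to it as 'Login Page White List'; pick one spelling so admins can find the tab the link refers to.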
118
  ?>
119
  <div class="aio_blue_box">
120
  <?php
121
+ $cookie_based_feature_url = '<a href="admin.php?page='.AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=tab2" target="_blank">Cookie Based Brute Force Prevention</a>';
122
+ $white_list_feature_url = '<a href="admin.php?page='.AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=tab4" target="_blank">Login Page White List</a>';
123
  echo '<p>'.__('An effective Brute Force prevention technique is to change the default WordPress login page URL.', 'aiowpsecurity').'</p>'.
124
  '<p>'.__('Normally if you wanted to login to WordPress you would type your site\'s home URL followed by wp-login.php.', 'aiowpsecurity').'</p>'.
125
  '<p>'.__('This feature allows you to change the login URL by setting your own slug and renaming the last portion of the login URL which contains the <strong>wp-login.php</strong> to any string that you like.', 'aiowpsecurity').'</p>'.
126
+ '<p>'.__('By doing this, malicious bots and hackers will not be able to access your login page because they will not know the correct login page URL.', 'aiowpsecurity').'</p>'.
127
  '<div class="aio_section_separator_1"></div>'.
128
  '<p>'.__('You may also be interested in the following alternative brute force prevention features:', 'aiowpsecurity').'</p>'.
129
  '<p>'.$cookie_based_feature_url.'</p>'.
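Review bot: the link text in `$cookie_based_feature_url` and `$white_list_feature_url` ('Cookie Based Brute Force Prevention', 'Login Page White List') is hard-coded while every surrounding string goes through `__()`, so these two labels stay English on translated installs; wrap them in `__('...', 'aiowpsecurity')` and pass the href through `esc_url()` like the rest of the admin output. The fixed sentence still says bots "will not be able to access your login page"; since the protection rests on the attacker not knowing the new URL (the text says so itself), renaming the slug hides the page from scanners that only try wp-login.php but denies nothing to anyone who learns the slug, so "will not be able to find" is the honest wording.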
179
 
180
  function render_tab2()
181
  {
182
+ global $aio_wp_security;
183
+ global $aiowps_feature_mgr;
184
+ $error = false;
185
+
186
+ //Save settings for brute force cookie method
187
+ if(isset($_POST['aiowps_apply_cookie_based_bruteforce_firewall']))
188
+ {
189
+ $nonce=$_REQUEST['_wpnonce'];
190
+ if (!wp_verify_nonce($nonce, 'aiowpsec-enable-cookie-based-brute-force-prevention'))
191
+ {
192
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed on enable cookie based brute force prevention feature!",4);
193
+ die("Nonce check failed on enable cookie based brute force prevention feature!");
194
+ }
195
+
196
+ if(isset($_POST['aiowps_enable_brute_force_attack_prevention']))
197
+ {
198
+ $brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']);
199
+ if(empty($brute_force_feature_secret_word)){
200
+ $brute_force_feature_secret_word = "aiowps_secret";
201
+ }else if(!ctype_alnum($brute_force_feature_secret_word)){
202
+ $msg = '<p>'.__('Settings have not been saved - your secret word must consist only of alphanumeric characters, ie, letters and/or numbers only!', 'aiowpsecurity').'</p>';
203
+ $error = true;
204
+ }
205
+
206
+ if(filter_var($_POST['aiowps_cookie_based_brute_force_redirect_url'], FILTER_VALIDATE_URL))
207
+ {
208
+ $aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url',esc_url_raw($_POST['aiowps_cookie_based_brute_force_redirect_url']));
209
+ }
210
+ else
211
+ {
212
+ $aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1');
213
+ }
214
+
215
+ $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','1');
216
+
217
+ if (!$error)
218
+ {
219
+ $aio_wp_security->configs->set_value('aiowps_brute_force_secret_word',$brute_force_feature_secret_word);
220
+ $msg = '<p>'.__('You have successfully enabled the cookie based brute force prevention feature', 'aiowpsecurity').'</p>';
221
+ $msg .= '<p>'.__('From now on you will need to log into your WP Admin using the following URL:', 'aiowpsecurity').'</p>';
222
+ $msg .= '<p><strong>'.AIOWPSEC_WP_URL.'/?'.$brute_force_feature_secret_word.'=1</strong></p>';
223
+ $msg .= '<p>'.__('It is important that you save this URL value somewhere in case you forget it, OR,', 'aiowpsecurity').'</p>';
224
+ $msg .= '<p>'.sprintf( __('simply remember to add a "?%s=1" to your current site URL address.', 'aiowpsecurity'), $brute_force_feature_secret_word).'</p>';
225
+ }
226
+ }
227
+ else
228
+ {
229
+ $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');
230
+ $msg = __('You have successfully saved cookie based brute force prevention feature settings.', 'aiowpsecurity');
231
+ }
232
+
233
+ if(isset($_POST['aiowps_brute_force_attack_prevention_pw_protected_exception']))
234
+ {
235
+ $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','1');
236
+ }
237
+ else
238
+ {
239
+ $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','');
240
+ }
241
+
242
+ if(isset($_POST['aiowps_brute_force_attack_prevention_ajax_exception']))
243
+ {
244
+ $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_ajax_exception','1');
245
+ }
246
+ else
247
+ {
248
+ $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_ajax_exception','');
249
+ }
250
+
251
+ if (!$error)
252
+ {
253
+ $aio_wp_security->configs->save_config();//save the value
254
+
255
+ //Recalculate points after the feature status/options have been altered
256
+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
257
+
258
+ $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
259
+ if ($res){
260
+ echo '<div id="message" class="updated fade"><p>';
261
+ echo $msg;
262
+ echo '</p></div>';
263
+ }
264
+ else if($res == -1){
265
+ $this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
266
+ }
267
+ }
268
+ else
269
+ {
270
+ $this->show_msg_error($msg);
271
+ }
272
+ }
273
+
274
+ ?>
275
+ <h2><?php _e('Brute Force Prevention Firewall Settings', 'aiowpsecurity')?></h2>
276
+
277
+ <div class="aio_blue_box">
278
+ <?php
279
+ //TODO - need to fix the following message
280
+ echo '<p>'.__('A Brute Force Attack is when a hacker tries many combinations of usernames and passwords until they succeed in guessing the right combination.', 'aiowpsecurity').
281
+ '<br />'.__('Due to the fact that at any one time there may be many concurrent login attempts occurring on your site via malicious automated robots, this also has a negative impact on your server\'s memory and performance.', 'aiowpsecurity').
282
+ '<br />'.__('The features in this tab will stop the majority of Brute Force Login Attacks at the .htaccess level thus providing even better protection for your WP login page and also reducing the load on your server because the system does not have to run PHP code to process the login attempts.', 'aiowpsecurity').'</p>';
283
+ ?>
284
+ </div>
285
+ <div class="aio_yellow_box">
286
+ <?php
287
+ $backup_tab_link = '<a href="admin.php?page='.AIOWPSEC_SETTINGS_MENU_SLUG.'&tab=tab2" target="_blank">backup</a>';
288
+ $video_link = '<a href="http://www.tipsandtricks-hq.com/all-in-one-wp-security-plugin-cookie-based-brute-force-login-attack-prevention-feature-5994" target="_blank">video tutorial</a>';
289
+ $info_msg = sprintf( __('Even though this feature should not have any impact on your site\'s general functionality <strong>you are strongly encouraged to take a %s of your .htaccess file before proceeding</strong>.', 'aiowpsecurity'), $backup_tab_link);
290
+ $info_msg1 = __('If this feature is not used correctly, you can get locked out of your site. A backed up .htaccess file will come in handy if that happens.', 'aiowpsecurity');
291
+ $info_msg2 = sprintf( __('To learn more about how to use this feature please watch the following %s.', 'aiowpsecurity'), $video_link);
292
+ $brute_force_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_FIREWALL_MENU_SLUG.'&tab=tab4" target="_blank">Cookie-Based Brute Force Login Prevention</a>';
293
+ echo '<p>'.$info_msg.
294
+ '<br />'.$info_msg1.
295
+ '<br />'.$info_msg2.'</p>';
296
+ ?>
297
+ </div>
298
+
299
+ <div class="postbox">
300
+ <h3><label for="title"><?php _e('Cookie Based Brute Force Login Prevention', 'aiowpsecurity'); ?></label></h3>
301
+ <div class="inside">
302
+ <?php
303
+ //Display security info badge
304
+ global $aiowps_feature_mgr;
305
+ $aiowps_feature_mgr->output_feature_details_badge("firewall-enable-brute-force-attack-prevention");
306
+ ?>
307
+ <form action="" method="POST">
308
+ <?php wp_nonce_field('aiowpsec-enable-cookie-based-brute-force-prevention'); ?>
309
+ <table class="form-table">
310
+ <tr valign="top">
311
+ <th scope="row"><?php _e('Enable Brute Force Attack Prevention', 'aiowpsecurity')?>:</th>
312
+ <td>
313
+ <input name="aiowps_enable_brute_force_attack_prevention" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')=='1') echo ' checked="checked"'; ?> value="1"/>
314
+ <span class="description"><?php _e('Check this if you want to protect your login page from Brute Force Attack.', 'aiowpsecurity'); ?></span>
315
+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
316
+ <div class="aiowps_more_info_body">
317
+ <p class="description">
318
+ <?php
319
+ _e('This feature will deny access to your WordPress login page for all people except those who have a special cookie in their browser.', 'aiowpsecurity');
320
+ echo '<br />';
321
+ _e('To use this feature do the following:', 'aiowpsecurity');
322
+ echo '<br />';
323
+ _e('1) Enable the checkbox.', 'aiowpsecurity');
324
+ echo '<br />';
325
+ _e('2) Enter a secret word consisting of alphanumeric characters which will be difficult to guess. This secret word will be useful whenever you need to know the special URL which you will use to access the login page (see point below).', 'aiowpsecurity');
326
+ echo '<br />';
327
+ _e('3) You will then be provided with a special login URL. You will need to use this URL to login to your WordPress site instead of the usual login URL. NOTE: The system will deposit a special cookie in your browser which will allow you access to the WordPress administration login page.', 'aiowpsecurity');
328
+ echo '<br />';
329
+ _e('Any person trying to access your login page who does not have the special cookie in their browser will be automatically blocked.', 'aiowpsecurity');
330
+ ?>
331
+ </p>
332
+ </div>
333
+ </td>
334
+ </tr>
335
+ <tr valign="top">
336
+ <th scope="row"><?php _e('Secret Word', 'aiowpsecurity')?>:</th>
337
+ <td><input type="text" size="40" name="aiowps_brute_force_secret_word" value="<?php echo $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word'); ?>" />
338
+ <span class="description"><?php _e('Choose a secret word consisting of alphanumeric characters which you can use to access your special URL. Your are highly encouraged to choose a word which will be difficult to guess.', 'aiowpsecurity'); ?></span>
339
+ </td>
340
+ </tr>
341
+ <tr valign="top">
342
+ <th scope="row"><?php _e('Re-direct URL', 'aiowpsecurity')?>:</th>
343
+ <td><input type="text" size="40" name="aiowps_cookie_based_brute_force_redirect_url" value="<?php echo $aio_wp_security->configs->get_value('aiowps_cookie_based_brute_force_redirect_url'); ?>" />
344
+ <span class="description">
345
+ <?php
346
+ _e('Specify a URL to redirect a hacker to when they try to access your WordPress login page.', 'aiowpsecurity');
347
+ ?>
348
+ </span>
349
+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
350
+ <div class="aiowps_more_info_body">
351
+ <p class="description">
352
+ <?php
353
+ _e('The URL specified here can be any site\'s URL and does not have to be your own. For example you can be as creative as you like and send hackers to the CIA or NSA home page.', 'aiowpsecurity');
354
+ echo '<br />';
355
+ _e('This field will default to: http://127.0.0.1 if you do not enter a value.', 'aiowpsecurity');
356
+ echo '<br />';
357
+ _e('Useful Tip:', 'aiowpsecurity');
358
+ echo '<br />';
359
+ _e('It\'s a good idea to not redirect attempted brute force login attempts to your site because it increases the load on your server.', 'aiowpsecurity');
360
+ echo '<br />';
361
+ _e('Redirecting a hacker or malicious bot back to "http://127.0.0.1" is ideal because it deflects them back to their own local host and puts the load on their server instead of yours.', 'aiowpsecurity');
362
+ ?>
363
+ </p>
364
+ </div>
365
+ </td>
366
+ </tr>
367
+ <tr valign="top">
368
+ <th scope="row"><?php _e('My Site Has Posts Or Pages Which Are Password Protected', 'aiowpsecurity')?>:</th>
369
+ <td>
370
+ <input name="aiowps_brute_force_attack_prevention_pw_protected_exception" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_brute_force_attack_prevention_pw_protected_exception')=='1') echo ' checked="checked"'; ?> value="1"/>
371
+ <span class="description"><?php _e('Check this if you are using the native WordPress password protection feature for some or all of your blog posts or pages.', 'aiowpsecurity'); ?></span>
372
+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
373
+ <div class="aiowps_more_info_body">
374
+ <p class="description">
375
+ <?php
376
+ _e('In the cases where you are protecting some of your posts or pages using the in-built WordPress password protection feature, a few extra lines of directives and exceptions need to be added to your .htacces file so that people trying to access pages are not automatically blocked.', 'aiowpsecurity');
377
+ echo '<br />';
378
+ _e('By enabling this checkbox the plugin will add the necessary rules and exceptions to your .htacces file so that people trying to access these pages are not automatically blocked.', 'aiowpsecurity');
379
+ echo '<br />';
380
+ echo "<strong>".__('Helpful Tip:', 'aiowpsecurity')."</strong>";
381
+ echo '<br />';
382
+ _e('If you do not use the WordPress password protection feature for your posts or pages then it is highly recommended that you leave this checkbox disabled.', 'aiowpsecurity');
383
+ ?>
384
+ </p>
385
+ </div>
386
+ </td>
387
+ </tr>
388
+ <tr valign="top">
389
+ <th scope="row"><?php _e('My Site Has a Theme or Plugins Which Use AJAX', 'aiowpsecurity')?>:</th>
390
+ <td>
391
+ <input name="aiowps_brute_force_attack_prevention_ajax_exception" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_brute_force_attack_prevention_ajax_exception')=='1') echo ' checked="checked"'; ?> value="1"/>
392
+ <span class="description"><?php _e('Check this if your site uses AJAX functionality.', 'aiowpsecurity'); ?></span>
393
+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
394
+ <div class="aiowps_more_info_body">
395
+ <p class="description">
396
+ <?php
397
+ _e('In the cases where your WordPress installation has a theme or plugins which use AJAX, a few extra lines of directives and exceptions need to be added to your .htacces file to prevent AJAX requests from being automatically blocked by the brute force prevention feature.', 'aiowpsecurity');
398
+ echo '<br />';
399
+ _e('By enabling this checkbox the plugin will add the necessary rules and exceptions to your .htacces file so that AJAX operations will work as expected.', 'aiowpsecurity');
400
+ ?>
401
+ </p>
402
+ </div>
403
+ </td>
404
+ </tr>
405
+ </table>
406
+ <?php
407
+ $cookie_test_value = $aio_wp_security->configs->get_value('aiowps_cookie_test_success');
408
+ $bfla_feature_enabled = $aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention');
409
+ if($cookie_test_value == '1' || $bfla_feature_enabled == '1')//If the cookie test is successful or if the feature is already enabled then go ahead as normal
410
+ {
411
+ if (isset($_REQUEST['aiowps_cookie_test']))
412
+ {//Cookie test was just performed and the test succeded
413
+ echo '<div class="aio_green_box"><p>';
414
+ _e('The cookie test was successful. You can now enable this feature.', 'aiowpsecurity');
415
+ echo '</p></div>';
416
+ }
417
+ echo '<input type="submit" name="aiowps_apply_cookie_based_bruteforce_firewall" value="'.__('Save Feature Settings', 'aiowpsecurity').'" class="button-primary" />';
418
+ }
419
+ else
420
+ {
421
+ //Cookie test needs to be performed
422
+ if(isset($_REQUEST['aiowps_cookie_test']) && $cookie_test_value != '1'){//Test failed
423
+ echo '<div class="aio_red_box"><p>';
424
+ _e('The cookie test failed on this server. So this feature cannot be used on this site.', 'aiowpsecurity');
425
+ echo '</p></div>';
426
+ }
427
+
428
+ echo '<div class="aio_yellow_box"><p>';
429
+ _e("Before using this feature you are required to perform a cookie test first. This is to make sure that your browser cookie is working correctly and that you won't lock yourself out.", 'aiowpsecurity');
430
+ echo '</p></div>';
431
+ echo '<input type="submit" name="aiowps_do_cookie_test_for_bfla" value="'.__('Perform Cookie Test', 'aiowpsecurity').'" class="button-primary" />';
432
+ }
433
+ ?>
434
+ </form>
435
+ </div></div>
436
+ <?php
437
+ }
438
+
439
+ function render_tab3()
440
+ {
441
+ global $aio_wp_security;
442
+ global $aiowps_feature_mgr;
443
+
444
+ if(isset($_POST['aiowpsec_save_captcha_settings']))//Do form submission tasks
445
+ {
446
+ $error = '';
447
+ $nonce=$_REQUEST['_wpnonce'];
448
+ if (!wp_verify_nonce($nonce, 'aiowpsec-captcha-settings-nonce'))
449
+ {
450
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed on captcha settings save!",4);
451
+ die("Nonce check failed on captcha settings save!");
452
+ }
453
+
454
+
455
+ //Save all the form values to the options
456
+ $random_20_digit_string = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(20); //Generate random 20 char string for use during captcha encode/decode
457
+ $aio_wp_security->configs->set_value('aiowps_captcha_secret_key', $random_20_digit_string);
458
+ $aio_wp_security->configs->set_value('aiowps_enable_login_captcha',isset($_POST["aiowps_enable_login_captcha"])?'1':'');
459
+ $aio_wp_security->configs->set_value('aiowps_enable_lost_password_captcha',isset($_POST["aiowps_enable_lost_password_captcha"])?'1':'');
460
+ $aio_wp_security->configs->save_config();
461
+
462
+ //Recalculate points after the feature status/options have been altered
463
+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
464
+
465
+ $this->show_msg_settings_updated();
466
+ }
467
+ ?>
468
+ <div class="aio_blue_box">
469
+ <?php
470
+ echo '<p>'.__('This feature allows you to add a captcha form on the WordPress login page.', 'aiowpsecurity').'
471
+ <br />'.__('Users who attempt to login will also need to enter the answer to a simple mathematical question - if they enter the wrong answer, the plugin will not allow them login even if they entered the correct username and password.', 'aiowpsecurity').'
472
+ <br />'.__('Therefore, adding a captcha form on the login page is another effective yet simple "Brute Force" prevention technique.', 'aiowpsecurity').'
473
+ </p>';
474
+ ?>
475
+ </div>
476
+ <form action="" method="POST">
477
+ <div class="postbox">
478
+ <h3><label for="title"><?php _e('Login Form Captcha Settings', 'aiowpsecurity'); ?></label></h3>
479
+ <div class="inside">
480
+ <?php
481
+ //Display security info badge
482
+ global $aiowps_feature_mgr;
483
+ $aiowps_feature_mgr->output_feature_details_badge("user-login-captcha");
484
+ ?>
485
+
486
+ <?php wp_nonce_field('aiowpsec-captcha-settings-nonce'); ?>
487
+ <table class="form-table">
488
+ <tr valign="top">
489
+ <th scope="row"><?php _e('Enable Captcha On Login Page', 'aiowpsecurity')?>:</th>
490
+ <td>
491
+ <input name="aiowps_enable_login_captcha" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_login_captcha')=='1') echo ' checked="checked"'; ?> value="1"/>
492
+ <span class="description"><?php _e('Check this if you want to insert a captcha form on the login page', 'aiowpsecurity'); ?></span>
493
+ </td>
494
+ </tr>
495
+ </table>
496
+ </div></div>
497
+ <div class="postbox">
498
+ <h3><label for="title"><?php _e('Lost Password Form Captcha Settings', 'aiowpsecurity'); ?></label></h3>
499
+ <div class="inside">
500
+ <?php
501
+ //Display security info badge
502
+ global $aiowps_feature_mgr;
503
+ $aiowps_feature_mgr->output_feature_details_badge("lost-password-captcha");
504
+ ?>
505
+
506
+ <table class="form-table">
507
+ <tr valign="top">
508
+ <th scope="row"><?php _e('Enable Captcha On Lost Password Page', 'aiowpsecurity')?>:</th>
509
+ <td>
510
+ <input name="aiowps_enable_lost_password_captcha" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_lost_password_captcha')=='1') echo ' checked="checked"'; ?> value="1"/>
511
+ <span class="description"><?php _e('Check this if you want to insert a captcha form on the lost password page', 'aiowpsecurity'); ?></span>
512
+ </td>
513
+ </tr>
514
+ </table>
515
+ </div></div>
516
+ <input type="submit" name="aiowpsec_save_captcha_settings" value="<?php _e('Save Settings', 'aiowpsecurity')?>" class="button-primary" />
517
+ </form>
518
+ <?php
519
+ }
520
+
521
+ function render_tab4()
522
+ {
523
+ global $aio_wp_security;
524
+ global $aiowps_feature_mgr;
525
+ $result = 1;
526
+ $your_ip_address = AIOWPSecurity_Utility_IP::get_user_ip_address();
527
+ if (isset($_POST['aiowps_save_whitelist_settings']))
528
+ {
529
+ $nonce=$_REQUEST['_wpnonce'];
530
+ if (!wp_verify_nonce($nonce, 'aiowpsec-whitelist-settings-nonce'))
531
+ {
532
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed for save whitelist settings!",4);
533
+ die(__('Nonce check failed for save whitelist settings!','aiowpsecurity'));
534
+ }
535
+
536
+ if (isset($_POST["aiowps_enable_whitelisting"]) && empty($_POST['aiowps_allowed_ip_addresses']))
537
+ {
538
+ $this->show_msg_error('You must submit at least one IP address!','aiowpsecurity');
539
+ }
540
+ else
541
+ {
542
+ if (!empty($_POST['aiowps_allowed_ip_addresses']))
543
+ {
544
+ $ip_addresses = $_POST['aiowps_allowed_ip_addresses'];
545
+ $ip_list_array = AIOWPSecurity_Utility_IP::create_ip_list_array_from_string_with_newline($ip_addresses);
546
+ $payload = AIOWPSecurity_Utility_IP::validate_ip_list($ip_list_array, 'whitelist');
547
+ if($payload[0] == 1){
548
+ //success case
549
+ $result = 1;
550
+ $list = $payload[1];
551
+ $banned_ip_data = implode(PHP_EOL, $list);
552
+ $aio_wp_security->configs->set_value('aiowps_allowed_ip_addresses',$banned_ip_data);
553
+ $_POST['aiowps_allowed_ip_addresses'] = ''; //Clear the post variable for the banned address list
554
+ }
555
+ else{
556
+ $result = -1;
557
+ $error_msg = $payload[1][0];
558
+ $this->show_msg_error($error_msg);
559
+ }
560
+
561
+ }
562
+ else
563
+ {
564
+ $aio_wp_security->configs->set_value('aiowps_allowed_ip_addresses',''); //Clear the IP address config value
565
+ }
566
+
567
+ if ($result == 1)
568
+ {
569
+ $aio_wp_security->configs->set_value('aiowps_enable_whitelisting',isset($_POST["aiowps_enable_whitelisting"])?'1':'');
570
+ $aio_wp_security->configs->save_config(); //Save the configuration
571
+
572
+ //Recalculate points after the feature status/options have been altered
573
+ $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
574
+
575
+ $this->show_msg_settings_updated();
576
+
577
+ $write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); //now let's write to the .htaccess file
578
+ if ($write_result == -1)
579
+ {
580
+ $this->show_msg_error(__('The plugin was unable to write to the .htaccess file. Please edit file manually.','aiowpsecurity'));
581
+ $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_whitelist_Menu - The plugin was unable to write to the .htaccess file.");
582
+ }
583
+ }
584
+ }
585
+ }
586
+ ?>
587
+ <h2><?php _e('Login Whitelist', 'aiowpsecurity')?></h2>
588
+ <div class="aio_blue_box">
589
+ <?php
590
+ echo '<p>'.__('The All In One WP Security Whitelist feature gives you the option of only allowing certain IP addresses or ranges to have access to your WordPress login page.', 'aiowpsecurity').'
591
+ <br />'.__('This feature will deny login access for all IP addresses which are not in your whitelist as configured in the settings below.', 'aiowpsecurity').'
592
+ <br />'.__('The plugin achieves this by writing the appropriate directives to your .htaccess file.', 'aiowpsecurity').'
593
+ <br />'.__('By allowing/blocking IP addresses via the .htaccess file your are using the most secure first line of defence because login access will only be granted to whitelisted IP addresses and other addresses will be blocked as soon as they try to access your login page.', 'aiowpsecurity').'
594
+ </p>';
595
+ ?>
596
+ </div>
597
+ <div class="aio_yellow_box">
598
+ <?php
599
+ $brute_force_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=tab2" target="_blank">Cookie-Based Brute Force Login Prevention</a>';
600
+ echo '<p>'.sprintf( __('Attention: If in addition to enabling the white list feature, you also have the %s feature enabled, <strong>you will still need to use your secret word in the URL when trying to access your WordPress login page</strong>.', 'aiowpsecurity'), $brute_force_login_feature_link).'</p>
601
+ <p>'.__('These features are NOT functionally related. Having both of them enabled on your site means you are creating 2 layers of security.', 'aiowpsecurity').'</p>';
602
+ ?>
603
+ </div>
604
+
605
+ <div class="postbox">
606
+ <h3><label for="title"><?php _e('Login IP Whitelist Settings', 'aiowpsecurity'); ?></label></h3>
607
+ <div class="inside">
608
+ <?php
609
+ //Display security info badge
610
+ global $aiowps_feature_mgr;
611
+ $aiowps_feature_mgr->output_feature_details_badge("whitelist-manager-ip-login-whitelisting");
612
+ ?>
613
+ <form action="" method="POST">
614
+ <?php wp_nonce_field('aiowpsec-whitelist-settings-nonce'); ?>
615
+ <table class="form-table">
616
+ <tr valign="top">
617
+ <th scope="row"><?php _e('Enable IP Whitelisting', 'aiowpsecurity')?>:</th>
618
+ <td>
619
+ <input name="aiowps_enable_whitelisting" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_whitelisting')=='1') echo ' checked="checked"'; ?> value="1"/>
620
+ <span class="description"><?php _e('Check this if you want to enable the whitelisting of selected IP addresses specified in the settings below', 'aiowpsecurity'); ?></span>
621
+ </td>
622
+ </tr>
623
+ <tr valign="top">
624
+ <th scope="row"><?php _e('Your Current IP Address', 'aiowpsecurity')?>:</th>
625
+ <td>
626
+ <input size="20" name="aiowps_user_ip" type="text" value="<?php echo $your_ip_address; ?>" readonly="readonly"/>
627
+ <span class="description"><?php _e('You can copy and paste this address in the text box below if you want to include it in your login whitelist.', 'aiowpsecurity'); ?></span>
628
+ </td>
629
+ </tr>
630
+ <tr valign="top">
631
+ <th scope="row"><?php _e('Enter Whitelisted IP Addresses:', 'aiowpsecurity')?></th>
632
+ <td>
633
+ <textarea name="aiowps_allowed_ip_addresses" rows="5" cols="50"><?php echo ($result == -1)?$_POST['aiowps_allowed_ip_addresses']:$aio_wp_security->configs->get_value('aiowps_allowed_ip_addresses'); ?></textarea>
634
+ <br />
635
+ <span class="description"><?php _e('Enter one or more IP addresses or IP ranges you wish to include in your whitelist. Only the addresses specified here will have access to the WordPress login page.','aiowpsecurity');?></span>
636
+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
637
+ <div class="aiowps_more_info_body">
638
+ <?php
639
+ echo '<p class="description">'.__('Each IP address must be on a new line.', 'aiowpsecurity').'</p>';
640
+ echo '<p class="description">'.__('To specify an IP range use a wildcard "*" character. Acceptable ways to use wildcards is shown in the examples below:', 'aiowpsecurity').'</p>';
641
+ echo '<p class="description">'.__('Example 1: 195.47.89.*', 'aiowpsecurity').'</p>';
642
+ echo '<p class="description">'.__('Example 2: 195.47.*.*', 'aiowpsecurity').'</p>';
643
+ echo '<p class="description">'.__('Example 3: 195.*.*.*', 'aiowpsecurity').'</p>';
644
+ ?>
645
+ </div>
646
+
647
+ </td>
648
+ </tr>
649
+ </table>
650
+ <input type="submit" name="aiowps_save_whitelist_settings" value="<?php _e('Save Settings', 'aiowpsecurity')?>" class="button-primary" />
651
+ </form>
652
+ </div></div>
653
+ <?php
654
  }
655
 
656
  } //end class
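Review bot: the values echoed back into the whitelist form are not escaped: `value="<?php echo $your_ip_address; ?>"` prints the detected address straight into an attribute, and on a validation failure the textarea reflects the raw `$_POST['aiowps_allowed_ip_addresses']` back into the page. Wrap them in `esc_attr()` and `esc_textarea()` respectively; the nonce limits who can submit the form, but reflecting unescaped request data into admin HTML is a habit the rest of the plugin should not pick up. Two smaller points: the blue-box text reads "your are using the most secure first line of defence" and should be "you are using"; and because the whitelist is enforced by .htaccess directives, the address shown under "Your Current IP Address" only helps if it is the address the web server itself sees, so a one-line warning for sites behind a proxy or CDN (where the client address PHP reports and the address Apache matches can differ) would stop admins locking themselves out.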
admin/wp-security-database-menu.php CHANGED
@@ -382,7 +382,7 @@ class AIOWPSecurity_Database_Menu extends AIOWPSecurity_Admin_Menu
382
  echo ($info_msg_string);
383
 
384
  //Do a back of the config file
385
- if(!AIOWPSecurity_Utility_File::backup_a_file($config_file))
386
  {
387
  echo '<div class="aio_red_box"><p>'.__('Failed to make a backup of the wp-config.php file. This operation will not go ahead.', 'aiowpsecurity').'</p></div>';
388
  return;
382
  echo ($info_msg_string);
383
 
384
  //Do a back of the config file
385
+ if(!AIOWPSecurity_Utility_File::backup_and_rename_wp_config($config_file))
386
  {
387
  echo '<div class="aio_red_box"><p>'.__('Failed to make a backup of the wp-config.php file. This operation will not go ahead.', 'aiowpsecurity').'</p></div>';
388
  return;
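Review bot: the guard is still `if(!AIOWPSecurity_Utility_File::backup_and_rename_wp_config($config_file))`, exactly as it was for `backup_a_file()`, so the new function must return a falsy value on failure for the "Failed to make a backup of the wp-config.php file" path to fire; a -1 style error code, as the .htaccess writer in this patch uses, would be truthy and let the operation go ahead without a backup. Worth confirming against the utility's implementation, which is not part of this diff.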
admin/wp-security-filescan-menu.php CHANGED
@@ -86,6 +86,14 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
86
  $this->display_last_scan_results();
87
  }
88
 
 
 
 
 
 
 
 
 
89
  if (isset($_POST['aiowps_manual_fcd_scan']))
90
  {
91
  $nonce=$_REQUEST['_wpnonce'];
@@ -100,12 +108,9 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
100
  if ($result['initial_scan'] == 1)
101
  {
102
  $this->show_msg_updated(__('The plugin has detected that this is your first file change detection scan. The file details from this scan will be used to detect file changes for future scans!','aiowpsecurity'));
 
 
103
  }
104
- // else
105
- // {
106
- // $aio_wp_security->debug_logger->log_debug("Manual File Change Detection scan operation failed!",4);
107
- // $this->show_msg_error(__('Manual File Change Detection scan operation failed!','aiowpsecurity'));
108
- // }
109
  }
110
 
111
  if(isset($_POST['aiowps_schedule_fcd_scan']))//Do form submission tasks
@@ -236,6 +241,19 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
236
  </form>
237
  </div></div>
238
  <div class="postbox">
 
 
 
 
 
 
 
 
 
 
 
 
 
239
  <h3><label for="title"><?php _e('File Change Detection Settings', 'aiowpsecurity'); ?></label></h3>
240
  <div class="inside">
241
  <?php
@@ -348,12 +366,15 @@ class AIOWPSecurity_Filescan_Menu extends AIOWPSecurity_Admin_Menu
348
  $scan_db_data = $wpdb->get_row($query, ARRAY_A);
349
  if ($scan_db_data === NULL)
350
  {
351
- //TODO: Failure scenario
352
  $aio_wp_security->debug_logger->log_debug("display_last_scan_results() - DB query for scan results data from global meta table returned NULL!",4);
353
- return;
354
  }
355
  $date_last_scan = $scan_db_data['date_time'];
356
  $scan_results_unserialized = maybe_unserialize($scan_db_data['meta_value5']);
 
 
 
 
357
  ?>
358
  <div class="postbox">
359
  <h3><label for="title"><?php _e('Latest File Change Scan Results', 'aiowpsecurity'); ?></label></h3>
86
  $this->display_last_scan_results();
87
  }
88
 
89
+ if (isset($_POST['aiowps_view_last_fcd_results']))
90
+ {
91
+ //Display the last scan results
92
+ if (!$this->display_last_scan_results()){
93
+ $this->show_msg_updated(__('There have been no file changes since the last scan.', 'aiowpsecurity'));
94
+ }
95
+ }
96
+
97
  if (isset($_POST['aiowps_manual_fcd_scan']))
98
  {
99
  $nonce=$_REQUEST['_wpnonce'];
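Review bot: the new `aiowps_view_last_fcd_results` handler never verifies the nonce that its form emits (`wp_nonce_field('aiowpsec-view-last-fcd-results-nonce')` later in this patch), while the neighbouring `aiowps_manual_fcd_scan` handler does read `$_REQUEST['_wpnonce']` and check it. The action is read-only, so the exposure is small, but either add the same `wp_verify_nonce()` check for consistency or drop the unused nonce field so the next reader is not misled into thinking it is enforced.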
108
  if ($result['initial_scan'] == 1)
109
  {
110
  $this->show_msg_updated(__('The plugin has detected that this is your first file change detection scan. The file details from this scan will be used to detect file changes for future scans!','aiowpsecurity'));
111
+ }else if(!$aio_wp_security->configs->get_value('aiowps_fcds_change_detected')){
112
+ $this->show_msg_updated(__('Scan Complete - There were no file changes detected!', 'aiowpsecurity'));
113
  }
 
 
 
 
 
114
  }
115
 
116
  if(isset($_POST['aiowps_schedule_fcd_scan']))//Do form submission tasks
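Review bot: the feedback after a manual scan now covers `initial_scan` and the "no file changes detected" case, but the commented-out failure branch that reported a failed scan was removed without a replacement, so a scan whose `$result` is falsy prints nothing at all. Keep an explicit error message for that case alongside the new success message. The "no changes" branch also relies on the scan routine clearing `aiowps_fcds_change_detected` for a clean result, which the release notes say was fixed; make sure the two changes ship together.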
241
  </form>
242
  </div></div>
243
  <div class="postbox">
244
+ <h3><label for="title"><?php _e('View Last Saved File Change Results', 'aiowpsecurity'); ?></label></h3>
245
+ <div class="inside">
246
+ <form action="" method="POST">
247
+ <?php wp_nonce_field('aiowpsec-view-last-fcd-results-nonce'); ?>
248
+ <table class="form-table">
249
+ <tr valign="top">
250
+ <span class="description"><?php _e('Click the button below to view the saved file change results from the last scan.', 'aiowpsecurity'); ?></span>
251
+ </tr>
252
+ </table>
253
+ <input type="submit" name="aiowps_view_last_fcd_results" value="<?php _e('View Last File Change', 'aiowpsecurity')?>" class="button-primary" />
254
+ </form>
255
+ </div></div>
256
+ <div class="postbox">
257
  <h3><label for="title"><?php _e('File Change Detection Settings', 'aiowpsecurity'); ?></label></h3>
258
  <div class="inside">
259
  <?php
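Review bot: in the new "View Last Saved File Change Results" box the `<span class="description">` sits directly inside `<tr valign="top">` with no `<td>`, which is invalid table markup and most browsers will hoist the text out of the table. Wrap it as `<td><span class="description">...</span></td>` like the other rows in this file. The button label "View Last File Change" would also read better as "View Last File Change Results", matching the box heading.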
366
  $scan_db_data = $wpdb->get_row($query, ARRAY_A);
367
  if ($scan_db_data === NULL)
368
  {
 
369
  $aio_wp_security->debug_logger->log_debug("display_last_scan_results() - DB query for scan results data from global meta table returned NULL!",4);
370
+ return FALSE;
371
  }
372
  $date_last_scan = $scan_db_data['date_time'];
373
  $scan_results_unserialized = maybe_unserialize($scan_db_data['meta_value5']);
374
+ if (empty($scan_results_unserialized['files_added']) && empty($scan_results_unserialized['files_removed']) && empty($scan_results_unserialized['files_changed'])){
375
+ //No file change detected
376
+ return FALSE;
377
+ }
378
  ?>
379
  <div class="postbox">
380
  <h3><label for="title"><?php _e('Latest File Change Scan Results', 'aiowpsecurity'); ?></label></h3>
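Review bot: `display_last_scan_results()` now returns FALSE on the two "nothing to show" paths (no row in the global meta table, or empty `files_added`, `files_removed` and `files_changed`), but nothing in the visible lines returns TRUE once the results table has been rendered. A PHP function that falls through returns NULL, and the caller added in this patch, `if (!$this->display_last_scan_results())`, would then print "There have been no file changes since the last scan." directly beneath a table that just listed changes. Add an explicit `return TRUE;` after the results markup.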
admin/wp-security-firewall-menu.php CHANGED
@@ -11,7 +11,6 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
11
  'tab1' => 'render_tab1',
12
  'tab2' => 'render_tab2',
13
  'tab3' => 'render_tab3',
14
- 'tab4' => 'render_tab4',
15
  );
16
 
17
  function __construct()
@@ -25,7 +24,6 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
25
  'tab1' => __('Basic Firewall Rules', 'aiowpsecurity'),
26
  'tab2' => __('Additional Firewall Rules', 'aiowpsecurity'),
27
  'tab3' => __('5G Blacklist Firewall Rules', 'aiowpsecurity'),
28
- 'tab4' => __('Brute Force Prevention', 'aiowpsecurity'),
29
  );
30
  }
31
 
@@ -544,265 +542,5 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
544
  </div></div>
545
  <?php
546
  }
547
-
548
- function render_tab4()
549
- {
550
- global $aio_wp_security;
551
- global $aiowps_feature_mgr;
552
- $error = false;
553
-
554
- //Save settings for brute force cookie method
555
- if(isset($_POST['aiowps_apply_cookie_based_bruteforce_firewall']))
556
- {
557
- $nonce=$_REQUEST['_wpnonce'];
558
- if (!wp_verify_nonce($nonce, 'aiowpsec-enable-cookie-based-brute-force-prevention'))
559
- {
560
- $aio_wp_security->debug_logger->log_debug("Nonce check failed on enable cookie based brute force prevention feature!",4);
561
- die("Nonce check failed on enable cookie based brute force prevention feature!");
562
- }
563
-
564
- if(isset($_POST['aiowps_enable_brute_force_attack_prevention']))
565
- {
566
- $brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']);
567
- if(empty($brute_force_feature_secret_word)){
568
- $brute_force_feature_secret_word = "aiowps_secret";
569
- }else if(!ctype_alnum($brute_force_feature_secret_word)){
570
- $msg = '<p>'.__('Settings have not been saved - your secret word must consist only of alphanumeric characters, ie, letters and/or numbers only!', 'aiowpsecurity').'</p>';
571
- $error = true;
572
- }
573
-
574
- if(filter_var($_POST['aiowps_cookie_based_brute_force_redirect_url'], FILTER_VALIDATE_URL))
575
- {
576
- $aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url',esc_url_raw($_POST['aiowps_cookie_based_brute_force_redirect_url']));
577
- }
578
- else
579
- {
580
- $aio_wp_security->configs->set_value('aiowps_cookie_based_brute_force_redirect_url','http://127.0.0.1');
581
- }
582
-
583
- $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','1');
584
-
585
- if (!$error)
586
- {
587
- $aio_wp_security->configs->set_value('aiowps_brute_force_secret_word',$brute_force_feature_secret_word);
588
- $msg = '<p>'.__('You have successfully enabled the cookie based brute force prevention feature', 'aiowpsecurity').'</p>';
589
- $msg .= '<p>'.__('From now on you will need to log into your WP Admin using the following URL:', 'aiowpsecurity').'</p>';
590
- $msg .= '<p><strong>'.AIOWPSEC_WP_URL.'/?'.$brute_force_feature_secret_word.'=1</strong></p>';
591
- $msg .= '<p>'.__('It is important that you save this URL value somewhere in case you forget it, OR,', 'aiowpsecurity').'</p>';
592
- $msg .= '<p>'.sprintf( __('simply remember to add a "?%s=1" to your current site URL address.', 'aiowpsecurity'), $brute_force_feature_secret_word).'</p>';
593
- }
594
- }
595
- else
596
- {
597
- $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');
598
- $msg = __('You have successfully saved cookie based brute force prevention feature settings.', 'aiowpsecurity');
599
- }
600
-
601
- if(isset($_POST['aiowps_brute_force_attack_prevention_pw_protected_exception']))
602
- {
603
- $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','1');
604
- }
605
- else
606
- {
607
- $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_pw_protected_exception','');
608
- }
609
-
610
- if(isset($_POST['aiowps_brute_force_attack_prevention_ajax_exception']))
611
- {
612
- $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_ajax_exception','1');
613
- }
614
- else
615
- {
616
- $aio_wp_security->configs->set_value('aiowps_brute_force_attack_prevention_ajax_exception','');
617
- }
618
-
619
- if (!$error)
620
- {
621
- $aio_wp_security->configs->save_config();//save the value
622
-
623
- //Recalculate points after the feature status/options have been altered
624
- $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
625
-
626
- $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
627
- if ($res){
628
- echo '<div id="message" class="updated fade"><p>';
629
- echo $msg;
630
- echo '</p></div>';
631
- }
632
- else if($res == -1){
633
- $this->show_msg_error(__('Could not write to the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
634
- }
635
- }
636
- else
637
- {
638
- $this->show_msg_error($msg);
639
- }
640
- }
641
-
642
- ?>
643
- <h2><?php _e('Brute Force Prevention Firewall Settings', 'aiowpsecurity')?></h2>
644
-
645
- <div class="aio_blue_box">
646
- <?php
647
- //TODO - need to fix the following message
648
- echo '<p>'.__('A Brute Force Attack is when a hacker tries many combinations of usernames and passwords until they succeed in guessing the right combination.', 'aiowpsecurity').
649
- '<br />'.__('Due to the fact that at any one time there may be many concurrent login attempts occurring on your site via malicious automated robots, this also has a negative impact on your server\'s memory and performance.', 'aiowpsecurity').
650
- '<br />'.__('The features in this tab will stop the majority of Brute Force Login Attacks at the .htaccess level thus providing even better protection for your WP login page and also reducing the load on your server because the system does not have to run PHP code to process the login attempts.', 'aiowpsecurity').'</p>';
651
- ?>
652
- </div>
653
- <div class="aio_yellow_box">
654
- <?php
655
- $backup_tab_link = '<a href="admin.php?page='.AIOWPSEC_SETTINGS_MENU_SLUG.'&tab=tab2" target="_blank">backup</a>';
656
- $video_link = '<a href="http://www.tipsandtricks-hq.com/all-in-one-wp-security-plugin-cookie-based-brute-force-login-attack-prevention-feature-5994" target="_blank">video tutorial</a>';
657
- $info_msg = sprintf( __('Even though this feature should not have any impact on your site\'s general functionality <strong>you are strongly encouraged to take a %s of your .htaccess file before proceeding</strong>.', 'aiowpsecurity'), $backup_tab_link);
658
- $info_msg1 = __('If this feature is not used correctly, you can get locked out of your site. A backup file will come in handy if that happens.', 'aiowpsecurity');
659
- $info_msg2 = sprintf( __('To learn more about how to use this feature please watch the following %s.', 'aiowpsecurity'), $video_link);
660
- $brute_force_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_FIREWALL_MENU_SLUG.'&tab=tab4" target="_blank">Cookie-Based Brute Force Login Prevention</a>';
661
- echo '<p>'.$info_msg.
662
- '<br />'.$info_msg1.
663
- '<br />'.$info_msg2.'</p>';
664
- ?>
665
- </div>
666
-
667
- <div class="postbox">
668
- <h3><label for="title"><?php _e('Cookie Based Brute Force Login Prevention', 'aiowpsecurity'); ?></label></h3>
669
- <div class="inside">
670
- <?php
671
- //Display security info badge
672
- global $aiowps_feature_mgr;
673
- $aiowps_feature_mgr->output_feature_details_badge("firewall-enable-brute-force-attack-prevention");
674
- ?>
675
- <form action="" method="POST">
676
- <?php wp_nonce_field('aiowpsec-enable-cookie-based-brute-force-prevention'); ?>
677
- <table class="form-table">
678
- <tr valign="top">
679
- <th scope="row"><?php _e('Enable Brute Force Attack Prevention', 'aiowpsecurity')?>:</th>
680
- <td>
681
- <input name="aiowps_enable_brute_force_attack_prevention" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')=='1') echo ' checked="checked"'; ?> value="1"/>
682
- <span class="description"><?php _e('Check this if you want to protect your login page from Brute Force Attack.', 'aiowpsecurity'); ?></span>
683
- <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
684
- <div class="aiowps_more_info_body">
685
- <p class="description">
686
- <?php
687
- _e('This feature will deny access to your WordPress login page for all people except those who have a special cookie in their browser.', 'aiowpsecurity');
688
- echo '<br />';
689
- _e('To use this feature do the following:', 'aiowpsecurity');
690
- echo '<br />';
691
- _e('1) Enable the checkbox.', 'aiowpsecurity');
692
- echo '<br />';
693
- _e('2) Enter a secret word consisting of alphanumeric characters which will be difficult to guess. This secret word will be useful whenever you need to know the special URL which you will use to access the login page (see point below).', 'aiowpsecurity');
694
- echo '<br />';
695
- _e('3) You will then be provided with a special login URL. You will need to use this URL to login to your WordPress site instead of the usual login URL. NOTE: The system will deposit a special cookie in your browser which will allow you access to the WordPress administration login page.', 'aiowpsecurity');
696
- echo '<br />';
697
- _e('Any person trying to access your login page who does not have the special cookie in their browser will be automatically blocked.', 'aiowpsecurity');
698
- ?>
699
- </p>
700
- </div>
701
- </td>
702
- </tr>
703
- <tr valign="top">
704
- <th scope="row"><?php _e('Secret Word', 'aiowpsecurity')?>:</th>
705
- <td><input type="text" size="40" name="aiowps_brute_force_secret_word" value="<?php echo $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word'); ?>" />
706
- <span class="description"><?php _e('Choose a secret word consisting of alphanumeric characters which you can use to access your special URL. Your are highly encouraged to choose a word which will be difficult to guess.', 'aiowpsecurity'); ?></span>
707
- </td>
708
- </tr>
709
- <tr valign="top">
710
- <th scope="row"><?php _e('Re-direct URL', 'aiowpsecurity')?>:</th>
711
- <td><input type="text" size="40" name="aiowps_cookie_based_brute_force_redirect_url" value="<?php echo $aio_wp_security->configs->get_value('aiowps_cookie_based_brute_force_redirect_url'); ?>" />
712
- <span class="description">
713
- <?php
714
- _e('Specify a URL to redirect a hacker to when they try to access your WordPress login page.', 'aiowpsecurity');
715
- ?>
716
- </span>
717
- <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
718
- <div class="aiowps_more_info_body">
719
- <p class="description">
720
- <?php
721
- _e('The URL specified here can be any site\'s URL and does not have to be your own. For example you can be as creative as you like and send hackers to the CIA or NSA home page.', 'aiowpsecurity');
722
- echo '<br />';
723
- _e('This field will default to: http://127.0.0.1 if you do not enter a value.', 'aiowpsecurity');
724
- echo '<br />';
725
- _e('Useful Tip:', 'aiowpsecurity');
726
- echo '<br />';
727
- _e('It\'s a good idea to not redirect attempted brute force login attempts to your site because it increases the load on your server.', 'aiowpsecurity');
728
- echo '<br />';
729
- _e('Redirecting a hacker or malicious bot back to "http://127.0.0.1" is ideal because it deflects them back to their own local host and puts the load on their server instead of yours.', 'aiowpsecurity');
730
- ?>
731
- </p>
732
- </div>
733
- </td>
734
- </tr>
735
- <tr valign="top">
736
- <th scope="row"><?php _e('My Site Has Posts Or Pages Which Are Password Protected', 'aiowpsecurity')?>:</th>
737
- <td>
738
- <input name="aiowps_brute_force_attack_prevention_pw_protected_exception" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_brute_force_attack_prevention_pw_protected_exception')=='1') echo ' checked="checked"'; ?> value="1"/>
739
- <span class="description"><?php _e('Check this if you are using the native WordPress password protection feature for some or all of your blog posts or pages.', 'aiowpsecurity'); ?></span>
740
- <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
741
- <div class="aiowps_more_info_body">
742
- <p class="description">
743
- <?php
744
- _e('In the cases where you are protecting some of your posts or pages using the in-built WordPress password protection feature, a few extra lines of directives and exceptions need to be added to your .htacces file so that people trying to access pages are not automatically blocked.', 'aiowpsecurity');
745
- echo '<br />';
746
- _e('By enabling this checkbox the plugin will add the necessary rules and exceptions to your .htacces file so that people trying to access these pages are not automatically blocked.', 'aiowpsecurity');
747
- echo '<br />';
748
- echo "<strong>".__('Helpful Tip:', 'aiowpsecurity')."</strong>";
749
- echo '<br />';
750
- _e('If you do not use the WordPress password protection feature for your posts or pages then it is highly recommended that you leave this checkbox disabled.', 'aiowpsecurity');
751
- ?>
752
- </p>
753
- </div>
754
- </td>
755
- </tr>
756
- <tr valign="top">
757
- <th scope="row"><?php _e('My Site Has a Theme or Plugins Which Use AJAX', 'aiowpsecurity')?>:</th>
758
- <td>
759
- <input name="aiowps_brute_force_attack_prevention_ajax_exception" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_brute_force_attack_prevention_ajax_exception')=='1') echo ' checked="checked"'; ?> value="1"/>
760
- <span class="description"><?php _e('Check this if your site uses AJAX functionality.', 'aiowpsecurity'); ?></span>
761
- <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
762
- <div class="aiowps_more_info_body">
763
- <p class="description">
764
- <?php
765
- _e('In the cases where your WordPress installation has a theme or plugins which use AJAX, a few extra lines of directives and exceptions need to be added to your .htacces file to prevent AJAX requests from being automatically blocked by the brute force prevention feature.', 'aiowpsecurity');
766
- echo '<br />';
767
- _e('By enabling this checkbox the plugin will add the necessary rules and exceptions to your .htacces file so that AJAX operations will work as expected.', 'aiowpsecurity');
768
- ?>
769
- </p>
770
- </div>
771
- </td>
772
- </tr>
773
- </table>
774
- <?php
775
- $cookie_test_value = $aio_wp_security->configs->get_value('aiowps_cookie_test_success');
776
- $bfla_feature_enabled = $aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention');
777
- if($cookie_test_value == '1' || $bfla_feature_enabled == '1')//If the cookie test is successful or if the feature is already enabled then go ahead as normal
778
- {
779
- if (isset($_REQUEST['aiowps_cookie_test']))
780
- {//Cookie test was just performed and the test succeded
781
- echo '<div class="aio_green_box"><p>';
782
- _e('The cookie test was successful. You can now enable this feature.', 'aiowpsecurity');
783
- echo '</p></div>';
784
- }
785
- echo '<input type="submit" name="aiowps_apply_cookie_based_bruteforce_firewall" value="'.__('Save Feature Settings', 'aiowpsecurity').'" class="button-primary" />';
786
- }
787
- else
788
- {
789
- //Cookie test needs to be performed
790
- if(isset($_REQUEST['aiowps_cookie_test']) && $cookie_test_value != '1'){//Test failed
791
- echo '<div class="aio_red_box"><p>';
792
- _e('The cookie test failed on this server. So this feature cannot be used on this site.', 'aiowpsecurity');
793
- echo '</p></div>';
794
- }
795
-
796
- //TODO - pretty up the message
797
- echo '<div class="aio_yellow_box"><p>';
798
- _e("Before using this feature you are required to perform a cookie test first. This is to make sure that your browser cookie is working correctly and that you won't lock yourself out.", 'aiowpsecurity');
799
- echo '</p></div>';
800
- echo '<input type="submit" name="aiowps_do_cookie_test_for_bfla" value="'.__('Perform Cookie Test', 'aiowpsecurity').'" class="button-primary" />';
801
- }
802
- ?>
803
- </form>
804
- </div></div>
805
- <?php
806
- }
807
 
808
  } //end class
11
  'tab1' => 'render_tab1',
12
  'tab2' => 'render_tab2',
13
  'tab3' => 'render_tab3',
 
14
  );
15
 
16
  function __construct()
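Review bot: removing `'tab4' => 'render_tab4'` means any bookmarked or externally linked `admin.php?page=...&tab=tab4` URL for the firewall menu now lands on whatever the menu treats as its default tab. The in-plugin references are updated elsewhere in this patch (the user-login menu drops its `AIOWPSEC_FIREWALL_MENU_SLUG.'&tab=tab4'` link and the whitelist tab points at `AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=tab2'`), but a redirect from the old tab to its new home would be friendlier than a silent fall-through.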
24
  'tab1' => __('Basic Firewall Rules', 'aiowpsecurity'),
25
  'tab2' => __('Additional Firewall Rules', 'aiowpsecurity'),
26
  'tab3' => __('5G Blacklist Firewall Rules', 'aiowpsecurity'),
 
27
  );
28
  }
29
 
542
  </div></div>
543
  <?php
544
  }
545
 
546
  } //end class
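Review bot: if `render_tab4()` was moved into the Brute Force menu rather than rewritten, two defects in the removed block should be fixed at its new location. First, the .htaccess result check `if ($res){ ... } else if($res == -1){ ... }` can never reach the error branch, because -1 is truthy in PHP; a failed write therefore prints "You have successfully enabled the cookie based brute force prevention feature" and the special login URL although no rules were written. Test `$res == -1` first, as the whitelist code in this patch does with `if ($write_result == -1)`. Second, `set_value('aiowps_enable_brute_force_attack_prevention','1')` runs before `$error` is known; `save_config()` is skipped when the secret word is rejected, but the in-memory config is already toggled for the rest of the request, so move that call under the `if (!$error)` guard. Minor: `$brute_force_login_feature_link` assigned in the yellow box was never used.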
admin/wp-security-settings-menu.php CHANGED
@@ -194,7 +194,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
194
  die("Nonce check failed on htaccess file save!");
195
  }
196
  $htaccess_path = ABSPATH . '.htaccess';
197
- $result = AIOWPSecurity_Utility_File::backup_a_file($htaccess_path); //Backup the htaccess file
198
 
199
  if ($result)
200
  {
194
  die("Nonce check failed on htaccess file save!");
195
  }
196
  $htaccess_path = ABSPATH . '.htaccess';
197
+ $result = AIOWPSecurity_Utility_File::backup_and_rename_wp_config($htaccess_path); //Backup the htaccess file
198
 
199
  if ($result)
200
  {
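Review bot: `backup_and_rename_wp_config($htaccess_path)` with the trailing comment `//Backup the htaccess file` is a naming mismatch that will mislead the next reader; if the function is path-agnostic, rename it to something like `backup_and_rename_file()`, otherwise add a sibling for .htaccess. Since the changelog describes this as making the backups "more secure", confirm that whatever protects the wp-config backup (presumably a non-guessable filename) applies to the .htaccess backup too, so neither copy is left at a predictable path under the web root.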
admin/wp-security-user-login-menu.php CHANGED
@@ -12,8 +12,6 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
12
  'tab3' => 'render_tab3',
13
  'tab4' => 'render_tab4',
14
  'tab5' => 'render_tab5',
15
- 'tab6' => 'render_tab6',
16
- 'tab7' => 'render_tab7',
17
  );
18
 
19
  function __construct()
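Review bot: this hunk drops only `tab6` and `tab7` from the tab-to-method map, so `tab2` through `tab5` still point at `render_tab2()`..`render_tab5()`, yet the later hunk in this file deletes the body of `render_tab2()` and all of `render_tab3()`. The remaining render methods must be renumbered somewhere in the part of the file not shown here; if they are not, `tab3` resolves to a missing method and selecting it is a fatal error. Worth a quick check that every key left in the map has a method behind it.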
@@ -25,12 +23,10 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
25
  {
26
  $this->menu_tabs = array(
27
  'tab1' => __('Login Lockdown', 'aiowpsecurity'),
28
- 'tab2' => __('Login Captcha', 'aiowpsecurity'),
29
- 'tab3' => __('Login Whitelist', 'aiowpsecurity'),
30
- 'tab4' => __('Failed Login Records', 'aiowpsecurity'),
31
- 'tab5' => __('Force Logout', 'aiowpsecurity'),
32
- 'tab6' => __('Account Activity Logs', 'aiowpsecurity'),
33
- 'tab7' => __('Logged In Users', 'aiowpsecurity'),
34
  );
35
  }
36
 
@@ -163,7 +159,7 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
163
  <h2><?php _e('Login Lockdown Configuration', 'aiowpsecurity')?></h2>
164
  <div class="aio_blue_box">
165
  <?php
166
- $brute_force_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_FIREWALL_MENU_SLUG.'&tab=tab4">Cookie-Based Brute Force Login Prevention</a>';
167
  echo '<p>'.__('One of the ways hackers try to compromise sites is via a ', 'aiowpsecurity').'<strong>'.__('Brute Force Login Attack', 'aiowpsecurity').'</strong>.
168
  <br />'.__('This is where attackers use repeated login attempts until they guess the password.', 'aiowpsecurity').'
169
  <br />'.__('Apart from choosing strong passwords, monitoring and blocking IP addresses which are involved in repeated login failures in a short period of time is a very effective way to stop these types of attacks.', 'aiowpsecurity').
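Review bot: the hunk header (`-163,7 +159,7`) implies the removed `$brute_force_login_feature_link` definition is replaced by one new line that the rendered diff does not show. Confirm the replacement points at `AIOWPSEC_BRUTE_FORCE_MENU_SLUG` and the correct tab, since the blue-box text below still uses the variable in its `sprintf`; otherwise the Login Lockdown page links to a firewall tab that this patch removes.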
@@ -268,223 +264,6 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
268
  }
269
 
270
  function render_tab2()
271
- {
272
- global $aio_wp_security;
273
- global $aiowps_feature_mgr;
274
-
275
- if(isset($_POST['aiowpsec_save_captcha_settings']))//Do form submission tasks
276
- {
277
- $error = '';
278
- $nonce=$_REQUEST['_wpnonce'];
279
- if (!wp_verify_nonce($nonce, 'aiowpsec-captcha-settings-nonce'))
280
- {
281
- $aio_wp_security->debug_logger->log_debug("Nonce check failed on captcha settings save!",4);
282
- die("Nonce check failed on captcha settings save!");
283
- }
284
-
285
-
286
- //Save all the form values to the options
287
- $random_20_digit_string = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(20); //Generate random 20 char string for use during captcha encode/decode
288
- $aio_wp_security->configs->set_value('aiowps_captcha_secret_key', $random_20_digit_string);
289
- $aio_wp_security->configs->set_value('aiowps_enable_login_captcha',isset($_POST["aiowps_enable_login_captcha"])?'1':'');
290
- $aio_wp_security->configs->set_value('aiowps_enable_lost_password_captcha',isset($_POST["aiowps_enable_lost_password_captcha"])?'1':'');
291
- $aio_wp_security->configs->save_config();
292
-
293
- //Recalculate points after the feature status/options have been altered
294
- $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
295
-
296
- $this->show_msg_settings_updated();
297
- }
298
- ?>
299
- <div class="aio_blue_box">
300
- <?php
301
- echo '<p>'.__('This feature allows you to add a captcha form on the WordPress login page.', 'aiowpsecurity').'
302
- <br />'.__('Users who attempt to login will also need to enter the answer to a simple mathematical question - if they enter the wrong answer, the plugin will not allow them login even if they entered the correct username and password.', 'aiowpsecurity').'
303
- <br />'.__('Therefore, adding a captcha form on the login page is another effective yet simple "Brute Force" prevention technique.', 'aiowpsecurity').'
304
- </p>';
305
- ?>
306
- </div>
307
- <form action="" method="POST">
308
- <div class="postbox">
309
- <h3><label for="title"><?php _e('Login Form Captcha Settings', 'aiowpsecurity'); ?></label></h3>
310
- <div class="inside">
311
- <?php
312
- //Display security info badge
313
- global $aiowps_feature_mgr;
314
- $aiowps_feature_mgr->output_feature_details_badge("user-login-captcha");
315
- ?>
316
-
317
- <?php wp_nonce_field('aiowpsec-captcha-settings-nonce'); ?>
318
- <table class="form-table">
319
- <tr valign="top">
320
- <th scope="row"><?php _e('Enable Captcha On Login Page', 'aiowpsecurity')?>:</th>
321
- <td>
322
- <input name="aiowps_enable_login_captcha" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_login_captcha')=='1') echo ' checked="checked"'; ?> value="1"/>
323
- <span class="description"><?php _e('Check this if you want to insert a captcha form on the login page', 'aiowpsecurity'); ?></span>
324
- </td>
325
- </tr>
326
- </table>
327
- </div></div>
328
- <div class="postbox">
329
- <h3><label for="title"><?php _e('Lost Password Form Captcha Settings', 'aiowpsecurity'); ?></label></h3>
330
- <div class="inside">
331
- <?php
332
- //Display security info badge
333
- global $aiowps_feature_mgr;
334
- $aiowps_feature_mgr->output_feature_details_badge("lost-password-captcha");
335
- ?>
336
-
337
- <table class="form-table">
338
- <tr valign="top">
339
- <th scope="row"><?php _e('Enable Captcha On Lost Password Page', 'aiowpsecurity')?>:</th>
340
- <td>
341
- <input name="aiowps_enable_lost_password_captcha" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_lost_password_captcha')=='1') echo ' checked="checked"'; ?> value="1"/>
342
- <span class="description"><?php _e('Check this if you want to insert a captcha form on the lost password page', 'aiowpsecurity'); ?></span>
343
- </td>
344
- </tr>
345
- </table>
346
- </div></div>
347
- <input type="submit" name="aiowpsec_save_captcha_settings" value="<?php _e('Save Settings', 'aiowpsecurity')?>" class="button-primary" />
348
- </form>
349
- <?php
350
- }
351
-
352
- function render_tab3()
353
- {
354
- global $aio_wp_security;
355
- global $aiowps_feature_mgr;
356
- $result = 1;
357
- $your_ip_address = AIOWPSecurity_Utility_IP::get_user_ip_address();
358
- if (isset($_POST['aiowps_save_whitelist_settings']))
359
- {
360
- $nonce=$_REQUEST['_wpnonce'];
361
- if (!wp_verify_nonce($nonce, 'aiowpsec-whitelist-settings-nonce'))
362
- {
363
- $aio_wp_security->debug_logger->log_debug("Nonce check failed for save whitelist settings!",4);
364
- die(__('Nonce check failed for save whitelist settings!','aiowpsecurity'));
365
- }
366
-
367
- if (isset($_POST["aiowps_enable_whitelisting"]) && empty($_POST['aiowps_allowed_ip_addresses']))
368
- {
369
- $this->show_msg_error('You must submit at least one IP address!','aiowpsecurity');
370
- }
371
- else
372
- {
373
- if (!empty($_POST['aiowps_allowed_ip_addresses']))
374
- {
375
- $ip_addresses = $_POST['aiowps_allowed_ip_addresses'];
376
- $ip_list_array = AIOWPSecurity_Utility_IP::create_ip_list_array_from_string_with_newline($ip_addresses);
377
- $payload = AIOWPSecurity_Utility_IP::validate_ip_list($ip_list_array, 'whitelist');
378
- if($payload[0] == 1){
379
- //success case
380
- $result = 1;
381
- $list = $payload[1];
382
- $banned_ip_data = implode(PHP_EOL, $list);
383
- $aio_wp_security->configs->set_value('aiowps_allowed_ip_addresses',$banned_ip_data);
384
- $_POST['aiowps_allowed_ip_addresses'] = ''; //Clear the post variable for the banned address list
385
- }
386
- else{
387
- $result = -1;
388
- $error_msg = $payload[1][0];
389
- $this->show_msg_error($error_msg);
390
- }
391
-
392
- }
393
- else
394
- {
395
- $aio_wp_security->configs->set_value('aiowps_allowed_ip_addresses',''); //Clear the IP address config value
396
- }
397
-
398
- if ($result == 1)
399
- {
400
- $aio_wp_security->configs->set_value('aiowps_enable_whitelisting',isset($_POST["aiowps_enable_whitelisting"])?'1':'');
401
- $aio_wp_security->configs->save_config(); //Save the configuration
402
-
403
- //Recalculate points after the feature status/options have been altered
404
- $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
405
-
406
- $this->show_msg_settings_updated();
407
-
408
- $write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); //now let's write to the .htaccess file
409
- if ($write_result == -1)
410
- {
411
- $this->show_msg_error(__('The plugin was unable to write to the .htaccess file. Please edit file manually.','aiowpsecurity'));
412
- $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_whitelist_Menu - The plugin was unable to write to the .htaccess file.");
413
- }
414
- }
415
- }
416
- }
417
- ?>
418
- <h2><?php _e('Login Whitelist', 'aiowpsecurity')?></h2>
419
- <div class="aio_blue_box">
420
- <?php
421
- echo '<p>'.__('The All In One WP Security Whitelist feature gives you the option of only allowing certain IP addresses or ranges to have access to your WordPress login page.', 'aiowpsecurity').'
422
- <br />'.__('This feature will deny login access for all IP addresses which are not in your whitelist as configured in the settings below.', 'aiowpsecurity').'
423
- <br />'.__('The plugin achieves this by writing the appropriate directives to your .htaccess file.', 'aiowpsecurity').'
424
- <br />'.__('By allowing/blocking IP addresses via the .htaccess file your are using the most secure first line of defence because login access will only be granted to whitelisted IP addresses and other addresses will be blocked as soon as they try to access your login page.', 'aiowpsecurity').'
425
- </p>';
426
- ?>
427
- </div>
428
- <div class="aio_yellow_box">
429
- <?php
430
- $brute_force_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_FIREWALL_MENU_SLUG.'&tab=tab4" target="_blank">Cookie-Based Brute Force Login Prevention</a>';
431
- echo '<p>'.sprintf( __('Attention: If in addition to enabling the white list feature, you also have the %s feature enabled, <strong>you will still need to use your secret word in the URL when trying to access your WordPress login page</strong>.', 'aiowpsecurity'), $brute_force_login_feature_link).'</p>
432
- <p>'.__('These features are NOT functionally related. Having both of them enabled on your site means you are creating 2 layers of security.', 'aiowpsecurity').'</p>';
433
- ?>
434
- </div>
435
-
436
- <div class="postbox">
437
- <h3><label for="title"><?php _e('Login IP Whitelist Settings', 'aiowpsecurity'); ?></label></h3>
438
- <div class="inside">
439
- <?php
440
- //Display security info badge
441
- global $aiowps_feature_mgr;
442
- $aiowps_feature_mgr->output_feature_details_badge("whitelist-manager-ip-login-whitelisting");
443
- ?>
444
- <form action="" method="POST">
445
- <?php wp_nonce_field('aiowpsec-whitelist-settings-nonce'); ?>
446
- <table class="form-table">
447
- <tr valign="top">
448
- <th scope="row"><?php _e('Enable IP Whitelisting', 'aiowpsecurity')?>:</th>
449
- <td>
450
- <input name="aiowps_enable_whitelisting" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_whitelisting')=='1') echo ' checked="checked"'; ?> value="1"/>
451
- <span class="description"><?php _e('Check this if you want to enable the whitelisting of selected IP addresses specified in the settings below', 'aiowpsecurity'); ?></span>
452
- </td>
453
- </tr>
454
- <tr valign="top">
455
- <th scope="row"><?php _e('Your Current IP Address', 'aiowpsecurity')?>:</th>
456
- <td>
457
- <input size="20" name="aiowps_user_ip" type="text" value="<?php echo $your_ip_address; ?>" readonly="readonly"/>
458
- <span class="description"><?php _e('You can copy and paste this address in the text box below if you want to include it in your login whitelist.', 'aiowpsecurity'); ?></span>
459
- </td>
460
- </tr>
461
- <tr valign="top">
462
- <th scope="row"><?php _e('Enter Whitelisted IP Addresses:', 'aiowpsecurity')?></th>
463
- <td>
464
- <textarea name="aiowps_allowed_ip_addresses" rows="5" cols="50"><?php echo ($result == -1)?$_POST['aiowps_allowed_ip_addresses']:$aio_wp_security->configs->get_value('aiowps_allowed_ip_addresses'); ?></textarea>
465
- <br />
466
- <span class="description"><?php _e('Enter one or more IP addresses or IP ranges you wish to include in your whitelist. Only the addresses specified here will have access to the WordPress login page.','aiowpsecurity');?></span>
467
- <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
468
- <div class="aiowps_more_info_body">
469
- <?php
470
- echo '<p class="description">'.__('Each IP address must be on a new line.', 'aiowpsecurity').'</p>';
471
- echo '<p class="description">'.__('To specify an IP range use a wildcard "*" character. Acceptable ways to use wildcards is shown in the examples below:', 'aiowpsecurity').'</p>';
472
- echo '<p class="description">'.__('Example 1: 195.47.89.*', 'aiowpsecurity').'</p>';
473
- echo '<p class="description">'.__('Example 2: 195.47.*.*', 'aiowpsecurity').'</p>';
474
- echo '<p class="description">'.__('Example 3: 195.*.*.*', 'aiowpsecurity').'</p>';
475
- ?>
476
- </div>
477
-
478
- </td>
479
- </tr>
480
- </table>
481
- <input type="submit" name="aiowps_save_whitelist_settings" value="<?php _e('Save Settings', 'aiowpsecurity')?>" class="button-primary" />
482
- </form>
483
- </div></div>
484
- <?php
485
- }
486
-
487
- function render_tab4()
488
  {
489
  global $aio_wp_security, $wpdb;
490
  if (isset($_POST['aiowps_delete_failed_login_records']))
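Review bot: the whitelist form removed in this hunk echoes unescaped request data back into the page, so if it is relocated verbatim to the Brute Force menu the copy should escape it: the textarea prints `$_POST['aiowps_allowed_ip_addresses']` when validation fails (`$result == -1`) and should go through `esc_textarea()`, and the read-only field prints `$your_ip_address` and should use `esc_attr()`. Two smaller carry-overs in the same block: `$this->show_msg_error('You must submit at least one IP address!','aiowpsecurity')` passes the text domain as a second argument instead of wrapping the string in `__()`, and the help link `$brute_force_login_feature_link` still points at `AIOWPSEC_FIREWALL_MENU_SLUG.'&tab=tab4'` while the new code in this file uses `AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=tab2'`, so the relocated copy needs the new target.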
@@ -559,7 +338,7 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
559
  <?php
560
  }
561
 
562
- function render_tab5()
563
  {
564
  global $aio_wp_security;
565
  global $aiowps_feature_mgr;
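Review bot: renaming `render_tab5()` to `render_tab3()` moves Force Logout from `tab5` to `tab3`, and the new `menu_tabs` array in this file reassigns `tab4` and `tab5` to Account Activity Logs and Logged In Users, so any saved link or redirect built with the old `&tab=tab5` now opens a different feature. Grep for hard-coded `tab=` strings targeting this menu (the `AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=tab2'` link added in render_tab1 shows the pattern) and note the renumbering in the changelog.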
@@ -642,7 +421,7 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
642
  <?php
643
  }
644
 
645
- function render_tab6()
646
  {
647
  include_once 'wp-security-list-acct-activity.php'; //For rendering the AIOWPSecurity_List_Table in tab4
648
  $acct_activity_list = new AIOWPSecurity_List_Account_Activity(); //For rendering the AIOWPSecurity_List_Table in tab2
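Review bot: the two comments in the body of the renamed method are stale after the renumbering: `include_once 'wp-security-list-acct-activity.php'; //For rendering the AIOWPSecurity_List_Table in tab4` and `... //For rendering the AIOWPSecurity_List_Table in tab2` now sit inside `render_tab4()`, so the second one is wrong and the first is right only by coincidence. Drop the tab number from both comments so the next move does not leave them wrong again.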
@@ -679,7 +458,7 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
679
  <?php
680
  }
681
 
682
- function render_tab7()
683
  {
684
  $logged_in_users = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('users_online') : get_transient('users_online'));
685
 
12
  'tab3' => 'render_tab3',
13
  'tab4' => 'render_tab4',
14
  'tab5' => 'render_tab5',
 
 
15
  );
16
 
17
  function __construct()
23
  {
24
  $this->menu_tabs = array(
25
  'tab1' => __('Login Lockdown', 'aiowpsecurity'),
26
+ 'tab2' => __('Failed Login Records', 'aiowpsecurity'),
27
+ 'tab3' => __('Force Logout', 'aiowpsecurity'),
28
+ 'tab4' => __('Account Activity Logs', 'aiowpsecurity'),
29
+ 'tab5' => __('Logged In Users', 'aiowpsecurity'),
 
 
30
  );
31
  }
32
 
159
  <h2><?php _e('Login Lockdown Configuration', 'aiowpsecurity')?></h2>
160
  <div class="aio_blue_box">
161
  <?php
162
+ $brute_force_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=tab2">Cookie-Based Brute Force Login Prevention</a>';
163
  echo '<p>'.__('One of the ways hackers try to compromise sites is via a ', 'aiowpsecurity').'<strong>'.__('Brute Force Login Attack', 'aiowpsecurity').'</strong>.
164
  <br />'.__('This is where attackers use repeated login attempts until they guess the password.', 'aiowpsecurity').'
165
  <br />'.__('Apart from choosing strong passwords, monitoring and blocking IP addresses which are involved in repeated login failures in a short period of time is a very effective way to stop these types of attacks.', 'aiowpsecurity').
264
  }
265
 
266
  function render_tab2()
267
  {
268
  global $aio_wp_security, $wpdb;
269
  if (isset($_POST['aiowps_delete_failed_login_records']))
338
  <?php
339
  }
340
 
341
+ function render_tab3()
342
  {
343
  global $aio_wp_security;
344
  global $aiowps_feature_mgr;
421
  <?php
422
  }
423
 
424
+ function render_tab4()
425
  {
426
  include_once 'wp-security-list-acct-activity.php'; //For rendering the AIOWPSecurity_List_Table in tab4
427
  $acct_activity_list = new AIOWPSecurity_List_Account_Activity(); //For rendering the AIOWPSecurity_List_Table in tab2
458
  <?php
459
  }
460
 
461
+ function render_tab5()
462
  {
463
  $logged_in_users = (AIOWPSecurity_Utility::is_multisite_install() ? get_site_transient('users_online') : get_transient('users_online'));
464
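Review bot: `$brute_force_login_feature_link` is built in render_tab1 with the anchor text `Cookie-Based Brute Force Login Prevention` as a literal, while every other user-facing string in this file goes through `__()`; wrap the text in `__( ..., 'aiowpsecurity')`. The context shown does not include the `sprintf()` that consumes the variable, so confirm the `target="_blank"` that the removed copy carried was dropped intentionally.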
 
classes/wp-security-file-scan.php CHANGED
@@ -28,6 +28,10 @@ class AIOWPSecurity_Filescan
28
  $aio_wp_security->debug_logger->log_debug("File Change Detection Feature: change to filesystem detected!");
29
 
30
  $this->aiowps_send_file_change_alert_email(); //Send file change scan results via email if applicable
31
  }
32
  return $scan_result;
33
  }
28
  $aio_wp_security->debug_logger->log_debug("File Change Detection Feature: change to filesystem detected!");
29
 
30
  $this->aiowps_send_file_change_alert_email(); //Send file change scan results via email if applicable
31
+ }else if(empty($scan_result['files_added']) && empty($scan_result['files_removed']) && empty($scan_result['files_changed'])){
32
+ //Reset the change flag
33
+ $aio_wp_security->configs->set_value('aiowps_fcds_change_detected', FALSE);
34
+ $aio_wp_security->configs->save_config();
35
  }
36
  return $scan_result;
37
  }
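Review bot: the new `else if` re-tests `empty($scan_result['files_added']) && empty($scan_result['files_removed']) && empty($scan_result['files_changed'])`, which reads as the exact negation of the `if` above it (the branch that logs "change to filesystem detected!"); if that is the case a plain `else` is clearer and cannot drift out of sync with the condition. Also guard the reset with the current flag value: `set_value('aiowps_fcds_change_detected', FALSE)` plus `save_config()` runs on every clean scan, which is a config write per scheduled scan even when nothing changed; only write when the flag is currently set, and store the flag in the same form the code that sets it uses (`'1'`/`''` is the convention visible elsewhere in this diff, e.g. `aiowps_enable_whitelisting`).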
classes/wp-security-process-renamed-login-page.php CHANGED
@@ -9,6 +9,7 @@ class AIOWPSecurity_Process_Renamed_Login_Page
9
  add_filter('site_url', array(&$this, 'aiowps_site_url'), 10, 2);
10
  add_filter('network_site_url', array(&$this, 'aiowps_site_url'), 10, 2);
11
  add_filter('wp_redirect', array(&$this, 'aiowps_wp_redirect'), 10, 2);
 
12
 
13
  }
14
 
9
  add_filter('site_url', array(&$this, 'aiowps_site_url'), 10, 2);
10
  add_filter('network_site_url', array(&$this, 'aiowps_site_url'), 10, 2);
11
  add_filter('wp_redirect', array(&$this, 'aiowps_wp_redirect'), 10, 2);
12
+ remove_action('template_redirect', 'wp_redirect_admin_locations', 1000); //To prevent redirect to login page when people type "login" at end of home URL
13
 
14
  }
15
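Review bot: `remove_action('template_redirect', 'wp_redirect_admin_locations', 1000)` does more than the comment says: that core callback also handles the `/admin`, `/dashboard` and `/wp-admin` shortcut URLs, so removing it disables those convenience redirects as well as the `/login` one. That may be the intended behaviour for a renamed login page, but it should be called out in the changelog rather than described only as "a small bug", and the call only takes effect if it runs after core has registered the action at priority 1000 in default-filters.php, which holds as long as this constructor runs from a plugin hook.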
 
classes/wp-security-user-login.php CHANGED
@@ -382,10 +382,19 @@ class AIOWPSecurity_User_Login
382
  return $last_login;
383
  }
384
 
385
- function wp_login_action_handler($user_login, $user)
386
  {
387
  global $wpdb, $aio_wp_security;
388
  $login_activity_table = AIOWPSEC_TBL_USER_LOGIN_ACTIVITY;
389
  $login_date_time = current_time('mysql');
390
  update_user_meta($user->ID, 'last_login_time', $login_date_time); //store last login time in meta table
391
  $curr_ip_address = AIOWPSecurity_Utility_IP::get_user_ip_address();
382
  return $last_login;
383
  }
384
 
385
+ function wp_login_action_handler($user_login, $user='')
386
  {
387
  global $wpdb, $aio_wp_security;
388
  $login_activity_table = AIOWPSEC_TBL_USER_LOGIN_ACTIVITY;
389
+
390
+ if ($user == ''){
391
+ //Try and get user object
392
+ $user = get_user_by('login', $user_login); //This should return WP_User obj
393
+ if (!$user){
394
+ $aio_wp_security->debug_logger->log_debug("AIOWPSecurity_User_Login::wp_login_action_handler: Unable to get WP_User object for login ".$user_login,4);
395
+ return;
396
+ }
397
+ }
398
  $login_date_time = current_time('mysql');
399
  update_user_meta($user->ID, 'last_login_time', $login_date_time); //store last login time in meta table
400
  $curr_ip_address = AIOWPSecurity_Utility_IP::get_user_ip_address();
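Review bot: the fallback condition `if ($user == '')` works for the missing-argument case but depends on loose comparison: a `WP_User` object compared to a string goes through PHP's object comparison rules rather than an explicit type check, and `null` and `false` also satisfy `== ''`. A clearer version is `function wp_login_action_handler($user_login, $user = null)` with `if (!($user instanceof WP_User))` before `get_user_by('login', $user_login)`, which states the intent and also catches a wrong-typed second argument. The `return` after the `log_debug` failure is correct, since `$user->ID` is dereferenced right after.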
classes/wp-security-utility-file.php CHANGED
@@ -52,7 +52,53 @@ class AIOWPSecurity_Utility_File
52
  }
53
  return true;
54
  }
55
 
56
  //Function which reads entire contents of a file and stores serialized contents into our global_meta table
57
  static function backup_file_contents_to_db($src_file_path, $key_description)
58
  {
52
  }
53
  return true;
54
  }
55
+
56
+ static function backup_and_rename_wp_config($src_file_path, $prefix = 'backup')
57
+ {
58
+ global $aio_wp_security;
59
+
60
+ //Check to see if the main "backups" directory exists - create it otherwise
61
+ $aiowps_backup_dir = WP_CONTENT_DIR.'/'.AIO_WP_SECURITY_BACKUPS_DIR_NAME;
62
+ if (!AIOWPSecurity_Utility_File::create_dir($aiowps_backup_dir))
63
+ {
64
+ $aio_wp_security->debug_logger->log_debug("backup_and_rename_wp_config - Creation of backup directory failed!",4);
65
+ return false;
66
+ }
67
+
68
+ $src_parts = pathinfo($src_file_path);
69
+ $backup_file_name = $prefix . '.' . $src_parts['basename'];
70
+
71
+ $backup_file_path = $aiowps_backup_dir . '/' . $backup_file_name;
72
+ if (!copy($src_file_path, $backup_file_path)) {
73
+ //Failed to make a backup copy
74
+ return false;
75
+ }
76
+ return true;
77
+ }
78
 
79
+ static function backup_and_rename_htaccess($src_file_path, $suffix = 'backup')
80
+ {
81
+ global $aio_wp_security;
82
+
83
+ //Check to see if the main "backups" directory exists - create it otherwise
84
+ $aiowps_backup_dir = WP_CONTENT_DIR.'/'.AIO_WP_SECURITY_BACKUPS_DIR_NAME;
85
+ if (!AIOWPSecurity_Utility_File::create_dir($aiowps_backup_dir))
86
+ {
87
+ $aio_wp_security->debug_logger->log_debug("backup_and_rename_htaccess - Creation of backup directory failed!",4);
88
+ return false;
89
+ }
90
+
91
+ $src_parts = pathinfo($src_file_path);
92
+ $backup_file_name = $src_parts['basename'] . '.' . $suffix;
93
+
94
+ $backup_file_path = $aiowps_backup_dir . '/' . $backup_file_name;
95
+ if (!copy($src_file_path, $backup_file_path)) {
96
+ //Failed to make a backup copy
97
+ return false;
98
+ }
99
+ return true;
100
+ }
101
+
102
  //Function which reads entire contents of a file and stores serialized contents into our global_meta table
103
  static function backup_file_contents_to_db($src_file_path, $key_description)
104
  {
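Review bot: `backup_and_rename_wp_config()` and `backup_and_rename_htaccess()` are the same function apart from where the `backup` token goes in the file name (`$prefix . '.' . $src_parts['basename']` versus `$src_parts['basename'] . '.' . $suffix`); fold them into one helper that takes the target name, and log the `copy()` failure the way the directory failure is logged (the `//Failed to make a backup copy` branch returns `false` silently). On the security intent: both copies land in `WP_CONTENT_DIR.'/'.AIO_WP_SECURITY_BACKUPS_DIR_NAME`, which is inside the web root, so `backup.wp-config.php` keeps a `.php` extension (executed rather than served as source if requested directly) but `.htaccess.backup` relies on the server refusing `.ht*` files; make sure the backups directory itself ships with a deny-all `.htaccess` and an empty `index.html`. Since `copy()` overwrites the previous backup on every call, a bad write followed by a second save replaces the only good copy; a timestamp or a small rotation would keep at least one known-good version.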
classes/wp-security-utility-htaccess.php CHANGED
@@ -112,7 +112,7 @@ class AIOWPSecurity_Utility_Htaccess
112
  return -1;
113
  }
114
  }
115
- AIOWPSecurity_Utility_File::backup_a_file($htaccess); //TODO - we dont want to continually be backing up the htaccess file
116
  @ini_set( 'auto_detect_line_endings', true );
117
  $ht = explode( PHP_EOL, implode( '', file( $htaccess ) ) ); //parse each line of file into array
118
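Review bot: the return value of `AIOWPSecurity_Utility_File::backup_and_rename_htaccess($htaccess)` is discarded, so when the backup fails (the new helper returns `false` when the backups directory cannot be created or `copy()` fails) `write_to_htaccess()` still goes on to rewrite the file; the wp-config call site in this same change checks the result and aborts with an error, and this one should do the same. The `//TODO - we dont want to continually be backing up the htaccess file` comment carried over from the old line is still accurate and is related: backing up on every write is what makes overwriting the previous backup a problem.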
 
@@ -245,18 +245,18 @@ class AIOWPSecurity_Utility_Htaccess
245
  if($aio_wp_security->configs->get_value('aiowps_prevent_default_wp_file_access')=='1')
246
  {
247
  $rules .= AIOWPSecurity_Utility_Htaccess::$prevent_wp_file_access_marker_start . PHP_EOL; //Add feature marker start
248
- $rules .= '<files license.txt>
249
  order allow,deny
250
  deny from all
251
  </files>
252
- <files wp-config-sample.php>
253
  order allow,deny
254
  deny from all
255
- </files>
256
- <files readme.html>
257
  order allow,deny
258
  deny from all
259
- </files>' . PHP_EOL;
260
  $rules .= AIOWPSecurity_Utility_Htaccess::$prevent_wp_file_access_marker_end . PHP_EOL; //Add feature marker end
261
  }
262
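Review bot: the `<files>` to `<Files>` capitalisation is cosmetic for Apache (section and directive names are case-insensitive), but the closing tag of the first block, `</files>` after the `license.txt` rules, is left lowercase while the other two are changed, so the three blocks end up inconsistent. The more important point in this block is `order allow,deny` / `deny from all`: those are Apache 2.2 authorization directives that only work on 2.4 when `mod_access_compat` is loaded; emitting a `<IfModule mod_authz_core.c>` branch with `Require all denied` and keeping the 2.2 form in a `<IfModule !mod_authz_core.c>` branch keeps these deny rules from turning into a 500 on a 2.4 host.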
 
@@ -409,10 +409,10 @@ class AIOWPSecurity_Utility_Htaccess
409
  {
410
  $rules .= AIOWPSecurity_Utility_Htaccess::$basic_htaccess_rules_marker_start . PHP_EOL; //Add feature marker start
411
  //protect the htaccess file - this is done by default with apache config file but we are including it here for good measure
412
- $rules .= '<files .htaccess>' . PHP_EOL;
413
  $rules .= 'order allow,deny' . PHP_EOL;
414
  $rules .= 'deny from all' . PHP_EOL;
415
- $rules .= '</files>' . PHP_EOL;
416
 
417
  //disable the server signature
418
  $rules .= 'ServerSignature Off' . PHP_EOL;
@@ -421,10 +421,10 @@ class AIOWPSecurity_Utility_Htaccess
421
  $rules .= 'LimitRequestBody 10240000' . PHP_EOL;
422
 
423
  // protect wpconfig.php.
424
- $rules .= '<files wp-config.php>' . PHP_EOL;
425
  $rules .= 'order allow,deny' . PHP_EOL;
426
  $rules .= 'deny from all' . PHP_EOL;
427
- $rules .= '</files>' . PHP_EOL;
428
 
429
  $rules .= AIOWPSecurity_Utility_Htaccess::$basic_htaccess_rules_marker_end . PHP_EOL; //Add feature marker end
430
  }
@@ -838,15 +838,7 @@ class AIOWPSecurity_Utility_Htaccess
838
  <ifModule mod_rewrite.c>
839
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
840
  RewriteRule .* - [F]
841
- </IfModule>
842
-
843
- # 5G:[BAD IPS]
844
- <limit GET POST PUT>
845
- Order Allow,Deny
846
- Allow from all
847
- # uncomment/edit/repeat next line to block IPs
848
- # Deny from 123.456.789
849
- </limit>' . PHP_EOL;
850
  $rules .= AIOWPSecurity_Utility_Htaccess::$five_g_blacklist_marker_end . PHP_EOL; //Add feature marker end
851
  }
852
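Review bot: dropping the `# 5G:[BAD IPS]` `<limit GET POST PUT>` block is fine functionally, since with `Allow from all` and the `Deny` line commented out it was a placeholder that blocked nothing, but it is a user-visible change to the generated 5G rules and is not in the changelog. While touching this block, the opening `<ifModule mod_rewrite.c>` and the now-terminating `</IfModule>' . PHP_EOL;` differ in case; harmless to Apache but worth aligning.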
 
112
  return -1;
113
  }
114
  }
115
+ AIOWPSecurity_Utility_File::backup_and_rename_htaccess($htaccess); //TODO - we dont want to continually be backing up the htaccess file
116
  @ini_set( 'auto_detect_line_endings', true );
117
  $ht = explode( PHP_EOL, implode( '', file( $htaccess ) ) ); //parse each line of file into array
118
 
245
  if($aio_wp_security->configs->get_value('aiowps_prevent_default_wp_file_access')=='1')
246
  {
247
  $rules .= AIOWPSecurity_Utility_Htaccess::$prevent_wp_file_access_marker_start . PHP_EOL; //Add feature marker start
248
+ $rules .= '<Files license.txt>
249
  order allow,deny
250
  deny from all
251
  </files>
252
+ <Files wp-config-sample.php>
253
  order allow,deny
254
  deny from all
255
+ </Files>
256
+ <Files readme.html>
257
  order allow,deny
258
  deny from all
259
+ </Files>' . PHP_EOL;
260
  $rules .= AIOWPSecurity_Utility_Htaccess::$prevent_wp_file_access_marker_end . PHP_EOL; //Add feature marker end
261
  }
262
 
409
  {
410
  $rules .= AIOWPSecurity_Utility_Htaccess::$basic_htaccess_rules_marker_start . PHP_EOL; //Add feature marker start
411
  //protect the htaccess file - this is done by default with apache config file but we are including it here for good measure
412
+ $rules .= '<Files .htaccess>' . PHP_EOL;
413
  $rules .= 'order allow,deny' . PHP_EOL;
414
  $rules .= 'deny from all' . PHP_EOL;
415
+ $rules .= '</Files>' . PHP_EOL;
416
 
417
  //disable the server signature
418
  $rules .= 'ServerSignature Off' . PHP_EOL;
421
  $rules .= 'LimitRequestBody 10240000' . PHP_EOL;
422
 
423
  // protect wpconfig.php.
424
+ $rules .= '<Files wp-config.php>' . PHP_EOL;
425
  $rules .= 'order allow,deny' . PHP_EOL;
426
  $rules .= 'deny from all' . PHP_EOL;
427
+ $rules .= '</Files>' . PHP_EOL;
428
 
429
  $rules .= AIOWPSecurity_Utility_Htaccess::$basic_htaccess_rules_marker_end . PHP_EOL; //Add feature marker end
430
  }
838
  <ifModule mod_rewrite.c>
839
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
840
  RewriteRule .* - [F]
841
+ </IfModule>' . PHP_EOL;
842
  $rules .= AIOWPSecurity_Utility_Htaccess::$five_g_blacklist_marker_end . PHP_EOL; //Add feature marker end
843
  }
844
 
classes/wp-security-utility.php CHANGED
@@ -201,7 +201,7 @@ class AIOWPSecurity_Utility
201
  }
202
 
203
  //Make a backup of the config file
204
- if(!AIOWPSecurity_Utility_File::backup_a_file($config_file))
205
  {
206
  $this->show_msg_error(__('Failed to make a backup of the wp-config.php file. This operation will not go ahead.', 'aiowpsecurity'));
207
  //$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Failed to make a backup of the wp-config.php file.",4);
201
  }
202
 
203
  //Make a backup of the config file
204
+ if(!AIOWPSecurity_Utility_File::backup_and_rename_wp_config($config_file))
205
  {
206
  $this->show_msg_error(__('Failed to make a backup of the wp-config.php file. This operation will not go ahead.', 'aiowpsecurity'));
207
  //$aio_wp_security->debug_logger->log_debug("Disable PHP File Edit - Failed to make a backup of the wp-config.php file.",4);
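Review bot: this call site checks `backup_and_rename_wp_config($config_file)` and aborts with `show_msg_error()` on failure, which is the pattern the htaccess call site in this change should also follow; the debug-log line beneath it is still commented out, so either restore `$aio_wp_security->debug_logger->log_debug(...)` (a failed wp-config backup is exactly what an admin needs in the log) or remove the dead line.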
other-includes/wp-security-rename-login-feature.php CHANGED
@@ -902,7 +902,7 @@ d.select();
902
  }, 200);
903
  }
904
 
905
- <?php if ( !$error ) { ?>
906
  wp_attempt_focus();
907
  <?php } ?>
908
  if(typeof wpOnload=='function')wpOnload();
902
  }, 200);
903
  }
904
 
905
+ <?php if ( !$errors ) { ?>
906
  wp_attempt_focus();
907
  <?php } ?>
908
  if(typeof wpOnload=='function')wpOnload();
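Review bot: `<?php if ( !$errors ) { ?>` is only a fix if `$errors` is a boolean or null in this file; if it is a `WP_Error` object, as the plural name suggests and as wp-login.php-style code normally builds, `!$errors` is always false because a PHP object is truthy, and `wp_attempt_focus()` will never be emitted. In that case use `if ( ! $errors->get_error_code() )`, which is the "no errors recorded" test for a `WP_Error`.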
readme.txt CHANGED
@@ -4,7 +4,7 @@ Donate link: http://www.tipsandtricks-hq.com
4
  Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha
5
  Requires at least: 3.5
6
  Tested up to: 3.8
7
- Stable tag: 3.3
8
  License: GPLv3
9
 
10
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
@@ -39,9 +39,7 @@ you are making it 50% easier for hackers because they already know the login nam
39
  via email whenever somebody gets locked out due to too many login attempts.
40
 
41
  * As the administrator you can view a list of all locked out users which are displayed in an easily readable and navigable table which also allows you to unlock individual or bulk IP addresses at the click of a button.
42
-
43
  * Force logout of all users after a configurable time period
44
-
45
  * Monitor/View failed login attempts which show the user's IP address, User ID/Username and Date/Time of the failed login attempt
46
 
47
  * Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
@@ -148,6 +146,13 @@ None
148
 
149
  == Changelog ==
150
 
151
  = 3.3 =
152
  - Added a brand new brute force prevention feature - Rename Login Page. This feature can be found in the new menu item called "Brute Force".
153
  - Modified the new unlock request feature so that the locked out user will only have to enter email address when they submit an unlock request.
4
  Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha
5
  Requires at least: 3.5
6
  Tested up to: 3.8
7
+ Stable tag: 3.4
8
  License: GPLv3
9
 
10
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
39
  via email whenever somebody gets locked out due to too many login attempts.
40
 
41
  * As the administrator you can view a list of all locked out users which are displayed in an easily readable and navigable table which also allows you to unlock individual or bulk IP addresses at the click of a button.
 
42
  * Force logout of all users after a configurable time period
 
43
  * Monitor/View failed login attempts which show the user's IP address, User ID/Username and Date/Time of the failed login attempt
44
 
45
  * Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
146
 
147
  == Changelog ==
148
 
149
+ = 3.4 =
150
+ - Consolidated "Brute Force" features by moving all such features to the "Brute Force" menu.
151
+ - Improved the file change detection scan feature: Introduced a button allowing admin to view the file change results from the last scan and fixed small bug whereby the change detected flag was not being cleared for applicable cases.
152
+ - Fixed a small bug with "rename login page" feature.
153
+ - Made wp-config.php and .htaccess file backups more secure. Thanks to @wzp for the tip.
154
+ - Made the login code more robust by catering for cases where the "wp_login" action was not passing 2 parameters.
155
+
156
  = 3.3 =
157
  - Added a brand new brute force prevention feature - Rename Login Page. This feature can be found in the new menu item called "Brute Force".
158
  - Modified the new unlock request feature so that the locked out user will only have to enter email address when they submit an unlock request.
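Review bot: the changelog entry "Made wp-config.php and .htaccess file backups more secure" does not say what changed; an admin restoring from a backup needs to know that the copies are now written as `backup.wp-config.php` and `.htaccess.backup` in the plugin's backups directory instead of by `backup_a_file()`. The entry for the "rename login page" bug should mention that the core `/login` (and `/admin`, `/dashboard`) shortcut redirect is now unhooked, and the removal of the 5G `[BAD IPS]` block from the generated rules is missing from the list entirely.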
wp-security-core.php CHANGED
@@ -3,7 +3,7 @@
3
  if (!class_exists('AIO_WP_Security')){
4
 
5
  class AIO_WP_Security{
6
- var $version = '3.3';
7
  var $db_version = '1.4';
8
  var $plugin_url;
9
  var $plugin_path;
3
  if (!class_exists('AIO_WP_Security')){
4
 
5
  class AIO_WP_Security{
6
+ var $version = '3.4';
7
  var $db_version = '1.4';
8
  var $plugin_url;
9
  var $plugin_path;
wp-security.php CHANGED
@@ -1,7 +1,7 @@
1
  <?php
2
  /*
3
  Plugin Name: All In One WP Security
4
- Version: v3.3
5
  Plugin URI: http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
6
  Author: Tips and Tricks HQ, Peter, Ruhul, Ivy
7
  Author URI: http://www.tipsandtricks-hq.com/
1
  <?php
2
  /*
3
  Plugin Name: All In One WP Security
4
+ Version: v3.4
5
  Plugin URI: http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
6
  Author: Tips and Tricks HQ, Peter, Ruhul, Ivy
7
  Author URI: http://www.tipsandtricks-hq.com/