All In One WP Security & Firewall - Version 3.5.1

Version Description

  • Fixed a bug where the cookie-based brute force directives were not being deleted from the .htaccess file when the Rename Login Page feature was being activated.

Release Info

Developer mra13
Version 3.5.1

Code changes from version 3.4 to 3.5.1

admin/wp-security-brute-force-menu.php CHANGED
@@ -105,13 +105,24 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
105
  $this->show_msg_error(__('Attention!','aiowpsecurity').$error);
106
  }else{
107
  //Save all the form values to the options
108
- $aio_wp_security->configs->set_value('aiowps_enable_rename_login_page',isset($_POST["aiowps_enable_rename_login_page"])?'1':'');
 
 
 
 
 
109
  $aio_wp_security->configs->set_value('aiowps_login_page_slug',$aiowps_login_page_slug);
110
  $aio_wp_security->configs->save_config();
111
 
112
  //Recalculate points after the feature status/options have been altered
113
  $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
114
- $this->show_msg_settings_updated();
 
 
 
 
 
 
115
  }
116
  }
117
 
@@ -139,6 +150,7 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
139
  <p><?php _e('Your WordPress login page URL has been renamed.', 'aiowpsecurity'); ?></p>
140
  <p><?php _e('Your current login URL is:', 'aiowpsecurity'); ?></p>
141
  <p><strong><?php echo $home_url.$aio_wp_security->configs->get_value('aiowps_login_page_slug'); ?></strong></p>
 
142
  </div>
143
 
144
  <?php
@@ -213,7 +225,8 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
213
  }
214
 
215
  $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','1');
216
-
 
217
  if (!$error)
218
  {
219
  $aio_wp_security->configs->set_value('aiowps_brute_force_secret_word',$brute_force_feature_secret_word);
@@ -295,6 +308,18 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
295
  '<br />'.$info_msg2.'</p>';
296
  ?>
297
  </div>
 
 
 
 
 
 
 
 
 
 
 
 
298
 
299
  <div class="postbox">
300
  <h3><label for="title"><?php _e('Cookie Based Brute Force Login Prevention', 'aiowpsecurity'); ?></label></h3>
105
  $this->show_msg_error(__('Attention!','aiowpsecurity').$error);
106
  }else{
107
  //Save all the form values to the options
108
+ if (isset($_POST["aiowps_enable_rename_login_page"])){
109
+ $aio_wp_security->configs->set_value('aiowps_enable_rename_login_page', '1');
110
+ $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention', '');//deactivate cookie based feature
111
+ }else{
112
+ $aio_wp_security->configs->set_value('aiowps_enable_rename_login_page', '');
113
+ }
114
  $aio_wp_security->configs->set_value('aiowps_login_page_slug',$aiowps_login_page_slug);
115
  $aio_wp_security->configs->save_config();
116
 
117
  //Recalculate points after the feature status/options have been altered
118
  $aiowps_feature_mgr->check_feature_status_and_recalculate_points();
119
+ $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); //Delete the cookie based directives if that feature is active
120
+ if ($res){
121
+ $this->show_msg_settings_updated();
122
+ }
123
+ else if($res == -1){
124
+ $this->show_msg_error(__('Could not delete the Cookie-based directives from the .htaccess file. Please check the file permissions.', 'aiowpsecurity'));
125
+ }
126
  }
127
  }
128
 
150
  <p><?php _e('Your WordPress login page URL has been renamed.', 'aiowpsecurity'); ?></p>
151
  <p><?php _e('Your current login URL is:', 'aiowpsecurity'); ?></p>
152
  <p><strong><?php echo $home_url.$aio_wp_security->configs->get_value('aiowps_login_page_slug'); ?></strong></p>
153
+ <p><strong><?php _e('NOTE: If you already had the Cookie-Based Brute Force Prevention feature active, the plugin has automatically deactivated it because only one of these features can be active at any one time.', 'aiowpsecurity'); ?></strong></p>
154
  </div>
155
 
156
  <?php
225
  }
226
 
227
  $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','1');
228
+ $aio_wp_security->configs->set_value('aiowps_enable_rename_login_page',''); //Disable the Rename Login Page feature
229
+
230
  if (!$error)
231
  {
232
  $aio_wp_security->configs->set_value('aiowps_brute_force_secret_word',$brute_force_feature_secret_word);
308
  '<br />'.$info_msg2.'</p>';
309
  ?>
310
  </div>
311
+ <?php
312
+ //Show the user the new login URL if this feature is active
313
+ if ($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')=='1')
314
+ {
315
+ ?>
316
+ <div class="aio_yellow_box">
317
+ <p><strong><?php _e('NOTE: If you already had the Rename Login Page feature active, the plugin has automatically deactivated it because only one of these features can be active at any one time.', 'aiowpsecurity'); ?></strong></p>
318
+ </div>
319
+
320
+ <?php
321
+ }
322
+ ?>
323
 
324
  <div class="postbox">
325
  <h3><label for="title"><?php _e('Cookie Based Brute Force Login Prevention', 'aiowpsecurity'); ?></label></h3>
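Review bot: The branch `else if($res == -1)` after the new `write_to_htaccess()` call is unreachable, because `-1` is truthy in PHP and already satisfies `if ($res)`; if `write_to_htaccess()` reports failure with -1 as this code anticipates (its return convention is outside the hunk), the admin is shown "settings updated" instead of the permissions error. Test the error value first: `if ($res === -1) { $this->show_msg_error(__('Could not delete the Cookie-based directives from the .htaccess file. Please check the file permissions.', 'aiowpsecurity')); } elseif ($res) { $this->show_msg_settings_updated(); }`. A return of `false` or `0` currently produces no message at all, so a final `else` reporting a failure is probably wanted too. The enclosing method starts before the hunk.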
admin/wp-security-dashboard-menu.php CHANGED
@@ -71,7 +71,7 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
71
  {
72
  echo '<div class="aio_grey_box">';
73
  echo '<p>'.__('For information, updates and documentation, please visit the','aiowpsecurity').' <a href="http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin" target="_blank">'.__('AIO WP Security & Firewall Plugin','aiowpsecurity').'</a> '.__('Page','aiowpsecurity').'</p>';
74
- echo '<p><a href="http://www.tipsandtricks-hq.com/development-center" target="_blank">'.__('Follow us','aiowpsecurity').'</a> on '.__('Twitter, Google+ or via Email to stay upto date about the new security features of this plugin.','aiowpsecurity').'</p>';
75
  echo '</div>';
76
 
77
  echo "<script type='text/javascript' src='https://www.google.com/jsapi'></script>";//Include the google chart library
@@ -236,6 +236,51 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
236
  </div></div>
237
  </div><!-- aiowps_dashboard_box -->
238
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
239
  <div class="aiowps_dashboard_box_small">
240
  <div class="postbox">
241
  <h3><label for="title"><?php _e('Maintenance Mode Status', 'aiowpsecurity');?></label></h3>
@@ -266,6 +311,57 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
266
  </div><!-- aiowps_dashboard_box -->
267
 
268
  <?php
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
269
  if($aio_wp_security->configs->get_value('aiowps_enable_automated_fcd_scan') == '1'){
270
 
271
  echo '<div class="aiowps_dashboard_box_small">';
@@ -283,7 +379,7 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
283
 
284
  echo '</div></div>';
285
  echo '</div>';//<!-- aiowps_dashboard_box -->
286
- }
287
  ?>
288
 
289
  <div class="aiowps_dashboard_box_small">
71
  {
72
  echo '<div class="aio_grey_box">';
73
  echo '<p>'.__('For information, updates and documentation, please visit the','aiowpsecurity').' <a href="http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin" target="_blank">'.__('AIO WP Security & Firewall Plugin','aiowpsecurity').'</a> '.__('Page','aiowpsecurity').'</p>';
74
+ echo '<p><a href="http://www.tipsandtricks-hq.com/development-center" target="_blank">'.__('Follow us','aiowpsecurity').'</a> on '.__('Twitter, Google+ or via Email to stay up to date about the new security features of this plugin.','aiowpsecurity').'</p>';
75
  echo '</div>';
76
 
77
  echo "<script type='text/javascript' src='https://www.google.com/jsapi'></script>";//Include the google chart library
236
  </div></div>
237
  </div><!-- aiowps_dashboard_box -->
238
 
239
+ <div class="aiowps_dashboard_box_small">
240
+ <div class="postbox">
241
+ <h3><label for="title"><?php _e('Last 5 Logins', 'aiowpsecurity');?></label></h3>
242
+ <div class="inside">
243
+ <?php
244
+ global $wpdb;
245
+ $login_activity_table = AIOWPSEC_TBL_USER_LOGIN_ACTIVITY;
246
+
247
+ /* -- Ordering parameters -- */
248
+ //Parameters that are going to be used to order the result
249
+ $orderby = !empty($_GET["orderby"]) ? mysql_real_escape_string($_GET["orderby"]) : 'login_date';
250
+ $order = !empty($_GET["order"]) ? mysql_real_escape_string($_GET["order"]) : 'DESC';
251
+
252
+ $data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order LIMIT 5", ARRAY_A); //Get the last 50 records
253
+
254
+ if ($data == NULL){
255
+ echo '<p>'.__('No data found!','aiowpsecurity').'</p>';
256
+
257
+ }else{
258
+ $login_summary_table = '';
259
+ echo '<p>'.__('Last 5 logins summary:','aiowpsecurity').'</p>';
260
+ $login_summary_table .= '<table class="widefat">';
261
+ $login_summary_table .= '<thead>';
262
+ $login_summary_table .= '<tr>';
263
+ $login_summary_table .= '<th>'.__('User','aiowpsecurity').'</th>';
264
+ $login_summary_table .= '<th>'.__('Date','aiowpsecurity').'</th>';
265
+ $login_summary_table .= '<th>'.__('IP','aiowpsecurity').'</th>';
266
+ $login_summary_table .= '</tr>';
267
+ $login_summary_table .= '</thead>';
268
+ foreach ($data as $entry) {
269
+ $login_summary_table .= '<tr>';
270
+ $login_summary_table .= '<td>'.$entry['user_login'].'</td>';
271
+ $login_summary_table .= '<td>'.$entry['login_date'].'</td>';
272
+ $login_summary_table .= '<td>'.$entry['login_ip'].'</td>';
273
+ $login_summary_table .= '</tr>';
274
+ }
275
+ $login_summary_table .= '</table>';
276
+ echo $login_summary_table;
277
+ }
278
+
279
+ echo '<div class="aio_clear_float"></div>';
280
+ ?>
281
+ </div></div>
282
+ </div><!-- aiowps_dashboard_box -->
283
+
284
  <div class="aiowps_dashboard_box_small">
285
  <div class="postbox">
286
  <h3><label for="title"><?php _e('Maintenance Mode Status', 'aiowpsecurity');?></label></h3>
311
  </div><!-- aiowps_dashboard_box -->
312
 
313
  <?php
314
+ //Insert Cookie Based Brute Force feature box if this feature is active
315
+ if($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')=='1'){
316
+ ?>
317
+ <div class="aiowps_dashboard_box_small">
318
+ <div class="postbox">
319
+ <h3><label for="title"><?php _e('Cookie Based Brute Prevention', 'aiowpsecurity');?></label></h3>
320
+ <div class="inside">
321
+ <?php
322
+ $brute_force_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=tab2" target="_blank">'.__('Cookie-Based Brute Force','aiowpsecurity').'</a>';
323
+ $brute_force_feature_secret_word = $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word');
324
+ echo '<div class="aio_yellow_box">';
325
+
326
+ echo '<p>'.sprintf( __('The %s feature is currently active.', 'aiowpsecurity'), $brute_force_login_feature_link).'</p>';
327
+ echo '<p>'.__('Your new WordPress login URL is now:','aiowpsecurity').'</p>';
328
+ echo '<p><strong>'.AIOWPSEC_WP_URL.'/?'.$brute_force_feature_secret_word.'=1</strong></p>';
329
+ echo '</div>'; //yellow box div
330
+ echo '<div class="aio_clear_float"></div>';
331
+ ?>
332
+ </div></div>
333
+ </div><!-- aiowps_dashboard_box -->
334
+ <?php
335
+ }//End if statement for Cookie Based Brute Prevention box
336
+
337
+ //Insert Rename Login Page feature box if this feature is active
338
+ if($aio_wp_security->configs->get_value('aiowps_enable_rename_login_page')=='1'){
339
+ ?>
340
+ <div class="aiowps_dashboard_box_small">
341
+ <div class="postbox">
342
+ <h3><label for="title"><?php _e('Rename Login Page', 'aiowpsecurity');?></label></h3>
343
+ <div class="inside">
344
+ <?php
345
+ if (get_option('permalink_structure')){
346
+ $home_url = trailingslashit(home_url());
347
+ }else{
348
+ $home_url = trailingslashit(home_url()) . '?';
349
+ }
350
+
351
+ $rename_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=tab1" target="_blank">'.__('Rename Login Page','aiowpsecurity').'</a>';
352
+ echo '<div class="aio_yellow_box">';
353
+
354
+ echo '<p>'.sprintf( __('The %s feature is currently active.', 'aiowpsecurity'), $rename_login_feature_link).'</p>';
355
+ echo '<p>'.__('Your new WordPress login URL is now:','aiowpsecurity').'</p>';
356
+ echo '<p><strong>'.$home_url.$aio_wp_security->configs->get_value('aiowps_login_page_slug').'</strong></p>';
357
+ echo '</div>'; //yellow box div
358
+ echo '<div class="aio_clear_float"></div>';
359
+ ?>
360
+ </div></div>
361
+ </div><!-- aiowps_dashboard_box -->
362
+ <?php
363
+ }//End if statement for Rename Login box
364
+
365
  if($aio_wp_security->configs->get_value('aiowps_enable_automated_fcd_scan') == '1'){
366
 
367
  echo '<div class="aiowps_dashboard_box_small">';
379
 
380
  echo '</div></div>';
381
  echo '</div>';//<!-- aiowps_dashboard_box -->
382
+ }//End if statement for automated scan box
383
  ?>
384
 
385
  <div class="aiowps_dashboard_box_small">
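Review bot: The `SELECT ... ORDER BY $orderby $order LIMIT 5` query in the new "Last 5 Logins" box interpolates `$_GET["orderby"]` and `$_GET["order"]` straight into SQL; `mysql_real_escape_string()` only escapes quote characters inside string literals and offers no protection for identifiers or keywords, and it is the deprecated ext/mysql function, which in a WordPress request is not guaranteed a connection and can return `false`. Restrict both values to a fixed whitelist before building the query, and since this is a dashboard summary rather than the sortable list table it is not obvious the request parameters should influence it at all. The cell values `$entry['user_login']`, `$entry['login_date']` and `$entry['login_ip']` are also echoed unescaped into the table; wrap them in `esc_html()`. The comment `//Get the last 50 records` disagrees with `LIMIT 5`.
```php
/* -- Ordering parameters -- */
// Only columns of the login activity table may be named here; anything else falls back to the default
$allowed_orderby = array('user_login', 'login_date', 'login_ip');
$orderby = (isset($_GET['orderby']) && in_array($_GET['orderby'], $allowed_orderby, true)) ? $_GET['orderby'] : 'login_date';
$order = (isset($_GET['order']) && strtoupper($_GET['order']) === 'ASC') ? 'ASC' : 'DESC';

$data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order LIMIT 5", ARRAY_A); //Get the last 5 records
// … unchanged: empty-result message and table header markup …
foreach ($data as $entry) {
    $login_summary_table .= '<tr>';
    $login_summary_table .= '<td>'.esc_html($entry['user_login']).'</td>';
    $login_summary_table .= '<td>'.esc_html($entry['login_date']).'</td>';
    $login_summary_table .= '<td>'.esc_html($entry['login_ip']).'</td>';
    $login_summary_table .= '</tr>';
}
```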
admin/wp-security-firewall-menu.php CHANGED
@@ -11,6 +11,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
11
  'tab1' => 'render_tab1',
12
  'tab2' => 'render_tab2',
13
  'tab3' => 'render_tab3',
 
14
  );
15
 
16
  function __construct()
@@ -24,6 +25,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
24
  'tab1' => __('Basic Firewall Rules', 'aiowpsecurity'),
25
  'tab2' => __('Additional Firewall Rules', 'aiowpsecurity'),
26
  'tab3' => __('5G Blacklist Firewall Rules', 'aiowpsecurity'),
 
27
  );
28
  }
29
 
@@ -325,7 +327,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
325
  echo '<br />';
326
  _e('This feature will prevent the listing of contents for all directories.', 'aiowpsecurity');
327
  echo '<br />';
328
- _e('NOTE: In order for this feature to work "AllowOverride" must be enabled in your httpd.conf file. Ask your hosting provider to check this if you don\'t have access to httpd.conf', 'aiowpsecurity');
329
  ?>
330
  </p>
331
  </div>
@@ -542,5 +544,92 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
542
  </div></div>
543
  <?php
544
  }
545
-
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
546
  } //end class
11
  'tab1' => 'render_tab1',
12
  'tab2' => 'render_tab2',
13
  'tab3' => 'render_tab3',
14
+ 'tab4' => 'render_tab4',
15
  );
16
 
17
  function __construct()
25
  'tab1' => __('Basic Firewall Rules', 'aiowpsecurity'),
26
  'tab2' => __('Additional Firewall Rules', 'aiowpsecurity'),
27
  'tab3' => __('5G Blacklist Firewall Rules', 'aiowpsecurity'),
28
+ 'tab4' => __('Internet Bots', 'aiowpsecurity'),
29
  );
30
  }
31
 
327
  echo '<br />';
328
  _e('This feature will prevent the listing of contents for all directories.', 'aiowpsecurity');
329
  echo '<br />';
330
+ _e('NOTE: In order for this feature to work "AllowOverride" of the Indexes directive must be enabled in your httpd.conf file. Ask your hosting provider to check this if you don\'t have access to httpd.conf', 'aiowpsecurity');
331
  ?>
332
  </p>
333
  </div>
544
  </div></div>
545
  <?php
546
  }
547
+
548
+ function render_tab4()
549
+ {
550
+ global $aio_wp_security;
551
+ if(isset($_POST['aiowps_save_internet_bot_settings']))//Do form submission tasks
552
+ {
553
+ $nonce=$_REQUEST['_wpnonce'];
554
+ if (!wp_verify_nonce($nonce, 'aiowpsec-save-internet-bot-settings-nonce'))
555
+ {
556
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed for save internet bot settings!",4);
557
+ die("Nonce check failed for save internet bot settings!");
558
+ }
559
+
560
+ //Save settings
561
+ if(isset($_POST['aiowps_block_fake_googlebots']))
562
+ {
563
+ $aio_wp_security->configs->set_value('aiowps_block_fake_googlebots','1');
564
+ }
565
+ else
566
+ {
567
+ $aio_wp_security->configs->set_value('aiowps_block_fake_googlebots','');
568
+ }
569
+
570
+ //Commit the config settings
571
+ $aio_wp_security->configs->save_config();
572
+
573
+ $this->show_msg_updated(__('The Internet bot settings were successfully saved', 'aiowpsecurity'));
574
+ }
575
+
576
+ ?>
577
+ <h2><?php _e('Internet Bot Settings', 'aiowpsecurity')?></h2>
578
+ <form action="" method="POST">
579
+ <?php wp_nonce_field('aiowpsec-save-internet-bot-settings-nonce'); ?>
580
+ <div class="aio_blue_box">
581
+ <?php
582
+ $info_msg = '';
583
+ $wiki_link = '<a href="http://en.wikipedia.org/wiki/Internet_bot" target="_blank">What is an Internet Bot</a>';
584
+ $info_msg .= '<p><strong>'.sprintf( __('%s?', 'aiowpsecurity'), $wiki_link).'</strong></p>';
585
+
586
+ $info_msg .= '<p>'. __('A bot is a piece of software which runs on the Internet and performs automatic tasks. For example when Google indexes your pages it uses automatic bots to achieve this task.', 'aiowpsecurity').'</p>';
587
+ $info_msg .= '<p>'. __('A lot of bots are legitimate and non-malicous but not all bots are good and often you will find some which try to impersonate legitimate bots such as "Googlebot" but in reality they have nohing to do with Google at all.', 'aiowpsecurity').'</p>';
588
+ $info_msg .= '<p>'. __('Although most of the bots out there are relatively harmless sometimes website owners want to have more control over which bots they allow into their site.', 'aiowpsecurity').'</p>';
589
+ $info_msg .= '<p>'. __('This feature allows you to block bots which are impersonating as a Googlebot but actually aren\'t. (In other words they are fake Google bots)', 'aiowpsecurity').'</p>';
590
+ $info_msg .= '<p>'.__('Googlebots have a unique indentity which cannot easily be forged and this feature will indentify any fake Google bots and block them from reading your site\'s pages.', 'aiowpsecurity').'</p>';
591
+ echo $info_msg;
592
+ ?>
593
+ </div>
594
+ <div class="aio_yellow_box">
595
+ <?php
596
+ $info_msg_2 = '<p>'. __('<strong>Attention</strong>: Sometimes non-malicious Internet organizations might have bots which impersonate as a "Googlebot".', 'aiowpsecurity').'</p>';
597
+ $info_msg_2 .= '<p>'.__('Just be aware that if you activate this feature the plugin will block all bots which use the "Googlebot" string in their User Agent information but are NOT officially from Google (irrespective whether they are malicious or not).', 'aiowpsecurity').'</p>';
598
+ $info_msg_2 .= '<p>'.__('All other bots from other organizations such as "Yahoo", "Bing" etc will not be affected by this feature.', 'aiowpsecurity').'</p>';
599
+ echo $info_msg_2;
600
+ ?>
601
+ </div>
602
+
603
+ <div class="postbox">
604
+ <h3><label for="title"><?php _e('Block Fake Googlebots', 'aiowpsecurity'); ?></label></h3>
605
+ <div class="inside">
606
+ <?php
607
+ //Display security info badge
608
+ global $aiowps_feature_mgr;
609
+ $aiowps_feature_mgr->output_feature_details_badge("firewall-block-fake-googlebots");
610
+ ?>
611
+
612
+ <table class="form-table">
613
+ <tr valign="top">
614
+ <th scope="row"><?php _e('Block Fake Googlebots', 'aiowpsecurity')?>:</th>
615
+ <td>
616
+ <input name="aiowps_block_fake_googlebots" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_block_fake_googlebots')=='1') echo ' checked="checked"'; ?> value="1"/>
617
+ <span class="description"><?php _e('Check this if you want to block all fake Googlebots.', 'aiowpsecurity'); ?></span>
618
+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
619
+ <div class="aiowps_more_info_body">
620
+ <?php
621
+ echo '<p class="description">'.__('This feature will check if the User Agent information of a bot contains the string "Googlebot".', 'aiowpsecurity').'</p>';
622
+ echo '<p class="description">'.__('It will then perform a few tests to verify if the bot is legitimately from Google and if so it will allow the bot to proceed.', 'aiowpsecurity').'</p>';
623
+ echo '<p class="description">'.__('If the bot fails the checks then the plugin will mark it as being a fake Googlebot and it will block it', 'aiowpsecurity').'</p>';
624
+ ?>
625
+ </div>
626
+ </td>
627
+ </tr>
628
+ </table>
629
+ </div></div>
630
+ <input type="submit" name="aiowps_save_internet_bot_settings" value="<?php _e('Save Internet Bot Settings', 'aiowpsecurity')?>" class="button-primary" />
631
+ </form>
632
+ <?php
633
+ }
634
+
635
  } //end class
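Review bot: `$nonce=$_REQUEST['_wpnonce'];` in the new `render_tab4()` reads the key without checking it exists, which raises a PHP notice on a submission that lacks it before the nonce check then fails; use `$nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';`. The method saves settings with no capability check visible in this section — if the admin-menu base class enforces one before dispatching to the tab, a one-line comment saying so would help the next reader, otherwise one is needed. Several translatable strings in the info boxes carry typos (`malicous`, `nohing`, `indentity`, `indentify`) that become part of the translation keys and are awkward to correct once translations exist.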
admin/wp-security-settings-menu.php CHANGED
@@ -194,20 +194,16 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
194
  die("Nonce check failed on htaccess file save!");
195
  }
196
  $htaccess_path = ABSPATH . '.htaccess';
197
- $result = AIOWPSecurity_Utility_File::backup_and_rename_wp_config($htaccess_path); //Backup the htaccess file
198
 
199
  if ($result)
200
  {
201
  $random_prefix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
202
- if (rename(ABSPATH.'.htaccess.backup', AIO_WP_SECURITY_BACKUPS_PATH.'/'.$random_prefix.'_htaccess_backup.txt'))
 
203
  {
204
- // $backup_file_url = AIOWPSEC_WP_URL . '/htaccess_backup.txt';
205
  echo '<div id="message" class="updated fade"><p>';
206
- _e('Your .htaccess file was successfully backed up! Using an FTP program go to the "backups" directory of this plugin to save a copy of the file to your computer.','aiowpsecurity');
207
- // echo '<p>';
208
- // _e('Your .htaccess File: ');
209
- // echo '<a href="'.$backup_file_url.'" target="_blank">'.$backup_file_url.'</a>';
210
- // echo '</p>';
211
  echo '</p></div>';
212
  }
213
  else
194
  die("Nonce check failed on htaccess file save!");
195
  }
196
  $htaccess_path = ABSPATH . '.htaccess';
197
+ $result = AIOWPSecurity_Utility_File::backup_and_rename_htaccess($htaccess_path); //Backup the htaccess file
198
 
199
  if ($result)
200
  {
201
  $random_prefix = AIOWPSecurity_Utility::generate_alpha_numeric_random_string(10);
202
+ $aiowps_backup_dir = WP_CONTENT_DIR.'/'.AIO_WP_SECURITY_BACKUPS_DIR_NAME;
203
+ if (rename($aiowps_backup_dir.'/'.'.htaccess.backup', $aiowps_backup_dir.'/'.$random_prefix.'_htaccess_backup.txt'))
204
  {
 
205
  echo '<div id="message" class="updated fade"><p>';
206
+ _e('Your .htaccess file was successfully backed up! Using an FTP program go to the "/wp-content/aiowps_backups" directory to save a copy of the file to your computer.','aiowpsecurity');
 
 
 
 
207
  echo '</p></div>';
208
  }
209
  else
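Review bot: The success message at new line 206 hard-codes `"/wp-content/aiowps_backups"` while the code two lines above derives the actual location from `WP_CONTENT_DIR` and `AIO_WP_SECURITY_BACKUPS_DIR_NAME`, so the text will be wrong on installs with a relocated content directory or if the constant changes; build the message from the same values with `sprintf()` instead of a literal path. It is also worth confirming, outside this hunk, that the backup directory carries its own deny rule or index file, since the `.txt` copies of `.htaccess` written there sit under the web-served content directory. The enclosing method starts before the hunk.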
classes/grade-system/wp-security-feature-item-manager.php CHANGED
@@ -80,14 +80,14 @@ class AIOWPSecurity_Feature_Item_Manager
80
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("bf-rename-login-page", __("Enable Rename Login Page", "aiowpsecurity"), $this->feature_point_2, $this->sec_level_inter);
81
 
82
  //Additional and Advanced firewall
83
- $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-enable-brute-force-attack-prevention", __("Enable Brute Force Attack Prevention", "aiowpsecurity"), $this->feature_point_4, $this->sec_level_inter);
84
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-disable-index-views", __("Disable Index Views", "aiowpsecurity"), $this->feature_point_1, $this->sec_level_inter);
85
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-disable-trace-track", __("Disable Trace and Track", "aiowpsecurity"), $this->feature_point_2, $this->sec_level_advanced);
86
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-forbid-proxy-comments", __("Forbid Proxy Comments", "aiowpsecurity"), $this->feature_point_2, $this->sec_level_advanced);
87
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-deny-bad-queries", __("Deny Bad Queries", "aiowpsecurity"), $this->feature_point_3, $this->sec_level_advanced);
88
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-advanced-character-string-filter", __("Advanced Character String Filter", "aiowpsecurity"), $this->feature_point_3, $this->sec_level_advanced);
89
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-enable-5g-blacklist", __("5G Blacklist", "aiowpsecurity"), $this->feature_point_4, $this->sec_level_advanced);
90
-
91
  //SPAM Prevention
92
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("block-spambots", __("Block Spambots", "aiowpsecurity"), $this->feature_point_2, $this->sec_level_basic);
93
  //Comment Captcha
@@ -258,6 +258,10 @@ class AIOWPSecurity_Feature_Item_Manager
258
  {
259
  $this->check_enable_5G_blacklist_firewall_feature($item);
260
  }
 
 
 
 
261
 
262
  if($item->feature_id == "bf-rename-login-page")
263
  {
@@ -624,6 +628,18 @@ class AIOWPSecurity_Feature_Item_Manager
624
  $item->set_feature_status($this->feature_inactive);
625
  }
626
  }
 
 
 
 
 
 
 
 
 
 
 
 
627
 
628
  function check_enable_rename_login_page_feature($item)
629
  {
80
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("bf-rename-login-page", __("Enable Rename Login Page", "aiowpsecurity"), $this->feature_point_2, $this->sec_level_inter);
81
 
82
  //Additional and Advanced firewall
83
+ $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-enable-brute-force-attack-prevention", __("Enable Brute Force Attack Prevention", "aiowpsecurity"), $this->feature_point_4, $this->sec_level_advanced);
84
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-disable-index-views", __("Disable Index Views", "aiowpsecurity"), $this->feature_point_1, $this->sec_level_inter);
85
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-disable-trace-track", __("Disable Trace and Track", "aiowpsecurity"), $this->feature_point_2, $this->sec_level_advanced);
86
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-forbid-proxy-comments", __("Forbid Proxy Comments", "aiowpsecurity"), $this->feature_point_2, $this->sec_level_advanced);
87
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-deny-bad-queries", __("Deny Bad Queries", "aiowpsecurity"), $this->feature_point_3, $this->sec_level_advanced);
88
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-advanced-character-string-filter", __("Advanced Character String Filter", "aiowpsecurity"), $this->feature_point_3, $this->sec_level_advanced);
89
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-enable-5g-blacklist", __("5G Blacklist", "aiowpsecurity"), $this->feature_point_4, $this->sec_level_advanced);
90
+ $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-block-fake-googlebots", __("Block Fake Googlebots", "aiowpsecurity"), $this->feature_point_1, $this->sec_level_advanced);
91
  //SPAM Prevention
92
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("block-spambots", __("Block Spambots", "aiowpsecurity"), $this->feature_point_2, $this->sec_level_basic);
93
  //Comment Captcha
258
  {
259
  $this->check_enable_5G_blacklist_firewall_feature($item);
260
  }
261
+ if($item->feature_id == "firewall-block-fake-googlebots")
262
+ {
263
+ $this->check_block_fake_googlebots_firewall_feature($item);
264
+ }
265
 
266
  if($item->feature_id == "bf-rename-login-page")
267
  {
628
  $item->set_feature_status($this->feature_inactive);
629
  }
630
  }
631
+
632
+ function check_block_fake_googlebots_firewall_feature($item)
633
+ {
634
+ global $aio_wp_security;
635
+ if ($aio_wp_security->configs->get_value('aiowps_block_fake_googlebots') == '1') {
636
+ $item->set_feature_status($this->feature_active);
637
+ }
638
+ else
639
+ {
640
+ $item->set_feature_status($this->feature_inactive);
641
+ }
642
+ }
643
 
644
  function check_enable_rename_login_page_feature($item)
645
  {
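Review bot: The new `check_block_fake_googlebots_firewall_feature()` lacks a header comment naming the option it reads, e.g. `// Marks the "firewall-block-fake-googlebots" item active when the 'aiowps_block_fake_googlebots' option is '1'.` That matters here because the grade-system status check and the runtime gate for this feature live in different files and must agree on the option key, and a comment is the cheapest way to make the coupling visible.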
classes/wp-security-backup.php CHANGED
@@ -173,7 +173,7 @@ class AIOWPSecurity_Backup
173
  }
174
 
175
  $to = $toaddress;
176
- $headers = 'From: ' . get_option( 'blogname' ) . ' <' . $to . '>' . PHP_EOL;
177
  $subject = __( 'All In One WP Security - Site Database Backup', 'aiowpsecurity' ) . ' ' . date( 'l, F jS, Y \a\\t g:i a', current_time( 'timestamp' ) );
178
  $attachment = array( $this->last_backup_file_path );
179
  $message = __( 'Attached is your latest DB backup file for site URL', 'aiowpsecurity' ) . ' ' . get_option( 'siteurl' ) . __( ' generated on', 'aiowpsecurity' ) . ' ' . date( 'l, F jS, Y \a\\t g:i a', current_time( 'timestamp' ) );
173
  }
174
 
175
  $to = $toaddress;
176
+ $headers = 'From: ' . get_option( 'blogname' ) . ' <' . get_option('admin_email') . '>' . PHP_EOL;
177
  $subject = __( 'All In One WP Security - Site Database Backup', 'aiowpsecurity' ) . ' ' . date( 'l, F jS, Y \a\\t g:i a', current_time( 'timestamp' ) );
178
  $attachment = array( $this->last_backup_file_path );
179
  $message = __( 'Attached is your latest DB backup file for site URL', 'aiowpsecurity' ) . ' ' . get_option( 'siteurl' ) . __( ' generated on', 'aiowpsecurity' ) . ' ' . date( 'l, F jS, Y \a\\t g:i a', current_time( 'timestamp' ) );
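Review bot: The `From:` header is now assembled by plain concatenation of `get_option('blogname')` and `get_option('admin_email')`, identically here and in classes/wp-security-file-scan.php new line 61; a blog name containing characters such as `,`, `(` or `"` yields a display name that is not valid unquoted under RFC 5322 and some mail servers reject or mangle it. Quote the name, e.g. `$headers = 'From: "' . str_replace('"', '', get_option('blogname')) . '" <' . get_option('admin_email') . '>' . PHP_EOL;`, and since the line is duplicated in both files consider a single shared helper so the two cannot drift again. The enclosing method starts before the hunk.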
classes/wp-security-bot-protection.php ADDED
@@ -0,0 +1,38 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ /*
4
+ * This class handles all bot related tasks and protection mechanisms.
5
+ *
6
+ */
7
+
8
+ class AIOWPSecurity_Fake_Bot_Protection
9
+ {
10
+ function __construct()
11
+ {
12
+ //NOP
13
+ }
14
+
15
+ static function block_fake_googlebots()
16
+ {
17
+ $user_agent = (isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
18
+ if (preg_match('/Googlebot/i', $user_agent, $matches)){
19
+ //If user agent says it is googlebot start doing checks
20
+ $ip = AIOWPSecurity_Utility_IP::get_user_ip_address();
21
+ $name = gethostbyaddr($ip); //let's get the internet hostname using the given IP address
22
+ //TODO - maybe add check if gethostbyaddr() fails
23
+ $host_ip = gethostbyname($name); //Reverse lookup - let's get the IP using the name
24
+ if(preg_match('/Googlebot/i', $name, $matches)){
25
+ if ($host_ip == $ip){
26
+ //Genuine googlebot allow it through....
27
+ }else{
28
+ //fake googlebot - block it!
29
+ exit();
30
+ }
31
+ }else{
32
+ //fake googlebot - block it!
33
+ exit();
34
+ }
35
+ }
36
+ }
37
+
38
+ }
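Review bot: In `block_fake_googlebots()` the reverse-DNS test `preg_match('/Googlebot/i', $name, ...)` accepts any PTR name that contains the substring anywhere, whereas Google's documented verification requires the hostname to end in `googlebot.com` or `google.com` and a forward lookup of that name to resolve back to the connecting address; anchor the check on the domain suffix. `gethostbyaddr()` returns the unchanged IP (or `false`) when no PTR record exists, so those results should be handled explicitly rather than passed on to `gethostbyname()`, and the blocked case should send a 403 rather than a bare `exit()`, which emits an empty 200 response that is invisible in access logs. Every request whose User-Agent mentions Googlebot now performs a blocking DNS lookup at init time, which deserves a comment, and the `$matches` arguments are unused. Whether `get_user_ip_address()` trusts proxy headers is outside this file and determines how much the IP comparison can be relied on.
```php
static function block_fake_googlebots()
{
    $user_agent = (isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
    if (!preg_match('/Googlebot/i', $user_agent)) {
        return; // does not claim to be Googlebot - nothing to verify
    }
    // NOTE: the two lookups below block the request on DNS for every Googlebot-labelled hit
    $ip = AIOWPSecurity_Utility_IP::get_user_ip_address();
    $name = gethostbyaddr($ip); // false, or the IP itself, when there is no PTR record
    if ($name === false || $name === $ip) {
        self::deny_fake_googlebot();
    }
    // Google's verification: the PTR name must end in googlebot.com or google.com ...
    $is_google_host = (preg_match('/\.(googlebot|google)\.com$/i', $name) === 1);
    // ... and the forward lookup of that name must come back to the connecting address
    if (!$is_google_host || gethostbyname($name) !== $ip) {
        self::deny_fake_googlebot();
    }
}

// Ends the request with a 403 so the block is distinguishable in server logs
static function deny_fake_googlebot()
{
    status_header(403);
    exit();
}
```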
classes/wp-security-file-scan.php CHANGED
@@ -58,7 +58,7 @@ class AIOWPSecurity_Filescan
58
  }
59
 
60
  $to = $toaddress;
61
- $headers = 'From: ' . get_option( 'blogname' ) . ' <' . $to . '>' . PHP_EOL;
62
  $subject = __( 'All In One WP Security - File change detected!', 'aiowpsecurity' ) . ' ' . date( 'l, F jS, Y \a\\t g:i a', current_time( 'timestamp' ) );
63
  //$attachment = array();
64
  $message = __( 'A file change was detected on your system for site URL', 'aiowpsecurity' ) . ' ' . get_option( 'siteurl' ) . __( '. Scan was generated on', 'aiowpsecurity' ) . ' ' . date( 'l, F jS, Y \a\\t g:i a', current_time( 'timestamp' ) );
58
  }
59
 
60
  $to = $toaddress;
61
+ $headers = 'From: ' . get_option( 'blogname' ) . ' <' . get_option('admin_email') . '>' . PHP_EOL;
62
  $subject = __( 'All In One WP Security - File change detected!', 'aiowpsecurity' ) . ' ' . date( 'l, F jS, Y \a\\t g:i a', current_time( 'timestamp' ) );
63
  //$attachment = array();
64
  $message = __( 'A file change was detected on your system for site URL', 'aiowpsecurity' ) . ' ' . get_option( 'siteurl' ) . __( '. Scan was generated on', 'aiowpsecurity' ) . ' ' . date( 'l, F jS, Y \a\\t g:i a', current_time( 'timestamp' ) );
classes/wp-security-general-init-tasks.php CHANGED
@@ -79,7 +79,15 @@ class AIOWPSecurity_General_Init_Tasks
79
  //For feature which displays logged in users
80
  $this->update_logged_in_user_transient();
81
 
 
 
 
 
 
 
 
82
  //Add more tasks that need to be executed at init time
 
83
  }
84
 
85
  function remove_wp_generator_meta_info()
79
  //For feature which displays logged in users
80
  $this->update_logged_in_user_transient();
81
 
82
+ //For block fake googlebots feature
83
+ if($aio_wp_security->configs->get_value('aiowps_enable_block_fake_googlebots') == '1'){
84
+ include_once(AIO_WP_SECURITY_PATH.'/classes/wp-security-bot-protection.php');
85
+ AIOWPSecurity_Fake_Bot_Protection::block_fake_googlebots();
86
+ }
87
+
88
+
89
  //Add more tasks that need to be executed at init time
90
+
91
  }
92
 
93
  function remove_wp_generator_meta_info()
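Review bot: The runtime gate reads `aiowps_enable_block_fake_googlebots`, but the Internet Bots tab in admin/wp-security-firewall-menu.php saves the option as `aiowps_block_fake_googlebots` and the grade system in classes/grade-system/wp-security-feature-item-manager.php reads that same key, so this condition never becomes true and the new blocking code is dead while the dashboard reports the feature active. Change the check to `if($aio_wp_security->configs->get_value('aiowps_block_fake_googlebots') == '1'){`. The enclosing method starts before the hunk, so whether `$aio_wp_security` is declared `global` there cannot be confirmed from this view.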
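--- a/readme.txt
+++ b/readme.txt
@@ -1,10 +1,10 @@
  === All In One WP Security & Firewall ===
  Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin
  Donate link: http://www.tipsandtricks-hq.com
- Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha
+ Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot
  Requires at least: 3.5
- Tested up to: 3.8
- Stable tag: 3.4
+ Tested up to: 3.8.1
+ Stable tag: 3.5.1
  License: GPLv3
 
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
@@ -85,6 +85,7 @@ So these firewall rules will stop malicious script(s) before it gets a chance to
  * Protect against Cross Site Scripting (XSS) by activating the comprehensive advanced character string filter.
  or malicious bots who do not have a special cookie in their browser. You (the site admin) will know how to set this special cookie and be able to log into your site.
  * WordPress PingBack Vulnerability Protection feature. This firewall feature allows the user to prohibit access to the xmlrpc.php file in order to protect against certain vulnerabilities in the pingback functionality. This is also helpful to block bots from constantly accessing the xmlrpc.php file and wasting your server resource.
+ * Ability to block fake Googlebots from crawling your site.
 
  = Brute force login attack prevention =
  * Instantly block Brute Force Login Attacks via our special Cookie-Based Brute Force Login Prevention feature. This firewall functionality will block all login attempts from people and bots.
@@ -146,11 +147,23 @@ None
 
  == Changelog ==
 
+ = 3.5.1 =
+ - Fixed a bug where the cookie-based brute force directives were not being deleted from the .htaccess file when the Rename Login Page feature was being activated.
+
+ = 3.5 =
+ - Added new feature which will Block Fake Googlebots from crawling your site. Check the Firewall menu for this new feature.
+ - Added code to prevent users from having both the Rename Login Page and Cookie-Based Brute Force features active at the same time.
+ - Added some useful info boxes in the dashboard: 1) to inform the user if the cookie based brute force or rename login page features are active, 2) last 5 logins to your site.
+ - Fixed minor bug with .htaccess backup feature.
+ - Updated the from email address value used for sending backups and file change notification. Thanks to @TheAssurer for the tip.
+ - Updated the warning message for the disable index view feature.
+
+
  = 3.4 =
  - Consolidated "Brute Force" features by moving all such features to the "Brute Force" menu.
  - Improved the file change detection scan feature: Introduced a button allowing admin to view the file change results from the last scan and fixed small bug whereby the change detected flag was not being cleared for applicable cases.
  - Fixed a small bug with "rename login page" feature.
- - Made wp-config.php and .htaccess file backups more secure. Thanks to @wzp for the tip.
+ - Made wp-config.php and .htaccess file backups more secure. Thanks to @TheAssurer for the tip.
  - Made the login code more robust by catering for cases where the "wp_login" action was not passing 2 parameters.
 
  = 3.3 =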
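--- a/wp-security-core.php
+++ b/wp-security-core.php
@@ -3,7 +3,7 @@
  if (!class_exists('AIO_WP_Security')){
 
  class AIO_WP_Security{
- var $version = '3.4';
+ var $version = '3.5.1';
  var $db_version = '1.4';
  var $plugin_url;
  var $plugin_path;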
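--- a/wp-security.php
+++ b/wp-security.php
@@ -1,7 +1,7 @@
  <?php
  /*
  Plugin Name: All In One WP Security
- Version: v3.4
+ Version: v3.5.1
  Plugin URI: http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
  Author: Tips and Tricks HQ, Peter, Ruhul, Ivy
  Author URI: http://www.tipsandtricks-hq.com/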