All In One WP Security & Firewall - Version 3.9.9

Version Description

  • Fixed an issue with the rename login page feature for WordPress 4.3
  • Added esc_attr() output escaping to the reflected page/tab request parameters echoed into the admin list-table forms
  • Added the necessary changes to allow activation via wp-cli

Release Info

Developer mra13
Version 3.9.9

Code changes from version 3.9.6 to 3.9.9

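--- a/admin/wp-security-dashboard-menu.php
+++ b/admin/wp-security-dashboard-menu.php
@@ -664,7 +664,7 @@ var msnry = new Masonry( container, {
  ?>
  <form id="tables-filter" method="get" onSubmit="return confirm('Are you sure you want to perform this bulk operation on the selected entries?');">
  <!-- For plugins, we also need to ensure that the form posts back to our current page -->
- <input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
+ <input type="hidden" name="page" value="<?php echo esc_attr($_REQUEST['page']); ?>" />
  <?php
  if(isset($_REQUEST["tab"]))
  {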
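Review bot: The hidden `page` field on the changed line still reflects a request parameter back into the markup, and `$_REQUEST['page']` is read without an `isset()` guard even though the `tab` parameter three lines below gets one. This form only ever needs to post back to the plugin's own admin page, so echoing the menu slug the class registers (if it is in scope here) would remove the reflected input altogether and make the escaping a defence-in-depth detail rather than the only barrier. Failing that, at least guard the read: `<input type="hidden" name="page" value="<?php echo esc_attr(isset($_REQUEST['page']) ? $_REQUEST['page'] : ''); ?>" />`. The enclosing render method starts and ends outside the hunk.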
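--- a/admin/wp-security-firewall-menu.php
+++ b/admin/wp-security-firewall-menu.php
@@ -14,6 +14,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
  'tab4' => 'render_tab4',
  'tab5' => 'render_tab5',
  'tab6' => 'render_tab6',
+ 'tab7' => 'render_tab7',
  );
  
  function __construct()
@@ -29,7 +30,8 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
  'tab3' => __('5G Blacklist Firewall Rules', 'aiowpsecurity'),
  'tab4' => __('Internet Bots', 'aiowpsecurity'),
  'tab5' => __('Prevent Hotlinks', 'aiowpsecurity'),
- 'tab6' => __('404 Detection', 'aiowpsecurity'),
+ 'tab6' => __('404 Detection', 'aiowpsecurity'),
+ 'tab7' => __('Custom Rules', 'aiowpsecurity'),
  );
  }
  
@@ -100,6 +102,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
  }
  
  $aio_wp_security->configs->set_value('aiowps_enable_pingback_firewall',isset($_POST["aiowps_enable_pingback_firewall"])?'1':'');
+ $aio_wp_security->configs->set_value('aiowps_block_debug_log_file_access',isset($_POST["aiowps_block_debug_log_file_access"])?'1':'');
  
  //Commit the config settings
  $aio_wp_security->configs->save_config();
@@ -208,6 +211,32 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
  </tr>
  </table>
  </div></div>
+
+ <div class="postbox">
+ <h3><label for="title"><?php _e('Block Accesss to Debug Log File', 'aiowpsecurity'); ?></label></h3>
+ <div class="inside">
+ <?php
+ //Display security info badge
+ $aiowps_feature_mgr->output_feature_details_badge("firewall-block-debug-file-access");
+ ?>
+ <table class="form-table">
+ <tr valign="top">
+ <th scope="row"><?php _e('Block Access to debug.log File', 'aiowpsecurity')?>:</th>
+ <td>
+ <input name="aiowps_block_debug_log_file_access" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_block_debug_log_file_access')=='1') echo ' checked="checked"'; ?> value="1"/>
+ <span class="description"><?php _e('Check this if you want to block access to the debug.log file that WordPress creates when debug logging is enabled.', 'aiowpsecurity'); ?></span>
+ <span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'aiowpsecurity'); ?></span></span>
+ <div class="aiowps_more_info_body">
+ <?php
+ echo '<p class="description">'.__('WordPress has an option to turn on the debug logging to a file located in wp-content/debug.log. This file may contain sensitive information.', 'aiowpsecurity').'</p>';
+ echo '<p class="description">'.__('Using this optoin will block external access to this file. You can still access this file by logging into your site via FTP', 'aiowpsecurity').'</p>';
+ ?>
+ </div>
+ </td>
+ </tr>
+ </table>
+ </div></div>
+
  <input type="submit" name="aiowps_apply_basic_firewall_settings" value="<?php _e('Save Basic Firewall Settings', 'aiowpsecurity')?>" class="button-primary" />
  </form>
  <?php
@@ -878,7 +907,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
  ?>
  <form id="tables-filter" method="post">
  <!-- For plugins, we also need to ensure that the form posts back to our current page -->
- <input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
+ <input type="hidden" name="page" value="<?php echo esc_attr($_REQUEST['page']); ?>" />
  <?php $event_list_404->search_box('Search', 'search_404_events'); ?>
  <?php
  if(isset($_REQUEST["tab"]))
@@ -906,5 +935,100 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
  
  <?php
  }
-
+
+ function render_tab7()
+ {
+ global $aio_wp_security;
+ if(isset($_POST['aiowps_save_custom_rules_settings']))//Do form submission tasks
+ {
+ $nonce=$_REQUEST['_wpnonce'];
+ if (!wp_verify_nonce($nonce, 'aiowpsec-save-custom-rules-settings-nonce'))
+ {
+ $aio_wp_security->debug_logger->log_debug("Nonce check failed for save custom rules settings!",4);
+ die("Nonce check failed for save custom rules settings!");
+ }
+
+ //Save settings
+ if (isset($_POST["aiowps_enable_custom_rules"]) && empty($_POST['aiowps_custom_rules']))
+ {
+ $this->show_msg_error('You must enter some .htaccess directives code in the text box below','aiowpsecurity');
+ }
+ else
+ {
+ if (!empty($_POST['aiowps_custom_rules']))
+ {
+ $custom_rules = $_POST['aiowps_custom_rules'];
+
+ }
+ else
+ {
+ $aio_wp_security->configs->set_value('aiowps_custom_rules',''); //Clear the custom rules config value
+ }
+
+ $aio_wp_security->configs->set_value('aiowps_custom_rules',$custom_rules);
+ $aio_wp_security->configs->set_value('aiowps_enable_custom_rules',isset($_POST["aiowps_enable_custom_rules"])?'1':'');
+ $aio_wp_security->configs->save_config(); //Save the configuration
+
+ $this->show_msg_settings_updated();
+
+ $write_result = AIOWPSecurity_Utility_Htaccess::write_to_htaccess(); //now let's write to the .htaccess file
+ if ($write_result == -1)
+ {
+ $this->show_msg_error(__('The plugin was unable to write to the .htaccess file. Please edit file manually.','aiowpsecurity'));
+ $aio_wp_security->debug_logger->log_debug("Custom Rules feature - The plugin was unable to write to the .htaccess file.");
+ }
+ }
+
+ }
+
+ ?>
+ <h2><?php _e('Custom .htaccess Rules Settings', 'aiowpsecurity')?></h2>
+ <form action="" method="POST">
+ <?php wp_nonce_field('aiowpsec-save-custom-rules-settings-nonce'); ?>
+ <div class="aio_blue_box">
+ <?php
+ $info_msg = '';
+
+ $info_msg .= '<p>'. __('This feature can be used to apply your own custom .htaccess rules and directives.', 'aiowpsecurity').'</p>';
+ $info_msg .= '<p>'. __('It is useful for when you want to tweak our existing firewall rules or when you want to add your own.', 'aiowpsecurity').'</p>';
+ $info_msg .= '<p>'. __('NOTE: This feature can only used if your site is hosted in an apache or similar web server.', 'aiowpsecurity').'</p>';
+ echo $info_msg;
+ ?>
+ </div>
+ <div class="aio_yellow_box">
+ <?php
+ $info_msg_2 = '<p>'. __('<strong>Warning</strong>: Only use this feature if you know what you are doing.', 'aiowpsecurity').'</p>';
+ $info_msg_2 .= '<p>'.__('Incorrect .htaccess rules or directives can break or prevent access to your site.', 'aiowpsecurity').'</p>';
+ $info_msg_2 .= '<p>'.__('It is your responsibility to ensure that you are entering the correct code!', 'aiowpsecurity').'</p>';
+ $info_msg_2 .= '<p>'.__('If you break your site you will need to access your server via FTP or something similar and then edit your .htaccess file and delete the changes you made.', 'aiowpsecurity').'</p>';
+ echo $info_msg_2;
+ ?>
+ </div>
+
+ <div class="postbox">
+ <h3><label for="title"><?php _e('Custom .htaccess Rules', 'aiowpsecurity'); ?></label></h3>
+ <div class="inside">
+ <table class="form-table">
+ <tr valign="top">
+ <th scope="row"><?php _e('Enable Custom .htaccess Rules', 'aiowpsecurity')?>:</th>
+ <td>
+ <input name="aiowps_enable_custom_rules" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_custom_rules')=='1') echo ' checked="checked"'; ?> value="1"/>
+ <span class="description"><?php _e('Check this if you want to enable custom rules entered in the text box below', 'aiowpsecurity'); ?></span>
+ </td>
+ </tr>
+ <tr valign="top">
+ <th scope="row"><?php _e('Enter Custom .htaccess Rules:', 'aiowpsecurity')?></th>
+ <td>
+ <textarea name="aiowps_custom_rules" rows="35" cols="50"><?php echo $aio_wp_security->configs->get_value('aiowps_custom_rules'); ?></textarea>
+ <br />
+ <span class="description"><?php _e('Enter your custom .htaccess rules/directives.','aiowpsecurity');?></span>
+ </td>
+ </tr>
+ </table>
+ </div></div>
+ <input type="submit" name="aiowps_save_custom_rules_settings" value="<?php _e('Save Custom Rules', 'aiowpsecurity')?>" class="button-primary" />
+ </form>
+ <?php
+ }
+
  } //end class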
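Review bot: In `render_tab7` the empty-rules path leaves `$custom_rules` undefined: the `else` branch clears the option, but the unconditional `set_value('aiowps_custom_rules',$custom_rules)` two lines later immediately overwrites it with a variable that was never assigned (a PHP notice, and whatever the config layer makes of a null). WordPress slash-escapes `$_POST` on load, so unless `configs` strips slashes the stored directives will carry literal backslashes before every quote by the time they are written into `.htaccess`; one `stripslashes()` at the read site addresses both problems, and the textarea that echoes the saved rules back should go through `esc_textarea()`. The first `show_msg_error()` call is handed the text domain as a second argument where the later call wraps its string in `__()`, which looks like a missed `__()`. It is also worth stating in the yellow warning box that anyone who reaches this tab can write arbitrary Apache directives, which on most hosts is equivalent to code execution, so the capability check in the parent menu class is the only thing gating it; that check is not visible in this hunk and the rest of the class lies outside it.
```php
// … unchanged: nonce check …
//Save settings (WordPress adds slashes to $_POST on load; strip them before storing)
$custom_rules = isset($_POST['aiowps_custom_rules']) ? stripslashes($_POST['aiowps_custom_rules']) : '';
if (isset($_POST["aiowps_enable_custom_rules"]) && $custom_rules === '')
{
    $this->show_msg_error(__('You must enter some .htaccess directives code in the text box below','aiowpsecurity'));
}
else
{
    $aio_wp_security->configs->set_value('aiowps_custom_rules',$custom_rules);
    $aio_wp_security->configs->set_value('aiowps_enable_custom_rules',isset($_POST["aiowps_enable_custom_rules"])?'1':'');
    $aio_wp_security->configs->save_config(); //Save the configuration
    // … unchanged: settings-updated message, write_to_htaccess() and its error handling …
}
// … unchanged: info boxes and enable checkbox …
<textarea name="aiowps_custom_rules" rows="35" cols="50"><?php echo esc_textarea($aio_wp_security->configs->get_value('aiowps_custom_rules')); ?></textarea>
```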
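--- a/admin/wp-security-list-registered-users.php
+++ b/admin/wp-security-list-registered-users.php
@@ -130,7 +130,7 @@ class AIOWPSecurity_List_Registered_Users extends AIOWPSecurity_List_Table {
  $email_msg = '';
  $to_email_address = $user->user_email;
  $subject = '['.get_option('siteurl').'] '. __('Your account is now active','aiowpsecurity');
- $email_msg .= __('Your account with username:','aiowpsecurity').$user->ID.__(' is now active','aiowpsecurity')."\n";
+ $email_msg .= __('Your account with user ID:','aiowpsecurity').$user->ID.__(' is now active','aiowpsecurity')."\n";
  $site_title = get_bloginfo( 'name' );
  $from_name = empty($site_title)?'WordPress':$site_title;
  $email_header = 'From: '.$from_name.' <'.get_bloginfo('admin_email').'>' . "\r\n\\";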
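Review bot: The change makes the label match the value, but the recipient of an activation e-mail will recognise their login name far more readily than a numeric ID; if `$user` is the `WP_User` object that `$user->user_email` on the line above suggests, `$user->user_login` is available on the same object and the original wording can stand: `$email_msg .= __('Your account with username:','aiowpsecurity').$user->user_login.__(' is now active','aiowpsecurity')."\n";`. The enclosing method starts and ends outside the hunk.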
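--- a/admin/wp-security-spam-menu.php
+++ b/admin/wp-security-spam-menu.php
@@ -282,8 +282,8 @@ class AIOWPSecurity_Spam_Menu extends AIOWPSecurity_Admin_Menu
  ?>
  <form id="tables-filter" method="get" onSubmit="return confirm('Are you sure you want to perform this bulk operation on the selected entries?');">
  <!-- For plugins, we also need to ensure that the form posts back to our current page -->
- <input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
- <input type="hidden" name="tab" value="<?php echo $_REQUEST['tab']; ?>" />
+ <input type="hidden" name="page" value="<?php echo esc_attr($_REQUEST['page']); ?>" />
+ <input type="hidden" name="tab" value="<?php echo esc_attr($_REQUEST['tab']); ?>" />
  <!-- Now we can render the completed list table -->
  <?php $spammer_ip_list->display(); ?>
  </form>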
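Review bot: `$_REQUEST['tab']` is echoed unconditionally on the second changed line, whereas the dashboard and firewall menus in this same release guard the tab read with `if(isset($_REQUEST["tab"]))`, so loading this page without a `tab` query parameter emits an undefined-index notice and a hidden field with an empty value. Both parameters are really internal routing keys; validating the tab against the keys of the menu's tab map before echoing it would make the value trustworthy rather than merely escaped. A minimal guard is `<input type="hidden" name="tab" value="<?php echo esc_attr(isset($_REQUEST['tab']) ? $_REQUEST['tab'] : ''); ?>" />`. The enclosing render method starts and ends outside the hunk.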
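--- a/admin/wp-security-user-login-menu.php
+++ b/admin/wp-security-user-login-menu.php
@@ -304,8 +304,8 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
  ?>
  <form id="tables-filter" method="get" onSubmit="return confirm('Are you sure you want to perform this bulk operation on the selected entries?');">
  <!-- For plugins, we also need to ensure that the form posts back to our current page -->
- <input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
- <input type="hidden" name="tab" value="<?php echo $_REQUEST['tab']; ?>" />
+ <input type="hidden" name="page" value="<?php echo esc_attr($_REQUEST['page']); ?>" />
+ <input type="hidden" name="tab" value="<?php echo esc_attr($_REQUEST['tab']); ?>" />
  <!-- Now we can render the completed list table -->
  <?php $failed_login_list->display(); ?>
  </form>
@@ -438,8 +438,8 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
  ?>
  <form id="tables-filter" method="get" onSubmit="return confirm('Are you sure you want to perform this bulk operation on the selected entries?');">
  <!-- For plugins, we also need to ensure that the form posts back to our current page -->
- <input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
- <input type="hidden" name="tab" value="<?php echo $_REQUEST['tab']; ?>" />
+ <input type="hidden" name="page" value="<?php echo esc_attr($_REQUEST['page']); ?>" />
+ <input type="hidden" name="tab" value="<?php echo esc_attr($_REQUEST['tab']); ?>" />
  <!-- Now we can render the completed list table -->
  <?php $acct_activity_list->display(); ?>
  </form>
@@ -501,8 +501,8 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
  ?>
  <form id="tables-filter" method="get" onSubmit="return confirm('Are you sure you want to perform this bulk operation on the selected entries?');">
  <!-- For plugins, we also need to ensure that the form posts back to our current page -->
- <input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
- <input type="hidden" name="tab" value="<?php echo $_REQUEST['tab']; ?>" />
+ <input type="hidden" name="page" value="<?php echo esc_attr($_REQUEST['page']); ?>" />
+ <input type="hidden" name="tab" value="<?php echo esc_attr($_REQUEST['tab']); ?>" />
  <!-- Now we can render the completed list table -->
  <?php $user_list->display(); ?>
  </form>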
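Review bot: The same pair of hidden-field lines now appears three times in this file (and again in the spam and dashboard menus), each reading `$_REQUEST['page']` and `$_REQUEST['tab']` with no `isset()` guard, so every copy has to be kept correct separately. A small helper on the shared `AIOWPSecurity_Admin_Menu` parent that emits both fields from the menu's registered slug and its current tab would give one place to hold the guard, the validation against known tab keys, and the escaping. Until then, add the guard to each copy, e.g. `value="<?php echo esc_attr(isset($_REQUEST['tab']) ? $_REQUEST['tab'] : ''); ?>"`. Each enclosing render method starts and ends outside its hunk.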
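--- a/admin/wp-security-user-registration-menu.php
+++ b/admin/wp-security-user-registration-menu.php
@@ -155,7 +155,7 @@ class AIOWPSecurity_User_Registration_Menu extends AIOWPSecurity_Admin_Menu
  ?>
  <form id="tables-filter" method="get" onSubmit="return confirm('Are you sure you want to perform this bulk operation on the selected entries?');">
  <!-- For plugins, we also need to ensure that the form posts back to our current page -->
- <input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
+ <input type="hidden" name="page" value="<?php echo esc_attr($_REQUEST['page']); ?>" />
  <!-- Now we can render the completed list table -->
  <?php $user_list->display(); ?>
  </div></div>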
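--- a/classes/grade-system/wp-security-feature-item-manager.php
+++ b/classes/grade-system/wp-security-feature-item-manager.php
@@ -78,6 +78,7 @@ class AIOWPSecurity_Feature_Item_Manager
  //Basic firewall
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-basic-rules", __("Enable Basic Firewall", "aiowpsecurity"), $this->feature_point_3, $this->sec_level_basic);
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-pingback-rules", __("Enable Pingback Vulnerability Protection", "aiowpsecurity"), $this->feature_point_3, $this->sec_level_basic);
+ $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-block-debug-file-access", __("Block Accesss to Debug Log File", "aiowpsecurity"), $this->feature_point_2, $this->sec_level_inter);
  $this->feature_items[] = new AIOWPSecurity_Feature_Item("firewall-enable-404-blocking", __("Enable IP blocking for 404 detection", "aiowpsecurity"), $this->feature_point_1, $this->sec_level_inter);
  
  //Brute Force Menu Features
@@ -251,6 +252,11 @@ class AIOWPSecurity_Feature_Item_Manager
  $this->check_enable_pingback_firewall_feature($item);
  }
  
+ if($item->feature_id == "firewall-block-debug-file-access")
+ {
+ $this->check_debug_file_access_block_firewall_feature($item);
+ }
+
  if($item->feature_id == "firewall-enable-404-blocking")
  {
  $this->check_enable_404_blocking_feature($item);
@@ -611,6 +617,17 @@ class AIOWPSecurity_Feature_Item_Manager
  }
  }
  
+ function check_debug_file_access_block_firewall_feature($item)
+ {
+ global $aio_wp_security;
+ if ($aio_wp_security->configs->get_value('aiowps_block_debug_log_file_access') == '1') {
+ $item->set_feature_status($this->feature_active);
+ }
+ else
+ {
+ $item->set_feature_status($this->feature_inactive);
+ }
+ }
  
  function check_disable_trace_track_firewall_feature($item)
  {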
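Review bot: The new feature-item title carries a typo, `"Block Accesss to Debug Log File"`, and the same misspelling appears in the firewall menu's `<h3>` in this release; because `__()` looks translations up by the exact source string, fix both together so they stay one msgid: `__("Block Access to Debug Log File", "aiowpsecurity")`. `check_debug_file_access_block_firewall_feature` reports the feature as active purely from the saved checkbox value, so if the `.htaccess` write later fails the badge still reads active while nothing is enforced; that is presumably how the sibling check functions behave as well, but a short comment such as `// Status reflects the saved setting only, not whether the .htaccess rule was actually written` would keep the next reader from assuming otherwise. The class continues outside the hunks.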
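--- a/classes/wp-security-configure-settings.php
+++ b/classes/wp-security-configure-settings.php
@@ -70,12 +70,15 @@ class AIOWPSecurity_Configure_Settings
  //Firewall features
  $aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_enable_pingback_firewall','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_block_debug_log_file_access','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_disable_index_views','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_disable_trace_and_track','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_forbid_proxy_comments','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_deny_bad_query_strings','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_advanced_char_string_filter','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_enable_5g_firewall','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_enable_custom_rules','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_custom_rules','');
  
  //404 detection
  $aio_wp_security->configs->set_value('aiowps_enable_404_logging','');//Checkbox
@@ -190,12 +193,15 @@ class AIOWPSecurity_Configure_Settings
  //Firewall features
  $aio_wp_security->configs->add_value('aiowps_enable_basic_firewall','');//Checkbox
  $aio_wp_security->configs->add_value('aiowps_enable_pingback_firewall','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_block_debug_log_file_access','');//Checkbox
  $aio_wp_security->configs->add_value('aiowps_disable_index_views','');//Checkbox
  $aio_wp_security->configs->add_value('aiowps_disable_trace_and_track','');//Checkbox
  $aio_wp_security->configs->add_value('aiowps_forbid_proxy_comments','');//Checkbox
  $aio_wp_security->configs->add_value('aiowps_deny_bad_query_strings','');//Checkbox
  $aio_wp_security->configs->add_value('aiowps_advanced_char_string_filter','');//Checkbox
  $aio_wp_security->configs->add_value('aiowps_enable_5g_firewall','');//Checkbox
+ $aio_wp_security->configs->add_value('aiowps_enable_custom_rules','');//Checkbox
+ $aio_wp_security->configs->add_value('aiowps_custom_rules','');
  
  //404 detection
  $aio_wp_security->configs->add_value('aiowps_enable_404_logging','');//Checkbox
@@ -266,6 +272,7 @@ class AIOWPSecurity_Configure_Settings
  
  $aio_wp_security->configs->set_value('aiowps_enable_basic_firewall','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_enable_pingback_firewall','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_block_debug_log_file_access','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_disable_index_views','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_disable_trace_and_track','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_forbid_proxy_comments','');//Checkbox
@@ -273,6 +280,8 @@ class AIOWPSecurity_Configure_Settings
  $aio_wp_security->configs->set_value('aiowps_advanced_char_string_filter','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_enable_5g_firewall','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_enable_brute_force_attack_prevention','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_enable_custom_rules','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_custom_rules','');
  
  $aio_wp_security->configs->set_value('aiowps_prevent_default_wp_file_access','');//Checkbox
  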
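Review bot: In the second hunk (new line 196) the added `aiowps_block_debug_log_file_access` line calls `set_value()` while every neighbouring line in that block, including the two `aiowps_*custom_rules` lines added to the same block, uses `add_value()`. If `add_value()` is the add-only-if-absent variant that the block's otherwise uniform use of it suggests, this one call will reset the debug-log option to empty every time the block runs, e.g. on plugin upgrade, silently switching the protection off for users who had enabled it. The line should read `$aio_wp_security->configs->add_value('aiowps_block_debug_log_file_access','');//Checkbox`. The enclosing methods start and end outside the hunks.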
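--- a/classes/wp-security-deactivation-tasks.php
+++ b/classes/wp-security-deactivation-tasks.php
@@ -1,5 +1,7 @@
  <?php
  
+ include_once(dirname(__FILE__) . '/wp-security-configure-settings.php');//Allows activating via wp-cli
+
  class AIOWPSecurity_Deactivation
  {
  static function run_deactivation_tasks()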
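Review bot: The comment on the new include reads "Allows activating via wp-cli", but this file holds the deactivation tasks, so the copy from the installer should be adjusted: `include_once(dirname(__FILE__) . '/wp-security-configure-settings.php');//Ensure the settings class is loaded when deactivating via wp-cli`. If the class below genuinely depends on `AIOWPSecurity_Configure_Settings` being defined, `require_once` would fail at the include with a clear path error instead of deferring the failure to a "class not found" fatal inside the deactivation routine. The class body continues outside the hunk.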
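--- a/classes/wp-security-general-init-tasks.php
+++ b/classes/wp-security-general-init-tasks.php
@@ -7,7 +7,7 @@ class AIOWPSecurity_General_Init_Tasks
  
  if ($aio_wp_security->configs->get_value('aiowps_enable_rename_login_page') == '1') {
  add_action( 'widgets_init', array(&$this, 'remove_standard_wp_meta_widget' ));
- add_filter( 'aiowps_retrieve_password_message', array(&$this, 'decode_reset_pw_msg'), 10, 2); //Fix for non decoded html entities in password reset link
+ add_filter( 'retrieve_password_message', array(&$this, 'decode_reset_pw_msg'), 10, 4); //Fix for non decoded html entities in password reset link
  }
  
  add_action('admin_notices', array(&$this,'reapply_htaccess_rules_notice'));
@@ -397,10 +397,10 @@ class AIOWPSecurity_General_Init_Tasks
  }
  
  //This is a fix for cases when the password reset URL in the email was not decoding all html entities properly
- function decode_reset_pw_msg($message, $key)
+ function decode_reset_pw_msg($message, $key, $user_login, $user_data)
  {
  global $aio_wp_security;
  $message = html_entity_decode($message);
  return $message;
- }
+ }
  }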
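Review bot: `decode_reset_pw_msg` runs `html_entity_decode()` over the whole password-reset e-mail body rather than over the one URL that was HTML-escaped, so any `&amp;`, `&lt;` or similar sequence that legitimately occurs elsewhere in the plain-text message (site name, user login) is rewritten too. The escaping it undoes comes from `esc_url()` in the renamed-login-page class in this same release; building that URL with `esc_url_raw()`, the variant intended for non-HTML contexts such as e-mail, would make this filter unnecessary. If the filter stays, pass an explicit quote mode and charset, `$message = html_entity_decode($message, ENT_QUOTES, 'UTF-8');`, because the default charset differs between the PHP 5.3 and 5.4+ runtimes this plugin runs on, and drop the unused `global $aio_wp_security;`. The class continues outside both hunks.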
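--- a/classes/wp-security-installer.php
+++ b/classes/wp-security-installer.php
@@ -1,5 +1,7 @@
  <?php
  
+ include_once(dirname(__FILE__) . '/wp-security-configure-settings.php');//Allows activating via wp-cli
+
  class AIOWPSecurity_Installer
  {
  static function run_installer()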
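--- a/classes/wp-security-process-renamed-login-page.php
+++ b/classes/wp-security-process-renamed-login-page.php
@@ -64,6 +64,7 @@ class AIOWPSecurity_Process_Renamed_Login_Page
  }
  parse_str($args[1], $args);
  $url = esc_url(add_query_arg($args, AIOWPSecurity_Process_Renamed_Login_Page::new_login_url()));
+ $url = html_entity_decode($url);
  }else{
  $url = AIOWPSecurity_Process_Renamed_Login_Page::new_login_url();
  }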
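Review bot: `esc_url()` followed immediately by `html_entity_decode()` is a round trip through HTML escaping; `esc_url_raw()` yields the same sanitised URL without the `&amp;` encoding in one step and is the WordPress function for URLs headed to redirects, e-mail or other non-HTML output: `$url = esc_url_raw(add_query_arg($args, AIOWPSecurity_Process_Renamed_Login_Page::new_login_url()));`. `html_entity_decode()` is also not an exact inverse of `esc_url()`: it decodes entities that were part of the original query values produced by `parse_str()` as well, so a parameter that legitimately contains `&amp;` or `&lt;` changes meaning after this line. The enclosing method starts before and ends after the hunk.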
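--- a/classes/wp-security-utility-htaccess.php
+++ b/classes/wp-security-utility-htaccess.php
@@ -16,6 +16,9 @@ class AIOWPSecurity_Utility_Htaccess
 public static $pingback_htaccess_rules_marker_start = '#AIOWPS_PINGBACK_HTACCESS_RULES_START';
 public static $pingback_htaccess_rules_marker_end = '#AIOWPS_PINGBACK_HTACCESS_RULES_END';
 
+public static $debug_log_block_htaccess_rules_marker_start = '#AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_START';
+public static $debug_log_block_htaccess_rules_marker_end = '#AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_END';
+
 public static $user_agent_blacklist_marker_start = '#AIOWPS_USER_AGENT_BLACKLIST_START';
 public static $user_agent_blacklist_marker_end = '#AIOWPS_USER_AGENT_BLACKLIST_END';
 
@@ -48,7 +51,10 @@ class AIOWPSecurity_Utility_Htaccess
 
 public static $prevent_image_hotlinks_marker_start = '#AIOWPS_PREVENT_IMAGE_HOTLINKS_START';
 public static $prevent_image_hotlinks_marker_end = '#AIOWPS_PREVENT_IMAGE_HOTLINKS_END';
-
+
+public static $custom_rules_marker_start = '#AIOWPS_CUSTOM_RULES_START';
+public static $custom_rules_marker_end = '#AIOWPS_CUSTOM_RULES_END';
+
 // TODO - enter more markers as new .htaccess features are added
 
 function __construct(){
@@ -193,6 +199,7 @@ class AIOWPSecurity_Utility_Htaccess
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_block_wp_file_access();
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_basic_htaccess();
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_pingback_htaccess();
+$rules .= AIOWPSecurity_Utility_Htaccess::getrules_block_debug_log_access_htaccess();
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_disable_index_views();
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_blacklist();
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_disable_trace_and_track();
@@ -204,6 +211,7 @@ class AIOWPSecurity_Utility_Htaccess
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_block_spambots();
 $rules .= AIOWPSecurity_Utility_Htaccess::getrules_enable_login_whitelist();
 $rules .= AIOWPSecurity_Utility_Htaccess::prevent_image_hotlinks();
+$rules .= AIOWPSecurity_Utility_Htaccess::getrules_custom_rules();
 //TODO: The following utility functions are ready to use when we write the menu pages for these features
 
 //Add more functions for features as needed
@@ -423,7 +431,6 @@ class AIOWPSecurity_Utility_Htaccess
 if($aio_wp_security->configs->get_value('aiowps_enable_pingback_firewall')=='1')
 {
 $rules .= AIOWPSecurity_Utility_Htaccess::$pingback_htaccess_rules_marker_start . PHP_EOL; //Add feature marker start
-//protect the htaccess file - this is done by default with apache config file but we are including it here for good measure
 $rules .= '<Files xmlrpc.php>' . PHP_EOL;
 $rules .= 'order deny,allow' . PHP_EOL;
 $rules .= 'deny from all' . PHP_EOL;
@@ -434,6 +441,23 @@ class AIOWPSecurity_Utility_Htaccess
 return $rules;
 }
 
+static function getrules_block_debug_log_access_htaccess()
+{
+global $aio_wp_security;
+
+$rules = '';
+if($aio_wp_security->configs->get_value('aiowps_block_debug_log_file_access')=='1')
+{
+$rules .= AIOWPSecurity_Utility_Htaccess::$debug_log_block_htaccess_rules_marker_start . PHP_EOL; //Add feature marker start
+$rules .= '<Files debug.log>' . PHP_EOL;
+$rules .= 'order deny,allow' . PHP_EOL;
+$rules .= 'deny from all' . PHP_EOL;
+$rules .= '</Files>' . PHP_EOL;
+$rules .= AIOWPSecurity_Utility_Htaccess::$debug_log_block_htaccess_rules_marker_end . PHP_EOL; //Add feature marker end
+}
+return $rules;
+}
+
 /*
 * This function will write some drectives to block all people who do not have a cookie
 * when trying to access the WP login page
@@ -933,6 +957,26 @@ class AIOWPSecurity_Utility_Htaccess
 return $rules;
 }
 
+/**
+* This function will write any custom htaccess rules into the server's .htaccess file
+* @return string
+*/
+static function getrules_custom_rules()
+{
+global $aio_wp_security;
+$rules = '';
+if($aio_wp_security->configs->get_value('aiowps_enable_custom_rules')=='1')
+{
+$custom_rules = $aio_wp_security->configs->get_value('aiowps_custom_rules');
+$rules .= AIOWPSecurity_Utility_Htaccess::$custom_rules_marker_start . PHP_EOL; //Add feature marker start
+$rules .= $custom_rules . PHP_EOL;
+$rules .= AIOWPSecurity_Utility_Htaccess::$custom_rules_marker_end . PHP_EOL; //Add feature marker end
+}
+
+return $rules;
+}
+
+
 /*
 * This function will do a quick check to see if a file's contents are actually .htaccess specific.
 * At the moment it will look for the following tag somewhere in the file - "# BEGIN WordPress"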
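Review bot: `getrules_custom_rules()` writes the stored `aiowps_custom_rules` option into the rules verbatim, so a value that itself contains `#AIOWPS_CUSTOM_RULES_END` (or any other feature's marker) would, assuming the marker-based section handling elsewhere in this class scans for those strings, split the block at the wrong place on the next rewrite; a guard before the append such as `$custom_rules = trim($custom_rules); if (strpos($custom_rules, AIOWPSecurity_Utility_Htaccess::$custom_rules_marker_end) !== false) { return ''; }` keeps the markers unambiguous. An unparseable directive in that option also makes Apache fail every request, including the admin screens needed to undo it, so a comment like `// Written as-is: a syntax error here takes the whole site down (500); the settings page must warn and keep a backup` would record that expectation for whoever builds the menu page. `getrules_block_debug_log_access_htaccess()` has no docblock, unlike its sibling `getrules_custom_rules()`; `/** Block direct HTTP access to debug.log when 'aiowps_block_debug_log_file_access' is enabled. @return string */` would match the file's style.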
other-includes/wp-security-rename-login-feature.php CHANGED
@@ -8,387 +8,406 @@
8
  * @package WordPress
9
  */
10
 
 
11
  // Redirect to https login if forced to use SSL
12
  if ( force_ssl_admin() && ! is_ssl() ) {
13
- if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
14
- wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
15
- exit();
16
- } else {
17
- wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
18
- exit();
19
- }
20
  }
21
 
22
  /**
23
  * Output the login page header.
24
  *
25
- * @param string $title Optional. WordPress Log In Page title to display in <title/> element. Default 'Log In'.
26
- * @param string $message Optional. Message to display in header. Default empty.
27
- * @param string $wp_error Optional. The error to pass. Default empty.
28
- * @param WP_Error $wp_error Optional. WordPress Error Object
29
  */
30
  function login_header( $title = 'Log In', $message = '', $wp_error = '' ) {
31
- global $error, $interim_login, $action;
32
-
33
- // Don't index any of these forms
34
- add_action( 'login_head', 'wp_no_robots' );
35
-
36
- if ( wp_is_mobile() )
37
- add_action( 'login_head', 'wp_login_viewport_meta' );
38
-
39
- if ( empty($wp_error) )
40
- $wp_error = new WP_Error();
41
-
42
- // Shake it!
43
- $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
44
- /**
45
- * Filter the error codes array for shaking the login form.
46
- *
47
- * @since 3.0.0
48
- *
49
- * @param array $shake_error_codes Error codes that shake the login form.
50
- */
51
- $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
52
-
53
- if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
54
- add_action( 'login_head', 'wp_shake_js', 12 );
55
-
56
- ?><!DOCTYPE html>
57
- <!--[if IE 8]>
58
- <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" <?php language_attributes(); ?>>
59
- <![endif]-->
60
- <!--[if !(IE 8) ]><!-->
61
- <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
62
- <!--<![endif]-->
63
- <head>
64
- <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
65
- <title><?php bloginfo('name'); ?> &rsaquo; <?php echo $title; ?></title>
66
- <?php
67
 
68
- wp_admin_css( 'login', true );
69
-
70
- // Remove all stored post data on logging out.
71
- // This could be added by add_action('login_head'...) like wp_shake_js()
72
- // but maybe better if it's not removable by plugins
73
- if ( 'loggedout' == $wp_error->get_error_code() ) {
74
- ?>
75
- <script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script>
76
- <?php
77
- }
78
-
79
- /**
80
- * Enqueue scripts and styles for the login page.
81
- *
82
- * @since 3.1.0
83
- */
84
- do_action( 'login_enqueue_scripts' );
85
- /**
86
- * Fires in the login page header after scripts are enqueued.
87
- *
88
- * @since 2.1.0
89
- */
90
- do_action( 'login_head' );
91
-
92
- if ( is_multisite() ) {
93
- $login_header_url = network_home_url();
94
- $login_header_title = get_current_site()->site_name;
95
- } else {
96
- $login_header_url = __( 'https://wordpress.org/' );
97
- $login_header_title = __( 'Powered by WordPress' );
98
- }
99
-
100
- /**
101
- * Filter link URL of the header logo above login form.
102
- *
103
- * @since 2.1.0
104
- *
105
- * @param string $login_header_url Login header logo URL.
106
- */
107
- $login_header_url = apply_filters( 'login_headerurl', $login_header_url );
108
- /**
109
- * Filter the title attribute of the header logo above login form.
110
- *
111
- * @since 2.1.0
112
- *
113
- * @param string $login_header_title Login header logo title attribute.
114
- */
115
- $login_header_title = apply_filters( 'login_headertitle', $login_header_title );
116
-
117
- $classes = array( 'login-action-' . $action, 'wp-core-ui' );
118
- if ( wp_is_mobile() )
119
- $classes[] = 'mobile';
120
- if ( is_rtl() )
121
- $classes[] = 'rtl';
122
- if ( $interim_login ) {
123
- $classes[] = 'interim-login';
124
- ?>
125
- <style type="text/css">html{background-color: transparent;}</style>
126
- <?php
127
-
128
- if ( 'success' === $interim_login )
129
- $classes[] = 'interim-login-success';
130
- }
131
- $classes[] =' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) );
132
-
133
- /**
134
- * Filter the login page body classes.
135
- *
136
- * @since 3.5.0
137
- *
138
- * @param array $classes An array of body classes.
139
- * @param string $action The action that brought the visitor to the login page.
140
- */
141
- $classes = apply_filters( 'login_body_class', $classes, $action );
142
-
143
- ?>
144
- </head>
145
- <body class="login <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
146
- <div id="login">
147
- <h1><a href="<?php echo esc_url( $login_header_url ); ?>" title="<?php echo esc_attr( $login_header_title ); ?>"><?php bloginfo( 'name' ); ?></a></h1>
148
- <?php
149
 
150
- unset( $login_header_url, $login_header_title );
151
-
152
- /**
153
- * Filter the message to display above the login form.
154
- *
155
- * @since 2.1.0
156
- *
157
- * @param string $message Login message text.
158
- */
159
- $message = apply_filters( 'login_message', $message );
160
- if ( !empty( $message ) )
161
- echo $message . "\n";
162
-
163
- // In case a plugin uses $error rather than the $wp_errors object
164
- if ( !empty( $error ) ) {
165
- $wp_error->add('error', $error);
166
- unset($error);
167
- }
168
-
169
- if ( $wp_error->get_error_code() ) {
170
- $errors = '';
171
- $messages = '';
172
- foreach ( $wp_error->get_error_codes() as $code ) {
173
- $severity = $wp_error->get_error_data($code);
174
- foreach ( $wp_error->get_error_messages($code) as $error ) {
175
- if ( 'message' == $severity )
176
- $messages .= ' ' . $error . "<br />\n";
177
- else
178
- $errors .= ' ' . $error . "<br />\n";
179
- }
180
- }
181
- if ( ! empty( $errors ) ) {
182
- /**
183
- * Filter the error messages displayed above the login form.
184
- *
185
- * @since 2.1.0
186
- *
187
- * @param string $errors Login error message.
188
- */
189
- echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n";
190
- }
191
- if ( ! empty( $messages ) ) {
192
- /**
193
- * Filter instructional messages displayed above the login form.
194
- *
195
- * @since 2.5.0
196
- *
197
- * @param string $messages Login messages.
198
- */
199
- echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
200
- }
201
- }
202
- } // End of login_header()
203
 
 
 
204
  /**
205
- * Outputs the footer for the login page.
206
  *
207
- * @param string $input_id Which input to auto-focus
 
 
208
  */
209
- function login_footer($input_id = '') {
210
- global $interim_login;
211
-
212
- // Don't allow interim logins to navigate away from the page.
213
- if ( ! $interim_login ): ?>
214
- <p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>" title="<?php esc_attr_e( 'Are you lost?' ); ?>"><?php printf( __( '&larr; Back to %s' ), get_bloginfo( 'title', 'display' ) ); ?></a></p>
215
- <?php endif; ?>
216
-
217
- </div>
218
-
219
- <?php if ( !empty($input_id) ) : ?>
220
- <script type="text/javascript">
221
- try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e){}
222
- if(typeof wpOnload=='function')wpOnload();
223
- </script>
224
- <?php endif; ?>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
225
 
226
- <?php
227
- /**
228
- * Fires in the login page footer.
229
- *
230
- * @since 3.1.0
231
- */
232
- do_action( 'login_footer' ); ?>
233
- <div class="clear"></div>
234
- </body>
235
- </html>
236
- <?php
237
  }
238
 
 
 
 
239
  function wp_shake_js() {
240
- if ( wp_is_mobile() )
241
- return;
242
- ?>
243
- <script type="text/javascript">
244
- addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
245
- function s(id,pos){g(id).left=pos+'px';}
246
- function g(id){return document.getElementById(id).style;}
247
- function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}
248
- addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});
249
- </script>
250
  <?php
251
  }
252
 
 
 
 
253
  function wp_login_viewport_meta() {
254
- ?>
255
- <meta name="viewport" content="width=device-width" />
256
- <?php
257
  }
258
 
259
  /**
260
  * Handles sending password retrieval email to user.
261
  *
262
- * @uses $wpdb WordPress Database object
 
263
  *
264
  * @return bool|WP_Error True: when finish. WP_Error on error
265
  */
266
  function retrieve_password() {
267
- global $wpdb, $wp_hasher;
268
-
269
- $errors = new WP_Error();
270
-
271
- if ( empty( $_POST['user_login'] ) ) {
272
- $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or e-mail address.'));
273
- } else if ( strpos( $_POST['user_login'], '@' ) ) {
274
- $user_data = get_user_by( 'email', trim( $_POST['user_login'] ) );
275
- if ( empty( $user_data ) )
276
- $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
277
- } else {
278
- $login = trim($_POST['user_login']);
279
- $user_data = get_user_by('login', $login);
280
- }
281
-
282
- /**
283
- * Fires before errors are returned from a password reset request.
284
- *
285
- * @since 2.1.0
286
- */
287
- do_action( 'lostpassword_post' );
288
-
289
- if ( $errors->get_error_code() )
290
- return $errors;
291
-
292
- if ( !$user_data ) {
293
- $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or e-mail.'));
294
- return $errors;
295
- }
296
-
297
- // redefining user_login ensures we return the right case in the email
298
- $user_login = $user_data->user_login;
299
- $user_email = $user_data->user_email;
300
-
301
- /**
302
- * Fires before a new password is retrieved.
303
- *
304
- * @since 1.5.0
305
- * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
306
- *
307
- * @param string $user_login The user login name.
308
- */
309
- do_action( 'retreive_password', $user_login );
310
- /**
311
- * Fires before a new password is retrieved.
312
- *
313
- * @since 1.5.1
314
- *
315
- * @param string $user_login The user login name.
316
- */
317
- do_action( 'retrieve_password', $user_login );
318
-
319
- /**
320
- * Filter whether to allow a password to be reset.
321
- *
322
- * @since 2.7.0
323
- *
324
- * @param bool true Whether to allow the password to be reset. Default true.
325
- * @param int $user_data->ID The ID of the user attempting to reset a password.
326
- */
327
- $allow = apply_filters( 'allow_password_reset', true, $user_data->ID );
328
-
329
- if ( ! $allow )
330
- return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
331
- else if ( is_wp_error($allow) )
332
- return $allow;
333
-
334
- // Generate something random for a password reset key.
335
- $key = wp_generate_password( 20, false );
336
-
337
- /**
338
- * Fires when a password reset key is generated.
339
- *
340
- * @since 2.5.0
341
- *
342
- * @param string $user_login The username for the user.
343
- * @param string $key The generated password reset key.
344
- */
345
- do_action( 'retrieve_password_key', $user_login, $key );
346
-
347
- // Now insert the key, hashed, into the DB.
348
- if ( empty( $wp_hasher ) ) {
349
- require_once ABSPATH . 'wp-includes/class-phpass.php';
350
- $wp_hasher = new PasswordHash( 8, true );
351
- }
352
- $hashed = $wp_hasher->HashPassword( $key );
353
- $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
354
-
355
- $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
356
- $message .= network_home_url( '/' ) . "\r\n\r\n";
357
- $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
358
- $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
359
- $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
360
- $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
361
-
362
- if ( is_multisite() )
363
- $blogname = $GLOBALS['current_site']->site_name;
364
- else
365
- // The blogname option is escaped with esc_html on the way into the database in sanitize_option
366
- // we want to reverse this for the plain text arena of emails.
367
- $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
368
-
369
- $title = sprintf( __('[%s] Password Reset'), $blogname );
370
-
371
- /**
372
- * Filter the subject of the password reset email.
373
- *
374
- * @since 2.8.0
375
- *
376
- * @param string $title Default email title.
377
- */
378
- $title = apply_filters( 'retrieve_password_title', $title );
379
- /**
380
- * Filter the message body of the password reset mail.
381
- *
382
- * @since 2.8.0
383
- *
384
- * @param string $message Default mail message.
385
- * @param string $key The activation key.
386
- */
387
- $message = apply_filters( 'aiowps_retrieve_password_message', $message, $key );
388
- if ( $message && !wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) )
389
- wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') );
390
-
391
- return true;
 
 
 
 
 
 
 
 
 
392
  }
393
 
394
  //
@@ -399,29 +418,30 @@ $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
399
  $errors = new WP_Error();
400
 
401
  if ( isset($_GET['key']) )
402
- $action = 'resetpass';
403
 
404
  // validate action so as to default to the login screen
405
  if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )
406
- $action = 'login';
407
 
408
  nocache_headers();
409
 
410
  header('Content-Type: '.get_bloginfo('html_type').'; charset='.get_bloginfo('charset'));
411
 
412
  if ( defined( 'RELOCATE' ) && RELOCATE ) { // Move flag is set
413
- if ( isset( $_SERVER['PATH_INFO'] ) && ($_SERVER['PATH_INFO'] != $_SERVER['PHP_SELF']) )
414
- $_SERVER['PHP_SELF'] = str_replace( $_SERVER['PATH_INFO'], '', $_SERVER['PHP_SELF'] );
415
 
416
- $url = dirname( set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] ) );
417
- if ( $url != get_option( 'siteurl' ) )
418
- update_option( 'siteurl', $url );
419
  }
420
 
421
  //Set a cookie now to see if they are supported by the browser.
422
- setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
 
423
  if ( SITECOOKIEPATH != COOKIEPATH )
424
- setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
425
 
426
  /**
427
  * Fires when the login form is initialized.
@@ -432,7 +452,7 @@ do_action( 'login_init' );
432
  /**
433
  * Fires before a specified login form action.
434
  *
435
- * The dynamic portion of the hook name, $action, refers to the action
436
  * that brought the visitor to the login form. Actions include 'postpass',
437
  * 'logout', 'lostpassword', etc.
438
  *
@@ -445,497 +465,532 @@ $interim_login = isset($_REQUEST['interim-login']);
445
 
446
  switch ($action) {
447
 
448
- case 'postpass' :
449
- require_once ABSPATH . 'wp-includes/class-phpass.php';
450
- $hasher = new PasswordHash( 8, true );
451
-
452
- /**
453
- * Filter the life span of the post password cookie.
454
- *
455
- * By default, the cookie expires 10 days from creation. To turn this
456
- * into a session cookie, return 0.
457
- *
458
- * @since 3.7.0
459
- *
460
- * @param int $expires The expiry time, as passed to setcookie().
461
- */
462
- $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
463
- setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH );
464
-
465
- wp_safe_redirect( wp_get_referer() );
466
- exit();
467
-
468
- break;
469
-
470
- case 'logout' :
471
- check_admin_referer('log-out');
472
- wp_logout();
473
-
474
- $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?loggedout=true';
475
- wp_safe_redirect( $redirect_to );
476
- exit();
477
-
478
- break;
479
-
480
- case 'lostpassword' :
481
- case 'retrievepassword' :
482
-
483
- if ( $http_post ) {
484
- $errors = retrieve_password();
485
- if ( !is_wp_error($errors) ) {
486
- $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm';
487
- wp_safe_redirect( $redirect_to );
488
- exit();
489
- }
490
- }
491
-
492
- if ( isset( $_GET['error'] ) ) {
493
- if ( 'invalidkey' == $_GET['error'] )
494
- $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) );
495
- elseif ( 'expiredkey' == $_GET['error'] )
496
- $errors->add( 'expiredkey', __( 'Sorry, that key has expired. Please try again.' ) );
497
- }
498
-
499
- $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
500
- /**
501
- * Filter the URL redirected to after submitting the lostpassword/retrievepassword form.
502
- *
503
- * @since 3.0.0
504
- *
505
- * @param string $lostpassword_redirect The redirect destination URL.
506
- */
507
- $redirect_to = apply_filters( 'lostpassword_redirect', $lostpassword_redirect );
508
-
509
- /**
510
- * Fires before the lost password form.
511
- *
512
- * @since 1.5.1
513
- */
514
- do_action( 'lost_password' );
515
-
516
- login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors);
517
-
518
- $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
519
-
520
- ?>
521
-
522
- <form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post">
523
- <p>
524
- <label for="user_login" ><?php _e('Username or E-mail:') ?><br />
525
- <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>
526
- </p>
527
- <?php
528
- /**
529
- * Fires inside the lostpassword <form> tags, before the hidden fields.
530
- *
531
- * @since 2.1.0
532
- */
533
- do_action( 'lostpassword_form' ); ?>
534
- <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
535
- <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Get New Password'); ?>" /></p>
536
- </form>
537
-
538
- <p id="nav">
539
- <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e('Log in') ?></a>
540
- <?php
541
- if ( get_option( 'users_can_register' ) ) :
542
- $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
543
- /**
544
- * Filter the registration URL below the login form.
545
- *
546
- * @since 1.5.0
547
- *
548
- * @param string $registration_url Registration URL.
549
- */
550
- echo ' | ' . apply_filters( 'register', $registration_url );
551
- endif;
552
- ?>
553
- </p>
554
-
555
- <?php
556
- login_footer('user_login');
557
- break;
558
-
559
- case 'resetpass' :
560
- case 'rp' :
561
- $user = check_password_reset_key($_GET['key'], $_GET['login']);
562
-
563
- if ( is_wp_error($user) ) {
564
- if ( $user->get_error_code() === 'expired_key' )
565
- wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
566
- else
567
- wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );
568
- exit;
569
- }
570
-
571
- $errors = new WP_Error();
572
-
573
- if ( isset($_POST['pass1']) && $_POST['pass1'] != $_POST['pass2'] )
574
- $errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) );
575
-
576
- /**
577
- * Fires before the password reset procedure is validated.
578
- *
579
- * @since 3.5.0
580
- *
581
- * @param object $errors WP Error object.
582
- * @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise.
583
- */
584
- do_action( 'validate_password_reset', $errors, $user );
585
-
586
- if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) {
587
- reset_password($user, $_POST['pass1']);
588
- login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' );
589
- login_footer();
590
- exit;
591
- }
592
-
593
- wp_enqueue_script('utils');
594
- wp_enqueue_script('user-profile');
595
-
596
- login_header(__('Reset Password'), '<p class="message reset-pass">' . __('Enter your new password below.') . '</p>', $errors );
597
-
598
- ?>
599
- <form name="resetpassform" id="resetpassform" action="<?php echo esc_url( site_url( 'wp-login.php?action=resetpass&key=' . urlencode( $_GET['key'] ) . '&login=' . urlencode( $_GET['login'] ), 'login_post' ) ); ?>" method="post" autocomplete="off">
600
- <input type="hidden" id="user_login" value="<?php echo esc_attr( $_GET['login'] ); ?>" autocomplete="off" />
601
-
602
- <p>
603
- <label for="pass1"><?php _e('New password') ?><br />
604
- <input type="password" name="pass1" id="pass1" class="input" size="20" value="" autocomplete="off" /></label>
605
- </p>
606
- <p>
607
- <label for="pass2"><?php _e('Confirm new password') ?><br />
608
- <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="off" /></label>
609
- </p>
610
-
611
- <div id="pass-strength-result" class="hide-if-no-js"><?php _e('Strength indicator'); ?></div>
612
- <p class="description indicator-hint"><?php _e('Hint: The password should be at least seven characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ &amp; ).'); ?></p>
613
-
614
- <br class="clear" />
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
615
 
616
- <?php
617
- /**
618
- * Fires following the 'Strength indicator' meter in the user password reset form.
619
- *
620
- * @since 3.9.0
621
- *
622
- * @param WP_User $user User object of the user whose password is being reset.
623
- */
624
- do_action( 'resetpass_form', $user );
625
- ?>
626
- <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Reset Password'); ?>" /></p>
627
- </form>
628
-
629
- <p id="nav">
630
- <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
631
- <?php
632
- if ( get_option( 'users_can_register' ) ) :
633
- $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
634
- /** This filter is documented in wp-login.php */
635
- echo ' | ' . apply_filters( 'register', $registration_url );
636
- endif;
637
- ?>
638
- </p>
639
-
640
- <?php
641
- login_footer('user_pass');
642
- break;
643
-
644
- case 'register' :
645
- if ( is_multisite() ) {
646
- $sign_up_url = network_site_url( 'wp-signup.php' );
647
- /**
648
- * Filter the Multisite sign up URL.
649
- *
650
- * @since 3.0.0
651
- *
652
- * @param string $sign_up_url The sign up URL.
653
- */
654
- wp_redirect( apply_filters( 'wp_signup_location', $sign_up_url ) );
655
- exit;
656
- }
657
-
658
- if ( !get_option('users_can_register') ) {
659
- wp_redirect( site_url('wp-login.php?registration=disabled') );
660
- exit();
661
- }
662
-
663
- $user_login = '';
664
- $user_email = '';
665
- if ( $http_post ) {
666
- $user_login = $_POST['user_login'];
667
- $user_email = $_POST['user_email'];
668
- $errors = register_new_user($user_login, $user_email);
669
- if ( !is_wp_error($errors) ) {
670
- $redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : 'wp-login.php?checkemail=registered';
671
- wp_safe_redirect( $redirect_to );
672
- exit();
673
- }
674
- }
675
-
676
- $registration_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
677
- /**
678
- * Filter the registration redirect URL.
679
- *
680
- * @since 3.0.0
681
- *
682
- * @param string $registration_redirect The redirect destination URL.
683
- */
684
- $redirect_to = apply_filters( 'registration_redirect', $registration_redirect );
685
- login_header(__('Registration Form'), '<p class="message register">' . __('Register For This Site') . '</p>', $errors);
686
- ?>
687
-
688
- <form name="registerform" id="registerform" action="<?php echo esc_url( site_url('wp-login.php?action=register', 'login_post') ); ?>" method="post">
689
- <p>
690
- <label for="user_login"><?php _e('Username') ?><br />
691
- <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label>
692
- </p>
693
- <p>
694
- <label for="user_email"><?php _e('E-mail') ?><br />
695
- <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(wp_unslash($user_email)); ?>" size="25" /></label>
696
- </p>
697
- <?php
698
- /**
699
- * Fires following the 'E-mail' field in the user registration form.
700
- *
701
- * @since 2.1.0
702
- */
703
- do_action( 'register_form' );
704
- ?>
705
- <p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p>
706
- <br class="clear" />
707
- <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
708
- <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Register'); ?>" /></p>
709
- </form>
710
-
711
- <p id="nav">
712
- <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> |
713
- <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>" title="<?php esc_attr_e( 'Password Lost and Found' ) ?>"><?php _e( 'Lost your password?' ); ?></a>
714
- </p>
715
-
716
- <?php
717
- login_footer('user_login');
718
- break;
719
-
720
- case 'login' :
721
- default:
722
- $secure_cookie = '';
723
- $customize_login = isset( $_REQUEST['customize-login'] );
724
- if ( $customize_login )
725
- wp_enqueue_script( 'customize-base' );
726
-
727
- // If the user wants ssl but the session is not ssl, force a secure cookie.
728
- if ( !empty($_POST['log']) && !force_ssl_admin() ) {
729
- $user_name = sanitize_user($_POST['log']);
730
- if ( $user = get_user_by('login', $user_name) ) {
731
- if ( get_user_option('use_ssl', $user->ID) ) {
732
- $secure_cookie = true;
733
- force_ssl_admin(true);
734
- }
735
- }
736
- }
737
-
738
- if ( isset( $_REQUEST['redirect_to'] ) ) {
739
- $redirect_to = $_REQUEST['redirect_to'];
740
- // Redirect to https if user wants ssl
741
- if ( $secure_cookie && false !== strpos($redirect_to, 'wp-admin') )
742
- $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);
743
- } else {
744
- $redirect_to = admin_url();
745
- }
746
-
747
- $reauth = empty($_REQUEST['reauth']) ? false : true;
748
-
749
- // If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
750
- // cookie and redirect back to the referring non-secure admin page. This allows logins to always be POSTed over SSL while allowing the user to choose visiting
751
- // the admin via http or https.
752
- if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) )
753
- $secure_cookie = false;
754
-
755
- $user = wp_signon( '', $secure_cookie );
756
-
757
- if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
758
- if ( headers_sent() ) {
759
- $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ),
760
- __( 'http://codex.wordpress.org/Cookies' ), __( 'https://wordpress.org/support/' ) ) );
761
- } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) {
762
- // If cookies are disabled we can't log in even with a valid user+pass
763
- $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ),
764
- __( 'http://codex.wordpress.org/Cookies' ) ) );
765
- }
766
- }
767
-
768
- $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
769
- /**
770
- * Filter the login redirect URL.
771
- *
772
- * @since 3.0.0
773
- *
774
- * @param string $redirect_to The redirect destination URL.
775
- * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter.
776
- * @param WP_User|WP_Error $user WP_User object if login was successful, WP_Error object otherwise.
777
- */
778
- $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
779
-
780
- if ( !is_wp_error($user) && !$reauth ) {
781
- if ( $interim_login ) {
782
- $message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
783
- $interim_login = 'success';
784
- login_header( '', $message ); ?>
785
  </div>
786
  <?php
787
- /** This action is documented in wp-login.php */
788
- do_action( 'login_footer' ); ?>
789
- <?php if ( $customize_login ) : ?>
790
- <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
791
- <?php endif; ?>
792
  </body></html>
793
  <?php exit;
794
- }
795
-
796
- if ( ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) ) {
797
- // If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile.
798
- if ( is_multisite() && !get_active_blog_for_user($user->ID) && !is_super_admin( $user->ID ) )
799
- $redirect_to = user_admin_url();
800
- elseif ( is_multisite() && !$user->has_cap('read') )
801
- $redirect_to = get_dashboard_url( $user->ID );
802
- elseif ( !$user->has_cap('edit_posts') )
803
- $redirect_to = admin_url('profile.php');
804
- }
805
- wp_safe_redirect($redirect_to);
806
- exit();
807
- }
808
-
809
- $errors = $user;
810
- // Clear errors if loggedout is set.
811
- if ( !empty($_GET['loggedout']) || $reauth )
812
- $errors = new WP_Error();
813
-
814
- if ( $interim_login ) {
815
- if ( ! $errors->get_error_code() )
816
- $errors->add('expired', __('Session expired. Please log in again. You will not move away from this page.'), 'message');
817
- } else {
818
- // Some parts of this script use the main login form to display a message
819
- if ( isset($_GET['loggedout']) && true == $_GET['loggedout'] )
820
- $errors->add('loggedout', __('You are now logged out.'), 'message');
821
- elseif ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] )
822
- $errors->add('registerdisabled', __('User registration is currently not allowed.'));
823
- elseif ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] )
824
- $errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message');
825
- elseif ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] )
826
- $errors->add('newpass', __('Check your e-mail for your new password.'), 'message');
827
- elseif ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] )
828
- $errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message');
829
- elseif ( strpos( $redirect_to, 'about.php?updated' ) )
830
- $errors->add('updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to experience the awesomeness.' ), 'message' );
831
- }
832
-
833
- /**
834
- * Filter the login page errors.
835
- *
836
- * @since 3.6.0
837
- *
838
- * @param object $errors WP Error object.
839
- * @param string $redirect_to Redirect destination URL.
840
- */
841
- $errors = apply_filters( 'wp_login_errors', $errors, $redirect_to );
842
-
843
- // Clear any stale cookies.
844
- if ( $reauth )
845
- wp_clear_auth_cookie();
846
-
847
- login_header(__('Log In'), '', $errors);
848
-
849
- $user_login = '';
850
- if ( isset($_POST['log']) )
851
- $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : '';
852
- $rememberme = ! empty( $_POST['rememberme'] );
853
- ?>
 
 
 
 
 
854
 
855
  <form name="loginform" id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post">
856
  <p>
857
  <label for="user_login"><?php _e('Username') ?><br />
858
- <input type="text" name="log" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>
859
  </p>
860
  <p>
861
  <label for="user_pass"><?php _e('Password') ?><br />
862
- <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
863
  </p>
864
  <?php
865
- /**
866
- * Fires following the 'Password' field in the login form.
867
- *
868
- * @since 2.1.0
869
- */
870
- do_action( 'login_form' );
871
- ?>
872
  <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" <?php checked( $rememberme ); ?> /> <?php esc_attr_e('Remember Me'); ?></label></p>
873
  <p class="submit">
874
  <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Log In'); ?>" />
875
  <?php if ( $interim_login ) { ?>
876
- <input type="hidden" name="interim-login" value="1" />
877
- <?php } else { ?>
878
- <input type="hidden" name="redirect_to" value="<?php echo esc_attr($redirect_to); ?>" />
879
- <?php } ?>
880
- <?php if ( $customize_login ) : ?>
881
- <input type="hidden" name="customize-login" value="1" />
882
- <?php endif; ?>
883
  <input type="hidden" name="testcookie" value="1" />
884
  </p>
885
  </form>
886
 
887
  <?php if ( ! $interim_login ) { ?>
888
- <p id="nav">
889
- <?php if ( ! isset( $_GET['checkemail'] ) || ! in_array( $_GET['checkemail'], array( 'confirm', 'newpass' ) ) ) :
890
- if ( get_option( 'users_can_register' ) ) :
891
- $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
892
- /** This filter is documented in wp-login.php */
893
- echo apply_filters( 'register', $registration_url ) . ' | ';
894
- endif;
895
- ?>
896
- <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>" title="<?php esc_attr_e( 'Password Lost and Found' ); ?>"><?php _e( 'Lost your password?' ); ?></a>
897
- <?php endif; ?>
898
- </p>
899
- <?php } ?>
 
900
 
901
  <script type="text/javascript">
902
  function wp_attempt_focus(){
903
  setTimeout( function(){ try{
904
- <?php if ( $user_login || $interim_login ) { ?>
905
- d = document.getElementById('user_pass');
906
- d.value = '';
907
- <?php } else { ?>
908
- d = document.getElementById('user_login');
909
- <?php if ( 'invalid_username' == $errors->get_error_code() ) { ?>
910
- if( d.value != '' )
911
- d.value = '';
912
- <?php
913
- }
914
- }?>
915
  d.focus();
916
  d.select();
917
  } catch(e){}
918
  }, 200);
919
  }
920
 
921
- <?php if ( ! empty( $errors ) ) { ?>
922
- wp_attempt_focus();
923
- <?php } ?>
924
  if(typeof wpOnload=='function')wpOnload();
925
  <?php if ( $interim_login ) { ?>
926
- (function(){
927
- try {
928
- var i, links = document.getElementsByTagName('a');
929
- for ( i in links ) {
930
- if ( links[i].href )
931
- links[i].target = '_blank';
932
- }
933
- } catch(e){}
934
- }());
935
- <?php } ?>
936
  </script>
937
 
938
  <?php
939
- login_footer();
940
- break;
941
  } // end action switch
8
  * @package WordPress
9
  */
10
 
11
+
12
  // Redirect to https login if forced to use SSL
13
  if ( force_ssl_admin() && ! is_ssl() ) {
14
+ if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
15
+ wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
16
+ exit();
17
+ } else {
18
+ wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
19
+ exit();
20
+ }
21
  }
22
 
23
  /**
24
  * Output the login page header.
25
  *
26
+ * @param string $title Optional. WordPress login Page title to display in the `<title>` element.
27
+ * Default 'Log In'.
28
+ * @param string $message Optional. Message to display in header. Default empty.
29
+ * @param WP_Error $wp_error Optional. The error to pass. Default empty.
30
  */
31
  function login_header( $title = 'Log In', $message = '', $wp_error = '' ) {
32
+ global $error, $interim_login, $action;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
33
 
34
+ // Don't index any of these forms
35
+ add_action( 'login_head', 'wp_no_robots' );
36
+
37
+ if ( wp_is_mobile() )
38
+ add_action( 'login_head', 'wp_login_viewport_meta' );
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
39
 
40
+ if ( empty($wp_error) )
41
+ $wp_error = new WP_Error();
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
42
 
43
+ // Shake it!
44
+ $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
45
  /**
46
+ * Filter the error codes array for shaking the login form.
47
  *
48
+ * @since 3.0.0
49
+ *
50
+ * @param array $shake_error_codes Error codes that shake the login form.
51
  */
52
+ $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
53
+
54
+ if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
55
+ add_action( 'login_head', 'wp_shake_js', 12 );
56
+
57
+ ?><!DOCTYPE html>
58
+ <!--[if IE 8]>
59
+ <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" <?php language_attributes(); ?>>
60
+ <![endif]-->
61
+ <!--[if !(IE 8) ]><!-->
62
+ <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
63
+ <!--<![endif]-->
64
+ <head>
65
+ <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
66
+ <title><?php bloginfo('name'); ?> &rsaquo; <?php echo $title; ?></title>
67
+ <?php
68
+
69
+ wp_admin_css( 'login', true );
70
+
71
+ /*
72
+ * Remove all stored post data on logging out.
73
+ * This could be added by add_action('login_head'...) like wp_shake_js(),
74
+ * but maybe better if it's not removable by plugins
75
+ */
76
+ if ( 'loggedout' == $wp_error->get_error_code() ) {
77
+ ?>
78
+ <script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script>
79
+ <?php
80
+ }
81
+
82
+ /**
83
+ * Enqueue scripts and styles for the login page.
84
+ *
85
+ * @since 3.1.0
86
+ */
87
+ do_action( 'login_enqueue_scripts' );
88
+ /**
89
+ * Fires in the login page header after scripts are enqueued.
90
+ *
91
+ * @since 2.1.0
92
+ */
93
+ do_action( 'login_head' );
94
+
95
+ if ( is_multisite() ) {
96
+ $login_header_url = network_home_url();
97
+ $login_header_title = get_current_site()->site_name;
98
+ } else {
99
+ $login_header_url = __( 'https://wordpress.org/' );
100
+ $login_header_title = __( 'Powered by WordPress' );
101
+ }
102
+
103
+ /**
104
+ * Filter link URL of the header logo above login form.
105
+ *
106
+ * @since 2.1.0
107
+ *
108
+ * @param string $login_header_url Login header logo URL.
109
+ */
110
+ $login_header_url = apply_filters( 'login_headerurl', $login_header_url );
111
+ /**
112
+ * Filter the title attribute of the header logo above login form.
113
+ *
114
+ * @since 2.1.0
115
+ *
116
+ * @param string $login_header_title Login header logo title attribute.
117
+ */
118
+ $login_header_title = apply_filters( 'login_headertitle', $login_header_title );
119
+
120
+ $classes = array( 'login-action-' . $action, 'wp-core-ui' );
121
+ if ( wp_is_mobile() )
122
+ $classes[] = 'mobile';
123
+ if ( is_rtl() )
124
+ $classes[] = 'rtl';
125
+ if ( $interim_login ) {
126
+ $classes[] = 'interim-login';
127
+ ?>
128
+ <style type="text/css">html{background-color: transparent;}</style>
129
+ <?php
130
+
131
+ if ( 'success' === $interim_login )
132
+ $classes[] = 'interim-login-success';
133
+ }
134
+ $classes[] =' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) );
135
+
136
+ /**
137
+ * Filter the login page body classes.
138
+ *
139
+ * @since 3.5.0
140
+ *
141
+ * @param array $classes An array of body classes.
142
+ * @param string $action The action that brought the visitor to the login page.
143
+ */
144
+ $classes = apply_filters( 'login_body_class', $classes, $action );
145
+
146
+ ?>
147
+ </head>
148
+ <body class="login <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
149
+ <div id="login">
150
+ <h1><a href="<?php echo esc_url( $login_header_url ); ?>" title="<?php echo esc_attr( $login_header_title ); ?>" tabindex="-1"><?php bloginfo( 'name' ); ?></a></h1>
151
+ <?php
152
+
153
+ unset( $login_header_url, $login_header_title );
154
+
155
+ /**
156
+ * Filter the message to display above the login form.
157
+ *
158
+ * @since 2.1.0
159
+ *
160
+ * @param string $message Login message text.
161
+ */
162
+ $message = apply_filters( 'login_message', $message );
163
+ if ( !empty( $message ) )
164
+ echo $message . "\n";
165
+
166
+ // In case a plugin uses $error rather than the $wp_errors object
167
+ if ( !empty( $error ) ) {
168
+ $wp_error->add('error', $error);
169
+ unset($error);
170
+ }
171
+
172
+ if ( $wp_error->get_error_code() ) {
173
+ $errors = '';
174
+ $messages = '';
175
+ foreach ( $wp_error->get_error_codes() as $code ) {
176
+ $severity = $wp_error->get_error_data( $code );
177
+ foreach ( $wp_error->get_error_messages( $code ) as $error_message ) {
178
+ if ( 'message' == $severity )
179
+ $messages .= ' ' . $error_message . "<br />\n";
180
+ else
181
+ $errors .= ' ' . $error_message . "<br />\n";
182
+ }
183
+ }
184
+ if ( ! empty( $errors ) ) {
185
+ /**
186
+ * Filter the error messages displayed above the login form.
187
+ *
188
+ * @since 2.1.0
189
+ *
190
+ * @param string $errors Login error message.
191
+ */
192
+ echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n";
193
+ }
194
+ if ( ! empty( $messages ) ) {
195
+ /**
196
+ * Filter instructional messages displayed above the login form.
197
+ *
198
+ * @since 2.5.0
199
+ *
200
+ * @param string $messages Login messages.
201
+ */
202
+ echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
203
+ }
204
+ }
205
+ } // End of login_header()
206
+
207
+ /**
208
+ * Outputs the footer for the login page.
209
+ *
210
+ * @param string $input_id Which input to auto-focus
211
+ */
212
+ function login_footer($input_id = '') {
213
+ global $interim_login;
214
+
215
+ // Don't allow interim logins to navigate away from the page.
216
+ if ( ! $interim_login ): ?>
217
+ <p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>" title="<?php esc_attr_e( 'Are you lost?' ); ?>"><?php printf( __( '&larr; Back to %s' ), get_bloginfo( 'title', 'display' ) ); ?></a></p>
218
+ <?php endif; ?>
219
+
220
+ </div>
221
+
222
+ <?php if ( !empty($input_id) ) : ?>
223
+ <script type="text/javascript">
224
+ try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e){}
225
+ if(typeof wpOnload=='function')wpOnload();
226
+ </script>
227
+ <?php endif; ?>
228
 
229
+ <?php
230
+ /**
231
+ * Fires in the login page footer.
232
+ *
233
+ * @since 3.1.0
234
+ */
235
+ do_action( 'login_footer' ); ?>
236
+ <div class="clear"></div>
237
+ </body>
238
+ </html>
239
+ <?php
240
  }
241
 
242
+ /**
243
+ * @since 3.0.0
244
+ */
245
  function wp_shake_js() {
246
+ if ( wp_is_mobile() )
247
+ return;
248
+ ?>
249
+ <script type="text/javascript">
250
+ addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
251
+ function s(id,pos){g(id).left=pos+'px';}
252
+ function g(id){return document.getElementById(id).style;}
253
+ function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}
254
+ addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});
255
+ </script>
256
  <?php
257
  }
258
 
259
+ /**
260
+ * @since 3.7.0
261
+ */
262
  function wp_login_viewport_meta() {
263
+ ?>
264
+ <meta name="viewport" content="width=device-width" />
265
+ <?php
266
  }
267
 
268
  /**
269
  * Handles sending password retrieval email to user.
270
  *
271
+ * @global wpdb $wpdb WordPress database abstraction object.
272
+ * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
273
  *
274
  * @return bool|WP_Error True: when finish. WP_Error on error
275
  */
276
  function retrieve_password() {
277
+ global $wpdb, $wp_hasher;
278
+
279
+ $errors = new WP_Error();
280
+
281
+ if ( empty( $_POST['user_login'] ) ) {
282
+ $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or e-mail address.'));
283
+ } elseif ( strpos( $_POST['user_login'], '@' ) ) {
284
+ $user_data = get_user_by( 'email', trim( $_POST['user_login'] ) );
285
+ if ( empty( $user_data ) )
286
+ $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
287
+ } else {
288
+ $login = trim($_POST['user_login']);
289
+ $user_data = get_user_by('login', $login);
290
+ }
291
+
292
+ /**
293
+ * Fires before errors are returned from a password reset request.
294
+ *
295
+ * @since 2.1.0
296
+ */
297
+ do_action( 'lostpassword_post' );
298
+
299
+ if ( $errors->get_error_code() )
300
+ return $errors;
301
+
302
+ if ( !$user_data ) {
303
+ $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or e-mail.'));
304
+ return $errors;
305
+ }
306
+
307
+ // Redefining user_login ensures we return the right case in the email.
308
+ $user_login = $user_data->user_login;
309
+ $user_email = $user_data->user_email;
310
+
311
+ /**
312
+ * Fires before a new password is retrieved.
313
+ *
314
+ * @since 1.5.0
315
+ * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
316
+ *
317
+ * @param string $user_login The user login name.
318
+ */
319
+ do_action( 'retreive_password', $user_login );
320
+
321
+ /**
322
+ * Fires before a new password is retrieved.
323
+ *
324
+ * @since 1.5.1
325
+ *
326
+ * @param string $user_login The user login name.
327
+ */
328
+ do_action( 'retrieve_password', $user_login );
329
+
330
+ /**
331
+ * Filter whether to allow a password to be reset.
332
+ *
333
+ * @since 2.7.0
334
+ *
335
+ * @param bool true Whether to allow the password to be reset. Default true.
336
+ * @param int $user_data->ID The ID of the user attempting to reset a password.
337
+ */
338
+ $allow = apply_filters( 'allow_password_reset', true, $user_data->ID );
339
+
340
+ if ( ! $allow ) {
341
+ return new WP_Error( 'no_password_reset', __('Password reset is not allowed for this user') );
342
+ } elseif ( is_wp_error( $allow ) ) {
343
+ return $allow;
344
+ }
345
+
346
+ // Generate something random for a password reset key.
347
+ $key = wp_generate_password( 20, false );
348
+
349
+ /**
350
+ * Fires when a password reset key is generated.
351
+ *
352
+ * @since 2.5.0
353
+ *
354
+ * @param string $user_login The username for the user.
355
+ * @param string $key The generated password reset key.
356
+ */
357
+ do_action( 'retrieve_password_key', $user_login, $key );
358
+
359
+ // Now insert the key, hashed, into the DB.
360
+ if ( empty( $wp_hasher ) ) {
361
+ require_once ABSPATH . WPINC . '/class-phpass.php';
362
+ $wp_hasher = new PasswordHash( 8, true );
363
+ }
364
+ $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
365
+ $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
366
+
367
+ $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
368
+ $message .= network_home_url( '/' ) . "\r\n\r\n";
369
+ $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
370
+ $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
371
+ $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
372
+ $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
373
+
374
+ if ( is_multisite() )
375
+ $blogname = $GLOBALS['current_site']->site_name;
376
+ else
377
+ /*
378
+ * The blogname option is escaped with esc_html on the way into the database
379
+ * in sanitize_option we want to reverse this for the plain text arena of emails.
380
+ */
381
+ $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
382
+
383
+ $title = sprintf( __('[%s] Password Reset'), $blogname );
384
+
385
+ /**
386
+ * Filter the subject of the password reset email.
387
+ *
388
+ * @since 2.8.0
389
+ *
390
+ * @param string $title Default email title.
391
+ */
392
+ $title = apply_filters( 'retrieve_password_title', $title );
393
+
394
+ /**
395
+ * Filter the message body of the password reset mail.
396
+ *
397
+ * @since 2.8.0
398
+ * @since 4.1.0 Added `$user_login` and `$user_data` parameters.
399
+ *
400
+ * @param string $message Default mail message.
401
+ * @param string $key The activation key.
402
+ * @param string $user_login The username for the user.
403
+ * @param WP_User $user_data WP_User object.
404
+ */
405
+ $message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data );
406
+
407
+ if ( $message && !wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) )
408
+ wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') );
409
+
410
+ return true;
411
  }
412
 
413
  //
418
  $errors = new WP_Error();
419
 
420
  if ( isset($_GET['key']) )
421
+ $action = 'resetpass';
422
 
423
  // validate action so as to default to the login screen
424
  if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )
425
+ $action = 'login';
426
 
427
  nocache_headers();
428
 
429
  header('Content-Type: '.get_bloginfo('html_type').'; charset='.get_bloginfo('charset'));
430
 
431
  if ( defined( 'RELOCATE' ) && RELOCATE ) { // Move flag is set
432
+ if ( isset( $_SERVER['PATH_INFO'] ) && ($_SERVER['PATH_INFO'] != $_SERVER['PHP_SELF']) )
433
+ $_SERVER['PHP_SELF'] = str_replace( $_SERVER['PATH_INFO'], '', $_SERVER['PHP_SELF'] );
434
 
435
+ $url = dirname( set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] ) );
436
+ if ( $url != get_option( 'siteurl' ) )
437
+ update_option( 'siteurl', $url );
438
  }
439
 
440
  //Set a cookie now to see if they are supported by the browser.
441
+ $secure = ( 'https' === parse_url( site_url(), PHP_URL_SCHEME ) && 'https' === parse_url( home_url(), PHP_URL_SCHEME ) );
442
+ setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
443
  if ( SITECOOKIEPATH != COOKIEPATH )
444
+ setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
445
 
446
  /**
447
  * Fires when the login form is initialized.
452
  /**
453
  * Fires before a specified login form action.
454
  *
455
+ * The dynamic portion of the hook name, `$action`, refers to the action
456
  * that brought the visitor to the login form. Actions include 'postpass',
457
  * 'logout', 'lostpassword', etc.
458
  *
465
 
466
  switch ($action) {
467
 
468
+ case 'postpass' :
469
+ require_once ABSPATH . WPINC . '/class-phpass.php';
470
+ $hasher = new PasswordHash( 8, true );
471
+
472
+ /**
473
+ * Filter the life span of the post password cookie.
474
+ *
475
+ * By default, the cookie expires 10 days from creation. To turn this
476
+ * into a session cookie, return 0.
477
+ *
478
+ * @since 3.7.0
479
+ *
480
+ * @param int $expires The expiry time, as passed to setcookie().
481
+ */
482
+ $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
483
+ $secure = ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) );
484
+ setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
485
+
486
+ wp_safe_redirect( wp_get_referer() );
487
+ exit();
488
+
489
+ case 'logout' :
490
+ check_admin_referer('log-out');
491
+
492
+ $user = wp_get_current_user();
493
+
494
+ wp_logout();
495
+
496
+ if ( ! empty( $_REQUEST['redirect_to'] ) ) {
497
+ $redirect_to = $requested_redirect_to = $_REQUEST['redirect_to'];
498
+ } else {
499
+ $redirect_to = 'wp-login.php?loggedout=true';
500
+ $requested_redirect_to = '';
501
+ }
502
+
503
+ /**
504
+ * Filter the log out redirect URL.
505
+ *
506
+ * @since 4.2.0
507
+ *
508
+ * @param string $redirect_to The redirect destination URL.
509
+ * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter.
510
+ * @param WP_User $user The WP_User object for the user that's logging out.
511
+ */
512
+ $redirect_to = apply_filters( 'logout_redirect', $redirect_to, $requested_redirect_to, $user );
513
+ wp_safe_redirect( $redirect_to );
514
+ exit();
515
+
516
+ case 'lostpassword' :
517
+ case 'retrievepassword' :
518
+
519
+ if ( $http_post ) {
520
+ $errors = retrieve_password();
521
+ if ( !is_wp_error($errors) ) {
522
+ $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm';
523
+ wp_safe_redirect( $redirect_to );
524
+ exit();
525
+ }
526
+ }
527
+
528
+ if ( isset( $_GET['error'] ) ) {
529
+ if ( 'invalidkey' == $_GET['error'] ) {
530
+ $errors->add( 'invalidkey', __( 'Your password reset link appears to be invalid. Please request a new link below.' ) );
531
+ } elseif ( 'expiredkey' == $_GET['error'] ) {
532
+ $errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) );
533
+ }
534
+ }
535
+
536
+ $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
537
+ /**
538
+ * Filter the URL redirected to after submitting the lostpassword/retrievepassword form.
539
+ *
540
+ * @since 3.0.0
541
+ *
542
+ * @param string $lostpassword_redirect The redirect destination URL.
543
+ */
544
+ $redirect_to = apply_filters( 'lostpassword_redirect', $lostpassword_redirect );
545
+
546
+ /**
547
+ * Fires before the lost password form.
548
+ *
549
+ * @since 1.5.1
550
+ */
551
+ do_action( 'lost_password' );
552
+
553
+ login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors);
554
+
555
+ $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
556
+
557
+ ?>
558
+
559
+ <form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post">
560
+ <p>
561
+ <label for="user_login" ><?php _e('Username or E-mail:') ?><br />
562
+ <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>
563
+ </p>
564
+ <?php
565
+ /**
566
+ * Fires inside the lostpassword form tags, before the hidden fields.
567
+ *
568
+ * @since 2.1.0
569
+ */
570
+ do_action( 'lostpassword_form' ); ?>
571
+ <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
572
+ <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Get New Password'); ?>" /></p>
573
+ </form>
574
+
575
+ <p id="nav">
576
+ <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e('Log in') ?></a>
577
+ <?php
578
+ if ( get_option( 'users_can_register' ) ) :
579
+ $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
580
+
581
+ /** This filter is documented in wp-includes/general-template.php */
582
+ echo ' | ' . apply_filters( 'register', $registration_url );
583
+ endif;
584
+ ?>
585
+ </p>
586
+
587
+ <?php
588
+ login_footer('user_login');
589
+ break;
590
+
591
+ case 'resetpass' :
592
+ case 'rp' :
593
+ list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
594
+ $rp_cookie = 'wp-resetpass-' . COOKIEHASH;
595
+ if ( isset( $_GET['key'] ) ) {
596
+ $value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
597
+ setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
598
+ wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
599
+ exit;
600
+ }
601
+
602
+ if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
603
+ list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
604
+ $user = check_password_reset_key( $rp_key, $rp_login );
605
+ if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $_POST['rp_key'] ) ) {
606
+ $user = false;
607
+ }
608
+ } else {
609
+ $user = false;
610
+ }
611
+
612
+ if ( ! $user || is_wp_error( $user ) ) {
613
+ setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
614
+ if ( $user && $user->get_error_code() === 'expired_key' )
615
+ wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
616
+ else
617
+ wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );
618
+ exit;
619
+ }
620
+
621
+ $errors = new WP_Error();
622
+
623
+ if ( isset($_POST['pass1']) && $_POST['pass1'] != $_POST['pass2'] )
624
+ $errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) );
625
+
626
+ /**
627
+ * Fires before the password reset procedure is validated.
628
+ *
629
+ * @since 3.5.0
630
+ *
631
+ * @param object $errors WP Error object.
632
+ * @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise.
633
+ */
634
+ do_action( 'validate_password_reset', $errors, $user );
635
+
636
+ if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) {
637
+ reset_password($user, $_POST['pass1']);
638
+ setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
639
+ login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' );
640
+ login_footer();
641
+ exit;
642
+ }
643
+
644
+ wp_enqueue_script('utils');
645
+ wp_enqueue_script('user-profile');
646
+
647
+ login_header(__('Reset Password'), '<p class="message reset-pass">' . __('Enter your new password below.') . '</p>', $errors );
648
+
649
+ ?>
650
+ <form name="resetpassform" id="resetpassform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off">
651
+ <input type="hidden" id="user_login" value="<?php echo esc_attr( $rp_login ); ?>" autocomplete="off" />
652
+
653
+ <p class="user-pass1-wrap">
654
+ <label for="pass1"><?php _e('New password') ?></label><br />
655
+ <div class="wp-pwd">
656
+ <span class="password-input-wrapper">
657
+ <input type="password" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" name="pass1" id="pass1" class="input" size="20" value="" autocomplete="off" aria-describedby="pass-strength-result" />
658
+ </span>
659
+ <div id="pass-strength-result" class="hide-if-no-js" aria-live="polite"><?php _e( 'Strength indicator' ); ?></div>
660
+ </div>
661
+ </p>
662
+ <p class="user-pass2-wrap">
663
+ <label for="pass2"><?php _e('Confirm new password') ?></label><br />
664
+ <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="off" />
665
+ </p>
666
+
667
+ <p class="description indicator-hint"><?php echo wp_get_password_hint(); ?></p>
668
+ <br class="clear" />
669
+
670
+ <?php
671
+ /**
672
+ * Fires following the 'Strength indicator' meter in the user password reset form.
673
+ *
674
+ * @since 3.9.0
675
+ *
676
+ * @param WP_User $user User object of the user whose password is being reset.
677
+ */
678
+ do_action( 'resetpass_form', $user );
679
+ ?>
680
+ <input type="hidden" name="rp_key" value="<?php echo esc_attr( $rp_key ); ?>" />
681
+ <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Reset Password'); ?>" /></p>
682
+ </form>
683
+
684
+ <p id="nav">
685
+ <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
686
+ <?php
687
+ if ( get_option( 'users_can_register' ) ) :
688
+ $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
689
+
690
+ /** This filter is documented in wp-includes/general-template.php */
691
+ echo ' | ' . apply_filters( 'register', $registration_url );
692
+ endif;
693
+ ?>
694
+ </p>
695
+
696
+ <?php
697
+ login_footer('user_pass');
698
+ break;
699
+
700
+ case 'register' :
701
+ if ( is_multisite() ) {
702
+ /**
703
+ * Filter the Multisite sign up URL.
704
+ *
705
+ * @since 3.0.0
706
+ *
707
+ * @param string $sign_up_url The sign up URL.
708
+ */
709
+ wp_redirect( apply_filters( 'wp_signup_location', network_site_url( 'wp-signup.php' ) ) );
710
+ exit;
711
+ }
712
+
713
+ if ( !get_option('users_can_register') ) {
714
+ wp_redirect( site_url('wp-login.php?registration=disabled') );
715
+ exit();
716
+ }
717
 
718
+ $user_login = '';
719
+ $user_email = '';
720
+ if ( $http_post ) {
721
+ $user_login = $_POST['user_login'];
722
+ $user_email = $_POST['user_email'];
723
+ $errors = register_new_user($user_login, $user_email);
724
+ if ( !is_wp_error($errors) ) {
725
+ $redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : 'wp-login.php?checkemail=registered';
726
+ wp_safe_redirect( $redirect_to );
727
+ exit();
728
+ }
729
+ }
730
+
731
+ $registration_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
732
+ /**
733
+ * Filter the registration redirect URL.
734
+ *
735
+ * @since 3.0.0
736
+ *
737
+ * @param string $registration_redirect The redirect destination URL.
738
+ */
739
+ $redirect_to = apply_filters( 'registration_redirect', $registration_redirect );
740
+ login_header(__('Registration Form'), '<p class="message register">' . __('Register For This Site') . '</p>', $errors);
741
+ ?>
742
+
743
+ <form name="registerform" id="registerform" action="<?php echo esc_url( site_url('wp-login.php?action=register', 'login_post') ); ?>" method="post" novalidate="novalidate">
744
+ <p>
745
+ <label for="user_login"><?php _e('Username') ?><br />
746
+ <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label>
747
+ </p>
748
+ <p>
749
+ <label for="user_email"><?php _e('E-mail') ?><br />
750
+ <input type="email" name="user_email" id="user_email" class="input" value="<?php echo esc_attr( wp_unslash( $user_email ) ); ?>" size="25" /></label>
751
+ </p>
752
+ <?php
753
+ /**
754
+ * Fires following the 'E-mail' field in the user registration form.
755
+ *
756
+ * @since 2.1.0
757
+ */
758
+ do_action( 'register_form' );
759
+ ?>
760
+ <p id="reg_passmail"><?php _e( 'Registration confirmation will be e-mailed to you.' ); ?></p>
761
+ <br class="clear" />
762
+ <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
763
+ <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Register'); ?>" /></p>
764
+ </form>
765
+
766
+ <p id="nav">
767
+ <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> |
768
+ <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>" title="<?php esc_attr_e( 'Password Lost and Found' ) ?>"><?php _e( 'Lost your password?' ); ?></a>
769
+ </p>
770
+
771
+ <?php
772
+ login_footer('user_login');
773
+ break;
774
+
775
+ case 'login' :
776
+ default:
777
+ $secure_cookie = '';
778
+ $customize_login = isset( $_REQUEST['customize-login'] );
779
+ if ( $customize_login )
780
+ wp_enqueue_script( 'customize-base' );
781
+
782
+ // If the user wants ssl but the session is not ssl, force a secure cookie.
783
+ if ( !empty($_POST['log']) && !force_ssl_admin() ) {
784
+ $user_name = sanitize_user($_POST['log']);
785
+ if ( $user = get_user_by('login', $user_name) ) {
786
+ if ( get_user_option('use_ssl', $user->ID) ) {
787
+ $secure_cookie = true;
788
+ force_ssl_admin(true);
789
+ }
790
+ }
791
+ }
792
+
793
+ if ( isset( $_REQUEST['redirect_to'] ) ) {
794
+ $redirect_to = $_REQUEST['redirect_to'];
795
+ // Redirect to https if user wants ssl
796
+ if ( $secure_cookie && false !== strpos($redirect_to, 'wp-admin') )
797
+ $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);
798
+ } else {
799
+ $redirect_to = admin_url();
800
+ }
801
+
802
+ $reauth = empty($_REQUEST['reauth']) ? false : true;
803
+
804
+ $user = wp_signon( '', $secure_cookie );
805
+
806
+ if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
807
+ if ( headers_sent() ) {
808
+ $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ),
809
+ __( 'https://codex.wordpress.org/Cookies' ), __( 'https://wordpress.org/support/' ) ) );
810
+ } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) {
811
+ // If cookies are disabled we can't log in even with a valid user+pass
812
+ $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ),
813
+ __( 'https://codex.wordpress.org/Cookies' ) ) );
814
+ }
815
+ }
816
+
817
+ $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
818
+ /**
819
+ * Filter the login redirect URL.
820
+ *
821
+ * @since 3.0.0
822
+ *
823
+ * @param string $redirect_to The redirect destination URL.
824
+ * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter.
825
+ * @param WP_User|WP_Error $user WP_User object if login was successful, WP_Error object otherwise.
826
+ */
827
+ $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
828
+
829
+ if ( !is_wp_error($user) && !$reauth ) {
830
+ if ( $interim_login ) {
831
+ $message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
832
+ $interim_login = 'success';
833
+ login_header( '', $message ); ?>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
834
  </div>
835
  <?php
836
+ /** This action is documented in wp-login.php */
837
+ do_action( 'login_footer' ); ?>
838
+ <?php if ( $customize_login ) : ?>
839
+ <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
840
+ <?php endif; ?>
841
  </body></html>
842
  <?php exit;
843
+ }
844
+
845
+ if ( ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) ) {
846
+ // If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile.
847
+ if ( is_multisite() && !get_active_blog_for_user($user->ID) && !is_super_admin( $user->ID ) )
848
+ $redirect_to = user_admin_url();
849
+ elseif ( is_multisite() && !$user->has_cap('read') )
850
+ $redirect_to = get_dashboard_url( $user->ID );
851
+ elseif ( !$user->has_cap('edit_posts') )
852
+ $redirect_to = admin_url('profile.php');
853
+ }
854
+ wp_safe_redirect($redirect_to);
855
+ exit();
856
+ }
857
+
858
+ $errors = $user;
859
+ // Clear errors if loggedout is set.
860
+ if ( !empty($_GET['loggedout']) || $reauth )
861
+ $errors = new WP_Error();
862
+
863
+ if ( $interim_login ) {
864
+ if ( ! $errors->get_error_code() )
865
+ $errors->add('expired', __('Session expired. Please log in again. You will not move away from this page.'), 'message');
866
+ } else {
867
+ // Some parts of this script use the main login form to display a message
868
+ if ( isset($_GET['loggedout']) && true == $_GET['loggedout'] )
869
+ $errors->add('loggedout', __('You are now logged out.'), 'message');
870
+ elseif ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] )
871
+ $errors->add('registerdisabled', __('User registration is currently not allowed.'));
872
+ elseif ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] )
873
+ $errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message');
874
+ elseif ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] )
875
+ $errors->add('newpass', __('Check your e-mail for your new password.'), 'message');
876
+ elseif ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] )
877
+ $errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message');
878
+ elseif ( strpos( $redirect_to, 'about.php?updated' ) )
879
+ $errors->add('updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to see what&#8217;s new.' ), 'message' );
880
+ }
881
+
882
+ /**
883
+ * Filter the login page errors.
884
+ *
885
+ * @since 3.6.0
886
+ *
887
+ * @param object $errors WP Error object.
888
+ * @param string $redirect_to Redirect destination URL.
889
+ */
890
+ $errors = apply_filters( 'wp_login_errors', $errors, $redirect_to );
891
+
892
+ // Clear any stale cookies.
893
+ if ( $reauth )
894
+ wp_clear_auth_cookie();
895
+
896
+ login_header(__('Log In'), '', $errors);
897
+
898
+ if ( isset($_POST['log']) )
899
+ $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : '';
900
+ $rememberme = ! empty( $_POST['rememberme'] );
901
+
902
+ if ( ! empty( $errors->errors ) ) {
903
+ $aria_describedby_error = ' aria-describedby="login_error"';
904
+ } else {
905
+ $aria_describedby_error = '';
906
+ }
907
+ ?>
908
 
909
  <form name="loginform" id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post">
910
  <p>
911
  <label for="user_login"><?php _e('Username') ?><br />
912
+ <input type="text" name="log" id="user_login"<?php echo $aria_describedby_error; ?> class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" /></label>
913
  </p>
914
  <p>
915
  <label for="user_pass"><?php _e('Password') ?><br />
916
+ <input type="password" name="pwd" id="user_pass"<?php echo $aria_describedby_error; ?> class="input" value="" size="20" /></label>
917
  </p>
918
  <?php
919
+ /**
920
+ * Fires following the 'Password' field in the login form.
921
+ *
922
+ * @since 2.1.0
923
+ */
924
+ do_action( 'login_form' );
925
+ ?>
926
  <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" <?php checked( $rememberme ); ?> /> <?php esc_attr_e('Remember Me'); ?></label></p>
927
  <p class="submit">
928
  <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Log In'); ?>" />
929
  <?php if ( $interim_login ) { ?>
930
+ <input type="hidden" name="interim-login" value="1" />
931
+ <?php } else { ?>
932
+ <input type="hidden" name="redirect_to" value="<?php echo esc_attr($redirect_to); ?>" />
933
+ <?php } ?>
934
+ <?php if ( $customize_login ) : ?>
935
+ <input type="hidden" name="customize-login" value="1" />
936
+ <?php endif; ?>
937
  <input type="hidden" name="testcookie" value="1" />
938
  </p>
939
  </form>
940
 
941
  <?php if ( ! $interim_login ) { ?>
942
+ <p id="nav">
943
+ <?php if ( ! isset( $_GET['checkemail'] ) || ! in_array( $_GET['checkemail'], array( 'confirm', 'newpass' ) ) ) :
944
+ if ( get_option( 'users_can_register' ) ) :
945
+ $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
946
+
947
+ /** This filter is documented in wp-includes/general-template.php */
948
+ echo apply_filters( 'register', $registration_url ) . ' | ';
949
+ endif;
950
+ ?>
951
+ <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>" title="<?php esc_attr_e( 'Password Lost and Found' ); ?>"><?php _e( 'Lost your password?' ); ?></a>
952
+ <?php endif; ?>
953
+ </p>
954
+ <?php } ?>
955
 
956
  <script type="text/javascript">
957
  function wp_attempt_focus(){
958
  setTimeout( function(){ try{
959
+ <?php if ( $user_login ) { ?>
960
+ d = document.getElementById('user_pass');
961
+ d.value = '';
962
+ <?php } else { ?>
963
+ d = document.getElementById('user_login');
964
+ <?php if ( 'invalid_username' == $errors->get_error_code() ) { ?>
965
+ if( d.value != '' )
966
+ d.value = '';
967
+ <?php
968
+ }
969
+ }?>
970
  d.focus();
971
  d.select();
972
  } catch(e){}
973
  }, 200);
974
  }
975
 
976
+ <?php if ( !$error ) { ?>
977
+ wp_attempt_focus();
978
+ <?php } ?>
979
  if(typeof wpOnload=='function')wpOnload();
980
  <?php if ( $interim_login ) { ?>
981
+ (function(){
982
+ try {
983
+ var i, links = document.getElementsByTagName('a');
984
+ for ( i in links ) {
985
+ if ( links[i].href )
986
+ links[i].target = '_blank';
987
+ }
988
+ } catch(e){}
989
+ }());
990
+ <?php } ?>
991
  </script>
992
 
993
  <?php
994
+ login_footer();
995
+ break;
996
  } // end action switch
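--- a/other-includes/wp-security-unlock-request.php
+++ b/other-includes/wp-security-unlock-request.php
@@ -53,7 +53,8 @@ if (isset($_POST['aiowps_wp_submit_unlock_request']))
  if($errors){
  $display_form = true;
  echo '<div id="login_error">'.$errors.'</div>';
- echo display_unlock_form($email);
+ $sanitized_email = sanitize_email($email);
+ echo display_unlock_form($sanitized_email);
  }else{
  $locked_user = get_user_by('email', $email);
  if(!$locked_user){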
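Review bot: The sanitize_email() added at new line 56 is input normalisation rather than output escaping; it strips characters an address cannot contain, which happens to drop `<`, `>` and `"`, but the actual XSS sink is wherever display_unlock_form() writes the address into the form, and that function is outside the hunk, so I cannot confirm it applies esc_attr() to its argument. The durable fix is to escape at that sink (the `value="..."` attribute inside display_unlock_form() should be emitted as `value="<?php echo esc_attr($email); ?>"`) and keep sanitize_email() only for validation. The context line `echo '<div id="login_error">'.$errors.'</div>';` emits $errors unescaped; if any branch builds $errors from the submitted address (its construction is outside the hunk), it needs the same treatment. The enclosing if/else block begins before the hunk.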
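--- a/readme.txt
+++ b/readme.txt
@@ -3,8 +3,8 @@ Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin, mbrso
  Donate link: https://www.tipsandtricks-hq.com
  Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe,
  Requires at least: 3.5
- Tested up to: 4.2
- Stable tag: 3.9.6
+ Tested up to: 4.3
+ Stable tag: 3.9.9
  License: GPLv3
  
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
@@ -80,18 +80,20 @@ via email whenever somebody gets locked out due to too many login attempts.
  This plugin allows you to easily add a lot of firewall protection to your site via htaccess file. An htaccess file is processed by your web server before any other code on your site.
  So these firewall rules will stop malicious script(s) before it gets a chance to reach the WordPress code on your site.
  
- * Access control facility
- * Instantly activate a selection of firewall settings ranging from basic, intermediate and advanced
+ * Access control facility.
+ * Instantly activate a selection of firewall settings ranging from basic, intermediate and advanced.
  * Enable the famous "5G Blacklist" Firewall rules courtesy of [Perishable Press](http://perishablepress.com/)
- * Forbid proxy comment posting
- * Disable trace and track
- * Deny bad or malicious query strings
+ * Forbid proxy comment posting.
+ * Block access to debug log file.
+ * Disable trace and track.
+ * Deny bad or malicious query strings.
  * Protect against Cross Site Scripting (XSS) by activating the comprehensive advanced character string filter.
  or malicious bots who do not have a special cookie in their browser. You (the site admin) will know how to set this special cookie and be able to log into your site.
  * WordPress PingBack Vulnerability Protection feature. This firewall feature allows the user to prohibit access to the xmlrpc.php file in order to protect against certain vulnerabilities in the pingback functionality. This is also helpful to block bots from constantly accessing the xmlrpc.php file and wasting your server resource.
  * Ability to block fake Googlebots from crawling your site.
  * Ability to prevent image hotlinking. Use this to prevent others from hotlinking your images.
  * Ability to log all 404 events on your site. You can also choose to automatically block IP addresses that are hitting too many 404s.
+ * Ability to add custom rules to block access to various resources of your site.
  
  = Brute force login attack prevention =
  * Instantly block Brute Force Login Attacks via our special Cookie-Based Brute Force Login Prevention feature. This firewall functionality will block all login attempts from people and bots.
@@ -176,7 +178,23 @@ https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
  == Upgrade Notice ==
  None
  
+ 
  == Changelog ==
+ 
+ = 3.9.9 =
+ - Fixed an issue with the rename login page feature for WordPress 4.3
+ - Added esc_attr() sanitization to some of the relevant parameters
+ - Added the necessary changes to allow activation via wp-cli
+ 
+ = 3.9.8 =
+ - Added guard against possible XSS in the unlock request feature.
+ 
+ = 3.9.7 =
+ - Added new feature which allows custom .htaccess rules. (See "Custom Rules" tab in Firewall menu). You can now use this to add custom rules to block access to various resources on your site.
+ - Added a new feature to block access to the wp-content/debug.log file (WordPress creates this file if you enabled debug loggin option in the config file).
+ - Removed the "v" from version number of the plugin.
+ - Completed testing with WordPress 4.3.
+ 
  = 3.9.6 =
  - Added Rename Login page feature from the "Brute Force" menu to multisite sub-sites.
  - Removed invalid "length" attribute from input element in captcha code.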
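--- a/wp-security-core.php
+++ b/wp-security-core.php
@@ -3,7 +3,7 @@
  if (!class_exists('AIO_WP_Security')){
  
  class AIO_WP_Security{
- var $version = '3.9.6';
+ var $version = '3.9.9';
  var $db_version = '1.6';
  var $plugin_url;
  var $plugin_path;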
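--- a/wp-security.php
+++ b/wp-security.php
@@ -1,7 +1,7 @@
  <?php
  /*
  Plugin Name: All In One WP Security
- Version: v3.9.6
+ Version: 3.9.9
  Plugin URI: http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
  Author: Tips and Tricks HQ, Peter, Ruhul, Ivy
  Author URI: http://www.tipsandtricks-hq.com/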