All In One WP Security & Firewall - Version 4.0.9

Version Description

  • Made file change scanner code more robust for cases when open_basedir restriction is in effect. (Thanks to Manuel Jeanne for pointing this out).
  • Added code which will remove WordPress version info during CSS and JS script loading if you have the "Remove WP Generator Meta Info" option checked. (Thanks to aldemarcalazans for pointing this out).
  • Fixed some potential SQL injection vulnerabilities. (Thanks to Julio Potier for pointing these out).
  • Changed the feature category of blacklist manager from "Intermediate" to "Advanced".
  • Tweak: Remove "@" from list of characters blocked by advanced character string filter. (Because it is often used in retina-ready images).
  • Fix: Use home URL instead of site URL in lock notification email subject. Thanks to @chesio for fixing this.

Release Info

Developer mra13
Version 4.0.9

Code changes from version 4.0.8 to 4.0.9

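--- a/admin/wp-security-blacklist-menu.php
+++ b/admin/wp-security-blacklist-menu.php
@@ -170,7 +170,12 @@ class AIOWPSecurity_Blacklist_Menu extends AIOWPSecurity_Admin_Menu
  $aiowps_feature_mgr->output_feature_details_badge("blacklist-manager-ip-user-agent-blacklisting");
  ?>
  <form action="" method="POST">
- <?php wp_nonce_field('aiowpsec-blacklist-settings-nonce'); ?>
+ <?php wp_nonce_field('aiowpsec-blacklist-settings-nonce'); ?>
+ <div class="aio_orange_box">
+ <p>
+ <?php _e('This feature can lock you out of admin if it doesn\'t work correctly on your site. You <a href="https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin#advanced_features_note" target="_blank">must read this message</a> before activating this feature.', 'all-in-one-wp-security-and-firewall'); ?>
+ </p>
+ </div>
  <table class="form-table">
  <tr valign="top">
  <th scope="row"><?php _e('Enable IP or User Agent Blacklisting', 'all-in-one-wp-security-and-firewall')?>:</th>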
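Review bot: The "must read this message" anchor added on new line 176 opens in a new tab with `target="_blank"` but carries no `rel` attribute, which leaves the opener window reachable from the linked page. Add `rel="noopener noreferrer"` to the anchor inside the translatable string, i.e. `<a href="https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin#advanced_features_note" target="_blank" rel="noopener noreferrer">must read this message</a>`. The form that this notice sits in opens on line 172 and continues past the hunk.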
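--- a/admin/wp-security-database-menu.php
+++ b/admin/wp-security-database-menu.php
@@ -462,10 +462,9 @@ class AIOWPSecurity_Database_Menu extends AIOWPSecurity_Admin_Menu
  }
 
  //Now let's update the options table
- $update_option_table_query = "UPDATE " . $table_new_prefix . "options
+ $update_option_table_query = $wpdb->prepare("UPDATE " . $table_new_prefix . "options
  SET option_name = '".$table_new_prefix ."user_roles'
- WHERE option_name = '".$table_old_prefix."user_roles'
- LIMIT 1";
+ WHERE option_name = %s LIMIT 1", $table_old_prefix."user_roles");
 
  if ( false === $wpdb->query($update_option_table_query) )
  {
@@ -483,10 +482,9 @@ class AIOWPSecurity_Database_Menu extends AIOWPSecurity_Admin_Menu
  if ($blog_id == 1){continue;} //skip main site
  $new_pref_and_site_id = $table_new_prefix.$blog_id.'_';
  $old_pref_and_site_id = $table_old_prefix.$blog_id.'_';
- $update_ms_option_table_query = "UPDATE " . $new_pref_and_site_id . "options
+ $update_ms_option_table_query = $wpdb->prepare("UPDATE " . $new_pref_and_site_id . "options
  SET option_name = '".$new_pref_and_site_id."user_roles'
- WHERE option_name = '".$old_pref_and_site_id."user_roles'
- LIMIT 1";
+ WHERE option_name = %s LIMIT 1", $old_pref_and_site_id."user_roles");
  if ( false === $wpdb->query($update_ms_option_table_query) )
  {
  echo '<p class="aio_error_with_icon">'.sprintf( __('Update of table %s failed: unable to change %s to %s', 'all-in-one-wp-security-and-firewall'),$new_pref_and_site_id.'options', $old_pref_and_site_id.'user_roles', $new_pref_and_site_id.'user_roles').'</p>';
@@ -515,10 +513,9 @@ class AIOWPSecurity_Database_Menu extends AIOWPSecurity_Admin_Menu
  //Create new meta key
  $new_meta_key = $table_new_prefix . substr( $meta_key->meta_key, $old_prefix_length );
 
- $update_user_meta_sql = "UPDATE " . $table_new_prefix . "usermeta
+ $update_user_meta_sql = $wpdb->prepare("UPDATE " . $table_new_prefix . "usermeta
  SET meta_key='" . $new_meta_key . "'
- WHERE meta_key='" . $meta_key->meta_key . "'
- AND user_id='" . $meta_key->user_id."'";
+ WHERE meta_key=%s AND user_id=%s", $meta_key->meta_key, $meta_key->user_id);
 
  if (false === $wpdb->query($update_user_meta_sql))
  {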
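Review bot: Only the WHERE values were moved into `%s` placeholders; the SET values `SET option_name = '".$table_new_prefix ."user_roles'` (first hunk, and the same shape in the second) and `SET meta_key='" . $new_meta_key . "'` (third hunk) are still concatenated into the template that `$wpdb->prepare()` then runs through its sprintf-style parser, so a prefix containing a quote or a literal `%` still produces a broken or misbound statement. Bind them as well: `SET option_name = %s WHERE option_name = %s LIMIT 1", $table_new_prefix.'user_roles', $table_old_prefix.'user_roles'` and `SET meta_key=%s WHERE meta_key=%s AND user_id=%d", $new_meta_key, $meta_key->meta_key, $meta_key->user_id` (user_id is numeric, so `%d` is the tighter placeholder). The table names built from the prefix cannot be bound by prepare(), so wherever `$table_new_prefix` is read (outside this hunk) it still needs to be validated as a bare identifier. All three UPDATE statements sit in functions whose start lies outside the hunks.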
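--- a/admin/wp-security-list-locked-ip.php
+++ b/admin/wp-security-list-locked-ip.php
@@ -138,7 +138,7 @@ class AIOWPSecurity_List_Locked_IP extends AIOWPSecurity_List_Table {
  }
 
  //Unlock single record
- $unlock_command = "UPDATE ".$lockdown_table." SET release_date = now() WHERE id = '".absint($entries)."'";
+ $unlock_command = $wpdb->prepare( "UPDATE ".$lockdown_table." SET release_date = now() WHERE id = %d", absint($entries) );
  $result = $wpdb->query($unlock_command);
  if($result != NULL)
  {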
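Review bot: `absint($entries)` feeding a `%d` placeholder on new line 141 is redundant (prepare() already casts `%d` to an integer) but harmless; the weaker spot is the unchanged `if($result != NULL)` two lines below, which treats a failed query (`false`) and an UPDATE that matched no row (`0`) identically, so a database error passes silently. Distinguish the two, e.g. `if ($result === false) { $aio_wp_security->debug_logger->log_debug(...); } elseif ($result > 0) { ... }`, assuming the logger is available in this class as it is elsewhere on this page. The enclosing function starts before the hunk.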
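--- a/admin/wp-security-settings-menu.php
+++ b/admin/wp-security-settings-menu.php
@@ -26,7 +26,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
  'tab1' => __('General Settings', 'all-in-one-wp-security-and-firewall'),
  'tab2' => '.htaccess '.__('File', 'all-in-one-wp-security-and-firewall'),
  'tab3' => 'wp-config.php '.__('File', 'all-in-one-wp-security-and-firewall'),
- 'tab4' => __('WP Meta Info', 'all-in-one-wp-security-and-firewall'),
+ 'tab4' => __('WP Version Info', 'all-in-one-wp-security-and-firewall'),
  'tab5' => __('Import/Export', 'all-in-one-wp-security-and-firewall'),
  );
  }
@@ -505,13 +505,15 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
  $this->show_msg_settings_updated();
  }
  ?>
- <h2><?php _e('WP Generator Meta Tag', 'all-in-one-wp-security-and-firewall')?></h2>
+ <h2><?php _e('WP Generator Meta Tag & Version Info', 'all-in-one-wp-security-and-firewall')?></h2>
  <div class="aio_blue_box">
  <?php
  echo '<p>'.__('Wordpress generator automatically adds some meta information inside the "head" tags of every page on your site\'s front end. Below is an example of this:', 'all-in-one-wp-security-and-firewall');
  echo '<br /><strong>&lt;meta name="generator" content="WordPress 3.5.1" /&gt;</strong>';
  echo '<br />'.__('The above meta information shows which version of WordPress your site is currently running and thus can help hackers or crawlers scan your site to see if you have an older version of WordPress or one with a known exploit.', 'all-in-one-wp-security-and-firewall').'
- <br />'.__('This feature will allow you to remove the WP generator meta info from your site\'s pages.', 'all-in-one-wp-security-and-firewall').'
+ <br /><br />'.__('There are also other ways wordpress reveals version info such as during style and script loading. An example of this is:', 'all-in-one-wp-security-and-firewall').'
+ <br /><strong>&lt;link rel="stylesheet" id="jquery-ui-style-css" href="//ajax.googleapis.com/ajax/libs/jqueryui/1.11.0/themes/smoothness/jquery-ui.css?ver=4.5.2" type="text/css" media="all" /&gt;</strong>
+ <br /><br />'.__('This feature will allow you to remove the WP generator meta info and other version info from your site\'s pages.', 'all-in-one-wp-security-and-firewall').'
  </p>';
  ?>
  </div>
@@ -532,7 +534,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
  <th scope="row"><?php _e('Remove WP Generator Meta Info', 'all-in-one-wp-security-and-firewall')?>:</th>
  <td>
  <input name="aiowps_remove_wp_generator_meta_info" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_remove_wp_generator_meta_info')=='1') echo ' checked="checked"'; ?> value="1"/>
- <span class="description"><?php _e('Check this if you want to remove the meta info produced by WP Generator from all pages', 'all-in-one-wp-security-and-firewall'); ?></span>
+ <span class="description"><?php _e('Check this if you want to remove the version and meta info produced by WP from all pages', 'all-in-one-wp-security-and-firewall'); ?></span>
  </td>
  </tr>
  </table>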
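Review bot: The new help text (new lines 514–516 and the checkbox description on new line 537) presents the option as removing "version info", but the callback it enables (`remove_wp_css_js_meta_info` in classes/wp-security-general-init-tasks.php on this page) calls `remove_query_arg('ver', $src)` on every enqueued style and script, so theme and plugin cache-busting versions are dropped too. The description should say so; for example add after the last sentence of the blue box `Note: this also removes the "ver" query parameter that themes and plugins use for cache busting, so updated CSS/JS files may be served from browser or CDN cache until it expires.` Documentation only, no code change in this file.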
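--- a/admin/wp-security-user-accounts-menu.php
+++ b/admin/wp-security-user-accounts-menu.php
@@ -261,7 +261,8 @@ class AIOWPSecurity_User_Accounts_Menu extends AIOWPSecurity_Admin_Menu
  $username_is_admin = FALSE;
  }
  //Now let's change the username
- $result = $wpdb->query("UPDATE `" . $wpdb->users . "` SET user_login = '" . esc_sql($new_username) . "' WHERE user_login='admin';");
+ $sql = $wpdb->prepare( "UPDATE `" . $wpdb->users . "` SET user_login = '" . esc_sql($new_username) . "' WHERE user_login=%s", "admin" );
+ $result = $wpdb->query($sql);
  if (!$result) {
  //There was an error updating the users table
  $user_update_error = __('The database update operation of the user account failed!', 'all-in-one-wp-security-and-firewall');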
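Review bot: On new line 264 the value that got bound is the constant `"admin"`, while the form-supplied `$new_username` is still spliced into the template through `esc_sql()`. `$wpdb->prepare()` runs the template through its sprintf-style parser before binding, so a name containing `%` is read as a format directive rather than data, and the statement can misbind or fail. Bind both values and drop the manual escaping: replace `SET user_login = '" . esc_sql($new_username) . "' WHERE user_login=%s", "admin"` with `SET user_login = %s WHERE user_login = %s", $new_username, 'admin'`. The enclosing method starts before the hunk.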
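--- a/admin/wp-security-user-login-menu.php
+++ b/admin/wp-security-user-login-menu.php
@@ -511,68 +511,4 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
 
  }
 
- /*
- * This function will unlock an IP range by modifying the "release_date" column of a record in the "login_lockdown" table
- */
- function unlock_ip_range($entries)
- {
- global $wpdb, $aio_wp_security;
- $lockdown_table = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
- if (is_array($entries))
- {
- //Unlock multiple records
- $entries = array_filter($entries, 'is_numeric'); //discard non-numeric ID values
- $id_list = "(" .implode(",",$entries) .")"; //Create comma separate list for DB operation
- $unlock_command = "UPDATE ".$lockdown_table." SET release_date = now() WHERE ID IN ".$id_list;
- $result = $wpdb->query($unlock_command);
- if($result != NULL)
- {
- $this->show_msg_updated(__('The selected IP entries were unlocked successfully!','all-in-one-wp-security-and-firewall'));
- }
- } elseif ($entries != NULL)
- {
- //Delete single record
- $unlock_command = "UPDATE ".$lockdown_table." SET release_date = now() WHERE ID = '".absint($entries)."'";
- $result = $wpdb->query($unlock_command);
- if($result != NULL)
- {
- $this->show_msg_updated(__('The selected IP entry was unlocked successfully!','all-in-one-wp-security-and-firewall'));
- }
- }
- //$aio_wp_security->debug_logger->log_debug("IP range unlocked from login_lockdown table - lockdown ID: ".$lockdown_id,0);
- }
-
- /*
- * This function will delete selected records from the "login_lockdown" table.
- * The function accepts either an array of IDs or a single ID
- */
- function delete_lockdown_records($entries)
- {
- global $wpdb, $aio_wp_security;
- $lockdown_table = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
- if (is_array($entries))
- {
- //Delete multiple records
- $entries = array_filter($entries, 'is_numeric'); //discard non-numeric ID values
- $id_list = "(" .implode(",",$entries) .")"; //Create comma separate list for DB operation
- $delete_command = "DELETE FROM ".$lockdown_table." WHERE ID IN ".$id_list;
- $result = $wpdb->query($delete_command);
- if($result != NULL)
- {
- $this->show_msg_updated(__('The selected records were deleted successfully!','all-in-one-wp-security-and-firewall'));
- }
- } elseif ($entries != NULL)
- {
- //Delete single record
- // $delete_command = "DELETE FROM ".$lockdown_table." WHERE ID = '".absint($entries)."'";
- // $result = $wpdb->query($delete_command);
- $result = $wpdb->delete($lockdown_table, array('ID' => absint($entries)));
- if($result != NULL)
- {
- $this->show_msg_updated(__('The selected record was deleted successfully!','all-in-one-wp-security-and-firewall'));
- }
- //$aio_wp_security->debug_logger->log_debug("Record deleted from login_lockdown table - lockdown ID: ".$entries,0);
- }
- }
-
  } //end class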
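--- a/classes/grade-system/wp-security-feature-item-manager.php
+++ b/classes/grade-system/wp-security-feature-item-manager.php
@@ -72,7 +72,7 @@ class AIOWPSecurity_Feature_Item_Manager
 
  //Blacklist Manager Menu Features
  //IP and user agent blacklisting
- $this->feature_items[] = new AIOWPSecurity_Feature_Item("blacklist-manager-ip-user-agent-blacklisting", __("IP and User Agent Blacklisting", "all-in-one-wp-security-and-firewall"), $this->feature_point_3, $this->sec_level_inter);
+ $this->feature_items[] = new AIOWPSecurity_Feature_Item("blacklist-manager-ip-user-agent-blacklisting", __("IP and User Agent Blacklisting", "all-in-one-wp-security-and-firewall"), $this->feature_point_3, $this->sec_level_advanced);
 
  //Firewall Menu Features
  //Basic firewall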
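--- a/classes/wp-security-file-scan.php
+++ b/classes/wp-security-file-scan.php
@@ -210,6 +210,7 @@ class AIOWPSecurity_Scan
  $file_types_to_skip = $aio_wp_security->configs->get_value('aiowps_fcd_exclude_filetypes');
 
  foreach ($rit as $fileinfo) {
+ if ($fileinfo->getFilename() == "..") continue; //skip .. directories
  if ($fileinfo->isDir()) continue; //skip directories
  if ($fileinfo->getFilename() == 'wp-security-log-cron-job.txt' || $fileinfo->getFilename() == 'wp-security-log.txt') continue; //skip aiowps log files
  //Let's omit any file types from the scan which were specified in the settings if necessary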
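Review bot: The new guard on line 213 skips only `..`, so a `.` entry still reaches `$fileinfo->isDir()` and gets the same treatment the commit is trying to avoid for its sibling. If `$rit` wraps a `RecursiveDirectoryIterator` (its construction is outside the hunk), passing `FilesystemIterator::SKIP_DOTS` to that constructor removes both dot entries before iteration; otherwise skip both by name here, `if (in_array($fileinfo->getFilename(), array('.', '..'), true)) continue; //skip dot entries`. The comment should also carry the reason the changelog gives, e.g. `// checked by name before isDir(): stat-ing the parent can trip an open_basedir restriction`, so the next reader does not fold it back into the isDir() check. The enclosing foreach and function continue past the hunk.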
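--- a/classes/wp-security-general-init-tasks.php
+++ b/classes/wp-security-general-init-tasks.php
@@ -43,6 +43,8 @@ class AIOWPSecurity_General_Init_Tasks
 
  if($aio_wp_security->configs->get_value('aiowps_remove_wp_generator_meta_info') == '1'){
  add_filter('the_generator', array(&$this,'remove_wp_generator_meta_info'));
+ add_filter( 'style_loader_src', array(&$this,'remove_wp_css_js_meta_info'));
+ add_filter( 'script_loader_src', array(&$this,'remove_wp_css_js_meta_info'));
  }
 
  //For the cookie based brute force prevention feature
@@ -252,6 +254,13 @@ class AIOWPSecurity_General_Init_Tasks
  return '';
  }
 
+ function remove_wp_css_js_meta_info($src) {
+ if (strpos($src, 'ver=')) {
+ $src = remove_query_arg('ver', $src);
+ }
+ return $src;
+ }
+
  function do_404_lockout_tasks(){
  global $aio_wp_security;
  $redirect_url = $aio_wp_security->configs->get_value('aiowps_404_lock_redirect_url'); //This is the redirect URL for blocked users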
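Review bot: `if (strpos($src, 'ver=')) {` on new line 258 tests the offset for truthiness rather than comparing with `false`, and more importantly `remove_query_arg('ver', $src)` strips the version from every enqueued style and script, not just those carrying the WordPress core version, so theme and plugin cache-busting versions are lost and stale assets can be served from cache. Limit the filter to the core version so it matches what the option promises: `global $wp_version; if (false !== strpos($src, 'ver=' . $wp_version)) { $src = remove_query_arg('ver', $src); }`. The new method also deserves a short docblock saying it is the callback for the `style_loader_src` and `script_loader_src` filters registered in the first hunk and that it returns the possibly rewritten URL. As a point of style, `array(&$this, ...)` in both new `add_filter` calls is a PHP 4 relic; `array($this, ...)` behaves the same.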
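--- a/classes/wp-security-user-login.php
+++ b/classes/wp-security-user-login.php
@@ -267,7 +267,7 @@ class AIOWPSecurity_User_Login
  $email_msg = '';
  if ($email_notification_enabled == 1)
  {
- $subject = '['.get_option('siteurl').'] '. __('Site Lockout Notification','all-in-one-wp-security-and-firewall');
+ $subject = '['.get_option('home').'] '. __('Site Lockout Notification','all-in-one-wp-security-and-firewall');
  $email_msg .= __('A lockdown event has occurred due to too many failed login attempts or invalid username:','all-in-one-wp-security-and-firewall')."\n";
  $email_msg .= __('Username: '.($username?$username:"Unknown"),'all-in-one-wp-security-and-firewall')."\n";
  $email_msg .= __('IP Address: '.$ip,'all-in-one-wp-security-and-firewall')."\n\n";
@@ -295,8 +295,7 @@ class AIOWPSecurity_User_Login
  $unlock_link = '';
  $lockdown_table_name = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
  $secret_rand_key = (md5(uniqid(rand(), true)));
- $sql = "UPDATE $lockdown_table_name SET unlock_key = '$secret_rand_key' WHERE release_date > now() AND failed_login_ip LIKE '%".esc_sql($ip_range)."%'";
- //$res = $wpdb->get_results("SELECT * FROM $lockdown_table_name WHERE release_date > now() AND user_login = '$username'", ARRAY_A);
+ $sql = $wpdb->prepare("UPDATE $lockdown_table_name SET unlock_key = '$secret_rand_key' WHERE release_date > now() AND failed_login_ip LIKE %s","%".esc_sql($ip_range)."%");
  $res = $wpdb->query($sql);
  if($res == NULL){
  $aio_wp_security->debug_logger->log_debug("No locked user found with IP range ".$ip_range,4);
@@ -304,7 +303,7 @@ class AIOWPSecurity_User_Login
  }else{
  $query_param = array('aiowps_auth_key'=>$secret_rand_key);
  $wp_site_url = AIOWPSEC_WP_URL;
- $unlock_link = esc_url(add_query_arg($query_param, $wp_site_url));
+ $unlock_link = esc_url(add_query_arg($query_param, $wp_site_url));
  }
  return $unlock_link;
  }
@@ -319,7 +318,7 @@ class AIOWPSecurity_User_Login
  global $wpdb, $aio_wp_security;
  $lockdown_table_name = AIOWPSEC_TBL_LOGIN_LOCKDOWN;
 
- $unlock_command = "UPDATE ".$lockdown_table_name." SET release_date = now() WHERE unlock_key = '".$unlock_key."'";
+ $unlock_command = $wpdb->prepare( "UPDATE ".$lockdown_table_name." SET release_date = now() WHERE unlock_key = %s", $unlock_key );
  $result = $wpdb->query($unlock_command);
  if($result === false)
  {
@@ -429,16 +428,6 @@ class AIOWPSecurity_User_Login
 
  }
 
- function check_user_logged_in($user_login)
- {
- // get the online users list
- $logged_in_users = get_transient('users_online');
-
- //If user is in the transient list and last activity was less than 15 minutes ago they are classed as being online
- return isset($logged_in_users[$user_id]) && ($logged_in_users[$user_id]['last_activity'] > (current_time('timestamp') - (15 * 60)));
-
- }
-
  /**
  * The handler for logout events, ie, uses the WP "clear_auth_cookies" action.
 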
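Review bot: On new line 298 the LIKE argument is built as `"%".esc_sql($ip_range)."%"` and then bound through `%s`, so `$wpdb->prepare()` escapes a value that `esc_sql()` has already escaped, and `%`/`_` characters inside `$ip_range` remain live LIKE wildcards instead of being matched literally. Let prepare() do the quoting and use the LIKE-specific escaper, binding `$secret_rand_key` at the same time rather than interpolating it into the template: `$sql = $wpdb->prepare("UPDATE $lockdown_table_name SET unlock_key = %s WHERE release_date > now() AND failed_login_ip LIKE %s", $secret_rand_key, '%' . $wpdb->esc_like($ip_range) . '%');` (`esc_like()` exists from WP 4.0; the plugin's stated minimum is 3.5, so an older fallback may be needed). The unlock key itself is still produced on the context line above by `md5(uniqid(rand(), true))`, which is not a cryptographic source for a token that unlocks an account; `wp_generate_password(32, false)` draws from WordPress's stronger generator. The enclosing function starts before the hunk.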
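--- a/classes/wp-security-utility-htaccess.php
+++ b/classes/wp-security-utility-htaccess.php
@@ -679,7 +679,10 @@ class AIOWPSecurity_Utility_Htaccess
  //Redirectmatch 403 convert(
  //RedirectMatch 403 .inc
  //RedirectMatch 403 include.
-
+ //
+ // The "@" sign is often used in filenames of retina-ready images like
+ // "logo@2x.jpg", therefore it has been removed from the list.
+ //RedirectMatch 403 \@
 
  static function getrules_advanced_character_string_filter()
  {
@@ -693,7 +696,6 @@ class AIOWPSecurity_Utility_Htaccess
  RedirectMatch 403 \:
  RedirectMatch 403 \;
  RedirectMatch 403 \=
- RedirectMatch 403 \@
  RedirectMatch 403 \[
  RedirectMatch 403 \]
  RedirectMatch 403 \^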
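--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://www.tipsandtricks-hq.com
  Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe,
  Requires at least: 3.5
  Tested up to: 4.5
- Stable tag: 4.0.8
+ Stable tag: 4.0.9
  License: GPLv3
 
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
@@ -126,6 +126,7 @@ or malicious bots who do not have a special cookie in their browser. You (the si
 
  = Additional Features =
  * Ability to remove the WordPress Generator Meta information from the HTML source of your site.
+ * Ability to remove the WordPress Version information from the JS and CSS file includes of your site.
  * Ability to prevent people from accessing the readme.html, license.txt and wp-config-sample.php files
  * Ability to temporarily lock down the front end of your site from general visitors while you do various backend tasks (investigate security attacks, perform site upgrades, do maintenance work etc.)
  * Ability to export/import the security settings.
@@ -182,6 +183,14 @@ None
 
  == Changelog ==
 
+ = 4.0.9 =
+ - Made file change scanner code more robust for cases when open_basedir restriction is in effect. (Thanks to Manuel Jeanne for pointing this out).
+ - Added code which will remove WordPress version info during CSS and JS script loading if you have the "Remove WP Generator Meta Info" option checked. (Thanks to aldemarcalazans for pointing this out).
+ - Fixed some potential SQL injection vulnerabilities. (Thanks to Julio Potier for pointing these out).
+ - Changed the feature category of blacklist manger from "Intermediate" to "Advanced".
+ - Tweak: Remove "@" from list of characters blocked by advanced character string filter. (Because it is often used in retina-ready images).
+ - Fix: Use home URL instead of site URL in lock notification email subject. Thanks to @chesio for fixing this.
+
  = 4.0.8 =
  - Added ability to identify IP addresses during user registration and option to block selected IPs.
  - Added login form captcha functionality for sub-sites in a multi-site installation. (see the Brute Force menu)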
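--- a/wp-security-core.php
+++ b/wp-security-core.php
@@ -3,7 +3,7 @@
  if (!class_exists('AIO_WP_Security')){
 
  class AIO_WP_Security{
- var $version = '4.0.8';
+ var $version = '4.0.9';
  var $db_version = '1.8';
  var $plugin_url;
  var $plugin_path;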
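--- a/wp-security.php
+++ b/wp-security.php
@@ -1,7 +1,7 @@
  <?php
  /*
  Plugin Name: All In One WP Security
- Version: 4.0.8
+ Version: 4.0.9
  Plugin URI: https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
  Author: Tips and Tricks HQ, Peter, Ruhul, Ivy
  Author URI: https://www.tipsandtricks-hq.com/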