All In One WP Security & Firewall - Version 4.2.2

Version Description

  • Debug logger class improvements.
  • Added a message in the debug settings area to state that the log files are reset on every plugin update.
  • Always return an array from scan_dir_sort_date() to prevent PHP notices.
  • Improvements for automated DB backups filling up disk space: old backup files are now deleted first.
  • Thanks to RIPS Analyzer for sending us the vulnerability report.

Release Info

Developer mra13
Version 4.2.2

Code changes from version 4.1.7 to 4.2.2

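--- a/admin/wp-security-brute-force-menu.php
+++ b/admin/wp-security-brute-force-menu.php
@@ -110,7 +110,7 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
  if($aiowps_login_page_slug == 'wp-admin'){
  $error .= '<br />'.__('You cannot use the value "wp-admin" for your login page slug.','all-in-one-wp-security-and-firewall');
  }elseif(preg_match('/[^a-z_\-0-9]/i', $aiowps_login_page_slug)){
- $error .= '<br />'.__('You must alpha numeric characters for your login page slug.','all-in-one-wp-security-and-firewall');
+ $error .= '<br />'.__('You must use alpha numeric characters for your login page slug.','all-in-one-wp-security-and-firewall');
  }
  }
 
@@ -136,6 +136,16 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
  else {
  $this->show_msg_error(__('Could not delete the Cookie-based directives from the .htaccess file. Please check the file permissions.', 'all-in-one-wp-security-and-firewall'));
  }
+
+ /** The following is a fix/workaround for the following issue:
+ * https://wordpress.org/support/topic/applying-brute-force-rename-login-page-not-working/
+ * ie, when saving the rename login config, the logout link does not update on the first page load after the $_POST submit to reflect the new rename login setting.
+ * Added a page refresh to fix this for now until I figure out a better solution.
+ *
+ **/
+ $cur_url = "admin.php?page=".AIOWPSEC_BRUTE_FORCE_MENU_SLUG."&tab=tab1";
+ AIOWPSecurity_Utility::redirect_to_url($cur_url);
+
  }
  }
 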
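Review bot: The unconditional `AIOWPSecurity_Utility::redirect_to_url($cur_url)` added at the end of the second hunk runs immediately after `$this->show_msg_error(...)`, so if show_msg_error prints inline rather than queuing the message, the .htaccess failure text is discarded by the redirect and the admin never learns why the save did not take effect. Either redirect only on the success path, or carry the outcome through the redirect (for example a status query parameter rendered on the next load). The enclosing save handler starts above the hunk, so whether `$error` from the first hunk is still set here cannot be seen; if it is, the same loss applies to validation messages. If `redirect_to_url()` does not itself call `exit`, the rest of the handler keeps executing after the Location header is sent.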
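--- a/admin/wp-security-dashboard-menu.php
+++ b/admin/wp-security-dashboard-menu.php
@@ -756,7 +756,7 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
  <input type="hidden" name="page" value="<?php echo esc_attr($_REQUEST['page']); ?>"/>
  <?php
  if (isset($_REQUEST["tab"])) {
- echo '<input type="hidden" name="tab" value="' . $_REQUEST["tab"] . '" />';
+ echo '<input type="hidden" name="tab" value="' . esc_attr($_REQUEST["tab"]) . '" />';
  }
  ?>
  <!-- Now we can render the completed list table -->
@@ -805,7 +805,7 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
  <?php
  $blocked_ip_list->search_box('Search', 'search_permanent_block');
  if (isset($_REQUEST["tab"])) {
- echo '<input type="hidden" name="tab" value="' . $_REQUEST["tab"] . '" />';
+ echo '<input type="hidden" name="tab" value="' . esc_attr($_REQUEST["tab"]) . '" />';
  }
  ?>
  <!-- Now we can render the completed list table -->
@@ -819,7 +819,8 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
 
  function render_tab5()
  {
- $file_selected = '';
+ global $aio_wp_security;
+ $file_selected = filter_input(INPUT_POST, 'aiowps_log_file'); // Get the selected file
 
  ?>
  <div class="postbox">
@@ -859,20 +860,15 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
  </div>
  </div>
  <?php
- if (isset($_POST['aiowps_view_logs']))//Do form submission tasks
+ if (isset($_POST['aiowps_view_logs']) && $file_selected)//Do form submission tasks
  {
- $error = '';
-
- //Check nonce before doing anything
+ //Check nonce before doing anything
  $nonce = $_REQUEST['_wpnonce'];
  if (!wp_verify_nonce($nonce, 'aiowpsec-dashboard-logs-nonce')) {
  $aio_wp_security->debug_logger->log_debug("Nonce check failed on dashboard view logs!", 4);
  wp_die("Error! Nonce check failed on dashboard view logs!");
  }
 
- //Get the selected file
- $file_selected = isset($_POST["aiowps_log_file"]) ? sanitize_text_field($_POST["aiowps_log_file"]) : '';
-
  //Let's make sure that the file selected can only ever be the correct log file of this plugin.
  $valid_aiowps_log_files = array('wp-security-log.txt', 'wp-security-log-cron-job.txt');
  if(!in_array($file_selected, $valid_aiowps_log_files)){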
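Review bot: The whitelist check `if(!in_array($file_selected, $valid_aiowps_log_files))` at the end of the last hunk is now the only control between the raw `filter_input(INPUT_POST, 'aiowps_log_file')` value and whatever reads the file below the hunk, so it should be a strict comparison: `if(!in_array($file_selected, $valid_aiowps_log_files, true)){`. `$nonce = $_REQUEST['_wpnonce'];` is also read without an isset guard, so a request that omits the nonce raises a notice before `wp_verify_nonce` rejects it; `$nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';` avoids that. The `render_tab5` body continues past the hunk, so the code that opens the selected file is not visible here.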
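--- a/admin/wp-security-firewall-menu.php
+++ b/admin/wp-security-firewall-menu.php
@@ -972,7 +972,7 @@ class AIOWPSecurity_Firewall_Menu extends AIOWPSecurity_Admin_Menu
  <?php
  if(isset($_REQUEST["tab"]))
  {
- echo '<input type="hidden" name="tab" value="'.$_REQUEST["tab"].'" />';
+ echo '<input type="hidden" name="tab" value="'.esc_attr($_REQUEST["tab"]).'" />';
  }
  ?>
  <!-- Now we can render the completed list table -->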
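--- a/admin/wp-security-list-login-fails.php
+++ b/admin/wp-security-list-login-fails.php
@@ -164,8 +164,8 @@ class AIOWPSecurity_List_Login_Failed_Attempts extends AIOWPSecurity_List_Table
 
  $orderby = AIOWPSecurity_Utility::sanitize_value_by_array($orderby, $sortable);
  $order = AIOWPSecurity_Utility::sanitize_value_by_array($order, array('DESC' => '1', 'ASC' => '1'));
-
- $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $failed_logins_table_name WHERE id > %d ORDER BY $orderby $order", -1), ARRAY_A); //Note: had to deliberately introduce WHERE clause because you need at least 2 arguments in prepare statement. Cannot use order/orderby
+
+ $data = $wpdb->get_results("SELECT * FROM $failed_logins_table_name ORDER BY $orderby $order", ARRAY_A);
  $current_page = $this->get_pagenum();
  $total_items = count($data);
  $data = array_slice($data,(($current_page-1)*$per_page),$per_page);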
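Review bot: The new `$wpdb->get_results("SELECT * FROM $failed_logins_table_name ORDER BY $orderby $order", ARRAY_A)` line drops `prepare()` entirely and is safe only because `sanitize_value_by_array()` two lines above restricts `$orderby` to keys of `$sortable` and `$order` to `DESC`/`ASC`; that invariant is not stated next to the interpolation. Add a comment such as `// $orderby/$order are restricted to the whitelists above — never interpolate unsanitised request values here` so a later edit does not loosen it; the same applies to the identical hunk in admin/wp-security-list-permanent-blocked-ip.php. Fetching every row and then `array_slice`-ing for pagination is pre-existing, but a `LIMIT %d OFFSET %d` clause via `prepare()` would fix that and bring the statement back under `prepare()`. `$sortable` and `$failed_logins_table_name` are defined above the hunk.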
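--- a/admin/wp-security-list-permanent-blocked-ip.php
+++ b/admin/wp-security-list-permanent-blocked-ip.php
@@ -163,7 +163,7 @@ class AIOWPSecurity_List_Blocked_IP extends AIOWPSecurity_List_Table
  $search_term = trim($_POST['s']);
  $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM " . $block_table_name . " WHERE `blocked_ip` LIKE '%%%s%%' OR `block_reason` LIKE '%%%s%%' OR `country_origin` LIKE '%%%s%%' OR `blocked_date` LIKE '%%%s%%'", $search_term, $search_term, $search_term, $search_term), ARRAY_A);
  } else {
- $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM " . $block_table_name . " WHERE id > %d ORDER BY $orderby $order", -1), ARRAY_A);
+ $data = $wpdb->get_results("SELECT * FROM " . $block_table_name . " ORDER BY $orderby $order", ARRAY_A);
  }
 
  $current_page = $this->get_pagenum();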
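Review bot: In the search branch kept as context above the changed line, `$search_term = trim($_POST['s'])` is fed into the `LIKE '%%%s%%'` patterns without `$wpdb->esc_like()`, so `%` and `_` typed into the search box act as wildcards; `prepare()` keeps this injection-safe, but `$search_term = $wpdb->esc_like(trim($_POST['s']));` makes the search literal. The new unprepared `ORDER BY $orderby $order` line presumably relies on the same `sanitize_value_by_array()` whitelisting seen in admin/wp-security-list-login-fails.php; that code is above this hunk, so it cannot be confirmed here and deserves a comment at the interpolation site.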
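--- a/admin/wp-security-misc-options-menu.php
+++ b/admin/wp-security-misc-options-menu.php
@@ -100,6 +100,7 @@ class AIOWPSecurity_Misc_Options_Menu extends AIOWPSecurity_Admin_Menu
  <div class="aio_blue_box">
  <?php
  echo '<p>'.__('This feature allows you to disable the ability to select and copy text from your front end.', 'all-in-one-wp-security-and-firewall').'</p>';
+ echo '<p>'.__('When admin user is logged in, the feature is automatically disabled for his session.', 'all-in-one-wp-security-and-firewall').'</p>';
  ?>
  </div>
  <table class="form-table">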
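--- a/admin/wp-security-settings-menu.php
+++ b/admin/wp-security-settings-menu.php
@@ -217,6 +217,7 @@ class AIOWPSecurity_Settings_Menu extends AIOWPSecurity_Admin_Menu
  <td>
  <input name="aiowps_enable_debug" type="checkbox"<?php if($aio_wp_security->configs->get_value('aiowps_enable_debug')=='1') echo ' checked="checked"'; ?> value="1"/>
  <span class="description"><?php _e('Check this if you want to enable debug. You should keep this option disabled after you have finished debugging the issue.', 'all-in-one-wp-security-and-firewall'); ?></span>
+ <p class="description"><?php _e('Please note that the log files are reset on every plugin update.', 'all-in-one-wp-security-and-firewall'); ?></p>
  </td>
  </tr>
  </table>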
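--- a/admin/wp-security-user-login-menu.php
+++ b/admin/wp-security-user-login-menu.php
@@ -119,6 +119,21 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
  $email_address = get_bloginfo('admin_email'); //Set the default value to the blog admin email
  }
 
+ // Instantly lockout specific usernames
+ $_ilsu = isset($_POST['aiowps_instantly_lockout_specific_usernames']) ? $_POST['aiowps_instantly_lockout_specific_usernames'] : '';
+ // Read into array, sanitize, filter empty and keep only unique usernames.
+ $instantly_lockout_specific_usernames
+ = array_unique(
+ array_filter(
+ array_map(
+ 'sanitize_user',
+ AIOWPSecurity_Utility::explode_trim_filter_empty($_ilsu)
+ ),
+ 'strlen'
+ )
+ )
+ ;
+
  if($error)
  {
  $this->show_msg_error(__('Attention!','all-in-one-wp-security-and-firewall').$error);
@@ -135,6 +150,7 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
  $aio_wp_security->configs->set_value('aiowps_lockout_time_length',absint($lockout_time_length));
  $aio_wp_security->configs->set_value('aiowps_set_generic_login_msg',isset($_POST["aiowps_set_generic_login_msg"])?'1':'');
  $aio_wp_security->configs->set_value('aiowps_enable_invalid_username_lockdown',isset($_POST["aiowps_enable_invalid_username_lockdown"])?'1':'');
+ $aio_wp_security->configs->set_value('aiowps_instantly_lockout_specific_usernames', $instantly_lockout_specific_usernames);
  $aio_wp_security->configs->set_value('aiowps_enable_email_notify',isset($_POST["aiowps_enable_email_notify"])?'1':'');
  $aio_wp_security->configs->set_value('aiowps_email_address',$email_address);
  $aio_wp_security->configs->save_config();
@@ -161,8 +177,7 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
  <div class="aio_blue_box">
  <?php
  $brute_force_login_feature_link = '<a href="admin.php?page='.AIOWPSEC_BRUTE_FORCE_MENU_SLUG.'&tab=tab2">Cookie-Based Brute Force Login Prevention</a>';
- echo '<p>'.__('One of the ways hackers try to compromise sites is via a ', 'all-in-one-wp-security-and-firewall').'<strong>'.__('Brute Force Login Attack', 'all-in-one-wp-security-and-firewall').'</strong>.
- <br />'.__('This is where attackers use repeated login attempts until they guess the password.', 'all-in-one-wp-security-and-firewall').'
+ echo '<p>'.__('One of the ways hackers try to compromise sites is via a ', 'all-in-one-wp-security-and-firewall').'<strong>'.__('Brute Force Login Attack', 'all-in-one-wp-security-and-firewall').'</strong>. '.__('This is where attackers use repeated login attempts until they guess the password.', 'all-in-one-wp-security-and-firewall').'
  <br />'.__('Apart from choosing strong passwords, monitoring and blocking IP addresses which are involved in repeated login failures in a short period of time is a very effective way to stop these types of attacks.', 'all-in-one-wp-security-and-firewall').
  '<p>'.sprintf( __('You may also want to checkout our %s feature for another secure way to protect against these types of attacks.', 'all-in-one-wp-security-and-firewall'), $brute_force_login_feature_link).'</p>';
  ?>
@@ -225,7 +240,19 @@ class AIOWPSecurity_User_Login_Menu extends AIOWPSecurity_Admin_Menu
  <span class="description"><?php _e('Check this if you want to instantly lockout login attempts with usernames which do not exist on your system', 'all-in-one-wp-security-and-firewall'); ?></span>
  </td>
  </tr>
-
+ <tr valign="top">
+ <th scope="row"><?php _e('Instantly Lockout Specific Usernames', 'all-in-one-wp-security-and-firewall')?>:</th>
+ <td>
+ <?php
+ $instant_lockout_users_list = $aio_wp_security->configs->get_value('aiowps_instantly_lockout_specific_usernames');
+ if(empty($instant_lockout_users_list)){
+ $instant_lockout_users_list = array();
+ }
+ ?>
+ <textarea name="aiowps_instantly_lockout_specific_usernames" cols="50" rows="5"><?php echo implode(PHP_EOL, $instant_lockout_users_list); ?></textarea><br>
+ <span class="description"><?php _e('Insert one username per line. Existing usernames are not blocked even if present in the list.', 'all-in-one-wp-security-and-firewall'); ?></span>
+ </td>
+ </tr>
  <tr valign="top">
  <th scope="row"><?php _e('Notify By Email', 'all-in-one-wp-security-and-firewall')?>:</th>
  <td>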
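Review bot: The textarea in the last hunk echoes the stored list unescaped, `<?php echo implode(PHP_EOL, $instant_lockout_users_list); ?>`; the values went through non-strict `sanitize_user()` on save, which does not reduce them to a safe element-content set, and anything written to the option by another code path is printed as-is. Use `<?php echo esc_textarea(implode(PHP_EOL, $instant_lockout_users_list)); ?>`. In the first hunk `array_unique()` preserves keys, so the saved value is a sparse-keyed array; wrapping it in `array_values(...)` keeps the option a plain list. The save handler in the first hunk starts above the hunk, so whether a nonce or capability check precedes the `$_POST` read is not visible here.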
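--- a/classes/wp-security-backup.php
+++ b/classes/wp-security-backup.php
@@ -171,6 +171,12 @@ class AIOWPSecurity_Backup
  return false;
  }
 
+ // Delete old backup files now to avoid polluting backups directory
+ // with incomplete backups on websites where max execution time is too
+ // low for database content to be written to a file:
+ // https://github.com/Arsenal21/all-in-one-wordpress-security/issues/62
+ $this->aiowps_delete_backup_files($dirpath);
+
  $fw_res = $this->write_db_backup_file($handle, $tables);
  @fclose( $handle );
 
@@ -204,7 +210,6 @@ class AIOWPSecurity_Backup
  }
 
  $this->aiowps_send_backup_email(); //Send backup file via email if applicable
- $this->aiowps_delete_backup_files();
  return true;
  }
 
@@ -237,30 +242,33 @@ class AIOWPSecurity_Backup
  }
  }
  }
-
- function aiowps_delete_backup_files()
+
+ function aiowps_delete_backup_files($backups_dir)
  {
  global $aio_wp_security;
- if ( $aio_wp_security->configs->get_value('aiowps_backup_files_stored') > 0 )
+ $files_to_keep = absint($aio_wp_security->configs->get_value('aiowps_backup_files_stored'));
+ if ( $files_to_keep > 0 )
  {
- $path_parts = pathinfo($this->last_backup_file_path);
- $backups_path = $path_parts['dirname'];
- $files = AIOWPSecurity_Utility_File::scan_dir_sort_date( $backups_path );
+ $aio_wp_security->debug_logger->log_debug(sprintf('DB Backup - Deleting all but %d latest backup file(s) in %s directory.', $files_to_keep, $backups_dir));
+ $files = AIOWPSecurity_Utility_File::scan_dir_sort_date( $backups_dir );
  $count = 0;
 
- foreach ( $files as $file )
+ foreach ( $files as $file )
  {
  if ( strpos( $file, 'database-backup' ) !== false )
  {
- if ( $count >= $aio_wp_security->configs->get_value('aiowps_backup_files_stored') )
+ if ( $count >= $files_to_keep )
  {
- @unlink( $backups_path . '/' . $file );
+ @unlink( $backups_dir . '/' . $file );
  }
  $count++;
  }
-
  }
  }
+ else
+ {
+ $aio_wp_security->debug_logger->log_debug('DB Backup - Backup configuration prevents removal of old backup files!', 3);
+ }
  }
 
  function aiowps_scheduled_backup_handler()
@@ -282,6 +290,10 @@ class AIOWPSecurity_Backup
  $interval = 'days';
  break;
  case '2':
+ $interval = 'weeks';
+ break;
+ default:
+ // Fall back to default value, if config is corrupted for some reason.
  $interval = 'weeks';
  break;
  }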
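Review bot: With `$this->aiowps_delete_backup_files($dirpath)` now called before `write_db_backup_file()`, the retention loop in the third hunk keeps `$files_to_keep` existing backups and a new one is then written, so the directory settles at `$files_to_keep + 1` files; either test `if ( $count >= $files_to_keep - 1 )` or say so in the setting's description. `@unlink( $backups_dir . '/' . $file )` still hides failures, which is exactly the case this change is meant to address; `if (!@unlink($backups_dir . '/' . $file)) { $aio_wp_security->debug_logger->log_debug('DB Backup - Could not delete ' . $file, 4); }` would surface them. Making `$backups_dir` a required parameter means any other caller of `aiowps_delete_backup_files()` outside this file that is not updated in this release now fails; `$dirpath` itself is defined above the first hunk and is not visible here.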
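--- a/classes/wp-security-configure-settings.php
+++ b/classes/wp-security-configure-settings.php
@@ -35,6 +35,7 @@ class AIOWPSecurity_Configure_Settings
  $aio_wp_security->configs->set_value('aiowps_enable_forced_logout','');//Checkbox
  $aio_wp_security->configs->set_value('aiowps_logout_time_period','60');
  $aio_wp_security->configs->set_value('aiowps_enable_invalid_username_lockdown','');//Checkbox
+ $aio_wp_security->configs->set_value('aiowps_instantly_lockout_specific_usernames', array()); // Textarea (list of strings)
  $aio_wp_security->configs->set_value('aiowps_unlock_request_secret_key',AIOWPSecurity_Utility::generate_alpha_numeric_random_string(20));//Hidden secret value which will be used to do some unlock request processing. This will be assigned a random string generated when lockdown settings saved
 
  //Captcha feature
@@ -168,6 +169,7 @@ class AIOWPSecurity_Configure_Settings
  $aio_wp_security->configs->add_value('aiowps_enable_forced_logout','');//Checkbox
  $aio_wp_security->configs->add_value('aiowps_logout_time_period','60');
  $aio_wp_security->configs->add_value('aiowps_enable_invalid_username_lockdown','');//Checkbox
+ $aio_wp_security->configs->add_value('aiowps_instantly_lockout_specific_usernames', array()); // Textarea (list of strings)
  $aio_wp_security->configs->add_value('aiowps_unlock_request_secret_key',AIOWPSecurity_Utility::generate_alpha_numeric_random_string(20));//Hidden secret value which will be used to do some unlock request processing. This will be assigned a random string generated when lockdown settings saved
 
  //Login Whitelist feature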
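--- a/classes/wp-security-debug-logger.php
+++ b/classes/wp-security-debug-logger.php
@@ -13,9 +13,10 @@ class AIOWPSecurity_Logger
  var $debug_status = array('SUCCESS','STATUS','NOTICE','WARNING','FAILURE','CRITICAL');
  var $section_break_marker = "\n----------------------------------------------------------\n\n";
  var $log_reset_marker = "-------- Log File Reset --------\n";
-
- function __construct()
+
+ function __construct($debug_enabled)
  {
+ $this->debug_enabled = $debug_enabled;
  $this->log_folder_path = AIO_WP_SECURITY_PATH . '/logs';
  }
 
@@ -26,13 +27,7 @@ class AIOWPSecurity_Logger
 
  function get_debug_status($level)
  {
- $size = count($this->debug_status);
- if($level >= $size){
- return 'UNKNOWN';
- }
- else{
- return $this->debug_status[$level];
- }
+ return isset($this->debug_status[$level]) ? $this->debug_status[$level] : 'UNKNOWN';
  }
 
  function get_section_break($section_break)
@@ -61,13 +56,9 @@ class AIOWPSecurity_Logger
  fwrite($fp, $content);
  fclose($fp);
  }
-
+
  function log_debug($message,$level=0,$section_break=false,$file_name='')
  {
- global $aio_wp_security;
- $debug_config = $aio_wp_security->configs->get_value('aiowps_enable_debug');
- $this->debug_enabled = empty($debug_config)?false:true;
-
  if (!$this->debug_enabled) return;
  $content = $this->get_debug_timestamp();//Timestamp
  $content .= $this->get_debug_status($level);//Debug status
@@ -79,28 +70,7 @@ class AIOWPSecurity_Logger
 
  function log_debug_cron($message,$level=0,$section_break=false)
  {
- global $aio_wp_security;
- $debug_config = $aio_wp_security->configs->get_value('aiowps_enable_debug');
- $this->debug_enabled = empty($debug_config)?false:true;
-
- if (!$this->debug_enabled) return;
- $content = $this->get_debug_timestamp();//Timestamp
- $content .= $this->get_debug_status($level);//Debug status
- $content .= ' : ';
- $content .= $message . "\n";
- $content .= $this->get_section_break($section_break);
- //$file_name = $this->default_log_file_cron;
- $this->append_to_file($content, $this->default_log_file_cron);
- }
-
- //TODO - this function need to be completed
- static function log_debug_st($message,$level=0,$section_break=false,$file_name='')
- {
- $content = "\n". $message . "\n";
- $debug_log_file = 'wp-security-log-static.txt';
- //$debug_log_file = AIO_WP_SECURITY_PATH .'/wp-security-log.txt';
- $fp=fopen($debug_log_file,'a');
- fwrite($fp, $content);
- fclose($fp);
+ $this->log_debug($message, $level, $section_break, $this->default_log_file_cron);
  }
+
  }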
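Review bot: `function __construct($debug_enabled)` in the first hunk adds a required parameter with no default, so any `new AIOWPSecurity_Logger()` elsewhere in the plugin that is not updated in this release fails at construction; `function __construct($debug_enabled = false)` together with `$this->debug_enabled = (bool) $debug_enabled;` keeps old call sites working and stops a raw option string such as `''` or `'0'` from being stored as the flag. Because the flag is now fixed at construction time, toggling `aiowps_enable_debug` mid-request no longer affects logging (the removed code re-read the option on every call); that is reasonable but deserves a one-line comment on the `$this->debug_enabled` assignment. The static `log_debug_st()` removed in the last hunk would likewise break any caller outside this file.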
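--- a/classes/wp-security-process-renamed-login-page.php
+++ b/classes/wp-security-process-renamed-login-page.php
@@ -131,6 +131,15 @@ class AIOWPSecurity_Process_Renamed_Login_Page
 
  $login_slug = $aio_wp_security->configs->get_value('aiowps_login_page_slug');
  $home_url_with_slug = home_url($login_slug, 'relative');
+
+ /*
+ * Compatibility fix for WPML plugin
+ */
+ if (function_exists('icl_object_id') && strpos($home_url_with_slug,$login_slug)){
+ $home_url_with_slug = home_url($login_slug);
+ function qtranxf_init_language() {}
+ }
+
  /*
  * *** Compatibility fix for qTranslate-X plugin ***
  * qTranslate-X plugin modifies the result for the following command by adding the protocol and host to the url path:
@@ -145,9 +154,14 @@ class AIOWPSecurity_Process_Renamed_Login_Page
 
  if(untrailingslashit($parsed_url['path']) === $home_url_with_slug
  || (!get_option('permalink_structure') && isset($_GET[$login_slug]))){
- status_header( 200 );
- require_once(AIO_WP_SECURITY_PATH . '/other-includes/wp-security-rename-login-feature.php' );
- die;
+ if(empty($action) && is_user_logged_in()){
+ //if user is already logged in but tries to access the renamed login page, send them to the dashboard
+ AIOWPSecurity_Utility::redirect_to_url(AIOWPSEC_WP_URL."/wp-admin");
+ }else{
+ status_header( 200 );
+ require_once(AIO_WP_SECURITY_PATH . '/other-includes/wp-security-rename-login-feature.php' );
+ die;
+ }
  }
  }
 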
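Review bot: The WPML block in the first hunk declares `function qtranxf_init_language() {}` inside a method body; if qTranslate-X is active alongside WPML, or this method runs twice in one request, PHP aborts with a redeclaration fatal. Guard it with `if (!function_exists('qtranxf_init_language')) { function qtranxf_init_language() {} }` and add a comment saying why the stub is needed, since nothing in the hunk explains it. The condition `strpos($home_url_with_slug,$login_slug)` treats a match at offset 0 as false; `strpos($home_url_with_slug, $login_slug) !== false` is the intended test. In the second hunk `$action` and `$parsed_url` are defined above the hunk, so whether `$action` is already validated cannot be seen here.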
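--- a/classes/wp-security-user-login.php
+++ b/classes/wp-security-user-login.php
@@ -11,6 +11,7 @@ class AIOWPSecurity_User_Login
  {
  $this->initialize();
  remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
+ remove_filter('authenticate', 'wp_authenticate_email_password', 20, 3);
  add_filter('authenticate', array(&$this, 'aiowp_auth_login'), 10, 3);
  add_action('aiowps_force_logout_check', array(&$this, 'aiowps_force_logout_action_handler'));
  //add_action('wp_login', array(&$this, 'wp_login_action_handler'), 10, 2);
@@ -109,8 +110,17 @@ class AIOWPSecurity_User_Login
  $this->increment_failed_logins($username);
  if($aio_wp_security->configs->get_value('aiowps_enable_login_lockdown')=='1')
  {
- if($login_attempts_permitted <= $this->get_login_fail_count() || $aio_wp_security->configs->get_value('aiowps_enable_invalid_username_lockdown')=='1')
- {
+ $too_many_failed_logins = $login_attempts_permitted <= $this->get_login_fail_count();
+ $invalid_username_lockdown = $aio_wp_security->configs->get_value('aiowps_enable_invalid_username_lockdown') == '1';
+
+ $instant_lockout_users_list = $aio_wp_security->configs->get_value('aiowps_instantly_lockout_specific_usernames');
+ if(empty($instant_lockout_users_list)){
+ $instant_lockout_users_list = array();
+ }
+ $username_blacklisted = in_array($username, $instant_lockout_users_list);
+
+ if ( $too_many_failed_logins || $invalid_username_lockdown || $username_blacklisted )
+ {
  $this->lock_the_user($username, 'login_fail');
  }
  }
@@ -214,7 +224,7 @@ class AIOWPSecurity_User_Login
  if(empty($ip_range)) return false;
 
  $username = sanitize_user($username);
- $user = get_user_by('login',$username); //Returns WP_User object if exists
+ $user = get_user_by('login', $username); //Returns WP_User object if exists
  $ip_range = apply_filters('aiowps_before_lockdown', $ip_range);
  if ($user)
  {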
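Review bot: `$username_blacklisted = in_array($username, $instant_lockout_users_list);` in the second hunk compares a value that, as far as this hunk shows, has not been normalised against entries that were passed through `sanitize_user()` when saved, and does so non-strictly; `in_array(sanitize_user($username), $instant_lockout_users_list, true)` makes a name that differs only by characters `sanitize_user()` strips still match and rules out loose numeric-string comparison. Since the list is consulted after `increment_failed_logins()`, it appears to fire on failed attempts only, which matches the admin-page text but deserves a comment on that line. Removing `wp_authenticate_email_password` in the first hunk makes email-based login depend entirely on `aiowp_auth_login`, whose body starts above the second hunk and is not visible here.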
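--- a/classes/wp-security-utility-file.php
+++ b/classes/wp-security-utility-file.php
@@ -417,9 +417,9 @@ class AIOWPSecurity_Utility_File
 
 /**
 * Will return an indexed array of files sorted by last modified timestamp
-* @param $dir
+* @param string $dir
 * @param string $sort (ASC, DESC)
-* @return array|bool
+* @return array
 */
 static function scan_dir_sort_date($dir, $sort='DESC') {
 $files = array();
@@ -427,14 +427,14 @@ class AIOWPSecurity_Utility_File
 $files[$file] = filemtime($dir . '/' . $file);
 }
 
-arsort($files);
-$files = array_keys($files);
-if($sort == 'ASC'){
-$files = array_reverse($files);
+if ($sort === 'ASC') {
+asort($files);
+}
+else {
+arsort($files);
 }
-return ($files) ? $files : false;
-}
-
 
+return array_keys($files);
+}
 
 }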
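Review bot: An entry whose `filemtime()` call on line 427 fails is stored as `false`, which `asort()`/`arsort()` on lines 431 and 434 then treat as the oldest timestamp instead of reporting it, so an unreadable or just-removed file silently takes the "oldest" slot that a caller deleting old backups first will act on; I would skip such entries: `$mtime = filemtime($dir . '/' . $file); if ($mtime === false) { continue; } $files[$file] = $mtime;`. Files sharing a timestamp also have no defined relative order here, because PHP's sort is only stable from 8.0, which deserves a docblock line such as `* Files with equal mtimes are returned in an unspecified order.` The loop that fills `$files` starts between the two hunks, so how the listing is obtained (and whether `.`/`..` are filtered) is not visible.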
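--- a/classes/wp-security-utility-htaccess.php
+++ b/classes/wp-security-utility-htaccess.php
@@ -557,9 +557,11 @@ class AIOWPSecurity_Utility_Htaccess
 $rules = '';
 if ($aio_wp_security->configs->get_value('aiowps_disable_trace_and_track') == '1') {
 $rules .= AIOWPSecurity_Utility_Htaccess::$disable_trace_track_marker_start . PHP_EOL; //Add feature marker start
+$rules .= '<IfModule mod_rewrite.c>' . PHP_EOL;
 $rules .= 'RewriteEngine On' . PHP_EOL;
 $rules .= 'RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)' . PHP_EOL;
 $rules .= 'RewriteRule .* - [F]' . PHP_EOL;
+$rules .= '</IfModule>' . PHP_EOL;
 $rules .= AIOWPSecurity_Utility_Htaccess::$disable_trace_track_marker_end . PHP_EOL; //Add feature marker end
 }
 
@@ -578,6 +580,8 @@ class AIOWPSecurity_Utility_Htaccess
 $rules = '';
 if ($aio_wp_security->configs->get_value('aiowps_forbid_proxy_comments') == '1') {
 $rules .= AIOWPSecurity_Utility_Htaccess::$forbid_proxy_comments_marker_start . PHP_EOL; //Add feature marker start
+$rules .= '<IfModule mod_rewrite.c>' . PHP_EOL;
+$rules .= 'RewriteEngine On' . PHP_EOL;
 $rules .= 'RewriteCond %{REQUEST_METHOD} ^POST' . PHP_EOL;
 $rules .= 'RewriteCond %{HTTP:VIA} !^$ [OR]' . PHP_EOL;
 $rules .= 'RewriteCond %{HTTP:FORWARDED} !^$ [OR]' . PHP_EOL;
@@ -589,6 +593,7 @@ class AIOWPSecurity_Utility_Htaccess
 $rules .= 'RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]' . PHP_EOL;
 $rules .= 'RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$' . PHP_EOL;
 $rules .= 'RewriteRule wp-comments-post\.php - [F]' . PHP_EOL;
+$rules .= '</IfModule>' . PHP_EOL;
 $rules .= AIOWPSecurity_Utility_Htaccess::$forbid_proxy_comments_marker_end . PHP_EOL; //Add feature marker end
 }
 
@@ -607,6 +612,8 @@ class AIOWPSecurity_Utility_Htaccess
 $rules = '';
 if ($aio_wp_security->configs->get_value('aiowps_deny_bad_query_strings') == '1') {
 $rules .= AIOWPSecurity_Utility_Htaccess::$deny_bad_query_strings_marker_start . PHP_EOL; //Add feature marker start
+$rules .= '<IfModule mod_rewrite.c>' . PHP_EOL;
+$rules .= 'RewriteEngine On' . PHP_EOL;
 //$rules .= 'RewriteCond %{QUERY_STRING} ../ [NC,OR]' . PHP_EOL;
 //$rules .= 'RewriteCond %{QUERY_STRING} boot.ini [NC,OR]' . PHP_EOL;
 //$rules .= 'RewriteCond %{QUERY_STRING} tag= [NC,OR]' . PHP_EOL;
@@ -620,6 +627,7 @@ class AIOWPSecurity_Utility_Htaccess
 $rules .= 'RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]' . PHP_EOL;
 $rules .= 'RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(request|insert|union|declare|drop) [NC]' . PHP_EOL;
 $rules .= 'RewriteRule ^(.*)$ - [F,L]' . PHP_EOL;
+$rules .= '</IfModule>' . PHP_EOL;
 $rules .= AIOWPSecurity_Utility_Htaccess::$deny_bad_query_strings_marker_end . PHP_EOL; //Add feature marker end
 }
 
@@ -916,13 +924,14 @@ class AIOWPSecurity_Utility_Htaccess
 $url_string = AIOWPSEC_WP_HOME_URL;
 }
 $rules .= AIOWPSecurity_Utility_Htaccess::$block_spambots_marker_start . PHP_EOL; //Add feature marker start
-$rules .= '<IfModule mod_rewrite.c>
-RewriteCond %{REQUEST_METHOD} POST
-RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$' . PHP_EOL;
-$rules .= ' RewriteCond %{HTTP_REFERER} !^' . $url_string . ' [NC,OR]' . PHP_EOL;
-$rules .= ' RewriteCond %{HTTP_USER_AGENT} ^$
-RewriteRule .* http://127.0.0.1 [L]
-</IfModule>' . PHP_EOL;
+$rules .= '<IfModule mod_rewrite.c>' . PHP_EOL;
+$rules .= 'RewriteEngine On' . PHP_EOL;
+$rules .= 'RewriteCond %{REQUEST_METHOD} POST' . PHP_EOL;
+$rules .= 'RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$' . PHP_EOL;
+$rules .= 'RewriteCond %{HTTP_REFERER} !^' . $url_string . ' [NC,OR]' . PHP_EOL;
+$rules .= 'RewriteCond %{HTTP_USER_AGENT} ^$' . PHP_EOL;
+$rules .= 'RewriteRule .* http://127.0.0.1 [L]' . PHP_EOL;
+$rules .= '</IfModule>' . PHP_EOL;
 $rules .= AIOWPSecurity_Utility_Htaccess::$block_spambots_marker_end . PHP_EOL; //Add feature marker end
 }
 
@@ -942,14 +951,14 @@ class AIOWPSecurity_Utility_Htaccess
 $url_string = AIOWPSEC_WP_HOME_URL;
 }
 $rules .= AIOWPSecurity_Utility_Htaccess::$prevent_image_hotlinks_marker_start . PHP_EOL; //Add feature marker start
-$rules .= '<IfModule mod_rewrite.c>
-RewriteEngine on
-RewriteCond %{HTTP_REFERER} !^$' . PHP_EOL;
-$rules .= ' RewriteCond %{REQUEST_FILENAME} -f' . PHP_EOL;
-$rules .= ' RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]' . PHP_EOL;
-$rules .= ' RewriteCond %{HTTP_REFERER} !^' . $url_string . ' [NC]' . PHP_EOL;
-$rules .= ' RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
-</IfModule>' . PHP_EOL;
+$rules .= '<IfModule mod_rewrite.c>' . PHP_EOL;
+$rules .= 'RewriteEngine On' . PHP_EOL;
+$rules .= 'RewriteCond %{HTTP_REFERER} !^$' . PHP_EOL;
+$rules .= 'RewriteCond %{REQUEST_FILENAME} -f' . PHP_EOL;
+$rules .= 'RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]' . PHP_EOL;
+$rules .= 'RewriteCond %{HTTP_REFERER} !^' . $url_string . ' [NC]' . PHP_EOL;
+$rules .= 'RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]' . PHP_EOL;
+$rules .= '</IfModule>' . PHP_EOL;
 $rules .= AIOWPSecurity_Utility_Htaccess::$prevent_image_hotlinks_marker_end . PHP_EOL; //Add feature marker end
 }
 
@@ -1009,7 +1018,6 @@ class AIOWPSecurity_Utility_Htaccess
 * Example: If URL passed to function = "http://www.mysite.com"
 * Result = "http(s)?://(.*)?mysite\.com"
 */
-
 static function return_regularized_url($url)
 {
 if (filter_var($url, FILTER_VALIDATE_URL)) {
@@ -1028,7 +1036,9 @@ class AIOWPSecurity_Utility_Htaccess
 $j++;
 }
 //Now replace the "http" with "http(s)?" to cover both secure and non-secure
-if (strpos($y, 'http') !== false) {
+if (strpos($y, 'https') !== false) {
+$y = str_replace('https', 'http(s)?', $y);
+}else if (strpos($y, 'http') !== false) {
 $y = str_replace('http', 'http(s)?', $y);
 }
 return $y;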
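Review bot: `str_replace('https', 'http(s)?', $y)` on line 1040 (and the `http` branch on line 1042) rewrites every occurrence in the string rather than only the scheme, so a home URL whose path contains `http` again yields a pattern with a second `(s)?` group; anchoring the replacement to the start covers both branches in one line, `$y = preg_replace('/^https?/', 'http(s)?', $y);`. The result is spliced unescaped into `RewriteCond %{HTTP_REFERER} !^...` on lines 931 and 959, so any regex metacharacter in the URL beyond the escaped dot that the comment on lines 1018-1019 shows would be interpreted by Apache; passing the host part through `preg_quote()` before prepending `(.*)?` would make that explicit. Since that comment documents a `(.*)?` prefix and the condition is only left-anchored, a Referer such as `http://attacker.example/?mysite.com` also satisfies it, and the header is client-supplied in any case, so a comment in each rule builder stating that these are bot deterrents and not access control would set expectations for the next maintainer. The middle of `return_regularized_url()` (the loop that builds `$y`) lies between the last two hunks.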
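--- a/classes/wp-security-wp-footer-content.php
+++ b/classes/wp-security-wp-footer-content.php
@@ -8,8 +8,9 @@ class AIOWPSecurity_WP_Footer_Content {
 
 global $aio_wp_security;
 
-//Handle the copy protection feature
-if ($aio_wp_security->configs->get_value('aiowps_copy_protection') == '1') {
+// Activate the copy protection feature for non-admin users
+$copy_protection_active = $aio_wp_security->configs->get_value('aiowps_copy_protection') == '1';
+if ( $copy_protection_active && !current_user_can(AIOWPSEC_MANAGEMENT_PERMISSION) ) {
 $this->output_copy_protection_code();
 }
 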
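Review bot: The new comment on line 11 says "non-admin users", but the condition on line 13 tests the `AIOWPSEC_MANAGEMENT_PERMISSION` capability, which is a capability check rather than a role check and need not coincide with the Administrator role on sites that remap capabilities; I would make the comment match the code, e.g. `// Skip the copy-protection script for users holding the plugin's management capability; it is client-side JS only, not a security control`. Where `AIOWPSEC_MANAGEMENT_PERMISSION` is defined is not visible here, so it is worth confirming that it is always set before the footer renders, because a missing constant would change how `current_user_can()` evaluates depending on the PHP version. The enclosing method's signature is outside the hunk.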
readme.txt CHANGED
@@ -4,7 +4,7 @@ Donate link: https://www.tipsandtricks-hq.com
4
  Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe,
5
  Requires at least: 3.5
6
  Tested up to: 4.6
7
- Stable tag: 4.1.7
8
  License: GPLv3
9
 
10
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
@@ -183,6 +183,35 @@ None
183
 
184
  == Changelog ==
185
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
186
  = 4.1.7 =
187
  - Added sanitisation for log file data in textarea.
188
  - Disabled autocomplete for Captcha field.
4
  Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe,
5
  Requires at least: 3.5
6
  Tested up to: 4.6
7
+ Stable tag: 4.2.2
8
  License: GPLv3
9
 
10
  A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
183
 
184
  == Changelog ==
185
 
186
+ = 4.2.2 =
187
+ - Debug logger class improvements.
188
+ - Added a message in the debug settings area to state that the log files are reset on every plugin update.
189
+ - Always return an array from scan_dir_sort_date() to prevent PHP notices.
190
+ - Improvements for Automated DB backups filling up space - old backup file will be deleted first.
191
+ - Thanks to RIPS Analyzer for sending us the vulnerability report.
192
+
193
+ = 4.2.1 =
194
+ - Improve output of .htaccess to include <IfModule mod_rewrite.c> checks and RewriteEngine On directives.
195
+ - Fall back to default DB backup interval in case of invalid value.
196
+ - The aiowps_delete_backup_files() function will produce a debug log message on every call (to help with troubleshooting when needed).
197
+
198
+ = 4.2.0 =
199
+ - WPML plugin compatibility fix for the renamed admin login page feature.
200
+ - Fixed a few potential XSS vulnerabilities.
201
+
202
+ = 4.1.9 =
203
+ - Small improvement to the new "immediate blocking of specific usernames" feature.
204
+
205
+ = 4.1.8 =
206
+ - New feature to allow immediate blocking of specific usernames.
207
+ - Only activate copy (right-click) protection for non-admin users.
208
+ - Fixed bug where logout link in admin bar does not get updated on after the $_POST submit to reflect the new rename login setting.
209
+ - Fixed small bug in return_regularized_url function.
210
+ - Improvement/bug fix: When currently logged in user attempts to access renamed login page, redirect them to dashboard.
211
+ - Removed Spanish language files so they can be automatically pulled from WordPress.org.
212
+ - Drop unnecessary WHERE clause in some backend listings.
213
+ - Improvement: do not schedule a cronjob, if it is already scheduled.
214
+
215
  = 4.1.7 =
216
  - Added sanitisation for log file data in textarea.
217
  - Disabled autocomplete for Captcha field.
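--- a/wp-security-core.php
+++ b/wp-security-core.php
@@ -3,7 +3,7 @@
 if (!class_exists('AIO_WP_Security')){
 
 class AIO_WP_Security{
-var $version = '4.1.7';
+var $version = '4.2.2';
 var $db_version = '1.8';
 var $plugin_url;
 var $plugin_path;
@@ -124,21 +124,29 @@ class AIO_WP_Security{
 function loader_operations()
 {
 add_action('plugins_loaded',array(&$this, 'plugins_loaded_handler'));//plugins loaded hook
-$this->debug_logger = new AIOWPSecurity_Logger();
+
+$debug_config = $this->configs->get_value('aiowps_enable_debug');
+$debug_enabled = empty($debug_config) ? false : true;
+$this->debug_logger = new AIOWPSecurity_Logger($debug_enabled);
+
 if(is_admin()){
 $this->admin_init = new AIOWPSecurity_Admin_Init();
 }
 }
-
+
 static function activate_handler()
 {
 //Only runs when the plugin activates
 include_once ('classes/wp-security-installer.php');
 AIOWPSecurity_Installer::run_installer();
 
-wp_schedule_event(time(), 'hourly', 'aiowps_hourly_cron_event'); //schedule an hourly cron event
-wp_schedule_event(time(), 'daily', 'aiowps_daily_cron_event'); //schedule an daily cron event
-
+if ( !wp_next_scheduled('aiowps_hourly_cron_event') ) {
+wp_schedule_event(time(), 'hourly', 'aiowps_hourly_cron_event'); //schedule an hourly cron event
+}
+if ( !wp_next_scheduled('aiowps_daily_cron_event') ) {
+wp_schedule_event(time(), 'daily', 'aiowps_daily_cron_event'); //schedule an daily cron event
+}
+
 do_action('aiowps_activation_complete');
 }
 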
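Review bot: `empty($debug_config) ? false : true` on line 129 is a long way of writing `$debug_enabled = !empty($debug_config);`, which states the intent directly. This read of `$this->configs` now happens inside `loader_operations()`, so the method depends on `$this->configs` having been populated before it is called; that ordering is not visible in this hunk and deserves either a guard or a comment such as `// requires $this->configs to be initialised before loader_operations() runs`. The `wp_next_scheduled()` guards on lines 143-146 address duplicate cron events on re-activation; since `wp_next_scheduled()` matches on hook name plus arguments and neither call passes arguments, the two sides agree.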
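--- a/wp-security.php
+++ b/wp-security.php
@@ -1,7 +1,7 @@
 <?php
 /*
 Plugin Name: All In One WP Security
-Version: 4.1.7
+Version: 4.2.2
 Plugin URI: https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
 Author: Tips and Tricks HQ, Peter, Ruhul, Ivy
 Author URI: https://www.tipsandtricks-hq.com/
@@ -9,7 +9,9 @@ Description: All round best WordPress security plugin!
 License: GPL3
 */
 
-if(!defined('ABSPATH'))exit; //Exit if accessed directly
+if(!defined('ABSPATH')){
+exit;//Exit if accessed directly
+}
 
 include_once('wp-security-core.php');
 register_activation_hook(__FILE__,array('AIO_WP_Security','activate_handler'));//activation hook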