Version Description
22/April/2022 =
FEATURE: Disable login lockdown feature when the AIOWPS_DISABLE_LOGIN_LOCKDOWN constant with true value.
FIX: For multisite giving fatal error on settings and dashboard page Call to a member function on null.
FIX: Scores not updating correctly if a feature activated and "Remove wp generator meta info" activated shows 5/5 for all.
FIX: Change hard-coded references of wp-content to WP_CONTENT_DIR constant.
TWEAK: Get user IP Address using an external service in local server setup.
TWEAK: Filter name changed to "aiowps_pre_add_to_permanent_block" from "pre_add_to_permanent_block".
TWEAK: Filter name changed to "aiowps_filter_event_logger_data" from "filter_event_logger_data".
TWEAK: Disables the "Secret Word" and "Re-direct URL" input fields when the "Enable Brute Force Attack Prevention" option is unchecked.
TWEAK: Show nice error on activation if site php version is lower than 5.6.
Download this release
Release Info
| Developer | DavidAnderson |
| Plugin |  All In One WP Security & Firewall |
| Version | 4.4.12 |
| Comparing to | |
| See all releases | |
Code changes from version 4.4.11 to 4.4.12
- admin/wp-security-admin-init.php +1 -1
- admin/wp-security-brute-force-menu.php +15 -4
- admin/wp-security-dashboard-menu.php +3 -4
- classes/grade-system/wp-security-feature-item-manager.php +1 -1
- classes/wp-security-blocking.php +1 -1
- classes/wp-security-captcha.php +13 -13
- classes/wp-security-comment.php +32 -0
- classes/wp-security-general-init-tasks.php +57 -53
- classes/wp-security-notices.php +22 -0
- classes/wp-security-user-login.php +55 -2
- classes/wp-security-utility-file.php +3 -3
- classes/wp-security-utility-ip-address.php +46 -5
- classes/wp-security-utility.php +1 -1
- classes/wp-security-wp-footer-content.php +5 -4
- js/wp-security-admin-script.js +7 -0
- readme.txt +20 -9
- vendor/composer/installed.php +2 -2
- wp-security-core.php +29 -12
- wp-security.php +5 -5
admin/wp-security-admin-init.php
CHANGED
|
@@ -339,7 +339,7 @@ class AIOWPSecurity_Admin_Init {
|
|
| 339 |
{
|
| 340 |
$brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']);
|
| 341 |
if(empty($brute_force_feature_secret_word)){
|
| 342 |
-
$brute_force_feature_secret_word = "
|
| 343 |
}
|
| 344 |
AIOWPSecurity_Utility::set_cookie_value($brute_force_feature_secret_word, "1");
|
| 345 |
}
|
| 339 |
{
|
| 340 |
$brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']);
|
| 341 |
if(empty($brute_force_feature_secret_word)){
|
| 342 |
+
$brute_force_feature_secret_word = "aiowpssecret";
|
| 343 |
}
|
| 344 |
AIOWPSecurity_Utility::set_cookie_value($brute_force_feature_secret_word, "1");
|
| 345 |
}
|
admin/wp-security-brute-force-menu.php
CHANGED
|
@@ -245,7 +245,7 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 245 |
{
|
| 246 |
$brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']);
|
| 247 |
if(empty($brute_force_feature_secret_word)){
|
| 248 |
-
$brute_force_feature_secret_word = "
|
| 249 |
}else if(!ctype_alnum($brute_force_feature_secret_word)){
|
| 250 |
$msg = '<p>'.__('Settings have not been saved - your secret word must consist only of alphanumeric characters, ie, letters and/or numbers only!', 'all-in-one-wp-security-and-firewall').'</p>';
|
| 251 |
$error = true;
|
|
@@ -376,7 +376,7 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 376 |
<tr valign="top">
|
| 377 |
<th scope="row"><?php _e('Enable Brute Force Attack Prevention', 'all-in-one-wp-security-and-firewall')?>:</th>
|
| 378 |
<td>
|
| 379 |
-
<input name="aiowps_enable_brute_force_attack_prevention" type="checkbox"<?php
|
| 380 |
<span class="description"><?php _e('Check this if you want to protect your login page from Brute Force Attack.', 'all-in-one-wp-security-and-firewall'); ?></span>
|
| 381 |
<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
|
| 382 |
<div class="aiowps_more_info_body">
|
|
@@ -400,13 +400,13 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 400 |
</tr>
|
| 401 |
<tr valign="top">
|
| 402 |
<th scope="row"><?php _e('Secret Word', 'all-in-one-wp-security-and-firewall')?>:</th>
|
| 403 |
-
<td><input type="text" size="40" name="aiowps_brute_force_secret_word" value="<?php echo $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word'); ?>"
|
| 404 |
<span class="description"><?php _e('Choose a secret word consisting of alphanumeric characters which you can use to access your special URL. Your are highly encouraged to choose a word which will be difficult to guess.', 'all-in-one-wp-security-and-firewall'); ?></span>
|
| 405 |
</td>
|
| 406 |
</tr>
|
| 407 |
<tr valign="top">
|
| 408 |
<th scope="row"><?php _e('Re-direct URL', 'all-in-one-wp-security-and-firewall')?>:</th>
|
| 409 |
-
<td><input type="text" size="40" name="aiowps_cookie_based_brute_force_redirect_url" value="<?php echo $aio_wp_security->configs->get_value('aiowps_cookie_based_brute_force_redirect_url'); ?>"
|
| 410 |
<span class="description">
|
| 411 |
<?php
|
| 412 |
_e('Specify a URL to redirect a hacker to when they try to access your WordPress login page.', 'all-in-one-wp-security-and-firewall');
|
|
@@ -577,6 +577,17 @@ class AIOWPSecurity_Brute_Force_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 577 |
</p>
|
| 578 |
</div>
|
| 579 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 580 |
<table class="form-table">
|
| 581 |
<tr valign="top">
|
| 582 |
<th scope="row"><?php _e('Use Google reCAPTCHA as default', 'all-in-one-wp-security-and-firewall')?>:</th>
|
| 245 |
{
|
| 246 |
$brute_force_feature_secret_word = sanitize_text_field($_POST['aiowps_brute_force_secret_word']);
|
| 247 |
if(empty($brute_force_feature_secret_word)){
|
| 248 |
+
$brute_force_feature_secret_word = "aiowpssecret";
|
| 249 |
}else if(!ctype_alnum($brute_force_feature_secret_word)){
|
| 250 |
$msg = '<p>'.__('Settings have not been saved - your secret word must consist only of alphanumeric characters, ie, letters and/or numbers only!', 'all-in-one-wp-security-and-firewall').'</p>';
|
| 251 |
$error = true;
|
| 376 |
<tr valign="top">
|
| 377 |
<th scope="row"><?php _e('Enable Brute Force Attack Prevention', 'all-in-one-wp-security-and-firewall')?>:</th>
|
| 378 |
<td>
|
| 379 |
+
<input name="aiowps_enable_brute_force_attack_prevention" type="checkbox"<?php checked($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')); ?> value="1"/>
|
| 380 |
<span class="description"><?php _e('Check this if you want to protect your login page from Brute Force Attack.', 'all-in-one-wp-security-and-firewall'); ?></span>
|
| 381 |
<span class="aiowps_more_info_anchor"><span class="aiowps_more_info_toggle_char">+</span><span class="aiowps_more_info_toggle_text"><?php _e('More Info', 'all-in-one-wp-security-and-firewall'); ?></span></span>
|
| 382 |
<div class="aiowps_more_info_body">
|
| 400 |
</tr>
|
| 401 |
<tr valign="top">
|
| 402 |
<th scope="row"><?php _e('Secret Word', 'all-in-one-wp-security-and-firewall')?>:</th>
|
| 403 |
+
<td><input type="text" size="40" name="aiowps_brute_force_secret_word" value="<?php echo $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word'); ?>"<?php if(!$aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')) echo ' disabled'; ?>/>
|
| 404 |
<span class="description"><?php _e('Choose a secret word consisting of alphanumeric characters which you can use to access your special URL. Your are highly encouraged to choose a word which will be difficult to guess.', 'all-in-one-wp-security-and-firewall'); ?></span>
|
| 405 |
</td>
|
| 406 |
</tr>
|
| 407 |
<tr valign="top">
|
| 408 |
<th scope="row"><?php _e('Re-direct URL', 'all-in-one-wp-security-and-firewall')?>:</th>
|
| 409 |
+
<td><input type="text" size="40" name="aiowps_cookie_based_brute_force_redirect_url" value="<?php echo $aio_wp_security->configs->get_value('aiowps_cookie_based_brute_force_redirect_url'); ?>"<?php if(!$aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention')) echo ' disabled'; ?>/>
|
| 410 |
<span class="description">
|
| 411 |
<?php
|
| 412 |
_e('Specify a URL to redirect a hacker to when they try to access your WordPress login page.', 'all-in-one-wp-security-and-firewall');
|
| 577 |
</p>
|
| 578 |
</div>
|
| 579 |
|
| 580 |
+
<?php if ($aio_wp_security->is_login_lockdown_by_const()) { ?>
|
| 581 |
+
<div class="aio_blue_box">
|
| 582 |
+
<p>
|
| 583 |
+
<?php
|
| 584 |
+
echo __('Recaptcha will not work because you have disabled login lockdown by acitvating the AIOWPS_DISABLE_LOGIN_LOCKDOWN constant value in a configuration file.', 'all-in-one-wp-security-and-firewall').'
|
| 585 |
+
<br />'.__('To enable it, define AIOWPS_DISABLE_LOGIN_LOCKDOWN constant value as false, or remove it.', 'all-in-one-wp-security-and-firewall');
|
| 586 |
+
?>
|
| 587 |
+
</p>
|
| 588 |
+
</div>
|
| 589 |
+
<?php } ?>
|
| 590 |
+
|
| 591 |
<table class="form-table">
|
| 592 |
<tr valign="top">
|
| 593 |
<th scope="row"><?php _e('Use Google reCAPTCHA as default', 'all-in-one-wp-security-and-firewall')?>:</th>
|
admin/wp-security-dashboard-menu.php
CHANGED
|
@@ -431,10 +431,10 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 431 |
public function widget_spread_the_word() {
|
| 432 |
?>
|
| 433 |
<p><?php _e('We are working hard to make your WordPress site more secure. Please support us, here is how:', 'all-in-one-wp-security-and-firewall');?></p>
|
| 434 |
-
<p><a href="https://
|
| 435 |
</p>
|
| 436 |
<p>
|
| 437 |
-
<a href="http://twitter.com/intent/tweet?url=https://
|
| 438 |
target="_blank" class="aio_tweet_link"><?php _e('Post to Twitter', 'all-in-one-wp-security-and-firewall');?></a>
|
| 439 |
</p>
|
| 440 |
<p>
|
|
@@ -447,8 +447,7 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
|
|
| 447 |
public function widget_know_developers() {
|
| 448 |
?>
|
| 449 |
<p><?php _e('Wanna know more about the developers behind this plugin?', 'all-in-one-wp-security-and-firewall');?></p>
|
| 450 |
-
<p><a href="https://
|
| 451 |
-
<p><a href="https://www.tipsandtricks-hq.com/" target="_blank">Tips and Tricks HQ</a></p>
|
| 452 |
|
| 453 |
<?php
|
| 454 |
}
|
| 431 |
public function widget_spread_the_word() {
|
| 432 |
?>
|
| 433 |
<p><?php _e('We are working hard to make your WordPress site more secure. Please support us, here is how:', 'all-in-one-wp-security-and-firewall');?></p>
|
| 434 |
+
<p><a href="https://twitter.com/intent/user?screen_name=UpdraftPlus" target="_blank"><?php _e('Follow us on', 'all-in-one-wp-security-and-firewall');?> Twitter</a>
|
| 435 |
</p>
|
| 436 |
<p>
|
| 437 |
+
<a href="http://twitter.com/intent/tweet?url=https://wordpress.org/plugins/all-in-one-wp-security-and-firewall&text=I love the All In One WP Security and Firewall plugin!"
|
| 438 |
target="_blank" class="aio_tweet_link"><?php _e('Post to Twitter', 'all-in-one-wp-security-and-firewall');?></a>
|
| 439 |
</p>
|
| 440 |
<p>
|
| 447 |
public function widget_know_developers() {
|
| 448 |
?>
|
| 449 |
<p><?php _e('Wanna know more about the developers behind this plugin?', 'all-in-one-wp-security-and-firewall');?></p>
|
| 450 |
+
<p><a href="https://teamupdraft.com/" target="_blank">Team UpdraftPlus</a></p>
|
|
|
|
| 451 |
|
| 452 |
<?php
|
| 453 |
}
|
classes/grade-system/wp-security-feature-item-manager.php
CHANGED
|
@@ -128,7 +128,7 @@ class AIOWPSecurity_Feature_Item_Manager {
|
|
| 128 |
|
| 129 |
public function get_feature_item_by_id($feature_id) {
|
| 130 |
foreach ($this->feature_items as $item) {
|
| 131 |
-
if ($feature_id) {
|
| 132 |
return $item;
|
| 133 |
}
|
| 134 |
}
|
| 128 |
|
| 129 |
public function get_feature_item_by_id($feature_id) {
|
| 130 |
foreach ($this->feature_items as $item) {
|
| 131 |
+
if ($item->feature_id == $feature_id) {
|
| 132 |
return $item;
|
| 133 |
}
|
| 134 |
}
|
classes/wp-security-blocking.php
CHANGED
|
@@ -71,7 +71,7 @@ class AIOWPSecurity_Blocking {
|
|
| 71 |
'block_reason'=>$reason,
|
| 72 |
'blocked_date'=>$time_now
|
| 73 |
);
|
| 74 |
-
$data = apply_filters('
|
| 75 |
$res = $wpdb->insert(AIOWPSEC_TBL_PERM_BLOCK, $data);
|
| 76 |
if (false === $res) {
|
| 77 |
$aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Blocking::add_ip_to_block_list - Error inserting record into AIOWPSEC_TBL_PERM_BLOCK table for IP ".$ip_address);
|
| 71 |
'block_reason'=>$reason,
|
| 72 |
'blocked_date'=>$time_now
|
| 73 |
);
|
| 74 |
+
$data = apply_filters('aiowps_pre_add_to_permanent_block', $data);
|
| 75 |
$res = $wpdb->insert(AIOWPSEC_TBL_PERM_BLOCK, $data);
|
| 76 |
if (false === $res) {
|
| 77 |
$aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Blocking::add_ip_to_block_list - Error inserting record into AIOWPSEC_TBL_PERM_BLOCK table for IP ".$ip_address);
|
classes/wp-security-captcha.php
CHANGED
|
@@ -4,13 +4,13 @@ if (!defined('ABSPATH')) {
|
|
| 4 |
}
|
| 5 |
|
| 6 |
class AIOWPSecurity_Captcha {
|
| 7 |
-
|
| 8 |
private $google_verify_recaptcha_url = 'https://www.google.com/recaptcha/api/siteverify';
|
| 9 |
|
| 10 |
public function __construct() {
|
| 11 |
//NOP
|
| 12 |
}
|
| 13 |
-
|
| 14 |
/**
|
| 15 |
* Displays Google reCaptcha form v2
|
| 16 |
*
|
|
@@ -50,15 +50,15 @@ class AIOWPSecurity_Captcha {
|
|
| 50 |
$cap_form .= $maths_question_output . '</strong></div></p>';
|
| 51 |
echo $cap_form;
|
| 52 |
}
|
| 53 |
-
|
| 54 |
public function generate_maths_question() {
|
| 55 |
global $aio_wp_security;
|
| 56 |
//For now we will only do plus, minus, multiplication
|
| 57 |
$equation_string = '';
|
| 58 |
$operator_type = array('+', '−', '×');
|
| 59 |
-
|
| 60 |
$operand_display = array('word', 'number');
|
| 61 |
-
|
| 62 |
//let's now generate an equation
|
| 63 |
$operator = $operator_type[rand(0, 2)];
|
| 64 |
|
|
@@ -70,13 +70,13 @@ class AIOWPSecurity_Captcha {
|
|
| 70 |
$first_digit = rand(1, 20);
|
| 71 |
$second_digit = rand(1, 20);
|
| 72 |
}
|
| 73 |
-
|
| 74 |
if ('word' == $operand_display[rand(0, 1)]) {
|
| 75 |
$first_operand = $this->number_word_mapping($first_digit);
|
| 76 |
} else {
|
| 77 |
$first_operand = $first_digit;
|
| 78 |
}
|
| 79 |
-
|
| 80 |
if ('word' == $operand_display[rand(0, 1)]) {
|
| 81 |
$second_operand = $this->number_word_mapping($second_digit);
|
| 82 |
} else {
|
|
@@ -103,7 +103,7 @@ class AIOWPSecurity_Captcha {
|
|
| 103 |
$equation_string .= $first_operand . ' ' . $operator . ' ' . $second_operand . ' = ';
|
| 104 |
$result = $first_digit*$second_digit;
|
| 105 |
}
|
| 106 |
-
|
| 107 |
//Let's encode correct answer
|
| 108 |
$captcha_secret_string = $aio_wp_security->configs->get_value('aiowps_captcha_secret_key');
|
| 109 |
$current_time = time();
|
|
@@ -121,7 +121,7 @@ class AIOWPSecurity_Captcha {
|
|
| 121 |
$equation_string .= '<input type="text" size="2" id="aiowps-captcha-answer" name="aiowps-captcha-answer" value="" autocomplete="off" />';
|
| 122 |
return $equation_string;
|
| 123 |
}
|
| 124 |
-
|
| 125 |
public function number_word_mapping($num) {
|
| 126 |
$number_map = array(
|
| 127 |
1 => __('one', 'all-in-one-wp-security-and-firewall'),
|
|
@@ -147,8 +147,8 @@ class AIOWPSecurity_Captcha {
|
|
| 147 |
);
|
| 148 |
return $number_map[$num];
|
| 149 |
}
|
| 150 |
-
|
| 151 |
-
|
| 152 |
/**
|
| 153 |
* Verifies the math or Google recaptcha v2 forms
|
| 154 |
* Returns TRUE if correct answer.
|
|
@@ -186,7 +186,7 @@ class AIOWPSecurity_Captcha {
|
|
| 186 |
}
|
| 187 |
}
|
| 188 |
}
|
| 189 |
-
|
| 190 |
/**
|
| 191 |
* Verifies the math captcha answer entered by the user
|
| 192 |
*
|
|
@@ -231,7 +231,7 @@ class AIOWPSecurity_Captcha {
|
|
| 231 |
}
|
| 232 |
|
| 233 |
$url = $this->google_verify_recaptcha_url;
|
| 234 |
-
|
| 235 |
$sitekey = $aio_wp_security->configs->get_value('aiowps_recaptcha_site_key');// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
|
| 236 |
$secret = $aio_wp_security->configs->get_value('aiowps_recaptcha_secret_key');
|
| 237 |
$ip_address = AIOWPSecurity_Utility_IP::get_user_ip_address();
|
| 4 |
}
|
| 5 |
|
| 6 |
class AIOWPSecurity_Captcha {
|
| 7 |
+
|
| 8 |
private $google_verify_recaptcha_url = 'https://www.google.com/recaptcha/api/siteverify';
|
| 9 |
|
| 10 |
public function __construct() {
|
| 11 |
//NOP
|
| 12 |
}
|
| 13 |
+
|
| 14 |
/**
|
| 15 |
* Displays Google reCaptcha form v2
|
| 16 |
*
|
| 50 |
$cap_form .= $maths_question_output . '</strong></div></p>';
|
| 51 |
echo $cap_form;
|
| 52 |
}
|
| 53 |
+
|
| 54 |
public function generate_maths_question() {
|
| 55 |
global $aio_wp_security;
|
| 56 |
//For now we will only do plus, minus, multiplication
|
| 57 |
$equation_string = '';
|
| 58 |
$operator_type = array('+', '−', '×');
|
| 59 |
+
|
| 60 |
$operand_display = array('word', 'number');
|
| 61 |
+
|
| 62 |
//let's now generate an equation
|
| 63 |
$operator = $operator_type[rand(0, 2)];
|
| 64 |
|
| 70 |
$first_digit = rand(1, 20);
|
| 71 |
$second_digit = rand(1, 20);
|
| 72 |
}
|
| 73 |
+
|
| 74 |
if ('word' == $operand_display[rand(0, 1)]) {
|
| 75 |
$first_operand = $this->number_word_mapping($first_digit);
|
| 76 |
} else {
|
| 77 |
$first_operand = $first_digit;
|
| 78 |
}
|
| 79 |
+
|
| 80 |
if ('word' == $operand_display[rand(0, 1)]) {
|
| 81 |
$second_operand = $this->number_word_mapping($second_digit);
|
| 82 |
} else {
|
| 103 |
$equation_string .= $first_operand . ' ' . $operator . ' ' . $second_operand . ' = ';
|
| 104 |
$result = $first_digit*$second_digit;
|
| 105 |
}
|
| 106 |
+
|
| 107 |
//Let's encode correct answer
|
| 108 |
$captcha_secret_string = $aio_wp_security->configs->get_value('aiowps_captcha_secret_key');
|
| 109 |
$current_time = time();
|
| 121 |
$equation_string .= '<input type="text" size="2" id="aiowps-captcha-answer" name="aiowps-captcha-answer" value="" autocomplete="off" />';
|
| 122 |
return $equation_string;
|
| 123 |
}
|
| 124 |
+
|
| 125 |
public function number_word_mapping($num) {
|
| 126 |
$number_map = array(
|
| 127 |
1 => __('one', 'all-in-one-wp-security-and-firewall'),
|
| 147 |
);
|
| 148 |
return $number_map[$num];
|
| 149 |
}
|
| 150 |
+
|
| 151 |
+
|
| 152 |
/**
|
| 153 |
* Verifies the math or Google recaptcha v2 forms
|
| 154 |
* Returns TRUE if correct answer.
|
| 186 |
}
|
| 187 |
}
|
| 188 |
}
|
| 189 |
+
|
| 190 |
/**
|
| 191 |
* Verifies the math captcha answer entered by the user
|
| 192 |
*
|
| 231 |
}
|
| 232 |
|
| 233 |
$url = $this->google_verify_recaptcha_url;
|
| 234 |
+
|
| 235 |
$sitekey = $aio_wp_security->configs->get_value('aiowps_recaptcha_site_key');// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
|
| 236 |
$secret = $aio_wp_security->configs->get_value('aiowps_recaptcha_secret_key');
|
| 237 |
$ip_address = AIOWPSecurity_Utility_IP::get_user_ip_address();
|
classes/wp-security-comment.php
ADDED
|
@@ -0,0 +1,32 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
<?php
|
| 2 |
+
if (!defined('ABSPATH')) {
|
| 3 |
+
exit;//Exit if accessed directly
|
| 4 |
+
}
|
| 5 |
+
|
| 6 |
+
/**
|
| 7 |
+
* Handles Comment related hooks.
|
| 8 |
+
*/
|
| 9 |
+
class AIOWPSecurity_Comment {
|
| 10 |
+
|
| 11 |
+
/**
|
| 12 |
+
* Class constructor. Add action hooks.
|
| 13 |
+
*
|
| 14 |
+
* @return void
|
| 15 |
+
*/
|
| 16 |
+
public function __construct() {
|
| 17 |
+
add_filter('pre_comment_user_ip', array($this, 'pre_comment_user_ip'));
|
| 18 |
+
}
|
| 19 |
+
|
| 20 |
+
/**
|
| 21 |
+
* Set comment user IP for local server setup.
|
| 22 |
+
*
|
| 23 |
+
* @param string $comment_user_ip comment user IP.
|
| 24 |
+
* @return string Comment user IP.
|
| 25 |
+
*/
|
| 26 |
+
public function pre_comment_user_ip($comment_user_ip) {
|
| 27 |
+
if (in_array($comment_user_ip, array('', '127.0.0.1', '::1'))) {
|
| 28 |
+
$comment_user_ip = AIOWPSecurity_Utility_IP::get_external_ip_address();
|
| 29 |
+
}
|
| 30 |
+
return $comment_user_ip;
|
| 31 |
+
}
|
| 32 |
+
}
|
classes/wp-security-general-init-tasks.php
CHANGED
|
@@ -7,7 +7,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 7 |
public function __construct() {
|
| 8 |
// Do init time tasks
|
| 9 |
global $aio_wp_security;
|
| 10 |
-
|
| 11 |
if ($aio_wp_security->configs->get_value('aiowps_disable_xmlrpc_pingback_methods') == '1') {
|
| 12 |
add_filter('xmlrpc_methods', array($this, 'aiowps_disable_xmlrpc_pingback_methods'));
|
| 13 |
add_filter('wp_headers', array($this, 'aiowps_remove_x_pingback_header'));
|
|
@@ -36,8 +36,8 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 36 |
$this->reapply_htaccess_rules();
|
| 37 |
add_action('admin_notices', array($this,'reapply_htaccess_rules_notice'));
|
| 38 |
}
|
| 39 |
-
|
| 40 |
-
|
| 41 |
/**
|
| 42 |
* Send X-Frame-Options: SAMEORIGIN in HTTP header
|
| 43 |
*/
|
|
@@ -50,7 +50,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 50 |
add_filter('style_loader_src', array($this,'remove_wp_css_js_meta_info'));
|
| 51 |
add_filter('script_loader_src', array($this,'remove_wp_css_js_meta_info'));
|
| 52 |
}
|
| 53 |
-
|
| 54 |
// For the cookie based brute force prevention feature
|
| 55 |
if ($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention') == 1) {
|
| 56 |
$bfcf_secret_word = $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word');
|
|
@@ -60,17 +60,17 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 60 |
AIOWPSecurity_Utility::redirect_to_url(AIOWPSEC_WP_URL."/wp-admin");
|
| 61 |
}
|
| 62 |
}
|
| 63 |
-
|
| 64 |
// Stop users enumeration feature
|
| 65 |
if ($aio_wp_security->configs->get_value('aiowps_prevent_users_enumeration') == 1) {
|
| 66 |
include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-stop-users-enumeration.php');
|
| 67 |
}
|
| 68 |
-
|
| 69 |
// REST API security
|
| 70 |
if ($aio_wp_security->configs->get_value('aiowps_disallow_unauthorized_rest_requests') == 1) {
|
| 71 |
add_action('rest_api_init', array($this, 'check_rest_api_requests'), 10, 1);
|
| 72 |
}
|
| 73 |
-
|
| 74 |
// For user unlock request feature
|
| 75 |
if (isset($_POST['aiowps_unlock_request']) || isset($_POST['aiowps_wp_submit_unlock_request'])) {
|
| 76 |
nocache_headers();
|
|
@@ -78,7 +78,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 78 |
include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-unlock-request.php');
|
| 79 |
exit();
|
| 80 |
}
|
| 81 |
-
|
| 82 |
if (isset($_GET['aiowps_auth_key'])) {
|
| 83 |
//If URL contains unlock key in query param then process the request
|
| 84 |
$unlock_key = sanitize_text_field($_GET['aiowps_auth_key']);
|
|
@@ -94,7 +94,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 94 |
AIOWPSecurity_Utility::redirect_to_url('http://127.0.0.1');
|
| 95 |
}
|
| 96 |
}
|
| 97 |
-
|
| 98 |
// For 404 IP lockout feature
|
| 99 |
if ($aio_wp_security->configs->get_value('aiowps_enable_404_IP_lockout') == '1') {
|
| 100 |
if (!is_user_logged_in() || !current_user_can('administrator')) {
|
|
@@ -124,12 +124,12 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 124 |
if (!is_user_logged_in()) {
|
| 125 |
add_action('woocommerce_register_form', array($this, 'insert_captcha_question_form'));
|
| 126 |
}
|
| 127 |
-
|
| 128 |
if (isset($_POST['woocommerce-register-nonce'])) {
|
| 129 |
add_filter('woocommerce_process_registration_errors', array($this, 'aiowps_validate_woo_login_or_reg_captcha'), 10, 3);
|
| 130 |
}
|
| 131 |
}
|
| 132 |
-
|
| 133 |
if ($aio_wp_security->configs->get_value('aiowps_enable_woo_lostpassword_captcha') == '1') {
|
| 134 |
if (!is_user_logged_in()) {
|
| 135 |
add_action('woocommerce_lostpassword_form', array($this, 'insert_captcha_question_form'));
|
|
@@ -145,7 +145,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 145 |
add_action('bbp_theme_before_topic_form_submit_wrapper', array($this, 'insert_captcha_question_form'));
|
| 146 |
}
|
| 147 |
}
|
| 148 |
-
|
| 149 |
// For custom login form captcha feature, ie, when wp_login_form() function is used to generate login form
|
| 150 |
if ($aio_wp_security->configs->get_value('aiowps_enable_custom_login_captcha') == '1') {
|
| 151 |
if (!is_user_logged_in()) {
|
|
@@ -166,7 +166,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 166 |
add_action('register_form', array($this, 'insert_honeypot_hidden_field'));
|
| 167 |
}
|
| 168 |
}
|
| 169 |
-
|
| 170 |
// For lost password captcha feature
|
| 171 |
if ($aio_wp_security->configs->get_value('aiowps_enable_lost_password_captcha') == '1') {
|
| 172 |
if (!is_user_logged_in()) {
|
|
@@ -179,7 +179,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 179 |
if ($aio_wp_security->configs->get_value('aiowps_enable_manual_registration_approval') == '1') {
|
| 180 |
add_filter('wp_login_errors', array($this, 'modify_registration_page_messages'), 10, 2);
|
| 181 |
}
|
| 182 |
-
|
| 183 |
// For registration page captcha feature
|
| 184 |
if (AIOWPSecurity_Utility::is_multisite_install()) {
|
| 185 |
$blog_id = get_current_blog_id();
|
|
@@ -227,38 +227,38 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 227 |
}
|
| 228 |
}
|
| 229 |
}
|
| 230 |
-
|
| 231 |
// For buddypress registration captcha feature
|
| 232 |
if ($aio_wp_security->configs->get_value('aiowps_enable_bp_register_captcha') == '1') {
|
| 233 |
add_action('bp_account_details_fields', array($this, 'insert_captcha_question_form'));
|
| 234 |
add_action('bp_signup_validate', array($this, 'buddy_press_signup_validate_captcha'));
|
| 235 |
}
|
| 236 |
-
|
| 237 |
-
|
| 238 |
// For feature which displays logged in users
|
| 239 |
$aio_wp_security->user_login_obj->update_users_online_transient();
|
| 240 |
-
|
| 241 |
// For block fake googlebots feature
|
| 242 |
if ($aio_wp_security->configs->get_value('aiowps_block_fake_googlebots') == '1') {
|
| 243 |
include_once(AIO_WP_SECURITY_PATH.'/classes/wp-security-bot-protection.php');
|
| 244 |
AIOWPSecurity_Fake_Bot_Protection::block_fake_googlebots();
|
| 245 |
}
|
| 246 |
-
|
| 247 |
// For 404 event logging
|
| 248 |
if ($aio_wp_security->configs->get_value('aiowps_enable_404_logging') == '1') {
|
| 249 |
add_action('wp_head', array($this, 'check_404_event'));
|
| 250 |
}
|
| 251 |
|
| 252 |
// Add more tasks that need to be executed at init time
|
| 253 |
-
|
| 254 |
} // end _construct()
|
| 255 |
-
|
| 256 |
public function aiowps_disable_xmlrpc_pingback_methods($methods) {
|
| 257 |
unset($methods['pingback.ping']);
|
| 258 |
unset($methods['pingback.extensions.getPingbacks']);
|
| 259 |
return $methods;
|
| 260 |
}
|
| 261 |
-
|
| 262 |
public function aiowps_remove_x_pingback_header($headers) {
|
| 263 |
unset($headers['X-Pingback']);
|
| 264 |
return $headers;
|
|
@@ -342,11 +342,11 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 342 |
public function do_404_lockout_tasks() {
|
| 343 |
global $aio_wp_security;
|
| 344 |
$redirect_url = $aio_wp_security->configs->get_value('aiowps_404_lock_redirect_url'); //This is the redirect URL for blocked users
|
| 345 |
-
|
| 346 |
$visitor_ip = AIOWPSecurity_Utility_IP::get_user_ip_address();
|
| 347 |
-
|
| 348 |
$is_locked = AIOWPSecurity_Utility::check_locked_ip($visitor_ip);
|
| 349 |
-
|
| 350 |
if ($is_locked) {
|
| 351 |
//redirect blocked user to configured URL
|
| 352 |
AIOWPSecurity_Utility::redirect_to_url($redirect_url);
|
|
@@ -364,6 +364,10 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 364 |
*/
|
| 365 |
public function insert_captcha_custom_login($cust_html_code) {
|
| 366 |
global $aio_wp_security;
|
|
|
|
|
|
|
|
|
|
|
|
|
| 367 |
if ($aio_wp_security->configs->get_value('aiowps_default_recaptcha')) {
|
| 368 |
$site_key = esc_html($aio_wp_security->configs->get_value('aiowps_recaptcha_site_key'));
|
| 369 |
$cap_form = '<div class="g-recaptcha-wrap" style="padding:10px 0 10px 0"><div class="g-recaptcha" data-sitekey="'.$site_key.'"></div></div>';
|
|
@@ -379,12 +383,12 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 379 |
return $cust_html_code;
|
| 380 |
}
|
| 381 |
}
|
| 382 |
-
|
| 383 |
public function insert_captcha_question_form_multi() {
|
| 384 |
global $aio_wp_security;
|
| 385 |
$aio_wp_security->captcha_obj->display_captcha_form();
|
| 386 |
}
|
| 387 |
-
|
| 388 |
public function process_signup_form_multi($result) {
|
| 389 |
global $aio_wp_security;
|
| 390 |
//Check if captcha enabled
|
|
@@ -395,12 +399,12 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 395 |
}
|
| 396 |
return $result;
|
| 397 |
}
|
| 398 |
-
|
| 399 |
public function insert_captcha_question_form() {
|
| 400 |
global $aio_wp_security;
|
| 401 |
-
|
| 402 |
if ($aio_wp_security->configs->get_value('aiowps_default_recaptcha')) {
|
| 403 |
-
|
| 404 |
// Woocommerce "my account" page needs special consideration, ie,
|
| 405 |
// need to display two Google reCaptcha forms on same page (for login and register forms)
|
| 406 |
// For this case we use the "explicit" recaptcha display
|
|
@@ -415,14 +419,14 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 415 |
echo '<div class="g-recaptcha-wrap" style="padding:10px 0 10px 0"><div id="woo_recaptcha_2" class="g-recaptcha" data-sitekey="'.$site_key.'"></div></div>';
|
| 416 |
return;
|
| 417 |
}
|
| 418 |
-
|
| 419 |
// For all other forms simply display google recaptcha as per normal
|
| 420 |
$aio_wp_security->captcha_obj->display_recaptcha_form();
|
| 421 |
} else {
|
| 422 |
// display plain maths captcha form
|
| 423 |
$aio_wp_security->captcha_obj->display_captcha_form();
|
| 424 |
}
|
| 425 |
-
|
| 426 |
}
|
| 427 |
|
| 428 |
public function insert_honeypot_hidden_field() {
|
|
@@ -430,7 +434,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 430 |
$honey_input .= '<input name="aio_special_field" type="text" id="aio_special_field" class="aio_special_field" value="" /></p>';
|
| 431 |
echo $honey_input;
|
| 432 |
}
|
| 433 |
-
|
| 434 |
public function process_comment_post($comment) {
|
| 435 |
global $aio_wp_security;
|
| 436 |
if (is_user_logged_in()) {
|
|
@@ -446,7 +450,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 446 |
if ('' != $comment['comment_type'] && 'comment' != $comment['comment_type'] && 'review' != $comment['comment_type']) {
|
| 447 |
return $comment;
|
| 448 |
}
|
| 449 |
-
|
| 450 |
$verify_captcha = $aio_wp_security->captcha_obj->verify_captcha_submit();
|
| 451 |
if (false === $verify_captcha) {
|
| 452 |
//Wrong answer
|
|
@@ -455,14 +459,14 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 455 |
return($comment);
|
| 456 |
}
|
| 457 |
}
|
| 458 |
-
|
| 459 |
/**
|
| 460 |
* Process the main Wordpress account lost password login form post
|
| 461 |
* Called by wp hook "lostpassword_post"
|
| 462 |
*/
|
| 463 |
public function process_lost_password_form_post() {
|
| 464 |
global $aio_wp_security;
|
| 465 |
-
|
| 466 |
// Workaround - the woocommerce lost password form also uses the same "lostpassword_post" hook.
|
| 467 |
// We don't want to process woo forms here so ignore if this is a woo lost password $_POST
|
| 468 |
if (!array_key_exists('woocommerce-lost-password-nonce', $_POST)) {
|
|
@@ -472,20 +476,20 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 472 |
}
|
| 473 |
}
|
| 474 |
}
|
| 475 |
-
|
| 476 |
public function add_lostpassword_captcha_error_msg() {
|
| 477 |
//Insert an error just before the password reset process kicks in
|
| 478 |
return new WP_Error('aiowps_captcha_error', __('<strong>ERROR</strong>: Your answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall'));
|
| 479 |
}
|
| 480 |
-
|
| 481 |
public function check_404_event() {
|
| 482 |
if (is_404()) {
|
| 483 |
//This means a 404 event has occurred - let's log it!
|
| 484 |
AIOWPSecurity_Utility::event_logger('404');
|
| 485 |
}
|
| 486 |
-
|
| 487 |
}
|
| 488 |
-
|
| 489 |
public function buddy_press_signup_validate_captcha() {
|
| 490 |
global $bp, $aio_wp_security;
|
| 491 |
//Check captcha if required
|
|
@@ -496,7 +500,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 496 |
}
|
| 497 |
return;
|
| 498 |
}
|
| 499 |
-
|
| 500 |
public function aiowps_validate_woo_login_or_reg_captcha($errors) {
|
| 501 |
global $aio_wp_security;
|
| 502 |
$locked = $aio_wp_security->user_login_obj->check_locked_user();
|
|
@@ -511,16 +515,16 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 511 |
$errors->add('authentication_failed', __('<strong>ERROR</strong>: Your answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall'));
|
| 512 |
}
|
| 513 |
return $errors;
|
| 514 |
-
|
| 515 |
}
|
| 516 |
-
|
| 517 |
/**
|
| 518 |
* Process the woocommerce lost password login form post
|
| 519 |
* Called by wp hook "lostpassword_post"
|
| 520 |
*/
|
| 521 |
public function process_woo_lost_password_form_post() {
|
| 522 |
global $aio_wp_security;
|
| 523 |
-
|
| 524 |
if (isset($_POST['woocommerce-lost-password-nonce'])) {
|
| 525 |
$verify_captcha = $aio_wp_security->captcha_obj->verify_captcha_submit();
|
| 526 |
if (false === $verify_captcha) {
|
|
@@ -528,7 +532,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 528 |
}
|
| 529 |
}
|
| 530 |
}
|
| 531 |
-
|
| 532 |
/**
|
| 533 |
* Reapply htaccess rule or dismiss the related notice.
|
| 534 |
*
|
|
@@ -565,7 +569,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 565 |
}
|
| 566 |
}
|
| 567 |
}
|
| 568 |
-
|
| 569 |
/**
|
| 570 |
* Displays a notice message if the entered recatcha site key is wrong.
|
| 571 |
*/
|
|
@@ -580,7 +584,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 580 |
echo '</p></div>';
|
| 581 |
}
|
| 582 |
}
|
| 583 |
-
|
| 584 |
/**
|
| 585 |
* Displays a notice message if the plugin was reactivated after being initially deactivated
|
| 586 |
* Gives users option of re-applying the aiowps rules which were deleted from the .htaccess after deactivation.
|
|
@@ -592,7 +596,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 592 |
echo '<div class="updated"><p>'.__('Would you like All In One WP Security & Firewall to re-insert the security rules in your .htaccess file which were cleared when you deactivated the plugin?', 'all-in-one-wp-security-and-firewall').' <a href="'.esc_url($reapply_htaccess_yes_url).'" class="button-primary">'.__('Yes', 'all-in-one-wp-security-and-firewall').'</a> <a href="'.esc_url($reapply_htaccess_no_url).'" class="button-primary">'.__('No', 'all-in-one-wp-security-and-firewall').'</a></p></div>';
|
| 593 |
}
|
| 594 |
}
|
| 595 |
-
|
| 596 |
/**
|
| 597 |
* This is a fix for cases when the password reset URL in the email was not decoding all html entities properly
|
| 598 |
*
|
|
@@ -603,7 +607,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 603 |
$message = html_entity_decode($message);
|
| 604 |
return $message;
|
| 605 |
}
|
| 606 |
-
|
| 607 |
public function modify_registration_page_messages($errors) {
|
| 608 |
if (isset($_GET['checkemail']) && 'registered' == $_GET['checkemail']) {
|
| 609 |
if (is_wp_error($errors)) {
|
|
@@ -615,7 +619,7 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 615 |
}
|
| 616 |
return $errors;
|
| 617 |
}
|
| 618 |
-
|
| 619 |
/**
|
| 620 |
* Re-wrote code which checks for REST API requests
|
| 621 |
* Below uses the "rest_api_init" action hook to check for REST requests.
|
|
@@ -638,16 +642,16 @@ class AIOWPSecurity_General_Init_Tasks {
|
|
| 638 |
*/
|
| 639 |
public function add_recaptcha_script() {
|
| 640 |
// Enqueue the recaptcha api url
|
| 641 |
-
|
| 642 |
// Do NOT enqueue if this is the main woocommerce account login page because for woocommerce page we "explicitly" render the recaptcha widget
|
| 643 |
$is_woo = false;
|
| 644 |
-
|
| 645 |
// We don't want to load for woo account page because we have a special function for this
|
| 646 |
if (function_exists('is_account_page')) {
|
| 647 |
// Check if this a woocommerce account page
|
| 648 |
$is_woo = is_account_page();
|
| 649 |
}
|
| 650 |
-
|
| 651 |
if (empty($is_woo)) {
|
| 652 |
//only enqueue when not a woocommerce page
|
| 653 |
wp_enqueue_script('google-recaptcha', 'https://www.google.com/recaptcha/api.js', false);
|
| 7 |
public function __construct() {
|
| 8 |
// Do init time tasks
|
| 9 |
global $aio_wp_security;
|
| 10 |
+
|
| 11 |
if ($aio_wp_security->configs->get_value('aiowps_disable_xmlrpc_pingback_methods') == '1') {
|
| 12 |
add_filter('xmlrpc_methods', array($this, 'aiowps_disable_xmlrpc_pingback_methods'));
|
| 13 |
add_filter('wp_headers', array($this, 'aiowps_remove_x_pingback_header'));
|
| 36 |
$this->reapply_htaccess_rules();
|
| 37 |
add_action('admin_notices', array($this,'reapply_htaccess_rules_notice'));
|
| 38 |
}
|
| 39 |
+
|
| 40 |
+
|
| 41 |
/**
|
| 42 |
* Send X-Frame-Options: SAMEORIGIN in HTTP header
|
| 43 |
*/
|
| 50 |
add_filter('style_loader_src', array($this,'remove_wp_css_js_meta_info'));
|
| 51 |
add_filter('script_loader_src', array($this,'remove_wp_css_js_meta_info'));
|
| 52 |
}
|
| 53 |
+
|
| 54 |
// For the cookie based brute force prevention feature
|
| 55 |
if ($aio_wp_security->configs->get_value('aiowps_enable_brute_force_attack_prevention') == 1) {
|
| 56 |
$bfcf_secret_word = $aio_wp_security->configs->get_value('aiowps_brute_force_secret_word');
|
| 60 |
AIOWPSecurity_Utility::redirect_to_url(AIOWPSEC_WP_URL."/wp-admin");
|
| 61 |
}
|
| 62 |
}
|
| 63 |
+
|
| 64 |
// Stop users enumeration feature
|
| 65 |
if ($aio_wp_security->configs->get_value('aiowps_prevent_users_enumeration') == 1) {
|
| 66 |
include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-stop-users-enumeration.php');
|
| 67 |
}
|
| 68 |
+
|
| 69 |
// REST API security
|
| 70 |
if ($aio_wp_security->configs->get_value('aiowps_disallow_unauthorized_rest_requests') == 1) {
|
| 71 |
add_action('rest_api_init', array($this, 'check_rest_api_requests'), 10, 1);
|
| 72 |
}
|
| 73 |
+
|
| 74 |
// For user unlock request feature
|
| 75 |
if (isset($_POST['aiowps_unlock_request']) || isset($_POST['aiowps_wp_submit_unlock_request'])) {
|
| 76 |
nocache_headers();
|
| 78 |
include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-unlock-request.php');
|
| 79 |
exit();
|
| 80 |
}
|
| 81 |
+
|
| 82 |
if (isset($_GET['aiowps_auth_key'])) {
|
| 83 |
//If URL contains unlock key in query param then process the request
|
| 84 |
$unlock_key = sanitize_text_field($_GET['aiowps_auth_key']);
|
| 94 |
AIOWPSecurity_Utility::redirect_to_url('http://127.0.0.1');
|
| 95 |
}
|
| 96 |
}
|
| 97 |
+
|
| 98 |
// For 404 IP lockout feature
|
| 99 |
if ($aio_wp_security->configs->get_value('aiowps_enable_404_IP_lockout') == '1') {
|
| 100 |
if (!is_user_logged_in() || !current_user_can('administrator')) {
|
| 124 |
if (!is_user_logged_in()) {
|
| 125 |
add_action('woocommerce_register_form', array($this, 'insert_captcha_question_form'));
|
| 126 |
}
|
| 127 |
+
|
| 128 |
if (isset($_POST['woocommerce-register-nonce'])) {
|
| 129 |
add_filter('woocommerce_process_registration_errors', array($this, 'aiowps_validate_woo_login_or_reg_captcha'), 10, 3);
|
| 130 |
}
|
| 131 |
}
|
| 132 |
+
|
| 133 |
if ($aio_wp_security->configs->get_value('aiowps_enable_woo_lostpassword_captcha') == '1') {
|
| 134 |
if (!is_user_logged_in()) {
|
| 135 |
add_action('woocommerce_lostpassword_form', array($this, 'insert_captcha_question_form'));
|
| 145 |
add_action('bbp_theme_before_topic_form_submit_wrapper', array($this, 'insert_captcha_question_form'));
|
| 146 |
}
|
| 147 |
}
|
| 148 |
+
|
| 149 |
// For custom login form captcha feature, ie, when wp_login_form() function is used to generate login form
|
| 150 |
if ($aio_wp_security->configs->get_value('aiowps_enable_custom_login_captcha') == '1') {
|
| 151 |
if (!is_user_logged_in()) {
|
| 166 |
add_action('register_form', array($this, 'insert_honeypot_hidden_field'));
|
| 167 |
}
|
| 168 |
}
|
| 169 |
+
|
| 170 |
// For lost password captcha feature
|
| 171 |
if ($aio_wp_security->configs->get_value('aiowps_enable_lost_password_captcha') == '1') {
|
| 172 |
if (!is_user_logged_in()) {
|
| 179 |
if ($aio_wp_security->configs->get_value('aiowps_enable_manual_registration_approval') == '1') {
|
| 180 |
add_filter('wp_login_errors', array($this, 'modify_registration_page_messages'), 10, 2);
|
| 181 |
}
|
| 182 |
+
|
| 183 |
// For registration page captcha feature
|
| 184 |
if (AIOWPSecurity_Utility::is_multisite_install()) {
|
| 185 |
$blog_id = get_current_blog_id();
|
| 227 |
}
|
| 228 |
}
|
| 229 |
}
|
| 230 |
+
|
| 231 |
// For buddypress registration captcha feature
|
| 232 |
if ($aio_wp_security->configs->get_value('aiowps_enable_bp_register_captcha') == '1') {
|
| 233 |
add_action('bp_account_details_fields', array($this, 'insert_captcha_question_form'));
|
| 234 |
add_action('bp_signup_validate', array($this, 'buddy_press_signup_validate_captcha'));
|
| 235 |
}
|
| 236 |
+
|
| 237 |
+
|
| 238 |
// For feature which displays logged in users
|
| 239 |
$aio_wp_security->user_login_obj->update_users_online_transient();
|
| 240 |
+
|
| 241 |
// For block fake googlebots feature
|
| 242 |
if ($aio_wp_security->configs->get_value('aiowps_block_fake_googlebots') == '1') {
|
| 243 |
include_once(AIO_WP_SECURITY_PATH.'/classes/wp-security-bot-protection.php');
|
| 244 |
AIOWPSecurity_Fake_Bot_Protection::block_fake_googlebots();
|
| 245 |
}
|
| 246 |
+
|
| 247 |
// For 404 event logging
|
| 248 |
if ($aio_wp_security->configs->get_value('aiowps_enable_404_logging') == '1') {
|
| 249 |
add_action('wp_head', array($this, 'check_404_event'));
|
| 250 |
}
|
| 251 |
|
| 252 |
// Add more tasks that need to be executed at init time
|
| 253 |
+
|
| 254 |
} // end _construct()
|
| 255 |
+
|
| 256 |
public function aiowps_disable_xmlrpc_pingback_methods($methods) {
|
| 257 |
unset($methods['pingback.ping']);
|
| 258 |
unset($methods['pingback.extensions.getPingbacks']);
|
| 259 |
return $methods;
|
| 260 |
}
|
| 261 |
+
|
| 262 |
public function aiowps_remove_x_pingback_header($headers) {
|
| 263 |
unset($headers['X-Pingback']);
|
| 264 |
return $headers;
|
| 342 |
public function do_404_lockout_tasks() {
|
| 343 |
global $aio_wp_security;
|
| 344 |
$redirect_url = $aio_wp_security->configs->get_value('aiowps_404_lock_redirect_url'); //This is the redirect URL for blocked users
|
| 345 |
+
|
| 346 |
$visitor_ip = AIOWPSecurity_Utility_IP::get_user_ip_address();
|
| 347 |
+
|
| 348 |
$is_locked = AIOWPSecurity_Utility::check_locked_ip($visitor_ip);
|
| 349 |
+
|
| 350 |
if ($is_locked) {
|
| 351 |
//redirect blocked user to configured URL
|
| 352 |
AIOWPSecurity_Utility::redirect_to_url($redirect_url);
|
| 364 |
*/
|
| 365 |
public function insert_captcha_custom_login($cust_html_code) {
|
| 366 |
global $aio_wp_security;
|
| 367 |
+
if ($aio_wp_security->is_login_lockdown_by_const()) {
|
| 368 |
+
return '';
|
| 369 |
+
}
|
| 370 |
+
|
| 371 |
if ($aio_wp_security->configs->get_value('aiowps_default_recaptcha')) {
|
| 372 |
$site_key = esc_html($aio_wp_security->configs->get_value('aiowps_recaptcha_site_key'));
|
| 373 |
$cap_form = '<div class="g-recaptcha-wrap" style="padding:10px 0 10px 0"><div class="g-recaptcha" data-sitekey="'.$site_key.'"></div></div>';
|
| 383 |
return $cust_html_code;
|
| 384 |
}
|
| 385 |
}
|
| 386 |
+
|
| 387 |
public function insert_captcha_question_form_multi() {
|
| 388 |
global $aio_wp_security;
|
| 389 |
$aio_wp_security->captcha_obj->display_captcha_form();
|
| 390 |
}
|
| 391 |
+
|
| 392 |
public function process_signup_form_multi($result) {
|
| 393 |
global $aio_wp_security;
|
| 394 |
//Check if captcha enabled
|
| 399 |
}
|
| 400 |
return $result;
|
| 401 |
}
|
| 402 |
+
|
| 403 |
public function insert_captcha_question_form() {
|
| 404 |
global $aio_wp_security;
|
| 405 |
+
|
| 406 |
if ($aio_wp_security->configs->get_value('aiowps_default_recaptcha')) {
|
| 407 |
+
|
| 408 |
// Woocommerce "my account" page needs special consideration, ie,
|
| 409 |
// need to display two Google reCaptcha forms on same page (for login and register forms)
|
| 410 |
// For this case we use the "explicit" recaptcha display
|
| 419 |
echo '<div class="g-recaptcha-wrap" style="padding:10px 0 10px 0"><div id="woo_recaptcha_2" class="g-recaptcha" data-sitekey="'.$site_key.'"></div></div>';
|
| 420 |
return;
|
| 421 |
}
|
| 422 |
+
|
| 423 |
// For all other forms simply display google recaptcha as per normal
|
| 424 |
$aio_wp_security->captcha_obj->display_recaptcha_form();
|
| 425 |
} else {
|
| 426 |
// display plain maths captcha form
|
| 427 |
$aio_wp_security->captcha_obj->display_captcha_form();
|
| 428 |
}
|
| 429 |
+
|
| 430 |
}
|
| 431 |
|
| 432 |
public function insert_honeypot_hidden_field() {
|
| 434 |
$honey_input .= '<input name="aio_special_field" type="text" id="aio_special_field" class="aio_special_field" value="" /></p>';
|
| 435 |
echo $honey_input;
|
| 436 |
}
|
| 437 |
+
|
| 438 |
public function process_comment_post($comment) {
|
| 439 |
global $aio_wp_security;
|
| 440 |
if (is_user_logged_in()) {
|
| 450 |
if ('' != $comment['comment_type'] && 'comment' != $comment['comment_type'] && 'review' != $comment['comment_type']) {
|
| 451 |
return $comment;
|
| 452 |
}
|
| 453 |
+
|
| 454 |
$verify_captcha = $aio_wp_security->captcha_obj->verify_captcha_submit();
|
| 455 |
if (false === $verify_captcha) {
|
| 456 |
//Wrong answer
|
| 459 |
return($comment);
|
| 460 |
}
|
| 461 |
}
|
| 462 |
+
|
| 463 |
/**
|
| 464 |
* Process the main Wordpress account lost password login form post
|
| 465 |
* Called by wp hook "lostpassword_post"
|
| 466 |
*/
|
| 467 |
public function process_lost_password_form_post() {
|
| 468 |
global $aio_wp_security;
|
| 469 |
+
|
| 470 |
// Workaround - the woocommerce lost password form also uses the same "lostpassword_post" hook.
|
| 471 |
// We don't want to process woo forms here so ignore if this is a woo lost password $_POST
|
| 472 |
if (!array_key_exists('woocommerce-lost-password-nonce', $_POST)) {
|
| 476 |
}
|
| 477 |
}
|
| 478 |
}
|
| 479 |
+
|
| 480 |
public function add_lostpassword_captcha_error_msg() {
|
| 481 |
//Insert an error just before the password reset process kicks in
|
| 482 |
return new WP_Error('aiowps_captcha_error', __('<strong>ERROR</strong>: Your answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall'));
|
| 483 |
}
|
| 484 |
+
|
| 485 |
public function check_404_event() {
|
| 486 |
if (is_404()) {
|
| 487 |
//This means a 404 event has occurred - let's log it!
|
| 488 |
AIOWPSecurity_Utility::event_logger('404');
|
| 489 |
}
|
| 490 |
+
|
| 491 |
}
|
| 492 |
+
|
| 493 |
public function buddy_press_signup_validate_captcha() {
|
| 494 |
global $bp, $aio_wp_security;
|
| 495 |
//Check captcha if required
|
| 500 |
}
|
| 501 |
return;
|
| 502 |
}
|
| 503 |
+
|
| 504 |
public function aiowps_validate_woo_login_or_reg_captcha($errors) {
|
| 505 |
global $aio_wp_security;
|
| 506 |
$locked = $aio_wp_security->user_login_obj->check_locked_user();
|
| 515 |
$errors->add('authentication_failed', __('<strong>ERROR</strong>: Your answer was incorrect - please try again.', 'all-in-one-wp-security-and-firewall'));
|
| 516 |
}
|
| 517 |
return $errors;
|
| 518 |
+
|
| 519 |
}
|
| 520 |
+
|
| 521 |
/**
|
| 522 |
* Process the woocommerce lost password login form post
|
| 523 |
* Called by wp hook "lostpassword_post"
|
| 524 |
*/
|
| 525 |
public function process_woo_lost_password_form_post() {
|
| 526 |
global $aio_wp_security;
|
| 527 |
+
|
| 528 |
if (isset($_POST['woocommerce-lost-password-nonce'])) {
|
| 529 |
$verify_captcha = $aio_wp_security->captcha_obj->verify_captcha_submit();
|
| 530 |
if (false === $verify_captcha) {
|
| 532 |
}
|
| 533 |
}
|
| 534 |
}
|
| 535 |
+
|
| 536 |
/**
|
| 537 |
* Reapply htaccess rule or dismiss the related notice.
|
| 538 |
*
|
| 569 |
}
|
| 570 |
}
|
| 571 |
}
|
| 572 |
+
|
| 573 |
/**
|
| 574 |
* Displays a notice message if the entered recatcha site key is wrong.
|
| 575 |
*/
|
| 584 |
echo '</p></div>';
|
| 585 |
}
|
| 586 |
}
|
| 587 |
+
|
| 588 |
/**
|
| 589 |
* Displays a notice message if the plugin was reactivated after being initially deactivated
|
| 590 |
* Gives users option of re-applying the aiowps rules which were deleted from the .htaccess after deactivation.
|
| 596 |
echo '<div class="updated"><p>'.__('Would you like All In One WP Security & Firewall to re-insert the security rules in your .htaccess file which were cleared when you deactivated the plugin?', 'all-in-one-wp-security-and-firewall').' <a href="'.esc_url($reapply_htaccess_yes_url).'" class="button-primary">'.__('Yes', 'all-in-one-wp-security-and-firewall').'</a> <a href="'.esc_url($reapply_htaccess_no_url).'" class="button-primary">'.__('No', 'all-in-one-wp-security-and-firewall').'</a></p></div>';
|
| 597 |
}
|
| 598 |
}
|
| 599 |
+
|
| 600 |
/**
|
| 601 |
* This is a fix for cases when the password reset URL in the email was not decoding all html entities properly
|
| 602 |
*
|
| 607 |
$message = html_entity_decode($message);
|
| 608 |
return $message;
|
| 609 |
}
|
| 610 |
+
|
| 611 |
public function modify_registration_page_messages($errors) {
|
| 612 |
if (isset($_GET['checkemail']) && 'registered' == $_GET['checkemail']) {
|
| 613 |
if (is_wp_error($errors)) {
|
| 619 |
}
|
| 620 |
return $errors;
|
| 621 |
}
|
| 622 |
+
|
| 623 |
/**
|
| 624 |
* Re-wrote code which checks for REST API requests
|
| 625 |
* Below uses the "rest_api_init" action hook to check for REST requests.
|
| 642 |
*/
|
| 643 |
public function add_recaptcha_script() {
|
| 644 |
// Enqueue the recaptcha api url
|
| 645 |
+
|
| 646 |
// Do NOT enqueue if this is the main woocommerce account login page because for woocommerce page we "explicitly" render the recaptcha widget
|
| 647 |
$is_woo = false;
|
| 648 |
+
|
| 649 |
// We don't want to load for woo account page because we have a special function for this
|
| 650 |
if (function_exists('is_account_page')) {
|
| 651 |
// Check if this a woocommerce account page
|
| 652 |
$is_woo = is_account_page();
|
| 653 |
}
|
| 654 |
+
|
| 655 |
if (empty($is_woo)) {
|
| 656 |
//only enqueue when not a woocommerce page
|
| 657 |
wp_enqueue_script('google-recaptcha', 'https://www.google.com/recaptcha/api.js', false);
|
classes/wp-security-notices.php
CHANGED
|
@@ -31,6 +31,28 @@ class AIOWPSecurity_Notices extends Updraft_Notices {
|
|
| 31 |
'supported_positions' => $this->dashboard_top,
|
| 32 |
'validity_function' => 'show_rate_notice'
|
| 33 |
),
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 34 |
);
|
| 35 |
|
| 36 |
return array_merge($parent_notice_content, $child_notice_content);
|
| 31 |
'supported_positions' => $this->dashboard_top,
|
| 32 |
'validity_function' => 'show_rate_notice'
|
| 33 |
),
|
| 34 |
+
'updraftplus' => array(
|
| 35 |
+
'prefix' => '',
|
| 36 |
+
'title' => __('Enhance your security even more by backing up your site', 'all-in-one-wp-security-and-firewall'),
|
| 37 |
+
'text' => __("UpdraftPlus is the world's most trusted backup plugin from the owners of All In One WP Security & Firewall", 'all-in-one-wp-security-and-firewall'),
|
| 38 |
+
'image' => 'notices/updraft_logo.png',
|
| 39 |
+
'button_link' => 'https://wordpress.org/plugins/updraftplus/',
|
| 40 |
+
'button_meta' => 'updraftplus',
|
| 41 |
+
'dismiss_time' => 'dismiss_page_notice_until',
|
| 42 |
+
'supported_positions' => $this->dashboard_top_or_report,
|
| 43 |
+
'validity_function' => 'updraftplus_not_installed',
|
| 44 |
+
),
|
| 45 |
+
'wp-optimize' => array(
|
| 46 |
+
'prefix' => '',
|
| 47 |
+
'title' => 'WP-Optimize',
|
| 48 |
+
'text' => __("After you've secured your site, we recommend you install our WP-Optimize plugin to streamline it for better website performance.", "all-in-one-wp-security-and-firewall"),
|
| 49 |
+
'image' => 'notices/wp_optimize_logo.png',
|
| 50 |
+
'button_link' => 'https://wordpress.org/plugins/wp-optimize/',
|
| 51 |
+
'button_meta' => 'wp-optimize',
|
| 52 |
+
'dismiss_time' => 'dismiss_notice',
|
| 53 |
+
'supported_positions' => $this->anywhere,
|
| 54 |
+
'validity_function' => 'wp_optimize_not_installed',
|
| 55 |
+
),
|
| 56 |
);
|
| 57 |
|
| 58 |
return array_merge($parent_notice_content, $child_notice_content);
|
classes/wp-security-user-login.php
CHANGED
|
@@ -4,7 +4,7 @@ if (!defined('ABSPATH')) {
|
|
| 4 |
}
|
| 5 |
|
| 6 |
class AIOWPSecurity_User_Login {
|
| 7 |
-
|
| 8 |
public $key_login_msg;// This will store a URI query string key for passing messages to the login form
|
| 9 |
|
| 10 |
public function __construct() {
|
|
@@ -23,7 +23,54 @@ class AIOWPSecurity_User_Login {
|
|
| 23 |
add_action('aiowps_force_logout_check', array($this, 'aiowps_force_logout_action_handler'));
|
| 24 |
add_action('clear_auth_cookie', array($this, 'wp_logout_action_handler'));
|
| 25 |
add_filter('login_message', array($this, 'aiowps_login_message')); //WP filter to add or modify messages on the login page
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 26 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 27 |
/**
|
| 28 |
* Terminate the execution via wp_die with 503 status code, if current
|
| 29 |
* user's IP is currently locked.
|
|
@@ -34,6 +81,12 @@ class AIOWPSecurity_User_Login {
|
|
| 34 |
*/
|
| 35 |
public function block_ip_if_locked($user) {
|
| 36 |
global $aio_wp_security;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 37 |
$user_locked = $this->check_locked_user();
|
| 38 |
if (null != $user_locked) {
|
| 39 |
$aio_wp_security->debug_logger->log_debug("Login attempt from blocked IP range - ".$user_locked['failed_login_ip'], 2);
|
|
@@ -61,7 +114,7 @@ class AIOWPSecurity_User_Login {
|
|
| 61 |
*/
|
| 62 |
public function check_captcha($user) {
|
| 63 |
global $aio_wp_security;
|
| 64 |
-
if (is_wp_error($user)) {
|
| 65 |
// Authentication has failed already at some earlier step.
|
| 66 |
return $user;
|
| 67 |
}
|
| 4 |
}
|
| 5 |
|
| 6 |
class AIOWPSecurity_User_Login {
|
| 7 |
+
|
| 8 |
public $key_login_msg;// This will store a URI query string key for passing messages to the login form
|
| 9 |
|
| 10 |
public function __construct() {
|
| 23 |
add_action('aiowps_force_logout_check', array($this, 'aiowps_force_logout_action_handler'));
|
| 24 |
add_action('clear_auth_cookie', array($this, 'wp_logout_action_handler'));
|
| 25 |
add_filter('login_message', array($this, 'aiowps_login_message')); //WP filter to add or modify messages on the login page
|
| 26 |
+
|
| 27 |
+
// Display disable lockdown message
|
| 28 |
+
if (is_admin() && current_user_can(AIOWPSEC_MANAGEMENT_PERMISSION) && $aio_wp_security->is_login_lockdown_by_const() && $this->is_admin_page_to_display_disable_login_lockdown_by_const_notice()) {
|
| 29 |
+
add_action('all_admin_notices', array($this, 'disable_login_lockdown_by_const_notice'));
|
| 30 |
+
}
|
| 31 |
+
}
|
| 32 |
+
|
| 33 |
+
/**
|
| 34 |
+
* Check whether the admin page is to display disable login lockdown by const notice.
|
| 35 |
+
*
|
| 36 |
+
* @return boolean True if the notice will be displayed, Otherwise false.
|
| 37 |
+
*/
|
| 38 |
+
private function is_admin_page_to_display_disable_login_lockdown_by_const_notice() {
|
| 39 |
+
global $pagenow;
|
| 40 |
+
if (in_array($pagenow, array('index.php', 'plugins.php'))) {
|
| 41 |
+
return true;
|
| 42 |
+
} elseif (('admin.php' == $pagenow && isset($_GET['page']) && false !== strpos($_GET['page'], AIOWPSEC_MENU_SLUG_PREFIX)) && !$this->is_locked_ip_addresses_tab_admin_page()) {
|
| 43 |
+
return true;
|
| 44 |
+
}
|
| 45 |
+
return false;
|
| 46 |
}
|
| 47 |
+
|
| 48 |
+
/**
|
| 49 |
+
* Check whether the admin page is Locked IP Addresses Tab page.
|
| 50 |
+
*
|
| 51 |
+
* @return boolean True if is Locked IP Addresses Tab page, Otherwise false.
|
| 52 |
+
*/
|
| 53 |
+
private function is_locked_ip_addresses_tab_admin_page() {
|
| 54 |
+
global $pagenow;
|
| 55 |
+
return ('admin.php' == $pagenow && isset($_GET['page']) && 'aiowpsec' == $_GET['page'] && isset($_GET['tab']) && 'tab3' == $_GET['tab']);
|
| 56 |
+
}
|
| 57 |
+
|
| 58 |
+
/**
|
| 59 |
+
* Display admin to disable lockdown message
|
| 60 |
+
*/
|
| 61 |
+
public function disable_login_lockdown_by_const_notice() {
|
| 62 |
+
|
| 63 |
+
echo '<div class="notice notice-error">
|
| 64 |
+
<p>'.
|
| 65 |
+
__('You have disabled login lockdown by defining the AIOWPS_DISABLE_LOGIN_LOCKDOWN constant value as true, and the login lockdown setting has enabled it.', 'all-in-one-wp-security-and-firewall') . ' ' .
|
| 66 |
+
/* translators: 1: Locked IP Addresses admin page link */
|
| 67 |
+
sprintf(__('Delete your login lockdown IP from %s and define the AIOWPS_DISABLE_LOGIN_LOCKDOWN constant value as false.', 'all-in-one-wp-security-and-firewall'),
|
| 68 |
+
'<a href="'.admin_url('admin.php?page=aiowpsec&tab=tab3').'">' . __('Locked IP Addresses', 'all-in-one-wp-security-and-firewall') . '</a>'
|
| 69 |
+
).
|
| 70 |
+
'</p>
|
| 71 |
+
</div>';
|
| 72 |
+
}
|
| 73 |
+
|
| 74 |
/**
|
| 75 |
* Terminate the execution via wp_die with 503 status code, if current
|
| 76 |
* user's IP is currently locked.
|
| 81 |
*/
|
| 82 |
public function block_ip_if_locked($user) {
|
| 83 |
global $aio_wp_security;
|
| 84 |
+
|
| 85 |
+
// Allow users to login when disable AIOWPS_DISABLE_LOCK_DOWN defined true
|
| 86 |
+
if ($aio_wp_security->is_login_lockdown_by_const()) {
|
| 87 |
+
return $user;
|
| 88 |
+
}
|
| 89 |
+
|
| 90 |
$user_locked = $this->check_locked_user();
|
| 91 |
if (null != $user_locked) {
|
| 92 |
$aio_wp_security->debug_logger->log_debug("Login attempt from blocked IP range - ".$user_locked['failed_login_ip'], 2);
|
| 114 |
*/
|
| 115 |
public function check_captcha($user) {
|
| 116 |
global $aio_wp_security;
|
| 117 |
+
if (is_wp_error($user) || $aio_wp_security->is_login_lockdown_by_const()) {
|
| 118 |
// Authentication has failed already at some earlier step.
|
| 119 |
return $user;
|
| 120 |
}
|
classes/wp-security-utility-file.php
CHANGED
|
@@ -23,10 +23,10 @@ class AIOWPSecurity_Utility_File {
|
|
| 23 |
array('name' => '.htaccess', 'path' => $home_path.".htaccess", 'permissions' => '0644'),
|
| 24 |
array('name' => 'wp-admin/index.php', 'path' => ABSPATH."wp-admin/index.php", 'permissions' => '0644'),
|
| 25 |
array('name' => 'wp-admin/js/', 'path' => ABSPATH."wp-admin/js/", 'permissions' => '0755'),
|
| 26 |
-
array('name' => 'wp-content/themes/', 'path' =>
|
| 27 |
-
array('name' => 'wp-content/plugins/', 'path' =>
|
| 28 |
array('name' => 'wp-admin/', 'path' => ABSPATH."wp-admin", 'permissions' => '0755'),
|
| 29 |
-
array('name' => 'wp-content/', 'path' =>
|
| 30 |
array('name' => 'wp-config.php', 'path' => $wp_config_path, 'permissions' => '0640'),
|
| 31 |
//Add as many files or dirs as needed by following the convention above
|
| 32 |
);
|
| 23 |
array('name' => '.htaccess', 'path' => $home_path.".htaccess", 'permissions' => '0644'),
|
| 24 |
array('name' => 'wp-admin/index.php', 'path' => ABSPATH."wp-admin/index.php", 'permissions' => '0644'),
|
| 25 |
array('name' => 'wp-admin/js/', 'path' => ABSPATH."wp-admin/js/", 'permissions' => '0755'),
|
| 26 |
+
array('name' => 'wp-content/themes/', 'path' => WP_CONTENT_DIR."/themes", 'permissions' => '0755'),
|
| 27 |
+
array('name' => 'wp-content/plugins/', 'path' => WP_PLUGIN_DIR, 'permissions' => '0755'),
|
| 28 |
array('name' => 'wp-admin/', 'path' => ABSPATH."wp-admin", 'permissions' => '0755'),
|
| 29 |
+
array('name' => 'wp-content/', 'path' => WP_CONTENT_DIR, 'permissions' => '0755'),
|
| 30 |
array('name' => 'wp-config.php', 'path' => $wp_config_path, 'permissions' => '0640'),
|
| 31 |
//Add as many files or dirs as needed by following the convention above
|
| 32 |
);
|
classes/wp-security-utility-ip-address.php
CHANGED
|
@@ -7,19 +7,60 @@ class AIOWPSecurity_Utility_IP {
|
|
| 7 |
public function __construct() {
|
| 8 |
//NOP
|
| 9 |
}
|
| 10 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
public static function get_user_ip_address() {
|
|
|
|
| 12 |
if (isset($_SERVER['HTTP_X_REAL_IP'])) {
|
| 13 |
-
|
| 14 |
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
|
| 15 |
// Proxy servers can send through this header like this: X-Forwarded-For: client1, proxy1, proxy2
|
| 16 |
// Make sure we always only send through the first IP in the list which should always be the client IP.
|
| 17 |
-
|
| 18 |
} elseif (isset($_SERVER['REMOTE_ADDR'])) {
|
| 19 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 20 |
}
|
| 21 |
|
| 22 |
-
return
|
| 23 |
}
|
| 24 |
|
| 25 |
/**
|
| 7 |
public function __construct() {
|
| 8 |
//NOP
|
| 9 |
}
|
| 10 |
+
|
| 11 |
+
/**
|
| 12 |
+
* Get user IP Address.
|
| 13 |
+
*
|
| 14 |
+
* @return string User IP Address.
|
| 15 |
+
*/
|
| 16 |
public static function get_user_ip_address() {
|
| 17 |
+
$user_ip = '';
|
| 18 |
if (isset($_SERVER['HTTP_X_REAL_IP'])) {
|
| 19 |
+
$user_ip = sanitize_text_field(wp_unslash($_SERVER['HTTP_X_REAL_IP']));
|
| 20 |
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
|
| 21 |
// Proxy servers can send through this header like this: X-Forwarded-For: client1, proxy1, proxy2
|
| 22 |
// Make sure we always only send through the first IP in the list which should always be the client IP.
|
| 23 |
+
$user_ip = (string) rest_is_ip_address(trim(current(preg_split('/,/', sanitize_text_field(wp_unslash($_SERVER['HTTP_X_FORWARDED_FOR']))))));
|
| 24 |
} elseif (isset($_SERVER['REMOTE_ADDR'])) {
|
| 25 |
+
$user_ip = sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR']));
|
| 26 |
+
}
|
| 27 |
+
|
| 28 |
+
if (in_array($user_ip, array('', '127.0.0.1', '::1'))) {
|
| 29 |
+
$user_ip = self::get_external_ip_address();
|
| 30 |
+
}
|
| 31 |
+
|
| 32 |
+
return $user_ip;
|
| 33 |
+
}
|
| 34 |
+
|
| 35 |
+
/**
|
| 36 |
+
* Get user IP Address using an external service.
|
| 37 |
+
* This can be used as a fallback for users on localhost where
|
| 38 |
+
* get_ip_address() will be a local IP and non-geolocatable.
|
| 39 |
+
*
|
| 40 |
+
* @return string external ip address.
|
| 41 |
+
*/
|
| 42 |
+
public static function get_external_ip_address() {
|
| 43 |
+
$external_ip_address = '0.0.0.0';
|
| 44 |
+
$ip_lookup_services = array(
|
| 45 |
+
'ipify' => 'http://api.ipify.org/',
|
| 46 |
+
'ipecho' => 'http://ipecho.net/plain',
|
| 47 |
+
'ident' => 'http://ident.me',
|
| 48 |
+
'whatismyipaddress' => 'http://bot.whatismyipaddress.com',
|
| 49 |
+
);
|
| 50 |
+
$ip_lookup_services_keys = array_keys($ip_lookup_services);
|
| 51 |
+
shuffle($ip_lookup_services_keys);
|
| 52 |
+
|
| 53 |
+
foreach ($ip_lookup_services_keys as $service_name) {
|
| 54 |
+
$service_endpoint = $ip_lookup_services[$service_name];
|
| 55 |
+
$response = wp_safe_remote_get($service_endpoint, array( 'timeout' => 2 ));
|
| 56 |
+
|
| 57 |
+
if (!is_wp_error($response) && rest_is_ip_address($response['body'])) {
|
| 58 |
+
$external_ip_address = sanitize_text_field($response['body']);
|
| 59 |
+
break;
|
| 60 |
+
}
|
| 61 |
}
|
| 62 |
|
| 63 |
+
return $external_ip_address;
|
| 64 |
}
|
| 65 |
|
| 66 |
/**
|
classes/wp-security-utility.php
CHANGED
|
@@ -382,7 +382,7 @@ class AIOWPSecurity_Utility {
|
|
| 382 |
'event_data' => '',
|
| 383 |
);
|
| 384 |
|
| 385 |
-
$data = apply_filters('
|
| 386 |
//log to database
|
| 387 |
$result = $wpdb->insert($events_table_name, $data);
|
| 388 |
if (false === $result) {
|
| 382 |
'event_data' => '',
|
| 383 |
);
|
| 384 |
|
| 385 |
+
$data = apply_filters('aiowps_filter_event_logger_data', $data);
|
| 386 |
//log to database
|
| 387 |
$result = $wpdb->insert($events_table_name, $data);
|
| 388 |
if (false === $result) {
|
classes/wp-security-wp-footer-content.php
CHANGED
|
@@ -39,15 +39,16 @@ class AIOWPSecurity_WP_Footer_Content {
|
|
| 39 |
/**
|
| 40 |
* For Woocommerce my account page - display two separate Google reCaptcha forms "explicitly"
|
| 41 |
*
|
| 42 |
-
* @global
|
| 43 |
*/
|
| 44 |
public function print_recaptcha_api_woo() {
|
| 45 |
global $aio_wp_security;
|
| 46 |
-
|
| 47 |
-
|
| 48 |
-
if (
|
| 49 |
return; // if current page is not woo account page don't do anything
|
| 50 |
}
|
|
|
|
| 51 |
$site_key = esc_html($aio_wp_security->configs->get_value('aiowps_recaptcha_site_key'));
|
| 52 |
?>
|
| 53 |
<script type="text/javascript">
|
| 39 |
/**
|
| 40 |
* For Woocommerce my account page - display two separate Google reCaptcha forms "explicitly"
|
| 41 |
*
|
| 42 |
+
* @global $aio_wp_security
|
| 43 |
*/
|
| 44 |
public function print_recaptcha_api_woo() {
|
| 45 |
global $aio_wp_security;
|
| 46 |
+
|
| 47 |
+
// We don't want to load for woo account page because we have a special function for this
|
| 48 |
+
if (function_exists('is_account_page') && !is_account_page()) {
|
| 49 |
return; // if current page is not woo account page don't do anything
|
| 50 |
}
|
| 51 |
+
|
| 52 |
$site_key = esc_html($aio_wp_security->configs->get_value('aiowps_recaptcha_site_key'));
|
| 53 |
?>
|
| 54 |
<script type="text/javascript">
|
js/wp-security-admin-script.js
CHANGED
|
@@ -54,4 +54,11 @@ jQuery(document).ready(function($){
|
|
| 54 |
if (!results[2]) return '';
|
| 55 |
return decodeURIComponent(results[2].replace(/\+/g, " "));
|
| 56 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 57 |
});
|
| 54 |
if (!results[2]) return '';
|
| 55 |
return decodeURIComponent(results[2].replace(/\+/g, " "));
|
| 56 |
}
|
| 57 |
+
|
| 58 |
+
// Start of brute force attack prevention toggle handling
|
| 59 |
+
jQuery('input[name=aiowps_enable_brute_force_attack_prevention]').on('click', function() {
|
| 60 |
+
jQuery('input[name=aiowps_brute_force_secret_word]').prop('disabled', !jQuery(this).prop('checked'));
|
| 61 |
+
jQuery('input[name=aiowps_cookie_based_brute_force_redirect_url]').prop('disabled', !jQuery(this).prop('checked'));
|
| 62 |
+
});
|
| 63 |
+
// End of brute force attack prevention toggle handling
|
| 64 |
});
|
readme.txt
CHANGED
|
@@ -1,12 +1,12 @@
|
|
| 1 |
=== All In One WP Security & Firewall ===
|
| 2 |
-
Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin, mbrsolution
|
| 3 |
-
Donate link: https://
|
| 4 |
Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe,
|
| 5 |
Requires PHP: 5.6
|
| 6 |
Requires at least: 5.0
|
| 7 |
-
Tested up to:
|
| 8 |
-
Stable tag: 4.4.
|
| 9 |
-
License: GPLv3
|
| 10 |
|
| 11 |
A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
|
| 12 |
|
|
@@ -33,8 +33,6 @@ Our security and firewall rules are categorized into "basic", "intermediate" and
|
|
| 33 |
|
| 34 |
The All In One WordPress Security plugin doesn't slow down your site and it is 100% free.
|
| 35 |
|
| 36 |
-
Visit the [WordPress Security Plugin](https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin) page for more details.
|
| 37 |
-
|
| 38 |
Below is a list of the security and firewall features offered in this plugin:
|
| 39 |
|
| 40 |
= User Accounts Security =
|
|
@@ -139,7 +137,6 @@ or malicious bots who do not have a special cookie in their browser. You (the si
|
|
| 139 |
|
| 140 |
= Developers =
|
| 141 |
* If you are a developer and you need some extra hooks or filters for this plugin then let us know.
|
| 142 |
-
* Github repository - https://github.com/Arsenal21/all-in-one-wordpress-security
|
| 143 |
|
| 144 |
= Translations =
|
| 145 |
* All In One WP Security plugin can be translated to any language.
|
|
@@ -185,6 +182,18 @@ None
|
|
| 185 |
|
| 186 |
== Changelog ==
|
| 187 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 188 |
= 4.4.11 - 29/March/2022 =
|
| 189 |
|
| 190 |
* FEATURE: Reset all settings by clicking on the "Reset Settings" button on the Settings Page.
|
|
@@ -197,6 +206,8 @@ None
|
|
| 197 |
* FIX: The login lockdown unlock request was not working in a few specific server environments.
|
| 198 |
* FIX: The warning headers already sent was displayed in a few specific server environments.
|
| 199 |
* FIX: Handle invalid tabs appropriately in setting pages.
|
|
|
|
|
|
|
| 200 |
* TWEAK: Add review notice.
|
| 201 |
* TWEAK: Improve functionality of fake google bot prevents to access the site.
|
| 202 |
* TWEAK: Remove IP address retrieval setting and detect IP address automatically.
|
|
@@ -209,7 +220,7 @@ None
|
|
| 209 |
* TWEAK: Add more specific instructions to change the Display name compared to the username in Admin Dashboard > WP Security > User Accounts > "Display Name" tab > "Modify Accounts With Identical Login Name & Display Name" section.
|
| 210 |
* TWEAK: Remove Admin Dashboard > WP Security > Site Info tab (now redundant because of WP's "Site Health" tool)
|
| 211 |
* TWEAK: The "Allow Login Lockout Request" checkbox is ticked by default.
|
| 212 |
-
|
| 213 |
|
| 214 |
= 4.4.10 - 21/Jan/2022 =
|
| 215 |
|
| 1 |
=== All In One WP Security & Firewall ===
|
| 2 |
+
Contributors: DavidAnderson, pmbaldha, Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin, mbrsolution
|
| 3 |
+
Donate link: https://david.dw-perspective.org.uk/donate
|
| 4 |
Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe,
|
| 5 |
Requires PHP: 5.6
|
| 6 |
Requires at least: 5.0
|
| 7 |
+
Tested up to: 6.0
|
| 8 |
+
Stable tag: 4.4.12
|
| 9 |
+
License: GPLv3 or later
|
| 10 |
|
| 11 |
A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
|
| 12 |
|
| 33 |
|
| 34 |
The All In One WordPress Security plugin doesn't slow down your site and it is 100% free.
|
| 35 |
|
|
|
|
|
|
|
| 36 |
Below is a list of the security and firewall features offered in this plugin:
|
| 37 |
|
| 38 |
= User Accounts Security =
|
| 137 |
|
| 138 |
= Developers =
|
| 139 |
* If you are a developer and you need some extra hooks or filters for this plugin then let us know.
|
|
|
|
| 140 |
|
| 141 |
= Translations =
|
| 142 |
* All In One WP Security plugin can be translated to any language.
|
| 182 |
|
| 183 |
== Changelog ==
|
| 184 |
|
| 185 |
+
= 4.4.12 - 22/April/2022 =
|
| 186 |
+
|
| 187 |
+
* FEATURE: Disable login lockdown feature when the AIOWPS_DISABLE_LOGIN_LOCKDOWN constant with true value.
|
| 188 |
+
* FIX: For multisite giving fatal error on settings and dashboard page Call to a member function on null.
|
| 189 |
+
* FIX: Scores not updating correctly if a feature activated and "Remove wp generator meta info" activated shows 5/5 for all.
|
| 190 |
+
* FIX: Change hard-coded references of wp-content to WP_CONTENT_DIR constant.
|
| 191 |
+
* TWEAK: Get user IP Address using an external service in local server setup.
|
| 192 |
+
* TWEAK: Filter name changed to "aiowps_pre_add_to_permanent_block" from "pre_add_to_permanent_block".
|
| 193 |
+
* TWEAK: Filter name changed to "aiowps_filter_event_logger_data" from "filter_event_logger_data".
|
| 194 |
+
* TWEAK: Disables the "Secret Word" and "Re-direct URL" input fields when the "Enable Brute Force Attack Prevention" option is unchecked.
|
| 195 |
+
* TWEAK: Show nice error on activation if site php version is lower than 5.6.
|
| 196 |
+
|
| 197 |
= 4.4.11 - 29/March/2022 =
|
| 198 |
|
| 199 |
* FEATURE: Reset all settings by clicking on the "Reset Settings" button on the Settings Page.
|
| 206 |
* FIX: The login lockdown unlock request was not working in a few specific server environments.
|
| 207 |
* FIX: The warning headers already sent was displayed in a few specific server environments.
|
| 208 |
* FIX: Handle invalid tabs appropriately in setting pages.
|
| 209 |
+
* FIX: A Fatal error occurred when WooCommerce was activated, but it was disabled on the frontend by the Asset Cleanup Pro plugin.
|
| 210 |
+
* FIX: Fix login lockout issue with different timezone.
|
| 211 |
* TWEAK: Add review notice.
|
| 212 |
* TWEAK: Improve functionality of fake google bot prevents to access the site.
|
| 213 |
* TWEAK: Remove IP address retrieval setting and detect IP address automatically.
|
| 220 |
* TWEAK: Add more specific instructions to change the Display name compared to the username in Admin Dashboard > WP Security > User Accounts > "Display Name" tab > "Modify Accounts With Identical Login Name & Display Name" section.
|
| 221 |
* TWEAK: Remove Admin Dashboard > WP Security > Site Info tab (now redundant because of WP's "Site Health" tool)
|
| 222 |
* TWEAK: The "Allow Login Lockout Request" checkbox is ticked by default.
|
| 223 |
+
|
| 224 |
|
| 225 |
= 4.4.10 - 21/Jan/2022 =
|
| 226 |
|
vendor/composer/installed.php
CHANGED
|
@@ -5,7 +5,7 @@
|
|
| 5 |
'type' => 'project',
|
| 6 |
'install_path' => __DIR__ . '/../../',
|
| 7 |
'aliases' => array(),
|
| 8 |
-
'reference' => '
|
| 9 |
'name' => 'updraftplus/all-in-one-wp-security-and-firewall',
|
| 10 |
'dev' => false,
|
| 11 |
),
|
|
@@ -16,7 +16,7 @@
|
|
| 16 |
'type' => 'project',
|
| 17 |
'install_path' => __DIR__ . '/../../',
|
| 18 |
'aliases' => array(),
|
| 19 |
-
'reference' => '
|
| 20 |
'dev_requirement' => false,
|
| 21 |
),
|
| 22 |
),
|
| 5 |
'type' => 'project',
|
| 6 |
'install_path' => __DIR__ . '/../../',
|
| 7 |
'aliases' => array(),
|
| 8 |
+
'reference' => '0a8fd396ce6ab0e11e5aeb680114fd061486648f',
|
| 9 |
'name' => 'updraftplus/all-in-one-wp-security-and-firewall',
|
| 10 |
'dev' => false,
|
| 11 |
),
|
| 16 |
'type' => 'project',
|
| 17 |
'install_path' => __DIR__ . '/../../',
|
| 18 |
'aliases' => array(),
|
| 19 |
+
'reference' => '0a8fd396ce6ab0e11e5aeb680114fd061486648f',
|
| 20 |
'dev_requirement' => false,
|
| 21 |
),
|
| 22 |
),
|
wp-security-core.php
CHANGED
|
@@ -8,7 +8,7 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 8 |
|
| 9 |
class AIO_WP_Security {
|
| 10 |
|
| 11 |
-
public $version = '4.4.
|
| 12 |
|
| 13 |
public $db_version = '1.9';
|
| 14 |
|
|
@@ -61,7 +61,7 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 61 |
* @var boolean
|
| 62 |
*/
|
| 63 |
public $is_aiowps_admin_page;
|
| 64 |
-
|
| 65 |
/**
|
| 66 |
* Whether the page is AIOWPS Login recaptcha page.
|
| 67 |
*
|
|
@@ -152,6 +152,7 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 152 |
include_once('classes/wp-security-captcha.php');
|
| 153 |
include_once('classes/wp-security-backup.php');
|
| 154 |
include_once('classes/wp-security-file-scan.php');
|
|
|
|
| 155 |
include_once('classes/wp-security-cronjob-handler.php');
|
| 156 |
include_once('classes/grade-system/wp-security-feature-item.php');
|
| 157 |
include_once('classes/grade-system/wp-security-feature-item-manager.php');
|
|
@@ -176,16 +177,19 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 176 |
$debug_config = $this->configs->get_value('aiowps_enable_debug');
|
| 177 |
$debug_enabled = empty($debug_config) ? false : true;
|
| 178 |
$this->debug_logger = new AIOWPSecurity_Logger($debug_enabled);
|
| 179 |
-
|
| 180 |
-
if (is_admin()) {
|
| 181 |
-
$this->admin_init = new AIOWPSecurity_Admin_Init();
|
| 182 |
-
$this->notices = new AIOWPSecurity_Notices();
|
| 183 |
-
}
|
| 184 |
}
|
| 185 |
|
| 186 |
public static function activate_handler($networkwide) {
|
| 187 |
global $wpdb;// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- Used for the include below
|
| 188 |
//Only runs when the plugin activates
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 189 |
include_once('classes/wp-security-installer.php');
|
| 190 |
AIOWPSecurity_Installer::run_installer($networkwide);
|
| 191 |
AIOWPSecurity_Installer::set_cron_tasks_upon_activation($networkwide);
|
|
@@ -328,6 +332,8 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 328 |
if (is_admin()) {
|
| 329 |
//Do plugins_loaded operations for admin side
|
| 330 |
$this->db_upgrade_handler();
|
|
|
|
|
|
|
| 331 |
}
|
| 332 |
$this->do_additional_plugins_loaded_tasks();
|
| 333 |
}
|
|
@@ -368,6 +374,7 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 368 |
// For front side force log out.
|
| 369 |
add_action('template_redirect', array($this, 'do_action_force_logout_check'));
|
| 370 |
new AIOWPSecurity_General_Init_Tasks();
|
|
|
|
| 371 |
}
|
| 372 |
|
| 373 |
public function aiowps_wp_loaded_handler() {
|
|
@@ -379,7 +386,7 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 379 |
*/
|
| 380 |
public function aiowps_login_enqueue() {
|
| 381 |
global $aio_wp_security;
|
| 382 |
-
if ($aio_wp_security->configs->get_value('aiowps_default_recaptcha')) {
|
| 383 |
if ($aio_wp_security->configs->get_value('aiowps_enable_login_captcha') == '1' || $aio_wp_security->configs->get_value('aiowps_enable_registration_page_captcha') == '1') {
|
| 384 |
wp_enqueue_script('google-recaptcha', 'https://www.google.com/recaptcha/api.js', false, AIO_WP_SECURITY_VERSION);
|
| 385 |
// below is needed to provide some space for the google reCaptcha form (otherwise it appears partially hidden on RHS)
|
|
@@ -449,7 +456,7 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 449 |
if (false !== strpos($response_body, 'Invalid site key')) $result = false;
|
| 450 |
return $result;
|
| 451 |
}
|
| 452 |
-
|
| 453 |
/**
|
| 454 |
* Check whether current admin page is Admin Dashboard page or not.
|
| 455 |
*
|
|
@@ -491,7 +498,7 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 491 |
$this->is_aiowps_admin_page = ('admin.php' == $pagenow && isset($_GET['page']) && false !== strpos($_GET['page'], AIOWPSEC_MENU_SLUG_PREFIX));
|
| 492 |
return $this->is_aiowps_admin_page;
|
| 493 |
}
|
| 494 |
-
|
| 495 |
/**
|
| 496 |
* Check whether current admin page is Google recaptcha tab page or not.
|
| 497 |
*
|
|
@@ -510,7 +517,7 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 510 |
);
|
| 511 |
return $this->is_aiowps_google_recaptcha_tab_page;
|
| 512 |
}
|
| 513 |
-
|
| 514 |
/**
|
| 515 |
* Invokes all functions attached to action hook aiowps_force_logout_check
|
| 516 |
*
|
|
@@ -519,7 +526,17 @@ if (!class_exists('AIO_WP_Security')) {
|
|
| 519 |
public function do_action_force_logout_check() {
|
| 520 |
do_action('aiowps_force_logout_check');
|
| 521 |
}
|
| 522 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 523 |
|
| 524 |
}//End of class not exists check
|
| 525 |
|
| 8 |
|
| 9 |
class AIO_WP_Security {
|
| 10 |
|
| 11 |
+
public $version = '4.4.12';
|
| 12 |
|
| 13 |
public $db_version = '1.9';
|
| 14 |
|
| 61 |
* @var boolean
|
| 62 |
*/
|
| 63 |
public $is_aiowps_admin_page;
|
| 64 |
+
|
| 65 |
/**
|
| 66 |
* Whether the page is AIOWPS Login recaptcha page.
|
| 67 |
*
|
| 152 |
include_once('classes/wp-security-captcha.php');
|
| 153 |
include_once('classes/wp-security-backup.php');
|
| 154 |
include_once('classes/wp-security-file-scan.php');
|
| 155 |
+
include_once(AIO_WP_SECURITY_PATH.'/classes/wp-security-comment.php');
|
| 156 |
include_once('classes/wp-security-cronjob-handler.php');
|
| 157 |
include_once('classes/grade-system/wp-security-feature-item.php');
|
| 158 |
include_once('classes/grade-system/wp-security-feature-item-manager.php');
|
| 177 |
$debug_config = $this->configs->get_value('aiowps_enable_debug');
|
| 178 |
$debug_enabled = empty($debug_config) ? false : true;
|
| 179 |
$this->debug_logger = new AIOWPSecurity_Logger($debug_enabled);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 180 |
}
|
| 181 |
|
| 182 |
public static function activate_handler($networkwide) {
|
| 183 |
global $wpdb;// phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable -- Used for the include below
|
| 184 |
//Only runs when the plugin activates
|
| 185 |
+
if (version_compare(phpversion(), '5.6.0', '<')) {
|
| 186 |
+
deactivate_plugins(basename(__FILE__));
|
| 187 |
+
wp_die(
|
| 188 |
+
sprintf(htmlspecialchars(__('This plugin requires PHP version %s.', 'all-in-one-wp-security-and-firewall')), '<strong>5.6+</strong>')
|
| 189 |
+
.' '.sprintf(htmlspecialchars(__('Current site PHP version is %s.', 'all-in-one-wp-security-and-firewall')), '<strong>'.phpversion().'</strong>')
|
| 190 |
+
.' '.htmlspecialchars(__('You will need to ask your web hosting company to upgrade.', 'all-in-one-wp-security-and-firewall'))
|
| 191 |
+
);
|
| 192 |
+
}
|
| 193 |
include_once('classes/wp-security-installer.php');
|
| 194 |
AIOWPSecurity_Installer::run_installer($networkwide);
|
| 195 |
AIOWPSecurity_Installer::set_cron_tasks_upon_activation($networkwide);
|
| 332 |
if (is_admin()) {
|
| 333 |
//Do plugins_loaded operations for admin side
|
| 334 |
$this->db_upgrade_handler();
|
| 335 |
+
$this->admin_init = new AIOWPSecurity_Admin_Init();
|
| 336 |
+
$this->notices = new AIOWPSecurity_Notices();
|
| 337 |
}
|
| 338 |
$this->do_additional_plugins_loaded_tasks();
|
| 339 |
}
|
| 374 |
// For front side force log out.
|
| 375 |
add_action('template_redirect', array($this, 'do_action_force_logout_check'));
|
| 376 |
new AIOWPSecurity_General_Init_Tasks();
|
| 377 |
+
new AIOWPSecurity_Comment();
|
| 378 |
}
|
| 379 |
|
| 380 |
public function aiowps_wp_loaded_handler() {
|
| 386 |
*/
|
| 387 |
public function aiowps_login_enqueue() {
|
| 388 |
global $aio_wp_security;
|
| 389 |
+
if (!$aio_wp_security->is_login_lockdown_by_const() && $aio_wp_security->configs->get_value('aiowps_default_recaptcha')) {
|
| 390 |
if ($aio_wp_security->configs->get_value('aiowps_enable_login_captcha') == '1' || $aio_wp_security->configs->get_value('aiowps_enable_registration_page_captcha') == '1') {
|
| 391 |
wp_enqueue_script('google-recaptcha', 'https://www.google.com/recaptcha/api.js', false, AIO_WP_SECURITY_VERSION);
|
| 392 |
// below is needed to provide some space for the google reCaptcha form (otherwise it appears partially hidden on RHS)
|
| 456 |
if (false !== strpos($response_body, 'Invalid site key')) $result = false;
|
| 457 |
return $result;
|
| 458 |
}
|
| 459 |
+
|
| 460 |
/**
|
| 461 |
* Check whether current admin page is Admin Dashboard page or not.
|
| 462 |
*
|
| 498 |
$this->is_aiowps_admin_page = ('admin.php' == $pagenow && isset($_GET['page']) && false !== strpos($_GET['page'], AIOWPSEC_MENU_SLUG_PREFIX));
|
| 499 |
return $this->is_aiowps_admin_page;
|
| 500 |
}
|
| 501 |
+
|
| 502 |
/**
|
| 503 |
* Check whether current admin page is Google recaptcha tab page or not.
|
| 504 |
*
|
| 517 |
);
|
| 518 |
return $this->is_aiowps_google_recaptcha_tab_page;
|
| 519 |
}
|
| 520 |
+
|
| 521 |
/**
|
| 522 |
* Invokes all functions attached to action hook aiowps_force_logout_check
|
| 523 |
*
|
| 526 |
public function do_action_force_logout_check() {
|
| 527 |
do_action('aiowps_force_logout_check');
|
| 528 |
}
|
| 529 |
+
|
| 530 |
+
/**
|
| 531 |
+
* Check AIOWPS_DISABLE_LOGIN_LOCKDOWN constant value
|
| 532 |
+
*
|
| 533 |
+
* @return boolean True if the AIOWPS_DISABLE_LOGIN_LOCKDOWN constant defined with true value, otherwise false.
|
| 534 |
+
*/
|
| 535 |
+
public function is_login_lockdown_by_const() {
|
| 536 |
+
return defined('AIOWPS_DISABLE_LOGIN_LOCKDOWN') && AIOWPS_DISABLE_LOGIN_LOCKDOWN;
|
| 537 |
+
}
|
| 538 |
+
|
| 539 |
+
} // End of class
|
| 540 |
|
| 541 |
}//End of class not exists check
|
| 542 |
|
wp-security.php
CHANGED
|
@@ -2,15 +2,15 @@
|
|
| 2 |
// @codingStandardsIgnoreStart
|
| 3 |
/*
|
| 4 |
Plugin Name: All In One WP Security
|
| 5 |
-
Version: 4.4.
|
| 6 |
-
Plugin URI: https://
|
| 7 |
Update URI: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
|
| 8 |
-
Author:
|
| 9 |
-
Author URI: https://
|
| 10 |
Description: All round best WordPress security plugin!
|
| 11 |
Text Domain: all-in-one-wp-security-and-firewall
|
| 12 |
Domain Path: /languages
|
| 13 |
-
License:
|
| 14 |
License URI: https://www.gnu.org/licenses/gpl-3.0.en.html
|
| 15 |
Requires at least: 5.0
|
| 16 |
Requires PHP: 5.6
|
| 2 |
// @codingStandardsIgnoreStart
|
| 3 |
/*
|
| 4 |
Plugin Name: All In One WP Security
|
| 5 |
+
Version: 4.4.12
|
| 6 |
+
Plugin URI: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
|
| 7 |
Update URI: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
|
| 8 |
+
Author: All In One WP Security & Firewall Team
|
| 9 |
+
Author URI: https://teamupdraft.com/
|
| 10 |
Description: All round best WordPress security plugin!
|
| 11 |
Text Domain: all-in-one-wp-security-and-firewall
|
| 12 |
Domain Path: /languages
|
| 13 |
+
License: GPLv3 or later
|
| 14 |
License URI: https://www.gnu.org/licenses/gpl-3.0.en.html
|
| 15 |
Requires at least: 5.0
|
| 16 |
Requires PHP: 5.6
|
